[apparmor] [patch 12/12] map the net permission set into a form compatible with the old dfa table

John Johansen john.johansen at canonical.com
Fri Aug 29 20:23:42 UTC 2014


On 08/26/2014 11:30 PM, Seth Arnold wrote:
> On Mon, Aug 25, 2014 at 05:06:17PM -0700, john.johansen at canonical.com wrote:
>> The old dfa table format has two 64-bit permission fields used to store
>> all of allow, quiet, audit, owner/!owner and the transition mask. This leaves
>> 7 bits for entry + a few other special bits.
>>
>> Since policydb entries using the old-style dfa permission format
>> don't support the !owner permission entries, we can map the
>> high network permission bits to these entries.
>>
>> This allows us to enforce base network permissions on systems with
>> only support for the old dfa table format.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
> 
> Sorry, I'm still not convinced with map_perms()... I did the math again
> with the new values and it still looks like there's a collision.
> 
>> ---
>>  parser/af_unix.cc |   30 +++++++++++++++++++-----------
>>  1 file changed, 19 insertions(+), 11 deletions(-)
>>
>> --- 2.9-test.orig/parser/af_unix.cc
>> +++ 2.9-test/parser/af_unix.cc
>> @@ -216,6 +216,14 @@
>>  	}
>>  }
>>  
>> +static uint32_t map_perms(uint32_t mask)
>> +{
>> +	return (mask & 0x7f) |
>> +		((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
>> +		((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) | /* 2 + (AA_OTHER_SHIFT - 20) */
>> +		((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
>> +}
>> +
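Review bot: the inline comments on the two right-shifted terms give the shift as arithmetic on AA_OTHER_SHIFT instead of the resulting bit positions, which is what a reader needs in order to check that the three relocated groups don't overlap; suggest commenting each term with its source and destination bits, e.g. `/* bits 20-22 -> 16-18 */` and `/* bits 24-25 -> 19-20 */`, and noting that `mask & 0x7f` keeps bits 0-6 (the 7 entry bits from the commit message), not 0-7. Also worth a comment: every bit outside 0-6 and the three masked groups, bit 23 included, is silently discarded by the return expression, so a caller cannot tell from the result that a permission was dropped in the conversion.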
> 
> Bits 0-7 inclusive stay put
> Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR
> Bits 20-23 inclusive move -4 to 16-19 ACCEPT | BIND | LISTEN
> Bits 24-25 inclusive move -5 to 19-20 SETOPT | GETOPT
> 
> Is this correct? It looks like AA_NET_LISTEN overlaps with AA_NET_GETOPT.
> 
No, your counting is off.
20-22 inclusive move -4 to 16-18  ACCEPT | BIND | LISTEN  (notice 22 not 23)

23 is skipped, hence the need to shift 5 for 24-25 instead of 4

24-25 inclusive move -5 to 19-20

Obviously the comments could be fixed to list the bit positions as above.
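To settle the collision question mechanically rather than by hand, here is an added example (not part of this thread or of the apparmor parser) that drives the mapping one source bit at a time and reports where each bit lands; the AA_NET_* values and AA_OTHER_SHIFT = 14 are hypothetical, chosen only to match the bit positions quoted above.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical bit values for this example, chosen to match the bit
 * positions quoted in the thread; they are not the real parser headers. */
#define AA_OTHER_SHIFT 14
#define AA_NET_GETATTR (1u << 8)
#define AA_NET_SETATTR (1u << 9)
#define AA_NET_ACCEPT  (1u << 20)
#define AA_NET_BIND    (1u << 21)
#define AA_NET_LISTEN  (1u << 22)
#define AA_NET_SETOPT  (1u << 24)
#define AA_NET_GETOPT  (1u << 25)
/* The mapping from the patch, evaluated with the hypothetical values above. */
static uint32_t map_perms(uint32_t mask)
{
	return (mask & 0x7f) |
		((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
		((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) |
		((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5);
}
/* Push each source bit through map_perms() alone.  dst[bit] receives its
 * destination position, or -1 if the bit is dropped.  Returns the number of
 * source bits that land on a destination already taken by another bit. */
int check_mapping(int dst[32])
{
	uint32_t seen = 0;
	int collisions = 0;
	for (int bit = 0; bit < 32; bit++) {
		uint32_t out = map_perms(1u << bit);
		dst[bit] = -1;
		if (!out)
			continue; /* not carried into the old table format */
		dst[bit] = __builtin_ctz(out);
		if (seen & out)
			collisions++;
		seen |= out;
	}
	return collisions;
}

int main(void)
{
	int dst[32], c = check_mapping(dst);
	for (int bit = 0; bit < 32; bit++)
		if (dst[bit] >= 0 && dst[bit] != bit)
			printf("bit %2d -> %2d\n", bit, dst[bit]);
	printf("collisions: %d\n", c);
	return c != 0;
}
```

With these values the program prints the 8->14, 9->15, 20-22->16-18 and 24-25->19-20 moves and zero collisions; bits 7, 10-13, 23 and 26-31 come out as dropped.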
