[apparmor] [PATCH 01/14] Rename AA_MAY_XXX permission bits that conflict with new layout

Tyler Hicks tyhicks at canonical.com
Thu Jun 4 13:56:16 UTC 2015


On 2015-06-04 03:56:30, John Johansen wrote:
> The parser currently is still using the old permission layout, the kernel
> uses a newer layout that allows for more permission bits. The newer
> permission layout is needed by the library to query the kernel,
> however that causes some of the permission bits to be redefined.
> 
> Rename the permission bits that cause redefinition warnings to use
> AA_OLD_MAY_XXX
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Out of curiosity, how can the parser and kernel be out of sync and
things still work as expected? The kernel is doing some sort of
conversion on the rules loaded by the parser?

Acked-by: Tyler Hicks <tyhicks at canonical.com>

Tyler

> ---
>  parser/immunix.h      | 25 ++++++++++++++-----------
>  parser/parser_misc.c  |  8 ++++----
>  parser/parser_regex.c |  4 ++--
>  3 files changed, 20 insertions(+), 17 deletions(-)
> 
> diff --git a/parser/immunix.h b/parser/immunix.h
> index 1762a1c..e033eed 100644
> --- a/parser/immunix.h
> +++ b/parser/immunix.h
> @@ -29,9 +29,9 @@
>  #define AA_MAY_WRITE			(1 << 1)
>  #define AA_MAY_READ			(1 << 2)
>  #define AA_MAY_APPEND			(1 << 3)
> -#define AA_MAY_LINK			(1 << 4)
> -#define AA_MAY_LOCK			(1 << 5)
> -#define AA_EXEC_MMAP			(1 << 6)
> +#define AA_OLD_MAY_LINK			(1 << 4)
> +#define AA_OLD_MAY_LOCK			(1 << 5)
> +#define AA_OLD_EXEC_MMAP		(1 << 6)
>  #define AA_EXEC_PUX			(1 << 7)
>  #define AA_EXEC_UNSAFE			(1 << 8)
>  #define AA_EXEC_INHERIT			(1 << 9)
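Review bot: The renamed defines carry no comment saying which layout they belong to, and the unrenamed neighbours (`AA_MAY_READ`, `AA_EXEC_PUX`, …) sit in the same list. Nothing in immunix.h tells a reader that `AA_OLD_*` values must not be ORed into, or tested against, a mask that uses the newer layout. Because these bits encode policy permissions, a mixed mask would compile cleanly and silently mean something else. I would add above the block: `/* AA_OLD_*: parser (old layout) bit positions; do not mix with permission masks in the newer layout */`.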
> @@ -42,8 +42,8 @@
>  
>  #define AA_BASE_PERMS			(AA_MAY_EXEC | AA_MAY_WRITE | \
>  					 AA_MAY_READ | AA_MAY_APPEND | \
> -					 AA_MAY_LINK | AA_MAY_LOCK | \
> -					 AA_EXEC_PUX | AA_EXEC_MMAP | \
> +					 AA_OLD_MAY_LINK | AA_OLD_MAY_LOCK | \
> +					 AA_EXEC_PUX | AA_OLD_EXEC_MMAP | \
>  					 AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
>  					 AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
>  					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
> @@ -95,8 +95,8 @@
>  #define ALL_USER_EXEC			(AA_USER_EXEC | AA_USER_EXEC_TYPE)
>  #define ALL_OTHER_EXEC			(AA_OTHER_EXEC | AA_OTHER_EXEC_TYPE)
>  
> -#define AA_LINK_BITS			((AA_MAY_LINK << AA_USER_SHIFT) | \
> -					 (AA_MAY_LINK << AA_OTHER_SHIFT))
> +#define AA_LINK_BITS			((AA_OLD_MAY_LINK << AA_USER_SHIFT) | \
> +					 (AA_OLD_MAY_LINK << AA_OTHER_SHIFT))
>  
>  #define SHIFT_MODE(MODE, SHIFT)		((((MODE) & AA_BASE_PERMS) << (SHIFT))\
>  					 | ((MODE) & ~AA_FILE_PERMS))
> @@ -104,7 +104,7 @@
>  					 | ((MODE) & ~AA_FILE_PERMS))
>  
>  
> -#define AA_LINK_SUBSET_TEST		(AA_MAY_LINK << 1)
> +#define AA_LINK_SUBSET_TEST		(AA_OLD_MAY_LINK << 1)
>  #define LINK_SUBSET_BITS	((AA_LINK_SUBSET_TEST << AA_USER_SHIFT) | \
>  				 (AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT))
>  #define LINK_TO_LINK_SUBSET(X)		(((X) << 1) & AA_LINK_SUBSET_TEST)
> @@ -137,9 +137,9 @@ enum pattern_t {
>  #define HAS_MAY_WRITE(mode)		((mode) & AA_MAY_WRITE)
>  #define HAS_MAY_APPEND(mode)		((mode) & AA_MAY_APPEND)
>  #define HAS_MAY_EXEC(mode)		((mode) & AA_MAY_EXEC)
> -#define HAS_MAY_LINK(mode)		((mode) & AA_MAY_LINK)
> -#define HAS_MAY_LOCK(mode)		((mode) & AA_MAY_LOCK)
> -#define HAS_EXEC_MMAP(mode) 		((mode) & AA_EXEC_MMAP)
> +#define HAS_MAY_LINK(mode)		((mode) & AA_OLD_MAY_LINK)
> +#define HAS_MAY_LOCK(mode)		((mode) & AA_OLD_MAY_LOCK)
> +#define HAS_EXEC_MMAP(mode) 		((mode) & AA_OLD_EXEC_MMAP)
>  
>  #define HAS_EXEC_UNSAFE(mode) 		((mode) & AA_EXEC_UNSAFE)
>  #define HAS_CHANGE_PROFILE(mode)	((mode) & AA_CHANGE_PROFILE)
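Review bot: `HAS_MAY_LINK`, `HAS_MAY_LOCK` and `HAS_EXEC_MMAP` keep their layout-neutral names but now test `AA_OLD_*` bits, so a call site still reads as if it checked the current link/lock/mmap permission. If a mask in the newer layout ever reaches these helpers, the test would pass or fail on an unrelated bit with no warning. Either rename them in step (for example `HAS_OLD_MAY_LINK(mode)`) or add a comment such as `/* these helpers expect a parser (old layout) mode */`. The same applies to `AA_LINK_BITS` and `AA_LINK_SUBSET_TEST` in the earlier hunks.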
> @@ -161,3 +161,6 @@ static inline int is_merged_x_consistent(int a, int b)
>  }
>  
>  #endif				/* ! _IMMUNIX_H */
> +
> +/*  LocalWords:  MMAP
> + */
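Review bot: The added `/*  LocalWords:  MMAP */` trailer after the `#endif` looks like editor spell-check state rather than part of the rename, and it sits outside the `_IMMUNIX_H` include guard. It is harmless to the compiler, but the commit message does not mention it and it will show up in later blame output for this header. I would drop the three added lines from this patch.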
> diff --git a/parser/parser_misc.c b/parser/parser_misc.c
> index 6c0beb9..3b83679 100644
> --- a/parser/parser_misc.c
> +++ b/parser/parser_misc.c
> @@ -332,7 +332,7 @@ reeval:
>  		case COD_READ_CHAR:
>  			if (read_implies_exec) {
>  				PDEBUG("Parsing mode: found %s READ imply X\n", mode_desc);
> -				mode |= AA_MAY_READ | AA_EXEC_MMAP;
> +				mode |= AA_MAY_READ | AA_OLD_EXEC_MMAP;
>  			} else {
>  				PDEBUG("Parsing mode: found %s READ\n", mode_desc);
>  				mode |= AA_MAY_READ;
> @@ -355,12 +355,12 @@ reeval:
>  
>  		case COD_LINK_CHAR:
>  			PDEBUG("Parsing mode: found %s LINK\n", mode_desc);
> -			mode |= AA_MAY_LINK;
> +			mode |= AA_OLD_MAY_LINK;
>  			break;
>  
>  		case COD_LOCK_CHAR:
>  			PDEBUG("Parsing mode: found %s LOCK\n", mode_desc);
> -			mode |= AA_MAY_LOCK;
> +			mode |= AA_OLD_MAY_LOCK;
>  			break;
>  
>  		case COD_INHERIT_CHAR:
> @@ -439,7 +439,7 @@ reeval:
>  
>  		case COD_MMAP_CHAR:
>  			PDEBUG("Parsing mode: found %s MMAP\n", mode_desc);
> -			mode |= AA_EXEC_MMAP;
> +			mode |= AA_OLD_EXEC_MMAP;
>  			break;
>  
>  		case COD_EXEC_CHAR:
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index 96f377a..310af20 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -514,9 +514,9 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
>  	 * dfa states like it does for pcre
>  	 */
>  	if ((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_INHERIT)
> -		entry->mode |= AA_EXEC_MMAP << AA_OTHER_SHIFT;
> +		entry->mode |= AA_OLD_EXEC_MMAP << AA_OTHER_SHIFT;
>  	if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
> -		entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
> +		entry->mode |= AA_OLD_EXEC_MMAP << AA_USER_SHIFT;
>  
>  	/* the link bit on the first pair entry should not get masked
>  	 * out by a deny rule, as both pieces of the link pair must
> -- 
> 2.1.4
> 
> 