[apparmor] [PATCH 4/6] parser: stop splitting the namespace from the named transition targets

Tyler Hicks tyhicks at canonical.com
Tue Mar 15 03:39:09 UTC 2016 

On 2016-03-04 08:28:45, John Johansen wrote:
> On 03/04/2016 12:16 AM, Tyler Hicks wrote:
> > The parser was splitting up the namespace and profile name from named
> > transition targets only to rejoin it later when creating the binary
> > policy. This complicated the changes needed to support the stacking
> > identifier '&' in named transition targets.
> > 
> > To keep the stacking support simple, this patch keeps the entire named
> > transition target string intact from initial profile parsing to writing
> > out the binary.
> > 
> > All of these changes are straightforward except the hunk that removes
> > the namespace string addition to the vector in the process_dfa_entry()
> > function. After speaking with John, the kernel has never expected the
> > namespace to be separated from the profile name.
> > 
> not quite right, the kernel never did for pivotroot transitions but
> it actually does for x transitions. With that said this is a better
> way to handle it and the current kernel handles either.
> 
> We can add the null terminated ns as a conditional in the final
> encode step.

I plan to fold the following changes into this patch to address this.
Let me know if they look good to you:

diff --git a/parser/parser.h b/parser/parser.h
index 81f211a..e7acda6 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -298,6 +298,7 @@ extern int kernel_supports_dbus;
 extern int kernel_supports_signal;
 extern int kernel_supports_ptrace;
 extern int kernel_supports_unix;
+extern int kernel_supports_stacking;
 extern int conf_verbose;
 extern int conf_quiet;
 extern int names_only;
@@ -386,7 +387,8 @@ extern char *process_var(const char *var);
 extern int parse_mode(const char *mode);
 extern int parse_X_mode(const char *X, int valid, const char *str_mode, int *mode, int fail);
 bool label_contains_ns(const char *label);
-void parse_label(bool *stack, char **ns, char **name, const char *label);
+bool parse_label(bool *_stack, char **_ns, char **_name,
+		 const char *label, bool yyerr);
 extern struct cod_entry *new_entry(char *id, int mode, char *link_id);
 
 /* returns -1 if value != true or false, otherwise 0 == false, 1 == true */
diff --git a/parser/parser_common.c b/parser/parser_common.c
index ab36a53..4d5d814 100644
--- a/parser/parser_common.c
+++ b/parser/parser_common.c
@@ -73,6 +73,7 @@ int kernel_supports_dbus = 0;		/* kernel supports dbus rules */
 int kernel_supports_diff_encode = 0;	/* kernel supports diff_encode */
 int kernel_supports_signal = 0;		/* kernel supports signal rules */
 int kernel_supports_ptrace = 0;		/* kernel supports ptrace rules */
+int kernel_supports_stacking = 0;	/* kernel supports stacking */
 int conf_verbose = 0;
 int conf_quiet = 0;
 int names_only = 0;
diff --git a/parser/parser_main.c b/parser/parser_main.c
index dbf353d..bf3cf84 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -638,6 +638,8 @@ static void set_supported_features(void)
 						       "policy/set_load");
 	kernel_supports_diff_encode = aa_features_supports(features,
 							   "policy/diff_encode");
+	kernel_supports_stacking = aa_features_supports(features,
+							"domain/stack");
 
 	if (aa_features_supports(features, "policy/versions/v7"))
 		kernel_abi_version = 7;
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 22f6fef..ed6c381 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -661,8 +661,10 @@ bool label_contains_ns(const char *label)
 	return _parse_label(&stack, &ns, &ns_len, &name, &name_len, label) == 0 && ns;
 }
 
-void parse_label(bool *_stack, char **_ns, char **_name, const char *label)
+bool parse_label(bool *_stack, char **_ns, char **_name,
+		 const char *label, bool yyerr)
 {
+	const char *err = NULL;
 	char *ns = NULL;
 	char *name = NULL;
 	size_t ns_len = 0;
@@ -671,19 +673,28 @@ void parse_label(bool *_stack, char **_ns, char **_name, const char *label)
 
 	res = _parse_label(_stack, &ns, &ns_len, &name, &name_len, label);
 	if (res == 1) {
-		yyerror(_("Namespace not terminated: %s\n"), label);
+		err = "Namespace not terminated: %s\n";
 	} else if (res == 2) {
-		yyerror(_("Empty namespace: %s\n"), label);
+		err = "Empty namespace: %s\n";
 	} else if (res == 3) {
-		yyerror(_("Empty named transition profile name: %s\n"), label);
+		err = "Empty named transition profile name: %s\n";
 	} else if (res != 0) {
-		yyerror(_("Unknown error while parsing label: %s\n"), label);
+		err = "Unknown error while parsing label: %s\n";
+	}
+
+	if (err) {
+		if (yyerr)
+			yyerror(_(err), label);
+		else
+			fprintf(stderr, _(err), label);
+
+		return false;
 	}
 
 	if (ns) {
 		*_ns = strndup(ns, ns_len);
 		if (!*_ns)
-			yyerror(_("Memory allocation error."));
+			goto alloc_fail;
 	} else {
 		*_ns = NULL;
 	}
@@ -691,8 +702,19 @@ void parse_label(bool *_stack, char **_ns, char **_name, const char *label)
 	*_name = strndup(name, name_len);
 	if (!*_name) {
 		free(*_ns);
-		yyerror(_("Memory allocation error."));
+		goto alloc_fail;
 	}
+
+	return true;
+
+alloc_fail:
+	err = "Memory allocation error.";
+	if (yyerr)
+		yyerror(_(err));
+	else
+		fprintf(stderr, "%s", _(err));
+
+	return false;
 }
 
 struct cod_entry *new_entry(char *id, int mode, char *link_id)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 9270076..c31cdfd 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -566,6 +566,8 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	if (entry->mode & AA_CHANGE_PROFILE) {
 		const char *vec[3];
 		std::string lbuf, xbuf;
+		autofree char *ns = NULL;
+		autofree char *name = NULL;
 		int index = 1;
 
 		if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
@@ -585,7 +587,24 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 			/* allow change_profile for all execs */
 			vec[0] = "/[^/\\x00][^\\x00]*";
 
-		vec[index++] = tbuf.c_str();
+		if (!kernel_supports_stacking) {
+			bool stack;
+
+			if (!parse_label(&stack, &ns, &name,
+					 tbuf.c_str(), false)) {
+				return FALSE;
+			} else if (stack) {
+				fprintf(stderr,
+					_("The current kernel does not support stacking of named transitions: %s\n"),
+					tbuf.c_str());
+				return FALSE;
+			}
+
+			vec[index++] = ns;
+			vec[index++] = name;
+		} else {
+			vec[index++] = tbuf.c_str();
+		}
 
 		/* regular change_profile rule */
 		if (!dfarules->add_rule_vec(entry->deny, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 44793f7..2d95066 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -311,7 +311,7 @@ profile_base: TOK_ID opt_id_or_var flags TOK_OPEN rules TOK_CLOSE
 			yyerror(_("Memory allocation error."));
 		}
 
-		parse_label(&self_stack, &prof->ns, &prof->name, $1);
+		parse_label(&self_stack, &prof->ns, &prof->name, $1, true);
 		free($1);
 
 		if (self_stack) {
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160314/9acf6ca7/attachment.pgp>

More information about the AppArmor mailing list