apparmor: make sure perm indexes are accumulated
accumulate permission indexes on a first encountered basis. This favors original rulesets so that new ones can not override without profile replacement. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
670f31774a
commit
0bece4fa97
@ -88,10 +88,10 @@ static inline struct aa_label *aa_get_file_label(struct aa_file_ctx *ctx)
|
||||
* - exec type - which determines how the executable name and index are used
|
||||
* - flags - which modify how the destination name is applied
|
||||
*/
|
||||
#define AA_X_INDEX_MASK 0x00ffffff
|
||||
#define AA_X_INDEX_MASK AA_INDEX_MASK
|
||||
|
||||
#define AA_X_TYPE_MASK 0x0c000000
|
||||
#define AA_X_NONE 0x00000000
|
||||
#define AA_X_NONE AA_INDEX_NONE
|
||||
#define AA_X_NAME 0x04000000 /* use executable name px */
|
||||
#define AA_X_TABLE 0x08000000 /* use a specified name ->n# */
|
||||
|
||||
|
@ -78,11 +78,20 @@ struct aa_perms {
|
||||
u32 quiet; /* set only when ~allow | deny */
|
||||
u32 hide; /* set only when ~allow | deny */
|
||||
|
||||
|
||||
u32 xindex;
|
||||
u32 tag; /* tag string index, if present */
|
||||
u32 label; /* label string index, if present */
|
||||
};
|
||||
|
||||
/*
|
||||
* Indexes are broken into a 24 bit index and 8 bit flag.
|
||||
* For the index to be valid there must be a value in the flag
|
||||
*/
|
||||
#define AA_INDEX_MASK 0x00ffffff
|
||||
#define AA_INDEX_FLAG_MASK 0xff000000
|
||||
#define AA_INDEX_NONE 0
|
||||
|
||||
#define ALL_PERMS_MASK 0xffffffff
|
||||
extern struct aa_perms nullperms;
|
||||
extern struct aa_perms allperms;
|
||||
|
@ -348,6 +348,13 @@ void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend)
|
||||
accum->hide &= addend->hide & ~addend->allow;
|
||||
accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
|
||||
accum->subtree |= addend->subtree & ~addend->deny;
|
||||
|
||||
if (!accum->xindex)
|
||||
accum->xindex = addend->xindex;
|
||||
if (!accum->tag)
|
||||
accum->tag = addend->tag;
|
||||
if (!accum->label)
|
||||
accum->label = addend->label;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -367,6 +374,13 @@ void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend)
|
||||
accum->hide &= addend->hide & ~accum->allow;
|
||||
accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
|
||||
accum->subtree &= addend->subtree & ~accum->deny;
|
||||
|
||||
if (!accum->xindex)
|
||||
accum->xindex = addend->xindex;
|
||||
if (!accum->tag)
|
||||
accum->tag = addend->tag;
|
||||
if (!accum->label)
|
||||
accum->label = addend->label;
|
||||
}
|
||||
|
||||
void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,
|
||||
|
Loading…
Reference in New Issue
Block a user