Marcus Rueckert
f270973a6c
Accepted submit request 57745 from user jeff_mahoney OBS-URL: https://build.opensuse.org/request/show/57745 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=1
278 lines
8.5 KiB
Plaintext
278 lines
8.5 KiB
Plaintext
From: John Johansen <john.johansen@canonical.com>
|
|
Subject: Fix two x transition conflict bugs.
|
|
References: bnc#662928 lpn#693082
|
|
|
|
This is lp:apparmor/2.5 commit r1443.
|
|
|
|
The is_merged_x_consistend macro was incorrect in that is tested for
|
|
USER_EXEC_TYPE to determine if there was an x transition. This fails
|
|
for unconfined execs so an unconfined exec would not correctly conflict
|
|
with another exec type.
|
|
|
|
The dfa match flag table for xtransitions was not large enough and not
|
|
indexed properly for pux, and cux transitions. The index calculation did
|
|
not take into account the pux flag so that pux and px aliased to the same
|
|
location and cux and cx aliased to the same location.
|
|
|
|
This would result in the first rule being processed defining what the
|
|
transition type was for all following rules of the type following. So
|
|
if a px transition was processed first all pux, transitions in the profile
|
|
would be treated pux.
|
|
|
|
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
|
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
|
|
|
|
Add auto generation of xtransition conflict tests
|
|
|
|
All the combiniation of xtransition conflics where not well represented in
|
|
the regression test suite. Instead of relying on multiple static test
|
|
files, automatically generate all possible conflicts.
|
|
|
|
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
|
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
|
|
Acked-by: Jeff Mahoney <jeffm@suse.com>
|
|
diff:
|
|
=== modified file 'parser/immunix.h'
|
|
parser/immunix.h | 4
|
|
parser/libapparmor_re/regexp.yy | 10 -
|
|
parser/tst/Makefile | 10 +
|
|
parser/tst/gen-xtrans.pl | 152 +++++++++++++++++++++++++++++
|
|
parser/tst/simple_tests/generated_x/readme | 2
|
|
5 files changed, 169 insertions(+), 9 deletions(-)
|
|
|
|
--- a/parser/immunix.h 2009-08-20 15:41:10 +0000
|
|
+++ b/parser/immunix.h 2011-01-07 20:46:15 +0000
|
|
@@ -148,12 +148,12 @@
|
|
#include <stdio.h>
|
|
static inline int is_merged_x_consistent(int a, int b)
|
|
{
|
|
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
|
|
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
|
|
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
|
|
{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
|
|
return 0;
|
|
}
|
|
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
|
|
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
|
|
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
|
|
{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
|
|
return 0;
|
|
|
|
=== modified file 'parser/libapparmor_re/regexp.yy'
|
|
--- a/parser/libapparmor_re/regexp.yy 2010-07-24 14:16:14 +0000
|
|
+++ b/parser/libapparmor_re/regexp.yy 2011-01-07 20:46:15 +0000
|
|
@@ -2581,9 +2581,9 @@
|
|
#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
|
|
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
|
|
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
|
|
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
|
|
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
|
|
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
|
|
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
|
|
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
|
|
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
|
|
|
|
extern "C" void aare_reset_matchflags(void)
|
|
{
|
|
@@ -2644,8 +2644,8 @@
|
|
flip_tree(tree);
|
|
|
|
|
|
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
|
|
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
|
|
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
|
|
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
|
|
|
|
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
|
|
// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
|
|
|
|
=== modified file 'parser/tst/Makefile'
|
|
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
|
|
+++ b/parser/tst/Makefile 2011-01-07 20:46:15 +0000
|
|
@@ -11,8 +11,11 @@
|
|
|
|
all: tests
|
|
|
|
-.PHONY: tests error_output parser_sanity caching
|
|
-tests: error_output parser_sanity
|
|
+.PHONY: tests error_output gen_xtrans parser_sanity caching
|
|
+tests: error_output gen_xtrans parser_sanity
|
|
+
|
|
+gen_xtrans:
|
|
+ perl ./gen-xtrans.pl
|
|
|
|
error_output: $(PARSER)
|
|
$(PARSER) -S -I errors >/dev/null errors/okay.sd
|
|
@@ -34,3 +37,6 @@
|
|
|
|
$(PARSER):
|
|
make -C $(PARSER_DIR) $(PARSER_BIN)
|
|
+
|
|
+clean:
|
|
+ rm -f simple_tests/generated_x/*
|
|
|
|
=== added file 'parser/tst/gen-xtrans.pl'
|
|
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
|
|
+++ b/parser/tst/gen-xtrans.pl 2011-01-07 20:46:15 +0000
|
|
@@ -0,0 +1,152 @@
|
|
+#!/usr/bin/perl
|
|
+
|
|
+use strict;
|
|
+use Locale::gettext;
|
|
+use POSIX;
|
|
+
|
|
+setlocale(LC_MESSAGES, "");
|
|
+
|
|
+my $prefix="simple_tests/generated_x";
|
|
+
|
|
+my @trans_types = ("p", "P", "c", "C", "u", "i");
|
|
+my @modifiers = ("i", "u");
|
|
+my %trans_modifiers = (
|
|
+ "p" => \@modifiers,
|
|
+ "P" => \@modifiers,
|
|
+ "c" => \@modifiers,
|
|
+ "C" => \@modifiers,
|
|
+ );
|
|
+
|
|
+my @targets = ("", "target", "target2");
|
|
+my @null_target = ("");
|
|
+
|
|
+my %named_trans = (
|
|
+ "p" => \@targets,
|
|
+ "P" => \@targets,
|
|
+ "c" => \@targets,
|
|
+ "C" => \@targets,
|
|
+ "u" => \@null_target,
|
|
+ "i" => \@null_target,
|
|
+ );
|
|
+
|
|
+# audit qualifier disabled for now it really shouldn't affect the conflict
|
|
+# test but it may be worth checking every once in awhile
|
|
+#my @qualifiers = ("", "owner", "audit", "audit owner");
|
|
+my @qualifiers = ("", "owner");
|
|
+
|
|
+my $count = 0;
|
|
+
|
|
+gen_conflicting_x();
|
|
+gen_overlap_re_exact();
|
|
+gen_dominate_re_re();
|
|
+gen_ambiguous_re_re();
|
|
+
|
|
+print "Generated $count xtransition interaction tests\n";
|
|
+
|
|
+sub gen_list {
|
|
+ my @output;
|
|
+ foreach my $trans (@trans_types) {
|
|
+ if ($trans_modifiers{$trans}) {
|
|
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
|
|
+ push @output, "${trans}${mod}x";
|
|
+ }
|
|
+ }
|
|
+ push @output, "${trans}x";
|
|
+ }
|
|
+ return @output;
|
|
+}
|
|
+
|
|
+sub print_rule($$$$) {
|
|
+ my ($file, $name, $perm, $target) = @_;
|
|
+ print $file "\t${name} ${perm}";
|
|
+ if ($target ne "") {
|
|
+ print $file " -> $target";
|
|
+ }
|
|
+ print $file ",\n";
|
|
+}
|
|
+
|
|
+sub gen_file($$$$$$$$) {
|
|
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
|
|
+
|
|
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
|
|
+
|
|
+ my $file;
|
|
+ unless (open $file, ">$name") {
|
|
+ print("couldn't open $name\n");
|
|
+ exit 1;
|
|
+ }
|
|
+
|
|
+ print $file "#\n";
|
|
+ print $file "#=DESCRIPTION ${name}\n";
|
|
+ print $file "#=EXRESULT ${xres}\n";
|
|
+ print $file "#\n";
|
|
+ print $file "/usr/bin/foo {\n";
|
|
+ print_rule($file, $rule1, $perm1, $target1);
|
|
+ print_rule($file, $rule2, $perm2, $target2);
|
|
+ print $file "}";
|
|
+ close($file);
|
|
+
|
|
+ $count++;
|
|
+}
|
|
+
|
|
+#NOTE: currently we don't do px to cx, or cx to px conversion
|
|
+# so
|
|
+# /foo {
|
|
+# /* px -> /foo//bar,
|
|
+# /* cx -> bar,
|
|
+#
|
|
+# will conflict
|
|
+#
|
|
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
|
|
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
|
|
+sub gen_files($$$$) {
|
|
+ my ($name, $rule1, $rule2, $default) = @_;
|
|
+
|
|
+ my @perms = gen_list();
|
|
+
|
|
+# print "@perms\n";
|
|
+
|
|
+ foreach my $i (@perms) {
|
|
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
|
|
+ foreach my $q (@qualifiers) {
|
|
+ foreach my $j (@perms) {
|
|
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
|
|
+ foreach my $r (@qualifiers) {
|
|
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
|
|
+# print "$file\n";
|
|
+
|
|
+ #override failures when transitions are the same
|
|
+ my $xres = ${default};
|
|
+ if ($i eq $j && $t eq $u) {
|
|
+ $xres = "PASS";
|
|
+ }
|
|
+
|
|
+
|
|
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
|
|
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+}
|
|
+
|
|
+sub gen_conflicting_x {
|
|
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
|
|
+}
|
|
+
|
|
+sub gen_overlap_re_exact {
|
|
+
|
|
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
|
|
+}
|
|
+
|
|
+# we currently don't support this, once supported change to "PASS"
|
|
+sub gen_dominate_re_re {
|
|
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
|
|
+}
|
|
+
|
|
+sub gen_ambiguous_re_re {
|
|
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
|
|
+}
|
|
|
|
=== added directory 'parser/tst/simple_tests/generated_x'
|
|
=== added file 'parser/tst/simple_tests/generated_x/readme'
|
|
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
|
|
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-07 20:46:15 +0000
|
|
@@ -0,0 +1,2 @@
|
|
+Directory for auto generated x-transition tests
|
|
+
|