From: John Johansen <john.johansen@canonical.com>
Subject: apparmor-parser: Fix two x transition conflict bugs.
References: bnc#662928 lpn#lp693082

The is_merged_x_consistend macro was incorrect in that is tested for USER_EXEC_TYPE to determine if there was an x transition. This fails for unconfined execs so an unconfined exec would not correctly conflict with another exec type.

The dfa match flag table for xtransitions was not large enough and not indexed properly for pux, and cux transitions. The index calculation did not take into account the pux flag so that pux and px aliased to the same location and cux and cx aliased to the same location. This would result in the first rule being processed defining what the transition type was for all following rules of the type following. So if a px transition was processed first all pux, transitions in the profile would be treated pux.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
---
 immunix.h | 4
 libapparmor_re/regexp.y | 4
 tst/Makefile | 13 ++-
 tst/gen-xtrans.pl | 152 ++++++++++++++++++++++++++++++++++++
 tst/simple_tests/generated_x/readme | 2
 5 files changed, 169 insertions(+), 6 deletions(-)
--- a/immunix.h
+++ b/immunix.h
@@ -148,12 +148,12 @@ enum pattern_t {
 #include <stdio.h>
 static inline int is_merged_x_consistent(int a, int b)
 {
-	if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+	if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
 	    ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE))) {
 		fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
 		return 0;
 	}
-	if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+	if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
 	    ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE))) {
 		fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
 		return 0;
--- a/libapparmor_re/regexp.y
+++ b/libapparmor_re/regexp.y
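Review bot: The new condition gates the type comparison on the bare exec bit and nothing in the hunk records why, so a later reader could "correct" it back to AA_USER_EXEC_TYPE; a comment above the first `if` should carry the reason the commit message gives: `/* gate on the exec bit, not the type bits: an unconfined (ux) exec has no type bits set yet must still conflict with any other exec type */`. Note that a rule carrying type bits but no exec bit now bypasses the check entirely, and the still-commented "adding X rule without MAY_EXEC" diagnostic in regexp.y suggests such rules can reach the parser, so that case should either be rejected here or documented as a precondition, assuming those bits can in fact be set independently. The function's final return lies outside the hunk.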
@@ -2098,8 +2098,8 @@ extern "C" int aare_add_rule_vec(aare_ru
 	flip_tree(tree);
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
 //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 //	fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
--- a/tst/Makefile
+++ b/tst/Makefile
@@ -10,9 +10,18 @@ endif
 all: tests
-.PHONY: tests
-tests: ../apparmor_parser
+.PHONY: tests gen_xtrans
+
+tests: gen_xtrans parser_sanity
+
+parser_sanity: ../apparmor_parser
 	$(Q)${PROVE} ${PROVE_ARG} ${TESTS}
+gen_xtrans:
+	perl ./gen-xtrans.pl
+
 ../apparmor_parser:
 	make -C .. apparmor_parser
+
+clean:
+	rm -f simple_tests/generated_x/*
--- /dev/null
+++ b/tst/gen-xtrans.pl
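Review bot: EXTRACT_X_INDEX now yields a 7-bit index (0..0x7f), yet these four lines are the entire regexp.y change per the diffstat, so the match-flag table this macro indexes is not resized in this patch; unless that table is already declared with at least 128 entries, the out-of-range access the commit message describes is shifted rather than removed, which should be confirmed against the declaration. The coupling between mask and table size deserves to be visible, e.g. `/* 7-bit index: any table indexed by EXTRACT_X_INDEX needs (0x7f + 1) entries */` on the macro, or a compile-time check of the form `sizeof(table) / sizeof(table[0]) > 0x7f` next to the table definition. The enclosing aare_add_rule_vec begins before and continues after this hunk.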
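Review bot: `clean` runs `rm -f simple_tests/generated_x/*`, which also deletes the `readme` this same patch adds to that directory; restricting it to the generated suffix, `rm -f simple_tests/generated_x/*.sd`, keeps the tracked file. Separately, `tests: gen_xtrans parser_sanity` only lists the two targets, so under `make -j` prove can start before gen-xtrans.pl has finished writing its files; making the order explicit with `parser_sanity: ../apparmor_parser gen_xtrans` fixes that. `parser_sanity` and `clean` should also join the `.PHONY` list so a file of either name cannot shadow the target.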
@@ -0,0 +1,154 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+#my @modifiers = ("i", "u");
+# Apparmor 2.3 has no qualified 'u' mode.
+my @modifiers = ("i");
+my %trans_modifiers = (
+	"p" => \@modifiers,
+	"P" => \@modifiers,
+	"c" => \@modifiers,
+	"C" => \@modifiers,
+	);
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+	"p" => \@targets,
+	"P" => \@targets,
+	"c" => \@targets,
+	"C" => \@targets,
+	"u" => \@null_target,
+	"i" => \@null_target,
+	);
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+	my @output;
+	foreach my $trans (@trans_types) {
+		if ($trans_modifiers{$trans}) {
+			foreach my $mod (@{$trans_modifiers{$trans}}) {
+				push @output, "${trans}${mod}x";
+			}
+		}
+		push @output, "${trans}x";
+	}
+	return @output;
+}
+
+sub print_rule($$$$) {
+	my ($file, $name, $perm, $target) = @_;
+	print $file "\t${name} ${perm}";
+	if ($target ne "") {
+		print $file " -> $target";
+	}
+	print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+	my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+#	print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+	my $file;
+	unless (open $file, ">$name") {
+		print("couldn't open $name\n");
+		exit 1;
+	}
+
+	print $file "#\n";
+	print $file "#=DESCRIPTION ${name}\n";
+	print $file "#=EXRESULT ${xres}\n";
+	print $file "#\n";
+	print $file "/usr/bin/foo {\n";
+	print_rule($file, $rule1, $perm1, $target1);
+	print_rule($file, $rule2, $perm2, $target2);
+	print $file "}";
+	close($file);
+
+	$count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+#	/* px -> /foo//bar,
+#	/* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+	my ($name, $rule1, $rule2, $default) = @_;
+
+	my @perms = gen_list();
+
+#	print "@perms\n";
+
+	foreach my $i (@perms) {
+		foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+			foreach my $q (@qualifiers) {
+				foreach my $j (@perms) {
+					foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+						foreach my $r (@qualifiers) {
+							my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+#							print "$file\n";
+
+							#override failures when transitions are the same
+							my $xres = ${default};
+							if ($i eq $j && $t eq $u) {
+								$xres = "PASS";
+							}
+
+
+#							print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+							gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+						}
+					}
+				}
+			}
+		}
+	}
+
+}
+
+sub gen_conflicting_x {
+	gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+	gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+	gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+	gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
--- /dev/null
+++ b/tst/simple_tests/generated_x/readme
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+
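Review bot: `$prefix` is `"simple_tests/"`, so every generated `.sd` file is written into the top of simple_tests rather than into `simple_tests/generated_x/`, which the readme and the Makefile clean target in this same patch treat as the output directory (and the extra slash in `"${prefix}/${name}-..."` produces `simple_tests//...` paths); presumably `my $prefix="simple_tests/generated_x";` was intended. The `unless (open $file, ">$name")` is a two-argument open and `close($file)` is unchecked, so a write error leaves a truncated file that prove then runs as a test case; `open my $file, '>', $name or die "couldn't open $name: $!";` and `close($file) or die "close $name: $!";` surface the failure instead. Since `$name` is assembled only from the hard-coded lists above, the two-arg form is a style point here rather than a mode-injection risk. `Locale::gettext` is loaded but never used, which drags a non-core module into the test build for nothing, and `use warnings` is missing next to `use strict`.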