[apparmor] [patch 05/12] Make the af type protocol mappings available for use
Steve Beattie
steve at nxnw.org
Mon Aug 25 20:42:38 UTC 2014
On Mon, Aug 25, 2014 at 12:47:26PM -0700, John Johansen wrote:
> This is a fix for [patch 05/12] Make the af type protocol mappings available for use
>
> Before the af type protocol mappings patch was applied, a single rule could
> result in multiple rule entries being created. The af type protocol mappings
> patch broke this by applying only the first of the mappings that could be
> found.
>
> Restore the previous behavior by searching through the entire table until
> all matches have been made.
NACK.
> === modified file 'parser/network.c'
> --- parser/network.c 2014-08-24 07:00:28 +0000
> +++ parser/network.c 2014-08-25 19:45:28 +0000
> @@ -249,22 +249,24 @@
> }
>
>
> -const struct network_tuple *net_find_mapping(const char *family,
> +const struct network_tuple *net_find_mapping(struct network_tuple *map,
> + const char *family,
> const char *type,
> const char *protocol)
> {
> - int i;
> + if (!map)
> + map = network_mappings;
>
> - for (i = 0; network_mappings[i].family_name; i++) {
> + while (map->family_name) {
> if (family) {
> - PDEBUG("Checking family %s\n", network_mappings[i].family_name);
> - if (strcmp(family, network_mappings[i].family_name) != 0)
> + PDEBUG("Checking family %s\n", map->family_name);
> + if (strcmp(family, map->family_name) != 0)
> continue;
map needs to be advanced here, as this just gets stuck in an infinite
loop if family != map->family_name.
> PDEBUG("Found family %s\n", family);
> }
> if (type) {
> - PDEBUG("Checking type %s\n", network_mappings[i].type_name);
> - if (strcmp(type, network_mappings[i].type_name) != 0)
> + PDEBUG("Checking type %s\n", map->type_name);
> + if (strcmp(type, map->type_name) != 0)
> continue;
> PDEBUG("Found type %s\n", type);
> }
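Review bot: The new `map` parameter of `net_find_mapping` is declared `struct network_tuple *`, although the visible code only reads through it and the function returns `const struct network_tuple *`. A caller holding an earlier result, such as the `const struct network_tuple *mapping` in the caller hunk further down, cannot pass it back as a start position without casting away const. I would declare it `const struct network_tuple *net_find_mapping(const struct network_tuple *map,` here and make the same change to the prototype in the parser/network.h hunk. The function body continues past this hunk.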
> @@ -272,12 +274,12 @@
> /* allows the proto to be the "type", ie. tcp implies
> * stream */
> if (!type) {
> - PDEBUG("Checking protocol type %s\n", network_mappings[i].type_name);
> - if (strcmp(protocol, network_mappings[i].type_name) == 0)
> + PDEBUG("Checking protocol type %s\n", map->type_name);
> + if (strcmp(protocol, map->type_name) == 0)
> goto match;
> }
> - PDEBUG("Checking type %s protocol %s\n", network_mappings[i].type_name, network_mappings[i].protocol_name);
> - if (strcmp(protocol, network_mappings[i].protocol_name) != 0)
> + PDEBUG("Checking type %s protocol %s\n", map->type_name, map->protocol_name);
> + if (strcmp(protocol, map->protocol_name) != 0)
> continue;
> /* fixme should we allow specifying protocol by #
> * without needing the protocol mapping? */
> @@ -285,7 +287,7 @@
>
> /* if we get this far we have a match */
> match:
> - return &network_mappings[i];
> + return map;
> }
>
> return NULL;
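Review bot: `net_find_mapping` gains a `map` argument but no comment states its contract, which the signature alone does not make clear. From the visible lines, the search tests the entry `map` points at first, `return map;` hands back that same entry when it matches, and NULL selects `network_mappings`. Code that continues a search therefore has to start one entry past the previous result, or the same tuple is returned again. I would add above the function `/* map: first entry to test, or NULL to start at network_mappings; to continue a search pass the previous result + 1 */`. The function starts above this hunk.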
> @@ -295,9 +297,9 @@
> const char *protocol)
> {
> struct aa_network_entry *new_entry, *entry = NULL;
> - const struct network_tuple *mapping = net_find_mapping(family, type, protocol);
> + const struct network_tuple *mapping = NULL;
>
> - if (mapping) {
> + while ((mapping = net_find_mapping(NULL, family, type, protocol))) {
This needs to pass mapping into net_find_mapping (I think) as every
iteration will start over at the beginning of the mapping list.
> new_entry = new_network_ent(mapping->family, mapping->type,
> mapping->protocol);
> if (!new_entry)
>
> === modified file 'parser/network.h'
> --- parser/network.h 2014-08-24 07:00:28 +0000
> +++ parser/network.h 2014-08-25 19:39:10 +0000
> @@ -88,7 +88,8 @@
> const char *net_find_type_name(int type);
> int net_find_af_val(const char *af);
> const char *net_find_af_name(unsigned int af);
> -const struct network_tuple *net_find_mapping(const char *family,
> +const struct network_tuple *net_find_mapping(struct network_tuple *map,
> + const char *family,
> const char *type,
> const char *protocol);
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/