[apparmor] [PATCH 2/2] parser: Don't write the stream's address to the rule buffer

Tyler Hicks tyhicks at canonical.com
Wed Aug 27 22:01:46 UTC 2014


The writeu16() function was returning a reference to the passed-in
std::ostringstream, and its callers were then streaming that return value
back into the rule buffer, which appended the stream object's address (as a
run of hex digits, visible in the "Before" DFA dump below right after the
AF_UNIX and socket-type encodings) to the generated rule.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---

Before:

  $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser -qQD dfa-states
  {1} <== (allow/deny/audit/quiet)
  {2} (0x 4/0/0/0)
  {3} (0x 4/0/0/0)
  {43} (0x 46/0/0/0)
  {44} (0x 46/0/0/0)
  
  {1} -> {2}: 0x2
  {1} -> {3}: 0x4
  {1} -> {2}: 0x7
  {1} -> {2}: 0x9
  {1} -> {2}: 0xa
  {1} -> {2}: 0x20 \ 
  {1} -> {4}: 0x34 4
  {3}  (0x 4/0/0/0) -> {5}: 0x0
  {4} -> {6}: 0x0
  {5} -> {7}: 0x1
  {6} -> {2}: 0x31 1
  {7} -> {8}: 0x30 0
  {8} -> {9}: 0x78 x
  {9} -> {10}: 0x37 7
  {10} -> {11}: 0x66 f
  {11} -> {12}: 0x66 f
  {12} -> {13}: 0x66 f
  {13} -> {14}: 0x31 1
  {14} -> {15}: 0x30 0
  {15} -> {16}: 0x34 4
  {16} -> {17}: 0x66 f
  {17} -> {18}: 0x33 3
  {18} -> {19}: 0x35 5
  {19} -> {20}: 0x31 1
  {20} -> {21}: 0x38 8
  {21} -> {22}: 0x0
  {22} -> {23}: 0x1
  {23} -> {24}: 0x30 0
  {24} -> {25}: 0x78 x
  {25} -> {26}: 0x37 7
  {26} -> {27}: 0x66 f
  {27} -> {28}: 0x66 f
  {28} -> {29}: 0x66 f
  {29} -> {30}: 0x31 1
  {30} -> {31}: 0x30 0
  {31} -> {32}: 0x34 4
  {32} -> {33}: 0x66 f
  {33} -> {34}: 0x33 3
  {34} -> {35}: 0x35 5
  {35} -> {36}: 0x31 1
  {36} -> {37}: 0x38 8
  {37} -> {38}: []
  {38} -> {39}: []
  {39} -> {40}: 0x0
  {39} -> {39}: []
  {40} -> {40}: 0x0
  {40} -> {41}: 0x1
  {40} -> {39}: []
  {41} -> {42}: 0x0
  {41} -> {39}: []
  {42} -> {40}: 0x0
  {42} -> {44}: 0x1
  {42} -> {43}: []
  {43}  (0x 46/0/0/0) -> {40}: 0x0
  {43}  (0x 46/0/0/0) -> {43}: []
  {44}  (0x 46/0/0/0) -> {42}: 0x0
  {44}  (0x 46/0/0/0) -> {43}: []

After:

  $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser -qQD dfa-states
  {1} <== (allow/deny/audit/quiet)
  {2} (0x 4/0/0/0)
  {3} (0x 4/0/0/0)
  {15} (0x 46/0/0/0)
  {16} (0x 46/0/0/0)
  
  {1} -> {2}: 0x2
  {1} -> {3}: 0x4
  {1} -> {2}: 0x7
  {1} -> {2}: 0x9
  {1} -> {2}: 0xa
  {1} -> {2}: 0x20 \ 
  {1} -> {4}: 0x34 4
  {3}  (0x 4/0/0/0) -> {5}: 0x0
  {4} -> {6}: 0x0
  {5} -> {7}: 0x1
  {6} -> {2}: 0x31 1
  {7} -> {8}: 0x0
  {8} -> {9}: 0x1
  {9} -> {10}: []
  {10} -> {11}: []
  {11} -> {12}: 0x0
  {11} -> {11}: []
  {12} -> {12}: 0x0
  {12} -> {13}: 0x1
  {12} -> {11}: []
  {13} -> {14}: 0x0
  {13} -> {11}: []
  {14} -> {12}: 0x0
  {14} -> {16}: 0x1
  {14} -> {15}: []
  {15}  (0x 46/0/0/0) -> {12}: 0x0
  {15}  (0x 46/0/0/0) -> {15}: []
  {16}  (0x 46/0/0/0) -> {14}: 0x0
  {16}  (0x 46/0/0/0) -> {15}: []

 parser/af_unix.cc | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index 7f6c0d0..51e986f 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -189,7 +189,7 @@ static void warn_once(const char *name)
 	warn_once(name, "extended network unix socket rules not enforced");
 }
 
-std::ostringstream &writeu16(std::ostringstream &o, int v)
+static void writeu16(std::ostringstream &o, int v)
 {
 	u16 tmp = htobe16((u16) v);
 	u8 *byte1 = (u8 *)&tmp;
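Review bot: The new `static void writeu16(std::ostringstream &o, int v)` signature still accepts an `int` and narrows it with the C-style `(u16) v` cast on the line above, so a negative or greater-than-0xffff value is silently emitted as a wrong two-byte encoding instead of being rejected. The callers pass `sock_type_n` and `proto_n`, which presumably originate from the parsed rule, so the contract deserves at least a comment and ideally a check: `/* Append v to o as two \xNN escapes in big-endian byte order; v must be in 0..0xffff. */` above the signature, and, if the parser's error path allows it, a range check before the cast. The body of writeu16 continues past this hunk.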
@@ -197,7 +197,6 @@ std::ostringstream &writeu16(std::ostringstream &o, int v)
 
 	o << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(*byte1);
 	o << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(*byte2);
-	return o;
 }
 
 #define CMD_ADDR	1
@@ -256,13 +255,13 @@ int unix_rule::gen_policy_re(Profile &prof)
 
 
 	buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NET;
-	buffer << writeu16(buffer, AF_UNIX);
+	writeu16(buffer, AF_UNIX);
 	if (sock_type)
-		buffer << writeu16(buffer, sock_type_n);
+		writeu16(buffer, sock_type_n);
 	else
 		buffer << "..";
 	if (proto)
-		buffer << writeu16(buffer, proto_n);
+		writeu16(buffer, proto_n);
 	else
 		buffer << "..";
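Review bot: Nothing in gen_policy_re records that family, type and protocol must each be exactly two bytes wide, although the `..` wildcard in the two else branches only lines up because writeu16() emits exactly two `\xNN` escapes. That invariant is worth pinning in a comment above the first `writeu16(buffer, AF_UNIX);` call: `/* each of family, type and protocol is exactly two bytes: writeu16() emits two \xNN escapes and ".." is the any-value wildcard of the same width */`. The old defect compiled and loaded silently (the "Before" dump shows the stream address spliced in after the AF_UNIX and type encodings, so the rule presumably matched none of the traffic it named), which argues for a regression check on the generated expression for `unix (connect,read,write) type=stream,` if the parser test suite can compare generated regexes. gen_policy_re begins before this hunk and continues after it.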
 
-- 
2.1.0



