[apparmor] [patch 12/12] map the net permission set into a form compatible with the old dfa table

Seth Arnold seth.arnold at canonical.com
Fri Aug 29 23:57:06 UTC 2014


On Fri, Aug 29, 2014 at 01:23:42PM -0700, John Johansen wrote:
> >> +static uint32_t map_perms(uint32_t mask)
> >> +{
> >> +	return (mask & 0x7f) |
> >> +		((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
> >> +		((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) | /* 2 + (AA_OTHER_SHIFT - 20) */
> >> +		((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
> >> +}
> >> +
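Review bot: the right shifts on the ACCEPT/BIND/LISTEN and SETOPT/GETOPT lines are the bare literals 4 and 5, while the GETATTR/SETATTR line derives its shift from AA_OTHER_SHIFT, so the literals go stale silently if AA_OTHER_SHIFT or any AA_NET_* bit position changes. The trailing comments give a formula rather than the ranges involved; stating the source and destination bit positions on each line would let a reader check for overlap at a glance. The 0x7f mask on the first line should get the same treatment, since it keeps bits 0-6 only.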
> > 
> > Bits 0-7 inclusive stay put
> > Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR
> > Bits 20-23 inclusive move -4 to 16-19 ACCEPT | BIND | LISTEN
> > Bits 24-25 inclusive move -5 to 19-20 SETOPT | GETOPT
> > 
> > Is this correct? It looks like AA_NET_LISTEN overlaps with AA_NET_GETOPT.
> > 
> No, your counting is off
> 20-22 inclusive move -4 to 16-18  ACCEPT | BIND | LISTEN  (notice 22 not 23)
> 
> 23 is skipped, hence the need to shift 5 for 24-25 instead of 4
> 
> 24-25 inclusive move -5 to 19-20
> 
> obviously the comments could be fixed to list the bit positions as above

Oh! This is fantastic. Thanks. Happy to find out it was a mistake on
my end. (Even if there had been a nice comment here I would have wanted to
duplicate the math to ensure it was right. Hopefully future readers will
share the same skepticism..)

Thanks
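
The overlap check worked through in this thread, as an added example that is not part of the original message or of the AppArmor source. The bit positions and the value 14 for AA_OTHER_SHIFT are assumptions taken from the numbers quoted above, and `map_perms_with`, `count_collisions`, `SOCK_WRONG` and the other mask names are hypothetical helpers.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout, taken from the bit positions quoted in this thread,
 * not from the AppArmor headers. */
#define AA_OTHER_SHIFT 14             /* "(14 - 8) = 6" in the thread */
#define LOW_BITS   0x7fu              /* mask kept in place by the patch */
#define ATTR_BITS  (0x3u << 8)        /* GETATTR | SETATTR, bits 8-9 */
#define SOCK_BITS  (0x7u << 20)       /* ACCEPT | BIND | LISTEN, bits 20-22 */
#define SOCK_WRONG (0xfu << 20)       /* the miscounted reading, bits 20-23 */
#define OPT_BITS   (0x3u << 24)       /* SETOPT | GETOPT, bits 24-25 */

/* Same shifts as the patch; sock_bits is a parameter so both readings
 * of the third group can be compared. */
static uint32_t map_perms_with(uint32_t mask, uint32_t sock_bits)
{
	return (mask & LOW_BITS) |
		((mask & ATTR_BITS) << (AA_OTHER_SHIFT - 8)) |
		((mask & sock_bits) >> 4) |
		((mask & OPT_BITS) >> 5);
}

/* Map each source bit alone; count bits that land on an already-used
 * destination, and return the union of destinations through *image. */
static int count_collisions(uint32_t sock_bits, uint32_t *image)
{
	uint32_t seen = 0;
	int collisions = 0;

	for (int bit = 0; bit < 32; bit++) {
		uint32_t out = map_perms_with(UINT32_C(1) << bit, sock_bits);
		if (out & seen)
			collisions++;
		seen |= out;
	}
	*image = seen;
	return collisions;
}

int main(void)
{
	uint32_t image;
	int n = count_collisions(SOCK_BITS, &image);
	printf("bits 20-22: %d collisions, image 0x%06x\n", n, (unsigned)image);
	n = count_collisions(SOCK_WRONG, &image);
	printf("bits 20-23: %d collisions, image 0x%06x\n", n, (unsigned)image);
	return 0;
}
```

With the third group read as bits 20-23, bit 23 and bit 24 both land on bit 19, which is the overlap the original question was worried about; with bits 20-22 every source bit gets its own destination.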
