[apparmor] [PATCH 16/31] parser: Move match file handling to separate file

Tyler Hicks tyhicks at canonical.com
Fri Jan 23 03:34:37 UTC 2015 

On 2015-01-22 10:17:26, John Johansen wrote:
> On 12/05/2014 04:22 PM, Tyler Hicks wrote:
> > In addition, define MATCH_STRING_SIZE macro instead of using a magic
> > number.
> > 
> err, why? The match file is just the old (deprecated) way of specifying
> what features are available in the kernel.
> 
> I really don't see a reason to separate it from features, in fact worse
> than that I want to hide the existence of match and not have it be
> part of a public api because it has never been upstream nor will it.

I was not aware of the history of the match file. Was this an Ubuntu
thing, SUSE thing, or more widespread than a single distro?

Separating it out seemed like the right thing to do because I thought
that the parser was the only thing that would ever need to worry about
it. For example, systemd would not need to use the aa_match API.

However, from what you've explained, it makes sense to hide it behind
the aa_features API. If the match file support was specific to a single
distro, it may even make sense for that distro to carry a patch to
libapparmor to support it. You tell me what to do here and I'll do it.

Tyler

> 
> 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> >  parser/Makefile      | 10 +++++++---
> >  parser/features.c    | 19 -------------------
> >  parser/features.h    |  1 -
> >  parser/match.c       | 46 ++++++++++++++++++++++++++++++++++++++++++++++
> >  parser/match.h       | 26 ++++++++++++++++++++++++++
> >  parser/parser_main.c |  1 +
> >  6 files changed, 80 insertions(+), 23 deletions(-)
> >  create mode 100644 parser/match.c
> >  create mode 100644 parser/match.h
> > 
> > diff --git a/parser/Makefile b/parser/Makefile
> > index c50398f..7f2a532 100644
> > --- a/parser/Makefile
> > +++ b/parser/Makefile
> > @@ -81,10 +81,11 @@ SRCS = parser_common.c parser_include.c parser_interface.c parser_lex.c \
> >         parser_yacc.c parser_regex.c parser_variable.c parser_policy.c \
> >         parser_alias.c common_optarg.c lib.c network.c \
> >         mount.cc dbus.cc profile.cc rule.cc signal.cc ptrace.cc \
> > -       af_rule.cc af_unix.cc features.c policy_cache.c kernel_interface.c
> > +       af_rule.cc af_unix.cc features.c policy_cache.c kernel_interface.c \
> > +       match.c
> >  HDRS = parser.h parser_include.h immunix.h mount.h dbus.h lib.h profile.h \
> >         rule.h common_optarg.h signal.h ptrace.h network.h af_rule.h af_unix.h \
> > -       features.h policy_cache.h kernel_interface.h
> > +       features.h policy_cache.h kernel_interface.h match.h
> >  TOOLS = apparmor_parser
> >  
> >  OBJECTS = $(patsubst %.cc, %.o, $(SRCS:.c=.o))
> > @@ -243,7 +244,10 @@ mount.o: mount.cc mount.h parser.h immunix.h rule.h
> >  common_optarg.o: common_optarg.c common_optarg.h parser.h libapparmor_re/apparmor_re.h
> >  	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
> >  
> > -features.o: features.c features.h parser.h libapparmor_re/apparmor_re.h
> > +features.o: features.c features.h parser.h match.h libapparmor_re/apparmor_re.h
> > +	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
> > +
> > +match.o: match.c match.h parser.h
> >  	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
> >  
> >  policy_cache.o: policy_cache.c policy_cache.h parser.h features.h
> > diff --git a/parser/features.c b/parser/features.c
> > index d195e2b..1adeba9 100644
> > --- a/parser/features.c
> > +++ b/parser/features.c
> > @@ -166,22 +166,3 @@ int load_features(const char *name)
> >  
> >  	return 0;
> >  }
> > -
> > -void set_features_by_match_file(void)
> > -{
> > -	autofclose FILE *ms = fopen(MATCH_FILE, "r");
> > -	if (ms) {
> > -		autofree char *match_string = (char *) malloc(1000);
> > -		if (!match_string)
> > -			goto no_match;
> > -		if (!fgets(match_string, 1000, ms))
> > -			goto no_match;
> > -		if (strstr(match_string, " perms=c"))
> > -			perms_create = 1;
> > -		kernel_supports_network = 1;
> > -		return;
> > -	}
> > -
> > -no_match:
> > -	perms_create = 1;
> > -}
> > diff --git a/parser/features.h b/parser/features.h
> > index f0d9adc..aaa4229 100644
> > --- a/parser/features.h
> > +++ b/parser/features.h
> > @@ -21,7 +21,6 @@
> >  
> >  #include "parser.h"
> >  
> > -#define MATCH_FILE "/sys/kernel/security/" MODULE_NAME "/matching"
> >  #define FEATURES_FILE "/sys/kernel/security/" MODULE_NAME "/features"
> >  
> >  extern char *features_string;
> > diff --git a/parser/match.c b/parser/match.c
> > new file mode 100644
> > index 0000000..770d548
> > --- /dev/null
> > +++ b/parser/match.c
> > @@ -0,0 +1,46 @@
> > +/*
> > + *   Copyright (c) 2014
> > + *   Canonical, Ltd. (All rights reserved)
> > + *
> > + *   This program is free software; you can redistribute it and/or
> > + *   modify it under the terms of version 2 of the GNU General Public
> > + *   License published by the Free Software Foundation.
> > + *
> > + *   This program is distributed in the hope that it will be useful,
> > + *   but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > + *   GNU General Public License for more details.
> > + *
> > + *   You should have received a copy of the GNU General Public License
> > + *   along with this program; if not, contact Novell, Inc. or Canonical
> > + *   Ltd.
> > + */
> > +
> > +#include <stdio.h>
> > +#include <string.h>
> > +#include <stdlib.h>
> > +
> > +#include "match.h"
> > +#include "lib.h"
> > +#include "parser.h"
> > +
> > +#define MATCH_STRING_SIZE 1000
> > +
> > +void set_features_by_match_file(void)
> > +{
> > +	autofclose FILE *ms = fopen(MATCH_FILE, "r");
> > +	if (ms) {
> > +		autofree char *match_string = (char *) malloc(MATCH_STRING_SIZE);
> > +		if (!match_string)
> > +			goto no_match;
> > +		if (!fgets(match_string, MATCH_STRING_SIZE, ms))
> > +			goto no_match;
> > +		if (strstr(match_string, " perms=c"))
> > +			perms_create = 1;
> > +		kernel_supports_network = 1;
> > +		return;
> > +	}
> > +
> > +no_match:
> > +	perms_create = 1;
> > +}
> > diff --git a/parser/match.h b/parser/match.h
> > new file mode 100644
> > index 0000000..deb7c00
> > --- /dev/null
> > +++ b/parser/match.h
> > @@ -0,0 +1,26 @@
> > +/*
> > + *   Copyright (c) 2014
> > + *   Canonical, Ltd. (All rights reserved)
> > + *
> > + *   This program is free software; you can redistribute it and/or
> > + *   modify it under the terms of version 2 of the GNU General Public
> > + *   License published by the Free Software Foundation.
> > + *
> > + *   This program is distributed in the hope that it will be useful,
> > + *   but WITHOUT ANY WARRANTY; without even the implied warranty of
> > + *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > + *   GNU General Public License for more details.
> > + *
> > + *   You should have received a copy of the GNU General Public License
> > + *   along with this program; if not, contact Novell, Inc. or Canonical
> > + *   Ltd.
> > + */
> > +
> > +#ifndef __AA_MATCH_H
> > +#define __AA_MATCH_H
> > +
> > +#define MATCH_FILE "/sys/kernel/security/" MODULE_NAME "/matching"
> > +
> > +void set_features_by_match_file(void);
> > +
> > +#endif /* __AA_MATCH_H */
> > diff --git a/parser/parser_main.c b/parser/parser_main.c
> > index 4af54a5..2888a1a 100644
> > --- a/parser/parser_main.c
> > +++ b/parser/parser_main.c
> > @@ -41,6 +41,7 @@
> >  
> >  #include "lib.h"
> >  #include "features.h"
> > +#include "match.h"
> >  #include "kernel_interface.h"
> >  #include "parser.h"
> >  #include "parser_version.h"
> > 
> 
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150122/d7227821/attachment.pgp>

More information about the AppArmor mailing list