Description: Check for kernel support prior to processing dbus entries
When a parser that is aware of dbus rules is running under a kernel
that is unaware of dbus rules, the parser should ignore the dbus rules
instead of attempting to load them into the kernel. Otherwise, the
kernel will reject the entire profile, leaving the application
Similar to what is done for mount rules, the features listed in
apparmorfs should be checked to see if dbus is supported under the
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Origin: backport, revision id: tyhicks@canonical.com-20131030000323-s9gvhv02e5b83lml
Author: Tyler Hicks <tyhicks@canonical.com>
Bug: https://launchpad.net/bugs/1231778
Last-Update: 2013-10-30
X-Bzr-Revision-Id: tyhicks@canonical.com-20131030000323-s9gvhv02e5b83lml
Index: apparmor-2.8.0/parser/parser.h
22
===================================================================
23
--- apparmor-2.8.0.orig/parser/parser.h 2013-10-29 17:11:21.018325063 -0700
24
+++ apparmor-2.8.0/parser/parser.h 2013-10-29 17:11:20.998325063 -0700
25
@@ -268,6 +268,7 @@ extern int net_af_max_override;
26
extern int kernel_load;
27
extern int kernel_supports_network;
28
extern int kernel_supports_mount;
29
+extern int kernel_supports_dbus;
30
extern int flag_changehat_version;
31
extern int conf_verbose;
32
extern int conf_quiet;
33
Index: apparmor-2.8.0/parser/parser_common.c
34
===================================================================
35
--- apparmor-2.8.0.orig/parser/parser_common.c 2013-10-29 17:11:21.018325063 -0700
36
+++ apparmor-2.8.0/parser/parser_common.c 2013-10-29 17:11:21.002325063 -0700
37
@@ -28,6 +28,7 @@ int net_af_max_override = -1;
39
int kernel_supports_network = 1; /* kernel supports network rules */
40
int kernel_supports_mount = 0; /* kernel supports mount rules */
41
+int kernel_supports_dbus = 0; /* kernel supports dbus rules */
42
int flag_changehat_version = FLAG_CHANGEHAT_1_5;
45
Index: apparmor-2.8.0/parser/parser_main.c
46
===================================================================
47
--- apparmor-2.8.0.orig/parser/parser_main.c 2013-10-29 17:11:21.018325063 -0700
48
+++ apparmor-2.8.0/parser/parser_main.c 2013-10-29 17:11:21.006325063 -0700
49
@@ -805,6 +805,8 @@ static void get_match_string(void) {
50
kernel_supports_network = 0;
51
if (strstr(flags_string, "mount"))
52
kernel_supports_mount = 1;
53
+ if (strstr(flags_string, "dbus"))
54
+ kernel_supports_dbus = 1;
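Review bot: `strstr(flags_string, "dbus")` is a substring test, so any token in the kernel's features string that merely contains "dbus" would set `kernel_supports_dbus`; the existing "mount" check just above has the same property. A false positive matters because, per the commit description, a kernel that does not understand dbus rules rejects the entire profile. If the features string is delimiter-separated, matching a whole token would be safer. At minimum, record the assumption with a comment such as `/* substring match: assumes no other feature name contains "dbus" */`. get_match_string starts and ends outside this hunk, so how flags_string is filled is not visible here.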
58
Index: apparmor-2.8.0/parser/parser_regex.c
59
===================================================================
60
--- apparmor-2.8.0.orig/parser/parser_regex.c 2013-10-29 17:11:21.018325063 -0700
61
+++ apparmor-2.8.0/parser/parser_regex.c 2013-10-29 18:08:00.790308545 -0700
62
@@ -1172,15 +1172,19 @@ static int post_process_mnt_ents(struct
63
static int post_process_dbus_ents(struct codomain *cod)
66
- struct dbus_entry *entry;
69
- list_for_each(cod->dbus_ents, entry) {
70
- if (regex_type == AARE_DFA &&
71
- !process_dbus_entry(cod->policy_rules, entry))
75
+ if (cod->dbus_ents && kernel_supports_dbus) {
76
+ struct dbus_entry *entry;
78
+ list_for_each(cod->dbus_ents, entry) {
79
+ if (regex_type == AARE_DFA &&
80
+ !process_dbus_entry(cod->policy_rules, entry))
84
+ } else if (cod->dbus_ents && !kernel_supports_dbus)
85
+ pwarn("profile %s dbus rules not enforced\n", cod->name);
87
cod->policy_rule_count += count;
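Review bot: In the new `else if` branch of post_process_dbus_ents the dbus rules are dropped and the profile still loads, with `pwarn` as the only signal that D-Bus access is not mediated for that profile. If that warning is suppressed in quiet mode (parser.h declares `conf_quiet`; whether pwarn honours it is not visible here) or lost in boot-time output, the administrator cannot tell the loaded policy is weaker than the one written. I would document the fail-open choice at the branch, e.g. `/* kernel lacks dbus mediation: rules are skipped so the rest of the profile loads; D-Bus is NOT confined */`. The branch can also be written `} else if (cod->dbus_ents) {` with braces, since `!kernel_supports_dbus` is already implied once the first test has failed. The function's closing lines are not shown on the page.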