2006-04-11 21:52:54 +00:00
|
|
|
/*
|
2007-04-11 08:12:51 +00:00
|
|
|
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
|
|
|
|
* NOVELL (All rights reserved)
|
2012-02-24 04:21:59 -08:00
|
|
|
* Copyright (c) 2010 - 2012
|
|
|
|
|
* Canonical Ltd.
|
2006-04-11 21:52:54 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2010-06-04 18:57:01 -07:00
|
|
|
* along with this program; if not, contact Canonical, Ltd.
|
2006-04-11 21:52:54 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* Definitions section */
|
|
|
|
|
/* %option main */
|
|
|
|
|
|
|
|
|
|
/* eliminates need to link with libfl */
|
|
|
|
|
%option noyywrap
|
2010-11-09 13:39:18 -08:00
|
|
|
%option nounput
|
2012-01-02 16:48:24 -08:00
|
|
|
%option stack
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
%{
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <libintl.h>
|
2009-07-24 07:35:39 +00:00
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <dirent.h>
|
2006-04-11 21:52:54 +00:00
|
|
|
#define _(s) gettext(s)
|
|
|
|
|
|
|
|
|
|
#include "parser.h"
|
2009-07-24 07:35:39 +00:00
|
|
|
#include "parser_include.h"
|
2006-04-11 21:52:54 +00:00
|
|
|
#include "parser_yacc.h"
|
2012-08-16 16:26:03 -07:00
|
|
|
#include "lib.h"
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2009-07-24 07:35:39 +00:00
|
|
|
#ifdef PDEBUG
|
|
|
|
|
#undef PDEBUG
|
|
|
|
|
#endif
|
2006-04-11 21:52:54 +00:00
|
|
|
/* #define DEBUG */
|
|
|
|
|
#ifdef DEBUG
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
#define PDEBUG(fmt, args...) printf("Lexer (state %d): " fmt, YY_START, ## args)
|
2006-04-11 21:52:54 +00:00
|
|
|
#else
|
|
|
|
|
#define PDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
#endif
|
|
|
|
|
#define NPDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
|
2010-06-26 13:13:52 -07:00
|
|
|
#define DUMP_PREPROCESS do { if (preprocess_only) ECHO; } while (0)
|
|
|
|
|
|
2010-07-26 09:22:45 -07:00
|
|
|
#define YY_NO_INPUT
|
|
|
|
|
|
2009-07-24 07:35:39 +00:00
|
|
|
struct ignored_suffix_t {
|
|
|
|
|
char * text;
|
|
|
|
|
int len;
|
|
|
|
|
int silent;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
struct ignored_suffix_t ignored_suffixes[] = {
|
|
|
|
|
/* Debian packging files, which are in flux during install
|
|
|
|
|
should be silently ignored. */
|
|
|
|
|
{ ".dpkg-new", 9, 1 },
|
|
|
|
|
{ ".dpkg-old", 9, 1 },
|
|
|
|
|
{ ".dpkg-dist", 10, 1 },
|
2010-02-16 12:56:04 -08:00
|
|
|
{ ".dpkg-bak", 9, 1 },
|
2009-07-24 07:35:39 +00:00
|
|
|
/* RPM packaging files have traditionally not been silently
|
|
|
|
|
ignored */
|
|
|
|
|
{ ".rpmnew", 7, 0 },
|
|
|
|
|
{ ".rpmsave", 8, 0 },
|
|
|
|
|
/* Backup files should be mentioned */
|
|
|
|
|
{ "~", 1, 0 },
|
|
|
|
|
{ NULL, 0, 0 }
|
|
|
|
|
};
|
|
|
|
|
|
2012-08-16 16:26:03 -07:00
|
|
|
static int is_blacklisted(const char *name, const char *path)
|
|
|
|
|
{
|
|
|
|
|
int name_len;
|
|
|
|
|
struct ignored_suffix_t *suffix;
|
|
|
|
|
name_len = strlen(name);
|
|
|
|
|
/* skip blacklisted suffixes */
|
|
|
|
|
for (suffix = ignored_suffixes; suffix->text; suffix++) {
|
|
|
|
|
char *found;
|
|
|
|
|
if ( (found = strstr(name, suffix->text)) &&
|
|
|
|
|
found - name + suffix->len == name_len ) {
|
|
|
|
|
if (!suffix->silent)
|
|
|
|
|
PERROR("Ignoring: '%s'\n", path);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct cb_struct {
|
|
|
|
|
const char *fullpath;
|
|
|
|
|
const char *filename;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int include_dir_cb(__unused DIR *dir, const char *name, struct stat *st,
|
|
|
|
|
void *data)
|
|
|
|
|
{
|
|
|
|
|
struct cb_struct *d = (struct cb_struct *) data;
|
|
|
|
|
|
|
|
|
|
char *path;
|
|
|
|
|
|
|
|
|
|
/* skip dotfiles silently. */
|
|
|
|
|
if (*name == '.')
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (asprintf(&path, "%s/%s", d->fullpath, name) < 0)
|
|
|
|
|
yyerror("Out of memory");
|
|
|
|
|
|
|
|
|
|
if (is_blacklisted(name, path))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (S_ISREG(st->st_mode)) {
|
|
|
|
|
if (!(yyin = fopen(path,"r")))
|
|
|
|
|
yyerror(_("Could not open '%s' in '%s'"), path, d->filename);
|
|
|
|
|
PDEBUG("Opened include \"%s\" in \"%s\"\n", path, d->filename);
|
|
|
|
|
update_mru_tstamp(yyin);
|
|
|
|
|
push_include_stack(path);
|
|
|
|
|
yypush_buffer_state(yy_create_buffer(yyin, YY_BUF_SIZE));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(path);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-24 07:35:39 +00:00
|
|
|
void include_filename(char *filename, int search)
|
|
|
|
|
{
|
|
|
|
|
FILE *include_file = NULL;
|
|
|
|
|
struct stat my_stat;
|
|
|
|
|
char *fullpath = NULL;
|
|
|
|
|
|
2009-07-24 11:56:07 +00:00
|
|
|
if (search) {
|
2010-06-26 13:13:52 -07:00
|
|
|
if (preprocess_only)
|
|
|
|
|
fprintf(yyout, "\n\n##included <%s>\n", filename);
|
2009-07-24 11:56:07 +00:00
|
|
|
include_file = search_path(filename, &fullpath);
|
|
|
|
|
} else {
|
2010-06-26 13:13:52 -07:00
|
|
|
if (preprocess_only)
|
|
|
|
|
fprintf(yyout, "\n\n##included \"%s\"\n", filename);
|
2009-07-24 07:35:39 +00:00
|
|
|
fullpath = strdup(filename);
|
|
|
|
|
include_file = fopen(fullpath, "r");
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-24 11:56:07 +00:00
|
|
|
if (!include_file)
|
2010-06-04 18:47:44 -07:00
|
|
|
yyerror(_("Could not open '%s'"),
|
|
|
|
|
fullpath ? fullpath: filename);
|
2009-07-24 07:35:39 +00:00
|
|
|
|
|
|
|
|
if (fstat(fileno(include_file), &my_stat))
|
|
|
|
|
yyerror(_("fstat failed for '%s'"), fullpath);
|
|
|
|
|
|
|
|
|
|
if (S_ISREG(my_stat.st_mode)) {
|
|
|
|
|
yyin = include_file;
|
2010-09-14 12:22:02 -07:00
|
|
|
update_mru_tstamp(include_file);
|
2009-07-24 07:35:39 +00:00
|
|
|
PDEBUG("Opened include \"%s\"\n", fullpath);
|
2010-06-04 18:47:44 -07:00
|
|
|
push_include_stack(fullpath);
|
2009-07-24 07:35:39 +00:00
|
|
|
yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
|
2012-08-16 16:26:03 -07:00
|
|
|
} else if (S_ISDIR(my_stat.st_mode)) {
|
|
|
|
|
struct cb_struct data = { fullpath, filename };
|
2009-07-24 07:35:39 +00:00
|
|
|
fclose(include_file);
|
|
|
|
|
include_file = NULL;
|
2012-08-16 16:26:03 -07:00
|
|
|
if (dirat_for_each(NULL, fullpath, &data, include_dir_cb)) {
|
|
|
|
|
yyerror(_("Could not process include directory"
|
|
|
|
|
" '%s' in '%s'"), fullpath, filename);;
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
2009-07-24 12:18:12 +00:00
|
|
|
|
|
|
|
|
if (fullpath)
|
|
|
|
|
free(fullpath);
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
%}
|
|
|
|
|
|
2012-01-02 16:49:31 -08:00
|
|
|
CARET "^"
|
2006-04-11 21:52:54 +00:00
|
|
|
OPEN_BRACE \{
|
|
|
|
|
CLOSE_BRACE \}
|
|
|
|
|
SLASH \/
|
|
|
|
|
COLON :
|
|
|
|
|
END_OF_RULE [,]
|
|
|
|
|
RANGE -
|
2009-08-20 15:41:10 +00:00
|
|
|
MODE_CHARS ([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
|
2007-11-29 18:06:53 +00:00
|
|
|
MODES {MODE_CHARS}+
|
2006-04-11 21:52:54 +00:00
|
|
|
WS [[:blank:]]
|
|
|
|
|
NUMBER [[:digit:]]+
|
2012-02-16 07:46:43 -08:00
|
|
|
|
|
|
|
|
ID_CHARS [^ \t\n"!,]
|
|
|
|
|
ID {ID_CHARS}|(,{ID_CHARS})
|
|
|
|
|
IDS {ID}+
|
|
|
|
|
POST_VAR_ID_CHARS [^ \t\n"!,]{-}[=\+]
|
|
|
|
|
POST_VAR_ID {POST_VAR_ID_CHARS}|(,{POST_VAR_ID_CHARS})
|
2012-02-16 07:49:12 -08:00
|
|
|
LIST_VALUE_ID_CHARS [^ \t\n"!,]{-}[()]
|
|
|
|
|
LIST_VALUE_ID {LIST_VALUE_ID_CHARS}+
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
ID_CHARS_NOEQ [^ \t\n"!,]{-}[=]
|
|
|
|
|
ID_NOEQ {ID_CHARS_NOEQ}|(,{ID_CHARS_NOEQ})
|
|
|
|
|
IDS_NOEQ {ID_NOEQ}+
|
2006-04-11 21:52:54 +00:00
|
|
|
ALLOWED_QUOTED_ID [^\0"]|\\\"
|
|
|
|
|
QUOTED_ID \"{ALLOWED_QUOTED_ID}*\"
|
|
|
|
|
|
2012-02-16 07:46:43 -08:00
|
|
|
IP {NUMBER}\.{NUMBER}\.{NUMBER}\.{NUMBER}
|
|
|
|
|
|
2012-01-02 16:48:53 -08:00
|
|
|
HAT hat{WS}*
|
|
|
|
|
PROFILE profile{WS}*
|
2006-04-11 21:52:54 +00:00
|
|
|
KEYWORD [[:alpha:]_]+
|
|
|
|
|
VARIABLE_NAME [[:alpha:]][[:alnum:]_]*
|
|
|
|
|
SET_VAR_PREFIX @
|
|
|
|
|
SET_VARIABLE {SET_VAR_PREFIX}(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
|
|
|
|
|
BOOL_VARIABLE $(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
|
|
|
|
|
|
|
|
|
|
PATHNAME (\/|{SET_VARIABLE}{POST_VAR_ID}){ID}*
|
|
|
|
|
QPATHNAME \"(\/|{SET_VAR_PREFIX})([^\0"]|\\\")*\"
|
|
|
|
|
|
2012-01-02 16:48:34 -08:00
|
|
|
OPEN_PAREN \(
|
|
|
|
|
CLOSE_PAREN \)
|
2012-02-16 07:49:12 -08:00
|
|
|
COMMA \,
|
2006-04-11 21:52:54 +00:00
|
|
|
EQUALS =
|
|
|
|
|
ADD_ASSIGN \+=
|
2007-11-16 09:37:31 +00:00
|
|
|
ARROW ->
|
2008-04-06 18:55:46 +00:00
|
|
|
LT_EQUAL <=
|
2006-04-11 21:52:54 +00:00
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
%x SUB_ID
|
|
|
|
|
%x SUB_VALUE
|
2012-02-16 07:51:33 -08:00
|
|
|
%x EXTCOND_MODE
|
2007-07-27 20:29:47 +00:00
|
|
|
%x NETWORK_MODE
|
2012-02-16 07:49:12 -08:00
|
|
|
%x LIST_VAL_MODE
|
2006-04-11 21:52:54 +00:00
|
|
|
%x ASSIGN_MODE
|
2008-04-06 18:55:46 +00:00
|
|
|
%x RLIMIT_MODE
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
%x MOUNT_MODE
|
2009-07-23 21:18:37 +00:00
|
|
|
%x CHANGE_PROFILE_MODE
|
2009-07-24 07:35:39 +00:00
|
|
|
%x INCLUDE
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
%%
|
|
|
|
|
|
2012-02-16 07:59:23 -08:00
|
|
|
%{
|
|
|
|
|
/* Copied directly into yylex function */
|
|
|
|
|
if (parser_token) {
|
|
|
|
|
int t = parser_token;
|
|
|
|
|
parser_token = 0;
|
|
|
|
|
return t;
|
|
|
|
|
}
|
|
|
|
|
%}
|
|
|
|
|
|
2009-07-24 07:35:39 +00:00
|
|
|
<INCLUDE>{
|
|
|
|
|
{WS}+ { /* Eat whitespace */ }
|
|
|
|
|
\<([^\> \t\n]+)\> { /* <filename> */
|
|
|
|
|
char *filename = strdup(yytext);
|
2009-07-24 12:18:12 +00:00
|
|
|
filename[strlen(filename) - 1] = '\0';
|
|
|
|
|
include_filename(filename + 1, 1);
|
2009-07-24 07:35:39 +00:00
|
|
|
free(filename);
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\"([^\" \t\n]+)\" { /* "filename" */
|
|
|
|
|
char *filename = strdup(yytext);
|
2009-07-24 12:18:12 +00:00
|
|
|
filename[strlen(filename) - 1] = '\0';
|
|
|
|
|
include_filename(filename + 1, 0);
|
2009-07-24 07:35:39 +00:00
|
|
|
free(filename);
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[^\<\>\"{WS}]+ { /* filename */
|
|
|
|
|
include_filename(yytext, 0);
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<<EOF>> {
|
2010-03-12 01:50:26 -08:00
|
|
|
fclose(yyin);
|
2010-06-04 18:47:44 -07:00
|
|
|
pop_include_stack();
|
2009-07-24 07:35:39 +00:00
|
|
|
yypop_buffer_state();
|
|
|
|
|
if ( !YY_CURRENT_BUFFER ) yyterminate();
|
|
|
|
|
}
|
|
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
<INITIAL,MOUNT_MODE>{
|
|
|
|
|
{VARIABLE_NAME}/{WS}*= {
|
2012-02-16 07:53:04 -08:00
|
|
|
/* we match to the = in the lexer so that
|
|
|
|
|
* can switch scanner state. By the time
|
|
|
|
|
* the parser see the = it may be to late
|
|
|
|
|
* as bison may have requested the next
|
|
|
|
|
* token from the scanner
|
|
|
|
|
*/
|
Subject: Fix mount rule preprocessor output
Currently, mount rule preprocessor output is incorrect:
$ echo '/t { mount options=ro /s -> /d, }' | apparmor_parser -p
/t { mountmount =ro /s -> /d, }
$ echo '/t { mount options in (ro) /s -> /d, }' | apparmor_parser -p
/t { mountmount in (ro) /s -> /d, }
This is due to incorrect placement of DUMP_PREPROCESS in parser_lex.l.
With this patch, the output is correct:
$ echo '/t { mount options=ro /s -> /d, }' | apparmor_parser -p
/t { mount options=ro /s -> /d, }
$ echo '/t { mount options in (ro) /s -> /d, }' | apparmor_parser -p
/t { mount options in (ro) /s -> /d,
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-06-25 15:46:57 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-02-16 07:53:04 -08:00
|
|
|
PDEBUG("conditional %s=\n", yytext);
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
yy_push_state(EXTCOND_MODE);
|
|
|
|
|
return TOK_CONDID;
|
|
|
|
|
}
|
2012-03-26 06:17:40 -07:00
|
|
|
{VARIABLE_NAME}/{WS}+in{WS}*\( {
|
|
|
|
|
/* we match to 'in' in the lexer so that
|
|
|
|
|
* we can switch scanner state. By the time
|
|
|
|
|
* the parser see the 'in' it may be to late
|
|
|
|
|
* as bison may have requested the next
|
|
|
|
|
* token from the scanner
|
|
|
|
|
*/
|
Subject: Fix mount rule preprocessor output
Currently, mount rule preprocessor output is incorrect:
$ echo '/t { mount options=ro /s -> /d, }' | apparmor_parser -p
/t { mountmount =ro /s -> /d, }
$ echo '/t { mount options in (ro) /s -> /d, }' | apparmor_parser -p
/t { mountmount in (ro) /s -> /d, }
This is due to incorrect placement of DUMP_PREPROCESS in parser_lex.l.
With this patch, the output is correct:
$ echo '/t { mount options=ro /s -> /d, }' | apparmor_parser -p
/t { mount options=ro /s -> /d, }
$ echo '/t { mount options in (ro) /s -> /d, }' | apparmor_parser -p
/t { mount options in (ro) /s -> /d,
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-06-25 15:46:57 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-03-26 06:17:40 -07:00
|
|
|
PDEBUG("conditional %s=\n", yytext);
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
yy_push_state(EXTCOND_MODE);
|
|
|
|
|
return TOK_CONDID;
|
|
|
|
|
}
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
}
|
2012-02-16 07:53:04 -08:00
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
<SUB_ID>{
|
2012-02-16 07:46:43 -08:00
|
|
|
({IDS}|{QUOTED_ID}) {
|
2006-04-11 21:52:54 +00:00
|
|
|
/* Ugh, this is a gross hack. I used to use
|
2012-02-16 07:46:43 -08:00
|
|
|
* {IDS} to match all TOK_IDs, but that would
|
2006-04-11 21:52:54 +00:00
|
|
|
* also match TOK_MODE + TOK_END_OF_RULE
|
|
|
|
|
* without any spaces in between (because it's
|
|
|
|
|
* a longer match). So now, when I want to
|
|
|
|
|
* match any random string, I go into a
|
2009-07-24 11:56:07 +00:00
|
|
|
* separate state. */
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-01-02 16:48:44 -08:00
|
|
|
yylval.id = processid(yytext, yyleng);
|
2010-03-08 21:49:16 -08:00
|
|
|
PDEBUG("Found sub name: \"%s\"\n", yylval.id);
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2006-04-11 21:52:54 +00:00
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[^\n] {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2006-04-11 21:52:54 +00:00
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
<SUB_VALUE>{
|
|
|
|
|
({IDS}|{QUOTED_ID}) {
|
|
|
|
|
/* Ugh, this is a gross hack. I used to use
|
|
|
|
|
* {IDS} to match all TOK_IDs, but that would
|
|
|
|
|
* also match TOK_MODE + TOK_END_OF_RULE
|
|
|
|
|
* without any spaces in between (because it's
|
|
|
|
|
* a longer match). So now, when I want to
|
|
|
|
|
* match any random string, I go into a
|
|
|
|
|
* separate state. */
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found sub value: \"%s\"\n", yylval.id);
|
|
|
|
|
yy_pop_state();
|
|
|
|
|
return TOK_VALUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[^\n] {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:49:12 -08:00
|
|
|
<LIST_VAL_MODE>{
|
2012-01-02 16:48:34 -08:00
|
|
|
{CLOSE_PAREN} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-02-16 07:49:12 -08:00
|
|
|
PDEBUG("listval: )\n");
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2012-01-02 16:48:34 -08:00
|
|
|
return TOK_CLOSEPAREN;
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2010-06-26 13:13:52 -07:00
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Eat whitespace */ }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2012-02-16 07:49:12 -08:00
|
|
|
{COMMA} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-02-16 07:49:12 -08:00
|
|
|
PDEBUG("listval: , \n");
|
|
|
|
|
/* East comma, its an optional separator */
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:49:12 -08:00
|
|
|
({LIST_VALUE_ID}|{QUOTED_ID}) {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-02-16 07:49:12 -08:00
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
PDEBUG("listval: \"%s\"\n", yylval.id);
|
|
|
|
|
return TOK_VALUE;
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2007-11-16 09:31:33 +00:00
|
|
|
[^\n] {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2006-04-11 21:52:54 +00:00
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:51:33 -08:00
|
|
|
<EXTCOND_MODE>{
|
|
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Eat whitespace */ }
|
|
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
{EQUALS}{WS}*/[^(\n]{-}{WS} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
BEGIN(SUB_VALUE);
|
|
|
|
|
return TOK_EQUALS;
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:51:33 -08:00
|
|
|
{EQUALS} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
return TOK_EQUALS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{OPEN_PAREN} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
PDEBUG("extcond listv\n");
|
|
|
|
|
/* Don't push state here as this is a transition
|
|
|
|
|
* start condition and we want to return to the start
|
|
|
|
|
* condition that invoked <EXTCOND_MODE> when
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
* LIST_VAL_ID is done
|
2012-02-16 07:51:33 -08:00
|
|
|
*/
|
|
|
|
|
BEGIN(LIST_VAL_MODE);
|
|
|
|
|
return TOK_OPENPAREN;
|
|
|
|
|
}
|
|
|
|
|
|
2012-03-26 06:17:40 -07:00
|
|
|
in {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
return TOK_IN;
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:51:33 -08:00
|
|
|
[^\n] {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
/* Something we didn't expect */
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
yyerror(_("Found unexpected character: '%s' %d"), yytext, *yytext);
|
2012-02-16 07:51:33 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
<ASSIGN_MODE>{
|
2010-06-26 13:13:52 -07:00
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Eat whitespace */ }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2012-02-16 07:46:43 -08:00
|
|
|
({IDS}|{QUOTED_ID}) {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-01-02 16:48:44 -08:00
|
|
|
yylval.var_val = processid(yytext, yyleng);
|
2010-03-08 21:49:16 -08:00
|
|
|
PDEBUG("Found assignment value: \"%s\"\n", yylval.var_val);
|
2006-04-11 21:52:54 +00:00
|
|
|
return TOK_VALUE;
|
|
|
|
|
}
|
|
|
|
|
|
2010-11-19 01:42:04 -08:00
|
|
|
{END_OF_RULE} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
yylval.id = strdup(yytext);
|
|
|
|
|
yyerror(_("Variable declarations do not accept trailing commas"));
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-26 13:13:52 -07:00
|
|
|
\\\n { DUMP_PREPROCESS; current_lineno++ ; }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
\r?\n {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2006-04-11 21:52:54 +00:00
|
|
|
current_lineno++;
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
2010-11-19 02:27:33 -08:00
|
|
|
[^\n] {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2007-07-27 20:29:47 +00:00
|
|
|
<NETWORK_MODE>{
|
2010-06-26 13:13:52 -07:00
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Eat whitespace */ }
|
2007-07-27 20:29:47 +00:00
|
|
|
|
2012-02-16 07:46:43 -08:00
|
|
|
{IDS} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2010-03-08 21:49:16 -08:00
|
|
|
yylval.id = strdup(yytext);
|
2007-07-27 20:29:47 +00:00
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
{END_OF_RULE} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2007-07-27 20:29:47 +00:00
|
|
|
return TOK_END_OF_RULE;
|
|
|
|
|
}
|
|
|
|
|
[^\n] {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2007-07-27 20:29:47 +00:00
|
|
|
/* Something we didn't expect */
|
2010-03-08 21:49:16 -08:00
|
|
|
yylval.id = strdup(yytext);
|
|
|
|
|
yyerror(_("(network_mode) Found unexpected character: '%s'"), yylval.id);
|
2007-07-27 20:29:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\r?\n {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2007-07-27 20:29:47 +00:00
|
|
|
current_lineno++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-23 21:18:37 +00:00
|
|
|
<CHANGE_PROFILE_MODE>{
|
|
|
|
|
{ARROW} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2010-03-08 21:49:16 -08:00
|
|
|
PDEBUG("Matched a change profile arrow\n");
|
2009-07-23 21:18:37 +00:00
|
|
|
return TOK_ARROW;
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:46:43 -08:00
|
|
|
({IDS}|{QUOTED_ID}) {
|
2009-07-23 21:18:37 +00:00
|
|
|
/* Ugh, this is a gross hack. I used to use
|
2012-02-16 07:46:43 -08:00
|
|
|
* {IDS} to match all TOK_IDs, but that would
|
2009-07-23 21:18:37 +00:00
|
|
|
* also match TOK_MODE + TOK_END_OF_RULE
|
|
|
|
|
* without any spaces in between (because it's
|
|
|
|
|
* a longer match). So now, when I want to
|
|
|
|
|
* match any random string, I go into a
|
2009-07-24 11:56:07 +00:00
|
|
|
* separate state. */
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-01-02 16:48:44 -08:00
|
|
|
yylval.id = processid(yytext, yyleng);
|
2010-03-08 21:49:16 -08:00
|
|
|
PDEBUG("Found change profile name: \"%s\"\n", yylval.id);
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2009-07-23 21:18:37 +00:00
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-26 13:13:52 -07:00
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ }
|
2009-07-23 21:18:37 +00:00
|
|
|
[^\n] {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2009-07-23 21:18:37 +00:00
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-06 18:55:46 +00:00
|
|
|
<RLIMIT_MODE>{
|
2010-06-26 13:13:52 -07:00
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Eat whitespace */ }
|
2008-04-06 18:55:46 +00:00
|
|
|
|
|
|
|
|
|
Update apparmor's handling of rlimits for cpu limit and more natural units
Allow for rlimit cpu to specified which is now supported by the kernel.
Previously the rlimit units where limited to K, M, G and would fail when
KB, MB, GB where used. Allow for both, also allow for units on lengths
of time, by specifying "seconds", "minutes", "hours".. or any unique subset
eg. "s", "sec", "m", "min", "h", "hour" ..
NOTE:
This patch does not extend rlimits to be able to handle setting of tasks
that are confined by other profiles.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2011-08-10 15:53:39 -07:00
|
|
|
-?{NUMBER}[[:alpha:]]* {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2010-03-08 21:49:16 -08:00
|
|
|
yylval.var_val = strdup(yytext);
|
2008-04-06 18:55:46 +00:00
|
|
|
return TOK_VALUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{KEYWORD} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2010-03-08 21:49:16 -08:00
|
|
|
yylval.id = strdup(yytext);
|
2008-04-06 18:55:46 +00:00
|
|
|
if (strcmp(yytext, "infinity") == 0)
|
|
|
|
|
return TOK_VALUE;
|
|
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-26 13:13:52 -07:00
|
|
|
{LT_EQUAL} { DUMP_PREPROCESS; return TOK_LE; }
|
2008-04-06 18:55:46 +00:00
|
|
|
|
|
|
|
|
{END_OF_RULE} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2008-04-06 18:55:46 +00:00
|
|
|
return TOK_END_OF_RULE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\\\n {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2008-04-06 18:55:46 +00:00
|
|
|
current_lineno++;
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2008-04-06 18:55:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\r?\n {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2008-04-06 18:55:46 +00:00
|
|
|
current_lineno++;
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2008-04-06 18:55:46 +00:00
|
|
|
}
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
<MOUNT_MODE>{
|
|
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ }
|
|
|
|
|
|
|
|
|
|
{ARROW} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
PDEBUG("Matched arrow\n");
|
|
|
|
|
return TOK_ARROW;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
({IDS_NOEQ}|{PATHNAME}|{QUOTED_ID}) {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found ID: \"%s\"\n", yylval.id);
|
|
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{END_OF_RULE} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
yy_pop_state();
|
|
|
|
|
return TOK_END_OF_RULE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[^\n] {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\r?\n {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
current_lineno++;
|
|
|
|
|
yy_pop_state();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-01-02 16:47:32 -08:00
|
|
|
#include/.*\r?\n { /* include */
|
|
|
|
|
PDEBUG("Matched #include\n");
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_push_state(INCLUDE);
|
2012-01-02 16:47:32 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#.*\r?\n { /* normal comment */
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
PDEBUG("comment(%d): %s\n", current_lineno, yytext);
|
|
|
|
|
current_lineno++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{END_OF_RULE} { DUMP_PREPROCESS; return TOK_END_OF_RULE; }
|
|
|
|
|
|
2012-01-02 16:49:31 -08:00
|
|
|
{CARET} {
|
2012-01-02 16:47:32 -08:00
|
|
|
DUMP_PREPROCESS;
|
2012-01-02 16:49:31 -08:00
|
|
|
PDEBUG("Matched hat ^\n");
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
yy_push_state(SUB_ID);
|
2012-01-02 16:49:31 -08:00
|
|
|
return TOK_CARET;
|
2012-01-02 16:47:32 -08:00
|
|
|
}
|
|
|
|
|
{ARROW} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
PDEBUG("Matched a arrow\n");
|
|
|
|
|
return TOK_ARROW;
|
|
|
|
|
}
|
|
|
|
|
{EQUALS} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
PDEBUG("Matched equals for assignment\n");
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_push_state(ASSIGN_MODE);
|
2012-01-02 16:47:32 -08:00
|
|
|
return TOK_EQUALS;
|
|
|
|
|
}
|
|
|
|
|
{ADD_ASSIGN} {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
PDEBUG("Matched additive value assignment\n");
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_push_state(ASSIGN_MODE);
|
2012-01-02 16:47:32 -08:00
|
|
|
return TOK_ADD_ASSIGN;
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
{SET_VARIABLE} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2010-03-08 21:49:16 -08:00
|
|
|
yylval.set_var = strdup(yytext);
|
|
|
|
|
PDEBUG("Found set variable %s\n", yylval.set_var);
|
2006-04-11 21:52:54 +00:00
|
|
|
return TOK_SET_VAR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{BOOL_VARIABLE} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2010-03-08 21:49:16 -08:00
|
|
|
yylval.bool_var = strdup(yytext);
|
|
|
|
|
PDEBUG("Found boolean variable %s\n", yylval.bool_var);
|
2006-04-11 21:52:54 +00:00
|
|
|
return TOK_BOOL_VAR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{OPEN_BRACE} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2006-04-11 21:52:54 +00:00
|
|
|
PDEBUG("Open Brace\n");
|
|
|
|
|
return TOK_OPEN;
|
|
|
|
|
}
|
|
|
|
|
{CLOSE_BRACE} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2006-04-11 21:52:54 +00:00
|
|
|
PDEBUG("Close Brace\n");
|
|
|
|
|
return TOK_CLOSE;
|
|
|
|
|
}
|
|
|
|
|
|
2012-01-02 16:48:44 -08:00
|
|
|
({PATHNAME}|{QPATHNAME}) {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-01-02 16:48:44 -08:00
|
|
|
yylval.id = processid(yytext, yyleng);
|
2010-03-08 21:49:16 -08:00
|
|
|
PDEBUG("Found id: \"%s\"\n", yylval.id);
|
2006-04-11 21:52:54 +00:00
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:56:53 -08:00
|
|
|
({MODES})/([[:space:],]) {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2010-03-08 21:49:16 -08:00
|
|
|
yylval.mode = strdup(yytext);
|
|
|
|
|
PDEBUG("Found modes: %s\n", yylval.mode);
|
2006-04-11 21:52:54 +00:00
|
|
|
return TOK_MODE;
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-27 20:48:24 +00:00
|
|
|
{HAT} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
yy_push_state(SUB_ID);
|
2007-07-27 20:48:24 +00:00
|
|
|
return TOK_HAT;
|
|
|
|
|
}
|
|
|
|
|
|
2012-01-02 16:48:53 -08:00
|
|
|
{PROFILE} {
|
|
|
|
|
DUMP_PREPROCESS;
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
yy_push_state(SUB_ID);
|
2012-01-02 16:48:53 -08:00
|
|
|
return TOK_PROFILE;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-16 09:18:48 +00:00
|
|
|
{COLON} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2007-11-16 09:18:48 +00:00
|
|
|
PDEBUG("Found a colon\n");
|
|
|
|
|
return TOK_COLON;
|
|
|
|
|
}
|
|
|
|
|
|
2012-01-02 16:48:34 -08:00
|
|
|
{OPEN_PAREN} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2012-02-16 07:49:12 -08:00
|
|
|
PDEBUG("listval (\n");
|
|
|
|
|
yy_push_state(LIST_VAL_MODE);
|
2012-01-02 16:48:34 -08:00
|
|
|
return TOK_OPENPAREN;
|
2007-11-16 09:31:33 +00:00
|
|
|
}
|
|
|
|
|
|
2007-11-16 09:18:48 +00:00
|
|
|
{VARIABLE_NAME} {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
2006-04-11 21:52:54 +00:00
|
|
|
int token = get_keyword_token(yytext);
|
|
|
|
|
|
|
|
|
|
/* special cases */
|
|
|
|
|
switch (token) {
|
|
|
|
|
case -1:
|
|
|
|
|
/* no token found */
|
2010-03-08 21:49:16 -08:00
|
|
|
yylval.id = processunquoted(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found (var) id: \"%s\"\n", yylval.id);
|
2007-11-16 09:18:48 +00:00
|
|
|
return TOK_ID;
|
2006-04-11 21:52:54 +00:00
|
|
|
break;
|
2008-04-06 18:55:46 +00:00
|
|
|
case TOK_RLIMIT:
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_push_state(RLIMIT_MODE);
|
2008-04-06 18:55:46 +00:00
|
|
|
break;
|
2007-07-27 20:29:47 +00:00
|
|
|
case TOK_NETWORK:
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_push_state(NETWORK_MODE);
|
2007-07-27 20:29:47 +00:00
|
|
|
break;
|
2009-07-23 21:18:37 +00:00
|
|
|
case TOK_CHANGE_PROFILE:
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_push_state(CHANGE_PROFILE_MODE);
|
2009-07-23 21:18:37 +00:00
|
|
|
break;
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
case TOK_MOUNT:
|
|
|
|
|
case TOK_REMOUNT:
|
|
|
|
|
case TOK_UMOUNT:
|
|
|
|
|
PDEBUG("Entering mount\n");
|
|
|
|
|
yy_push_state(MOUNT_MODE);
|
|
|
|
|
break;
|
2006-04-11 21:52:54 +00:00
|
|
|
default: /* nothing */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return token;
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-26 13:13:52 -07:00
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2010-06-26 13:13:52 -07:00
|
|
|
\r?\n { DUMP_PREPROCESS; current_lineno++ ; }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
[^\n] {
|
2010-06-26 13:13:52 -07:00
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
/* Something we didn't expect */
|
2008-05-29 18:58:18 +00:00
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
%%
|