2006-04-12 03:09:10 +00:00
|
|
|
/* $Id$ */
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
/*
|
2007-04-11 08:12:51 +00:00
|
|
|
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
|
|
|
|
* NOVELL (All rights reserved)
|
2006-04-11 21:52:54 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, contact Novell, Inc.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* Definitions section */
|
|
|
|
|
/* %option main */
|
|
|
|
|
|
|
|
|
|
/* eliminates need to link with libfl */
|
|
|
|
|
%option noyywrap
|
|
|
|
|
|
|
|
|
|
%{
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <libintl.h>
|
|
|
|
|
#define _(s) gettext(s)
|
|
|
|
|
|
|
|
|
|
#include "parser.h"
|
|
|
|
|
#include "parser_yacc.h"
|
|
|
|
|
|
|
|
|
|
/* #define DEBUG */
|
|
|
|
|
#ifdef DEBUG
|
|
|
|
|
#define PDEBUG(fmt, args...) printf("Lexer: " fmt, ## args)
|
|
|
|
|
#else
|
|
|
|
|
#define PDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
#endif
|
|
|
|
|
#define NPDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
|
|
|
|
|
int current_lineno = 1;
|
|
|
|
|
|
|
|
|
|
%}
|
|
|
|
|
|
|
|
|
|
UP "^"
|
|
|
|
|
OPEN_BRACE \{
|
|
|
|
|
CLOSE_BRACE \}
|
|
|
|
|
SLASH \/
|
|
|
|
|
COLON :
|
|
|
|
|
END_OF_RULE [,]
|
|
|
|
|
SEPERATOR {UP}
|
|
|
|
|
RANGE -
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
MODE_CHARS ([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
|
2007-11-29 18:06:53 +00:00
|
|
|
MODES {MODE_CHARS}+
|
2006-04-11 21:52:54 +00:00
|
|
|
WS [[:blank:]]
|
|
|
|
|
NUMBER [[:digit:]]+
|
2007-07-27 20:27:41 +00:00
|
|
|
ID [^ \t\n"!,]|(,[^ \t\n"!])
|
|
|
|
|
POST_VAR_ID [^ =\+\t\n"!,]|(,[^ =\+\t\n"!])
|
2006-04-11 21:52:54 +00:00
|
|
|
IP {NUMBER}\.{NUMBER}\.{NUMBER}\.{NUMBER}
|
|
|
|
|
ALLOWED_QUOTED_ID [^\0"]|\\\"
|
|
|
|
|
QUOTED_ID \"{ALLOWED_QUOTED_ID}*\"
|
|
|
|
|
|
2007-07-27 20:48:24 +00:00
|
|
|
HAT hat[ \t]+
|
2006-04-11 21:52:54 +00:00
|
|
|
KEYWORD [[:alpha:]_]+
|
|
|
|
|
VARIABLE_NAME [[:alpha:]][[:alnum:]_]*
|
|
|
|
|
SET_VAR_PREFIX @
|
|
|
|
|
SET_VARIABLE {SET_VAR_PREFIX}(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
|
|
|
|
|
BOOL_VARIABLE $(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
|
|
|
|
|
|
|
|
|
|
PATHNAME (\/|{SET_VARIABLE}{POST_VAR_ID}){ID}*
|
|
|
|
|
QPATHNAME \"(\/|{SET_VAR_PREFIX})([^\0"]|\\\")*\"
|
|
|
|
|
|
|
|
|
|
FLAGOPEN_PAREN \(
|
|
|
|
|
FLAGCLOSE_PAREN \)
|
|
|
|
|
FLAGSEP \,
|
|
|
|
|
EQUALS =
|
|
|
|
|
ADD_ASSIGN \+=
|
2007-11-16 09:37:31 +00:00
|
|
|
ARROW ->
|
2008-04-06 18:55:46 +00:00
|
|
|
LT_EQUAL <=
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
%x SUB_NAME
|
2007-07-27 20:29:47 +00:00
|
|
|
%x NETWORK_MODE
|
2006-04-11 21:52:54 +00:00
|
|
|
%x FLAGS_MODE
|
|
|
|
|
%x ASSIGN_MODE
|
2008-04-06 18:55:46 +00:00
|
|
|
%x RLIMIT_MODE
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
%%
|
|
|
|
|
|
|
|
|
|
<SUB_NAME>{
|
|
|
|
|
{ID}+ {
|
|
|
|
|
/* Ugh, this is a gross hack. I used to use
|
|
|
|
|
* {ID}+ to match all TOK_IDs, but that would
|
|
|
|
|
* also match TOK_MODE + TOK_END_OF_RULE
|
|
|
|
|
* without any spaces in between (because it's
|
|
|
|
|
* a longer match). So now, when I want to
|
|
|
|
|
* match any random string, I go into a
|
|
|
|
|
* seperate state. */
|
|
|
|
|
yylval = (YYSTYPE) processunquoted(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found sub name: \"%s\"\n", yylval);
|
|
|
|
|
BEGIN(INITIAL);
|
|
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
{QUOTED_ID} {
|
|
|
|
|
/* Ugh, this is a gross hack. I used to use
|
|
|
|
|
* {ID}+ to match all TOK_IDs, but that would
|
|
|
|
|
* also match TOK_MODE + TOK_END_OF_RULE
|
|
|
|
|
* without any spaces in between (because it's
|
|
|
|
|
* a longer match). So now, when I want to
|
|
|
|
|
* match any random string, I go into a
|
|
|
|
|
* seperate state. */
|
|
|
|
|
yylval = (YYSTYPE) processquoted(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found sub name: \"%s\"\n", yylval);
|
|
|
|
|
BEGIN(INITIAL);
|
|
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
[^\n] {
|
|
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<FLAGS_MODE>{
|
|
|
|
|
{FLAGOPEN_PAREN} {
|
|
|
|
|
PDEBUG("FLag (\n");
|
|
|
|
|
return TOK_FLAG_OPENPAREN;
|
|
|
|
|
}
|
|
|
|
|
{FLAGCLOSE_PAREN} {
|
|
|
|
|
PDEBUG("Flag )\n");
|
|
|
|
|
BEGIN(INITIAL);
|
|
|
|
|
return TOK_FLAG_CLOSEPAREN;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-16 09:31:33 +00:00
|
|
|
{WS}+ { /* Eat whitespace */ }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
{FLAGSEP} {
|
|
|
|
|
PDEBUG("Flag , \n");
|
|
|
|
|
return TOK_FLAG_SEP;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{EQUALS} {
|
|
|
|
|
PDEBUG("Flag = \n");
|
|
|
|
|
return TOK_EQUALS;
|
|
|
|
|
}
|
|
|
|
|
{KEYWORD} {
|
2007-11-16 09:31:33 +00:00
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
return TOK_FLAG_ID;
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2007-11-16 09:31:33 +00:00
|
|
|
[^\n] {
|
2006-04-11 21:52:54 +00:00
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<ASSIGN_MODE>{
|
|
|
|
|
{WS}+ { /* Eat whitespace */ }
|
|
|
|
|
|
|
|
|
|
{ID}+ {
|
|
|
|
|
yylval = (YYSTYPE) processunquoted(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found assignment value: \"%s\"\n", yylval);
|
|
|
|
|
return TOK_VALUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{QUOTED_ID} {
|
|
|
|
|
yylval = (YYSTYPE) processquoted(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found assignment value: \"%s\"\n", yylval);
|
|
|
|
|
return TOK_VALUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\\\n { current_lineno++ ; }
|
|
|
|
|
|
|
|
|
|
\r?\n {
|
|
|
|
|
current_lineno++;
|
|
|
|
|
BEGIN(INITIAL);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-27 20:29:47 +00:00
|
|
|
<NETWORK_MODE>{
|
|
|
|
|
{WS}+ { /* Eat whitespace */ }
|
|
|
|
|
|
|
|
|
|
{ID}+ {
|
|
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
{END_OF_RULE} {
|
|
|
|
|
BEGIN(INITIAL);
|
|
|
|
|
return TOK_END_OF_RULE;
|
|
|
|
|
}
|
|
|
|
|
[^\n] {
|
|
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
yyerror(_("(network_mode) Found unexpected character: '%s'"), yylval);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\r?\n {
|
|
|
|
|
current_lineno++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
#.*\n { /* Comment - ignore */
|
|
|
|
|
current_lineno++;
|
|
|
|
|
PDEBUG("Line no++: %d\n", current_lineno);
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-27 20:27:41 +00:00
|
|
|
{END_OF_RULE} { return TOK_END_OF_RULE; }
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
{SEPERATOR} {
|
|
|
|
|
PDEBUG("Matched a seperator\n");
|
|
|
|
|
yylval = (YYSTYPE) yytext;
|
|
|
|
|
BEGIN(SUB_NAME);
|
|
|
|
|
return TOK_SEP;
|
|
|
|
|
}
|
2007-11-16 09:37:31 +00:00
|
|
|
{ARROW} {
|
|
|
|
|
PDEBUG("Matched a arrow\n");
|
|
|
|
|
yylval = (YYSTYPE) yytext;
|
|
|
|
|
return TOK_ARROW;
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
{EQUALS} {
|
|
|
|
|
PDEBUG("Matched equals for assignment\n");
|
|
|
|
|
BEGIN(ASSIGN_MODE);
|
|
|
|
|
return TOK_EQUALS;
|
|
|
|
|
}
|
|
|
|
|
{ADD_ASSIGN} {
|
|
|
|
|
PDEBUG("Matched additive value assignment\n");
|
|
|
|
|
BEGIN(ASSIGN_MODE);
|
|
|
|
|
return TOK_ADD_ASSIGN;
|
|
|
|
|
}
|
2008-04-06 18:55:46 +00:00
|
|
|
<RLIMIT_MODE>{
|
|
|
|
|
{WS}+ { /* Eat whitespace */ }
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-?{NUMBER}[kKMG]? {
|
|
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
return TOK_VALUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{KEYWORD} {
|
|
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
if (strcmp(yytext, "infinity") == 0)
|
|
|
|
|
return TOK_VALUE;
|
|
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{LT_EQUAL} { return TOK_LE; }
|
|
|
|
|
|
|
|
|
|
{END_OF_RULE} {
|
|
|
|
|
BEGIN(INITIAL);
|
|
|
|
|
return TOK_END_OF_RULE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\\\n {
|
|
|
|
|
current_lineno++;
|
|
|
|
|
BEGIN(INITIAL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
\r?\n {
|
|
|
|
|
current_lineno++;
|
|
|
|
|
BEGIN(INITIAL);
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
{SET_VARIABLE} {
|
|
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
PDEBUG("Found set variable %s\n", yylval);
|
|
|
|
|
return TOK_SET_VAR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{BOOL_VARIABLE} {
|
|
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
PDEBUG("Found boolean variable %s\n", yylval);
|
|
|
|
|
return TOK_BOOL_VAR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{OPEN_BRACE} {
|
|
|
|
|
PDEBUG("Open Brace\n");
|
|
|
|
|
return TOK_OPEN;
|
|
|
|
|
}
|
|
|
|
|
{CLOSE_BRACE} {
|
|
|
|
|
PDEBUG("Close Brace\n");
|
|
|
|
|
return TOK_CLOSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{PATHNAME} {
|
|
|
|
|
yylval = (YYSTYPE) processunquoted(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found id: \"%s\"\n", yylval);
|
|
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{QPATHNAME} {
|
|
|
|
|
yylval = (YYSTYPE) processquoted(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found id: \"%s\"\n", yylval);
|
|
|
|
|
return TOK_ID;
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-27 20:38:43 +00:00
|
|
|
{MODES} {
|
2006-04-11 21:52:54 +00:00
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
PDEBUG("Found modes: %s\n", yylval);
|
|
|
|
|
return TOK_MODE;
|
|
|
|
|
}
|
|
|
|
|
|
2007-07-27 20:48:24 +00:00
|
|
|
{HAT} {
|
|
|
|
|
BEGIN(SUB_NAME);
|
|
|
|
|
return TOK_HAT;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-16 09:18:48 +00:00
|
|
|
{COLON} {
|
|
|
|
|
PDEBUG("Found a colon\n");
|
|
|
|
|
return TOK_COLON;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-16 09:31:33 +00:00
|
|
|
{FLAGOPEN_PAREN} {
|
|
|
|
|
PDEBUG("FLag (\n");
|
|
|
|
|
BEGIN(FLAGS_MODE);
|
|
|
|
|
return TOK_FLAG_OPENPAREN;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-16 09:18:48 +00:00
|
|
|
{VARIABLE_NAME} {
|
2006-04-11 21:52:54 +00:00
|
|
|
int token = get_keyword_token(yytext);
|
|
|
|
|
|
|
|
|
|
/* special cases */
|
|
|
|
|
switch (token) {
|
|
|
|
|
case -1:
|
|
|
|
|
/* no token found */
|
2007-11-16 09:18:48 +00:00
|
|
|
yylval = (YYSTYPE) processunquoted(yytext, yyleng);
|
|
|
|
|
PDEBUG("Found id: \"%s\"\n", yylval);
|
|
|
|
|
return TOK_ID;
|
2006-04-11 21:52:54 +00:00
|
|
|
break;
|
|
|
|
|
case TOK_FLAGS:
|
|
|
|
|
BEGIN(FLAGS_MODE);
|
|
|
|
|
break;
|
2008-04-06 18:55:46 +00:00
|
|
|
case TOK_RLIMIT:
|
|
|
|
|
BEGIN(RLIMIT_MODE);
|
|
|
|
|
break;
|
2007-07-27 20:29:47 +00:00
|
|
|
case TOK_NETWORK:
|
|
|
|
|
BEGIN(NETWORK_MODE);
|
|
|
|
|
break;
|
2006-04-11 21:52:54 +00:00
|
|
|
default: /* nothing */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return token;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{WS}+ { /* Ignoring whitespace */ }
|
|
|
|
|
|
|
|
|
|
\r?\n { current_lineno++ ; }
|
|
|
|
|
|
|
|
|
|
[^\n] {
|
|
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yylval = (YYSTYPE) strdup(yytext);
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yylval);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
%%
|