2006-04-12 03:09:10 +00:00
|
|
|
/* $Id$ */
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
/*
|
2007-04-11 08:12:51 +00:00
|
|
|
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
|
|
|
|
* NOVELL (All rights reserved)
|
2006-04-11 21:52:54 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, contact Novell, Inc.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdarg.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <libintl.h>
|
|
|
|
|
#define _(s) gettext(s)
|
|
|
|
|
|
|
|
|
|
/* #define DEBUG */
|
|
|
|
|
|
|
|
|
|
#include "parser.h"
|
2007-02-27 02:29:16 +00:00
|
|
|
#include "libapparmor_re/apparmor_re.h"
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
enum error_type {
|
|
|
|
|
e_no_error,
|
|
|
|
|
e_parse_error,
|
|
|
|
|
e_buffer_overflow
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* filter_escapes: scan input for any escape characters
|
|
|
|
|
* and remove, and reduce double \\ to a single
|
|
|
|
|
* NOTE: modifies in place the contents of the name argument */
|
|
|
|
|
static void filter_escapes(char *name)
|
|
|
|
|
{
|
|
|
|
|
char *sptr, *dptr;
|
|
|
|
|
BOOL bEscape = 0;
|
|
|
|
|
|
|
|
|
|
if (!name) /* shouldn't happen */
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
sptr = dptr = name;
|
|
|
|
|
while (*sptr) {
|
|
|
|
|
if (*sptr == '\\') {
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
*dptr++ = *sptr++;
|
|
|
|
|
} else {
|
|
|
|
|
++sptr;
|
|
|
|
|
bEscape = TRUE;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
} else if (dptr < sptr) {
|
|
|
|
|
*dptr++ = *sptr++;
|
|
|
|
|
} else {
|
|
|
|
|
dptr++;
|
|
|
|
|
sptr++;
|
|
|
|
|
}
|
|
|
|
|
bEscape = 0;
|
|
|
|
|
}
|
|
|
|
|
*dptr = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Filters out multiple slashes (except if the first two are slashes,
|
|
|
|
|
* that's a distinct namespace in linux) and trailing slashes.
|
|
|
|
|
* NOTE: modifies in place the contents of the path argument */
|
|
|
|
|
|
|
|
|
|
static void filter_slashes(char *path)
|
|
|
|
|
{
|
|
|
|
|
char *sptr, *dptr;
|
|
|
|
|
BOOL seen_slash = 0;
|
|
|
|
|
int len;
|
|
|
|
|
|
|
|
|
|
if (!path || (strlen(path) < 2))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
sptr = dptr = path;
|
|
|
|
|
|
|
|
|
|
/* special case for linux // namespace */
|
|
|
|
|
if (sptr[0] == '/' && sptr[1] == '/' && sptr[2] != '/') {
|
|
|
|
|
sptr += 2;
|
|
|
|
|
dptr += 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (*sptr) {
|
|
|
|
|
if (*sptr == '/') {
|
|
|
|
|
if (seen_slash) {
|
|
|
|
|
++sptr;
|
|
|
|
|
} else {
|
|
|
|
|
*dptr++ = *sptr++;
|
|
|
|
|
seen_slash = TRUE;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
seen_slash = 0;
|
|
|
|
|
if (dptr < sptr) {
|
|
|
|
|
*dptr++ = *sptr++;
|
|
|
|
|
} else {
|
|
|
|
|
dptr++;
|
|
|
|
|
sptr++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
*dptr = 0;
|
2007-03-14 22:00:39 +00:00
|
|
|
|
|
|
|
|
if (regex_type != AARE_DFA) {
|
|
|
|
|
/* eliminate trailing slashes for versions of apparmor that
|
|
|
|
|
* do not use the dfa engine.
|
|
|
|
|
* Versions of apparmor which use the dfa engine use the
|
|
|
|
|
* trailing / to differentiate between file and directory
|
|
|
|
|
* matches
|
|
|
|
|
*/
|
|
|
|
|
len = strlen(path);
|
|
|
|
|
if (len > 2 && path[len -1] == '/') {
|
|
|
|
|
path[len - 1] = 0;
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
static pattern_t convert_aaregex_to_pcre(const char *aare, int anchor,
|
|
|
|
|
char *pcre, size_t pcre_size)
|
2006-04-11 21:52:54 +00:00
|
|
|
{
|
|
|
|
|
#define STORE(_src, _dest, _len) \
|
2007-02-27 02:29:16 +00:00
|
|
|
if ((const char*)_dest + _len > (pcre + pcre_size)){ \
|
2006-04-11 21:52:54 +00:00
|
|
|
error = e_buffer_overflow; \
|
|
|
|
|
} else { \
|
|
|
|
|
memcpy(_dest, _src, _len); \
|
|
|
|
|
_dest += _len; \
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
int ret = TRUE;
|
|
|
|
|
/* flag to indicate input error */
|
|
|
|
|
enum error_type error;
|
|
|
|
|
|
|
|
|
|
const char *sptr;
|
|
|
|
|
char *dptr;
|
|
|
|
|
pattern_t ptype;
|
|
|
|
|
|
|
|
|
|
BOOL bEscape = 0; /* flag to indicate escape */
|
|
|
|
|
int ingrouping = 0; /* flag to indicate {} context */
|
|
|
|
|
int incharclass = 0; /* flag to indicate [ ] context */
|
|
|
|
|
|
|
|
|
|
error = e_no_error;
|
|
|
|
|
ptype = ePatternBasic; /* assume no regex */
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
sptr = aare;
|
|
|
|
|
dptr = pcre;
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
if (anchor)
|
|
|
|
|
/* anchor beginning of regular expression */
|
|
|
|
|
*dptr++ = '^';
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
while (error == e_no_error && *sptr) {
|
|
|
|
|
switch (*sptr) {
|
|
|
|
|
|
|
|
|
|
case '\\':
|
|
|
|
|
/* concurrent escapes are allowed now and
|
|
|
|
|
* output as two consecutive escapes so that
|
|
|
|
|
* pcre won't interpret them
|
|
|
|
|
* \\\{...\\\} will be emitted as \\\{...\\\}
|
|
|
|
|
* for pcre matching. For string matching
|
|
|
|
|
* and globbing only one escape is output
|
|
|
|
|
* this is done by stripping later
|
|
|
|
|
*/
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
STORE("\\\\", dptr, 2);
|
|
|
|
|
} else {
|
|
|
|
|
bEscape = TRUE;
|
|
|
|
|
++sptr;
|
|
|
|
|
continue; /*skip turning bEscape off */
|
|
|
|
|
} /* bEscape */
|
2007-02-01 20:18:50 +00:00
|
|
|
break;
|
2006-04-11 21:52:54 +00:00
|
|
|
case '*':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* '*' is a PCRE special character */
|
|
|
|
|
/* We store an escaped *, in case we
|
|
|
|
|
* end up using this regex buffer (i.e another
|
|
|
|
|
* non-escaped regex follows)
|
|
|
|
|
*/
|
|
|
|
|
STORE("\\*", dptr, 2);
|
|
|
|
|
} else {
|
2007-03-14 22:00:39 +00:00
|
|
|
if ((dptr > pcre) && *(dptr - 1) == '/') {
|
|
|
|
|
#if 0
|
2009-07-24 07:34:30 +00:00
|
|
|
// handle comment containing use
|
|
|
|
|
// of C comment characters
|
|
|
|
|
// /* /*/ and /** to describe paths
|
|
|
|
|
//
|
|
|
|
|
// modify what is emitted for * and **
|
|
|
|
|
// when used as the only path
|
|
|
|
|
// component
|
|
|
|
|
// ex.
|
|
|
|
|
// /* /*/ /**/ /**
|
|
|
|
|
// this prevents these expressions
|
|
|
|
|
// from matching directories or
|
|
|
|
|
// invalid paths
|
|
|
|
|
// in these case * and ** must
|
|
|
|
|
// match at least 1 character to
|
|
|
|
|
// get a valid path element.
|
|
|
|
|
// ex.
|
|
|
|
|
// /foo/* -> should not match /foo/
|
|
|
|
|
// /foo/*bar -> should match /foo/bar
|
|
|
|
|
// /*/foo -> should not match //foo
|
2007-03-14 22:00:39 +00:00
|
|
|
#endif
|
2007-03-14 22:35:55 +00:00
|
|
|
const char *s = sptr;
|
2007-03-14 22:00:39 +00:00
|
|
|
while (*s == '*')
|
|
|
|
|
s++;
|
2007-03-14 22:35:55 +00:00
|
|
|
if (*s == '/' || !*s) {
|
2008-12-04 10:44:02 +00:00
|
|
|
STORE("[^/\\x00]", dptr, 8);
|
2007-03-14 22:35:55 +00:00
|
|
|
}
|
2007-03-14 22:00:39 +00:00
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
if (*(sptr + 1) == '*') {
|
|
|
|
|
/* is this the first regex form we
|
|
|
|
|
* have seen and also the end of
|
|
|
|
|
* pattern? If so, we can use
|
|
|
|
|
* optimised tail globbing rather
|
|
|
|
|
* than full regex.
|
|
|
|
|
*/
|
|
|
|
|
if (*(sptr + 2) == '\0' &&
|
|
|
|
|
ptype == ePatternBasic) {
|
|
|
|
|
ptype = ePatternTailGlob;
|
|
|
|
|
} else {
|
|
|
|
|
ptype = ePatternRegex;
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-04 10:44:02 +00:00
|
|
|
STORE("[^\\x00]*", dptr, 8);
|
2006-04-11 21:52:54 +00:00
|
|
|
sptr++;
|
|
|
|
|
} else {
|
|
|
|
|
ptype = ePatternRegex;
|
2008-12-04 10:44:02 +00:00
|
|
|
STORE("[^/\\x00]*", dptr, 9);
|
2006-04-11 21:52:54 +00:00
|
|
|
} /* *(sptr+1) == '*' */
|
|
|
|
|
} /* bEscape */
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '?':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* ? is not a PCRE regex character
|
|
|
|
|
* so no need to escape, just skip
|
|
|
|
|
* transform
|
|
|
|
|
*/
|
|
|
|
|
STORE(sptr, dptr, 1);
|
|
|
|
|
} else {
|
|
|
|
|
ptype = ePatternRegex;
|
2008-12-04 10:44:02 +00:00
|
|
|
STORE("[^/\\x00]", dptr, 8);
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '[':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* [ is a PCRE special character */
|
|
|
|
|
STORE("\\[", dptr, 2);
|
|
|
|
|
} else {
|
|
|
|
|
incharclass = 1;
|
|
|
|
|
ptype = ePatternRegex;
|
|
|
|
|
STORE(sptr, dptr, 1);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ']':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* ] is a PCRE special character */
|
|
|
|
|
STORE("\\]", dptr, 2);
|
|
|
|
|
} else {
|
|
|
|
|
incharclass = 0;
|
|
|
|
|
STORE(sptr, dptr, 1);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '{':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* { is a PCRE special character */
|
|
|
|
|
STORE("\\{", dptr, 2);
|
|
|
|
|
} else {
|
2008-11-07 01:31:19 +00:00
|
|
|
if (ingrouping) {
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
PERROR(_("%s: Illegal open {, nesting groupings not allowed\n"),
|
|
|
|
|
progname);
|
|
|
|
|
} else {
|
|
|
|
|
ingrouping = 1;
|
2006-04-11 21:52:54 +00:00
|
|
|
ptype = ePatternRegex;
|
|
|
|
|
STORE("(", dptr, 1);
|
2008-11-07 01:31:19 +00:00
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '}':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* { is a PCRE special character */
|
|
|
|
|
STORE("\\}", dptr, 2);
|
|
|
|
|
} else {
|
2008-11-07 01:31:19 +00:00
|
|
|
if (ingrouping <= 1) {
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
|
|
|
|
|
if (ingrouping == 1) {
|
|
|
|
|
PERROR(_("%s: Regex grouping error: Invalid number of items between {}\n"),
|
|
|
|
|
progname);
|
|
|
|
|
|
|
|
|
|
ingrouping = 0; /* prevent further errors */
|
|
|
|
|
|
|
|
|
|
} else { /* ingrouping == 0 */
|
|
|
|
|
PERROR(_("%s: Regex grouping error: Invalid close }, no matching open { detected\n"),
|
|
|
|
|
progname);
|
|
|
|
|
}
|
|
|
|
|
} else { /* ingrouping > 1 */
|
2008-11-07 01:31:19 +00:00
|
|
|
ingrouping = 0;
|
2006-04-11 21:52:54 +00:00
|
|
|
STORE(")", dptr, 1);
|
|
|
|
|
}
|
|
|
|
|
} /* bEscape */
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ',':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* , is not a PCRE regex character
|
|
|
|
|
* so no need to escape, just skip
|
|
|
|
|
* transform
|
|
|
|
|
*/
|
|
|
|
|
STORE(sptr, dptr, 1);
|
|
|
|
|
} else {
|
|
|
|
|
if (ingrouping) {
|
2008-11-07 01:31:19 +00:00
|
|
|
++ingrouping;
|
2006-04-11 21:52:54 +00:00
|
|
|
STORE("|", dptr, 1);
|
|
|
|
|
} else {
|
|
|
|
|
STORE(sptr, dptr, 1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
/* these are special outside of character
|
|
|
|
|
* classes but not in them */
|
|
|
|
|
case '^':
|
|
|
|
|
case '$':
|
|
|
|
|
if (incharclass) {
|
|
|
|
|
STORE(sptr, dptr, 1);
|
|
|
|
|
} else {
|
|
|
|
|
STORE("\\", dptr, 1);
|
|
|
|
|
STORE(sptr, dptr, 1);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Not a subdomain regex, but needs to be
|
|
|
|
|
* escaped as it is a pcre metacharacter which
|
|
|
|
|
* we don't want to support. We always escape
|
|
|
|
|
* these, so no need to check bEscape
|
|
|
|
|
*/
|
|
|
|
|
case '.':
|
|
|
|
|
case '+':
|
|
|
|
|
case '|':
|
|
|
|
|
case '(':
|
|
|
|
|
case ')':
|
|
|
|
|
STORE("\\", dptr, 1);
|
|
|
|
|
// fall through to default
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
STORE(sptr, dptr, 1);
|
|
|
|
|
break;
|
|
|
|
|
} /* switch (*sptr) */
|
|
|
|
|
|
|
|
|
|
bEscape = FALSE;
|
|
|
|
|
++sptr;
|
|
|
|
|
} /* while error == e_no_error && *sptr) */
|
|
|
|
|
|
|
|
|
|
if (ingrouping > 0 || incharclass) {
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
|
|
|
|
|
PERROR(_("%s: Regex grouping error: Unclosed grouping or character class, expecting close }\n"),
|
|
|
|
|
progname);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* anchor end and terminate pattern string */
|
2007-02-27 02:29:16 +00:00
|
|
|
if ((error == e_no_error) && anchor) {
|
|
|
|
|
STORE("$" , dptr, 1);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
if (error == e_no_error) {
|
2007-02-27 02:29:16 +00:00
|
|
|
STORE("", dptr, 1);
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
/* check error again, as above STORE may have set it */
|
|
|
|
|
if (error != e_no_error) {
|
|
|
|
|
if (error == e_buffer_overflow) {
|
|
|
|
|
PERROR(_("%s: Internal buffer overflow detected, %d characters exceeded\n"),
|
|
|
|
|
progname, PATH_MAX);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PERROR(_("%s: Unable to parse input line '%s'\n"),
|
2007-02-27 02:29:16 +00:00
|
|
|
progname, aare);
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
ret = FALSE;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
out:
|
|
|
|
|
if (ret == FALSE)
|
|
|
|
|
ptype = ePatternInvalid;
|
|
|
|
|
return ptype;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int process_pcre_entry(struct cod_entry *entry)
|
|
|
|
|
{
|
|
|
|
|
char tbuf[PATH_MAX + 3]; /* +3 for ^, $ and \0 */
|
|
|
|
|
int ret = TRUE;
|
|
|
|
|
pattern_t ptype;
|
|
|
|
|
|
|
|
|
|
if (!entry) /* shouldn't happen */
|
|
|
|
|
return TRUE;
|
|
|
|
|
|
|
|
|
|
ptype = convert_aaregex_to_pcre(entry->name, 1, tbuf, PATH_MAX + 3);
|
|
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
entry->pattern_type = ptype;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Only use buffer (tbuf) that we built above, if we
|
|
|
|
|
* identified a pattern requiring full regex support.
|
|
|
|
|
*/
|
|
|
|
|
if (ptype == ePatternRegex) {
|
|
|
|
|
int pattlen = strlen(tbuf);
|
|
|
|
|
|
|
|
|
|
if ((entry->pat.regex = malloc(pattlen + 1))) {
|
|
|
|
|
const char *errorreason;
|
|
|
|
|
int errpos;
|
|
|
|
|
|
|
|
|
|
strcpy(entry->pat.regex, tbuf);
|
|
|
|
|
|
|
|
|
|
if ((entry->pat.compiled =
|
|
|
|
|
pcre_compile(entry->pat.regex, 0,
|
|
|
|
|
&errorreason, &errpos,
|
|
|
|
|
NULL))) {
|
|
|
|
|
/* NULL out tables, kernel will use a
|
|
|
|
|
* private version
|
|
|
|
|
*/
|
|
|
|
|
entry->pat.compiled->tables = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
PERROR(_("%s: Failed to compile regex '%s' [original: '%s']\n"),
|
|
|
|
|
progname, entry->pat.regex,
|
|
|
|
|
entry->name);
|
|
|
|
|
|
|
|
|
|
PERROR(_("%s: error near "),
|
|
|
|
|
progname);
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < errpos; i++) {
|
|
|
|
|
fputc('.', stderr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fputc('^', stderr);
|
|
|
|
|
fputc('\n', stderr);
|
|
|
|
|
|
|
|
|
|
PERROR(_("%s: error reason: '%s'\n"),
|
|
|
|
|
progname, errorreason);
|
|
|
|
|
|
|
|
|
|
free(entry->pat.regex);
|
|
|
|
|
entry->pat.regex = NULL;
|
|
|
|
|
|
|
|
|
|
ret = FALSE;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
PERROR(_("%s: Failed to compile regex '%s' [original: '%s'] - malloc failed\n"),
|
|
|
|
|
progname, entry->pat.regex, entry->name);
|
|
|
|
|
|
|
|
|
|
ret = FALSE;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* not a regex, scan input for any escape characters
|
|
|
|
|
* and remove, and reduce double \\ to a single */
|
|
|
|
|
filter_escapes(entry->name);
|
|
|
|
|
} /* ptype == ePatternRegex */
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
|
|
|
|
|
{
|
|
|
|
|
char tbuf[PATH_MAX + 3]; /* +3 for ^, $ and \0 */
|
|
|
|
|
pattern_t ptype;
|
|
|
|
|
|
|
|
|
|
if (!entry) /* shouldn't happen */
|
|
|
|
|
return TRUE;
|
|
|
|
|
|
2009-07-23 21:18:37 +00:00
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
ptype = convert_aaregex_to_pcre(entry->name, 0, tbuf, PATH_MAX + 3);
|
|
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
entry->pattern_type = ptype;
|
|
|
|
|
|
|
|
|
|
/* ix implies m but the apparmor module does not add m bit to
|
|
|
|
|
* dfa states like it does for pcre
|
|
|
|
|
*/
|
2008-04-16 04:44:21 +00:00
|
|
|
if ((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_INHERIT)
|
2007-11-16 09:35:57 +00:00
|
|
|
entry->mode |= AA_EXEC_MMAP << AA_OTHER_SHIFT;
|
2008-04-16 04:44:21 +00:00
|
|
|
if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
|
2007-11-16 09:35:57 +00:00
|
|
|
entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
|
|
|
|
|
|
2008-04-09 23:56:31 +00:00
|
|
|
/* relying on ptrace and change_profile not getting merged earlier */
|
|
|
|
|
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
/* the link bit on the first pair entry should not get masked
|
|
|
|
|
* out by a deny rule, as both pieces of the link pair must
|
|
|
|
|
* match. audit info for the link is carried on the second
|
|
|
|
|
* entry of the pair
|
|
|
|
|
*/
|
|
|
|
|
if (entry->deny && (entry->mode & AA_LINK_BITS)) {
|
|
|
|
|
if (!aare_add_rule(dfarules, tbuf, entry->deny,
|
|
|
|
|
entry->mode & ~AA_LINK_BITS,
|
|
|
|
|
entry->audit & ~AA_LINK_BITS))
|
|
|
|
|
return FALSE;
|
2009-07-23 21:18:37 +00:00
|
|
|
} else if (entry->mode & ~AA_CHANGE_PROFILE) {
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
if (!aare_add_rule(dfarules, tbuf, entry->deny, entry->mode,
|
|
|
|
|
entry->audit))
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2008-04-09 23:56:31 +00:00
|
|
|
|
2007-11-16 09:36:42 +00:00
|
|
|
if (entry->mode & (AA_LINK_BITS)) {
|
|
|
|
|
/* add the pair rule */
|
|
|
|
|
char lbuf[PATH_MAX + 8];
|
|
|
|
|
int perms = AA_LINK_BITS & entry->mode;
|
2008-03-13 16:46:19 +00:00
|
|
|
char *vec[2];
|
|
|
|
|
vec[0] = tbuf;
|
2007-11-16 09:37:31 +00:00
|
|
|
if (entry->link_name) {
|
2008-03-13 16:46:19 +00:00
|
|
|
ptype = convert_aaregex_to_pcre(entry->link_name, 0, lbuf, PATH_MAX + 8);
|
|
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
return FALSE;
|
2008-03-13 16:49:10 +00:00
|
|
|
if (entry->subset)
|
|
|
|
|
perms |= LINK_TO_LINK_SUBSET(perms);
|
2008-03-13 16:46:19 +00:00
|
|
|
vec[1] = lbuf;
|
2007-11-16 09:37:31 +00:00
|
|
|
} else {
|
|
|
|
|
perms |= LINK_TO_LINK_SUBSET(perms);
|
2008-03-13 16:46:19 +00:00
|
|
|
vec[1] = "/[^/].*";
|
2007-11-16 09:37:31 +00:00
|
|
|
}
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
if (!aare_add_rule_vec(dfarules, entry->deny, perms, entry->audit & AA_LINK_BITS, 2, vec))
|
2007-11-16 09:36:42 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
2007-11-16 09:18:48 +00:00
|
|
|
if (entry->mode & AA_CHANGE_PROFILE) {
|
2008-03-13 16:46:19 +00:00
|
|
|
if (entry->namespace) {
|
|
|
|
|
char *vec[2];
|
2009-07-23 21:18:37 +00:00
|
|
|
char lbuf[PATH_MAX + 8];
|
|
|
|
|
ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8);
|
|
|
|
|
vec[0] = lbuf;
|
|
|
|
|
vec[1] = tbuf;
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, 2, vec))
|
2008-03-13 16:46:19 +00:00
|
|
|
return FALSE;
|
|
|
|
|
} else {
|
2009-07-23 21:18:37 +00:00
|
|
|
if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0))
|
2008-03-13 16:46:19 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
2007-11-16 09:18:48 +00:00
|
|
|
}
|
2008-04-09 09:04:08 +00:00
|
|
|
if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
|
|
|
|
|
int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
|
|
|
|
|
if (entry->namespace) {
|
|
|
|
|
char *vec[2];
|
|
|
|
|
vec[0] = entry->namespace;
|
|
|
|
|
vec[1] = entry->name;
|
|
|
|
|
if (!aare_add_rule_vec(dfarules, 0, mode, 0, 2, vec))
|
|
|
|
|
return FALSE;
|
|
|
|
|
} else {
|
|
|
|
|
if (!aare_add_rule(dfarules, entry->name, 0, mode, 0))
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
}
|
2007-11-16 09:36:42 +00:00
|
|
|
return TRUE;
|
2007-02-27 02:29:16 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int post_process_entries(struct codomain *cod)
|
2006-04-11 21:52:54 +00:00
|
|
|
{
|
|
|
|
|
int ret = TRUE, rc;
|
|
|
|
|
struct cod_entry *entry;
|
2007-02-27 02:29:16 +00:00
|
|
|
int count = 0;
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
list_for_each(cod->entries, entry) {
|
2006-04-11 21:52:54 +00:00
|
|
|
filter_slashes(entry->name);
|
2007-02-27 02:29:16 +00:00
|
|
|
if (regex_type == AARE_DFA)
|
|
|
|
|
rc = process_dfa_entry(cod->dfarules, entry);
|
|
|
|
|
else
|
|
|
|
|
rc = process_pcre_entry(entry);
|
2006-04-11 21:52:54 +00:00
|
|
|
if (!rc)
|
|
|
|
|
ret = FALSE;
|
2007-02-27 02:29:16 +00:00
|
|
|
count++;
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
cod->dfarule_count = count;
|
2006-04-11 21:52:54 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int process_regex(struct codomain *cod)
|
|
|
|
|
{
|
2007-02-27 02:29:16 +00:00
|
|
|
int error = -1;
|
2008-11-07 01:31:19 +00:00
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
if (regex_type == AARE_DFA) {
|
|
|
|
|
cod->dfarules = aare_new_ruleset(0);
|
|
|
|
|
if (!cod->dfarules)
|
|
|
|
|
goto out;
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
2007-02-27 02:29:16 +00:00
|
|
|
if (!post_process_entries(cod))
|
|
|
|
|
goto out;
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
if (regex_type == AARE_DFA && cod->dfarule_count > 0) {
|
|
|
|
|
cod->dfa = aare_create_dfa(cod->dfarules, 0, &cod->dfa_size);
|
2008-06-08 08:56:37 +00:00
|
|
|
aare_delete_ruleset(cod->dfarules);
|
|
|
|
|
cod->dfarules = NULL;
|
|
|
|
|
if (!cod->dfa)
|
2007-02-27 02:29:16 +00:00
|
|
|
goto out;
|
|
|
|
|
/*
|
|
|
|
|
if (cod->dfa_size == 0) {
|
|
|
|
|
PERROR(_("profile %s: has merged rules (%s) with "
|
|
|
|
|
"multiple x modifiers\n"),
|
|
|
|
|
cod->name, (char *) cod->dfa);
|
|
|
|
|
free(cod->dfa);
|
|
|
|
|
cod->dfa = NULL;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
*/
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
/*
|
|
|
|
|
* Post process subdomain(s):
|
|
|
|
|
*
|
|
|
|
|
* They are chained from the toplevel subdomain pointer
|
|
|
|
|
* thru each <codomain> next pointer.
|
|
|
|
|
|
|
|
|
|
* i.e first subdomain is list->subdomain
|
|
|
|
|
* second subdomain is list->subdomain->next
|
|
|
|
|
*
|
|
|
|
|
* N.B sub-subdomains are not valid so:
|
|
|
|
|
* if (list->subdomain) {
|
|
|
|
|
* assert(list->subdomain->subdomain == NULL)
|
|
|
|
|
* }
|
|
|
|
|
*/
|
|
|
|
|
if (process_hat_regex(cod) != 0)
|
2007-02-27 02:29:16 +00:00
|
|
|
goto out;
|
2007-02-01 20:18:50 +00:00
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
error = 0;
|
|
|
|
|
|
|
|
|
|
out:
|
2006-04-11 21:52:54 +00:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-24 07:34:11 +00:00
|
|
|
void reset_regex(void)
|
|
|
|
|
{
|
|
|
|
|
aare_reset_matchflags();
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
#ifdef UNIT_TEST
|
|
|
|
|
#define MY_TEST(statement, error) \
|
|
|
|
|
if (!(statement)) { \
|
|
|
|
|
PERROR("FAIL: %s\n", error); \
|
|
|
|
|
rc = 1; \
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Guh, fake routine */
|
|
|
|
|
void yyerror(char *msg, ...)
|
|
|
|
|
{
|
|
|
|
|
va_list arg;
|
|
|
|
|
char buf[PATH_MAX];
|
|
|
|
|
|
|
|
|
|
va_start(arg, msg);
|
|
|
|
|
vsnprintf(buf, sizeof(buf), msg, arg);
|
|
|
|
|
va_end(arg);
|
|
|
|
|
|
|
|
|
|
PERROR(_("AppArmor parser error: %s\n"), buf);
|
|
|
|
|
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
/* Guh, fake symbol */
|
|
|
|
|
char *progname;
|
|
|
|
|
|
|
|
|
|
static int test_filter_escapes(void)
|
|
|
|
|
{
|
|
|
|
|
int rc = 0;
|
|
|
|
|
char *test_string;
|
|
|
|
|
|
|
|
|
|
test_string = strdup("foo\\\\foo");
|
|
|
|
|
filter_escapes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "foo\\foo") == 0, "simple filter for \\\\");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("foo\\foo");
|
|
|
|
|
filter_escapes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "foofoo") == 0, "simple filter for \\f");
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int test_filter_slashes(void)
|
|
|
|
|
{
|
|
|
|
|
int rc = 0;
|
|
|
|
|
char *test_string;
|
|
|
|
|
|
|
|
|
|
test_string = strdup("///foo//////f//oo////////////////");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "/foo/f/oo") == 0, "simple tests");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("/foo/f/oo");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "/foo/f/oo") == 0, "simple test for no changes");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("/");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "/") == 0, "simple test for '/'");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "") == 0, "simple test for ''");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("//usr");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "//usr") == 0, "simple test for // namespace");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("//");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "//") == 0, "simple test 2 for // namespace");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("///usr");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "/usr") == 0, "simple test for ///usr");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("///");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "/") == 0, "simple test for ///");
|
|
|
|
|
|
|
|
|
|
test_string = strdup("/a/");
|
|
|
|
|
filter_slashes(test_string);
|
|
|
|
|
MY_TEST(strcmp(test_string, "/a") == 0, "simple test for /a/");
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-14 22:00:39 +00:00
|
|
|
int regex_type = AARE_PCRE;
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
int main(void)
|
|
|
|
|
{
|
|
|
|
|
int rc = 0;
|
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
|
|
retval = test_filter_escapes();
|
|
|
|
|
if (retval != 0)
|
|
|
|
|
rc = retval;
|
|
|
|
|
|
|
|
|
|
retval = test_filter_slashes();
|
|
|
|
|
if (retval != 0)
|
|
|
|
|
rc = retval;
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
#endif /* UNIT_TEST */
|