2006-04-11 21:52:54 +00:00
|
|
|
/*
|
2007-04-11 08:12:51 +00:00
|
|
|
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
|
|
|
|
* NOVELL (All rights reserved)
|
2013-10-14 14:34:12 -07:00
|
|
|
* Copyright (c) 2010 - 2013
|
|
|
|
|
* Canonical Ltd. (All rights reserved)
|
2006-04-11 21:52:54 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2010-06-04 18:57:01 -07:00
|
|
|
* along with this program; if not, contact Canonical, Ltd.
|
2006-04-11 21:52:54 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* Definitions section */
|
|
|
|
|
/* %option main */
|
|
|
|
|
|
|
|
|
|
/* eliminates need to link with libfl */
|
|
|
|
|
%option noyywrap
|
2010-11-09 13:39:18 -08:00
|
|
|
%option nounput
|
2012-01-02 16:48:24 -08:00
|
|
|
%option stack
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
%{
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <libintl.h>
|
2009-07-24 07:35:39 +00:00
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <dirent.h>
|
2013-11-18 16:23:23 -08:00
|
|
|
|
|
|
|
|
#include <unordered_map>
|
|
|
|
|
#include <string>
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
#define _(s) gettext(s)
|
|
|
|
|
|
|
|
|
|
#include "parser.h"
|
2013-09-27 16:16:37 -07:00
|
|
|
#include "profile.h"
|
2009-07-24 07:35:39 +00:00
|
|
|
#include "parser_include.h"
|
2006-04-11 21:52:54 +00:00
|
|
|
#include "parser_yacc.h"
|
2012-08-16 16:26:03 -07:00
|
|
|
#include "lib.h"
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2009-07-24 07:35:39 +00:00
|
|
|
#ifdef PDEBUG
|
|
|
|
|
#undef PDEBUG
|
|
|
|
|
#endif
|
2006-04-11 21:52:54 +00:00
|
|
|
/* #define DEBUG */
|
|
|
|
|
#ifdef DEBUG
|
2013-09-12 12:37:04 -07:00
|
|
|
static int yy_top_state(void);
|
2013-11-18 16:23:23 -08:00
|
|
|
#define PDEBUG(fmt, args...) printf("Lexer (Line %d) (state %s): " fmt, current_lineno, state_names[YY_START].c_str(), ## args)
|
2006-04-11 21:52:54 +00:00
|
|
|
#else
|
|
|
|
|
#define PDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
#endif
|
|
|
|
|
#define NPDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
|
2010-06-26 13:13:52 -07:00
|
|
|
#define DUMP_PREPROCESS do { if (preprocess_only) ECHO; } while (0)
|
2013-09-12 12:37:04 -07:00
|
|
|
|
|
|
|
|
#define DUMP_AND_DEBUG(X...) \
|
2013-07-31 09:05:51 -07:00
|
|
|
do { \
|
|
|
|
|
DUMP_PREPROCESS; \
|
2013-09-12 12:37:04 -07:00
|
|
|
PDEBUG(X); \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
#define EAT_TOKEN(X...) DUMP_AND_DEBUG(X)
|
|
|
|
|
|
|
|
|
|
#define RETURN_TOKEN(X) \
|
|
|
|
|
do { \
|
|
|
|
|
DUMP_AND_DEBUG("Matched: %s\n", yytext); \
|
|
|
|
|
return (X); \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
#define POP() \
|
|
|
|
|
do { \
|
2013-11-18 16:23:23 -08:00
|
|
|
DUMP_AND_DEBUG(" (pop_to(%s)): Matched: %s\n", state_names[yy_top_state()].c_str(), yytext); \
|
2013-09-12 12:37:04 -07:00
|
|
|
yy_pop_state(); \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
#define PUSH(X) \
|
|
|
|
|
do { \
|
2013-11-18 16:23:23 -08:00
|
|
|
DUMP_AND_DEBUG(" (push(%s)): Matched: %s\n", state_names[(X)].c_str(), yytext); \
|
2013-09-12 12:37:04 -07:00
|
|
|
yy_push_state(X); \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
#define POP_AND_RETURN(X) \
|
|
|
|
|
do { \
|
|
|
|
|
POP(); \
|
2013-07-31 09:05:51 -07:00
|
|
|
return (X); \
|
|
|
|
|
} while (0)
|
2010-06-26 13:13:52 -07:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
#define PUSH_AND_RETURN(X, Y) \
|
|
|
|
|
do { \
|
|
|
|
|
PUSH(X); \
|
|
|
|
|
return (Y); \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
#define BEGIN_AND_RETURN(X, Y) \
|
|
|
|
|
do { \
|
2013-11-18 16:23:23 -08:00
|
|
|
DUMP_AND_DEBUG(" (begin(%s)): Matched: %s\n", state_names[(X)].c_str(), yytext); \
|
2013-09-12 12:37:04 -07:00
|
|
|
BEGIN(X); \
|
|
|
|
|
return (Y); \
|
|
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
|
2010-07-26 09:22:45 -07:00
|
|
|
#define YY_NO_INPUT
|
|
|
|
|
|
2013-11-18 16:23:23 -08:00
|
|
|
#define STATE_TABLE_ENT(X) {X, #X }
|
|
|
|
|
extern unordered_map<int, string> state_names;
|
2012-08-16 16:26:03 -07:00
|
|
|
|
|
|
|
|
struct cb_struct {
|
|
|
|
|
const char *fullpath;
|
|
|
|
|
const char *filename;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int include_dir_cb(__unused DIR *dir, const char *name, struct stat *st,
|
|
|
|
|
void *data)
|
|
|
|
|
{
|
|
|
|
|
struct cb_struct *d = (struct cb_struct *) data;
|
|
|
|
|
|
|
|
|
|
char *path;
|
|
|
|
|
|
|
|
|
|
if (asprintf(&path, "%s/%s", d->fullpath, name) < 0)
|
|
|
|
|
yyerror("Out of memory");
|
|
|
|
|
|
2013-10-14 14:34:12 -07:00
|
|
|
if (is_blacklisted(name, path)) {
|
|
|
|
|
free(path);
|
2012-08-16 16:26:03 -07:00
|
|
|
return 0;
|
2013-10-14 14:34:12 -07:00
|
|
|
}
|
2012-08-16 16:26:03 -07:00
|
|
|
|
|
|
|
|
if (S_ISREG(st->st_mode)) {
|
|
|
|
|
if (!(yyin = fopen(path,"r")))
|
|
|
|
|
yyerror(_("Could not open '%s' in '%s'"), path, d->filename);
|
|
|
|
|
PDEBUG("Opened include \"%s\" in \"%s\"\n", path, d->filename);
|
|
|
|
|
update_mru_tstamp(yyin);
|
|
|
|
|
push_include_stack(path);
|
|
|
|
|
yypush_buffer_state(yy_create_buffer(yyin, YY_BUF_SIZE));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(path);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-24 07:35:39 +00:00
|
|
|
void include_filename(char *filename, int search)
|
|
|
|
|
{
|
|
|
|
|
FILE *include_file = NULL;
|
|
|
|
|
struct stat my_stat;
|
|
|
|
|
char *fullpath = NULL;
|
|
|
|
|
|
2009-07-24 11:56:07 +00:00
|
|
|
if (search) {
|
2010-06-26 13:13:52 -07:00
|
|
|
if (preprocess_only)
|
|
|
|
|
fprintf(yyout, "\n\n##included <%s>\n", filename);
|
2009-07-24 11:56:07 +00:00
|
|
|
include_file = search_path(filename, &fullpath);
|
|
|
|
|
} else {
|
2010-06-26 13:13:52 -07:00
|
|
|
if (preprocess_only)
|
|
|
|
|
fprintf(yyout, "\n\n##included \"%s\"\n", filename);
|
2009-07-24 07:35:39 +00:00
|
|
|
fullpath = strdup(filename);
|
|
|
|
|
include_file = fopen(fullpath, "r");
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-24 11:56:07 +00:00
|
|
|
if (!include_file)
|
2010-06-04 18:47:44 -07:00
|
|
|
yyerror(_("Could not open '%s'"),
|
|
|
|
|
fullpath ? fullpath: filename);
|
2009-07-24 07:35:39 +00:00
|
|
|
|
|
|
|
|
if (fstat(fileno(include_file), &my_stat))
|
|
|
|
|
yyerror(_("fstat failed for '%s'"), fullpath);
|
|
|
|
|
|
|
|
|
|
if (S_ISREG(my_stat.st_mode)) {
|
|
|
|
|
yyin = include_file;
|
2010-09-14 12:22:02 -07:00
|
|
|
update_mru_tstamp(include_file);
|
2009-07-24 07:35:39 +00:00
|
|
|
PDEBUG("Opened include \"%s\"\n", fullpath);
|
2010-06-04 18:47:44 -07:00
|
|
|
push_include_stack(fullpath);
|
2009-07-24 07:35:39 +00:00
|
|
|
yypush_buffer_state(yy_create_buffer( yyin, YY_BUF_SIZE ));
|
2012-08-16 16:26:03 -07:00
|
|
|
} else if (S_ISDIR(my_stat.st_mode)) {
|
|
|
|
|
struct cb_struct data = { fullpath, filename };
|
2009-07-24 07:35:39 +00:00
|
|
|
fclose(include_file);
|
|
|
|
|
include_file = NULL;
|
2012-08-16 16:26:03 -07:00
|
|
|
if (dirat_for_each(NULL, fullpath, &data, include_dir_cb)) {
|
|
|
|
|
yyerror(_("Could not process include directory"
|
|
|
|
|
" '%s' in '%s'"), fullpath, filename);;
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
2009-07-24 12:18:12 +00:00
|
|
|
|
|
|
|
|
if (fullpath)
|
|
|
|
|
free(fullpath);
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
%}
|
|
|
|
|
|
2012-01-02 16:49:31 -08:00
|
|
|
CARET "^"
|
2006-04-11 21:52:54 +00:00
|
|
|
OPEN_BRACE \{
|
|
|
|
|
CLOSE_BRACE \}
|
|
|
|
|
SLASH \/
|
|
|
|
|
COLON :
|
|
|
|
|
END_OF_RULE [,]
|
|
|
|
|
RANGE -
|
2009-08-20 15:41:10 +00:00
|
|
|
MODE_CHARS ([RrWwaLlMmkXx])|(([Pp]|[Cc])[Xx])|(([Pp]|[Cc])?([IiUu])[Xx])
|
2007-11-29 18:06:53 +00:00
|
|
|
MODES {MODE_CHARS}+
|
2006-04-11 21:52:54 +00:00
|
|
|
WS [[:blank:]]
|
|
|
|
|
NUMBER [[:digit:]]+
|
2012-02-16 07:46:43 -08:00
|
|
|
|
|
|
|
|
ID_CHARS [^ \t\n"!,]
|
|
|
|
|
ID {ID_CHARS}|(,{ID_CHARS})
|
|
|
|
|
IDS {ID}+
|
|
|
|
|
POST_VAR_ID_CHARS [^ \t\n"!,]{-}[=\+]
|
|
|
|
|
POST_VAR_ID {POST_VAR_ID_CHARS}|(,{POST_VAR_ID_CHARS})
|
2012-02-16 07:49:12 -08:00
|
|
|
LIST_VALUE_ID_CHARS [^ \t\n"!,]{-}[()]
|
|
|
|
|
LIST_VALUE_ID {LIST_VALUE_ID_CHARS}+
|
2013-07-31 09:05:51 -07:00
|
|
|
QUOTED_LIST_VALUE_ID {LIST_VALUE_ID}|\"{LIST_VALUE_ID}\"
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
ID_CHARS_NOEQ [^ \t\n"!,]{-}[=]
|
2013-09-12 12:37:04 -07:00
|
|
|
LEADING_ID_CHARS_NOEQ [^ \t\n"!,]{-}[=()+&]
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
ID_NOEQ {ID_CHARS_NOEQ}|(,{ID_CHARS_NOEQ})
|
2013-07-31 09:05:51 -07:00
|
|
|
IDS_NOEQ {LEADING_ID_CHARS_NOEQ}{ID_NOEQ}*
|
2006-04-11 21:52:54 +00:00
|
|
|
ALLOWED_QUOTED_ID [^\0"]|\\\"
|
|
|
|
|
QUOTED_ID \"{ALLOWED_QUOTED_ID}*\"
|
|
|
|
|
|
2012-02-16 07:46:43 -08:00
|
|
|
IP {NUMBER}\.{NUMBER}\.{NUMBER}\.{NUMBER}
|
|
|
|
|
|
2012-01-02 16:48:53 -08:00
|
|
|
HAT hat{WS}*
|
|
|
|
|
PROFILE profile{WS}*
|
2006-04-11 21:52:54 +00:00
|
|
|
KEYWORD [[:alpha:]_]+
|
|
|
|
|
VARIABLE_NAME [[:alpha:]][[:alnum:]_]*
|
|
|
|
|
SET_VAR_PREFIX @
|
|
|
|
|
SET_VARIABLE {SET_VAR_PREFIX}(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
|
|
|
|
|
BOOL_VARIABLE $(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
|
|
|
|
|
|
|
|
|
|
PATHNAME (\/|{SET_VARIABLE}{POST_VAR_ID}){ID}*
|
|
|
|
|
QPATHNAME \"(\/|{SET_VAR_PREFIX})([^\0"]|\\\")*\"
|
|
|
|
|
|
2012-01-02 16:48:34 -08:00
|
|
|
OPEN_PAREN \(
|
|
|
|
|
CLOSE_PAREN \)
|
2012-02-16 07:49:12 -08:00
|
|
|
COMMA \,
|
2006-04-11 21:52:54 +00:00
|
|
|
EQUALS =
|
|
|
|
|
ADD_ASSIGN \+=
|
2007-11-16 09:37:31 +00:00
|
|
|
ARROW ->
|
2008-04-06 18:55:46 +00:00
|
|
|
LT_EQUAL <=
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
/* IF adding new state please update state_names table at eof */
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
%x SUB_ID
|
|
|
|
|
%x SUB_VALUE
|
2012-02-16 07:51:33 -08:00
|
|
|
%x EXTCOND_MODE
|
2013-07-31 09:05:51 -07:00
|
|
|
%x EXTCONDLIST_MODE
|
2007-07-27 20:29:47 +00:00
|
|
|
%x NETWORK_MODE
|
2012-02-16 07:49:12 -08:00
|
|
|
%x LIST_VAL_MODE
|
2013-07-31 09:05:51 -07:00
|
|
|
%x LIST_COND_MODE
|
|
|
|
|
%x LIST_COND_VAL
|
|
|
|
|
%x LIST_COND_PAREN_VAL
|
2006-04-11 21:52:54 +00:00
|
|
|
%x ASSIGN_MODE
|
2008-04-06 18:55:46 +00:00
|
|
|
%x RLIMIT_MODE
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
%x MOUNT_MODE
|
2013-07-31 09:05:51 -07:00
|
|
|
%x DBUS_MODE
|
2009-07-23 21:18:37 +00:00
|
|
|
%x CHANGE_PROFILE_MODE
|
2009-07-24 07:35:39 +00:00
|
|
|
%x INCLUDE
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
%%
|
|
|
|
|
|
2012-02-16 07:59:23 -08:00
|
|
|
%{
|
|
|
|
|
/* Copied directly into yylex function */
|
|
|
|
|
if (parser_token) {
|
|
|
|
|
int t = parser_token;
|
|
|
|
|
parser_token = 0;
|
|
|
|
|
return t;
|
|
|
|
|
}
|
|
|
|
|
%}
|
|
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
<INITIAL,INCLUDE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE>{
|
|
|
|
|
{WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ }
|
|
|
|
|
}
|
2009-07-24 07:35:39 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
<INCLUDE>{
|
|
|
|
|
(\<([^\> \t\n]+)\>|\"([^\" \t\n]+)\") { /* <filename> */
|
2014-02-05 13:39:24 -05:00
|
|
|
char *filename = strndup(yytext, yyleng - 1);
|
2013-09-12 12:37:04 -07:00
|
|
|
include_filename(filename + 1, *filename == '<');
|
2009-07-24 07:35:39 +00:00
|
|
|
free(filename);
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2013-09-12 12:37:04 -07:00
|
|
|
}
|
2009-07-24 07:35:39 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
[^\<\>\" \t\n]+ { /* filename */
|
2009-07-24 07:35:39 +00:00
|
|
|
include_filename(yytext, 0);
|
2012-01-02 16:48:24 -08:00
|
|
|
yy_pop_state();
|
2013-09-12 12:37:04 -07:00
|
|
|
}
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<<EOF>> {
|
2010-03-12 01:50:26 -08:00
|
|
|
fclose(yyin);
|
2010-06-04 18:47:44 -07:00
|
|
|
pop_include_stack();
|
2009-07-24 07:35:39 +00:00
|
|
|
yypop_buffer_state();
|
2013-09-12 12:37:04 -07:00
|
|
|
if ( !YY_CURRENT_BUFFER )
|
|
|
|
|
yyterminate();
|
2009-07-24 07:35:39 +00:00
|
|
|
}
|
|
|
|
|
|
2013-07-31 09:05:51 -07:00
|
|
|
<INITIAL,MOUNT_MODE,DBUS_MODE>{
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
{VARIABLE_NAME}/{WS}*= {
|
2013-09-12 12:37:04 -07:00
|
|
|
/* we match to the = in the lexer so that we can switch scanner
|
|
|
|
|
* state. By the time the parser see the = it may be too late
|
|
|
|
|
* as bison may have requested the next token from the scanner
|
|
|
|
|
*/
|
|
|
|
|
int token = get_keyword_token(yytext);
|
|
|
|
|
|
|
|
|
|
if (token == TOK_PEER) {
|
|
|
|
|
PUSH_AND_RETURN(EXTCONDLIST_MODE, TOK_CONDLISTID);
|
|
|
|
|
} else {
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
PUSH_AND_RETURN(EXTCOND_MODE, TOK_CONDID);
|
|
|
|
|
}
|
|
|
|
|
}
|
2012-03-26 06:17:40 -07:00
|
|
|
{VARIABLE_NAME}/{WS}+in{WS}*\( {
|
2013-09-12 12:37:04 -07:00
|
|
|
/* we match to 'in' in the lexer so that we can switch scanner
|
|
|
|
|
* state. By the time the parser see the 'in' it may be to
|
|
|
|
|
* late as bison may have requested the next token from the
|
|
|
|
|
* scanner
|
|
|
|
|
*/
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
PUSH_AND_RETURN(EXTCOND_MODE, TOK_CONDID);
|
|
|
|
|
}
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
}
|
2012-02-16 07:53:04 -08:00
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
<SUB_ID>{
|
2013-09-12 12:37:04 -07:00
|
|
|
({IDS}|{QUOTED_ID}) {
|
|
|
|
|
/* Go into separate state to match generic ID strings */
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
POP_AND_RETURN(TOK_ID);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
<SUB_VALUE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
({IDS}|{QUOTED_ID}) {
|
|
|
|
|
/* Go into separate state to match generic VALUE strings */
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
POP_AND_RETURN(TOK_VALUE);
|
|
|
|
|
}
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:49:12 -08:00
|
|
|
<LIST_VAL_MODE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
{CLOSE_PAREN} { POP_AND_RETURN(TOK_CLOSEPAREN); }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{COMMA} { EAT_TOKEN("listval: ,\n"); }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
({LIST_VALUE_ID}|{QUOTED_ID}) {
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
RETURN_TOKEN(TOK_VALUE);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2012-02-16 07:51:33 -08:00
|
|
|
<EXTCOND_MODE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
{EQUALS}{WS}*/[^(\n]{-}{WS} { BEGIN_AND_RETURN(SUB_VALUE, TOK_EQUALS);}
|
2012-02-16 07:51:33 -08:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{EQUALS} { RETURN_TOKEN(TOK_EQUALS); }
|
2012-02-16 07:51:33 -08:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
/* Don't push state here as this is a transition start condition and
|
|
|
|
|
* we want to return to the start condition that invoked <EXTCOND_MODE>
|
|
|
|
|
* when LIST_VAL_ID is done
|
|
|
|
|
*/
|
|
|
|
|
{OPEN_PAREN} { BEGIN_AND_RETURN(LIST_VAL_MODE, TOK_OPENPAREN); }
|
2012-02-16 07:51:33 -08:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
in { RETURN_TOKEN(TOK_IN); }
|
2012-02-16 07:51:33 -08:00
|
|
|
}
|
|
|
|
|
|
2013-07-31 09:05:51 -07:00
|
|
|
<LIST_COND_VAL>{
|
|
|
|
|
({LIST_VALUE_ID}|{QUOTED_LIST_VALUE_ID}) {
|
2013-09-12 12:37:04 -07:00
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
POP_AND_RETURN(TOK_VALUE);
|
|
|
|
|
}
|
2013-07-31 09:05:51 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<LIST_COND_PAREN_VAL>{
|
2013-09-12 12:37:04 -07:00
|
|
|
{CLOSE_PAREN} { POP(); }
|
2013-07-31 09:05:51 -07:00
|
|
|
|
|
|
|
|
({LIST_VALUE_ID}|{QUOTED_LIST_VALUE_ID}) {
|
2013-09-12 12:37:04 -07:00
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
RETURN_TOKEN(TOK_VALUE);
|
|
|
|
|
}
|
2013-07-31 09:05:51 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<LIST_COND_MODE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
{CLOSE_PAREN} { POP_AND_RETURN(TOK_CLOSEPAREN); }
|
2013-07-31 09:05:51 -07:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{COMMA} { EAT_TOKEN("listcond: , \n"); }
|
2013-07-31 09:05:51 -07:00
|
|
|
|
|
|
|
|
{ID_CHARS_NOEQ}+ {
|
2013-09-12 12:37:04 -07:00
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
RETURN_TOKEN(TOK_CONDID);
|
|
|
|
|
}
|
2013-07-31 09:05:51 -07:00
|
|
|
|
|
|
|
|
{EQUALS}{WS}*{OPEN_PAREN} {
|
2013-09-12 12:37:04 -07:00
|
|
|
PUSH_AND_RETURN(LIST_COND_PAREN_VAL, TOK_EQUALS);
|
|
|
|
|
}
|
2013-07-31 09:05:51 -07:00
|
|
|
|
|
|
|
|
{EQUALS} {
|
2013-09-12 12:37:04 -07:00
|
|
|
PUSH_AND_RETURN(LIST_COND_VAL, TOK_EQUALS);
|
|
|
|
|
}
|
2013-07-31 09:05:51 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<EXTCONDLIST_MODE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
{EQUALS} { RETURN_TOKEN(TOK_EQUALS); }
|
2013-07-31 09:05:51 -07:00
|
|
|
|
|
|
|
|
{OPEN_PAREN} {
|
2013-09-12 12:37:04 -07:00
|
|
|
/* Don't push state here as this is a transition
|
|
|
|
|
* start condition and we want to return to the start
|
|
|
|
|
* condition that invoked <EXTCONDLIST_MODE> when
|
|
|
|
|
* LIST_VAL_ID is done
|
|
|
|
|
*/
|
|
|
|
|
BEGIN_AND_RETURN(LIST_COND_MODE, TOK_OPENPAREN);
|
|
|
|
|
}
|
2013-07-31 09:05:51 -07:00
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
<ASSIGN_MODE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
({IDS}|{QUOTED_ID}) {
|
|
|
|
|
yylval.var_val = processid(yytext, yyleng);
|
|
|
|
|
RETURN_TOKEN(TOK_VALUE);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{END_OF_RULE} {
|
|
|
|
|
yylval.id = strdup(yytext);
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
yyerror(_("Variable declarations do not accept trailing commas"));
|
|
|
|
|
}
|
2010-11-19 01:42:04 -08:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
\\\n { DUMP_PREPROCESS; current_lineno++ ; }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
\r?\n {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
current_lineno++;
|
|
|
|
|
yy_pop_state();
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2007-07-27 20:29:47 +00:00
|
|
|
<NETWORK_MODE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
{IDS} {
|
|
|
|
|
yylval.id = strdup(yytext);
|
|
|
|
|
RETURN_TOKEN(TOK_ID);
|
|
|
|
|
}
|
2007-07-27 20:29:47 +00:00
|
|
|
}
|
|
|
|
|
|
2009-07-23 21:18:37 +00:00
|
|
|
<CHANGE_PROFILE_MODE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
{ARROW} { RETURN_TOKEN(TOK_ARROW); }
|
2009-07-23 21:18:37 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
({IDS}|{QUOTED_ID}) {
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
POP_AND_RETURN(TOK_ID);
|
|
|
|
|
}
|
2009-07-23 21:18:37 +00:00
|
|
|
}
|
|
|
|
|
|
2008-04-06 18:55:46 +00:00
|
|
|
<RLIMIT_MODE>{
|
Update apparmor's handling of rlimits for cpu limit and more natural units
Allow for rlimit cpu to specified which is now supported by the kernel.
Previously the rlimit units where limited to K, M, G and would fail when
KB, MB, GB where used. Allow for both, also allow for units on lengths
of time, by specifying "seconds", "minutes", "hours".. or any unique subset
eg. "s", "sec", "m", "min", "h", "hour" ..
NOTE:
This patch does not extend rlimits to be able to handle setting of tasks
that are confined by other profiles.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2011-08-10 15:53:39 -07:00
|
|
|
-?{NUMBER}[[:alpha:]]* {
|
2013-09-12 12:37:04 -07:00
|
|
|
yylval.var_val = strdup(yytext);
|
|
|
|
|
RETURN_TOKEN(TOK_VALUE);
|
|
|
|
|
}
|
2008-04-06 18:55:46 +00:00
|
|
|
|
|
|
|
|
{KEYWORD} {
|
2013-09-12 12:37:04 -07:00
|
|
|
yylval.id = strdup(yytext);
|
|
|
|
|
if (strcmp(yytext, "infinity") == 0)
|
|
|
|
|
RETURN_TOKEN(TOK_VALUE);
|
|
|
|
|
RETURN_TOKEN(TOK_ID);
|
|
|
|
|
}
|
2008-04-06 18:55:46 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{LT_EQUAL} { RETURN_TOKEN(TOK_LE); }
|
2008-04-06 18:55:46 +00:00
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-07-31 09:05:51 -07:00
|
|
|
<DBUS_MODE>{
|
|
|
|
|
send { RETURN_TOKEN(TOK_SEND); }
|
|
|
|
|
receive { RETURN_TOKEN(TOK_RECEIVE); }
|
|
|
|
|
bind { RETURN_TOKEN(TOK_BIND); }
|
|
|
|
|
read { RETURN_TOKEN(TOK_READ); }
|
|
|
|
|
write { RETURN_TOKEN(TOK_WRITE); }
|
parser: Add dbus eavesdrop permission support to apparmor_parser
Allows for the policy writer to grant permission to eavesdrop on the
specified bus. Some example rules for granting the eavesdrop permission
are:
# Grant send, receive, bind, and eavesdrop
dbus,
# Grant send, receive, bind, and eavesdrop on the session bus
dbus bus=session,
# Grant send and eavesdrop on the system bus
dbus (send eavesdrop) bus=system,
# Grant eavesdrop on any bus
dbus eavesdrop,
Eavesdropping rules can contain the bus conditional. Any other
conditionals are not compatible with eavesdropping rules and the parser
will return an error.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-12-06 11:17:43 -08:00
|
|
|
eavesdrop { RETURN_TOKEN(TOK_EAVESDROP); }
|
2013-07-31 09:05:51 -07:00
|
|
|
{OPEN_PAREN} {
|
|
|
|
|
yy_push_state(LIST_VAL_MODE);
|
|
|
|
|
RETURN_TOKEN(TOK_OPENPAREN);
|
|
|
|
|
}
|
|
|
|
|
(r|w|rw|wr)/([[:space:],]) {
|
|
|
|
|
yylval.mode = strdup(yytext);
|
|
|
|
|
RETURN_TOKEN(TOK_MODE);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<MOUNT_MODE,DBUS_MODE>{
|
2013-09-12 12:37:04 -07:00
|
|
|
{ARROW} { RETURN_TOKEN(TOK_ARROW); }
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
({IDS_NOEQ}|{PATHNAME}|{QUOTED_ID}) {
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
RETURN_TOKEN(TOK_ID);
|
|
|
|
|
}
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
}
|
|
|
|
|
|
2014-02-02 19:23:10 -10:00
|
|
|
#include/.*\r?\n {
|
|
|
|
|
/* Don't use push here as we don't want #include echoed out. It needs
|
|
|
|
|
* to be handled specially
|
|
|
|
|
*/
|
|
|
|
|
yy_push_state(INCLUDE);
|
|
|
|
|
}
|
2012-01-02 16:47:32 -08:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
#.*\r?\n { /* normal comment */
|
|
|
|
|
DUMP_AND_DEBUG("comment(%d): %s\n", current_lineno, yytext);
|
|
|
|
|
current_lineno++;
|
|
|
|
|
}
|
2012-01-02 16:47:32 -08:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{CARET} { PUSH_AND_RETURN(SUB_ID, TOK_CARET); }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{ARROW} { RETURN_TOKEN(TOK_ARROW); }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{EQUALS} { PUSH_AND_RETURN(ASSIGN_MODE, TOK_EQUALS); }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{ADD_ASSIGN} { PUSH_AND_RETURN(ASSIGN_MODE, TOK_ADD_ASSIGN); }
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{SET_VARIABLE} {
|
|
|
|
|
yylval.set_var = strdup(yytext);
|
|
|
|
|
RETURN_TOKEN(TOK_SET_VAR);
|
|
|
|
|
}
|
2007-07-27 20:48:24 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{BOOL_VARIABLE} {
|
|
|
|
|
yylval.bool_var = strdup(yytext);
|
|
|
|
|
RETURN_TOKEN(TOK_BOOL_VAR);
|
|
|
|
|
}
|
2012-01-02 16:48:53 -08:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{OPEN_BRACE} { RETURN_TOKEN(TOK_OPEN); }
|
2007-11-16 09:18:48 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{CLOSE_BRACE} { RETURN_TOKEN(TOK_CLOSE); }
|
2007-11-16 09:31:33 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
({PATHNAME}|{QPATHNAME}) {
|
|
|
|
|
yylval.id = processid(yytext, yyleng);
|
|
|
|
|
RETURN_TOKEN(TOK_ID);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
({MODES})/([[:space:],]) {
|
|
|
|
|
yylval.mode = strdup(yytext);
|
|
|
|
|
RETURN_TOKEN(TOK_MODE);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
{HAT} { PUSH_AND_RETURN(SUB_ID, TOK_HAT); }
|
|
|
|
|
|
|
|
|
|
{PROFILE} { PUSH_AND_RETURN(SUB_ID, TOK_PROFILE); }
|
|
|
|
|
|
|
|
|
|
{COLON} { RETURN_TOKEN(TOK_COLON); }
|
|
|
|
|
|
|
|
|
|
{OPEN_PAREN} { PUSH_AND_RETURN(LIST_VAL_MODE, TOK_OPENPAREN); }
|
|
|
|
|
|
|
|
|
|
{VARIABLE_NAME} {
|
|
|
|
|
int token = get_keyword_token(yytext);
|
|
|
|
|
int state = INITIAL;
|
|
|
|
|
|
|
|
|
|
/* special cases */
|
|
|
|
|
switch (token) {
|
|
|
|
|
case -1:
|
|
|
|
|
/* no token found */
|
|
|
|
|
yylval.id = processunquoted(yytext, yyleng);
|
|
|
|
|
RETURN_TOKEN(TOK_ID);
|
|
|
|
|
break;
|
|
|
|
|
case TOK_RLIMIT:
|
|
|
|
|
state = RLIMIT_MODE;
|
|
|
|
|
break;
|
|
|
|
|
case TOK_NETWORK:
|
|
|
|
|
state = NETWORK_MODE;
|
|
|
|
|
break;
|
|
|
|
|
case TOK_CHANGE_PROFILE:
|
|
|
|
|
state = CHANGE_PROFILE_MODE;
|
|
|
|
|
break;
|
|
|
|
|
case TOK_MOUNT:
|
|
|
|
|
case TOK_REMOUNT:
|
|
|
|
|
case TOK_UMOUNT:
|
|
|
|
|
state = MOUNT_MODE;
|
|
|
|
|
break;
|
|
|
|
|
case TOK_DBUS:
|
|
|
|
|
state = DBUS_MODE;
|
|
|
|
|
break;
|
|
|
|
|
default: /* nothing */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
PUSH_AND_RETURN(state, token);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
<INITIAL,NETWORK_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE>{
|
|
|
|
|
{END_OF_RULE} {
|
|
|
|
|
if (YY_START != INITIAL)
|
|
|
|
|
yy_pop_state();
|
|
|
|
|
RETURN_TOKEN(TOK_END_OF_RULE);
|
|
|
|
|
}
|
2010-06-26 13:13:52 -07:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
\r?\n {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
current_lineno++;
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-09-12 12:37:04 -07:00
|
|
|
<INITIAL,SUB_ID,SUB_VALUE,LIST_VAL_MODE,EXTCOND_MODE,LIST_COND_VAL,LIST_COND_PAREN_VAL,LIST_COND_MODE,EXTCONDLIST_MODE,ASSIGN_MODE,NETWORK_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE>{
|
|
|
|
|
[^\n] {
|
|
|
|
|
DUMP_PREPROCESS;
|
|
|
|
|
/* Something we didn't expect */
|
|
|
|
|
yyerror(_("Found unexpected character: '%s'"), yytext);
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
%%
|
2013-09-12 12:37:04 -07:00
|
|
|
|
|
|
|
|
/* Create a table mapping lexer state number to the name used in the
|
|
|
|
|
* in the code. This allows for better debug output
|
|
|
|
|
*/
|
2013-11-18 16:23:23 -08:00
|
|
|
unordered_map<int, string> state_names = {
|
2013-09-12 12:37:04 -07:00
|
|
|
STATE_TABLE_ENT(INITIAL),
|
|
|
|
|
STATE_TABLE_ENT(SUB_ID),
|
|
|
|
|
STATE_TABLE_ENT(SUB_VALUE),
|
|
|
|
|
STATE_TABLE_ENT(EXTCOND_MODE),
|
|
|
|
|
STATE_TABLE_ENT(EXTCONDLIST_MODE),
|
|
|
|
|
STATE_TABLE_ENT(NETWORK_MODE),
|
|
|
|
|
STATE_TABLE_ENT(LIST_VAL_MODE),
|
2013-09-27 16:13:22 -07:00
|
|
|
STATE_TABLE_ENT(LIST_COND_MODE),
|
|
|
|
|
STATE_TABLE_ENT(LIST_COND_VAL),
|
|
|
|
|
STATE_TABLE_ENT(LIST_COND_PAREN_VAL),
|
2013-09-12 12:37:04 -07:00
|
|
|
STATE_TABLE_ENT(ASSIGN_MODE),
|
|
|
|
|
STATE_TABLE_ENT(RLIMIT_MODE),
|
|
|
|
|
STATE_TABLE_ENT(MOUNT_MODE),
|
2013-09-27 16:13:22 -07:00
|
|
|
STATE_TABLE_ENT(DBUS_MODE),
|
2013-09-12 12:37:04 -07:00
|
|
|
STATE_TABLE_ENT(CHANGE_PROFILE_MODE),
|
|
|
|
|
STATE_TABLE_ENT(INCLUDE),
|
|
|
|
|
};
|