2014-04-07 11:41:25 -07:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2014
|
|
|
|
|
* Canonical Ltd. (All rights reserved)
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, contact Novell, Inc. or Canonical
|
|
|
|
|
* Ltd.
|
|
|
|
|
*/
|
|
|
|
|
#ifndef __AA_RULE_H
|
|
|
|
|
#define __AA_RULE_H
|
|
|
|
|
|
|
|
|
|
#include <list>
|
|
|
|
|
#include <ostream>
|
|
|
|
|
|
|
|
|
|
#include "policydb.h"
|
|
|
|
|
|
2021-09-04 03:28:18 -07:00
|
|
|
using namespace std;
|
|
|
|
|
|
2014-04-07 11:41:25 -07:00
|
|
|
class Profile;
|
|
|
|
|
|
|
|
|
|
#define RULE_NOT_SUPPORTED 0
|
|
|
|
|
#define RULE_ERROR -1
|
|
|
|
|
#define RULE_OK 1
|
|
|
|
|
|
|
|
|
|
class rule_t {
|
|
|
|
|
public:
|
|
|
|
|
virtual ~rule_t() { };
|
|
|
|
|
|
|
|
|
|
//virtual bool operator<(rule_t const &rhs)const = 0;
|
|
|
|
|
virtual std::ostream &dump(std::ostream &os) = 0;
|
2021-09-08 00:25:28 -07:00
|
|
|
|
|
|
|
|
// Follow methods in order of being called by the parse
|
|
|
|
|
|
|
|
|
|
// called when profile is finished parsing
|
|
|
|
|
virtual void post_parse_profile(Profile &prof __attribute__ ((unused))) { };
|
|
|
|
|
|
|
|
|
|
// called before final expansion of variables. So implied rules
|
|
|
|
|
// can reference variables
|
|
|
|
|
virtual void add_implied_rules(Profile &prof __attribute__ ((unused))) { };
|
|
|
|
|
|
|
|
|
|
// currently only called post parse
|
|
|
|
|
// needs to change to being interatively called during parse
|
|
|
|
|
// to support expansion in include names and profile names
|
2014-04-07 11:41:25 -07:00
|
|
|
virtual int expand_variables(void) = 0;
|
2021-09-08 00:25:28 -07:00
|
|
|
|
|
|
|
|
// called late frontend to generate data for regex backend
|
2014-04-07 11:41:25 -07:00
|
|
|
virtual int gen_policy_re(Profile &prof) = 0;
|
2020-08-09 14:51:55 -04:00
|
|
|
|
|
|
|
|
protected:
|
|
|
|
|
const char *warned_name = NULL;
|
|
|
|
|
virtual void warn_once(const char *name, const char *msg);
|
|
|
|
|
virtual void warn_once(const char *name) = 0;
|
|
|
|
|
|
|
|
|
|
|
2014-04-07 11:41:25 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
std::ostream &operator<<(std::ostream &os, rule_t &rule);
|
|
|
|
|
|
|
|
|
|
typedef std::list<rule_t *> RuleList;
|
|
|
|
|
|
2021-09-04 03:28:18 -07:00
|
|
|
/* Not classes so they can be used in the bison front end */
|
|
|
|
|
typedef uint32_t perms_t;
|
|
|
|
|
typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
|
2021-09-09 01:42:51 -07:00
|
|
|
typedef enum { RULE_UNSPECIFIED, RULE_ALLOW, RULE_DENY } rule_mode_t;
|
2021-09-04 03:28:18 -07:00
|
|
|
|
|
|
|
|
/* NOTE: we can not have a constructor for class prefixes. This is
|
|
|
|
|
* because it will break bison, and we would need to transition to
|
|
|
|
|
* the C++ bison bindings. Instead get around this by using a
|
|
|
|
|
* special rule class that inherits prefixes and handles the
|
|
|
|
|
* contruction
|
|
|
|
|
*/
|
|
|
|
|
class prefixes {
|
|
|
|
|
public:
|
|
|
|
|
audit_t audit;
|
2021-09-09 01:42:51 -07:00
|
|
|
rule_mode_t rule_mode;
|
2021-09-04 03:28:18 -07:00
|
|
|
int owner;
|
|
|
|
|
|
|
|
|
|
ostream &dump(ostream &os)
|
|
|
|
|
{
|
|
|
|
|
bool output = true;
|
|
|
|
|
|
|
|
|
|
switch (audit) {
|
|
|
|
|
case AUDIT_FORCE:
|
|
|
|
|
os << "audit";
|
|
|
|
|
break;
|
|
|
|
|
case AUDIT_QUIET:
|
|
|
|
|
os << "quiet";
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
output = false;
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-09 01:42:51 -07:00
|
|
|
switch (rule_mode) {
|
|
|
|
|
case RULE_DENY:
|
2021-09-04 03:28:18 -07:00
|
|
|
if (output)
|
|
|
|
|
os << " ";
|
|
|
|
|
|
|
|
|
|
os << "deny";
|
|
|
|
|
output = true;
|
2021-09-09 01:42:51 -07:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
2021-09-04 03:28:18 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (owner) {
|
|
|
|
|
if (output)
|
|
|
|
|
os << " ";
|
|
|
|
|
os << "owner";
|
|
|
|
|
output = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (output)
|
|
|
|
|
os << " ";
|
|
|
|
|
|
|
|
|
|
return os;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
class prefix_rule_t: public rule_t, public prefixes {
|
|
|
|
|
public:
|
|
|
|
|
prefix_rule_t()
|
|
|
|
|
{
|
|
|
|
|
/* Must construct prefix here see note on prefixes */
|
|
|
|
|
audit = AUDIT_UNSPECIFIED;
|
2021-09-09 01:42:51 -07:00
|
|
|
rule_mode = RULE_UNSPECIFIED;
|
2021-09-04 03:28:18 -07:00
|
|
|
owner = 0;
|
|
|
|
|
};
|
|
|
|
|
|
2022-09-01 09:56:45 -07:00
|
|
|
virtual bool valid_prefix(const prefixes &p, const char *&error) = 0;
|
2021-09-04 03:28:18 -07:00
|
|
|
|
2022-09-01 09:56:45 -07:00
|
|
|
virtual bool add_prefix(const prefixes &p, const char *&error) {
|
2021-09-04 03:28:18 -07:00
|
|
|
if (!valid_prefix(p, error))
|
|
|
|
|
return false;
|
|
|
|
|
if (p.audit != AUDIT_UNSPECIFIED && audit != p.audit) {
|
|
|
|
|
if (audit != AUDIT_UNSPECIFIED) {
|
|
|
|
|
error = "conflicting audit prefix";
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-09-09 01:42:51 -07:00
|
|
|
if (p.rule_mode == RULE_DENY && p.audit == AUDIT_FORCE) {
|
|
|
|
|
rule_mode = RULE_DENY;
|
|
|
|
|
} else if (p.rule_mode == RULE_DENY) {
|
|
|
|
|
rule_mode = RULE_DENY;
|
2021-09-04 03:28:18 -07:00
|
|
|
audit = AUDIT_FORCE;
|
|
|
|
|
} else if (p.audit != AUDIT_UNSPECIFIED) {
|
|
|
|
|
audit = p.audit;
|
|
|
|
|
}
|
|
|
|
|
owner = p.owner;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
virtual ostream &dump(ostream &os) {
|
|
|
|
|
prefixes::dump(os);
|
|
|
|
|
|
|
|
|
|
return os;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
class perms_rule_t: public prefix_rule_t {
|
|
|
|
|
public:
|
|
|
|
|
perms_rule_t(): perms(0) { };
|
|
|
|
|
|
|
|
|
|
/* defaut perms, override/mask off if none default used */
|
|
|
|
|
virtual ostream &dump(ostream &os) {
|
|
|
|
|
|
|
|
|
|
return os;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
perms_t perms;
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
2014-04-07 11:41:25 -07:00
|
|
|
#endif /* __AA_RULE_H */
|
|
|
|
|
|
