2006-04-12 03:09:10 +00:00
|
|
|
/* $Id$ */
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
/*
|
2007-04-11 08:12:51 +00:00
|
|
|
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
|
|
|
|
* NOVELL (All rights reserved)
|
2006-04-11 21:52:54 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, contact Novell, Inc.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define _GNU_SOURCE /* for strndup */
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <stdarg.h>
|
|
|
|
|
#include <search.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <libintl.h>
|
|
|
|
|
#define _(s) gettext(s)
|
|
|
|
|
|
|
|
|
|
#include "parser.h"
|
|
|
|
|
#include "parser_yacc.h"
|
|
|
|
|
|
|
|
|
|
/* #define DEBUG */
|
|
|
|
|
#ifdef DEBUG
|
|
|
|
|
#define PDEBUG(fmt, args...) printf("Lexer: " fmt, ## args)
|
|
|
|
|
#else
|
|
|
|
|
#define PDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
#endif
|
|
|
|
|
#define NPDEBUG(fmt, args...) /* Do nothing */
|
|
|
|
|
|
|
|
|
|
void *policy_list = NULL;
|
|
|
|
|
|
|
|
|
|
static int codomain_compare(const void *a, const void *b)
|
|
|
|
|
{
|
2007-11-16 09:18:48 +00:00
|
|
|
struct codomain *A = (struct codomain *) a;
|
2008-04-05 04:57:51 +00:00
|
|
|
struct codomain *B = (struct codomain *) b;
|
2007-11-16 09:18:48 +00:00
|
|
|
|
|
|
|
|
int res = 0;
|
|
|
|
|
if (A->namespace) {
|
|
|
|
|
if (B->namespace)
|
|
|
|
|
res = strcmp(A->namespace, B->namespace);
|
|
|
|
|
else
|
|
|
|
|
res = -1;
|
|
|
|
|
} else if (B->namespace)
|
|
|
|
|
res = 1;
|
|
|
|
|
if (res)
|
|
|
|
|
return res;
|
|
|
|
|
return strcmp(A->name, B->name);
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void add_to_list(struct codomain *codomain)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **result;
|
|
|
|
|
|
|
|
|
|
result = (struct codomain **) tsearch(codomain, &policy_list, codomain_compare);
|
|
|
|
|
if (!result) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (*result != codomain) {
|
|
|
|
|
PERROR("Multiple definitions for profile %s exist,"
|
|
|
|
|
"bailing out.\n", codomain->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void add_hat_to_policy(struct codomain *cod, struct codomain *hat)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **result;
|
|
|
|
|
|
2007-06-26 21:09:46 +00:00
|
|
|
hat->parent = cod;
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
result = (struct codomain **) tsearch(hat, &(cod->hat_table), codomain_compare);
|
|
|
|
|
if (!result) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (*result != hat) {
|
|
|
|
|
PERROR("Multiple definitions for hat %s in profile %s exist,"
|
|
|
|
|
"bailing out.\n", hat->name, cod->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
|
|
|
|
|
{
|
|
|
|
|
entry->next = cod->entries;
|
|
|
|
|
cod->entries = entry;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __merge_rules(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (!codomain_merge_rules(*t)) {
|
|
|
|
|
PERROR(_("ERROR merging rules for profile %s, failed to load\n"),
|
|
|
|
|
(*t)->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int post_merge_rules(void)
|
|
|
|
|
{
|
|
|
|
|
twalk(policy_list, __merge_rules);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int merge_hat_rules(struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
twalk(cod->hat_table, __merge_rules);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-18 17:15:05 +00:00
|
|
|
int die_if_any_regex(void);
|
|
|
|
|
static int die_if_any_hat_regex(struct codomain *cod);
|
|
|
|
|
static int any_regex_entries(struct cod_entry *entry_list);
|
|
|
|
|
|
|
|
|
|
/* only call if regex is not allowed */
|
|
|
|
|
static void __any_regex(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
2006-05-18 16:26:28 +00:00
|
|
|
if (any_regex_entries((*t)->entries)) {
|
2006-04-18 17:15:05 +00:00
|
|
|
PERROR(_("ERROR profile %s contains policy elements not usable with this kernel:\n"
|
|
|
|
|
"\t'*', '?', character ranges, and alternations are not allowed.\n"
|
|
|
|
|
"\t'**' may only be used at the end of a rule.\n"),
|
|
|
|
|
(*t)->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
die_if_any_hat_regex(*t);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* only call if regex is not allowed */
|
|
|
|
|
int die_if_any_regex(void)
|
|
|
|
|
{
|
|
|
|
|
twalk(policy_list, __any_regex);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* only call if regex is not allowed */
|
|
|
|
|
static int die_if_any_hat_regex(struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
twalk(cod->hat_table, __any_regex);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int any_regex_entries(struct cod_entry *entry_list)
|
|
|
|
|
{
|
|
|
|
|
struct cod_entry *entry;
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
list_for_each(entry_list, entry) {
|
2006-04-18 17:15:05 +00:00
|
|
|
if (entry->pattern_type == ePatternRegex)
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
static void __process_regex(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (process_regex(*t) != 0) {
|
|
|
|
|
PERROR(_("ERROR processing regexs for profile %s, failed to load\n"),
|
|
|
|
|
(*t)->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int post_process_regex(void)
|
|
|
|
|
{
|
|
|
|
|
twalk(policy_list, __process_regex);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int process_hat_regex(struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
twalk(cod->hat_table, __process_regex);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __process_variables(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (process_variables(*t) != 0) {
|
|
|
|
|
PERROR(_("ERROR expanding variables for profile %s, failed to load\n"),
|
|
|
|
|
(*t)->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int post_process_variables(void)
|
|
|
|
|
{
|
|
|
|
|
twalk(policy_list, __process_variables);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int process_hat_variables(struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
twalk(cod->hat_table, __process_variables);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-05 05:44:44 +00:00
|
|
|
#define CHANGEHAT_PATH "/proc/[0-9]*/attr/current"
|
|
|
|
|
|
2008-04-06 18:52:47 +00:00
|
|
|
/* add file rules to access /proc files to call change_hat()
|
|
|
|
|
* add file rules to be able to change_hat, this restriction keeps
|
|
|
|
|
* change_hat from being able to access local profiles that are not
|
|
|
|
|
* meant to be used as hats
|
|
|
|
|
*/
|
|
|
|
|
static void __add_hat_rules_parent(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
2008-04-05 05:44:44 +00:00
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
struct cod_entry *entry;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* don't add hat rules if a parent profile with no hats */
|
|
|
|
|
if (!(*t)->hat_table && !(*t)->parent)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* add rule to grant permission to change_hat - AA 2.3 requirement,
|
|
|
|
|
* rules are added to the parent of the hat
|
|
|
|
|
*/
|
|
|
|
|
if ((*t)->parent) {
|
|
|
|
|
char *buffer = malloc(strlen((*t)->name) + 1);
|
|
|
|
|
if (!buffer) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
strcpy(buffer, (*t)->name);
|
|
|
|
|
|
|
|
|
|
entry = new_entry(NULL, buffer, AA_CHANGE_HAT, NULL);
|
|
|
|
|
if (!entry) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
add_entry_to_policy((*t)->parent, entry);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* later
|
|
|
|
|
entry = new_entry(strdup(CHANGEHAT_PATH), AA_MAY_WRITE);
|
|
|
|
|
if (!entry) {
|
|
|
|
|
PERROR(_("ERROR adding hat access rule for profile %s\n"),
|
|
|
|
|
(*t)->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
add_entry_to_policy(*t, entry);
|
|
|
|
|
*/
|
2008-04-06 18:52:47 +00:00
|
|
|
twalk((*t)->hat_table, __add_hat_rules_parent);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* add the same hat rules to the hats as the parent so that hats can
|
|
|
|
|
* change to sibling hats
|
|
|
|
|
*/
|
|
|
|
|
static void __add_hat_rules_hats(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* don't add hat rules if a parent profile with no hats */
|
|
|
|
|
if (!(*t)->hat_table && !(*t)->parent)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* hat */
|
|
|
|
|
if ((*t)->parent) {
|
|
|
|
|
struct cod_entry *entry, *new_ent;
|
|
|
|
|
list_for_each((*t)->parent->entries, entry) {
|
|
|
|
|
if (entry->mode & AA_CHANGE_HAT) {
|
|
|
|
|
char *buffer = strdup(entry->name);
|
|
|
|
|
if (!buffer) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
new_ent = new_entry(NULL, buffer,
|
|
|
|
|
AA_CHANGE_HAT, NULL);
|
|
|
|
|
if (!entry) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
add_entry_to_policy((*t), new_ent);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
twalk((*t)->hat_table, __add_hat_rules_hats);
|
2008-04-05 05:44:44 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int add_hat_rules(void)
|
|
|
|
|
{
|
2008-04-06 18:52:47 +00:00
|
|
|
twalk(policy_list, __add_hat_rules_parent);
|
|
|
|
|
|
|
|
|
|
twalk(policy_list, __add_hat_rules_hats);
|
2008-04-05 05:44:44 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
/* Yuck, is their no other way to pass arguments to a twalk action */
|
|
|
|
|
static int __load_option;
|
|
|
|
|
|
|
|
|
|
static void __load_policy(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (load_codomain(__load_option, *t) != 0) {
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int load_policy(int option)
|
|
|
|
|
{
|
|
|
|
|
__load_option = option;
|
|
|
|
|
twalk(policy_list, __load_policy);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Yuck, is their no other way to pass arguments to a twalk action */
|
|
|
|
|
static sd_serialize *__p;
|
|
|
|
|
|
|
|
|
|
static void __load_hat(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
2007-06-26 21:09:46 +00:00
|
|
|
if (!sd_serialize_profile(__p, *t, 0)) {
|
2006-04-11 21:52:54 +00:00
|
|
|
PERROR(_("ERROR in profile %s, failed to load\n"),
|
|
|
|
|
(*t)->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-06-26 21:09:46 +00:00
|
|
|
static void __load_flattened_hat(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (load_codomain(__load_option, *t) != 0) {
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int load_flattened_hats(struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
twalk(cod->hat_table, __load_flattened_hat);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
int load_hats(sd_serialize *p, struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
__p = p;
|
|
|
|
|
twalk(cod->hat_table, __load_hat);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __dump_policy(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
debug_cod_list(*t);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void dump_policy(void)
|
|
|
|
|
{
|
|
|
|
|
twalk(policy_list, __dump_policy);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void dump_policy_hats(struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
twalk(cod->hat_table, __dump_policy);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Gar */
|
|
|
|
|
static struct codomain *__dump_policy_name;
|
|
|
|
|
|
|
|
|
|
static void __dump_policy_hatnames(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
printf("%s^%s\n", __dump_policy_name->name, (*t)->sub_name);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void dump_policy_hatnames(struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
__dump_policy_name = cod;
|
|
|
|
|
twalk(cod->hat_table, __dump_policy_hatnames);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __dump_policy_names(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
printf("%s\n", (*t)->name);
|
|
|
|
|
dump_policy_hatnames(*t);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void dump_policy_names(void)
|
|
|
|
|
{
|
|
|
|
|
twalk(policy_list, __dump_policy_names);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* gar, more global arguments */
|
|
|
|
|
struct codomain *__hat_merge_policy;
|
|
|
|
|
|
|
|
|
|
static void __merge_hat(const void *nodep, const VISIT value,
|
|
|
|
|
const int __unused depth)
|
|
|
|
|
{
|
|
|
|
|
struct codomain **t = (struct codomain **) nodep;
|
|
|
|
|
|
|
|
|
|
if (value == preorder || value == endorder)
|
|
|
|
|
return;
|
|
|
|
|
add_hat_to_policy(__hat_merge_policy, (*t));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* merge_hats: merges hat_table into hat_table owned by cod */
|
|
|
|
|
static void merge_hats(struct codomain *cod, void *hats)
|
|
|
|
|
{
|
|
|
|
|
__hat_merge_policy = cod;
|
|
|
|
|
twalk(hats, __merge_hat);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* don't want to free the hat entries in the table, as they were pushed
|
|
|
|
|
* onto the other table. */
|
|
|
|
|
static void empty_destroy(void __unused *nodep)
|
|
|
|
|
{
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct codomain *merge_policy(struct codomain *a, struct codomain *b)
|
|
|
|
|
{
|
|
|
|
|
struct codomain *ret = a;
|
|
|
|
|
struct cod_entry *last;
|
2008-04-06 18:55:27 +00:00
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
if (!a) {
|
|
|
|
|
ret = b;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
if (!b)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
if (a->name || b->name) {
|
|
|
|
|
PERROR("ASSERT: policy merges shouldn't have names %s %s\n",
|
|
|
|
|
a->name ? a->name : "",
|
|
|
|
|
b->name ? b->name : "");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (a->entries) {
|
2007-02-27 02:29:16 +00:00
|
|
|
list_last_entry(a->entries, last);
|
2006-04-11 21:52:54 +00:00
|
|
|
last->next = b->entries;
|
|
|
|
|
} else {
|
|
|
|
|
a->entries = b->entries;
|
|
|
|
|
}
|
|
|
|
|
b->entries = NULL;
|
|
|
|
|
|
|
|
|
|
a->flags.complain = a->flags.complain || b->flags.complain;
|
|
|
|
|
a->flags.audit = a->flags.audit || b->flags.audit;
|
|
|
|
|
|
|
|
|
|
a->capabilities = a->capabilities | b->capabilities;
|
2008-04-06 18:55:27 +00:00
|
|
|
a->audit_caps = a->audit_caps | b->audit_caps;
|
|
|
|
|
a->deny_caps = a->deny_caps | b->deny_caps;
|
|
|
|
|
a->quiet_caps = a->quiet_caps | b->quiet_caps;
|
|
|
|
|
a->set_caps = a->set_caps | b->set_caps;
|
|
|
|
|
|
|
|
|
|
if (a->network_allowed) {
|
|
|
|
|
int i;
|
|
|
|
|
for (i = 0; i < AF_MAX; i++) {
|
|
|
|
|
a->network_allowed[i] |= b->network_allowed[i];
|
|
|
|
|
a->audit_network[i] |= b->audit_network[i];
|
|
|
|
|
a->deny_network[i] |= b->deny_network[i];
|
|
|
|
|
a->quiet_network[i] |= b->quiet_network[i];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
merge_hats(a, b->hat_table);
|
|
|
|
|
tdestroy(b->hat_table, &empty_destroy);
|
|
|
|
|
b->hat_table = NULL;
|
|
|
|
|
|
|
|
|
|
free_policy(b);
|
|
|
|
|
out:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int post_process_policy(void)
|
|
|
|
|
{
|
|
|
|
|
int retval = 0;
|
|
|
|
|
|
2008-04-05 05:44:44 +00:00
|
|
|
retval = add_hat_rules();
|
|
|
|
|
if (retval != 0) {
|
|
|
|
|
PERROR(_("%s: Errors found during postprocessing. Aborting.\n"),
|
|
|
|
|
progname);
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
|
2007-03-30 18:34:37 +00:00
|
|
|
retval = post_process_variables();
|
2006-04-11 21:52:54 +00:00
|
|
|
if (retval != 0) {
|
2007-03-30 18:34:37 +00:00
|
|
|
PERROR(_("%s: Errors found during regex postprocess. Aborting.\n"),
|
2006-04-11 21:52:54 +00:00
|
|
|
progname);
|
2007-03-30 18:34:37 +00:00
|
|
|
return retval;
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
|
2007-03-30 18:34:37 +00:00
|
|
|
retval = post_merge_rules();
|
2006-04-11 21:52:54 +00:00
|
|
|
if (retval != 0) {
|
2007-03-30 18:34:37 +00:00
|
|
|
PERROR(_("%s: Errors found in combining rules postprocessing. Aborting.\n"),
|
2006-04-11 21:52:54 +00:00
|
|
|
progname);
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
retval = post_process_regex();
|
|
|
|
|
if (retval != 0) {
|
|
|
|
|
PERROR(_("%s: Errors found during regex postprocess. Aborting.\n"),
|
|
|
|
|
progname);
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void free_hat_entry(void *nodep)
|
|
|
|
|
{
|
|
|
|
|
struct codomain *t = (struct codomain *)nodep;
|
|
|
|
|
free_policy(t);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void free_hat_table(void *hat_table)
|
|
|
|
|
{
|
|
|
|
|
if (hat_table)
|
|
|
|
|
tdestroy(hat_table, &free_hat_entry);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void free_policy(struct codomain *cod)
|
|
|
|
|
{
|
|
|
|
|
if (!cod)
|
|
|
|
|
return;
|
|
|
|
|
free_hat_table(cod->hat_table);
|
|
|
|
|
free_cod_entries(cod->entries);
|
2007-02-27 02:29:16 +00:00
|
|
|
if (cod->dfarules)
|
|
|
|
|
aare_delete_ruleset(cod->dfarules);
|
|
|
|
|
if (cod->dfa)
|
|
|
|
|
free(cod->dfa);
|
2006-04-11 21:52:54 +00:00
|
|
|
free(cod);
|
|
|
|
|
}
|
