2006-04-11 21:52:54 +00:00
|
|
|
/*
|
2007-04-11 08:12:51 +00:00
|
|
|
* Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
|
|
|
|
|
* NOVELL (All rights reserved)
|
2006-04-11 21:52:54 +00:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, contact Novell, Inc.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
2011-05-02 13:34:58 -07:00
|
|
|
#include <stdlib.h>
|
2006-04-11 21:52:54 +00:00
|
|
|
#include <stdarg.h>
|
|
|
|
|
#include <string.h>
|
2010-07-31 16:00:52 -07:00
|
|
|
#include <linux/limits.h>
|
2014-01-06 14:46:10 -08:00
|
|
|
#include <sys/apparmor.h>
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2014-01-24 10:25:47 -08:00
|
|
|
#include <iomanip>
|
2013-12-16 01:15:17 -08:00
|
|
|
#include <string>
|
2014-01-24 10:25:47 -08:00
|
|
|
#include <sstream>
|
|
|
|
|
|
2013-12-16 01:15:17 -08:00
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
/* #define DEBUG */
|
2023-07-06 16:41:56 -07:00
|
|
|
#include "common_optarg.h"
|
2015-02-12 10:19:16 -08:00
|
|
|
#include "lib.h"
|
2006-04-11 21:52:54 +00:00
|
|
|
#include "parser.h"
|
2013-09-27 16:16:37 -07:00
|
|
|
#include "profile.h"
|
2007-02-27 02:29:16 +00:00
|
|
|
#include "libapparmor_re/apparmor_re.h"
|
2011-03-13 05:49:15 -07:00
|
|
|
#include "libapparmor_re/aare_rules.h"
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
#include "policydb.h"
|
2014-04-07 03:16:50 -07:00
|
|
|
#include "rule.h"
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
enum error_type {
|
|
|
|
|
e_no_error,
|
|
|
|
|
e_parse_error,
|
|
|
|
|
};
|
|
|
|
|
|
2014-01-24 10:47:42 -08:00
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
/* Filters out multiple slashes (except if the first two are slashes,
|
|
|
|
|
* that's a distinct namespace in linux) and trailing slashes.
|
|
|
|
|
* NOTE: modifies in place the contents of the path argument */
|
|
|
|
|
|
2020-08-31 19:01:06 -07:00
|
|
|
void filter_slashes(char *path)
|
2006-04-11 21:52:54 +00:00
|
|
|
{
|
|
|
|
|
char *sptr, *dptr;
|
|
|
|
|
BOOL seen_slash = 0;
|
|
|
|
|
|
|
|
|
|
if (!path || (strlen(path) < 2))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
sptr = dptr = path;
|
|
|
|
|
|
|
|
|
|
/* special case for linux // namespace */
|
|
|
|
|
if (sptr[0] == '/' && sptr[1] == '/' && sptr[2] != '/') {
|
|
|
|
|
sptr += 2;
|
|
|
|
|
dptr += 2;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (*sptr) {
|
|
|
|
|
if (*sptr == '/') {
|
|
|
|
|
if (seen_slash) {
|
|
|
|
|
++sptr;
|
|
|
|
|
} else {
|
|
|
|
|
*dptr++ = *sptr++;
|
|
|
|
|
seen_slash = TRUE;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
seen_slash = 0;
|
|
|
|
|
if (dptr < sptr) {
|
|
|
|
|
*dptr++ = *sptr++;
|
|
|
|
|
} else {
|
|
|
|
|
dptr++;
|
|
|
|
|
sptr++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
*dptr = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-12 10:19:16 -08:00
|
|
|
static error_type append_glob(std::string &pcre, int glob,
|
|
|
|
|
const char *default_glob, const char *null_glob)
|
|
|
|
|
{
|
|
|
|
|
switch (glob) {
|
|
|
|
|
case glob_default:
|
|
|
|
|
pcre.append(default_glob);
|
|
|
|
|
break;
|
|
|
|
|
case glob_null:
|
|
|
|
|
pcre.append(null_glob);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
PERROR(_("%s: Invalid glob type %d\n"), progname, glob);
|
|
|
|
|
return e_parse_error;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return e_no_error;
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-16 01:15:17 -08:00
|
|
|
/* converts the apparmor regex in aare and appends pcre regex output
|
|
|
|
|
* to pcre string */
|
2015-02-12 10:19:16 -08:00
|
|
|
pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
|
2014-04-07 03:16:50 -07:00
|
|
|
std::string& pcre, int *first_re_pos)
|
2006-04-11 21:52:54 +00:00
|
|
|
{
|
2009-07-30 06:09:19 +00:00
|
|
|
#define update_re_pos(X) if (!(*first_re_pos)) { *first_re_pos = (X); }
|
2013-11-05 14:33:51 -08:00
|
|
|
#define MAX_ALT_DEPTH 50
|
2009-07-30 06:09:19 +00:00
|
|
|
*first_re_pos = 0;
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
int ret = TRUE;
|
|
|
|
|
/* flag to indicate input error */
|
|
|
|
|
enum error_type error;
|
|
|
|
|
|
|
|
|
|
const char *sptr;
|
|
|
|
|
pattern_t ptype;
|
|
|
|
|
|
|
|
|
|
BOOL bEscape = 0; /* flag to indicate escape */
|
|
|
|
|
int ingrouping = 0; /* flag to indicate {} context */
|
|
|
|
|
int incharclass = 0; /* flag to indicate [ ] context */
|
2016-01-25 12:48:34 -08:00
|
|
|
int grouping_count[MAX_ALT_DEPTH] = {0};
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
error = e_no_error;
|
|
|
|
|
ptype = ePatternBasic; /* assume no regex */
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
sptr = aare;
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2023-07-08 19:49:34 -07:00
|
|
|
if (parseopts.dump & DUMP_DFA_RULE_EXPR)
|
2010-07-23 13:29:35 +02:00
|
|
|
fprintf(stderr, "aare: %s -> ", aare);
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
if (anchor)
|
|
|
|
|
/* anchor beginning of regular expression */
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("^");
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
while (error == e_no_error && *sptr) {
|
|
|
|
|
switch (*sptr) {
|
|
|
|
|
|
|
|
|
|
case '\\':
|
|
|
|
|
/* concurrent escapes are allowed now and
|
|
|
|
|
* output as two consecutive escapes so that
|
|
|
|
|
* pcre won't interpret them
|
|
|
|
|
* \\\{...\\\} will be emitted as \\\{...\\\}
|
|
|
|
|
* for pcre matching. For string matching
|
|
|
|
|
* and globbing only one escape is output
|
|
|
|
|
* this is done by stripping later
|
|
|
|
|
*/
|
|
|
|
|
if (bEscape) {
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\\\");
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
|
|
|
|
bEscape = TRUE;
|
|
|
|
|
++sptr;
|
|
|
|
|
continue; /*skip turning bEscape off */
|
|
|
|
|
} /* bEscape */
|
2007-02-01 20:18:50 +00:00
|
|
|
break;
|
2006-04-11 21:52:54 +00:00
|
|
|
case '*':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* '*' is a PCRE special character */
|
|
|
|
|
/* We store an escaped *, in case we
|
|
|
|
|
* end up using this regex buffer (i.e another
|
|
|
|
|
* non-escaped regex follows)
|
|
|
|
|
*/
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\*");
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2013-12-16 01:15:17 -08:00
|
|
|
if ((pcre.length() > 0) && pcre[pcre.length() - 1] == '/') {
|
2007-03-14 22:00:39 +00:00
|
|
|
#if 0
|
2009-07-24 07:34:30 +00:00
|
|
|
// handle comment containing use
|
|
|
|
|
// of C comment characters
|
|
|
|
|
// /* /*/ and /** to describe paths
|
|
|
|
|
//
|
|
|
|
|
// modify what is emitted for * and **
|
|
|
|
|
// when used as the only path
|
|
|
|
|
// component
|
|
|
|
|
// ex.
|
|
|
|
|
// /* /*/ /**/ /**
|
|
|
|
|
// this prevents these expressions
|
|
|
|
|
// from matching directories or
|
|
|
|
|
// invalid paths
|
|
|
|
|
// in these case * and ** must
|
|
|
|
|
// match at least 1 character to
|
|
|
|
|
// get a valid path element.
|
|
|
|
|
// ex.
|
|
|
|
|
// /foo/* -> should not match /foo/
|
|
|
|
|
// /foo/*bar -> should match /foo/bar
|
|
|
|
|
// /*/foo -> should not match //foo
|
2007-03-14 22:00:39 +00:00
|
|
|
#endif
|
2007-03-14 22:35:55 +00:00
|
|
|
const char *s = sptr;
|
2007-03-14 22:00:39 +00:00
|
|
|
while (*s == '*')
|
|
|
|
|
s++;
|
2015-02-12 10:19:16 -08:00
|
|
|
if (*s == '/' || !*s)
|
|
|
|
|
error = append_glob(pcre, glob, "[^/\\x00]", "[^/]");
|
2007-03-14 22:00:39 +00:00
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
if (*(sptr + 1) == '*') {
|
|
|
|
|
/* is this the first regex form we
|
|
|
|
|
* have seen and also the end of
|
|
|
|
|
* pattern? If so, we can use
|
|
|
|
|
* optimised tail globbing rather
|
|
|
|
|
* than full regex.
|
|
|
|
|
*/
|
2009-07-30 06:09:19 +00:00
|
|
|
update_re_pos(sptr - aare);
|
2006-04-11 21:52:54 +00:00
|
|
|
if (*(sptr + 2) == '\0' &&
|
|
|
|
|
ptype == ePatternBasic) {
|
|
|
|
|
ptype = ePatternTailGlob;
|
|
|
|
|
} else {
|
|
|
|
|
ptype = ePatternRegex;
|
|
|
|
|
}
|
2015-02-12 10:19:16 -08:00
|
|
|
error = append_glob(pcre, glob, "[^\\x00]*", ".*");
|
2006-04-11 21:52:54 +00:00
|
|
|
sptr++;
|
|
|
|
|
} else {
|
2009-07-30 06:09:19 +00:00
|
|
|
update_re_pos(sptr - aare);
|
2006-04-11 21:52:54 +00:00
|
|
|
ptype = ePatternRegex;
|
2015-02-12 10:19:16 -08:00
|
|
|
error = append_glob(pcre, glob, "[^/\\x00]*", "[^/]*");
|
2006-04-11 21:52:54 +00:00
|
|
|
} /* *(sptr+1) == '*' */
|
|
|
|
|
} /* bEscape */
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '?':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* ? is not a PCRE regex character
|
|
|
|
|
* so no need to escape, just skip
|
|
|
|
|
* transform
|
|
|
|
|
*/
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append(1, *sptr);
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2009-07-30 06:09:19 +00:00
|
|
|
update_re_pos(sptr - aare);
|
2006-04-11 21:52:54 +00:00
|
|
|
ptype = ePatternRegex;
|
2019-08-17 03:06:11 -07:00
|
|
|
switch (glob) {
|
|
|
|
|
case glob_default:
|
|
|
|
|
pcre.append("[^/\\x00]");
|
|
|
|
|
break;
|
|
|
|
|
case glob_null:
|
|
|
|
|
pcre.append("[^/]");
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
PERROR(_("%s: Invalid glob type %d\n"), progname, glob);
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '[':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* [ is a PCRE special character */
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\[");
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2009-07-30 06:09:19 +00:00
|
|
|
update_re_pos(sptr - aare);
|
2006-04-11 21:52:54 +00:00
|
|
|
incharclass = 1;
|
|
|
|
|
ptype = ePatternRegex;
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append(1, *sptr);
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ']':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* ] is a PCRE special character */
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\]");
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2013-11-05 14:37:53 -08:00
|
|
|
if (incharclass == 0) {
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
PERROR(_("%s: Regex grouping error: Invalid close ], no matching open [ detected\n"), progname);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
incharclass = 0;
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append(1, *sptr);
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '{':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* { is a PCRE special character */
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\{");
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2013-12-10 12:22:32 -08:00
|
|
|
if (incharclass) {
|
|
|
|
|
/* don't expand inside [] */
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("{");
|
2008-11-07 01:31:19 +00:00
|
|
|
} else {
|
2013-12-10 12:22:32 -08:00
|
|
|
update_re_pos(sptr - aare);
|
|
|
|
|
ingrouping++;
|
|
|
|
|
if (ingrouping >= MAX_ALT_DEPTH) {
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
PERROR(_("%s: Regex grouping error: Exceeded maximum nesting of {}\n"), progname);
|
|
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
grouping_count[ingrouping] = 0;
|
|
|
|
|
ptype = ePatternRegex;
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("(");
|
2013-12-10 12:22:32 -08:00
|
|
|
}
|
|
|
|
|
} /* incharclass */
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case '}':
|
|
|
|
|
if (bEscape) {
|
|
|
|
|
/* { is a PCRE special character */
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\}");
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2013-12-10 12:22:32 -08:00
|
|
|
if (incharclass) {
|
|
|
|
|
/* don't expand inside [] */
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("}");
|
2013-12-10 12:22:32 -08:00
|
|
|
} else {
|
|
|
|
|
if (grouping_count[ingrouping] == 0) {
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
PERROR(_("%s: Regex grouping error: Invalid number of items between {}\n"), progname);
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2013-12-10 12:22:32 -08:00
|
|
|
}
|
|
|
|
|
ingrouping--;
|
|
|
|
|
if (ingrouping < 0) {
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
PERROR(_("%s: Regex grouping error: Invalid close }, no matching open { detected\n"), progname);
|
|
|
|
|
ingrouping = 0;
|
|
|
|
|
}
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append(")");
|
2013-12-10 12:22:32 -08:00
|
|
|
} /* incharclass */
|
2006-04-11 21:52:54 +00:00
|
|
|
} /* bEscape */
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ',':
|
|
|
|
|
if (bEscape) {
|
2013-12-10 12:22:32 -08:00
|
|
|
if (incharclass) {
|
|
|
|
|
/* escape inside char class is a
|
|
|
|
|
* valid matching char for '\'
|
|
|
|
|
*/
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\,");
|
2013-12-10 12:22:32 -08:00
|
|
|
} else {
|
|
|
|
|
/* ',' is not a PCRE regex character
|
|
|
|
|
* so no need to escape, just skip
|
|
|
|
|
* transform
|
|
|
|
|
*/
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append(1, *sptr);
|
2013-12-10 12:22:32 -08:00
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2013-12-10 12:22:32 -08:00
|
|
|
if (ingrouping && !incharclass) {
|
2013-11-05 14:33:51 -08:00
|
|
|
grouping_count[ingrouping]++;
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("|");
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append(1, *sptr);
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
/* these are special outside of character
|
|
|
|
|
* classes but not in them */
|
|
|
|
|
case '^':
|
|
|
|
|
case '$':
|
|
|
|
|
if (incharclass) {
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append(1, *sptr);
|
2006-04-11 21:52:54 +00:00
|
|
|
} else {
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\");
|
|
|
|
|
pcre.append(1, *sptr);
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Not a subdomain regex, but needs to be
|
|
|
|
|
* escaped as it is a pcre metacharacter which
|
|
|
|
|
* we don't want to support. We always escape
|
|
|
|
|
* these, so no need to check bEscape
|
|
|
|
|
*/
|
|
|
|
|
case '.':
|
|
|
|
|
case '+':
|
|
|
|
|
case '|':
|
|
|
|
|
case '(':
|
|
|
|
|
case ')':
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("\\");
|
2020-06-01 03:06:28 -07:00
|
|
|
/* Fall through */
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
default:
|
2013-12-06 06:01:12 -08:00
|
|
|
if (bEscape) {
|
2015-02-12 10:19:16 -08:00
|
|
|
const char *pos = sptr;
|
|
|
|
|
int c;
|
|
|
|
|
if ((c = str_escseq(&pos, "")) != -1) {
|
|
|
|
|
/* valid escape we don't want to
|
|
|
|
|
* interpret here */
|
|
|
|
|
pcre.append("\\");
|
|
|
|
|
pcre.append(sptr, pos - sptr);
|
|
|
|
|
sptr += (pos - sptr) - 1;
|
|
|
|
|
} else {
|
|
|
|
|
/* quoting mark used for something that
|
|
|
|
|
* does not need to be quoted; give a
|
|
|
|
|
* warning */
|
2020-08-28 08:35:45 -07:00
|
|
|
pwarn(WARN_FORMAT, "Character %c was quoted"
|
2015-02-12 10:19:16 -08:00
|
|
|
"unnecessarily, dropped preceding"
|
|
|
|
|
" quote ('\\') character\n",
|
|
|
|
|
*sptr);
|
|
|
|
|
pcre.append(1, *sptr);
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
pcre.append(1, *sptr);
|
2006-04-11 21:52:54 +00:00
|
|
|
break;
|
|
|
|
|
} /* switch (*sptr) */
|
|
|
|
|
|
|
|
|
|
bEscape = FALSE;
|
|
|
|
|
++sptr;
|
|
|
|
|
} /* while error == e_no_error && *sptr) */
|
|
|
|
|
|
|
|
|
|
if (ingrouping > 0 || incharclass) {
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
|
|
|
|
|
PERROR(_("%s: Regex grouping error: Unclosed grouping or character class, expecting close }\n"),
|
|
|
|
|
progname);
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-06 06:01:12 -08:00
|
|
|
if ((error == e_no_error) && bEscape) {
|
|
|
|
|
/* trailing backslash quote */
|
|
|
|
|
error = e_parse_error;
|
|
|
|
|
PERROR(_("%s: Regex error: trailing '\\' escape character\n"),
|
|
|
|
|
progname);
|
|
|
|
|
}
|
2006-04-11 21:52:54 +00:00
|
|
|
/* anchor end and terminate pattern string */
|
2007-02-27 02:29:16 +00:00
|
|
|
if ((error == e_no_error) && anchor) {
|
2013-12-16 01:15:17 -08:00
|
|
|
pcre.append("$");
|
2006-04-11 21:52:54 +00:00
|
|
|
}
|
|
|
|
|
/* check error again, as above STORE may have set it */
|
|
|
|
|
if (error != e_no_error) {
|
|
|
|
|
PERROR(_("%s: Unable to parse input line '%s'\n"),
|
2007-02-27 02:29:16 +00:00
|
|
|
progname, aare);
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
ret = FALSE;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
out:
|
|
|
|
|
if (ret == FALSE)
|
|
|
|
|
ptype = ePatternInvalid;
|
2010-07-23 13:29:35 +02:00
|
|
|
|
2023-07-08 19:49:34 -07:00
|
|
|
if (parseopts.dump & DUMP_DFA_RULE_EXPR)
|
2013-12-16 01:15:17 -08:00
|
|
|
fprintf(stderr, "%s\n", pcre.c_str());
|
2010-07-23 13:29:35 +02:00
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
return ptype;
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-30 06:09:19 +00:00
|
|
|
static const char *local_name(const char *name)
|
|
|
|
|
{
|
|
|
|
|
const char *t;
|
|
|
|
|
|
|
|
|
|
for (t = strstr(name, "//") ; t ; t = strstr(name, "//"))
|
|
|
|
|
name = t + 2;
|
|
|
|
|
|
|
|
|
|
return name;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 10:54:46 -08:00
|
|
|
/*
|
|
|
|
|
* get_xattr_value returns the value of an xattr expression, performing NULL
|
|
|
|
|
* checks along the way. The method returns NULL if the xattr match doesn't
|
|
|
|
|
* have an xattrs (though this case currently isn't permitted by the parser).
|
|
|
|
|
*/
|
|
|
|
|
char *get_xattr_value(struct cond_entry *entry)
|
|
|
|
|
{
|
|
|
|
|
if (!entry->eq)
|
|
|
|
|
return NULL;
|
|
|
|
|
if (!entry->vals)
|
|
|
|
|
return NULL;
|
|
|
|
|
return entry->vals->value;
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-17 05:02:13 -07:00
|
|
|
/* do we want to warn once/profile or just once per compile?? */
|
|
|
|
|
static void warn_once_xattr(const char *name)
|
|
|
|
|
{
|
|
|
|
|
static const char *warned_name = NULL;
|
2020-08-09 14:51:55 -04:00
|
|
|
common_warn_once(name, "xattr attachment conditional ignored", &warned_name);
|
2019-08-17 05:02:13 -07:00
|
|
|
}
|
|
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
static int process_profile_name_xmatch(Profile *prof)
|
2009-07-30 06:09:19 +00:00
|
|
|
{
|
2013-12-16 01:15:17 -08:00
|
|
|
std::string tbuf;
|
2009-07-30 06:09:19 +00:00
|
|
|
pattern_t ptype;
|
2021-03-16 03:44:19 -07:00
|
|
|
char *name;
|
2009-07-30 06:09:19 +00:00
|
|
|
|
2018-12-06 10:54:46 -08:00
|
|
|
struct cond_entry *entry;
|
|
|
|
|
const char *xattr_value;
|
|
|
|
|
|
2021-03-16 03:44:19 -07:00
|
|
|
if (prof->attachment) {
|
2013-09-27 16:16:37 -07:00
|
|
|
name = prof->attachment;
|
2021-03-16 03:44:19 -07:00
|
|
|
} else {
|
|
|
|
|
/* don't filter_slashes for profile names, do on attachment */
|
|
|
|
|
name = strdup(local_name(prof->name));
|
|
|
|
|
if (!name)
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
filter_slashes(name);
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre(name, 0, glob_default, tbuf,
|
2013-09-27 16:16:37 -07:00
|
|
|
&prof->xmatch_len);
|
2011-03-08 10:12:09 -08:00
|
|
|
if (ptype == ePatternBasic)
|
2013-09-27 16:16:37 -07:00
|
|
|
prof->xmatch_len = strlen(name);
|
2009-07-30 06:09:19 +00:00
|
|
|
|
|
|
|
|
if (ptype == ePatternInvalid) {
|
|
|
|
|
PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
|
2023-05-29 22:12:41 +02:00
|
|
|
if (!prof->attachment)
|
|
|
|
|
free(name);
|
2009-07-30 06:09:19 +00:00
|
|
|
return FALSE;
|
2023-05-29 22:12:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!prof->attachment)
|
|
|
|
|
free(name);
|
|
|
|
|
|
|
|
|
|
if (ptype == ePatternBasic && !(prof->altnames || prof->attachment || prof->xattrs.list)) {
|
2009-07-30 06:09:19 +00:00
|
|
|
/* no regex so do not set xmatch */
|
2013-09-27 16:16:37 -07:00
|
|
|
prof->xmatch = NULL;
|
|
|
|
|
prof->xmatch_len = 0;
|
|
|
|
|
prof->xmatch_size = 0;
|
2009-07-30 06:09:19 +00:00
|
|
|
} else {
|
|
|
|
|
/* build a dfa */
|
2014-04-23 10:57:16 -07:00
|
|
|
aare_rules *rules = new aare_rules();
|
|
|
|
|
if (!rules)
|
2009-07-30 06:09:19 +00:00
|
|
|
return FALSE;
|
2023-07-06 16:41:56 -07:00
|
|
|
if (!rules->add_rule(tbuf.c_str(), 0, AA_MAY_EXEC, 0, parseopts)) {
|
2014-04-23 10:57:16 -07:00
|
|
|
delete rules;
|
2009-07-30 06:09:19 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
2013-09-27 16:16:37 -07:00
|
|
|
if (prof->altnames) {
|
2010-02-12 13:49:58 -08:00
|
|
|
struct alt_name *alt;
|
2013-09-27 16:16:37 -07:00
|
|
|
list_for_each(prof->altnames, alt) {
|
2010-02-12 13:49:58 -08:00
|
|
|
int len;
|
2013-12-16 01:15:17 -08:00
|
|
|
tbuf.clear();
|
2021-03-16 03:44:19 -07:00
|
|
|
filter_slashes(alt->name);
|
2011-03-08 10:12:09 -08:00
|
|
|
ptype = convert_aaregex_to_pcre(alt->name, 0,
|
2015-02-12 10:19:16 -08:00
|
|
|
glob_default,
|
|
|
|
|
tbuf, &len);
|
2023-07-06 16:41:56 -07:00
|
|
|
if (!rules->add_rule(tbuf.c_str(), 0, AA_MAY_EXEC, 0, parseopts)) {
|
2014-04-23 10:57:16 -07:00
|
|
|
delete rules;
|
2010-02-12 13:49:58 -08:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-12-06 10:54:46 -08:00
|
|
|
if (prof->xattrs.list) {
|
2020-04-29 02:18:24 -07:00
|
|
|
if (!(features_supports_domain_xattr && kernel_supports_oob)) {
|
2021-03-16 03:56:58 -07:00
|
|
|
warn_once_xattr(prof->name);
|
2019-08-17 05:02:13 -07:00
|
|
|
free_cond_entry_list(prof->xattrs);
|
|
|
|
|
goto build;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 10:54:46 -08:00
|
|
|
for (entry = prof->xattrs.list; entry; entry = entry->next) {
|
|
|
|
|
xattr_value = get_xattr_value(entry);
|
|
|
|
|
if (!xattr_value)
|
|
|
|
|
xattr_value = "**"; // Default to allowing any value.
|
|
|
|
|
/* len is measured because it's required to
|
|
|
|
|
* convert the regex to pcre, but doesn't impact
|
|
|
|
|
* xmatch_len. The kernel uses the number of
|
|
|
|
|
* xattrs matched to prioritized in addition to
|
|
|
|
|
* xmatch_len.
|
|
|
|
|
*/
|
|
|
|
|
int len;
|
|
|
|
|
tbuf.clear();
|
2019-09-01 10:24:56 -07:00
|
|
|
/* prepend \x00 to every value. This is
|
2020-11-19 12:30:04 -08:00
|
|
|
* done to separate the existence of the
|
2019-09-01 10:24:56 -07:00
|
|
|
* xattr from a null value match.
|
|
|
|
|
*
|
|
|
|
|
* if an xattr exists, a single \x00 will
|
|
|
|
|
* be done before matching any of the
|
|
|
|
|
* xattr_value data.
|
|
|
|
|
*
|
|
|
|
|
* the pattern for a required xattr
|
|
|
|
|
* \x00{value_match}\x-1
|
|
|
|
|
* optional xattr (null alternation)
|
|
|
|
|
* {\x00{value_match},}\x-1
|
|
|
|
|
*/
|
|
|
|
|
tbuf.append("\\x00");
|
2018-12-06 10:54:46 -08:00
|
|
|
convert_aaregex_to_pcre(xattr_value, 0,
|
2019-08-17 03:06:11 -07:00
|
|
|
glob_null, tbuf,
|
2018-12-06 10:54:46 -08:00
|
|
|
&len);
|
2023-07-06 16:41:56 -07:00
|
|
|
if (!rules->append_rule(tbuf.c_str(), true, true, parseopts)) {
|
2018-12-06 10:54:46 -08:00
|
|
|
delete rules;
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-08-17 05:02:13 -07:00
|
|
|
build:
|
2023-07-06 16:41:56 -07:00
|
|
|
prof->xmatch = rules->create_dfa(&prof->xmatch_size, &prof->xmatch_len, parseopts, true);
|
2014-04-23 10:57:16 -07:00
|
|
|
delete rules;
|
2013-09-27 16:16:37 -07:00
|
|
|
if (!prof->xmatch)
|
2009-07-30 06:09:19 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-06 01:28:43 -07:00
|
|
|
static int warn_change_profile = 1;
|
|
|
|
|
|
2021-06-09 00:56:59 -07:00
|
|
|
static bool is_change_profile_perms(perms_t perms)
|
2016-05-31 15:32:08 -05:00
|
|
|
{
|
|
|
|
|
/**
|
|
|
|
|
* A change_profile entry will have the AA_CHANGE_PROFILE bit set.
|
|
|
|
|
* It could also have the (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE) bits
|
|
|
|
|
* set by the frontend parser. That means that it is incorrect to
|
|
|
|
|
* identify change_profile modes using a test like this:
|
|
|
|
|
*
|
2021-06-09 00:56:59 -07:00
|
|
|
* (perms & ~AA_CHANGE_PROFILE)
|
2016-05-31 15:32:08 -05:00
|
|
|
*
|
|
|
|
|
* The above test would incorrectly return true on a
|
|
|
|
|
* change_profile mode that has the
|
|
|
|
|
* (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE) bits set.
|
|
|
|
|
*/
|
2021-06-09 00:56:59 -07:00
|
|
|
return perms & AA_CHANGE_PROFILE;
|
2016-05-31 15:32:08 -05:00
|
|
|
}
|
|
|
|
|
|
2014-04-23 10:57:16 -07:00
|
|
|
static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
|
2007-02-27 02:29:16 +00:00
|
|
|
{
|
2013-12-16 01:15:17 -08:00
|
|
|
std::string tbuf;
|
2007-02-27 02:29:16 +00:00
|
|
|
pattern_t ptype;
|
2009-07-30 06:09:19 +00:00
|
|
|
int pos;
|
2007-02-27 02:29:16 +00:00
|
|
|
|
|
|
|
|
if (!entry) /* shouldn't happen */
|
|
|
|
|
return TRUE;
|
|
|
|
|
|
2009-07-23 21:18:37 +00:00
|
|
|
|
2021-06-09 00:56:59 -07:00
|
|
|
if (!is_change_profile_perms(entry->perms))
|
2009-07-30 06:09:19 +00:00
|
|
|
filter_slashes(entry->name);
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre(entry->name, 0, glob_default, tbuf, &pos);
|
2007-02-27 02:29:16 +00:00
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
return FALSE;
|
|
|
|
|
|
|
|
|
|
entry->pattern_type = ptype;
|
|
|
|
|
|
|
|
|
|
/* ix implies m but the apparmor module does not add m bit to
|
|
|
|
|
* dfa states like it does for pcre
|
|
|
|
|
*/
|
2021-06-09 00:56:59 -07:00
|
|
|
if ((entry->perms >> AA_OTHER_SHIFT) & AA_EXEC_INHERIT)
|
|
|
|
|
entry->perms |= AA_OLD_EXEC_MMAP << AA_OTHER_SHIFT;
|
|
|
|
|
if ((entry->perms >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
|
|
|
|
|
entry->perms |= AA_OLD_EXEC_MMAP << AA_USER_SHIFT;
|
2007-11-16 09:35:57 +00:00
|
|
|
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
/* the link bit on the first pair entry should not get masked
|
|
|
|
|
* out by a deny rule, as both pieces of the link pair must
|
|
|
|
|
* match. audit info for the link is carried on the second
|
|
|
|
|
* entry of the pair
|
2015-03-23 11:25:48 -07:00
|
|
|
*
|
|
|
|
|
* So if a deny rule only record it if there are permissions other
|
|
|
|
|
* than link in the entry.
|
|
|
|
|
* TODO: split link and change_profile entries earlier
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
*/
|
2021-09-09 01:42:51 -07:00
|
|
|
if (entry->rule_mode == RULE_DENY) {
|
2021-06-09 00:56:59 -07:00
|
|
|
if ((entry->perms & ~AA_LINK_BITS) &&
|
|
|
|
|
!is_change_profile_perms(entry->perms) &&
|
2021-09-09 01:42:51 -07:00
|
|
|
!dfarules->add_rule(tbuf.c_str(), entry->rule_mode == RULE_DENY,
|
2021-06-09 00:56:59 -07:00
|
|
|
entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
|
2021-08-30 14:31:03 -07:00
|
|
|
entry->audit == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
|
2023-07-06 16:41:56 -07:00
|
|
|
parseopts))
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
return FALSE;
|
2021-06-09 00:56:59 -07:00
|
|
|
} else if (!is_change_profile_perms(entry->perms)) {
|
2021-09-09 01:42:51 -07:00
|
|
|
if (!dfarules->add_rule(tbuf.c_str(),
|
|
|
|
|
entry->rule_mode == RULE_DENY, entry->perms,
|
|
|
|
|
entry->audit == AUDIT_FORCE ? entry->perms : 0,
|
2023-07-06 16:41:56 -07:00
|
|
|
parseopts))
|
Add Audit control to AppArmor through, the use of audit and deny
key words. Deny is also used to subtract permissions from the
profiles permission set.
the audit key word can be prepended to any file, network, or capability
rule, to force a selective audit when that rule is matched. Audit
permissions accumulate just like standard permissions.
eg.
audit /bin/foo rw,
will force an audit message when the file /bin/foo is opened for
read or write.
audit /etc/shadow w,
/etc/shadow r,
will force an audit message when /etc/shadow is opened for writing.
The audit message is per permission bit so only opening the file
for read access will not, force an audit message.
audit can also be used in block form instead of prepending audit
to every rule.
audit {
/bin/foo rw,
/etc/shadow w,
}
/etc/shadow r, # don't audit r access to /etc/shadow
the deny key word can be prepended to file, network and capability
rules, to result in a denial of permissions when matching that rule.
The deny rule specifically does 3 things
- it gives AppArmor the ability to remember what has been denied
so that the tools don't prompt for what has been denied in
previous profiling sessions.
- it subtracts globally from the allowed permissions. Deny permissions
accumulate in the the deny set just as allow permissions accumulate
then, the deny set is subtracted from the allow set.
- it quiets known rejects. The default audit behavior of deny rules
is to quiet known rejects so that audit logs are not flooded
with already known rejects. To have known rejects logged prepend
the audit keyword to the deny rule. Deny rules do not have a
block form.
eg.
deny /foo/bar rw,
audit deny /etc/shadow w,
audit {
deny owner /blah w,
deny other /foo w,
deny /etc/shadow w,
}
2008-03-13 17:39:03 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
2008-04-09 23:56:31 +00:00
|
|
|
|
2021-06-09 00:56:59 -07:00
|
|
|
if (entry->perms & (AA_LINK_BITS)) {
|
2007-11-16 09:36:42 +00:00
|
|
|
/* add the pair rule */
|
2013-12-16 01:15:17 -08:00
|
|
|
std::string lbuf;
|
2021-06-09 00:56:59 -07:00
|
|
|
int perms = AA_LINK_BITS & entry->perms;
|
2013-10-01 10:59:04 -07:00
|
|
|
const char *vec[2];
|
2009-07-30 06:09:19 +00:00
|
|
|
int pos;
|
2013-12-16 01:15:17 -08:00
|
|
|
vec[0] = tbuf.c_str();
|
2007-11-16 09:37:31 +00:00
|
|
|
if (entry->link_name) {
|
2021-03-14 08:50:16 -07:00
|
|
|
filter_slashes(entry->link_name);
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre(entry->link_name, 0, glob_default, lbuf, &pos);
|
2008-03-13 16:46:19 +00:00
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
return FALSE;
|
2008-03-13 16:49:10 +00:00
|
|
|
if (entry->subset)
|
|
|
|
|
perms |= LINK_TO_LINK_SUBSET(perms);
|
2013-12-16 01:15:17 -08:00
|
|
|
vec[1] = lbuf.c_str();
|
2007-11-16 09:37:31 +00:00
|
|
|
} else {
|
|
|
|
|
perms |= LINK_TO_LINK_SUBSET(perms);
|
2008-03-13 16:46:19 +00:00
|
|
|
vec[1] = "/[^/].*";
|
2007-11-16 09:37:31 +00:00
|
|
|
}
|
2023-07-06 16:41:56 -07:00
|
|
|
if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, perms, entry->audit == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, parseopts, false))
|
2007-11-16 09:36:42 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
2021-06-09 00:56:59 -07:00
|
|
|
if (is_change_profile_perms(entry->perms)) {
|
2013-10-01 10:59:04 -07:00
|
|
|
const char *vec[3];
|
2015-06-12 15:25:10 -07:00
|
|
|
std::string lbuf, xbuf;
|
2016-03-18 17:28:51 -05:00
|
|
|
autofree char *ns = NULL;
|
|
|
|
|
autofree char *name = NULL;
|
2012-03-26 06:11:16 -07:00
|
|
|
int index = 1;
|
2016-05-31 15:32:08 -05:00
|
|
|
uint32_t onexec_perms = AA_ONEXEC;
|
2012-03-26 06:11:16 -07:00
|
|
|
|
2023-07-06 16:41:56 -07:00
|
|
|
if ((parseopts.warn & WARN_RULE_DOWNGRADED) && entry->audit == AUDIT_FORCE && warn_change_profile) {
|
2015-06-06 01:28:43 -07:00
|
|
|
/* don't have profile name here, so until this code
|
|
|
|
|
* gets refactored just throw out a generic warning
|
|
|
|
|
*/
|
|
|
|
|
fprintf(stderr, "Warning kernel does not support audit modifier for change_profile rule.\n");
|
|
|
|
|
warn_change_profile = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-06-12 15:25:10 -07:00
|
|
|
if (entry->onexec) {
|
|
|
|
|
ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);
|
|
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
return FALSE;
|
|
|
|
|
vec[0] = xbuf.c_str();
|
|
|
|
|
} else
|
|
|
|
|
/* allow change_profile for all execs */
|
2015-06-12 15:25:10 -07:00
|
|
|
vec[0] = "/[^/\\x00][^\\x00]*";
|
2012-03-26 06:11:16 -07:00
|
|
|
|
2020-04-29 02:18:24 -07:00
|
|
|
if (!features_supports_stacking) {
|
2016-03-18 17:28:51 -05:00
|
|
|
bool stack;
|
|
|
|
|
|
|
|
|
|
if (!parse_label(&stack, &ns, &name,
|
|
|
|
|
tbuf.c_str(), false)) {
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (stack) {
|
|
|
|
|
fprintf(stderr,
|
|
|
|
|
_("The current kernel does not support stacking of named transitions: %s\n"),
|
|
|
|
|
tbuf.c_str());
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ns)
|
|
|
|
|
vec[index++] = ns;
|
|
|
|
|
vec[index++] = name;
|
|
|
|
|
} else {
|
|
|
|
|
vec[index++] = tbuf.c_str();
|
|
|
|
|
}
|
2012-03-26 06:11:16 -07:00
|
|
|
|
|
|
|
|
/* regular change_profile rule */
|
2021-09-09 01:42:51 -07:00
|
|
|
if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY,
|
2016-05-31 15:32:08 -05:00
|
|
|
AA_CHANGE_PROFILE | onexec_perms,
|
2023-07-06 16:41:56 -07:00
|
|
|
0, index - 1, &vec[1], parseopts, false))
|
2012-03-26 06:11:16 -07:00
|
|
|
return FALSE;
|
2016-05-31 15:32:08 -05:00
|
|
|
|
2012-03-26 06:11:16 -07:00
|
|
|
/* onexec rules - both rules are needed for onexec */
|
2021-09-09 01:42:51 -07:00
|
|
|
if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, onexec_perms,
|
2023-07-06 16:41:56 -07:00
|
|
|
0, 1, vec, parseopts, false))
|
2012-03-26 06:11:16 -07:00
|
|
|
return FALSE;
|
2016-05-31 15:32:08 -05:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* pick up any exec bits, from the frontend parser, related to
|
|
|
|
|
* unsafe exec transitions
|
|
|
|
|
*/
|
2021-06-09 00:56:59 -07:00
|
|
|
onexec_perms |= (entry->perms & (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE));
|
2021-09-09 01:42:51 -07:00
|
|
|
if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, onexec_perms,
|
2023-07-06 16:41:56 -07:00
|
|
|
0, index, vec, parseopts, false))
|
2012-03-26 06:11:16 -07:00
|
|
|
return FALSE;
|
2007-11-16 09:18:48 +00:00
|
|
|
}
|
2007-11-16 09:36:42 +00:00
|
|
|
return TRUE;
|
2007-02-27 02:29:16 +00:00
|
|
|
}
|
|
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
int post_process_entries(Profile *prof)
|
2006-04-11 21:52:54 +00:00
|
|
|
{
|
2010-07-31 16:00:52 -07:00
|
|
|
int ret = TRUE;
|
2006-04-11 21:52:54 +00:00
|
|
|
struct cod_entry *entry;
|
|
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
list_for_each(prof->entries, entry) {
|
|
|
|
|
if (!process_dfa_entry(prof->dfa.rules, entry))
|
2006-04-11 21:52:54 +00:00
|
|
|
ret = FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
int process_profile_regex(Profile *prof)
|
2006-04-11 21:52:54 +00:00
|
|
|
{
|
2007-02-27 02:29:16 +00:00
|
|
|
int error = -1;
|
2008-11-07 01:31:19 +00:00
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
if (!process_profile_name_xmatch(prof))
|
2013-09-27 16:11:00 -07:00
|
|
|
goto out;
|
|
|
|
|
|
2014-04-23 10:57:16 -07:00
|
|
|
prof->dfa.rules = new aare_rules();
|
2013-09-27 16:16:37 -07:00
|
|
|
if (!prof->dfa.rules)
|
2013-09-27 16:11:00 -07:00
|
|
|
goto out;
|
2009-07-30 06:09:19 +00:00
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
if (!post_process_entries(prof))
|
2007-02-27 02:29:16 +00:00
|
|
|
goto out;
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2014-04-23 10:57:16 -07:00
|
|
|
if (prof->dfa.rules->rule_count > 0) {
|
2019-02-08 11:32:16 -08:00
|
|
|
int xmatch_len = 0;
|
2014-04-23 10:57:16 -07:00
|
|
|
prof->dfa.dfa = prof->dfa.rules->create_dfa(&prof->dfa.size,
|
2023-07-06 16:41:56 -07:00
|
|
|
&xmatch_len, parseopts, true);
|
2014-04-23 10:57:16 -07:00
|
|
|
delete prof->dfa.rules;
|
2013-09-27 16:16:37 -07:00
|
|
|
prof->dfa.rules = NULL;
|
|
|
|
|
if (!prof->dfa.dfa)
|
2007-02-27 02:29:16 +00:00
|
|
|
goto out;
|
|
|
|
|
/*
|
2013-09-27 16:16:37 -07:00
|
|
|
if (prof->dfa_size == 0) {
|
2007-02-27 02:29:16 +00:00
|
|
|
PERROR(_("profile %s: has merged rules (%s) with "
|
|
|
|
|
"multiple x modifiers\n"),
|
2013-09-27 16:16:37 -07:00
|
|
|
prof->name, (char *) prof->dfa);
|
|
|
|
|
free(prof->dfa);
|
|
|
|
|
prof->dfa = NULL;
|
2007-02-27 02:29:16 +00:00
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
*/
|
|
|
|
|
}
|
2007-02-01 20:18:50 +00:00
|
|
|
|
2007-02-27 02:29:16 +00:00
|
|
|
error = 0;
|
|
|
|
|
|
|
|
|
|
out:
|
2006-04-11 21:52:54 +00:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-07 03:16:50 -07:00
|
|
|
int build_list_val_expr(std::string& buffer, struct value_list *list)
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
{
|
|
|
|
|
struct value_list *ent;
|
|
|
|
|
pattern_t ptype;
|
|
|
|
|
int pos;
|
|
|
|
|
|
|
|
|
|
if (!list) {
|
2014-01-24 10:47:42 -08:00
|
|
|
buffer.append(default_match_pattern);
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-16 01:17:21 -08:00
|
|
|
buffer.append("(");
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre(list->value, 0, glob_default, buffer, &pos);
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
list_for_each(list->next, ent) {
|
2013-12-16 01:17:21 -08:00
|
|
|
buffer.append("|");
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre(ent->value, 0, glob_default, buffer, &pos);
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
2013-12-16 01:17:21 -08:00
|
|
|
buffer.append(")");
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
|
fail:
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-07 03:16:50 -07:00
|
|
|
int convert_entry(std::string& buffer, char *entry)
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
{
|
|
|
|
|
pattern_t ptype;
|
|
|
|
|
int pos;
|
|
|
|
|
|
|
|
|
|
if (entry) {
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre(entry, 0, glob_default, buffer, &pos);
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
return FALSE;
|
|
|
|
|
} else {
|
2014-01-24 10:47:42 -08:00
|
|
|
buffer.append(default_match_pattern);
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
}
|
2013-12-16 01:15:17 -08:00
|
|
|
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-07 03:16:50 -07:00
|
|
|
int clear_and_convert_entry(std::string& buffer, char *entry)
|
2014-01-24 10:47:42 -08:00
|
|
|
{
|
|
|
|
|
buffer.clear();
|
|
|
|
|
return convert_entry(buffer, entry);
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-22 17:56:08 -03:00
|
|
|
static std::vector<std::pair<bignum, bignum>> regex_range_generator(bignum start, bignum end)
|
|
|
|
|
{
|
|
|
|
|
std::vector<std::pair<bignum, bignum>> forward;
|
|
|
|
|
std::vector<std::pair<bignum, bignum>> reverse;
|
|
|
|
|
bignum next, prev;
|
|
|
|
|
|
|
|
|
|
while (start <= end) {
|
|
|
|
|
next = bignum::upper_bound_regex(start);
|
|
|
|
|
if (next > end)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
forward.emplace_back(start, next);
|
|
|
|
|
start = next + 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (!end.negative && end >= start) {
|
|
|
|
|
prev = bignum::lower_bound_regex(end);
|
|
|
|
|
if (prev < start || prev.negative)
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
reverse.emplace_back(prev, end);
|
|
|
|
|
end = prev - 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!end.negative && start <= end) {
|
|
|
|
|
forward.emplace_back(start, end);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
forward.insert(forward.end(), reverse.rbegin(), reverse.rend());
|
|
|
|
|
return forward;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static std::string generate_regex_range(bignum start, bignum end)
|
|
|
|
|
{
|
|
|
|
|
std::ostringstream result;
|
|
|
|
|
std::vector<std::pair<bignum, bignum>> regex_range;
|
|
|
|
|
int j;
|
2023-09-13 10:24:35 -03:00
|
|
|
regex_range = regex_range_generator(std::move(start), std::move(end));
|
2023-08-22 17:56:08 -03:00
|
|
|
for (auto &i: regex_range) {
|
|
|
|
|
bignum sstart = i.first;
|
|
|
|
|
bignum send = i.second;
|
2023-08-23 10:49:53 -03:00
|
|
|
if (sstart.base == 16) {
|
|
|
|
|
for (j = (size_t) sstart.size(); j < 32; j++)
|
|
|
|
|
result << '0';
|
|
|
|
|
}
|
2023-08-22 17:56:08 -03:00
|
|
|
for (j = sstart.size() - 1; j >= 0; j--) {
|
2023-08-23 10:48:11 -03:00
|
|
|
result << std::nouppercase;
|
2023-08-22 17:56:08 -03:00
|
|
|
if (sstart[j] == send[j]) {
|
2023-08-23 10:48:11 -03:00
|
|
|
if (sstart[j] >= 10)
|
|
|
|
|
result << '[';
|
2023-08-22 17:56:08 -03:00
|
|
|
result << std::hex << sstart[j];
|
2023-08-23 10:48:11 -03:00
|
|
|
if (sstart[j] >= 10)
|
|
|
|
|
result << std::uppercase << std::hex << sstart[j] << ']';
|
2023-08-22 17:56:08 -03:00
|
|
|
} else {
|
|
|
|
|
if (sstart[j] < 10 && send[j] >= 10) {
|
|
|
|
|
result << '[';
|
|
|
|
|
result << std::hex << sstart[j];
|
|
|
|
|
if (sstart[j] < 9) {
|
|
|
|
|
result << '-';
|
|
|
|
|
result << '9';
|
|
|
|
|
}
|
|
|
|
|
if (send[j] > 10) {
|
|
|
|
|
result << 'a';
|
|
|
|
|
result << '-';
|
|
|
|
|
}
|
|
|
|
|
result << std::hex << send[j];
|
2023-08-23 10:48:11 -03:00
|
|
|
if (send[j] > 10) {
|
|
|
|
|
result << 'A';
|
|
|
|
|
result << '-';
|
|
|
|
|
}
|
|
|
|
|
result << std::uppercase << std::hex << send[j];
|
2023-08-22 17:56:08 -03:00
|
|
|
result << ']';
|
|
|
|
|
} else {
|
|
|
|
|
result << '[';
|
|
|
|
|
result << std::hex << sstart[j];
|
|
|
|
|
result << '-';
|
|
|
|
|
result << std::hex << send[j];
|
2023-08-23 10:48:11 -03:00
|
|
|
if (sstart[j] >= 10) {
|
|
|
|
|
result << std::uppercase << std::hex << sstart[j];
|
|
|
|
|
result << '-';
|
|
|
|
|
result << std::uppercase << std::hex << send[j];
|
|
|
|
|
}
|
2023-08-22 17:56:08 -03:00
|
|
|
result << ']';
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (&i != ®ex_range.back())
|
|
|
|
|
result << ",";
|
|
|
|
|
}
|
|
|
|
|
return result.str();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int convert_range(std::string& buffer, bignum start, bignum end)
|
|
|
|
|
{
|
|
|
|
|
pattern_t ptype;
|
|
|
|
|
int pos;
|
|
|
|
|
|
2023-09-13 10:24:35 -03:00
|
|
|
std::string regex_range = generate_regex_range(std::move(start), std::move(end));
|
2023-08-22 17:56:08 -03:00
|
|
|
|
|
|
|
|
if (!regex_range.empty()) {
|
|
|
|
|
ptype = convert_aaregex_to_pcre(regex_range.c_str(), 0, glob_default, buffer, &pos);
|
|
|
|
|
if (ptype == ePatternInvalid)
|
|
|
|
|
return FALSE;
|
|
|
|
|
} else {
|
|
|
|
|
buffer.append(default_match_pattern);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2014-04-07 03:16:50 -07:00
|
|
|
int post_process_policydb_ents(Profile *prof)
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
{
|
2014-04-07 03:16:50 -07:00
|
|
|
for (RuleList::iterator i = prof->rule_ents.begin(); i != prof->rule_ents.end(); i++) {
|
2023-07-03 23:52:57 -07:00
|
|
|
if ((*i)->skip())
|
2021-09-19 00:59:45 -07:00
|
|
|
continue;
|
2014-04-07 03:16:50 -07:00
|
|
|
if ((*i)->gen_policy_re(*prof) == RULE_ERROR)
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-31 09:05:51 -07:00
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2014-09-03 13:45:44 -07:00
|
|
|
#define MAKE_STR(X) #X
|
|
|
|
|
#define CLASS_STR(X) "\\d" MAKE_STR(X)
|
|
|
|
|
#define MAKE_SUB_STR(X) "\\000" MAKE_STR(X)
|
|
|
|
|
#define CLASS_SUB_STR(X, Y) MAKE_STR(X) MAKE_SUB_STR(Y)
|
2014-04-15 15:00:28 -07:00
|
|
|
|
2014-04-23 10:59:07 -07:00
|
|
|
static const char *mediates_file = CLASS_STR(AA_CLASS_FILE);
|
2014-04-15 15:00:28 -07:00
|
|
|
static const char *mediates_mount = CLASS_STR(AA_CLASS_MOUNT);
|
|
|
|
|
static const char *mediates_dbus = CLASS_STR(AA_CLASS_DBUS);
|
2014-04-23 11:35:29 -07:00
|
|
|
static const char *mediates_signal = CLASS_STR(AA_CLASS_SIGNAL);
|
2014-04-23 11:38:04 -07:00
|
|
|
static const char *mediates_ptrace = CLASS_STR(AA_CLASS_PTRACE);
|
parser: first step implementing fine grained mediation for unix domain sockets
This patch implements parsing of fine grained mediation for unix domain
sockets, that have abstract and anonymous paths. Sockets with file
system paths are handled by regular file access rules.
The unix network rules follow the general fine grained network
rule pattern of
[<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
specifically for af_unix this is
[<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
<qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
<access expr> = ( <access> | <access list> )
<access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
'connect' | 'shutdown' | 'getattr' | 'setattr' |
'getopt' | 'setopt' |
'send' | 'receive' | 'r' | 'w' | 'rw' )
(some access modes are incompatible with some rules or require additional
parameters)
<access list> = '(' <access> ( [','] <WS> <access> )* ')'
<WS> = white space
<rule conds> = ( <type cond> | <protocol cond> )*
each cond can appear at most once
<type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<local expr> = ( <path cond> | <attr cond> | <opt cond> )*
each cond can appear at most once
<peer expr> = 'peer' '=' ( <path cond> | <label cond> )+
each cond can appear at most once
<path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')')
<attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<AARE> = ?*[]{}^ ( see man page )
unix domain socket rules are accumulated so that the granted unix
socket permissions are the union of all the listed unix rule permissions.
unix domain socket rules are broad and general and become more restrictive
as further information is specified. Policy may be specified down to
the path and label level. The content of the communication is not
examined.
Some permissions are not compatible with all unix rules.
unix socket rule permissions are implied when a rule does not explicitly
state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.
The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions.
server = (create, bind, listen, accept)
r = (receive, getattr, getopt)
w = (create, connect, send, setattr, setopt)
In addition it supports the v7 kernel abi semantics around generic
network rules. The v7 abi removes the masking unix and netlink
address families from the generic masking and uses fine grained
mediation for an address type if supplied.
This means that the rules
network unix,
network netlink,
are now enforced instead of ignored. The parser previously could accept
these but the kernel would ignore anything written to them. If a network
rule is supplied it takes precedence over the finer grained mediation
rule. If permission is not granted via a broad network access rule
fine grained mediation is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
|
|
|
static const char *mediates_extended_net = CLASS_STR(AA_CLASS_NET);
|
2018-07-24 04:40:25 -07:00
|
|
|
static const char *mediates_netv8 = CLASS_STR(AA_CLASS_NETV8);
|
parser: first step implementing fine grained mediation for unix domain sockets
This patch implements parsing of fine grained mediation for unix domain
sockets, that have abstract and anonymous paths. Sockets with file
system paths are handled by regular file access rules.
The unix network rules follow the general fine grained network
rule pattern of
[<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
specifically for af_unix this is
[<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
<qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
<access expr> = ( <access> | <access list> )
<access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
'connect' | 'shutdown' | 'getattr' | 'setattr' |
'getopt' | 'setopt' |
'send' | 'receive' | 'r' | 'w' | 'rw' )
(some access modes are incompatible with some rules or require additional
parameters)
<access list> = '(' <access> ( [','] <WS> <access> )* ')'
<WS> = white space
<rule conds> = ( <type cond> | <protocol cond> )*
each cond can appear at most once
<type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<local expr> = ( <path cond> | <attr cond> | <opt cond> )*
each cond can appear at most once
<peer expr> = 'peer' '=' ( <path cond> | <label cond> )+
each cond can appear at most once
<path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')')
<attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<AARE> = ?*[]{}^ ( see man page )
unix domain socket rules are accumulated so that the granted unix
socket permissions are the union of all the listed unix rule permissions.
unix domain socket rules are broad and general and become more restrictive
as further information is specified. Policy may be specified down to
the path and label level. The content of the communication is not
examined.
Some permissions are not compatible with all unix rules.
unix socket rule permissions are implied when a rule does not explicitly
state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.
The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions.
server = (create, bind, listen, accept)
r = (receive, getattr, getopt)
w = (create, connect, send, setattr, setopt)
In addition it supports the v7 kernel abi semantics around generic
network rules. The v7 abi removes the masking unix and netlink
address families from the generic masking and uses fine grained
mediation for an address type if supplied.
This means that the rules
network unix,
network netlink,
are now enforced instead of ignored. The parser previously could accept
these but the kernel would ignore anything written to them. If a network
rule is supplied it takes precedence over the finer grained mediation
rule. If permission is not granted via a broad network access rule
fine grained mediation is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
|
|
|
static const char *mediates_net_unix = CLASS_SUB_STR(AA_CLASS_NET, AF_UNIX);
|
2022-09-29 17:40:18 -03:00
|
|
|
static const char *mediates_ns = CLASS_STR(AA_CLASS_NS);
|
2022-02-07 19:15:11 -03:00
|
|
|
static const char *mediates_posix_mqueue = CLASS_STR(AA_CLASS_POSIX_MQUEUE);
|
|
|
|
|
static const char *mediates_sysv_mqueue = CLASS_STR(AA_CLASS_SYSV_MQUEUE);
|
2023-03-20 12:28:53 -03:00
|
|
|
static const char *mediates_io_uring = CLASS_STR(AA_CLASS_IO_URING);
|
2014-04-15 15:00:28 -07:00
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
int process_profile_policydb(Profile *prof)
|
2012-02-16 08:14:46 -08:00
|
|
|
{
|
|
|
|
|
int error = -1;
|
|
|
|
|
|
2014-04-23 10:57:16 -07:00
|
|
|
prof->policy.rules = new aare_rules();
|
2013-09-27 16:16:37 -07:00
|
|
|
if (!prof->policy.rules)
|
2013-09-27 16:11:00 -07:00
|
|
|
goto out;
|
Add mount rules
Add the ability to control mounting and unmounting
The basic form of the rules are.
[audit] [deny] mount [conds]* [device] [ -> [conds] path],
[audit] [deny] remount [conds]* [path],
[audit] [deny] umount [conds]* [path],
[audit] [deny] pivotroot [oldroot=<value>] <path> -> <profile>
remount is just a short cut for mount options=remount
where [conds] can be
fstype=<expr>
options=<expr>
conds follow the extended conditional syntax of allowing either:
* a single value after the equals, which has the same character range as
regular IDS (ie most anything but it can't be terminated with a , (comma)
and if spaces or other characters are needed it can be quoted
eg.
options=foo
options = foo
options="foo bar"
* a list of values after the equals, the list of values is enclosed within
parenthesis () and its has a slightly reduced character set but again
elements can be quoted.
the separation between elements is whitespace and commas.
eg.
options=(foo bar)
options=(foo, bar)
options=(foo , bar)
options=(foo,bar)
The rules are flexible and follow a similar pattern as network, capability,
etc.
mount, # allow all mounts, but not umount or pivotroot
mount fstype=procfs, # allow mounting procfs anywhere
mount options=(bind, ro) /foo -> /bar, # readonly bind mount
mount /dev/sda -> /mnt,
mount /dev/sd** -> /mnt/**,
mount fstype=overlayfs options=(rw,upperdir=/tmp/upper/,lowerdir=/) overlay -> /mnt/
umount,
umount /m*,
Currently variables and regexs are are supported on the device and mount
point. ie.
mount <devince> -> <mount point>,
Regexes are supported in fstype and options. The options have a further
caveat that regexs only work if the option is fs specific option.
eg. options=(upperdir=/tmp/*,lowerdir=/)
regex's will not currently work against the standard options like ro, rw
nosuid
Conditionals (fstype) can only be applied to the device (source) at this
time and will be disregarded in situations where the mount is manipulating
an existing mount (bind, remount).
Options can be specified multiple times
mount option=rw option=(nosuid,upperdir=/foo),
and will be combined together into a single set of values
The ordering of the standard mount options (rw,ro, ...) does not matter
but the ordering of fs specific options does.
Specifying that the value of a particular option does not matter can be
acheived by providing both the positive and negative forms of and option
option=(rw,ro) options=(suid,nosuid)
For the fs specific options specifying that a particular value does not
matter is achieve using a regex with alternations.
Improvements to the syntax and order restrictions are planned for the
future.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-24 04:19:38 -08:00
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
if (!post_process_policydb_ents(prof))
|
2012-02-16 08:14:46 -08:00
|
|
|
goto out;
|
|
|
|
|
|
2014-04-15 15:00:28 -07:00
|
|
|
/* insert entries to show indicate what compiler/policy expects
|
|
|
|
|
* to be supported
|
|
|
|
|
*/
|
|
|
|
|
|
2022-09-29 17:40:18 -03:00
|
|
|
if (features_supports_userns &&
|
2023-07-06 16:41:56 -07:00
|
|
|
!prof->policy.rules->add_rule(mediates_ns, 0, AA_MAY_READ, 0, parseopts))
|
2022-09-29 17:40:18 -03:00
|
|
|
goto out;
|
2024-06-13 15:22:31 -03:00
|
|
|
|
|
|
|
|
/* don't add mediated classes to unconfined profiles */
|
|
|
|
|
if (prof->flags.mode != MODE_UNCONFINED &&
|
|
|
|
|
prof->flags.mode != MODE_DEFAULT_ALLOW) {
|
|
|
|
|
/* note: this activates fs based unix domain sockets mediation on connect */
|
|
|
|
|
if (kernel_abi_version > 5 &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_file, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_mount &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_mount, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_dbus &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_dbus, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_signal &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_signal, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_ptrace &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_ptrace, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_networkv8 &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_netv8, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_unix &&
|
|
|
|
|
(!prof->policy.rules->add_rule(mediates_extended_net, 0, AA_MAY_READ, 0, parseopts) ||
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_net_unix, 0, AA_MAY_READ, 0, parseopts)))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_posix_mqueue &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_posix_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_sysv_mqueue &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_sysv_mqueue, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
if (features_supports_io_uring &&
|
|
|
|
|
!prof->policy.rules->add_rule(mediates_io_uring, 0, AA_MAY_READ, 0, parseopts))
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2014-04-23 11:35:29 -07:00
|
|
|
|
2014-04-23 10:57:16 -07:00
|
|
|
if (prof->policy.rules->rule_count > 0) {
|
2019-02-08 11:32:16 -08:00
|
|
|
int xmatch_len = 0;
|
|
|
|
|
prof->policy.dfa = prof->policy.rules->create_dfa(&prof->policy.size,
|
2023-07-06 16:41:56 -07:00
|
|
|
&xmatch_len, parseopts, false);
|
2014-04-23 10:57:16 -07:00
|
|
|
delete prof->policy.rules;
|
|
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
prof->policy.rules = NULL;
|
|
|
|
|
if (!prof->policy.dfa)
|
2012-02-16 08:14:46 -08:00
|
|
|
goto out;
|
2014-04-15 15:01:05 -07:00
|
|
|
} else {
|
2014-04-23 10:57:16 -07:00
|
|
|
delete prof->policy.rules;
|
2014-04-15 15:01:05 -07:00
|
|
|
prof->policy.rules = NULL;
|
2012-02-16 08:14:46 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
error = 0;
|
|
|
|
|
|
|
|
|
|
out:
|
2014-04-23 10:57:16 -07:00
|
|
|
delete prof->policy.rules;
|
2014-04-15 15:01:05 -07:00
|
|
|
prof->policy.rules = NULL;
|
|
|
|
|
|
2012-02-16 08:14:46 -08:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
#ifdef UNIT_TEST
|
2013-09-27 16:16:37 -07:00
|
|
|
|
|
|
|
|
#include "unit_test.h"
|
|
|
|
|
|
2016-01-25 12:05:50 -08:00
|
|
|
#define MY_FILTER_TEST(input, expected_str) \
|
|
|
|
|
do { \
|
|
|
|
|
char *test_string = NULL; \
|
|
|
|
|
char *output_string = NULL; \
|
|
|
|
|
\
|
|
|
|
|
test_string = strdup((input)); \
|
|
|
|
|
filter_slashes(test_string); \
|
|
|
|
|
asprintf(&output_string, "simple filter / conversion for '%s'\texpected = '%s'\tresult = '%s'", \
|
|
|
|
|
(input), (expected_str), test_string); \
|
|
|
|
|
MY_TEST(strcmp(test_string, (expected_str)) == 0, output_string); \
|
|
|
|
|
\
|
|
|
|
|
free(test_string); \
|
|
|
|
|
free(output_string); \
|
|
|
|
|
} \
|
|
|
|
|
while (0)
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
static int test_filter_slashes(void)
|
|
|
|
|
{
|
|
|
|
|
int rc = 0;
|
|
|
|
|
|
2016-01-25 12:05:50 -08:00
|
|
|
MY_FILTER_TEST("///foo//////f//oo////////////////", "/foo/f/oo/");
|
|
|
|
|
MY_FILTER_TEST("/foo/f/oo", "/foo/f/oo");
|
|
|
|
|
MY_FILTER_TEST("/", "/");
|
|
|
|
|
MY_FILTER_TEST("", "");
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2016-01-25 12:05:50 -08:00
|
|
|
/* tests for "//" namespace */
|
|
|
|
|
MY_FILTER_TEST("//usr", "//usr");
|
|
|
|
|
MY_FILTER_TEST("//", "//");
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2016-01-25 12:05:50 -08:00
|
|
|
/* tests for not "//" namespace */
|
|
|
|
|
MY_FILTER_TEST("///usr", "/usr");
|
|
|
|
|
MY_FILTER_TEST("///", "/");
|
2006-04-11 21:52:54 +00:00
|
|
|
|
2016-01-25 12:05:50 -08:00
|
|
|
MY_FILTER_TEST("/a/", "/a/");
|
2006-04-11 21:52:54 +00:00
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-12 10:19:16 -08:00
|
|
|
#define MY_REGEX_EXT_TEST(glob, input, expected_str, expected_type) \
|
2013-12-03 11:30:46 -08:00
|
|
|
do { \
|
2013-12-16 01:15:17 -08:00
|
|
|
std::string tbuf; \
|
|
|
|
|
std::string tbuf2 = "testprefix"; \
|
|
|
|
|
char *output_string = NULL; \
|
|
|
|
|
std::string expected_str2; \
|
2013-12-03 11:30:46 -08:00
|
|
|
pattern_t ptype; \
|
|
|
|
|
int pos; \
|
|
|
|
|
\
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre((input), 0, glob, tbuf, &pos); \
|
2013-12-03 11:30:46 -08:00
|
|
|
asprintf(&output_string, "simple regex conversion for '%s'\texpected = '%s'\tresult = '%s'", \
|
2014-01-24 10:21:30 -08:00
|
|
|
(input), (expected_str), tbuf.c_str()); \
|
2013-12-16 01:15:17 -08:00
|
|
|
MY_TEST(strcmp(tbuf.c_str(), (expected_str)) == 0, output_string); \
|
2013-12-03 11:30:46 -08:00
|
|
|
MY_TEST(ptype == (expected_type), "simple regex conversion type check for '" input "'"); \
|
2013-12-16 01:15:17 -08:00
|
|
|
free(output_string); \
|
|
|
|
|
/* ensure convert_aaregex_to_pcre appends only to passed ref string */ \
|
|
|
|
|
expected_str2 = tbuf2; \
|
|
|
|
|
expected_str2.append((expected_str)); \
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre((input), 0, glob, tbuf2, &pos); \
|
|
|
|
|
asprintf(&output_string, "simple regex conversion %sfor '%s'\texpected = '%s'\tresult = '%s'", \
|
|
|
|
|
glob == glob_null ? "with null allowed in glob " : "",\
|
2013-12-16 01:15:17 -08:00
|
|
|
(input), expected_str2.c_str(), tbuf2.c_str()); \
|
|
|
|
|
MY_TEST((tbuf2 == expected_str2), output_string); \
|
2014-01-24 10:21:30 -08:00
|
|
|
free(output_string); \
|
2013-12-03 11:30:46 -08:00
|
|
|
} \
|
|
|
|
|
while (0)
|
|
|
|
|
|
2015-02-12 10:19:16 -08:00
|
|
|
#define MY_REGEX_TEST(input, expected_str, expected_type) MY_REGEX_EXT_TEST(glob_default, input, expected_str, expected_type)
|
|
|
|
|
|
|
|
|
|
|
2013-12-03 11:30:46 -08:00
|
|
|
#define MY_REGEX_FAIL_TEST(input) \
|
|
|
|
|
do { \
|
2013-12-16 01:15:17 -08:00
|
|
|
std::string tbuf; \
|
2013-12-03 11:30:46 -08:00
|
|
|
pattern_t ptype; \
|
|
|
|
|
int pos; \
|
|
|
|
|
\
|
2015-02-12 10:19:16 -08:00
|
|
|
ptype = convert_aaregex_to_pcre((input), 0, glob_default, tbuf, &pos); \
|
2013-12-03 11:30:46 -08:00
|
|
|
MY_TEST(ptype == ePatternInvalid, "simple regex conversion invalid type check for '" input "'"); \
|
|
|
|
|
} \
|
|
|
|
|
while (0)
|
|
|
|
|
|
|
|
|
|
static int test_aaregex_to_pcre(void)
|
|
|
|
|
{
|
|
|
|
|
int rc = 0;
|
|
|
|
|
|
|
|
|
|
MY_REGEX_TEST("/most/basic/test", "/most/basic/test", ePatternBasic);
|
|
|
|
|
|
2013-12-06 06:01:12 -08:00
|
|
|
MY_REGEX_FAIL_TEST("\\");
|
2013-12-03 11:30:46 -08:00
|
|
|
MY_REGEX_TEST("\\\\", "\\\\", ePatternBasic);
|
2013-12-06 06:01:12 -08:00
|
|
|
MY_REGEX_TEST("\\blort", "blort", ePatternBasic);
|
2013-12-03 11:30:46 -08:00
|
|
|
MY_REGEX_TEST("\\\\blort", "\\\\blort", ePatternBasic);
|
2013-12-06 06:01:12 -08:00
|
|
|
MY_REGEX_FAIL_TEST("blort\\");
|
2013-12-03 11:30:46 -08:00
|
|
|
MY_REGEX_TEST("blort\\\\", "blort\\\\", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("*", "[^/\\x00]*", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("blort*", "blort[^/\\x00]*", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("*blort", "[^/\\x00]*blort", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("\\*", "\\*", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("blort\\*", "blort\\*", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\*blort", "\\*blort", ePatternBasic);
|
|
|
|
|
|
|
|
|
|
/* simple quoting */
|
|
|
|
|
MY_REGEX_TEST("\\[", "\\[", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\]", "\\]", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\?", "?", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\{", "\\{", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\}", "\\}", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\,", ",", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("^", "\\^", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("$", "\\$", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST(".", "\\.", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("+", "\\+", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("|", "\\|", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("(", "\\(", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST(")", "\\)", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\^", "\\^", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\$", "\\$", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\.", "\\.", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\+", "\\+", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\|", "\\|", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\(", "\\(", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\)", "\\)", ePatternBasic);
|
|
|
|
|
|
|
|
|
|
/* simple character class tests */
|
|
|
|
|
MY_REGEX_TEST("[blort]", "[blort]", ePatternRegex);
|
|
|
|
|
MY_REGEX_FAIL_TEST("[blort");
|
|
|
|
|
MY_REGEX_FAIL_TEST("b[lort");
|
|
|
|
|
MY_REGEX_FAIL_TEST("blort[");
|
|
|
|
|
MY_REGEX_FAIL_TEST("blort]");
|
|
|
|
|
MY_REGEX_FAIL_TEST("blo]rt");
|
|
|
|
|
MY_REGEX_FAIL_TEST("]blort");
|
2013-12-06 06:07:24 -08:00
|
|
|
MY_REGEX_TEST("b[lor]t", "b[lor]t", ePatternRegex);
|
2013-12-03 11:30:46 -08:00
|
|
|
|
|
|
|
|
/* simple alternation tests */
|
|
|
|
|
MY_REGEX_TEST("{alpha,beta}", "(alpha|beta)", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("baz{alpha,beta}blort", "baz(alpha|beta)blort", ePatternRegex);
|
|
|
|
|
MY_REGEX_FAIL_TEST("{beta}");
|
|
|
|
|
MY_REGEX_FAIL_TEST("biz{beta");
|
|
|
|
|
MY_REGEX_FAIL_TEST("biz}beta");
|
|
|
|
|
MY_REGEX_FAIL_TEST("biz{be,ta");
|
|
|
|
|
MY_REGEX_FAIL_TEST("biz,be}ta");
|
|
|
|
|
MY_REGEX_FAIL_TEST("biz{}beta");
|
|
|
|
|
|
|
|
|
|
/* nested alternations */
|
|
|
|
|
MY_REGEX_TEST("{{alpha,blort,nested},beta}", "((alpha|blort|nested)|beta)", ePatternRegex);
|
|
|
|
|
MY_REGEX_FAIL_TEST("{{alpha,blort,nested}beta}");
|
|
|
|
|
MY_REGEX_TEST("{{alpha,{blort,nested}},beta}", "((alpha|(blort|nested))|beta)", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("{{alpha,alpha{blort,nested}}beta,beta}", "((alpha|alpha(blort|nested))beta|beta)", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("{{alpha,alpha{blort,nested}}beta,beta}", "((alpha|alpha(blort|nested))beta|beta)", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("{{a,b{c,d}}e,{f,{g,{h{i,j,k},l}m},n}o}", "((a|b(c|d))e|(f|(g|(h(i|j|k)|l)m)|n)o)", ePatternRegex);
|
2013-12-06 06:07:24 -08:00
|
|
|
/* max nesting depth = 50 */
|
|
|
|
|
MY_REGEX_TEST("{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a,b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b}b,blort}",
|
|
|
|
|
"(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a(a|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)|b)b|blort)", ePatternRegex);
|
|
|
|
|
MY_REGEX_FAIL_TEST("{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a{a,b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b},b}b,blort}");
|
|
|
|
|
|
|
|
|
|
/* simple single char */
|
|
|
|
|
MY_REGEX_TEST("blor?t", "blor[^/\\x00]t", ePatternRegex);
|
|
|
|
|
|
|
|
|
|
/* simple globbing */
|
|
|
|
|
MY_REGEX_TEST("/*", "/[^/\\x00][^/\\x00]*", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("/blort/*", "/blort/[^/\\x00][^/\\x00]*", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("/*/blort", "/[^/\\x00][^/\\x00]*/blort", ePatternRegex);
|
2013-12-06 11:00:05 -08:00
|
|
|
MY_REGEX_TEST("/*/", "/[^/\\x00][^/\\x00]*/", ePatternRegex);
|
2013-12-06 06:07:24 -08:00
|
|
|
MY_REGEX_TEST("/**", "/[^/\\x00][^\\x00]*", ePatternTailGlob);
|
|
|
|
|
MY_REGEX_TEST("/blort/**", "/blort/[^/\\x00][^\\x00]*", ePatternTailGlob);
|
|
|
|
|
MY_REGEX_TEST("/**/blort", "/[^/\\x00][^\\x00]*/blort", ePatternRegex);
|
2013-12-06 11:00:05 -08:00
|
|
|
MY_REGEX_TEST("/**/", "/[^/\\x00][^\\x00]*/", ePatternRegex);
|
2013-12-06 06:07:24 -08:00
|
|
|
|
|
|
|
|
/* more complicated quoting */
|
|
|
|
|
MY_REGEX_FAIL_TEST("\\\\[");
|
|
|
|
|
MY_REGEX_FAIL_TEST("\\\\]");
|
|
|
|
|
MY_REGEX_TEST("\\\\?", "\\\\[^/\\x00]", ePatternRegex);
|
|
|
|
|
MY_REGEX_FAIL_TEST("\\\\{");
|
|
|
|
|
MY_REGEX_FAIL_TEST("\\\\}");
|
|
|
|
|
MY_REGEX_TEST("\\\\,", "\\\\,", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\\\^", "\\\\\\^", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\\\$", "\\\\\\$", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\\\.", "\\\\\\.", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\\\+", "\\\\\\+", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\\\|", "\\\\\\|", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\\\(", "\\\\\\(", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\\\)", "\\\\\\)", ePatternBasic);
|
2015-02-12 10:19:16 -08:00
|
|
|
MY_REGEX_TEST("\\000", "\\000", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\x00", "\\x00", ePatternBasic);
|
|
|
|
|
MY_REGEX_TEST("\\d000", "\\d000", ePatternBasic);
|
2013-12-03 11:30:46 -08:00
|
|
|
|
2013-12-10 12:22:32 -08:00
|
|
|
/* more complicated character class tests */
|
|
|
|
|
/* -- embedded alternations */
|
|
|
|
|
MY_REGEX_TEST("b[\\lor]t", "b[lor]t", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("b[{a,b}]t", "b[{a,b}]t", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("{alpha,b[{a,b}]t,gamma}", "(alpha|b[{a,b}]t|gamma)", ePatternRegex);
|
|
|
|
|
|
|
|
|
|
/* pcre will ignore the '\' before '\{', but it should be okay
|
|
|
|
|
* for us to pass this on to pcre as '\{' */
|
|
|
|
|
MY_REGEX_TEST("b[\\{a,b\\}]t", "b[\\{a,b\\}]t", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("{alpha,b[\\{a,b\\}]t,gamma}", "(alpha|b[\\{a,b\\}]t|gamma)", ePatternRegex);
|
|
|
|
|
MY_REGEX_TEST("{alpha,b[\\{a\\,b\\}]t,gamma}", "(alpha|b[\\{a\\,b\\}]t|gamma)", ePatternRegex);
|
|
|
|
|
|
2015-02-12 10:19:16 -08:00
|
|
|
/* test different globbing behavior conversion */
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_default, "/foo/**", "/foo/[^/\\x00][^\\x00]*", ePatternTailGlob);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_null, "/foo/**", "/foo/[^/].*", ePatternTailGlob);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_default, "/foo/f**", "/foo/f[^\\x00]*", ePatternTailGlob);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_null, "/foo/f**", "/foo/f.*", ePatternTailGlob);
|
|
|
|
|
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_default, "/foo/*", "/foo/[^/\\x00][^/\\x00]*", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_null, "/foo/*", "/foo/[^/][^/]*", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_default, "/foo/f*", "/foo/f[^/\\x00]*", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_null, "/foo/f*", "/foo/f[^/]*", ePatternRegex);
|
|
|
|
|
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_default, "/foo/**.ext", "/foo/[^\\x00]*\\.ext", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_null, "/foo/**.ext", "/foo/.*\\.ext", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_default, "/foo/f**.ext", "/foo/f[^\\x00]*\\.ext", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_null, "/foo/f**.ext", "/foo/f.*\\.ext", ePatternRegex);
|
|
|
|
|
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_default, "/foo/*.ext", "/foo/[^/\\x00]*\\.ext", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_null, "/foo/*.ext", "/foo/[^/]*\\.ext", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_default, "/foo/f*.ext", "/foo/f[^/\\x00]*\\.ext", ePatternRegex);
|
|
|
|
|
MY_REGEX_EXT_TEST(glob_null, "/foo/f*.ext", "/foo/f[^/]*\\.ext", ePatternRegex);
|
|
|
|
|
|
2013-12-03 11:30:46 -08:00
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
int main(void)
|
|
|
|
|
{
|
|
|
|
|
int rc = 0;
|
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
|
|
retval = test_filter_slashes();
|
|
|
|
|
if (retval != 0)
|
|
|
|
|
rc = retval;
|
|
|
|
|
|
2013-12-03 11:30:46 -08:00
|
|
|
retval = test_aaregex_to_pcre();
|
|
|
|
|
if (retval != 0)
|
|
|
|
|
rc = retval;
|
|
|
|
|
|
2006-04-11 21:52:54 +00:00
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
#endif /* UNIT_TEST */
|