diff --git a/parser/af_rule.h b/parser/af_rule.h
index bc06e6193..3d9adeeee 100644
--- a/parser/af_rule.h
+++ b/parser/af_rule.h
@@ -80,7 +80,8 @@ public:
 virtual bool is_mergeable(void) { return true; }
 virtual int cmp(rule_t const &rhs) const
 {
- int res = perms_rule_t::cmp(rhs);
+ /* use class_rule_t instead of perms_rule_t to merge perms */
+ int res = class_rule_t::cmp(rhs);
 if (res)
 return res;
 af_rule const &trhs = (rule_cast(rhs));
diff --git a/parser/dbus.h b/parser/dbus.h
index a273bffe5..71186f1e1 100644
--- a/parser/dbus.h
+++ b/parser/dbus.h
@@ -65,7 +65,8 @@ public:
 virtual bool is_mergeable(void) { return true; }
 virtual int cmp(rule_t const &rhs) const
 {
- int res = perms_rule_t::cmp(rhs);
+ /* use class_rule_t instead of perms_rule_t to merge perms */
+ int res = class_rule_t::cmp(rhs);
 if (res)
 return res;
 dbus_rule const &trhs = (rule_cast(rhs));
diff --git a/parser/io_uring.h b/parser/io_uring.h
index d363c5443..b4d4d9fed 100644
--- a/parser/io_uring.h
+++ b/parser/io_uring.h
@@ -52,7 +52,8 @@ public:
 virtual bool is_mergeable(void) { return true; }
 virtual int cmp(rule_t const &rhs) const
 {
- int res = perms_rule_t::cmp(rhs);
+ /* use class_rule_t instead of perms_rule_t to merge perms */
+ int res = class_rule_t::cmp(rhs);
 if (res)
 return res;
 return null_strcmp(label,
diff --git a/parser/mount.cc b/parser/mount.cc
index f61bf3435..6c7d15a6a 100644
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -649,8 +649,8 @@ static int cmp_vec_int(std::vector const &lhs,
 }
 int mnt_rule::cmp(rule_t const &rhs) const
 {
- // for now don't do merging of perms, only exact match
- int res = perms_rule_t::cmp(rhs);
+ /* use class_rule_t instead of perms_rule_t to merge perms */
+ int res = class_rule_t::cmp(rhs);
 if (res != 0)
 return res;
 mnt_rule const &rhs_mnt = rule_cast(rhs);
diff --git a/parser/mqueue.h b/parser/mqueue.h
index da5e414b8..f53289e8b 100644
--- a/parser/mqueue.h
+++ b/parser/mqueue.h
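Review bot: The added comment `/* use class_rule_t instead of perms_rule_t to merge perms */` in af_rule::cmp restates the call on the next line instead of the invariant a reader of this comparator needs: rules that differ only in their permission bits now compare equal, so cmp() must not be used as a strict equality test and relies on the merge pass to OR the perms. Suggest `/* perms intentionally not compared: rules equal in everything but perms are collapsed by perms_rule_t::merge(), which ORs the permission bits */`, and the same wording in the dbus, io_uring, mount, mqueue, ptrace and signal hunks, which repeat this line verbatim. af_rule::cmp continues past the hunk, so what it compares on trhs after this point is not visible here.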
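Review bot: The mount.cc hunk removes `// for now don't do merging of perms, only exact match`, a documented deliberate restriction, without recording why OR-ing mount, umount and pivot_root permission bits into one mnt_rule is now safe. Whether it is sound depends on the field comparisons mnt_rule::cmp performs after `rhs_mnt` (cut off by the hunk) and on the mount policy generator emitting the right output for a rule with several perm bits set, neither of which is visible here; if those hold, a comment saying so is the right replacement, e.g. `/* perms may differ here: the generator emits one rule per set perm bit, so merging is equivalent to the separate rules */`, and if they do not, a merged rule grants more than either source rule did. Minor: this hunk keeps `if (res != 0)` while every sibling hunk uses `if (res)`; picking one form would make the seven copies grep-identical.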
@@ -110,7 +110,8 @@ public:
 virtual bool is_mergeable(void) { return true; }
 virtual int cmp(rule_t const &rhs) const
 {
- int res = perms_rule_t::cmp(rhs);
+ /* use class_rule_t instead of perms_rule_t to merge perms */
+ int res = class_rule_t::cmp(rhs);
 if (res)
 return res;
 mqueue_rule const &trhs = rule_cast(rhs);
diff --git a/parser/ptrace.h b/parser/ptrace.h
index b129c5795..10472930d 100644
--- a/parser/ptrace.h
+++ b/parser/ptrace.h
@@ -55,7 +55,8 @@ public:
 virtual bool is_mergeable(void) { return true; }
 virtual int cmp(rule_t const &rhs) const
 {
- int res = perms_rule_t::cmp(rhs);
+ /* use class_rule_t instead of perms_rule_t to merge perms */
+ int res = class_rule_t::cmp(rhs);
 if (res)
 return res;
 return null_strcmp(peer_label,
diff --git a/parser/rule.h b/parser/rule.h
index a040333ba..004ae312b 100644
--- a/parser/rule.h
+++ b/parser/rule.h
@@ -364,6 +364,15 @@ public:
 return perms - (rule_cast(rhs)).perms;
 }
 
+ virtual bool merge(rule_t &rhs)
+ {
+ int res = class_rule_t::merge(rhs);
+ if (!res)
+ return res;
+ perms |= (rule_cast(rhs)).perms;
+ return true;
+ };
+
 /* defaut perms, override/mask off if none default used */
 virtual ostream &dump(ostream &os)
 {
diff --git a/parser/signal.cc b/parser/signal.cc
index 09e144ba0..07fbddb59 100644
--- a/parser/signal.cc
+++ b/parser/signal.cc
@@ -249,7 +249,8 @@ static int cmp_set_int(Signals const &lhs, Signals const &rhs)
 
 int signal_rule::cmp(rule_t const &rhs) const
 {
- int res = perms_rule_t::cmp(rhs);
+ /* use class_rule_t instead of perms_rule_t to merge perms */
+ int res = class_rule_t::cmp(rhs);
 if (res)
 return res;
 signal_rule const &trhs = rule_cast(rhs);
diff --git a/parser/userns.h b/parser/userns.h
index 0c7f8a5c1..9d17fc203 100644
--- a/parser/userns.h
+++ b/parser/userns.h
@@ -47,6 +47,7 @@ public:
 {
 return perms_rule_t::cmp(rhs);
 };
+ /* merge perms not required atm since there's only one permission */
 
 protected:
 virtual void warn_once(const char *name) override;
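Review bot: In the rule.h hunk, perms_rule_t::merge ORs rhs's perms into this rule as soon as class_rule_t::merge returns true, so the only thing preventing permission bits from being folded across rules that differ in audit, allow/deny, owner or priority is whatever class_rule_t::merge checks, which is outside this hunk and not stated in a comment. If class_rule_t::merge does not itself require the two rules to be equal, a cheap defence that also documents the precondition is to test it here, `if (!class_rule_t::merge(rhs) || cmp(rhs) != 0) return false;`, since cmp() now ignores perms and is exactly the "equal apart from perms" predicate; if it does, a comment such as `/* class_rule_t::merge only succeeds for rules identical in everything but perms, so OR-ing is safe */` should say so. Also `int res` holds a bool result and `return res;` returns it as the bool, and the trailing `};` after the body is a stray empty declaration; `bool res` (or the early-return form above) and a plain `}` would match the neighbouring methods.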