mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 00:14:44 +01:00
parser: rename rules.h perms_t to perm32_t
There are two distinct declarations of perms_t. rule.h: typedef uint32_t perms_t hfa.h: class perms_t these definitions clash when the front end and backend share more info. To avoid this rename rule.h to perm32_t, and move the definition into perms.h and use it in struct aa_perms. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
parent
e29f5ce5f3
commit
2e18cb9aed
25 changed files with 83 additions and 75 deletions
|
|
@ -33,7 +33,7 @@
|
||||||
/* See unix(7) for autobind address definition */
|
/* See unix(7) for autobind address definition */
|
||||||
#define autobind_address_pattern "\\x00[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]";
|
#define autobind_address_pattern "\\x00[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]";
|
||||||
|
|
||||||
int parse_unix_perms(const char *str_perms, perms_t *perms, int fail)
|
int parse_unix_perms(const char *str_perms, perm32_t *perms, int fail)
|
||||||
{
|
{
|
||||||
return parse_X_perms("unix", AA_VALID_NET_PERMS, str_perms, perms, fail);
|
return parse_X_perms("unix", AA_VALID_NET_PERMS, str_perms, perms, fail);
|
||||||
}
|
}
|
||||||
|
|
@ -113,7 +113,7 @@ unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode
|
||||||
downgrade = false;
|
downgrade = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
unix_rule::unix_rule(perms_t perms_p, struct cond_entry *conds,
|
unix_rule::unix_rule(perm32_t perms_p, struct cond_entry *conds,
|
||||||
struct cond_entry *peer_conds):
|
struct cond_entry *peer_conds):
|
||||||
af_rule(AF_UNIX), addr(NULL), peer_addr(NULL)
|
af_rule(AF_UNIX), addr(NULL), peer_addr(NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -191,7 +191,7 @@ static void writeu16(std::ostringstream &o, int v)
|
||||||
#define CMD_OPT 4
|
#define CMD_OPT 4
|
||||||
|
|
||||||
void unix_rule::downgrade_rule(Profile &prof) {
|
void unix_rule::downgrade_rule(Profile &prof) {
|
||||||
perms_t mask = (perms_t) -1;
|
perm32_t mask = (perm32_t) -1;
|
||||||
|
|
||||||
if (!prof.net.allow && !prof.net.alloc_net_table())
|
if (!prof.net.allow && !prof.net.alloc_net_table())
|
||||||
yyerror(_("Memory allocation error."));
|
yyerror(_("Memory allocation error."));
|
||||||
|
|
@ -318,7 +318,7 @@ int unix_rule::gen_policy_re(Profile &prof)
|
||||||
std::ostringstream buffer;
|
std::ostringstream buffer;
|
||||||
std::string buf;
|
std::string buf;
|
||||||
|
|
||||||
perms_t mask = perms;
|
perm32_t mask = perms;
|
||||||
|
|
||||||
/* always generate a downgraded rule. This doesn't change generated
|
/* always generate a downgraded rule. This doesn't change generated
|
||||||
* policy size and allows the binary policy to be loaded against
|
* policy size and allows the binary policy to be loaded against
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@
|
||||||
#include "profile.h"
|
#include "profile.h"
|
||||||
#include "af_rule.h"
|
#include "af_rule.h"
|
||||||
|
|
||||||
int parse_unix_perms(const char *str_mode, perms_t *perms, int fail);
|
int parse_unix_perms(const char *str_mode, perm32_t *perms, int fail);
|
||||||
|
|
||||||
class unix_rule: public af_rule {
|
class unix_rule: public af_rule {
|
||||||
void write_to_prot(std::ostringstream &buffer);
|
void write_to_prot(std::ostringstream &buffer);
|
||||||
|
|
@ -39,7 +39,7 @@ public:
|
||||||
bool downgrade = true;
|
bool downgrade = true;
|
||||||
|
|
||||||
unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode_p);
|
unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode_p);
|
||||||
unix_rule(perms_t perms, struct cond_entry *conds,
|
unix_rule(perm32_t perms, struct cond_entry *conds,
|
||||||
struct cond_entry *peer_conds);
|
struct cond_entry *peer_conds);
|
||||||
virtual ~unix_rule()
|
virtual ~unix_rule()
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -30,7 +30,7 @@
|
||||||
#include "dbus.h"
|
#include "dbus.h"
|
||||||
|
|
||||||
|
|
||||||
int parse_dbus_perms(const char *str_perms, perms_t *perms, int fail)
|
int parse_dbus_perms(const char *str_perms, perm32_t *perms, int fail)
|
||||||
{
|
{
|
||||||
return parse_X_perms("DBus", AA_VALID_DBUS_PERMS, str_perms, perms, fail);
|
return parse_X_perms("DBus", AA_VALID_DBUS_PERMS, str_perms, perms, fail);
|
||||||
}
|
}
|
||||||
|
|
@ -66,7 +66,7 @@ void dbus_rule::move_conditionals(struct cond_entry *conds)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
|
dbus_rule::dbus_rule(perm32_t perms_p, struct cond_entry *conds,
|
||||||
struct cond_entry *peer_conds):
|
struct cond_entry *peer_conds):
|
||||||
perms_rule_t(AA_CLASS_DBUS), bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL)
|
perms_rule_t(AA_CLASS_DBUS), bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@
|
||||||
#include "rule.h"
|
#include "rule.h"
|
||||||
#include "profile.h"
|
#include "profile.h"
|
||||||
|
|
||||||
extern int parse_dbus_perms(const char *str_mode, perms_t *mode, int fail);
|
extern int parse_dbus_perms(const char *str_mode, perm32_t *mode, int fail);
|
||||||
|
|
||||||
class dbus_rule: public perms_rule_t {
|
class dbus_rule: public perms_rule_t {
|
||||||
void move_conditionals(struct cond_entry *conds);
|
void move_conditionals(struct cond_entry *conds);
|
||||||
|
|
@ -40,7 +40,7 @@ public:
|
||||||
char *interface;
|
char *interface;
|
||||||
char *member;
|
char *member;
|
||||||
|
|
||||||
dbus_rule(perms_t perms_p, struct cond_entry *conds,
|
dbus_rule(perm32_t perms_p, struct cond_entry *conds,
|
||||||
struct cond_entry *peer_conds);
|
struct cond_entry *peer_conds);
|
||||||
virtual ~dbus_rule() {
|
virtual ~dbus_rule() {
|
||||||
free(bus);
|
free(bus);
|
||||||
|
|
|
||||||
|
|
@ -47,7 +47,7 @@ void io_uring_rule::move_conditionals(struct cond_entry *conds)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
io_uring_rule::io_uring_rule(perms_t perms_p, struct cond_entry *conds, struct cond_entry *ring_conds):
|
io_uring_rule::io_uring_rule(perm32_t perms_p, struct cond_entry *conds, struct cond_entry *ring_conds):
|
||||||
perms_rule_t(AA_CLASS_IO_URING), label(NULL)
|
perms_rule_t(AA_CLASS_IO_URING), label(NULL)
|
||||||
{
|
{
|
||||||
if (perms_p) {
|
if (perms_p) {
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@ class io_uring_rule: public perms_rule_t {
|
||||||
public:
|
public:
|
||||||
char *label;
|
char *label;
|
||||||
|
|
||||||
io_uring_rule(perms_t perms, struct cond_entry *conds, struct cond_entry *ring_conds);
|
io_uring_rule(perm32_t perms, struct cond_entry *conds, struct cond_entry *ring_conds);
|
||||||
virtual ~io_uring_rule()
|
virtual ~io_uring_rule()
|
||||||
{
|
{
|
||||||
free(label);
|
free(label);
|
||||||
|
|
|
||||||
|
|
@ -478,7 +478,7 @@ static void process_one_option(struct cond_entry *&opts, unsigned int &flags,
|
||||||
|
|
||||||
mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
|
mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
|
||||||
struct cond_entry *dst_conds unused, char *mnt_point_p,
|
struct cond_entry *dst_conds unused, char *mnt_point_p,
|
||||||
perms_t perms_p):
|
perm32_t perms_p):
|
||||||
perms_rule_t(AA_CLASS_MOUNT),
|
perms_rule_t(AA_CLASS_MOUNT),
|
||||||
mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL),
|
mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL),
|
||||||
flagsv(0), opt_flagsv(0)
|
flagsv(0), opt_flagsv(0)
|
||||||
|
|
@ -784,7 +784,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
|
||||||
|
|
||||||
vec[3] = flagsbuf;
|
vec[3] = flagsbuf;
|
||||||
|
|
||||||
perms_t tmpperms, tmpaudit;
|
perm32_t tmpperms, tmpaudit;
|
||||||
if (opts) {
|
if (opts) {
|
||||||
tmpperms = AA_MATCH_CONT;
|
tmpperms = AA_MATCH_CONT;
|
||||||
tmpaudit = 0;
|
tmpaudit = 0;
|
||||||
|
|
@ -993,7 +993,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
|
||||||
goto fail;
|
goto fail;
|
||||||
vec[3] = flagsbuf;
|
vec[3] = flagsbuf;
|
||||||
|
|
||||||
perms_t tmpperms, tmpaudit;
|
perm32_t tmpperms, tmpaudit;
|
||||||
if (opts) {
|
if (opts) {
|
||||||
tmpperms = AA_MATCH_CONT;
|
tmpperms = AA_MATCH_CONT;
|
||||||
tmpaudit = 0;
|
tmpaudit = 0;
|
||||||
|
|
@ -1141,7 +1141,7 @@ fail:
|
||||||
void mnt_rule::post_parse_profile(Profile &prof)
|
void mnt_rule::post_parse_profile(Profile &prof)
|
||||||
{
|
{
|
||||||
if (trans) {
|
if (trans) {
|
||||||
perms_t perms = 0;
|
perm32_t perms = 0;
|
||||||
int n = add_entry_to_x_table(&prof, trans);
|
int n = add_entry_to_x_table(&prof, trans);
|
||||||
if (!n) {
|
if (!n) {
|
||||||
PERROR("Profile %s has too many specified profile transitions.\n", prof.name);
|
PERROR("Profile %s has too many specified profile transitions.\n", prof.name);
|
||||||
|
|
|
||||||
|
|
@ -152,7 +152,7 @@ public:
|
||||||
|
|
||||||
mnt_rule(struct cond_entry *src_conds, char *device_p,
|
mnt_rule(struct cond_entry *src_conds, char *device_p,
|
||||||
struct cond_entry *dst_conds unused, char *mnt_point_p,
|
struct cond_entry *dst_conds unused, char *mnt_point_p,
|
||||||
perms_t perms_p);
|
perm32_t perms_p);
|
||||||
virtual ~mnt_rule()
|
virtual ~mnt_rule()
|
||||||
{
|
{
|
||||||
free_value_list(opts);
|
free_value_list(opts);
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@
|
||||||
#include <iostream>
|
#include <iostream>
|
||||||
#include <sstream>
|
#include <sstream>
|
||||||
|
|
||||||
int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail)
|
int parse_mqueue_perms(const char *str_perms, perm32_t *perms, int fail)
|
||||||
{
|
{
|
||||||
return parse_X_perms("mqueue", AA_VALID_MQUEUE_PERMS, str_perms, perms, fail);
|
return parse_X_perms("mqueue", AA_VALID_MQUEUE_PERMS, str_perms, perms, fail);
|
||||||
}
|
}
|
||||||
|
|
@ -86,7 +86,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p):
|
mqueue_rule::mqueue_rule(perm32_t perms_p, struct cond_entry *conds, char *qname_p):
|
||||||
// mqueue uses multiple classes, arbitrary choice to represent group
|
// mqueue uses multiple classes, arbitrary choice to represent group
|
||||||
// withing the AST
|
// withing the AST
|
||||||
perms_rule_t(AA_CLASS_POSIX_MQUEUE),
|
perms_rule_t(AA_CLASS_POSIX_MQUEUE),
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ static inline uint32_t map_mqueue_perms(uint32_t mask)
|
||||||
((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8));
|
((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8));
|
||||||
}
|
}
|
||||||
|
|
||||||
int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail);
|
int parse_mqueue_perms(const char *str_perms, perm32_t *perms, int fail);
|
||||||
|
|
||||||
class mqueue_rule: public perms_rule_t {
|
class mqueue_rule: public perms_rule_t {
|
||||||
void move_conditionals(struct cond_entry *conds);
|
void move_conditionals(struct cond_entry *conds);
|
||||||
|
|
@ -93,7 +93,7 @@ public:
|
||||||
char *qname;
|
char *qname;
|
||||||
char *label;
|
char *label;
|
||||||
|
|
||||||
mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL);
|
mqueue_rule(perm32_t perms, struct cond_entry *conds, char *qname = NULL);
|
||||||
virtual ~mqueue_rule()
|
virtual ~mqueue_rule()
|
||||||
{
|
{
|
||||||
free(qname);
|
free(qname);
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,7 @@
|
||||||
|
|
||||||
#define ALL_TYPES 0x43e
|
#define ALL_TYPES 0x43e
|
||||||
|
|
||||||
int parse_net_perms(const char *str_mode, perms_t *mode, int fail)
|
int parse_net_perms(const char *str_mode, perm32_t *mode, int fail)
|
||||||
{
|
{
|
||||||
return parse_X_perms("net", AA_VALID_NET_PERMS, str_mode, mode, fail);
|
return parse_X_perms("net", AA_VALID_NET_PERMS, str_mode, mode, fail);
|
||||||
}
|
}
|
||||||
|
|
@ -401,7 +401,7 @@ void network_rule::set_netperm(unsigned int family, unsigned int type, unsigned
|
||||||
network_perms[family].second |= protocol;
|
network_perms[family].second |= protocol;
|
||||||
}
|
}
|
||||||
|
|
||||||
network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
|
network_rule::network_rule(perm32_t perms_p, struct cond_entry *conds,
|
||||||
struct cond_entry *peer_conds):
|
struct cond_entry *peer_conds):
|
||||||
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
||||||
{
|
{
|
||||||
|
|
@ -441,7 +441,7 @@ network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
network_rule::network_rule(perms_t perms_p, const char *family, const char *type,
|
network_rule::network_rule(perm32_t perms_p, const char *family, const char *type,
|
||||||
const char *protocol, struct cond_entry *conds,
|
const char *protocol, struct cond_entry *conds,
|
||||||
struct cond_entry *peer_conds):
|
struct cond_entry *peer_conds):
|
||||||
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
||||||
|
|
@ -494,7 +494,7 @@ network_rule::network_rule(perms_t perms_p, const char *family, const char *type
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
network_rule::network_rule(perms_t perms_p, unsigned int family, unsigned int type):
|
network_rule::network_rule(perm32_t perms_p, unsigned int family, unsigned int type):
|
||||||
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL)
|
||||||
{
|
{
|
||||||
network_map[family].push_back({ family, type, 0xFFFFFFFF });
|
network_map[family].push_back({ family, type, 0xFFFFFFFF });
|
||||||
|
|
@ -653,7 +653,7 @@ std::list<std::ostringstream> copy_streams_list(std::list<std::ostringstream> &s
|
||||||
bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd)
|
bool network_rule::gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd)
|
||||||
{
|
{
|
||||||
std::string buf;
|
std::string buf;
|
||||||
perms_t cond_perms;
|
perm32_t cond_perms;
|
||||||
std::list<std::ostringstream> ip_streams;
|
std::list<std::ostringstream> ip_streams;
|
||||||
|
|
||||||
for (auto &oss : streams) {
|
for (auto &oss : streams) {
|
||||||
|
|
|
||||||
|
|
@ -107,8 +107,9 @@ static inline uint32_t map_perms(uint32_t mask)
|
||||||
((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
|
((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
|
||||||
};
|
};
|
||||||
|
|
||||||
int parse_net_perms(const char *str_mode, perms_t *perms, int fail);
|
|
||||||
size_t get_af_max();
|
size_t get_af_max();
|
||||||
|
int parse_net_perms(const char *str_mode, perm32_t *perms, int fail);
|
||||||
int net_find_type_val(const char *type);
|
int net_find_type_val(const char *type);
|
||||||
const char *net_find_type_name(int type);
|
const char *net_find_type_name(int type);
|
||||||
const char *net_find_af_name(unsigned int af);
|
const char *net_find_af_name(unsigned int af);
|
||||||
|
|
@ -158,12 +159,12 @@ public:
|
||||||
* static elements to maintain compatibility with
|
* static elements to maintain compatibility with
|
||||||
* AA_CLASS_NET */
|
* AA_CLASS_NET */
|
||||||
network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { }
|
network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { }
|
||||||
network_rule(perms_t perms_p, struct cond_entry *conds,
|
network_rule(perm32_t perms_p, struct cond_entry *conds,
|
||||||
struct cond_entry *peer_conds);
|
struct cond_entry *peer_conds);
|
||||||
network_rule(perms_t perms_p, const char *family, const char *type,
|
network_rule(perm32_t perms_p, const char *family, const char *type,
|
||||||
const char *protocol, struct cond_entry *conds,
|
const char *protocol, struct cond_entry *conds,
|
||||||
struct cond_entry *peer_conds);
|
struct cond_entry *peer_conds);
|
||||||
network_rule(perms_t perms_p, unsigned int family, unsigned int type);
|
network_rule(perm32_t perms_p, unsigned int family, unsigned int type);
|
||||||
virtual ~network_rule()
|
virtual ~network_rule()
|
||||||
{
|
{
|
||||||
peer.free_conds();
|
peer.free_conds();
|
||||||
|
|
|
||||||
|
|
@ -122,7 +122,7 @@ struct cod_entry {
|
||||||
char *nt_name;
|
char *nt_name;
|
||||||
Profile *prof; /* Special profile defined
|
Profile *prof; /* Special profile defined
|
||||||
* just for this executable */
|
* just for this executable */
|
||||||
perms_t perms; /* perms is 'or' of AA_* bits */
|
perm32_t perms; /* perms is 'or' of AA_* bits */
|
||||||
audit_t audit;
|
audit_t audit;
|
||||||
rule_mode_t rule_mode;
|
rule_mode_t rule_mode;
|
||||||
|
|
||||||
|
|
@ -450,12 +450,12 @@ extern char *processunquoted(const char *string, int len);
|
||||||
extern int get_keyword_token(const char *keyword);
|
extern int get_keyword_token(const char *keyword);
|
||||||
extern int get_rlimit(const char *name);
|
extern int get_rlimit(const char *name);
|
||||||
extern char *process_var(const char *var);
|
extern char *process_var(const char *var);
|
||||||
extern perms_t parse_perms(const char *permstr);
|
extern perm32_t parse_perms(const char *permstr);
|
||||||
extern int parse_X_perms(const char *X, int valid, const char *str_perms, perms_t *perms, int fail);
|
extern int parse_X_perms(const char *X, int valid, const char *str_perms, perm32_t *perms, int fail);
|
||||||
bool label_contains_ns(const char *label);
|
bool label_contains_ns(const char *label);
|
||||||
bool parse_label(bool *_stack, char **_ns, char **_name,
|
bool parse_label(bool *_stack, char **_ns, char **_name,
|
||||||
const char *label, bool yyerr);
|
const char *label, bool yyerr);
|
||||||
extern struct cod_entry *new_entry(char *id, perms_t perms, char *link_id);
|
extern struct cod_entry *new_entry(char *id, perm32_t perms, char *link_id);
|
||||||
|
|
||||||
/* returns -1 if value != true or false, otherwise 0 == false, 1 == true */
|
/* returns -1 if value != true or false, otherwise 0 == false, 1 == true */
|
||||||
extern int str_to_boolean(const char* str);
|
extern int str_to_boolean(const char* str);
|
||||||
|
|
|
||||||
|
|
@ -566,12 +566,12 @@ void warn_uppercase(void)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static perms_t parse_sub_perms(const char *str_perms, const char *perms_desc unused)
|
static perm32_t parse_sub_perms(const char *str_perms, const char *perms_desc unused)
|
||||||
{
|
{
|
||||||
|
|
||||||
#define IS_DIFF_QUAL(perms, q) (((perms) & AA_MAY_EXEC) && (((perms) & AA_EXEC_TYPE) != ((q) & AA_EXEC_TYPE)))
|
#define IS_DIFF_QUAL(perms, q) (((perms) & AA_MAY_EXEC) && (((perms) & AA_EXEC_TYPE) != ((q) & AA_EXEC_TYPE)))
|
||||||
|
|
||||||
perms_t perms = 0;
|
perm32_t perms = 0;
|
||||||
const char *p;
|
const char *p;
|
||||||
|
|
||||||
PDEBUG("Parsing perms: %s\n", str_perms);
|
PDEBUG("Parsing perms: %s\n", str_perms);
|
||||||
|
|
@ -584,7 +584,7 @@ static perms_t parse_sub_perms(const char *str_perms, const char *perms_desc unu
|
||||||
char thisc = *p;
|
char thisc = *p;
|
||||||
char next = *(p + 1);
|
char next = *(p + 1);
|
||||||
char lower;
|
char lower;
|
||||||
perms_t tperms = 0;
|
perm32_t tperms = 0;
|
||||||
|
|
||||||
reeval:
|
reeval:
|
||||||
switch (thisc) {
|
switch (thisc) {
|
||||||
|
|
@ -742,9 +742,9 @@ reeval:
|
||||||
return perms;
|
return perms;
|
||||||
}
|
}
|
||||||
|
|
||||||
perms_t parse_perms(const char *str_perms)
|
perm32_t parse_perms(const char *str_perms)
|
||||||
{
|
{
|
||||||
perms_t tmp, perms = 0;
|
perm32_t tmp, perms = 0;
|
||||||
tmp = parse_sub_perms(str_perms, "");
|
tmp = parse_sub_perms(str_perms, "");
|
||||||
perms = SHIFT_PERMS(tmp, AA_USER_SHIFT);
|
perms = SHIFT_PERMS(tmp, AA_USER_SHIFT);
|
||||||
perms |= SHIFT_PERMS(tmp, AA_OTHER_SHIFT);
|
perms |= SHIFT_PERMS(tmp, AA_OTHER_SHIFT);
|
||||||
|
|
@ -753,9 +753,9 @@ perms_t parse_perms(const char *str_perms)
|
||||||
return perms;
|
return perms;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int parse_X_sub_perms(const char *X, const char *str_perms, perms_t *result, int fail, const char *perms_desc unused)
|
static int parse_X_sub_perms(const char *X, const char *str_perms, perm32_t *result, int fail, const char *perms_desc unused)
|
||||||
{
|
{
|
||||||
perms_t perms = 0;
|
perm32_t perms = 0;
|
||||||
const char *p;
|
const char *p;
|
||||||
|
|
||||||
PDEBUG("Parsing %s perms: %s\n", X, str_perms);
|
PDEBUG("Parsing %s perms: %s\n", X, str_perms);
|
||||||
|
|
@ -813,7 +813,7 @@ reeval:
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int parse_X_perms(const char *X, int valid, const char *str_perms, perms_t *perms, int fail)
|
int parse_X_perms(const char *X, int valid, const char *str_perms, perm32_t *perms, int fail)
|
||||||
{
|
{
|
||||||
*perms = 0;
|
*perms = 0;
|
||||||
if (!parse_X_sub_perms(X, str_perms, perms, fail, ""))
|
if (!parse_X_sub_perms(X, str_perms, perms, fail, ""))
|
||||||
|
|
@ -976,7 +976,7 @@ alloc_fail:
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
struct cod_entry *new_entry(char *id, perms_t perms, char *link_id)
|
struct cod_entry *new_entry(char *id, perm32_t perms, char *link_id)
|
||||||
{
|
{
|
||||||
struct cod_entry *entry = NULL;
|
struct cod_entry *entry = NULL;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -584,7 +584,7 @@ build:
|
||||||
|
|
||||||
static int warn_change_profile = 1;
|
static int warn_change_profile = 1;
|
||||||
|
|
||||||
static bool is_change_profile_perms(perms_t perms)
|
static bool is_change_profile_perms(perm32_t perms)
|
||||||
{
|
{
|
||||||
/**
|
/**
|
||||||
* A change_profile entry will have the AA_CHANGE_PROFILE bit set.
|
* A change_profile entry will have the AA_CHANGE_PROFILE bit set.
|
||||||
|
|
|
||||||
|
|
@ -63,10 +63,10 @@
|
||||||
|
|
||||||
int parser_token = 0;
|
int parser_token = 0;
|
||||||
|
|
||||||
struct cod_entry *do_file_rule(char *id, perms_t perms, char *link_id, char *nt);
|
struct cod_entry *do_file_rule(char *id, perm32_t perms, char *link_id, char *nt);
|
||||||
mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src,
|
mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src,
|
||||||
struct cond_entry *dst_conds, char *dst,
|
struct cond_entry *dst_conds, char *dst,
|
||||||
perms_t perms);
|
perm32_t perms);
|
||||||
mnt_rule *do_pivot_rule(struct cond_entry *old, char *root,
|
mnt_rule *do_pivot_rule(struct cond_entry *old, char *root,
|
||||||
char *transition);
|
char *transition);
|
||||||
static void abi_features(char *filename, bool search);
|
static void abi_features(char *filename, bool search);
|
||||||
|
|
@ -212,7 +212,7 @@ static void abi_features(char *filename, bool search);
|
||||||
prefix_rule_t *prefix_entry;
|
prefix_rule_t *prefix_entry;
|
||||||
|
|
||||||
flagvals flags;
|
flagvals flags;
|
||||||
perms_t fperms;
|
perm32_t fperms;
|
||||||
uint64_t cap;
|
uint64_t cap;
|
||||||
unsigned int allowed_protocol;
|
unsigned int allowed_protocol;
|
||||||
char *set_var;
|
char *set_var;
|
||||||
|
|
@ -1562,7 +1562,7 @@ file_perms: TOK_MODE
|
||||||
change_profile: TOK_CHANGE_PROFILE opt_exec_mode opt_id opt_named_transition TOK_END_OF_RULE
|
change_profile: TOK_CHANGE_PROFILE opt_exec_mode opt_id opt_named_transition TOK_END_OF_RULE
|
||||||
{
|
{
|
||||||
struct cod_entry *entry;
|
struct cod_entry *entry;
|
||||||
perms_t perms = AA_CHANGE_PROFILE;
|
perm32_t perms = AA_CHANGE_PROFILE;
|
||||||
int exec_mode = $2;
|
int exec_mode = $2;
|
||||||
char *exec = $3;
|
char *exec = $3;
|
||||||
char *target = $4;
|
char *target = $4;
|
||||||
|
|
@ -1670,7 +1670,7 @@ void yyerror(const char *msg, ...)
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct cod_entry *do_file_rule(char *id, perms_t perms, char *link_id, char *nt)
|
struct cod_entry *do_file_rule(char *id, perm32_t perms, char *link_id, char *nt)
|
||||||
{
|
{
|
||||||
struct cod_entry *entry;
|
struct cod_entry *entry;
|
||||||
PDEBUG("Matched: tok_id (%s) tok_perms (0x%x)\n", id, perms);
|
PDEBUG("Matched: tok_id (%s) tok_perms (0x%x)\n", id, perms);
|
||||||
|
|
@ -1711,7 +1711,7 @@ int verify_mnt_conds(struct cond_entry *conds, int src)
|
||||||
|
|
||||||
mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src,
|
mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src,
|
||||||
struct cond_entry *dst_conds, char *dst,
|
struct cond_entry *dst_conds, char *dst,
|
||||||
perms_t perms)
|
perm32_t perms)
|
||||||
{
|
{
|
||||||
if (verify_mnt_conds(src_conds, MNT_SRC_OPT) != 0)
|
if (verify_mnt_conds(src_conds, MNT_SRC_OPT) != 0)
|
||||||
yyerror(_("bad mount rule"));
|
yyerror(_("bad mount rule"));
|
||||||
|
|
|
||||||
|
|
@ -19,6 +19,7 @@
|
||||||
#define __AA_PERM_H
|
#define __AA_PERM_H
|
||||||
|
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
#include <sys/apparmor.h>
|
||||||
|
|
||||||
/* same as in immunix.h - make it so they can both be included or used alone */
|
/* same as in immunix.h - make it so they can both be included or used alone */
|
||||||
#ifndef AA_MAY_EXEC
|
#ifndef AA_MAY_EXEC
|
||||||
|
|
@ -42,11 +43,15 @@
|
||||||
|
|
||||||
#define AA_MAY_CHMOD 0x1000 /* pair */
|
#define AA_MAY_CHMOD 0x1000 /* pair */
|
||||||
#define AA_MAY_CHOWN 0x2000 /* pair */
|
#define AA_MAY_CHOWN 0x2000 /* pair */
|
||||||
|
#endif
|
||||||
#define AA_MAY_CHGRP 0x4000 /* pair */
|
#define AA_MAY_CHGRP 0x4000 /* pair */
|
||||||
|
#ifndef AA_MAY_CREATE
|
||||||
#define AA_MAY_LOCK 0x8000 /* LINK_SUBSET overlaid */
|
#define AA_MAY_LOCK 0x8000 /* LINK_SUBSET overlaid */
|
||||||
|
|
||||||
#define AA_EXEC_MMAP 0x00010000
|
#define AA_EXEC_MMAP 0x00010000
|
||||||
|
#endif
|
||||||
#define AA_MAY_MPROT 0x00020000 /* extend conditions */
|
#define AA_MAY_MPROT 0x00020000 /* extend conditions */
|
||||||
|
#ifndef AA_MAY_CREATE
|
||||||
#define AA_MAY_LINK 0x00040000 /* pair */
|
#define AA_MAY_LINK 0x00040000 /* pair */
|
||||||
#endif
|
#endif
|
||||||
#define AA_MAY_SNAPSHOT 0x00080000 /* pair */
|
#define AA_MAY_SNAPSHOT 0x00080000 /* pair */
|
||||||
|
|
@ -80,20 +85,22 @@
|
||||||
#define AA_X_INHERIT 0x40000000
|
#define AA_X_INHERIT 0x40000000
|
||||||
#define AA_X_UNCONFINED 0x80000000
|
#define AA_X_UNCONFINED 0x80000000
|
||||||
|
|
||||||
|
typedef uint32_t perm32_t;
|
||||||
|
|
||||||
struct aa_perms {
|
struct aa_perms {
|
||||||
uint32_t allow;
|
perm32_t allow;
|
||||||
uint32_t deny; /* explicit deny, or conflict if allow also set */
|
perm32_t deny; /* explicit deny, or conflict if allow also set */
|
||||||
|
|
||||||
uint32_t subtree; /* allow perm on full subtree only when allow is set */
|
perm32_t subtree; /* allow perm on full subtree only when allow is set */
|
||||||
uint32_t cond; /* set only when ~allow and ~deny */
|
perm32_t cond; /* set only when ~allow and ~deny */
|
||||||
|
|
||||||
uint32_t kill; /* set only when ~allow | deny */
|
perm32_t kill; /* set only when ~allow | deny */
|
||||||
uint32_t complain; /* accumulates only used when ~allow & ~deny */
|
perm32_t complain; /* accumulates only used when ~allow & ~deny */
|
||||||
uint32_t prompt; /* accumulates only used when ~allow & ~deny */
|
perm32_t prompt; /* accumulates only used when ~allow & ~deny */
|
||||||
|
|
||||||
uint32_t audit; /* set only when allow is set */
|
perm32_t audit; /* set only when allow is set */
|
||||||
uint32_t quiet; /* set only when ~allow | deny */
|
perm32_t quiet; /* set only when ~allow | deny */
|
||||||
uint32_t hide; /* set only when ~allow | deny */
|
perm32_t hide; /* set only when ~allow | deny */
|
||||||
|
|
||||||
|
|
||||||
uint32_t xindex;
|
uint32_t xindex;
|
||||||
|
|
|
||||||
|
|
@ -269,11 +269,11 @@ static bool add_proc_access(Profile *prof, const char *rule)
|
||||||
void post_process_file_entries(Profile *prof)
|
void post_process_file_entries(Profile *prof)
|
||||||
{
|
{
|
||||||
struct cod_entry *entry;
|
struct cod_entry *entry;
|
||||||
perms_t cp_perms = 0;
|
perm32_t cp_perms = 0;
|
||||||
|
|
||||||
list_for_each(prof->entries, entry) {
|
list_for_each(prof->entries, entry) {
|
||||||
if (entry->nt_name) {
|
if (entry->nt_name) {
|
||||||
perms_t perms = 0;
|
perm32_t perms = 0;
|
||||||
int n = add_named_transition(prof, entry);
|
int n = add_named_transition(prof, entry);
|
||||||
if (!n) {
|
if (!n) {
|
||||||
PERROR("Profile %s has too many specified profile transitions.\n", prof->name);
|
PERROR("Profile %s has too many specified profile transitions.\n", prof->name);
|
||||||
|
|
|
||||||
|
|
@ -24,7 +24,7 @@
|
||||||
#include <string>
|
#include <string>
|
||||||
#include <sstream>
|
#include <sstream>
|
||||||
|
|
||||||
int parse_ptrace_perms(const char *str_perms, perms_t *perms, int fail)
|
int parse_ptrace_perms(const char *str_perms, perm32_t *perms, int fail)
|
||||||
{
|
{
|
||||||
return parse_X_perms("ptrace", AA_VALID_PTRACE_PERMS, str_perms, perms, fail);
|
return parse_X_perms("ptrace", AA_VALID_PTRACE_PERMS, str_perms, perms, fail);
|
||||||
}
|
}
|
||||||
|
|
@ -47,7 +47,7 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
|
ptrace_rule::ptrace_rule(perm32_t perms_p, struct cond_entry *conds):
|
||||||
perms_rule_t(AA_CLASS_PTRACE), peer_label(NULL)
|
perms_rule_t(AA_CLASS_PTRACE), peer_label(NULL)
|
||||||
{
|
{
|
||||||
if (perms_p) {
|
if (perms_p) {
|
||||||
|
|
|
||||||
|
|
@ -27,14 +27,14 @@
|
||||||
#define AA_VALID_PTRACE_PERMS (AA_MAY_READ | AA_MAY_TRACE | AA_MAY_READBY | \
|
#define AA_VALID_PTRACE_PERMS (AA_MAY_READ | AA_MAY_TRACE | AA_MAY_READBY | \
|
||||||
AA_MAY_TRACEDBY)
|
AA_MAY_TRACEDBY)
|
||||||
|
|
||||||
int parse_ptrace_perms(const char *str_perms, perms_t *perms, int fail);
|
int parse_ptrace_perms(const char *str_perms, perm32_t *perms, int fail);
|
||||||
|
|
||||||
class ptrace_rule: public perms_rule_t {
|
class ptrace_rule: public perms_rule_t {
|
||||||
void move_conditionals(struct cond_entry *conds);
|
void move_conditionals(struct cond_entry *conds);
|
||||||
public:
|
public:
|
||||||
char *peer_label;
|
char *peer_label;
|
||||||
|
|
||||||
ptrace_rule(perms_t perms, struct cond_entry *conds);
|
ptrace_rule(perm32_t perms, struct cond_entry *conds);
|
||||||
virtual ~ptrace_rule()
|
virtual ~ptrace_rule()
|
||||||
{
|
{
|
||||||
free(peer_label);
|
free(peer_label);
|
||||||
|
|
|
||||||
|
|
@ -22,6 +22,7 @@
|
||||||
#include <list>
|
#include <list>
|
||||||
#include <ostream>
|
#include <ostream>
|
||||||
|
|
||||||
|
#include "perms.h"
|
||||||
#include "policydb.h"
|
#include "policydb.h"
|
||||||
|
|
||||||
using namespace std;
|
using namespace std;
|
||||||
|
|
@ -151,7 +152,6 @@ std::ostream &operator<<(std::ostream &os, rule_t &rule);
|
||||||
typedef std::list<rule_t *> RuleList;
|
typedef std::list<rule_t *> RuleList;
|
||||||
|
|
||||||
/* Not classes so they can be used in the bison front end */
|
/* Not classes so they can be used in the bison front end */
|
||||||
typedef uint32_t perms_t;
|
|
||||||
typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
|
typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
|
||||||
typedef enum { RULE_UNSPECIFIED, RULE_ALLOW, RULE_DENY, RULE_PROMPT } rule_mode_t;
|
typedef enum { RULE_UNSPECIFIED, RULE_ALLOW, RULE_DENY, RULE_PROMPT } rule_mode_t;
|
||||||
|
|
||||||
|
|
@ -407,7 +407,7 @@ public:
|
||||||
return os;
|
return os;
|
||||||
}
|
}
|
||||||
|
|
||||||
perms_t perms, saved;
|
perm32_t perms, saved;
|
||||||
};
|
};
|
||||||
|
|
||||||
// alternate perms rule class that only does dedup instead of perms merging
|
// alternate perms rule class that only does dedup instead of perms merging
|
||||||
|
|
@ -432,7 +432,7 @@ public:
|
||||||
return os;
|
return os;
|
||||||
}
|
}
|
||||||
|
|
||||||
perms_t perms;
|
perm32_t perms;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -116,7 +116,7 @@ static const char *const sig_names[MAXMAPPED_SIG + 1] = {
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
int parse_signal_perms(const char *str_perms, perms_t *perms, int fail)
|
int parse_signal_perms(const char *str_perms, perm32_t *perms, int fail)
|
||||||
{
|
{
|
||||||
return parse_X_perms("signal", AA_VALID_SIGNAL_PERMS, str_perms, perms, fail);
|
return parse_X_perms("signal", AA_VALID_SIGNAL_PERMS, str_perms, perms, fail);
|
||||||
}
|
}
|
||||||
|
|
@ -173,7 +173,7 @@ void signal_rule::move_conditionals(struct cond_entry *conds)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
|
signal_rule::signal_rule(perm32_t perms_p, struct cond_entry *conds):
|
||||||
perms_rule_t(AA_CLASS_SIGNAL), signals(), peer_label(NULL)
|
perms_rule_t(AA_CLASS_SIGNAL), signals(), peer_label(NULL)
|
||||||
{
|
{
|
||||||
if (perms_p) {
|
if (perms_p) {
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@
|
||||||
typedef set<int> Signals;
|
typedef set<int> Signals;
|
||||||
|
|
||||||
int find_signal_mapping(const char *sig);
|
int find_signal_mapping(const char *sig);
|
||||||
int parse_signal_perms(const char *str_perms, perms_t *perms, int fail);
|
int parse_signal_perms(const char *str_perms, perm32_t *perms, int fail);
|
||||||
|
|
||||||
class signal_rule: public perms_rule_t {
|
class signal_rule: public perms_rule_t {
|
||||||
void extract_sigs(struct value_list **list);
|
void extract_sigs(struct value_list **list);
|
||||||
|
|
@ -41,7 +41,7 @@ public:
|
||||||
Signals signals;
|
Signals signals;
|
||||||
char *peer_label;
|
char *peer_label;
|
||||||
|
|
||||||
signal_rule(perms_t perms, struct cond_entry *conds);
|
signal_rule(perm32_t perms, struct cond_entry *conds);
|
||||||
virtual ~signal_rule() {
|
virtual ~signal_rule() {
|
||||||
signals.clear();
|
signals.clear();
|
||||||
free(peer_label);
|
free(peer_label);
|
||||||
|
|
|
||||||
|
|
@ -40,7 +40,7 @@ void userns_rule::move_conditionals(struct cond_entry *conds)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
|
userns_rule::userns_rule(perm32_t perms_p, struct cond_entry *conds):
|
||||||
perms_rule_t(AA_CLASS_NS)
|
perms_rule_t(AA_CLASS_NS)
|
||||||
{
|
{
|
||||||
if (perms_p) {
|
if (perms_p) {
|
||||||
|
|
|
||||||
|
|
@ -26,7 +26,7 @@
|
||||||
class userns_rule: public perms_rule_t {
|
class userns_rule: public perms_rule_t {
|
||||||
void move_conditionals(struct cond_entry *conds);
|
void move_conditionals(struct cond_entry *conds);
|
||||||
public:
|
public:
|
||||||
userns_rule(perms_t perms, struct cond_entry *conds);
|
userns_rule(perm32_t perms, struct cond_entry *conds);
|
||||||
virtual ~userns_rule()
|
virtual ~userns_rule()
|
||||||
{
|
{
|
||||||
};
|
};
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue