parser: convert deny flag from bool to rule_mode
We need to be able to support more rule types than allow and deny, so convert it to an enum. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
f76d134b6c
commit
355730d8c7
14 changed files with 82 additions and 74 deletions
|
@ -95,7 +95,7 @@ void unix_rule::move_peer_conditionals(struct cond_entry *conds)
|
|||
}
|
||||
}
|
||||
|
||||
unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied):
|
||||
unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode_p):
|
||||
af_rule("unix"), addr(NULL), peer_addr(NULL)
|
||||
{
|
||||
if (type_p != 0xffffffff) {
|
||||
|
@ -106,7 +106,7 @@ unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied):
|
|||
}
|
||||
perms = AA_VALID_NET_PERMS;
|
||||
audit = audit_p;
|
||||
deny = denied;
|
||||
rule_mode = rule_mode_p;
|
||||
}
|
||||
|
||||
unix_rule::unix_rule(perms_t perms_p, struct cond_entry *conds,
|
||||
|
@ -193,7 +193,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
|
|||
yyerror(_("Memory allocation error."));
|
||||
if (sock_type_n != -1)
|
||||
mask = 1 << sock_type_n;
|
||||
if (!deny) {
|
||||
if (rule_mode != RULE_DENY) {
|
||||
prof.net.allow[AF_UNIX] |= mask;
|
||||
if (audit == AUDIT_FORCE)
|
||||
prof.net.audit[AF_UNIX] |= mask;
|
||||
|
@ -334,7 +334,7 @@ int unix_rule::gen_policy_re(Profile &prof)
|
|||
write_to_prot(buffer);
|
||||
if ((mask & AA_NET_CREATE) && !has_peer_conds()) {
|
||||
buf = buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
|
||||
map_perms(AA_NET_CREATE),
|
||||
map_perms(audit == AUDIT_FORCE ? AA_NET_CREATE : 0),
|
||||
dfaflags))
|
||||
|
@ -359,7 +359,7 @@ int unix_rule::gen_policy_re(Profile &prof)
|
|||
tmp << "\\x00";
|
||||
|
||||
buf = tmp.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
|
||||
map_perms(AA_NET_BIND),
|
||||
map_perms(audit == AUDIT_FORCE ? AA_NET_BIND : 0),
|
||||
dfaflags))
|
||||
|
@ -384,7 +384,7 @@ int unix_rule::gen_policy_re(Profile &prof)
|
|||
AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD;
|
||||
if (mask & local_mask) {
|
||||
buf = buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
|
||||
map_perms(mask & local_mask),
|
||||
map_perms(audit == AUDIT_FORCE ? mask & local_mask : 0),
|
||||
dfaflags))
|
||||
|
@ -398,7 +398,7 @@ int unix_rule::gen_policy_re(Profile &prof)
|
|||
/* TODO: backlog conditional: for now match anything*/
|
||||
tmp << "..";
|
||||
buf = tmp.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
|
||||
map_perms(AA_NET_LISTEN),
|
||||
map_perms(audit == AUDIT_FORCE ? AA_NET_LISTEN : 0),
|
||||
dfaflags))
|
||||
|
@ -411,7 +411,7 @@ int unix_rule::gen_policy_re(Profile &prof)
|
|||
/* TODO: sockopt conditional: for now match anything */
|
||||
tmp << "..";
|
||||
buf = tmp.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
|
||||
map_perms(AA_NET_OPT),
|
||||
map_perms(audit == AUDIT_FORCE ? AA_NET_OPT : 0),
|
||||
dfaflags))
|
||||
|
@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof)
|
|||
goto fail;
|
||||
|
||||
buf = buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
|
||||
goto fail;
|
||||
}
|
||||
|
||||
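Review bot: Every add_rule/add_rule_vec call in this section (and likewise in the dbus, mount, mqueue, ptrace, signal, userns and parser_regex sections) collapses the new enum back to a flag with `rule_mode == RULE_DENY`, so any mode added later — the stated reason for the enum — is handed to the DFA as allow unless each of these call sites is revisited. A single accessor on the rule, e.g. `bool is_deny() const { return rule_mode == RULE_DENY; }`, would give one place to make and later audit that decision instead of a dozen inline comparisons. The same fail-open default appears in downgrade_rule, where `if (rule_mode != RULE_DENY)` routes RULE_UNSPECIFIED to the allow table; that matches the old `!deny` but is worth stating, e.g. `/* only RULE_DENY goes to the deny table; RULE_UNSPECIFIED and RULE_ALLOW both mean allow here */`. The constructor and gen_policy_re bodies extend beyond the hunks shown.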
|
|
|
@ -37,7 +37,7 @@ public:
|
|||
char *addr;
|
||||
char *peer_addr;
|
||||
|
||||
unix_rule(unsigned int type_p, audit_t audit_p, bool denied);
|
||||
unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode_p);
|
||||
unix_rule(perms_t perms, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds);
|
||||
virtual ~unix_rule()
|
||||
|
|
|
@ -275,20 +275,20 @@ int dbus_rule::gen_policy_re(Profile &prof)
|
|||
}
|
||||
|
||||
if (perms & AA_DBUS_BIND) {
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms & AA_DBUS_BIND,
|
||||
audit == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0,
|
||||
2, vec, dfaflags, false))
|
||||
goto fail;
|
||||
}
|
||||
if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
|
||||
if (!prof.policy.rules->add_rule_vec(deny,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY,
|
||||
perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
|
||||
audit == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0,
|
||||
6, vec, dfaflags, false))
|
||||
goto fail;
|
||||
}
|
||||
if (perms & AA_DBUS_EAVESDROP) {
|
||||
if (!prof.policy.rules->add_rule_vec(deny,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY,
|
||||
perms & AA_DBUS_EAVESDROP,
|
||||
audit == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0,
|
||||
1, vec, dfaflags, false))
|
||||
|
|
|
@ -741,7 +741,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
|
|||
* if a data match is required this only has AA_MATCH_CONT perms
|
||||
* else it has full perms
|
||||
*/
|
||||
if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, tmpperms, tmpaudit, 4,
|
||||
vec, dfaflags, false))
|
||||
goto fail;
|
||||
count++;
|
||||
|
@ -752,7 +752,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
|
|||
if (!build_mnt_opts(optsbuf, opts))
|
||||
goto fail;
|
||||
vec[4] = optsbuf.c_str();
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms,
|
||||
(audit == AUDIT_FORCE ? perms : 0),
|
||||
5, vec, dfaflags, false))
|
||||
goto fail;
|
||||
|
@ -794,7 +794,7 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count,
|
|||
opt_flags & MS_BIND_FLAGS))
|
||||
goto fail;
|
||||
vec[3] = flagsbuf;
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
4, vec,
|
||||
dfaflags, false))
|
||||
goto fail;
|
||||
|
@ -836,7 +836,7 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
|
|||
opt_flags & MS_MAKE_FLAGS))
|
||||
goto fail;
|
||||
vec[3] = flagsbuf;
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
4, vec,
|
||||
dfaflags, false))
|
||||
goto fail;
|
||||
|
@ -879,7 +879,7 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count,
|
|||
opt_flags & MS_MOVE_FLAGS))
|
||||
goto fail;
|
||||
vec[3] = flagsbuf;
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
4, vec,
|
||||
dfaflags, false))
|
||||
goto fail;
|
||||
|
@ -931,7 +931,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
|
|||
tmpaudit = audit == AUDIT_FORCE ? perms : 0;
|
||||
}
|
||||
/* rule for match without required data || data MATCH_CONT */
|
||||
if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, tmpperms, tmpaudit, 4,
|
||||
vec, dfaflags, false))
|
||||
goto fail;
|
||||
count++;
|
||||
|
@ -942,7 +942,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
|
|||
if (!build_mnt_opts(optsbuf, opts))
|
||||
goto fail;
|
||||
vec[4] = optsbuf.c_str();
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms,
|
||||
audit == AUDIT_FORCE ? perms : 0,
|
||||
5, vec, dfaflags, false))
|
||||
goto fail;
|
||||
|
@ -1034,7 +1034,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
|
|||
if (!convert_entry(mntbuf, mnt_point))
|
||||
goto fail;
|
||||
vec[0] = mntbuf.c_str();
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms,
|
||||
(audit == AUDIT_FORCE ? perms : 0), 1, vec,
|
||||
dfaflags, false))
|
||||
goto fail;
|
||||
|
@ -1049,7 +1049,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
|
|||
if (!clear_and_convert_entry(devbuf, device))
|
||||
goto fail;
|
||||
vec[1] = devbuf.c_str();
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms,
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms,
|
||||
(audit == AUDIT_FORCE ? perms : 0), 2, vec,
|
||||
dfaflags, false))
|
||||
goto fail;
|
||||
|
|
|
@ -230,10 +230,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
|
|||
/* store perms at name match so label doesn't need
|
||||
* to be checked
|
||||
*/
|
||||
if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
|
||||
if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
|
||||
goto fail;
|
||||
/* also provide label match with perm */
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
@ -265,10 +265,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
|
|||
}
|
||||
|
||||
if (perms & AA_VALID_SYSV_MQ_PERMS) {
|
||||
if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
|
||||
if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
|
||||
goto fail;
|
||||
/* also provide label match with perm */
|
||||
if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
|
||||
if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
|
||||
goto fail;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -124,7 +124,7 @@ struct cod_entry {
|
|||
* just for this executable */
|
||||
perms_t perms; /* perms is 'or' of AA_* bits */
|
||||
audit_t audit;
|
||||
int deny; /* TRUE or FALSE */
|
||||
rule_mode_t rule_mode;
|
||||
|
||||
bool alias_ignore; /* ignore for alias processing */
|
||||
|
||||
|
|
|
@ -48,8 +48,8 @@ static int file_comp(const void *c1, const void *c2)
|
|||
if (res)
|
||||
return res;
|
||||
|
||||
if ((*e1)->deny != (*e2)->deny)
|
||||
return (*e1)->deny < (*e2)->deny ? -1 : 1;
|
||||
if ((*e1)->rule_mode != (*e2)->rule_mode)
|
||||
return (*e1)->rule_mode < (*e2)->rule_mode ? -1 : 1;
|
||||
|
||||
if ((*e1)->audit != (*e2)->audit)
|
||||
return (*e1)->audit < (*e2)->audit ? -1 : 1;
|
||||
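Review bot: The replacement comparison orders entries by the raw enum value, so an entry left at RULE_UNSPECIFIED by new_entry and one carrying RULE_ALLOW from an explicit `allow` prefix now compare unequal, whereas with the old bool both had `deny == FALSE` and compared equal. If file_comp's ordering feeds duplicate detection or merging of otherwise identical entries, `/foo r,` and `allow /foo w,` would presumably stop being treated as the same rule; if it only needs a stable sort, the change is harmless. To preserve the old equivalence, compare deny-ness rather than the enumerator: `if (((*e1)->rule_mode == RULE_DENY) != ((*e2)->rule_mode == RULE_DENY)) return (*e1)->rule_mode == RULE_DENY ? 1 : -1;`. file_comp starts before the hunk.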
|
|
|
@ -962,7 +962,7 @@ struct cod_entry *new_entry(char *id, perms_t perms, char *link_id)
|
|||
entry->link_name = link_id;
|
||||
entry->perms = perms;
|
||||
entry->audit = AUDIT_UNSPECIFIED;
|
||||
entry->deny = FALSE;
|
||||
entry->rule_mode = RULE_UNSPECIFIED;
|
||||
|
||||
entry->pattern_type = ePatternInvalid;
|
||||
entry->pat.regex = NULL;
|
||||
|
@ -986,7 +986,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
|
|||
DUP_STRING(orig, entry, nt_name, err);
|
||||
entry->perms = orig->perms;
|
||||
entry->audit = orig->audit;
|
||||
entry->deny = orig->deny;
|
||||
entry->rule_mode = orig->rule_mode;
|
||||
|
||||
/* XXX - need to create copies of the patterns, too */
|
||||
entry->pattern_type = orig->pattern_type;
|
||||
|
|
|
@ -627,17 +627,19 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
|
|||
* than link in the entry.
|
||||
* TODO: split link and change_profile entries earlier
|
||||
*/
|
||||
if (entry->deny) {
|
||||
if (entry->rule_mode == RULE_DENY) {
|
||||
if ((entry->perms & ~AA_LINK_BITS) &&
|
||||
!is_change_profile_perms(entry->perms) &&
|
||||
!dfarules->add_rule(tbuf.c_str(), entry->deny,
|
||||
!dfarules->add_rule(tbuf.c_str(), entry->rule_mode == RULE_DENY,
|
||||
entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
|
||||
entry->audit == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
|
||||
dfaflags))
|
||||
return FALSE;
|
||||
} else if (!is_change_profile_perms(entry->perms)) {
|
||||
if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms,
|
||||
entry->audit == AUDIT_FORCE ? entry->perms : 0, dfaflags))
|
||||
if (!dfarules->add_rule(tbuf.c_str(),
|
||||
entry->rule_mode == RULE_DENY, entry->perms,
|
||||
entry->audit == AUDIT_FORCE ? entry->perms : 0,
|
||||
dfaflags))
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -660,7 +662,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
|
|||
perms |= LINK_TO_LINK_SUBSET(perms);
|
||||
vec[1] = "/[^/].*";
|
||||
}
|
||||
if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
|
||||
if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, perms, entry->audit == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
|
||||
return FALSE;
|
||||
}
|
||||
if (is_change_profile_perms(entry->perms)) {
|
||||
|
@ -711,13 +713,13 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
|
|||
}
|
||||
|
||||
/* regular change_profile rule */
|
||||
if (!dfarules->add_rule_vec(entry->deny,
|
||||
if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY,
|
||||
AA_CHANGE_PROFILE | onexec_perms,
|
||||
0, index - 1, &vec[1], dfaflags, false))
|
||||
return FALSE;
|
||||
|
||||
/* onexec rules - both rules are needed for onexec */
|
||||
if (!dfarules->add_rule_vec(entry->deny, onexec_perms,
|
||||
if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, onexec_perms,
|
||||
0, 1, vec, dfaflags, false))
|
||||
return FALSE;
|
||||
|
||||
|
@ -726,7 +728,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
|
|||
* unsafe exec transitions
|
||||
*/
|
||||
onexec_perms |= (entry->perms & (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE));
|
||||
if (!dfarules->add_rule_vec(entry->deny, onexec_perms,
|
||||
if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, onexec_perms,
|
||||
0, index, vec, dfaflags, false))
|
||||
return FALSE;
|
||||
}
|
||||
|
|
|
@ -216,6 +216,7 @@ void add_local_entry(Profile *prof);
|
|||
struct prefixes prefix;
|
||||
IncludeCache_t *includecache;
|
||||
audit_t audit;
|
||||
rule_mode_t rule_mode;
|
||||
}
|
||||
|
||||
%type <id> TOK_ID
|
||||
|
@ -258,7 +259,7 @@ void add_local_entry(Profile *prof);
|
|||
%type <boolean> opt_owner_flag
|
||||
%type <boolean> opt_profile_flag
|
||||
%type <boolean> opt_flags
|
||||
%type <boolean> opt_perm_mode
|
||||
%type <rule_mode> opt_rule_mode
|
||||
%type <id> opt_id
|
||||
%type <prefix> opt_prefix
|
||||
%type <fperms> dbus_perm
|
||||
|
@ -659,14 +660,14 @@ opt_owner_flag: { /* nothing */ $$ = 0; }
|
|||
| TOK_OWNER { $$ = 1; };
|
||||
| TOK_OTHER { $$ = 2; };
|
||||
|
||||
opt_perm_mode: { /* nothing */ $$ = 0; }
|
||||
| TOK_ALLOW { $$ = 0; }
|
||||
| TOK_DENY { $$ = 1; }
|
||||
opt_rule_mode: { /* nothing */ $$ = RULE_UNSPECIFIED; }
|
||||
| TOK_ALLOW { $$ = RULE_ALLOW; }
|
||||
| TOK_DENY { $$ = RULE_DENY; }
|
||||
|
||||
opt_prefix: opt_audit_flag opt_perm_mode opt_owner_flag
|
||||
opt_prefix: opt_audit_flag opt_rule_mode opt_owner_flag
|
||||
{
|
||||
$$.audit = $1;
|
||||
$$.deny = $2;
|
||||
$$.rule_mode = $2;
|
||||
$$.owner = $3;
|
||||
}
|
||||
|
||||
|
@ -687,11 +688,11 @@ rules: rules opt_prefix rule
|
|||
PDEBUG("rules rule: (%s)\n", $3->name);
|
||||
if (!$3)
|
||||
yyerror(_("Assert: `rule' returned NULL."));
|
||||
$3->deny = $2.deny;
|
||||
if (($2.deny && ($3->perms & AA_EXEC_BITS) &&
|
||||
$3->rule_mode = $2.rule_mode;
|
||||
if ((($2.rule_mode == RULE_DENY) && ($3->perms & AA_EXEC_BITS) &&
|
||||
($3->perms & ALL_AA_EXEC_TYPE)))
|
||||
yyerror(_("Invalid perms, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'"));
|
||||
else if (!$2.deny && ($3->perms & AA_EXEC_BITS) &&
|
||||
else if (($2.rule_mode != RULE_DENY) && ($3->perms & AA_EXEC_BITS) &&
|
||||
!($3->perms & ALL_AA_EXEC_TYPE) &&
|
||||
!($3->nt_name))
|
||||
yyerror(_("Invalid perms, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"));
|
||||
|
@ -701,7 +702,7 @@ rules: rules opt_prefix rule
|
|||
else if ($2.owner == 2)
|
||||
$3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
|
||||
/* only set audit ctl quieting if the rule is not audited */
|
||||
if (($2.deny && $2.audit != AUDIT_FORCE) || (!$2.deny && $2.audit == AUDIT_FORCE))
|
||||
if ((($2.rule_mode == RULE_DENY) && $2.audit != AUDIT_FORCE) || (($2.rule_mode != RULE_DENY) && $2.audit == AUDIT_FORCE))
|
||||
$3->audit = AUDIT_FORCE;
|
||||
add_entry_to_policy($1, $3);
|
||||
$$ = $1;
|
||||
|
@ -711,18 +712,18 @@ rules: rules opt_prefix rule
|
|||
rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
|
||||
{
|
||||
struct cod_entry *entry, *tmp;
|
||||
if ($2.deny)
|
||||
if ($2.rule_mode == RULE_DENY)
|
||||
yyerror(_("deny prefix not allowed"));
|
||||
|
||||
PDEBUG("matched: %s%s%sblock\n", $2.audit == AUDIT_FORCE ? "audit " : "",
|
||||
$2.deny ? "deny " : "", $2.owner ? "owner " : "");
|
||||
$2.rule_mode == RULE_DENY ? "deny " : "", $2.owner ? "owner " : "");
|
||||
list_for_each_safe($4->entries, entry, tmp) {
|
||||
entry->next = NULL;
|
||||
if (entry->perms & AA_EXEC_BITS) {
|
||||
if (entry->deny &&
|
||||
if ((entry->rule_mode == RULE_DENY) &&
|
||||
(entry->perms & ALL_AA_EXEC_TYPE))
|
||||
yyerror(_("Invalid perms, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'"));
|
||||
else if (!entry->deny &&
|
||||
else if ((entry->rule_mode != RULE_DENY) &&
|
||||
!(entry->perms & ALL_AA_EXEC_TYPE))
|
||||
yyerror(_("Invalid perms, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
|
||||
}
|
||||
|
@ -731,9 +732,9 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
|
|||
else if ($2.owner == 2)
|
||||
entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
|
||||
|
||||
if ($2.audit == AUDIT_FORCE && !entry->deny)
|
||||
if ($2.audit == AUDIT_FORCE && (entry->rule_mode != RULE_DENY))
|
||||
entry->audit = AUDIT_FORCE;
|
||||
else if ($2.audit != AUDIT_FORCE && entry->deny)
|
||||
else if ($2.audit != AUDIT_FORCE && (entry->rule_mode == RULE_DENY))
|
||||
entry->audit = AUDIT_FORCE;
|
||||
add_entry_to_policy($1, entry);
|
||||
}
|
||||
|
@ -760,14 +761,14 @@ rules: rules opt_prefix network_rule
|
|||
* downgrade if needed
|
||||
*/
|
||||
if (entry->family == AF_UNIX) {
|
||||
unix_rule *rule = new unix_rule(entry->type, $2.audit, $2.deny);
|
||||
unix_rule *rule = new unix_rule(entry->type, $2.audit, $2.rule_mode);
|
||||
if (!rule)
|
||||
yyerror(_("Memory allocation error."));
|
||||
$1->rule_ents.push_back(rule);
|
||||
}
|
||||
if (entry->type > SOCK_PACKET) {
|
||||
/* setting mask instead of a bit */
|
||||
if ($2.deny) {
|
||||
if ($2.rule_mode == RULE_DENY) {
|
||||
$1->net.deny[entry->family] |= entry->type;
|
||||
if ($2.audit != AUDIT_FORCE)
|
||||
$1->net.quiet[entry->family] |= entry->type;
|
||||
|
@ -777,7 +778,7 @@ rules: rules opt_prefix network_rule
|
|||
$1->net.audit[entry->family] |= entry->type;
|
||||
}
|
||||
} else {
|
||||
if ($2.deny) {
|
||||
if ($2.rule_mode == RULE_DENY) {
|
||||
$1->net.deny[entry->family] |= 1 << entry->type;
|
||||
if ($2.audit != AUDIT_FORCE)
|
||||
$1->net.quiet[entry->family] |= 1 << entry->type;
|
||||
|
@ -818,10 +819,10 @@ rules: rules opt_prefix change_profile
|
|||
yyerror(_("Assert: `change_profile' returned NULL."));
|
||||
if ($2.owner)
|
||||
yyerror(_("owner prefix not allowed on unix rules"));
|
||||
if ($2.deny && $2.audit == AUDIT_FORCE) {
|
||||
$3->deny = 1;
|
||||
} else if ($2.deny) {
|
||||
$3->deny = 1;
|
||||
if (($2.rule_mode == RULE_DENY) && $2.audit == AUDIT_FORCE) {
|
||||
$3->rule_mode = RULE_DENY;
|
||||
} else if ($2.rule_mode == RULE_DENY) {
|
||||
$3->rule_mode = RULE_DENY;
|
||||
$3->audit = AUDIT_FORCE;
|
||||
} else if ($2.audit != AUDIT_UNSPECIFIED) {
|
||||
$3->audit = $2.audit;
|
||||
|
@ -835,9 +836,9 @@ rules: rules opt_prefix capability
|
|||
if ($2.owner)
|
||||
yyerror(_("owner prefix not allowed on capability rules"));
|
||||
|
||||
if ($2.deny && $2.audit == AUDIT_FORCE) {
|
||||
if ($2.rule_mode == RULE_DENY && $2.audit == AUDIT_FORCE) {
|
||||
$1->caps.deny |= $3;
|
||||
} else if ($2.deny) {
|
||||
} else if ($2.rule_mode == RULE_DENY) {
|
||||
$1->caps.deny |= $3;
|
||||
$1->caps.quiet |= $3;
|
||||
} else {
|
||||
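Review bot: In the change_profile action only RULE_DENY is ever copied into `$3->rule_mode` (the `if (($2.rule_mode == RULE_DENY) && ...` / `else if ($2.rule_mode == RULE_DENY)` chain), so an explicit `allow` prefix, which opt_rule_mode now yields as RULE_ALLOW, is dropped and the rule keeps whatever mode its constructor set; the generic `rules opt_prefix rule` action by contrast assigns `$3->rule_mode = $2.rule_mode` unconditionally, and prefixes::add_prefix in rule.h has the same gap as change_profile. Nothing downstream distinguishes RULE_ALLOW from RULE_UNSPECIFIED today, so this is not a behaviour change, but it means the enum cannot yet carry a non-deny mode through these two paths. A statement ahead of the chain, `if ($2.rule_mode != RULE_UNSPECIFIED) $3->rule_mode = $2.rule_mode;`, would make the arms consistent without touching the audit logic. These grammar actions start and end outside the hunks shown.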
|
|
|
@ -135,7 +135,7 @@ int ptrace_rule::gen_policy_re(Profile &prof)
|
|||
|
||||
buf = buffer.str();
|
||||
if (perms & AA_VALID_PTRACE_PERMS) {
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
dfaflags))
|
||||
goto fail;
|
||||
}
|
||||
|
|
|
@ -70,6 +70,7 @@ typedef std::list<rule_t *> RuleList;
|
|||
/* Not classes so they can be used in the bison front end */
|
||||
typedef uint32_t perms_t;
|
||||
typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
|
||||
typedef enum { RULE_UNSPECIFIED, RULE_ALLOW, RULE_DENY } rule_mode_t;
|
||||
|
||||
/* NOTE: we can not have a constructor for class prefixes. This is
|
||||
* because it will break bison, and we would need to transition to
|
||||
|
@ -80,7 +81,7 @@ typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
|
|||
class prefixes {
|
||||
public:
|
||||
audit_t audit;
|
||||
int deny;
|
||||
rule_mode_t rule_mode;
|
||||
int owner;
|
||||
|
||||
ostream &dump(ostream &os)
|
||||
|
@ -98,12 +99,16 @@ public:
|
|||
output = false;
|
||||
}
|
||||
|
||||
if (deny) {
|
||||
switch (rule_mode) {
|
||||
case RULE_DENY:
|
||||
if (output)
|
||||
os << " ";
|
||||
|
||||
os << "deny";
|
||||
output = true;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
if (owner) {
|
||||
|
@ -126,7 +131,7 @@ public:
|
|||
{
|
||||
/* Must construct prefix here see note on prefixes */
|
||||
audit = AUDIT_UNSPECIFIED;
|
||||
deny = 0;
|
||||
rule_mode = RULE_UNSPECIFIED;
|
||||
owner = 0;
|
||||
};
|
||||
|
||||
|
@ -141,10 +146,10 @@ public:
|
|||
return false;
|
||||
}
|
||||
}
|
||||
if (p.deny && p.audit == AUDIT_FORCE) {
|
||||
deny = 1;
|
||||
} else if (p.deny) {
|
||||
deny = 1;
|
||||
if (p.rule_mode == RULE_DENY && p.audit == AUDIT_FORCE) {
|
||||
rule_mode = RULE_DENY;
|
||||
} else if (p.rule_mode == RULE_DENY) {
|
||||
rule_mode = RULE_DENY;
|
||||
audit = AUDIT_FORCE;
|
||||
} else if (p.audit != AUDIT_UNSPECIFIED) {
|
||||
audit = p.audit;
|
||||
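Review bot: The new `switch (rule_mode)` in prefixes::dump prints text only for RULE_DENY and swallows every other value under `default: break;`, so an explicit `allow` prefix is not reproduced and any mode added later prints nothing rather than being noticed. Since this switch exists precisely to grow with the enum, listing the cases explicitly (`case RULE_ALLOW:` emitting "allow", `case RULE_UNSPECIFIED: break;`) and dropping `default` would let the compiler's switch-coverage warning flag the next enumerator; whether printing "allow" is acceptable depends on who consumes dump's output, which is not visible here. Relatedly, the enumerator order in `typedef enum { RULE_UNSPECIFIED, RULE_ALLOW, RULE_DENY } rule_mode_t;` is now relied on by file_comp's `<` comparison, which a one-line comment on the typedef should record. dump starts before the hunk.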
|
|
|
@ -289,7 +289,7 @@ int signal_rule::gen_policy_re(Profile &prof)
|
|||
|
||||
buf = buffer.str();
|
||||
if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) {
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
|
||||
dfaflags))
|
||||
goto fail;
|
||||
}
|
||||
|
|
|
@ -96,7 +96,7 @@ int userns_rule::gen_policy_re(Profile &prof)
|
|||
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NS;
|
||||
buf = buffer.str();
|
||||
if (perms & AA_VALID_USERNS_PERMS) {
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms,
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, perms,
|
||||
audit == AUDIT_FORCE ? perms : 0,
|
||||
dfaflags))
|
||||
goto fail;
|
||||
|
|