diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index 8fbdce9af..a9bbf1ad9 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -95,7 +95,7 @@ void unix_rule::move_peer_conditionals(struct cond_entry *conds)
 }
 }
-unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied):
+unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode_p):
 af_rule("unix"), addr(NULL), peer_addr(NULL)
 {
 if (type_p != 0xffffffff) {
@@ -106,7 +106,7 @@ unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied):
 }
 perms = AA_VALID_NET_PERMS;
 audit = audit_p;
- deny = denied;
+ rule_mode = rule_mode_p;
 }
 unix_rule::unix_rule(perms_t perms_p, struct cond_entry *conds,
@@ -193,7 +193,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
 yyerror(_("Memory allocation error."));
 if (sock_type_n != -1)
 mask = 1 << sock_type_n;
- if (!deny) {
+ if (rule_mode != RULE_DENY) {
 prof.net.allow[AF_UNIX] |= mask;
 if (audit == AUDIT_FORCE)
 prof.net.audit[AF_UNIX] |= mask;
@@ -334,7 +334,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 write_to_prot(buffer);
 if ((mask & AA_NET_CREATE) && !has_peer_conds()) {
 buf = buffer.str();
- if (!prof.policy.rules->add_rule(buf.c_str(), deny,
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
 map_perms(AA_NET_CREATE),
 map_perms(audit == AUDIT_FORCE ? AA_NET_CREATE : 0),
 dfaflags))
@@ -359,7 +359,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 tmp << "\\x00";
 buf = tmp.str();
- if (!prof.policy.rules->add_rule(buf.c_str(), deny,
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
 map_perms(AA_NET_BIND),
 map_perms(audit == AUDIT_FORCE ? AA_NET_BIND : 0),
 dfaflags))
@@ -384,7 +384,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD;
 if (mask & local_mask) {
 buf = buffer.str();
- if (!prof.policy.rules->add_rule(buf.c_str(), deny,
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
 map_perms(mask & local_mask),
 map_perms(audit == AUDIT_FORCE ? mask & local_mask : 0),
 dfaflags))
@@ -398,7 +398,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 /* TODO: backlog conditional: for now match anything*/
 tmp << "..";
 buf = tmp.str();
- if (!prof.policy.rules->add_rule(buf.c_str(), deny,
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
 map_perms(AA_NET_LISTEN),
 map_perms(audit == AUDIT_FORCE ? AA_NET_LISTEN : 0),
 dfaflags))
@@ -411,7 +411,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 /* TODO: sockopt conditional: for now match anything */
 tmp << "..";
 buf = tmp.str();
- if (!prof.policy.rules->add_rule(buf.c_str(), deny,
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY,
 map_perms(AA_NET_OPT),
 map_perms(audit == AUDIT_FORCE ? AA_NET_OPT : 0),
 dfaflags))
@@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 goto fail;
 buf = buffer.str();
- if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
 goto fail;
 }
diff --git a/parser/af_unix.h b/parser/af_unix.h
index 2ad6e9e84..c7fcf2fcf 100644
--- a/parser/af_unix.h
+++ b/parser/af_unix.h
@@ -37,7 +37,7 @@ public:
 char *addr;
 char *peer_addr;
- unix_rule(unsigned int type_p, audit_t audit_p, bool denied);
+ unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode_p);
 unix_rule(perms_t perms, struct cond_entry *conds,
 struct cond_entry *peer_conds);
 virtual ~unix_rule()
diff --git a/parser/dbus.cc b/parser/dbus.cc
index bcd4536df..92885b323 100644
--- a/parser/dbus.cc
+++ b/parser/dbus.cc
@@ -275,20 +275,20 @@ int dbus_rule::gen_policy_re(Profile &prof)
 }
 if (perms & AA_DBUS_BIND) {
- if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms & AA_DBUS_BIND,
 audit == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0, 2, vec, dfaflags, false))
 goto fail;
 }
 if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
- if (!prof.policy.rules->add_rule_vec(deny,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY,
 perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
 audit == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0, 6, vec, dfaflags, false))
 goto fail;
 }
 if (perms & AA_DBUS_EAVESDROP) {
- if (!prof.policy.rules->add_rule_vec(deny,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY,
 perms & AA_DBUS_EAVESDROP,
 audit == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0, 1, vec, dfaflags, false))
diff --git a/parser/mount.cc b/parser/mount.cc
index 7e0b76823..c365637b0 100644
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -741,7 +741,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
 * if a data match is required this only has AA_MATCH_CONT perms
 * else it has full perms
 */
- if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, tmpperms, tmpaudit, 4,
 vec, dfaflags, false))
 goto fail;
 count++;
@@ -752,7 +752,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
 if (!build_mnt_opts(optsbuf, opts))
 goto fail;
 vec[4] = optsbuf.c_str();
- if (!prof.policy.rules->add_rule_vec(deny, perms,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms,
 (audit == AUDIT_FORCE ? perms : 0), 5, vec, dfaflags, false))
 goto fail;
@@ -794,7 +794,7 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count,
 opt_flags & MS_BIND_FLAGS))
 goto fail;
 vec[3] = flagsbuf;
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
 4, vec, dfaflags, false))
 goto fail;
@@ -836,7 +836,7 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
 opt_flags & MS_MAKE_FLAGS))
 goto fail;
 vec[3] = flagsbuf;
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
 4, vec, dfaflags, false))
 goto fail;
@@ -879,7 +879,7 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count,
 opt_flags & MS_MOVE_FLAGS))
 goto fail;
 vec[3] = flagsbuf;
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
 4, vec, dfaflags, false))
 goto fail;
@@ -931,7 +931,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
 tmpaudit = audit == AUDIT_FORCE ? perms : 0;
 }
 /* rule for match without required data || data MATCH_CONT */
- if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, tmpperms, tmpaudit, 4,
 vec, dfaflags, false))
 goto fail;
 count++;
@@ -942,7 +942,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
 if (!build_mnt_opts(optsbuf, opts))
 goto fail;
 vec[4] = optsbuf.c_str();
- if (!prof.policy.rules->add_rule_vec(deny, perms,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms,
 audit == AUDIT_FORCE ? perms : 0, 5, vec, dfaflags, false))
 goto fail;
@@ -1034,7 +1034,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 if (!convert_entry(mntbuf, mnt_point))
 goto fail;
 vec[0] = mntbuf.c_str();
- if (!prof.policy.rules->add_rule_vec(deny, perms,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms,
 (audit == AUDIT_FORCE ? perms : 0), 1, vec, dfaflags, false))
 goto fail;
@@ -1049,7 +1049,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 if (!clear_and_convert_entry(devbuf, device))
 goto fail;
 vec[1] = devbuf.c_str();
- if (!prof.policy.rules->add_rule_vec(deny, perms,
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms,
 (audit == AUDIT_FORCE ? perms : 0), 2, vec, dfaflags, false))
 goto fail;
diff --git a/parser/mqueue.cc b/parser/mqueue.cc
index 47273580f..4e1538107 100644
--- a/parser/mqueue.cc
+++ b/parser/mqueue.cc
@@ -230,10 +230,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 /* store perms at name match so label doesn't need
 * to be checked */
- if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
+ if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
 goto fail;
 /* also provide label match with perm */
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
 goto fail;
 }
 }
@@ -265,10 +265,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 }
 if (perms & AA_VALID_SYSV_MQ_PERMS) {
- if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
+ if (!label && !prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
 goto fail;
 /* also provide label match with perm */
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
+ if (!prof.policy.rules->add_rule_vec(rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
 goto fail;
 }
 }
diff --git a/parser/parser.h b/parser/parser.h
index f5a0d5d58..a115ff92a 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -124,7 +124,7 @@ struct cod_entry {
 * just for this executable */
 perms_t perms; /* perms is 'or' of AA_* bits */
 audit_t audit;
- int deny; /* TRUE or FALSE */
+ rule_mode_t rule_mode;
 bool alias_ignore; /* ignore for alias processing */
diff --git a/parser/parser_merge.c b/parser/parser_merge.c
index 6c5603e36..77c295e19 100644
--- a/parser/parser_merge.c
+++ b/parser/parser_merge.c
@@ -48,8 +48,8 @@ static int file_comp(const void *c1, const void *c2)
 if (res)
 return res;
- if ((*e1)->deny != (*e2)->deny)
- return (*e1)->deny < (*e2)->deny ? -1 : 1;
+ if ((*e1)->rule_mode != (*e2)->rule_mode)
+ return (*e1)->rule_mode < (*e2)->rule_mode ? -1 : 1;
 if ((*e1)->audit != (*e2)->audit)
 return (*e1)->audit < (*e2)->audit ? -1 : 1;
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index ee304d7d6..960d4977c 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -962,7 +962,7 @@ struct cod_entry *new_entry(char *id, perms_t perms, char *link_id)
 entry->link_name = link_id;
 entry->perms = perms;
 entry->audit = AUDIT_UNSPECIFIED;
- entry->deny = FALSE;
+ entry->rule_mode = RULE_UNSPECIFIED;
 entry->pattern_type = ePatternInvalid;
 entry->pat.regex = NULL;
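Review bot: The rewritten comparison in `file_comp` (parser/parser_merge.c) orders entries by the raw `rule_mode` value, so an entry carrying an explicit `allow` prefix (`RULE_ALLOW`) and an otherwise identical entry with no prefix (`RULE_UNSPECIFIED`) now compare unequal, whereas both were `deny == FALSE` before this change; every other consumer in the patch only distinguishes `RULE_DENY`, so if entries that compare equal are what the merge step coalesces, those pairs silently stop being merged. Comparing deny-ness rather than the enum value keeps the previous behaviour: `if (((*e1)->rule_mode == RULE_DENY) != ((*e2)->rule_mode == RULE_DENY))` / `return ((*e1)->rule_mode == RULE_DENY) < ((*e2)->rule_mode == RULE_DENY) ? -1 : 1;`. The body of `file_comp` starts before the hunk, so the earlier comparisons it performs are not visible here.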
@@ -986,7 +986,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
 DUP_STRING(orig, entry, nt_name, err);
 entry->perms = orig->perms;
 entry->audit = orig->audit;
- entry->deny = orig->deny;
+ entry->rule_mode = orig->rule_mode;
 /* XXX - need to create copies of the patterns, too */
 entry->pattern_type = orig->pattern_type;
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 9ad25eb41..fa3b42ad7 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -627,17 +627,19 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 * than link in the entry.
 * TODO: split link and change_profile entries earlier
 */
- if (entry->deny) {
+ if (entry->rule_mode == RULE_DENY) {
 if ((entry->perms & ~AA_LINK_BITS) &&
 !is_change_profile_perms(entry->perms) &&
- !dfarules->add_rule(tbuf.c_str(), entry->deny,
+ !dfarules->add_rule(tbuf.c_str(), entry->rule_mode == RULE_DENY,
 entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
 entry->audit == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
 dfaflags))
 return FALSE;
 } else if (!is_change_profile_perms(entry->perms)) {
- if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms,
- entry->audit == AUDIT_FORCE ? entry->perms : 0, dfaflags))
+ if (!dfarules->add_rule(tbuf.c_str(),
+ entry->rule_mode == RULE_DENY, entry->perms,
+ entry->audit == AUDIT_FORCE ? entry->perms : 0,
+ dfaflags))
 return FALSE;
 }
@@ -660,7 +662,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 perms |= LINK_TO_LINK_SUBSET(perms);
 vec[1] = "/[^/].*";
 }
- if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
+ if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, perms, entry->audit == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
 return FALSE;
 }
 if (is_change_profile_perms(entry->perms)) {
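Review bot: Inside the `if (entry->rule_mode == RULE_DENY)` branch of `process_dfa_entry` the `add_rule` call re-evaluates `entry->rule_mode == RULE_DENY`, which is always true at that point, and the same expression is then repeated in the `else if` branch, in the `add_rule_vec` call of the following hunk and in the three `add_rule_vec` calls of the two later hunks of this function. Hoisting it once near the top of the function, `bool is_deny = entry->rule_mode == RULE_DENY;` (the file already calls C++ member functions, so `bool` is available), and passing `is_deny` to each call reads as closely to the old `entry->deny` as possible and spares a reader from checking whether the repeated tests can ever differ. `process_dfa_entry` starts and ends outside this hunk.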
@@ -711,13 +713,13 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 }
 /* regular change_profile rule */
- if (!dfarules->add_rule_vec(entry->deny,
+ if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY,
 AA_CHANGE_PROFILE | onexec_perms,
 0, index - 1, &vec[1], dfaflags, false))
 return FALSE;
 /* onexec rules - both rules are needed for onexec */
- if (!dfarules->add_rule_vec(entry->deny, onexec_perms,
+ if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, onexec_perms,
 0, 1, vec, dfaflags, false))
 return FALSE;
@@ -726,7 +728,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 * unsafe exec transitions */
 onexec_perms |= (entry->perms & (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE));
- if (!dfarules->add_rule_vec(entry->deny, onexec_perms,
+ if (!dfarules->add_rule_vec(entry->rule_mode == RULE_DENY, onexec_perms,
 0, index, vec, dfaflags, false))
 return FALSE;
 }
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 98dd9901b..476f2e8f6 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -216,6 +216,7 @@ void add_local_entry(Profile *prof);
 struct prefixes prefix;
 IncludeCache_t *includecache;
 audit_t audit;
+ rule_mode_t rule_mode;
 }
 %type TOK_ID
@@ -258,7 +259,7 @@ void add_local_entry(Profile *prof);
 %type opt_owner_flag
 %type opt_profile_flag
 %type opt_flags
-%type opt_perm_mode
+%type opt_rule_mode
 %type opt_id
 %type opt_prefix
 %type dbus_perm
@@ -659,14 +660,14 @@ opt_owner_flag: { /* nothing */ $$ = 0; }
 | TOK_OWNER { $$ = 1; };
 | TOK_OTHER { $$ = 2; };
-opt_perm_mode: { /* nothing */ $$ = 0; }
- | TOK_ALLOW { $$ = 0; }
- | TOK_DENY { $$ = 1; }
+opt_rule_mode: { /* nothing */ $$ = RULE_UNSPECIFIED; }
+ | TOK_ALLOW { $$ = RULE_ALLOW; }
+ | TOK_DENY { $$ = RULE_DENY; }
-opt_prefix: opt_audit_flag opt_perm_mode opt_owner_flag
+opt_prefix: opt_audit_flag opt_rule_mode opt_owner_flag
 {
 $$.audit = $1;
- $$.deny = $2;
+ $$.rule_mode = $2;
 $$.owner = $3;
 }
@@ -687,11 +688,11 @@ rules: rules opt_prefix rule
 PDEBUG("rules rule: (%s)\n", $3->name);
 if (!$3)
 yyerror(_("Assert: `rule' returned NULL."));
- $3->deny = $2.deny;
- if (($2.deny && ($3->perms & AA_EXEC_BITS) &&
+ $3->rule_mode = $2.rule_mode;
+ if ((($2.rule_mode == RULE_DENY) && ($3->perms & AA_EXEC_BITS) &&
 ($3->perms & ALL_AA_EXEC_TYPE)))
 yyerror(_("Invalid perms, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'"));
- else if (!$2.deny && ($3->perms & AA_EXEC_BITS) &&
+ else if (($2.rule_mode != RULE_DENY) && ($3->perms & AA_EXEC_BITS) &&
 !($3->perms & ALL_AA_EXEC_TYPE) && !($3->nt_name))
 yyerror(_("Invalid perms, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"));
@@ -701,7 +702,7 @@ rules: rules opt_prefix rule
 else if ($2.owner == 2)
 $3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 /* only set audit ctl quieting if the rule is not audited */
- if (($2.deny && $2.audit != AUDIT_FORCE) || (!$2.deny && $2.audit == AUDIT_FORCE))
+ if ((($2.rule_mode == RULE_DENY) && $2.audit != AUDIT_FORCE) || (($2.rule_mode != RULE_DENY) && $2.audit == AUDIT_FORCE))
 $3->audit = AUDIT_FORCE;
 add_entry_to_policy($1, $3);
 $$ = $1;
@@ -711,18 +712,18 @@ rules: rules opt_prefix rule
 rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
 {
 struct cod_entry *entry, *tmp;
- if ($2.deny)
+ if ($2.rule_mode == RULE_DENY)
 yyerror(_("deny prefix not allowed"));
 PDEBUG("matched: %s%s%sblock\n", $2.audit == AUDIT_FORCE ? "audit " : "",
- $2.deny ? "deny " : "", $2.owner ? "owner " : "");
+ $2.rule_mode == RULE_DENY ? "deny " : "", $2.owner ? "owner " : "");
 list_for_each_safe($4->entries, entry, tmp) {
 entry->next = NULL;
 if (entry->perms & AA_EXEC_BITS) {
- if (entry->deny &&
+ if ((entry->rule_mode == RULE_DENY) &&
 (entry->perms & ALL_AA_EXEC_TYPE))
 yyerror(_("Invalid perms, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'"));
- else if (!entry->deny &&
+ else if ((entry->rule_mode != RULE_DENY) &&
 !(entry->perms & ALL_AA_EXEC_TYPE))
 yyerror(_("Invalid perms, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
 }
@@ -731,9 +732,9 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
 else if ($2.owner == 2)
 entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
- if ($2.audit == AUDIT_FORCE && !entry->deny)
+ if ($2.audit == AUDIT_FORCE && (entry->rule_mode != RULE_DENY))
 entry->audit = AUDIT_FORCE;
- else if ($2.audit != AUDIT_FORCE && entry->deny)
+ else if ($2.audit != AUDIT_FORCE && (entry->rule_mode == RULE_DENY))
 entry->audit = AUDIT_FORCE;
 add_entry_to_policy($1, entry);
 }
@@ -760,14 +761,14 @@ rules: rules opt_prefix network_rule
 * downgrade if needed
 */
 if (entry->family == AF_UNIX) {
- unix_rule *rule = new unix_rule(entry->type, $2.audit, $2.deny);
+ unix_rule *rule = new unix_rule(entry->type, $2.audit, $2.rule_mode);
 if (!rule)
 yyerror(_("Memory allocation error."));
 $1->rule_ents.push_back(rule);
 }
 if (entry->type > SOCK_PACKET) {
 /* setting mask instead of a bit */
- if ($2.deny) {
+ if ($2.rule_mode == RULE_DENY) {
 $1->net.deny[entry->family] |= entry->type;
 if ($2.audit != AUDIT_FORCE)
 $1->net.quiet[entry->family] |= entry->type;
@@ -777,7 +778,7 @@ rules: rules opt_prefix network_rule
 $1->net.audit[entry->family] |= entry->type;
 }
 } else {
- if ($2.deny) {
+ if ($2.rule_mode == RULE_DENY) {
 $1->net.deny[entry->family] |= 1 << entry->type;
 if ($2.audit != AUDIT_FORCE)
 $1->net.quiet[entry->family] |= 1 << entry->type;
@@ -818,10 +819,10 @@ rules: rules opt_prefix change_profile
 yyerror(_("Assert: `change_profile' returned NULL."));
 if ($2.owner)
 yyerror(_("owner prefix not allowed on unix rules"));
- if ($2.deny && $2.audit == AUDIT_FORCE) {
- $3->deny = 1;
- } else if ($2.deny) {
- $3->deny = 1;
+ if (($2.rule_mode == RULE_DENY) && $2.audit == AUDIT_FORCE) {
+ $3->rule_mode = RULE_DENY;
+ } else if ($2.rule_mode == RULE_DENY) {
+ $3->rule_mode = RULE_DENY;
 $3->audit = AUDIT_FORCE;
 } else if ($2.audit != AUDIT_UNSPECIFIED) {
 $3->audit = $2.audit;
@@ -835,9 +836,9 @@ rules: rules opt_prefix capability
 if ($2.owner)
 yyerror(_("owner prefix not allowed on capability rules"));
- if ($2.deny && $2.audit == AUDIT_FORCE) {
+ if ($2.rule_mode == RULE_DENY && $2.audit == AUDIT_FORCE) {
 $1->caps.deny |= $3;
- } else if ($2.deny) {
+ } else if ($2.rule_mode == RULE_DENY) {
 $1->caps.deny |= $3;
 $1->caps.quiet |= $3;
 } else {
diff --git a/parser/ptrace.cc b/parser/ptrace.cc
index 9459ab3c5..1570e80cd 100644
--- a/parser/ptrace.cc
+++ b/parser/ptrace.cc
@@ -135,7 +135,7 @@ int ptrace_rule::gen_policy_re(Profile &prof)
 buf = buffer.str();
 if (perms & AA_VALID_PTRACE_PERMS) {
- if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
 dfaflags))
 goto fail;
 }
diff --git a/parser/rule.h b/parser/rule.h
index aa8ff2c72..000098e5b 100644
--- a/parser/rule.h
+++ b/parser/rule.h
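Review bot: In the `rules: rules opt_prefix change_profile` hunk the prefix's mode is copied into `$3` only when it is `RULE_DENY`, so an explicit `allow` prefix, which `opt_rule_mode` now yields as the distinct value `RULE_ALLOW`, leaves `$3->rule_mode` at whatever `new_entry` initialised it to, while the `rules: rules opt_prefix rule` action earlier in this patch copies `$2.rule_mode` unconditionally. The `prefixes` copy hunk in parser/rule.h (`@@ -141,10 +146,10 @@`) has the same shape and likewise never stores `RULE_ALLOW`. The only place in the patch that inspects the raw value rather than testing for `RULE_DENY` is `file_comp` in parser/parser_merge.c, so the two paths now record different things for the same `allow` prefix; either assign `$3->rule_mode = $2.rule_mode;` before the audit chain (dropping the two `$3->rule_mode = RULE_DENY;` lines) and do the equivalent in `prefixes`, or state at the enum that only `RULE_DENY` is significant. The action body begins before the hunk, so I cannot see whether `$3` is a freshly created entry here.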
@@ -70,6 +70,7 @@ typedef std::list RuleList;
 /* Not classes so they can be used in the bison front end */
 typedef uint32_t perms_t;
 typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
+typedef enum { RULE_UNSPECIFIED, RULE_ALLOW, RULE_DENY } rule_mode_t;
 /* NOTE: we can not have a constructor for class prefixes. This is
 * because it will break bison, and we would need to transition to
@@ -80,7 +81,7 @@ typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
 class prefixes {
 public:
 audit_t audit;
- int deny;
+ rule_mode_t rule_mode;
 int owner;
 ostream &dump(ostream &os)
@@ -98,12 +99,16 @@ public:
 output = false;
 }
- if (deny) {
+ switch (rule_mode) {
+ case RULE_DENY:
 if (output)
 os << " ";
 os << "deny";
 output = true;
+ break;
+ default:
+ break;
 }
 if (owner) {
@@ -126,7 +131,7 @@ public:
 {
 /* Must construct prefix here see note on prefixes */
 audit = AUDIT_UNSPECIFIED;
- deny = 0;
+ rule_mode = RULE_UNSPECIFIED;
 owner = 0;
 };
@@ -141,10 +146,10 @@ public:
 return false;
 }
 }
- if (p.deny && p.audit == AUDIT_FORCE) {
- deny = 1;
- } else if (p.deny) {
- deny = 1;
+ if (p.rule_mode == RULE_DENY && p.audit == AUDIT_FORCE) {
+ rule_mode = RULE_DENY;
+ } else if (p.rule_mode == RULE_DENY) {
+ rule_mode = RULE_DENY;
 audit = AUDIT_FORCE;
 } else if (p.audit != AUDIT_UNSPECIFIED) {
 audit = p.audit;
diff --git a/parser/signal.cc b/parser/signal.cc
index 461309be5..a1af31463 100644
--- a/parser/signal.cc
+++ b/parser/signal.cc
@@ -289,7 +289,7 @@ int signal_rule::gen_policy_re(Profile &prof)
 buf = buffer.str();
 if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) {
- if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, perms, audit == AUDIT_FORCE ? perms : 0,
 dfaflags))
 goto fail;
 }
diff --git a/parser/userns.cc b/parser/userns.cc
index 84f0fe31d..19bc0f787 100644
--- a/parser/userns.cc
+++ b/parser/userns.cc
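Review bot: The new `rule_mode_t` typedef in parser/rule.h is added without any comment, and the `/* TRUE or FALSE */` annotation that `cod_entry::deny` carried in parser/parser.h is dropped rather than replaced, so a reader has to grep every call site to learn that `RULE_UNSPECIFIED` and `RULE_ALLOW` are handled alike (every consumer in this patch tests `== RULE_DENY` or `!= RULE_DENY`, e.g. `unix_rule::downgrade_rule` adds to `prof.net.allow` for both) and that the enum order is what `file_comp` in parser_merge.c sorts on. Suggest a comment above the typedef such as `/* RULE_UNSPECIFIED: no allow/deny prefix, treated as allow; RULE_ALLOW: explicit allow prefix; RULE_DENY: deny prefix. Order matters: file_comp sorts entries by this value. */`, and the short form `/* see rule_mode_t */` on `cod_entry::rule_mode` and `prefixes::rule_mode`. The `prefixes::dump` hunk below prints only `deny`, which fits that reading and is worth a one-line comment on the `default:` label saying that allow is the unprinted default.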
@@ -96,7 +96,7 @@ int userns_rule::gen_policy_re(Profile &prof)
 buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NS;
 buf = buffer.str();
 if (perms & AA_VALID_USERNS_PERMS) {
- if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms,
+ if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, perms,
 audit == AUDIT_FORCE ? perms : 0, dfaflags))
 goto fail;