mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

parser: convert the stored audit from a bit mask to a bool

Browse source 
This delays the convertion of the audit flag until passing to the
backend. This is a step towards fix the parser front end so that it
doesn't use encoded permission mappings.

Note: the patch embedds the bool conversion into a struct to ensure
the compiler will fail to build unless every use is fixed. The
struct is removed in the following patch.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2021-06-11 03:07:54 -07:00
parent 4fd1f97102
commit 44f3be091a
21 changed files with 102 additions and 92 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
parser/af_rule.cc
View file

@ -92,7 +92,7 @@ int af_rule::move_base_cond(struct cond_entry *ent, bool peer)
ostream &af_rule::dump_prefix(ostream &os) ostream &af_rule::dump_prefix(ostream &os)
{ {
if (audit) if (audit.audit)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";

4
parser/af_rule.h
View file

@ -45,12 +45,12 @@ public:
char *label; char *label;
char *peer_label; char *peer_label;
perms_t perms; perms_t perms;
int audit; struct { bool audit; } audit;
bool deny; bool deny;
af_rule(const char *name): af_name(name), sock_type(NULL), af_rule(const char *name): af_name(name), sock_type(NULL),
sock_type_n(-1), proto(NULL), proto_n(0), label(NULL), sock_type_n(-1), proto(NULL), proto_n(0), label(NULL),
peer_label(NULL), perms(0), audit(0), deny(0) peer_label(NULL), perms(0), audit({ false }), deny(0)
{} {}
virtual ~af_rule() virtual ~af_rule()

18
parser/af_unix.cc
View file

@ -105,7 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
yyerror("socket rule: invalid socket type '%d'", type_p); yyerror("socket rule: invalid socket type '%d'", type_p);
} }
perms = AA_VALID_NET_PERMS; perms = AA_VALID_NET_PERMS;
audit = audit_p ? AA_VALID_NET_PERMS : 0; audit.audit = audit_p;
deny = denied; deny = denied;
} }
@ -195,7 +195,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
mask = 1 << sock_type_n; mask = 1 << sock_type_n;
if (!deny) { if (!deny) {
prof.net.allow[AF_UNIX] |= mask; prof.net.allow[AF_UNIX] |= mask;
if (audit) if (audit.audit)
prof.net.audit[AF_UNIX] |= mask; prof.net.audit[AF_UNIX] |= mask;
} else { } else {
/* deny rules have to be dropped because the downgrade makes /* deny rules have to be dropped because the downgrade makes
@ -336,7 +336,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_CREATE), map_perms(AA_NET_CREATE),
map_perms(audit & AA_NET_CREATE), map_perms(audit.audit ? AA_NET_CREATE : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
mask &= ~AA_NET_CREATE; mask &= ~AA_NET_CREATE;
@ -361,7 +361,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str(); buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_BIND), map_perms(AA_NET_BIND),
map_perms(audit & AA_NET_BIND), map_perms(audit.audit ? AA_NET_BIND : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
/* clear if auto, else generic need to generate addr below */ /* clear if auto, else generic need to generate addr below */
@ -386,7 +386,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(mask & local_mask), map_perms(mask & local_mask),
map_perms(audit & local_mask), map_perms(audit.audit ? mask & local_mask : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
} }
@ -400,7 +400,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str(); buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_LISTEN), map_perms(AA_NET_LISTEN),
map_perms(audit & AA_NET_LISTEN), map_perms(audit.audit ? AA_NET_LISTEN : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
} }
@ -412,8 +412,8 @@ int unix_rule::gen_policy_re(Profile &prof)
tmp << ".."; tmp << "..";
buf = tmp.str(); buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(mask & AA_NET_OPT), map_perms(AA_NET_OPT),
map_perms(audit & AA_NET_OPT), map_perms(audit.audit ? AA_NET_OPT : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
} }
@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof)
goto fail; goto fail;
buf = buffer.str(); buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit), dfaflags)) if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit.audit ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
goto fail; goto fail;
} }

10
parser/dbus.cc
View file

@ -69,7 +69,7 @@ void dbus_rule::move_conditionals(struct cond_entry *conds)
dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds, dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
struct cond_entry *peer_conds): struct cond_entry *peer_conds):
bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL), bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL),
perms(0), audit(0), deny(0) perms(0), audit( { false } ), deny(0)
{ {
int name_is_subject_cond = 0, message_rule = 0, service_rule = 0; int name_is_subject_cond = 0, message_rule = 0, service_rule = 0;
@ -122,7 +122,7 @@ dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
ostream &dbus_rule::dump(ostream &os) ostream &dbus_rule::dump(ostream &os)
{ {
if (audit) if (audit.audit)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -279,21 +279,21 @@ int dbus_rule::gen_policy_re(Profile &prof)
if (perms & AA_DBUS_BIND) { if (perms & AA_DBUS_BIND) {
if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND, if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND,
audit & AA_DBUS_BIND, audit.audit ? perms & AA_DBUS_BIND : 0,
2, vec, dfaflags, false)) 2, vec, dfaflags, false))
goto fail; goto fail;
} }
if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) { if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
if (!prof.policy.rules->add_rule_vec(deny, if (!prof.policy.rules->add_rule_vec(deny,
perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE), perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
audit & (AA_DBUS_SEND | AA_DBUS_RECEIVE), audit.audit ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0,
6, vec, dfaflags, false)) 6, vec, dfaflags, false))
goto fail; goto fail;
} }
if (perms & AA_DBUS_EAVESDROP) { if (perms & AA_DBUS_EAVESDROP) {
if (!prof.policy.rules->add_rule_vec(deny, if (!prof.policy.rules->add_rule_vec(deny,
perms & AA_DBUS_EAVESDROP, perms & AA_DBUS_EAVESDROP,
audit & AA_DBUS_EAVESDROP, audit.audit ? perms & AA_DBUS_EAVESDROP : 0,
1, vec, dfaflags, false)) 1, vec, dfaflags, false))
goto fail; goto fail;
} }

2
parser/dbus.h
View file

@ -40,7 +40,7 @@ public:
char *interface; char *interface;
char *member; char *member;
perms_t perms; perms_t perms;
int audit; struct { bool audit; } audit;
int deny; int deny;
dbus_rule(perms_t perms_p, struct cond_entry *conds, dbus_rule(perms_t perms_p, struct cond_entry *conds,

52
parser/mount.cc
View file

@ -469,7 +469,7 @@ mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
struct cond_entry *dst_conds unused, char *mnt_point_p, struct cond_entry *dst_conds unused, char *mnt_point_p,
perms_t perms_p): perms_t perms_p):
mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL), mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL),
flagsv(0), opt_flagsv(0), audit(0), deny(0) flagsv(0), opt_flagsv(0), audit( { false } ), deny(0)
{ {
/* FIXME: dst_conds are ignored atm */ /* FIXME: dst_conds are ignored atm */
dev_type = extract_fstype(&src_conds); dev_type = extract_fstype(&src_conds);
@ -581,7 +581,7 @@ ostream &mnt_rule::dump(ostream &os)
os << " -> " << trans; os << " -> " << trans;
const char *prefix = deny ? "deny" : ""; const char *prefix = deny ? "deny" : "";
os << " " << prefix << "(0x" << hex << perms << "/0x" << audit << ")"; os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit.audit ? perms : 0) << ")";
os << ",\n"; os << ",\n";
return os; return os;
@ -699,7 +699,6 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
std::string optsbuf; std::string optsbuf;
char class_mount_hdr[64]; char class_mount_hdr[64];
const char *vec[5]; const char *vec[5];
perms_t tmpperms;
sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT); sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
@ -727,14 +726,20 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (opts) perms_t tmpperms, tmpaudit;
if (opts) {
tmpperms = AA_MATCH_CONT; tmpperms = AA_MATCH_CONT;
else tmpaudit = 0;
} else {
/* dependent on full expansion of any data match perms */
tmpperms = perms; tmpperms = perms;
tmpaudit = audit.audit ? perms : 0;
/* rule for match without required data || data MATCH_CONT */ }
if (!prof.policy.rules->add_rule_vec(deny, tmpperms, /* match for up to but not including data
audit | AA_AUDIT_MNT_DATA, 4, * if a data match is required this only has AA_MATCH_CONT perms
* else it has full perms
*/
if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
vec, dfaflags, false)) vec, dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -746,7 +751,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
goto fail; goto fail;
vec[4] = optsbuf.c_str(); vec[4] = optsbuf.c_str();
if (!prof.policy.rules->add_rule_vec(deny, perms, if (!prof.policy.rules->add_rule_vec(deny, perms,
audit | AA_AUDIT_MNT_DATA, (audit.audit ? perms : 0),
5, vec, dfaflags, false)) 5, vec, dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -787,7 +792,7 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count,
opt_flags & MS_BIND_FLAGS)) opt_flags & MS_BIND_FLAGS))
goto fail; goto fail;
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (!prof.policy.rules->add_rule_vec(deny, perms, audit, 4, vec, if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit ? perms : 0, 4, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -828,7 +833,7 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
opt_flags & MS_MAKE_FLAGS)) opt_flags & MS_MAKE_FLAGS))
goto fail; goto fail;
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (!prof.policy.rules->add_rule_vec(deny, perms, audit, 4, vec, if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit ? perms : 0, 4, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -870,7 +875,7 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count,
opt_flags & MS_MOVE_FLAGS)) opt_flags & MS_MOVE_FLAGS))
goto fail; goto fail;
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (!prof.policy.rules->add_rule_vec(deny, perms, audit, 4, vec, if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit ? perms : 0, 4, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -891,7 +896,6 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
std::string optsbuf; std::string optsbuf;
char class_mount_hdr[64]; char class_mount_hdr[64];
const char *vec[5]; const char *vec[5];
perms_t tmpperms;
sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT); sprintf(class_mount_hdr, "\\x%02x", AA_CLASS_MOUNT);
@ -913,14 +917,16 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
goto fail; goto fail;
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (opts) perms_t tmpperms, tmpaudit;
if (opts) {
tmpperms = AA_MATCH_CONT; tmpperms = AA_MATCH_CONT;
else tmpaudit = 0;
} else {
tmpperms = perms; tmpperms = perms;
tmpaudit = audit.audit ? perms : 0;
}
/* rule for match without required data || data MATCH_CONT */ /* rule for match without required data || data MATCH_CONT */
if (!prof.policy.rules->add_rule_vec(deny, tmpperms, if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
audit | AA_AUDIT_MNT_DATA, 4,
vec, dfaflags, false)) vec, dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -932,7 +938,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
goto fail; goto fail;
vec[4] = optsbuf.c_str(); vec[4] = optsbuf.c_str();
if (!prof.policy.rules->add_rule_vec(deny, perms, if (!prof.policy.rules->add_rule_vec(deny, perms,
audit | AA_AUDIT_MNT_DATA, audit.audit ? perms : 0,
5, vec, dfaflags, false)) 5, vec, dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -1023,7 +1029,8 @@ int mnt_rule::gen_policy_re(Profile &prof)
if (!convert_entry(mntbuf, mnt_point)) if (!convert_entry(mntbuf, mnt_point))
goto fail; goto fail;
vec[0] = mntbuf.c_str(); vec[0] = mntbuf.c_str();
if (!prof.policy.rules->add_rule_vec(deny, perms, audit, 1, vec, if (!prof.policy.rules->add_rule_vec(deny, perms,
(audit.audit ? perms : 0), 1, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -1037,7 +1044,8 @@ int mnt_rule::gen_policy_re(Profile &prof)
if (!clear_and_convert_entry(devbuf, device)) if (!clear_and_convert_entry(devbuf, device))
goto fail; goto fail;
vec[1] = devbuf.c_str(); vec[1] = devbuf.c_str();
if (!prof.policy.rules->add_rule_vec(deny, perms, audit, 2, vec, if (!prof.policy.rules->add_rule_vec(deny, perms,
(audit.audit ? perms : 0), 2, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
count++; count++;

2
parser/mount.h
View file

@ -144,7 +144,7 @@ public:
std::vector<unsigned int> flagsv, opt_flagsv; std::vector<unsigned int> flagsv, opt_flagsv;
perms_t perms; perms_t perms;
int audit; struct { bool audit; } audit;
int deny; int deny;
mnt_rule(struct cond_entry *src_conds, char *device_p, mnt_rule(struct cond_entry *src_conds, char *device_p,

12
parser/mqueue.cc
View file

@ -87,7 +87,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds)
} }
mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p): mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p):
qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit(0), deny(0) qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit({false}), deny(0)
{ {
move_conditionals(conds); move_conditionals(conds);
free_cond_list(conds); free_cond_list(conds);
@ -115,7 +115,7 @@ mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_
ostream &mqueue_rule::dump(ostream &os) ostream &mqueue_rule::dump(ostream &os)
{ {
if (audit) if (audit.audit)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -233,10 +233,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
/* store perms at name match so label doesn't need /* store perms at name match so label doesn't need
* to be checked * to be checked
*/ */
if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit, 1, vec, dfaflags, false)) if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit ? perms : 0, 1, vec, dfaflags, false))
goto fail; goto fail;
/* also provide label match with perm */ /* also provide label match with perm */
if (!prof.policy.rules->add_rule_vec(deny, perms, audit, size, vec, dfaflags, false)) if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit ? perms : 0, size, vec, dfaflags, false))
goto fail; goto fail;
} }
} }
@ -268,10 +268,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
} }
if (perms & AA_VALID_SYSV_MQ_PERMS) { if (perms & AA_VALID_SYSV_MQ_PERMS) {
if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit, 1, vec, dfaflags, false)) if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit ? perms : 0, 1, vec, dfaflags, false))
goto fail; goto fail;
/* also provide label match with perm */ /* also provide label match with perm */
if (!prof.policy.rules->add_rule_vec(deny, perms, audit, size, vec, dfaflags, false)) if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit ? perms : 0, size, vec, dfaflags, false))
goto fail; goto fail;
} }
} }

2
parser/mqueue.h
View file

@ -88,7 +88,7 @@ public:
char *qname; char *qname;
char *label; char *label;
perms_t perms; perms_t perms;
int audit; struct { bool audit; } audit;
int deny; int deny;
mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL); mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL);

2
parser/parser.h
View file

@ -130,7 +130,7 @@ struct cod_entry {
Profile *prof; /* Special profile defined Profile *prof; /* Special profile defined
* just for this executable */ * just for this executable */
perms_t perms; /* perms is 'or' of AA_* bits */ perms_t perms; /* perms is 'or' of AA_* bits */
int audit; /* audit flags for perms */ struct { bool audit; } audit; /* audit flags for perms */
int deny; /* TRUE or FALSE */ int deny; /* TRUE or FALSE */
int alias_ignore; /* ignore for alias processing */ int alias_ignore; /* ignore for alias processing */

4
parser/parser_merge.c
View file

@ -51,8 +51,8 @@ static int file_comp(const void *c1, const void *c2)
if ((*e1)->deny != (*e2)->deny) if ((*e1)->deny != (*e2)->deny)
return (*e1)->deny < (*e2)->deny ? -1 : 1; return (*e1)->deny < (*e2)->deny ? -1 : 1;
if ((*e1)->audit != (*e2)->audit) if ((*e1)->audit.audit != (*e2)->audit.audit)
return (*e1)->audit < (*e2)->audit ? -1 : 1; return (*e1)->audit.audit < (*e2)->audit.audit ? -1 : 1;
return strcmp((*e1)->name, (*e2)->name); return strcmp((*e1)->name, (*e2)->name);
} }

2
parser/parser_misc.c
View file

@ -961,7 +961,7 @@ struct cod_entry *new_entry(char *id, perms_t perms, char *link_id)
entry->name = id; entry->name = id;
entry->link_name = link_id; entry->link_name = link_id;
entry->perms = perms; entry->perms = perms;
entry->audit = 0; entry->audit.audit = false;
entry->deny = FALSE; entry->deny = FALSE;
entry->pattern_type = ePatternInvalid; entry->pattern_type = ePatternInvalid;

8
parser/parser_regex.c
View file

@ -632,12 +632,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
!is_change_profile_perms(entry->perms) && !is_change_profile_perms(entry->perms) &&
!dfarules->add_rule(tbuf.c_str(), entry->deny, !dfarules->add_rule(tbuf.c_str(), entry->deny,
entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
entry->audit & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), entry->audit.audit ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
dfaflags)) dfaflags))
return FALSE; return FALSE;
} else if (!is_change_profile_perms(entry->perms)) { } else if (!is_change_profile_perms(entry->perms)) {
if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms, if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms,
entry->audit, dfaflags)) entry->audit.audit ? entry->perms : 0, dfaflags))
return FALSE; return FALSE;
} }
@ -660,7 +660,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
perms |= LINK_TO_LINK_SUBSET(perms); perms |= LINK_TO_LINK_SUBSET(perms);
vec[1] = "/[^/].*"; vec[1] = "/[^/].*";
} }
if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit & AA_LINK_BITS, 2, vec, dfaflags, false)) if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit.audit ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
return FALSE; return FALSE;
} }
if (is_change_profile_perms(entry->perms)) { if (is_change_profile_perms(entry->perms)) {
@ -671,7 +671,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
int index = 1; int index = 1;
uint32_t onexec_perms = AA_ONEXEC; uint32_t onexec_perms = AA_ONEXEC;
if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) { if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit.audit && warn_change_profile) {
/* don't have profile name here, so until this code /* don't have profile name here, so until this code
* gets refactored just throw out a generic warning * gets refactored just throw out a generic warning
*/ */

40
parser/parser_yacc.y
View file

@ -700,7 +700,7 @@ rules: rules opt_prefix rule
$3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); $3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
/* only set audit ctl quieting if the rule is not audited */ /* only set audit ctl quieting if the rule is not audited */
if (($2.deny && !$2.audit) || (!$2.deny && $2.audit)) if (($2.deny && !$2.audit) || (!$2.deny && $2.audit))
$3->audit = $3->perms & ~ALL_AA_EXEC_TYPE; $3->audit.audit = true;
add_entry_to_policy($1, $3); add_entry_to_policy($1, $3);
$$ = $1; $$ = $1;
@ -731,9 +731,9 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
if ($2.audit && !entry->deny) if ($2.audit && !entry->deny)
entry->audit = entry->perms & ~ALL_AA_EXEC_TYPE; entry->audit.audit = true;
else if (!$2.audit && entry->deny) else if (!$2.audit && entry->deny)
entry->audit = entry->perms & ~ALL_AA_EXEC_TYPE; entry->audit.audit = true;
add_entry_to_policy($1, entry); add_entry_to_policy($1, entry);
} }
$4->entries = NULL; $4->entries = NULL;
@ -800,9 +800,9 @@ rules: rules opt_prefix mnt_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit = $3->perms; $3->audit.audit = true;
} else if ($2.audit) { } else if ($2.audit) {
$3->audit = $3->perms; $3->audit.audit = true;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
@ -817,9 +817,9 @@ rules: rules opt_prefix dbus_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit = $3->perms; $3->audit.audit = true;
} else if ($2.audit) { } else if ($2.audit) {
$3->audit = $3->perms; $3->audit.audit = true;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -833,9 +833,9 @@ rules: rules opt_prefix signal_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit = $3->perms; $3->audit.audit = true;
} else if ($2.audit) { } else if ($2.audit) {
$3->audit = $3->perms; $3->audit.audit = true;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -849,9 +849,9 @@ rules: rules opt_prefix ptrace_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit = $3->perms; $3->audit.audit = true;
} else if ($2.audit) { } else if ($2.audit) {
$3->audit = $3->perms; $3->audit.audit = true;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -865,9 +865,9 @@ rules: rules opt_prefix unix_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit = $3->perms; $3->audit.audit = true;
} else if ($2.audit) { } else if ($2.audit) {
$3->audit = $3->perms; $3->audit.audit = true;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -881,9 +881,9 @@ rules: rules opt_prefix userns_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit = $3->perms; $3->audit.audit = true;
} else if ($2.audit) { } else if ($2.audit) {
$3->audit = $3->perms; $3->audit.audit = true;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -901,9 +901,9 @@ rules: rules opt_prefix change_profile
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit = $3->perms; $3->audit.audit = true;
} else if ($2.audit) { } else if ($2.audit) {
$3->audit = $3->perms; $3->audit.audit = true;
} }
add_entry_to_policy($1, $3); add_entry_to_policy($1, $3);
$$ = $1; $$ = $1;
@ -936,9 +936,9 @@ rules: rules opt_prefix mqueue_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit = $3->perms; $3->audit.audit = true;
} else if ($2.audit) { } else if ($2.audit) {
$3->audit = $3->perms; $3->audit.audit = true;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -1821,7 +1821,7 @@ void add_local_entry(Profile *prof)
sprintf(name, "%s//%s", prof->parent->name, prof->name); sprintf(name, "%s//%s", prof->parent->name, prof->name);
entry = new_entry(name, prof->local_perms, NULL); entry = new_entry(name, prof->local_perms, NULL);
entry->audit = prof->local_audit; entry->audit.audit = prof->local_audit.local_audit;
entry->nt_name = trans; entry->nt_name = trans;
if (!entry) if (!entry)
yyerror(_("Memory allocation error.")); yyerror(_("Memory allocation error."));

5
parser/profile.h
View file

@ -191,7 +191,7 @@ public:
/* int default_deny; */ /* TRUE or FALSE */ /* int default_deny; */ /* TRUE or FALSE */
int local; int local;
perms_t local_perms; perms_t local_perms;
int local_audit; struct { bool local_audit; } local_audit;
Profile *parent; Profile *parent;
@ -222,7 +222,8 @@ public:
xattrs.name = NULL; xattrs.name = NULL;
local_perms = 0; local_perms = 0;
local = local_audit = 0; local = 0;
local_audit.local_audit = false;
parent = NULL; parent = NULL;

6
parser/ptrace.cc
View file

@ -48,7 +48,7 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds)
} }
ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds): ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
peer_label(NULL), audit(0), deny(0) peer_label(NULL), audit( { false } ), deny(0)
{ {
if (perms_p) { if (perms_p) {
if (perms_p & ~AA_VALID_PTRACE_PERMS) if (perms_p & ~AA_VALID_PTRACE_PERMS)
@ -64,7 +64,7 @@ ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
ostream &ptrace_rule::dump(ostream &os) ostream &ptrace_rule::dump(ostream &os)
{ {
if (audit) if (audit.audit)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -137,7 +137,7 @@ int ptrace_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (perms & AA_VALID_PTRACE_PERMS) { if (perms & AA_VALID_PTRACE_PERMS) {
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit, if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit ? perms : 0,
dfaflags)) dfaflags))
goto fail; goto fail;
} }

2
parser/ptrace.h
View file

@ -34,7 +34,7 @@ class ptrace_rule: public rule_t {
public: public:
char *peer_label; char *peer_label;
perms_t perms; perms_t perms;
int audit; struct { bool audit; } audit;
int deny; int deny;
ptrace_rule(perms_t perms, struct cond_entry *conds); ptrace_rule(perms_t perms, struct cond_entry *conds);

6
parser/signal.cc
View file

@ -174,7 +174,7 @@ void signal_rule::move_conditionals(struct cond_entry *conds)
} }
signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds): signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
signals(), peer_label(NULL), audit(0), deny(0) signals(), peer_label(NULL), audit( { false} ), deny(0)
{ {
if (perms_p) { if (perms_p) {
perms = perms_p; perms = perms_p;
@ -191,7 +191,7 @@ signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
ostream &signal_rule::dump(ostream &os) ostream &signal_rule::dump(ostream &os)
{ {
if (audit) if (audit.audit)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -292,7 +292,7 @@ int signal_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) { if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) {
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit, if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit ? perms : 0,
dfaflags)) dfaflags))
goto fail; goto fail;
} }

2
parser/signal.h
View file

@ -40,7 +40,7 @@ public:
Signals signals; Signals signals;
char *peer_label; char *peer_label;
perms_t perms; perms_t perms;
int audit; struct { bool audit; } audit;
int deny; int deny;
signal_rule(perms_t perms, struct cond_entry *conds); signal_rule(perms_t perms, struct cond_entry *conds);

7
parser/userns.cc
View file

@ -41,7 +41,7 @@ void userns_rule::move_conditionals(struct cond_entry *conds)
} }
userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds): userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
audit(0), deny(0) audit({false}), deny(0)
{ {
if (perms_p) { if (perms_p) {
if (perms_p & ~AA_VALID_USERNS_PERMS) if (perms_p & ~AA_VALID_USERNS_PERMS)
@ -59,7 +59,7 @@ userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
ostream &userns_rule::dump(ostream &os) ostream &userns_rule::dump(ostream &os)
{ {
if (audit) if (audit.audit)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -100,7 +100,8 @@ int userns_rule::gen_policy_re(Profile &prof)
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NS; buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NS;
buf = buffer.str(); buf = buffer.str();
if (perms & AA_VALID_USERNS_PERMS) { if (perms & AA_VALID_USERNS_PERMS) {
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit, if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms,
audit.audit ? perms : 0,
dfaflags)) dfaflags))
goto fail; goto fail;
} }

2
parser/userns.h
View file

@ -27,7 +27,7 @@ class userns_rule: public rule_t {
void move_conditionals(struct cond_entry *conds); void move_conditionals(struct cond_entry *conds);
public: public:
perms_t perms; perms_t perms;
int audit; struct { bool audit; } audit;
int deny; int deny;
userns_rule(perms_t perms, struct cond_entry *conds); userns_rule(perms_t perms, struct cond_entry *conds);