diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index 65d8772f9..0529f80a7 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -22,7 +22,6 @@
 #include
 #include
-#include
 #include
 #include "network.h"
@@ -158,26 +157,10 @@ int unix_rule::expand_variables(void)
 return 0;
 }
-/* do we want to warn once/profile or just once per compile?? */
-static void warn_once(const char *name, const char *msg)
-{
- static const char *warned_name = NULL;
- if (warned_name != name) {
- cerr << "Warning from profile " << name << " (";
- if (current_filename)
- cerr << current_filename;
- else
- cerr << "stdin";
- cerr << "): " << msg << "\n";
- warned_name = name;
- }
-}
-
-static void warn_once(const char *name)
+void unix_rule::warn_once(const char *name)
 {
- if (warnflags & WARN_RULE_NOT_ENFORCED)
- warn_once(name, "extended network unix socket rules not enforced");
+ rule_t::warn_once(name, "extended network unix socket rules not enforced");
 }
 static void writeu16(std::ostringstream &o, int v)
@@ -327,7 +310,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 /* only warn if we are building against a kernel
 * that requires downgrading */
 if (warnflags & WARN_RULE_DOWNGRADED)
- warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
+ rule_t::warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
 /* TODO: add ability to abort instead of downgrade */
 return RULE_OK;
 }
diff --git a/parser/af_unix.h b/parser/af_unix.h
index d1d1fc8fa..763ed166b 100644
--- a/parser/af_unix.h
+++ b/parser/af_unix.h
@@ -58,6 +58,9 @@ public:
 virtual int expand_variables(void);
 virtual int gen_policy_re(Profile &prof);
 virtual void post_process(Profile &prof unused) { };
+
+protected:
+ virtual void warn_once(const char *name) override;
 };
 #endif /* __AA_AF_UNIX_H */
diff --git a/parser/dbus.cc b/parser/dbus.cc
index b511578cd..290fa5d9d 100644
--- a/parser/dbus.cc
+++ b/parser/dbus.cc
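Review bot: The downgrade warning in the `@@ -327` hunk of af_unix.cc is now silently suppressed unless WARN_RULE_NOT_ENFORCED is also set, because `rule_t::warn_once` routes through `common_warn_once`, whose only gate is `warnflags & WARN_RULE_NOT_ENFORCED`, whereas the removed two-argument `warn_once` applied no flag check and this call site was controlled solely by the `if (warnflags & WARN_RULE_DOWNGRADED)` that still precedes it. The same flag substitution affects `warn_once_xattr` in parser_regex.c, which was gated on WARN_RULE_DOWNGRADED before this change and on WARN_RULE_NOT_ENFORCED after it. A user who enables only the downgrade warning therefore gets no notice that an extended unix socket rule was replaced by a less specific generic network rule, which is exactly the policy weakening the warning exists to surface. The cleanest fix is to have each caller pass the flag it already tested, e.g. `common_warn_once(name, msg, &warned_name, WARN_RULE_DOWNGRADED)` with the check inside becoming `(warnflags & flag)`, instead of hardcoding one warning class in the shared helper.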
@@ -22,7 +22,6 @@
 #include
 #include
-#include
 #include
 #include "parser.h"
@@ -189,20 +188,9 @@ int dbus_rule::expand_variables(void)
 return 0;
 }
-/* do we want to warn once/profile or just once per compile?? */
-static void warn_once(const char *name)
+void dbus_rule::warn_once(const char *name)
 {
- static const char *warned_name = NULL;
-
- if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
- cerr << "Warning from profile " << name << " (";
- if (current_filename)
- cerr << current_filename;
- else
- cerr << "stdin";
- cerr << ") dbus rules not enforced\n";
- warned_name = name;
- }
+ rule_t::warn_once(name, "dbus rules not enforced");
 }
 int dbus_rule::gen_policy_re(Profile &prof)
diff --git a/parser/dbus.h b/parser/dbus.h
index cb113c2ec..f736cc3e4 100644
--- a/parser/dbus.h
+++ b/parser/dbus.h
@@ -59,7 +59,8 @@ public:
 virtual int gen_policy_re(Profile &prof);
 virtual void post_process(Profile &prof unused) { };
-
+protected:
+ virtual void warn_once(const char *name) override;
 };
 #endif /* __AA_DBUS_H */
diff --git a/parser/mount.cc b/parser/mount.cc
index cf08245c7..cbf63f6b6 100644
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -216,7 +216,6 @@
 #include
 #include
 #include
-#include
 #include "parser.h"
 #include "policydb.h"
@@ -565,20 +564,9 @@ static int build_mnt_opts(std::string& buffer, struct value_list *opts)
 return TRUE;
 }
-/* do we want to warn once/profile or just once per compile?? */
-static void warn_once(const char *name)
+void mnt_rule::warn_once(const char *name)
 {
- static const char *warned_name = NULL;
-
- if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
- cerr << "Warning from profile " << name << " (";
- if (current_filename)
- cerr << current_filename;
- else
- cerr << "stdin";
- cerr << ") mount rules not enforced\n";
- warned_name = name;
- }
+ rule_t::warn_once(name, "mount rules not enforce");
 }
 int mnt_rule::gen_policy_re(Profile &prof)
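Review bot: The replacement message in `mnt_rule::warn_once` reads `"mount rules not enforce"`, dropping the trailing "d" that the removed line `") mount rules not enforced\n"` had; the dbus, ptrace and signal hunks all keep "not enforced", so this is a typo rather than a deliberate rewording. Change the line to `rule_t::warn_once(name, "mount rules not enforced");`. Anything that matches on the old wording (log scraping, test expectations) would otherwise miss the mount case only.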
diff --git a/parser/mount.h b/parser/mount.h
index c179fa26b..9ec546cd7 100644
--- a/parser/mount.h
+++ b/parser/mount.h
@@ -149,6 +149,9 @@ public:
 virtual int expand_variables(void);
 virtual int gen_policy_re(Profile &prof);
 virtual void post_process(Profile &prof unused);
+
+protected:
+ virtual void warn_once(const char *name) override;
 };
 int is_valid_mnt_cond(const char *name, int src);
diff --git a/parser/parser.h b/parser/parser.h
index ef1ca032f..b500d5f15 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -327,6 +327,7 @@ extern char *current_filename;
 extern FILE *ofile;
 extern int read_implies_exec;
 extern void pwarn(const char *fmt, ...) __attribute__((__format__(__printf__, 1, 2)));
+extern void common_warn_once(const char *name, const char *msg, const char **warned_name);
 /* from parser_main (cannot be used in tst builds) */
 extern int force_complain;
diff --git a/parser/parser_common.c b/parser/parser_common.c
index b0a46aea1..e018e59aa 100644
--- a/parser/parser_common.c
+++ b/parser/parser_common.c
@@ -15,6 +15,7 @@
 * along with this program; if not, contact Novell, Inc. or Canonical,
 * Ltd. */
+#include
 #include
 #include
@@ -120,3 +121,17 @@ void pwarn(const char *fmt, ...)
 free(newfmt);
 }
+
+/* do we want to warn once/profile or just once per compile?? */
+void common_warn_once(const char *name, const char *msg, const char **warned_name)
+{
+ if ((warnflags & WARN_RULE_NOT_ENFORCED) && *warned_name != name) {
+ cerr << "Warning from profile " << name << " (";
+ if (current_filename)
+ cerr << current_filename;
+ else
+ cerr << "stdin";
+ cerr << "): " << msg << "\n";
+ *warned_name = name;
+ }
+}
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index db62c995c..b84c7720b 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
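Review bot: `common_warn_once` is a new exported function in parser_common.c with only the inherited question-comment above it, and its contract is not obvious from the signature: suppression is by pointer identity (`*warned_name != name`), so it depends on callers passing the same `name` pointer for the same profile and on that pointer outliving the `*warned_name` slot (presumably the profile name string, which I cannot confirm from this hunk). A header comment in the file's style should state that the message is printed at most once per distinct `name` pointer per `warned_name` slot, that `*warned_name` is caller-owned state updated only when a warning is emitted, that output goes to `cerr` prefixed with `current_filename` or "stdin", and that emission is gated on `warnflags & WARN_RULE_NOT_ENFORCED`. The question "do we want to warn once/profile or just once per compile??" should be answered in place now that the memo is caller-provided, since the answer is decided by what each caller passes.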
@@ -461,16 +461,7 @@ char *get_xattr_value(struct cond_entry *entry)
 static void warn_once_xattr(const char *name)
 {
 static const char *warned_name = NULL;
-
- if ((warnflags & WARN_RULE_DOWNGRADED) && warned_name != name) {
- cerr << "Warning from profile " << name << " (";
- if (current_filename)
- cerr << current_filename;
- else
- cerr << "stdin";
- cerr << ") xattr attachment conditional ignored\n";
- warned_name = name;
- }
+ common_warn_once(name, "xattr attachment conditional ignored", &warned_name);
 }
 static int process_profile_name_xmatch(Profile *prof)
diff --git a/parser/ptrace.cc b/parser/ptrace.cc
index e76d69247..d13a7fade 100644
--- a/parser/ptrace.cc
+++ b/parser/ptrace.cc
@@ -22,7 +22,6 @@
 #include
 #include
-#include
 #include
 int parse_ptrace_mode(const char *str_mode, int *mode, int fail)
@@ -100,20 +99,9 @@ int ptrace_rule::expand_variables(void)
 return expand_entry_variables(&peer_label);
 }
-/* do we want to warn once/profile or just once per compile?? */
-static void warn_once(const char *name)
+void ptrace_rule::warn_once(const char *name)
 {
- static const char *warned_name = NULL;
-
- if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
- cerr << "Warning from profile " << name << " (";
- if (current_filename)
- cerr << current_filename;
- else
- cerr << "stdin";
- cerr << ") ptrace rules not enforced\n";
- warned_name = name;
- }
+ rule_t::warn_once(name, "ptrace rules not enforced");
 }
 int ptrace_rule::gen_policy_re(Profile &prof)
diff --git a/parser/ptrace.h b/parser/ptrace.h
index 315d9214b..8c320c076 100644
--- a/parser/ptrace.h
+++ b/parser/ptrace.h
@@ -47,6 +47,9 @@ public:
 virtual int expand_variables(void);
 virtual int gen_policy_re(Profile &prof);
 virtual void post_process(Profile &prof unused) { };
+
+protected:
+ virtual void warn_once(const char *name) override;
 };
 #endif /* __AA_PTRACE_H */
diff --git a/parser/rule.cc b/parser/rule.cc
index 425c1be8a..d30fef28d 100644
--- a/parser/rule.cc
+++ b/parser/rule.cc
@@ -16,8 +16,16 @@
 * Ltd. */
 #include "rule.h"
+#include "parser.h"
+#include
 std::ostream &operator<<(std::ostream &os, rule_t &rule)
 {
 return rule.dump(os);
 };
+
+/* do we want to warn once/profile or just once per compile?? */
+void rule_t::warn_once(const char *name, const char *msg)
+{
+ common_warn_once(name, msg, &warned_name);
+}
diff --git a/parser/rule.h b/parser/rule.h
index dcf9c7e2d..73e0175af 100644
--- a/parser/rule.h
+++ b/parser/rule.h
@@ -38,6 +38,13 @@ public:
 virtual int expand_variables(void) = 0;
 virtual int gen_policy_re(Profile &prof) = 0;
 virtual void post_process(Profile &prof) = 0;
+
+protected:
+ const char *warned_name = NULL;
+ virtual void warn_once(const char *name, const char *msg);
+ virtual void warn_once(const char *name) = 0;
+
+
 };
 std::ostream &operator<<(std::ostream &os, rule_t &rule);
diff --git a/parser/signal.cc b/parser/signal.cc
index 2b0992a1a..a91ff23b6 100644
--- a/parser/signal.cc
+++ b/parser/signal.cc
@@ -22,7 +22,6 @@
 #include
 #include
-#include
 #include
 #include
@@ -236,20 +235,9 @@ int signal_rule::expand_variables(void)
 return expand_entry_variables(&peer_label);
 }
-/* do we want to warn once/profile or just once per compile?? */
-static void warn_once(const char *name)
+void signal_rule::warn_once(const char *name)
 {
- static const char *warned_name = NULL;
-
- if ((warnflags & WARN_RULE_NOT_ENFORCED) && warned_name != name) {
- cerr << "Warning from profile " << name << " (";
- if (current_filename)
- cerr << current_filename;
- else
- cerr << "stdin";
- cerr << ") signal rules not enforced\n";
- warned_name = name;
- }
+ rule_t::warn_once(name, "signal rules not enforced");
 }
 int signal_rule::gen_policy_re(Profile &prof)
diff --git a/parser/signal.h b/parser/signal.h
index f79a3d02f..b73aeb68a 100644
--- a/parser/signal.h
+++ b/parser/signal.h
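Review bot: `warned_name` in the rule.h hunk is a non-static data member, so every rule object carries its own memo and `rule_t::warn_once` prints once per rule instance rather than once per profile as the removed per-file `static const char *warned_name` did; a profile containing several dbus, ptrace, signal, mount or unix rules will now emit the same "not enforced" warning once per rule, unless rule objects are deduplicated somewhere not visible here. If once-per-profile-per-rule-type is the intent, the memo has to live at class scope in each derived type (for example a `static const char *warned_name` in unix_rule, dbus_rule, mnt_rule, ptrace_rule and signal_rule, passed to `common_warn_once`), and the retained comment "do we want to warn once/profile or just once per compile??" should then state the chosen policy instead of asking. As a style point, the two trailing `+` blank lines before `};` can go, and the derived-class `warn_once(const char *)` declarations hide the base two-argument overload, which is why every caller has to spell `rule_t::warn_once`; a `using rule_t::warn_once;` in each derived class would remove that qualification.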
@@ -53,6 +53,9 @@ public:
 virtual int expand_variables(void);
 virtual int gen_policy_re(Profile &prof);
 virtual void post_process(Profile &prof unused) { };
+
+protected:
+ virtual void warn_once(const char *name) override;
 };
 #endif /* __AA_SIGNAL_H */