From 6707489cdc3f73bf4734370c9dee257e8eff883b Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Fri, 12 Jun 2015 15:25:10 -0700
Subject: [PATCH] Update change_profile rules to allow specifying the onexec condition
Note: this patch currently overlays onexec with link_name to take advantage of code already being used on link_name. Ideally what needs to happen is entry needs to be split into file, link and change_profile entry classes.
Signed-off-by: John Johansen
Acked-by: Steve Beattie
---
 parser/parser.h | 5 ++++-
 parser/parser_lex.l | 2 +-
 parser/parser_regex.c | 12 +++++++++---
 parser/parser_yacc.y | 22 ++++++++++++++--------
 4 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/parser/parser.h b/parser/parser.h
index f27e18b91..2fafb91bc 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -100,7 +100,10 @@ struct cond_entry_list {
 struct cod_entry {
 char *ns;
 char *name;
- char *link_name;
+ union {
+ char *link_name;
+ char *onexec;
+ };
 char *nt_name;
 Profile *prof; /* Special profile defined
 * just for this executable */
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index 286d9a291..5af788a68 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -443,7 +443,7 @@ LT_EQUAL <=
 ({IDS}|{QUOTED_ID}) {
 yylval.id = processid(yytext, yyleng);
- POP_AND_RETURN(TOK_ID);
+ RETURN_TOKEN(TOK_ID);
 }
 }
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index dc713c82c..30f009fc9 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -564,7 +564,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 }
 if (entry->mode & AA_CHANGE_PROFILE) {
 const char *vec[3];
- std::string lbuf;
+ std::string lbuf, xbuf;
 int index = 1;
 if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
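Review bot: The anonymous union makes `link_name` and `onexec` the same storage, but nothing at the declaration says which member is live; the only reader added by this series (parser_regex.c) decides by `entry->mode & AA_CHANGE_PROFILE`, and that contract belongs next to the field so anyone reading `link_name` tests `mode` first. Suggested comment above the union: `/* onexec aliases link_name (see commit note): an AA_CHANGE_PROFILE entry stores its exec condition here, any other entry its link target. Check entry->mode before reading either member. */`. Any existing code that reads `link_name` without first testing `mode` — none is visible in this diff — would now see an exec condition for change_profile entries, which is worth a grep before merging. struct cod_entry continues past the hunk.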
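Review bot: Swapping `POP_AND_RETURN(TOK_ID)` for `RETURN_TOKEN(TOK_ID)` changes lexer state handling rather than anything about onexec — if POP_AND_RETURN leaves the current start condition as its name suggests, every grammar rule that reaches this ID rule now keeps lexing in that condition after the identifier, not only change_profile. The commit message does not mention this hunk; it should say why the pop was wrong (presumably so the optional exec condition can be followed by `->` and further ids in the same state) and which other rules sharing this start condition were checked. The enclosing rule block starts outside the hunk.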
@@ -575,8 +575,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 warn_change_profile = 0;
 }
- /* allow change_profile for all execs */
- vec[0] = "/[^\\x00]*";
+ if (entry->onexec) {
+ ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);
+ if (ptype == ePatternInvalid)
+ return FALSE;
+ vec[0] = xbuf.c_str();
+ } else
+ /* allow change_profile for all execs */
+ vec[0] = "/[^\\x00]*";
 if (entry->ns) {
 int pos;
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index df3ce1576..4ae5bf3fd 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
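Review bot: The new onexec branch reuses `ptype` (and `pos`) from the earlier conversion of `entry->name` outside this hunk, so once it runs `ptype` no longer describes the entry name; that is harmless only if nothing later in process_dfa_entry reads `ptype` again, which this hunk cannot show — a dedicated `pattern_t xtype` for the onexec conversion would remove the question. The `int pos;` visible inside `if (entry->ns)` shadows the one `&pos` binds to, so a separate `int xpos` would likewise keep the two conversions from sharing state. Style: the `if` arm is braced while the `else` arm is a comment plus an unbraced statement; brace it (`} else {` … `}`) so a future second statement in the default case cannot fall outside it. Whether `entry->onexec` should receive the same slash normalization applied to `entry->name` earlier in this function is not visible here and worth confirming, since the condition is matched against exec paths. process_dfa_entry begins and ends outside the hunk.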
@@ -1491,36 +1491,42 @@ file_mode: TOK_MODE
 free($1);
 }
-change_profile: TOK_CHANGE_PROFILE TOK_END_OF_RULE
+change_profile: TOK_CHANGE_PROFILE opt_id TOK_END_OF_RULE
 {
 struct cod_entry *entry;
 char *rule = strdup("**");
 if (!rule)
 yyerror(_("Memory allocation error."));
 PDEBUG("Matched change_profile,\n");
- entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, NULL);
+ if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+ yyerror(_("Exec condition must begin with '/'."));
+ entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $2);
 if (!entry)
 yyerror(_("Memory allocation error."));
 PDEBUG("change_profile,\n");
 $$ = entry;
 };
-change_profile: TOK_CHANGE_PROFILE TOK_ARROW TOK_ID TOK_END_OF_RULE
+change_profile: TOK_CHANGE_PROFILE opt_id TOK_ARROW TOK_ID TOK_END_OF_RULE
 {
 struct cod_entry *entry;
- PDEBUG("Matched change_profile: tok_id (%s)\n", $3);
- entry = new_entry(NULL, $3, AA_CHANGE_PROFILE, NULL);
+ PDEBUG("Matched change_profile: tok_id (%s)\n", $4);
+ if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+ yyerror(_("Exec condition must begin with '/'."));
+ entry = new_entry(NULL, $4, AA_CHANGE_PROFILE, $2);
 if (!entry)
 yyerror(_("Memory allocation error."));
 PDEBUG("change_profile.entry: (%s)\n", entry->name);
 $$ = entry;
 };
-change_profile: TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
+change_profile: TOK_CHANGE_PROFILE opt_id TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
 {
 struct cod_entry *entry;
- PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $5, $7);
- entry = new_entry($5, $7, AA_CHANGE_PROFILE, NULL);
+ PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $5, $7);
+ if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+ yyerror(_("Exec condition must begin with '/'."));
+ entry = new_entry($5, $7, AA_CHANGE_PROFILE, $2);
 if (!entry)
 yyerror(_("Memory allocation error."));
 PDEBUG("change_profile.entry: (%s)\n", entry->name);
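Review bot: The exec-condition validation `if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))` is pasted verbatim into all three change_profile actions, and its message "Exec condition must begin with '/'." contradicts the code, which also accepts a `@{` variable reference; one static helper in the prologue keeps the rule and the message in a single place. The check also runs on the raw rule text before variable expansion, so a `@{VAR}` whose value is not an absolute path passes here — presumably expansion-time handling elsewhere covers that, but nothing in this hunk shows it, and the helper's comment should say which. The `$$ = entry;` line of the third action lies beyond the hunk.
```yacc
/* Prologue: reject a change_profile exec condition that is neither an
 * absolute path nor a variable reference. A variable's expanded value
 * is not checked here; whatever validates it after expansion must. */
static void check_exec_condition(const char *cond)
{
	if (cond && !(cond[0] == '/' || strncmp(cond, "@{", 2) == 0))
		yyerror(_("Exec condition must begin with '/' or '@{'."));
}

change_profile: TOK_CHANGE_PROFILE opt_id TOK_END_OF_RULE
	{
		/* … unchanged: entry declaration, rule = strdup("**"), PDEBUG … */
		check_exec_condition($2);
		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $2);
		/* … unchanged: allocation check, PDEBUG, $$ = entry … */
	};
/* … same one-line replacement of the inline check in the other two change_profile actions … */
```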