Update change_profile rules to allow specifying the onexec condition

Note: this patch currently overlays onexec with link_name to take advantage of code already being used on link_name. Ideally what needs to happen is entry needs to be split into file, link and change_profile entry classes. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2025-03-04 08:24:42 +01:00 · 2015-06-12 15:25:10 -07:00 · 2015-06-12 15:25:10 -07:00 · 6707489cdc
commit 6707489cdc
parent 95cbbe32e0
4 changed files with 28 additions and 13 deletions
--- a/parser/parser.h
+++ b/parser/parser.h
@ -100,7 +100,10 @@ struct cond_entry_list {
 struct cod_entry {
 	char *ns;
 	char *name;
-	char *link_name;
+	union {
 		char *link_name;
 		char *onexec;
 	};
 	char *nt_name;
 	Profile *prof;		 	/* Special profile defined
 					 * just for this executable */
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@ -443,7 +443,7 @@ LT_EQUAL	<=
 	({IDS}|{QUOTED_ID}) {
 		yylval.id = processid(yytext, yyleng);
-		POP_AND_RETURN(TOK_ID);
+		RETURN_TOKEN(TOK_ID);
 	}
 }
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -564,7 +564,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	}
 	if (entry->mode & AA_CHANGE_PROFILE) {
 		const char *vec[3];
-		std::string lbuf;
+		std::string lbuf, xbuf;
 		int index = 1;
 		if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
@ -575,8 +575,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 			warn_change_profile = 0;
 		}
-		/* allow change_profile for all execs */
+		if (entry->onexec) {
-		vec[0] = "/[^\\x00]*";
+			ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);
 			if (ptype == ePatternInvalid)
 				return FALSE;
 			vec[0] = xbuf.c_str();
 		} else
 			/* allow change_profile for all execs */
 			vec[0] = "/[^\\x00]*";
 		if (entry->ns) {
 			int pos;
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@ -1491,36 +1491,42 @@ file_mode: TOK_MODE
 		free($1);
 	}
-change_profile: TOK_CHANGE_PROFILE TOK_END_OF_RULE
+change_profile: TOK_CHANGE_PROFILE opt_id TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
 		char *rule = strdup("**");
 		if (!rule)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("Matched change_profile,\n");
-		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, NULL);
+		if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
 			yyerror(_("Exec condition must begin with '/'."));
 		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $2);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("change_profile,\n");
 		$$ = entry;
 	};
-change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_ID TOK_END_OF_RULE
+change_profile:	TOK_CHANGE_PROFILE opt_id TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
-		PDEBUG("Matched change_profile: tok_id (%s)\n", $3);
+		PDEBUG("Matched change_profile: tok_id (%s)\n", $4);
-		entry = new_entry(NULL, $3, AA_CHANGE_PROFILE, NULL);
+		if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
 			yyerror(_("Exec condition must begin with '/'."));
 		entry = new_entry(NULL, $4, AA_CHANGE_PROFILE, $2);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("change_profile.entry: (%s)\n", entry->name);
 		$$ = entry;
 	};
-change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
+change_profile:	TOK_CHANGE_PROFILE opt_id TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
-		PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $4, $6);
+		PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $5, $7);
-		entry = new_entry($4, $6, AA_CHANGE_PROFILE, NULL);
+		if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
 			yyerror(_("Exec condition must begin with '/'."));
 		entry = new_entry($5, $7, AA_CHANGE_PROFILE, $2);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("change_profile.entry: (%s)\n", entry->name);