From 6d2b2ef2b987dd5041a6d17db92f0d3f8f306b88 Mon Sep 17 00:00:00 2001 From: Tyler Hicks Date: Fri, 27 Sep 2013 17:25:39 -0700 Subject: [PATCH] parser: Generate accept states for denied dbus and mount rules When using the deny rule modifier, accept states were not being generated for dbus and mount rules. This means that the actions were being denied, but it was not possible to quiet the auditing of the actions. The problem is that the deny and audit members of the dbus_entry and mnt_entry structs were being used incorrectly. The deny member is a boolean, not a bitmask. When the deny modifier is exclusively used in a rule, the deny boolean should be true and the audit mask should be equal to the perm mask. Here's the old parser output for denied dbus and mount rules: $ dbus="/t { deny dbus, }" $ mount="/t { deny mount, }" $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d' {1} <== (allow/deny/audit/quiet) $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d' {1} <== (allow/deny/audit/quiet) With this patch, the accept states are generated correctly with deny and quiet masks: $ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d' {1} <== (allow/deny/audit/quiet) {3} (0x 0/40/0/40) {7} (0x 0/46/0/46) $ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d' {1} <== (allow/deny/audit/quiet) {5} (0x 0/2/0/2) https://launchpad.net/bugs/1226356 Signed-off-by: Tyler Hicks Acked-by: John Johansen --- parser/parser_yacc.y | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index dca8fe205..9aaeaa268 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y 
@@ -658,10 +658,12 @@ rules: rules opt_prefix mnt_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allow on mount rules"));
-		if ($2.deny)
-			$3->deny = $3->allow;
-		if ($2.audit)
+		if ($2.deny) {
+			$3->deny = 1;
 			$3->audit = $3->allow;
+		} else if ($2.audit) {
+			$3->audit = $3->allow;
+		}
 		$3->next = $1->mnt_ents;
 		$1->mnt_ents = $3;
 		$$ = $1;
@@ -671,10 +673,12 @@ rules: rules opt_prefix dbus_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allow on dbus rules"));
-		if ($2.deny)
-			$3->deny = $3->mode;
-		if ($2.audit)
+		if ($2.deny) {
+			$3->deny = 1;
 			$3->audit = $3->mode;
+		} else if ($2.audit) {
+			$3->audit = $3->mode;
+		}
 		$3->next = $1->dbus_ents;
 		$1->dbus_ents = $3;
 		$$ = $1;
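Review bot: The new deny branch assigns `$3->audit = $3->allow` whenever `$2.deny` is set, so a rule carrying both modifiers (`audit deny mount,`) is processed exactly like a bare `deny mount,`; the commit message says the audit mask should equal the perm mask only when deny is used exclusively, and if the later stage reads that field as the quiet mask for deny entries (the `{3} (0x 0/40/0/40)` output suggests it does), the `audit` modifier is silently discarded for denied rules and those denials become unauditable. A separate first branch keeps the two cases apart: `if ($2.deny && $2.audit) {` / `$3->deny = 1;` / `} else if ($2.deny) {`, followed by the existing deny body and the `else if ($2.audit)` branch unchanged. The same applies to the dbus_rule hunk at @@ -671, with `$3->mode` in place of `$3->allow`. The closing brace of each grammar action lies outside its hunk.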