diff --git a/parser/af_rule.cc b/parser/af_rule.cc index 3c46543ae..9c0a9d04a 100644 --- a/parser/af_rule.cc +++ b/parser/af_rule.cc @@ -92,7 +92,7 @@ int af_rule::move_base_cond(struct cond_entry *ent, bool peer) ostream &af_rule::dump_prefix(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; diff --git a/parser/af_rule.h b/parser/af_rule.h index 8bd91626a..88b1503fc 100644 --- a/parser/af_rule.h +++ b/parser/af_rule.h @@ -45,12 +45,12 @@ public: char *label; char *peer_label; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; bool deny; af_rule(const char *name): af_name(name), sock_type(NULL), sock_type_n(-1), proto(NULL), proto_n(0), label(NULL), - peer_label(NULL), perms(0), audit(false ), deny(0) + peer_label(NULL), perms(0), audit({AUDIT_UNSPECIFIED}), deny(0) {} virtual ~af_rule() diff --git a/parser/af_unix.cc b/parser/af_unix.cc index 2090fd29e..f586a8f67 100644 --- a/parser/af_unix.cc +++ b/parser/af_unix.cc @@ -95,7 +95,7 @@ void unix_rule::move_peer_conditionals(struct cond_entry *conds) } } -unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied): +unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied): af_rule("unix"), addr(NULL), peer_addr(NULL) { if (type_p != 0xffffffff) { @@ -105,7 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied): yyerror("socket rule: invalid socket type '%d'", type_p); } perms = AA_VALID_NET_PERMS; - audit = audit_p; + audit.audit_mode = audit_p; deny = denied; } @@ -195,7 +195,7 @@ void unix_rule::downgrade_rule(Profile &prof) { mask = 1 << sock_type_n; if (!deny) { prof.net.allow[AF_UNIX] |= mask; - if (audit) + if (audit.audit_mode == AUDIT_FORCE) prof.net.audit[AF_UNIX] |= mask; } else { /* deny rules have to be dropped because the downgrade makes 
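Review bot: The replacement member in af_rule.h is an unnamed `struct { audit_t audit_mode; } audit;`, and the same unnamed struct is repeated in dbus.h, mount.h, mqueue.h, ptrace.h, signal.h, userns.h, `cod_entry` in parser.h and `local_audit` in profile.h. Each of those declarations is a distinct type, so the structs cannot be assigned to one another and `add_local_entry` in parser_yacc.y has to copy `audit_mode` field by field. One named type next to the `audit_t` typedef in parser.h, e.g. `typedef struct { audit_t audit_mode; } NAME_TBD;` (name to be chosen), would give a single definition to extend when more fields are added and turn that copy into a plain struct assignment. The af_rule class body continues outside the hunk.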
@@ -336,7 +336,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_CREATE), - map_perms(audit ? AA_NET_CREATE : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_CREATE : 0), dfaflags)) goto fail; mask &= ~AA_NET_CREATE; @@ -361,7 +361,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = tmp.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_BIND), - map_perms(audit ? AA_NET_BIND : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_BIND : 0), dfaflags)) goto fail; /* clear if auto, else generic need to generate addr below */ @@ -386,7 +386,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(mask & local_mask), - map_perms(audit ? mask & local_mask : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? mask & local_mask : 0), dfaflags)) goto fail; } @@ -400,7 +400,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = tmp.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_LISTEN), - map_perms(audit ? AA_NET_LISTEN : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_LISTEN : 0), dfaflags)) goto fail; } @@ -413,7 +413,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = tmp.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_OPT), - map_perms(audit ? AA_NET_OPT : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_OPT : 0), dfaflags)) goto fail; } @@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof) goto fail; buf = buffer.str(); - if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit ? perms & AA_PEER_NET_PERMS : 0), dfaflags)) + if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit.audit_mode == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags)) goto fail; } 
diff --git a/parser/af_unix.h b/parser/af_unix.h index e36168072..26615d26c 100644 --- a/parser/af_unix.h +++ b/parser/af_unix.h @@ -37,7 +37,7 @@ public: char *addr; char *peer_addr; - unix_rule(unsigned int type_p, bool audit_p, bool denied); + unix_rule(unsigned int type_p, audit_t audit_p, bool denied); unix_rule(perms_t perms, struct cond_entry *conds, struct cond_entry *peer_conds); virtual ~unix_rule() diff --git a/parser/dbus.cc b/parser/dbus.cc index 8fc8c4a9c..8999acda0 100644 --- a/parser/dbus.cc +++ b/parser/dbus.cc @@ -69,7 +69,7 @@ void dbus_rule::move_conditionals(struct cond_entry *conds) dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds): bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL), - perms(0), audit(false), deny(0) + perms(0), audit({AUDIT_UNSPECIFIED}), deny(0) { int name_is_subject_cond = 0, message_rule = 0, service_rule = 0; @@ -122,7 +122,7 @@ dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds, ostream &dbus_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; 
@@ -279,21 +279,21 @@ int dbus_rule::gen_policy_re(Profile &prof) if (perms & AA_DBUS_BIND) { if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND, - audit ? perms & AA_DBUS_BIND : 0, + audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0, 2, vec, dfaflags, false)) goto fail; } if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) { if (!prof.policy.rules->add_rule_vec(deny, perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE), - audit ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0, + audit.audit_mode == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0, 6, vec, dfaflags, false)) goto fail; } if (perms & AA_DBUS_EAVESDROP) { if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_EAVESDROP, - audit ? perms & AA_DBUS_EAVESDROP : 0, + audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0, 1, vec, dfaflags, false)) goto fail; } diff --git a/parser/dbus.h b/parser/dbus.h index a7d8f89af..37b83f5f9 100644 --- a/parser/dbus.h +++ b/parser/dbus.h @@ -40,7 +40,7 @@ public: char *interface; char *member; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; dbus_rule(perms_t perms_p, struct cond_entry *conds, diff --git a/parser/mount.cc b/parser/mount.cc index 921625296..7a8cad7c9 100644 --- a/parser/mount.cc +++ b/parser/mount.cc @@ -469,7 +469,7 @@ mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p, struct cond_entry *dst_conds unused, char *mnt_point_p, perms_t perms_p): mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL), - flagsv(0), opt_flagsv(0), audit(false), deny(0) + flagsv(0), opt_flagsv(0), audit({AUDIT_UNSPECIFIED}), deny(0) { /* FIXME: dst_conds are ignored atm */ dev_type = extract_fstype(&src_conds); 
@@ -581,7 +581,7 @@ ostream &mnt_rule::dump(ostream &os) os << " -> " << trans; const char *prefix = deny ? "deny" : ""; - os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit ? perms : 0) << ")"; + os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit.audit_mode != AUDIT_UNSPECIFIED ? perms : 0) << ")"; os << ",\n"; return os; @@ -733,7 +733,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count, } else { /* dependent on full expansion of any data match perms */ tmpperms = perms; - tmpaudit = audit ? perms : 0; + tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0; } /* match for up to but not including data * if a data match is required this only has AA_MATCH_CONT perms @@ -751,7 +751,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count, goto fail; vec[4] = optsbuf.c_str(); if (!prof.policy.rules->add_rule_vec(deny, perms, - (audit ? perms : 0), + (audit.audit_mode == AUDIT_FORCE ? perms : 0), 5, vec, dfaflags, false)) goto fail; count++; @@ -792,7 +792,7 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count, opt_flags & MS_BIND_FLAGS)) goto fail; vec[3] = flagsbuf; - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 4, vec, dfaflags, false)) goto fail; @@ -834,7 +834,7 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count, opt_flags & MS_MAKE_FLAGS)) goto fail; vec[3] = flagsbuf; - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 4, vec, dfaflags, false)) goto fail; 
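Review bot: `mnt_rule::dump` tests `audit.audit_mode != AUDIT_UNSPECIFIED`, while every `gen_policy_*` hunk in this file tests `== AUDIT_FORCE`, so a rule carrying `AUDIT_QUIET` would print a non-zero audit mask that the generated policy does not contain. Using the same comparison keeps the debug output faithful to the policy: `os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit.audit_mode == AUDIT_FORCE ? perms : 0) << ")";`. dump's body starts outside the hunk.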
@@ -877,7 +877,7 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count, opt_flags & MS_MOVE_FLAGS)) goto fail; vec[3] = flagsbuf; - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 4, vec, dfaflags, false)) goto fail; @@ -926,7 +926,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count, tmpaudit = 0; } else { tmpperms = perms; - tmpaudit = audit ? perms : 0; + tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0; } /* rule for match without required data || data MATCH_CONT */ if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4, @@ -941,7 +941,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count, goto fail; vec[4] = optsbuf.c_str(); if (!prof.policy.rules->add_rule_vec(deny, perms, - audit ? perms : 0, + audit.audit_mode == AUDIT_FORCE ? perms : 0, 5, vec, dfaflags, false)) goto fail; count++; @@ -1033,7 +1033,7 @@ int mnt_rule::gen_policy_re(Profile &prof) goto fail; vec[0] = mntbuf.c_str(); if (!prof.policy.rules->add_rule_vec(deny, perms, - (audit ? perms : 0), 1, vec, + (audit.audit_mode == AUDIT_FORCE ? perms : 0), 1, vec, dfaflags, false)) goto fail; count++; @@ -1048,7 +1048,7 @@ int mnt_rule::gen_policy_re(Profile &prof) goto fail; vec[1] = devbuf.c_str(); if (!prof.policy.rules->add_rule_vec(deny, perms, - (audit ? perms : 0), 2, vec, + (audit.audit_mode == AUDIT_FORCE ? perms : 0), 2, vec, dfaflags, false)) goto fail; count++; diff --git a/parser/mount.h b/parser/mount.h index 26dee1f17..7d73e2d32 100644 --- a/parser/mount.h +++ b/parser/mount.h @@ -144,7 +144,7 @@ public: std::vector flagsv, opt_flagsv; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; mnt_rule(struct cond_entry *src_conds, char *device_p, diff --git a/parser/mqueue.cc b/parser/mqueue.cc index 6a84ca841..1a54d1b37 100644 --- a/parser/mqueue.cc +++ b/parser/mqueue.cc 
@@ -87,7 +87,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds) } mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p): - qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit(false), deny(0) + qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) { move_conditionals(conds); free_cond_list(conds); @@ -115,7 +115,7 @@ mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_ ostream &mqueue_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; @@ -233,10 +233,10 @@ int mqueue_rule::gen_policy_re(Profile &prof) /* store perms at name match so label doesn't need * to be checked */ - if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, 1, vec, dfaflags, false)) + if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false)) goto fail; /* also provide label match with perm */ - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, size, vec, dfaflags, false)) + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false)) goto fail; } } @@ -268,10 +268,10 @@ int mqueue_rule::gen_policy_re(Profile &prof) } if (perms & AA_VALID_SYSV_MQ_PERMS) { - if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, 1, vec, dfaflags, false)) + if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, 1, vec, dfaflags, false)) goto fail; /* also provide label match with perm */ - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, size, vec, dfaflags, false)) + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, size, vec, dfaflags, false)) goto fail; } } diff --git a/parser/mqueue.h b/parser/mqueue.h index 703544e74..b8fd38ca0 100644 
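Review bot: In the `AA_VALID_SYSV_MQ_PERMS` branch of `mqueue_rule::gen_policy_re` the two new `add_rule_vec` calls test `audit.audit_mode ? perms : 0`, i.e. any non-zero value, whereas the POSIX branch a few lines above and the rest of this commit test `== AUDIT_FORCE`. Because `AUDIT_QUIET` is non-zero in the new enum, a SysV mqueue rule with that mode would have its perms placed in the audit mask, the opposite of what the value suggests. Both lines should read `audit.audit_mode == AUDIT_FORCE ? perms : 0`. gen_policy_re starts outside the hunk.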
--- a/parser/mqueue.h +++ b/parser/mqueue.h @@ -88,7 +88,7 @@ public: char *qname; char *label; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL); diff --git a/parser/parser.h b/parser/parser.h index 8fe08c551..6448b4a8a 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -46,6 +46,7 @@ class Profile; class rule_t; typedef uint32_t perms_t; +typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t; #define MODULE_NAME "apparmor" @@ -91,7 +92,7 @@ extern dfaflags_t werrflags; typedef enum pattern_t pattern_t; struct prefixes { - int audit; + audit_t audit; int deny; int owner; }; @@ -130,7 +131,7 @@ struct cod_entry { Profile *prof; /* Special profile defined * just for this executable */ perms_t perms; /* perms is 'or' of AA_* bits */ - bool audit; /* audit flags for perms */ + struct { audit_t audit_mode; } audit; int deny; /* TRUE or FALSE */ int alias_ignore; /* ignore for alias processing */ diff --git a/parser/parser_merge.c b/parser/parser_merge.c index b93103aa1..d9ce9f629 100644 --- a/parser/parser_merge.c +++ b/parser/parser_merge.c @@ -51,8 +51,8 @@ static int file_comp(const void *c1, const void *c2) if ((*e1)->deny != (*e2)->deny) return (*e1)->deny < (*e2)->deny ? -1 : 1; - if ((*e1)->audit != (*e2)->audit) - return (*e1)->audit < (*e2)->audit ? -1 : 1; + if ((*e1)->audit.audit_mode != (*e2)->audit.audit_mode) + return (*e1)->audit.audit_mode < (*e2)->audit.audit_mode ? -1 : 1; return strcmp((*e1)->name, (*e2)->name); } diff --git a/parser/parser_misc.c b/parser/parser_misc.c index 9fe38c8c3..1af6f996f 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c 
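Review bot: The new `audit_t` enum in parser.h is introduced without a comment, and the `cod_entry` change drops the old `/* audit flags for perms */` comment without a replacement, so nothing states what the three values mean or that `AUDIT_QUIET` is not produced by `opt_audit_flag` in parser_yacc.y. A comment above the typedef such as `/* audit prefix of a rule: AUDIT_UNSPECIFIED = no prefix, AUDIT_FORCE = 'audit' given, AUDIT_QUIET = reserved, not yet produced by the grammar */` would record that. On the `cod_entry` field, `/* audit mode for perms; for deny entries AUDIT_FORCE is stored to mean the denial is quieted */` would match how the `rules: rules opt_prefix rule` action in parser_yacc.y fills it.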
@@ -961,7 +961,7 @@ struct cod_entry *new_entry(char *id, perms_t perms, char *link_id) entry->name = id; entry->link_name = link_id; entry->perms = perms; - entry->audit = false; + entry->audit.audit_mode = AUDIT_UNSPECIFIED; entry->deny = FALSE; entry->pattern_type = ePatternInvalid; @@ -985,7 +985,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig) DUP_STRING(orig, entry, link_name, err); DUP_STRING(orig, entry, nt_name, err); entry->perms = orig->perms; - entry->audit = orig->audit; + entry->audit.audit_mode = orig->audit.audit_mode; entry->deny = orig->deny; /* XXX - need to create copies of the patterns, too */ diff --git a/parser/parser_regex.c b/parser/parser_regex.c index dd177ae41..f459b80d5 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -632,12 +632,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) !is_change_profile_perms(entry->perms) && !dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), - entry->audit ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0, + entry->audit.audit_mode == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0, dfaflags)) return FALSE; } else if (!is_change_profile_perms(entry->perms)) { if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms, - entry->audit ? entry->perms : 0, dfaflags)) + entry->audit.audit_mode == AUDIT_FORCE ? entry->perms : 0, dfaflags)) return FALSE; } @@ -660,7 +660,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) perms |= LINK_TO_LINK_SUBSET(perms); vec[1] = "/[^/].*"; } - if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false)) + if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit.audit_mode == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false)) return FALSE; } if (is_change_profile_perms(entry->perms)) { 
@@ -671,7 +671,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) int index = 1; uint32_t onexec_perms = AA_ONEXEC; - if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) { + if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit.audit_mode == AUDIT_FORCE && warn_change_profile) { /* don't have profile name here, so until this code * gets refactored just throw out a generic warning */ diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 4275bac43..8cfa8eb8f 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -214,6 +214,7 @@ void add_local_entry(Profile *prof); int boolean; struct prefixes prefix; IncludeCache_t *includecache; + audit_t audit; } %type TOK_ID @@ -252,7 +253,7 @@ void add_local_entry(Profile *prof); %type id_or_var %type opt_id_or_var %type opt_subset_flag -%type opt_audit_flag +%type opt_audit_flag %type opt_owner_flag %type opt_profile_flag %type opt_flags @@ -650,8 +651,8 @@ opt_subset_flag: { /* nothing */ $$ = 0; } | TOK_SUBSET { $$ = 1; } | TOK_LE { $$ = 1; } -opt_audit_flag: { /* nothing */ $$ = 0; } - | TOK_AUDIT { $$ = 1; }; +opt_audit_flag: { /* nothing */ $$ = AUDIT_UNSPECIFIED; } + | TOK_AUDIT { $$ = AUDIT_FORCE; }; opt_owner_flag: { /* nothing */ $$ = 0; } | TOK_OWNER { $$ = 1; }; @@ -699,8 +700,8 @@ rules: rules opt_prefix rule else if ($2.owner == 2) $3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); /* only set audit ctl quieting if the rule is not audited */ - if (($2.deny && !$2.audit) || (!$2.deny && $2.audit)) - $3->audit = true; + if (($2.deny && $2.audit != AUDIT_FORCE) || (!$2.deny && $2.audit == AUDIT_FORCE)) + $3->audit.audit_mode = AUDIT_FORCE; add_entry_to_policy($1, $3); $$ = $1; 
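Review bot: For a deny rule without an audit prefix this action stores `AUDIT_FORCE` in `$3->audit.audit_mode` to mean "quiet the denial", as the surrounding comment says; now that the enum also has `AUDIT_QUIET`, the stored value reads as the opposite of its meaning. The same overloading is kept in the `rules opt_prefix TOK_OPEN rules TOK_CLOSE` action on the next hunk (`else if ($2.audit != AUDIT_FORCE && entry->deny)`) and in the per-rule-type actions that follow. If the encoding has to stay for this commit, a comment at the assignment, `/* for deny entries audit_mode == AUDIT_FORCE means the denial is quieted, not audited */`, stops the next reader from "fixing" it; storing `AUDIT_QUIET` here and testing for it in the deny paths would be the cleaner end state, but that touches the consumers in parser_regex.c as well. The `rules` production continues outside the hunk.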
@@ -713,7 +714,7 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE if ($2.deny) yyerror(_("deny prefix not allowed")); - PDEBUG("matched: %s%s%sblock\n", $2.audit ? "audit " : "", + PDEBUG("matched: %s%s%sblock\n", $2.audit == AUDIT_FORCE ? "audit " : "", $2.deny ? "deny " : "", $2.owner ? "owner " : ""); list_for_each_safe($4->entries, entry, tmp) { entry->next = NULL; @@ -730,10 +731,10 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE else if ($2.owner == 2) entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); - if ($2.audit && !entry->deny) - entry->audit = true; - else if (!$2.audit && entry->deny) - entry->audit = true; + if ($2.audit == AUDIT_FORCE && !entry->deny) + entry->audit.audit_mode = AUDIT_FORCE; + else if ($2.audit != AUDIT_FORCE && entry->deny) + entry->audit.audit_mode = AUDIT_FORCE; add_entry_to_policy($1, entry); } $4->entries = NULL; @@ -768,21 +769,21 @@ rules: rules opt_prefix network_rule /* setting mask instead of a bit */ if ($2.deny) { $1->net.deny[entry->family] |= entry->type; - if (!$2.audit) + if ($2.audit != AUDIT_FORCE) $1->net.quiet[entry->family] |= entry->type; } else { $1->net.allow[entry->family] |= entry->type; - if ($2.audit) + if ($2.audit == AUDIT_FORCE) $1->net.audit[entry->family] |= entry->type; } } else { if ($2.deny) { $1->net.deny[entry->family] |= 1 << entry->type; - if (!$2.audit) + if ($2.audit != AUDIT_FORCE) $1->net.quiet[entry->family] |= 1 << entry->type; } else { $1->net.allow[entry->family] |= 1 << entry->type; - if ($2.audit) + if ($2.audit == AUDIT_FORCE) $1->net.audit[entry->family] |= 1 << entry->type; } } 
@@ -796,13 +797,13 @@ rules: rules opt_prefix mnt_rule { if ($2.owner) yyerror(_("owner prefix not allowed on mount rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); @@ -813,13 +814,13 @@ rules: rules opt_prefix dbus_rule { if ($2.owner) yyerror(_("owner prefix not allowed on dbus rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); $$ = $1; @@ -829,13 +830,13 @@ rules: rules opt_prefix signal_rule { if ($2.owner) yyerror(_("owner prefix not allowed on signal rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); $$ = $1; @@ -845,13 +846,13 @@ rules: rules opt_prefix ptrace_rule { if ($2.owner) yyerror(_("owner prefix not allowed on ptrace rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); $$ = $1; 
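Review bot: The mount, dbus, signal and ptrace actions here, and the unix and change_profile actions on the next hunk, take the new branch `else if ($2.audit != AUDIT_UNSPECIFIED) { $3->audit.audit_mode = $2.audit; }`, passing any value through, whereas the userns and mqueue actions that follow keep `== AUDIT_FORCE` and assign `AUDIT_FORCE`. Since every rule class in this commit only tests `audit_mode == AUDIT_FORCE`, an `AUDIT_QUIET` passed through here would be stored and silently ignored at policy generation, while the same prefix on a userns or mqueue rule would be dropped at parse time. Pick one form for all rule types; while `opt_audit_flag` yields only UNSPECIFIED and FORCE, the userns/mqueue form `else if ($2.audit == AUDIT_FORCE) { $3->audit.audit_mode = AUDIT_FORCE; }` is the one whose behaviour the rule classes actually implement. The `rules` production continues outside the hunk.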
@@ -861,13 +862,13 @@ rules: rules opt_prefix unix_rule { if ($2.owner) yyerror(_("owner prefix not allowed on unix rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); $$ = $1; @@ -881,9 +882,9 @@ rules: rules opt_prefix userns_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit == AUDIT_FORCE) { + $3->audit.audit_mode = AUDIT_FORCE; } $1->rule_ents.push_back($3); $$ = $1; @@ -897,13 +898,13 @@ rules: rules opt_prefix change_profile yyerror(_("Assert: `change_profile' returned NULL.")); if ($2.owner) yyerror(_("owner prefix not allowed on unix rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } add_entry_to_policy($1, $3); $$ = $1; @@ -914,14 +915,14 @@ rules: rules opt_prefix capability if ($2.owner) yyerror(_("owner prefix not allowed on capability rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $1->caps.deny |= $3; } else if ($2.deny) { $1->caps.deny |= $3; $1->caps.quiet |= $3; } else { $1->caps.allow |= $3; - if ($2.audit) + if ($2.audit != AUDIT_UNSPECIFIED) $1->caps.audit |= $3; } 
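Review bot: In the capability action the allow path sets `$1->caps.audit |= $3` when `$2.audit != AUDIT_UNSPECIFIED`, so an `AUDIT_QUIET` prefix would switch auditing on, while the network_rule action two hunks earlier uses `== AUDIT_FORCE` for the same decision. Behaviour is identical today because `opt_audit_flag` yields only UNSPECIFIED or FORCE, but `if ($2.audit == AUDIT_FORCE)` keeps the enum's third value from inverting the meaning later. Separately, the change_profile action in this hunk still reports `owner prefix not allowed on unix rules`; that is a pre-existing context line, but the message names the wrong rule type.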
@@ -936,9 +937,9 @@ rules: rules opt_prefix mqueue_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit == AUDIT_FORCE) { + $3->audit.audit_mode = AUDIT_FORCE; } $1->rule_ents.push_back($3); $$ = $1; @@ -1821,7 +1822,7 @@ void add_local_entry(Profile *prof) sprintf(name, "%s//%s", prof->parent->name, prof->name); entry = new_entry(name, prof->local_perms, NULL); - entry->audit = prof->local_audit; + entry->audit.audit_mode = prof->local_audit.audit_mode; entry->nt_name = trans; if (!entry) yyerror(_("Memory allocation error.")); diff --git a/parser/profile.h b/parser/profile.h index feb655926..9e8c0f3c9 100644 --- a/parser/profile.h +++ b/parser/profile.h @@ -191,7 +191,7 @@ public: /* int default_deny; */ /* TRUE or FALSE */ int local; perms_t local_perms; - bool local_audit; + struct { audit_t audit_mode; } local_audit; Profile *parent; @@ -223,7 +223,7 @@ public: local_perms = 0; local = 0; - local_audit = false; + local_audit.audit_mode = AUDIT_UNSPECIFIED; parent = NULL; diff --git a/parser/ptrace.cc b/parser/ptrace.cc index bae55423f..2875f1088 100644 --- a/parser/ptrace.cc +++ b/parser/ptrace.cc @@ -48,7 +48,7 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds) } ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds): - peer_label(NULL), audit(false), deny(0) + peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) { if (perms_p) { if (perms_p & ~AA_VALID_PTRACE_PERMS) @@ -64,7 +64,7 @@ ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds): ostream &ptrace_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; 
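Review bot: In `add_local_entry` the changed line `entry->audit.audit_mode = prof->local_audit.audit_mode;` and the `entry->nt_name = trans;` after it dereference `entry` before the `if (!entry) yyerror(_("Memory allocation error."));` that follows, so if `new_entry` can return NULL the check runs too late. The ordering predates this commit, but since the hunk rewrites the dereferencing line it is the place to fix it: move `if (!entry) yyerror(_("Memory allocation error."));` directly after `entry = new_entry(name, prof->local_perms, NULL);` and assign `audit_mode` and `nt_name` afterwards. add_local_entry's body continues outside the hunk.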
@@ -137,7 +137,7 @@ int ptrace_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (perms & AA_VALID_PTRACE_PERMS) { - if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, dfaflags)) goto fail; } diff --git a/parser/ptrace.h b/parser/ptrace.h index 86383ff2f..217a0bee8 100644 --- a/parser/ptrace.h +++ b/parser/ptrace.h @@ -34,7 +34,7 @@ class ptrace_rule: public rule_t { public: char *peer_label; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; ptrace_rule(perms_t perms, struct cond_entry *conds); diff --git a/parser/signal.cc b/parser/signal.cc index ff913fb71..84a27a758 100644 --- a/parser/signal.cc +++ b/parser/signal.cc @@ -174,7 +174,7 @@ void signal_rule::move_conditionals(struct cond_entry *conds) } signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds): - signals(), peer_label(NULL), audit(false), deny(0) + signals(), peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) { if (perms_p) { perms = perms_p; @@ -191,7 +191,7 @@ signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds): ostream &signal_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; @@ -292,7 +292,7 @@ int signal_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) { - if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, dfaflags)) goto fail; } diff --git a/parser/signal.h b/parser/signal.h index 1e7cf1ab0..26a7dab6d 100644 --- a/parser/signal.h +++ b/parser/signal.h @@ -40,7 +40,7 @@ public: Signals signals; char *peer_label; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; signal_rule(perms_t perms, struct cond_entry *conds); 
diff --git a/parser/userns.cc b/parser/userns.cc
index 5821e6fc3..a6fbd94f4 100644
--- a/parser/userns.cc
+++ b/parser/userns.cc
@@ -41,7 +41,7 @@ void userns_rule::move_conditionals(struct cond_entry *conds)
 }
 
 userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
- audit(false), deny(0)
+ audit({AUDIT_UNSPECIFIED}), deny(0)
 {
 if (perms_p) {
 if (perms_p & ~AA_VALID_USERNS_PERMS)
@@ -59,7 +59,7 @@ userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
 
 ostream &userns_rule::dump(ostream &os)
 {
- if (audit)
+ if (audit.audit_mode == AUDIT_FORCE)
 os << "audit ";
 if (deny)
 os << "deny ";
@@ -101,7 +101,7 @@ int userns_rule::gen_policy_re(Profile &prof)
 buf = buffer.str();
 if (perms & AA_VALID_USERNS_PERMS) {
 if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms,
- audit ? perms : 0,
+ audit.audit_mode == AUDIT_FORCE ? perms : 0,
 dfaflags))
 goto fail;
 }
diff --git a/parser/userns.h b/parser/userns.h
index 6308aff2f..11fd082fb 100644
--- a/parser/userns.h
+++ b/parser/userns.h
@@ -27,7 +27,7 @@ class userns_rule: public rule_t {
 void move_conditionals(struct cond_entry *conds);
 public:
 perms_t perms;
- bool audit;
+ struct { audit_t audit_mode; } audit;
 int deny;
 
 userns_rule(perms_t perms, struct cond_entry *conds);