From 7a318d99f2d8ef24a5a4079db680ff2d988c7151 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Sat, 28 Aug 2021 02:11:11 -0700 Subject: [PATCH] parser: convert audit from bool to enum Audit control support is going to be extended to support allowing policy to which rules should quiet auditing. Update the frontend internals to prepare for this. Signed-off-by: John Johansen --- parser/af_rule.cc | 2 +- parser/af_rule.h | 4 +- parser/af_unix.cc | 18 ++++---- parser/af_unix.h | 2 +- parser/dbus.cc | 10 ++--- parser/dbus.h | 2 +- parser/mount.cc | 22 +++++----- parser/mount.h | 2 +- parser/mqueue.cc | 12 +++--- parser/mqueue.h | 2 +- parser/parser.h | 5 ++- parser/parser_merge.c | 4 +- parser/parser_misc.c | 4 +- parser/parser_regex.c | 8 ++-- parser/parser_yacc.y | 95 ++++++++++++++++++++++--------------------- parser/profile.h | 4 +- parser/ptrace.cc | 6 +-- parser/ptrace.h | 2 +- parser/signal.cc | 6 +-- parser/signal.h | 2 +- parser/userns.cc | 6 +-- parser/userns.h | 2 +- 22 files changed, 111 insertions(+), 109 deletions(-) diff --git a/parser/af_rule.cc b/parser/af_rule.cc index 3c46543ae..9c0a9d04a 100644 --- a/parser/af_rule.cc +++ b/parser/af_rule.cc @@ -92,7 +92,7 @@ int af_rule::move_base_cond(struct cond_entry *ent, bool peer) ostream &af_rule::dump_prefix(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; diff --git a/parser/af_rule.h b/parser/af_rule.h index 8bd91626a..88b1503fc 100644 --- a/parser/af_rule.h +++ b/parser/af_rule.h @@ -45,12 +45,12 @@ public: char *label; char *peer_label; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; bool deny; af_rule(const char *name): af_name(name), sock_type(NULL), sock_type_n(-1), proto(NULL), proto_n(0), label(NULL), - peer_label(NULL), perms(0), audit(false ), deny(0) + peer_label(NULL), perms(0), audit({AUDIT_UNSPECIFIED}), deny(0) {} virtual ~af_rule() 
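Review bot: The wrapper `struct { audit_t audit_mode; } audit;` introduced in af_rule.h is repeated verbatim, with no shared definition, in dbus.h, mount.h, mqueue.h, ptrace.h, signal.h, userns.h, profile.h (as local_audit) and parser.h's cod_entry. A single named type next to the audit_t typedef in parser.h, e.g. `struct audit_ctl { audit_t audit_mode; };`, would keep the layout in one place, let the mem-initialiser `audit({AUDIT_UNSPECIFIED})` name the type it builds, and mean that anything added to the wrapper later is edited once rather than in nine headers. As it stands `struct prefixes` carries a bare `audit_t audit` while the rule classes carry the wrapper, so the same mode is spelled `$2.audit` in the grammar and `audit.audit_mode` everywhere else.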
diff --git a/parser/af_unix.cc b/parser/af_unix.cc index 2090fd29e..f586a8f67 100644 --- a/parser/af_unix.cc +++ b/parser/af_unix.cc @@ -95,7 +95,7 @@ void unix_rule::move_peer_conditionals(struct cond_entry *conds) } } -unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied): +unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied): af_rule("unix"), addr(NULL), peer_addr(NULL) { if (type_p != 0xffffffff) { @@ -105,7 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied): yyerror("socket rule: invalid socket type '%d'", type_p); } perms = AA_VALID_NET_PERMS; - audit = audit_p; + audit.audit_mode = audit_p; deny = denied; } @@ -195,7 +195,7 @@ void unix_rule::downgrade_rule(Profile &prof) { mask = 1 << sock_type_n; if (!deny) { prof.net.allow[AF_UNIX] |= mask; - if (audit) + if (audit.audit_mode == AUDIT_FORCE) prof.net.audit[AF_UNIX] |= mask; } else { /* deny rules have to be dropped because the downgrade makes @@ -336,7 +336,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_CREATE), - map_perms(audit ? AA_NET_CREATE : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_CREATE : 0), dfaflags)) goto fail; mask &= ~AA_NET_CREATE; @@ -361,7 +361,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = tmp.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_BIND), - map_perms(audit ? AA_NET_BIND : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_BIND : 0), dfaflags)) goto fail; /* clear if auto, else generic need to generate addr below */ @@ -386,7 +386,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(mask & local_mask), - map_perms(audit ? mask & local_mask : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? mask & local_mask : 0), dfaflags)) goto fail; } 
@@ -400,7 +400,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = tmp.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_LISTEN), - map_perms(audit ? AA_NET_LISTEN : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_LISTEN : 0), dfaflags)) goto fail; } @@ -413,7 +413,7 @@ int unix_rule::gen_policy_re(Profile &prof) buf = tmp.str(); if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_OPT), - map_perms(audit ? AA_NET_OPT : 0), + map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_OPT : 0), dfaflags)) goto fail; } @@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof) goto fail; buf = buffer.str(); - if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit ? perms & AA_PEER_NET_PERMS : 0), dfaflags)) + if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit.audit_mode == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags)) goto fail; } diff --git a/parser/af_unix.h b/parser/af_unix.h index e36168072..26615d26c 100644 --- a/parser/af_unix.h +++ b/parser/af_unix.h @@ -37,7 +37,7 @@ public: char *addr; char *peer_addr; - unix_rule(unsigned int type_p, bool audit_p, bool denied); + unix_rule(unsigned int type_p, audit_t audit_p, bool denied); unix_rule(perms_t perms, struct cond_entry *conds, struct cond_entry *peer_conds); virtual ~unix_rule() diff --git a/parser/dbus.cc b/parser/dbus.cc index 8fc8c4a9c..8999acda0 100644 --- a/parser/dbus.cc +++ b/parser/dbus.cc @@ -69,7 +69,7 @@ void dbus_rule::move_conditionals(struct cond_entry *conds) dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds): bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL), - perms(0), audit(false), deny(0) + perms(0), audit({AUDIT_UNSPECIFIED}), deny(0) { int name_is_subject_cond = 0, message_rule = 0, service_rule = 0; 
@@ -122,7 +122,7 @@ dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds, ostream &dbus_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; @@ -279,21 +279,21 @@ int dbus_rule::gen_policy_re(Profile &prof) if (perms & AA_DBUS_BIND) { if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND, - audit ? perms & AA_DBUS_BIND : 0, + audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0, 2, vec, dfaflags, false)) goto fail; } if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) { if (!prof.policy.rules->add_rule_vec(deny, perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE), - audit ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0, + audit.audit_mode == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0, 6, vec, dfaflags, false)) goto fail; } if (perms & AA_DBUS_EAVESDROP) { if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_EAVESDROP, - audit ? perms & AA_DBUS_EAVESDROP : 0, + audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0, 1, vec, dfaflags, false)) goto fail; } diff --git a/parser/dbus.h b/parser/dbus.h index a7d8f89af..37b83f5f9 100644 --- a/parser/dbus.h +++ b/parser/dbus.h @@ -40,7 +40,7 @@ public: char *interface; char *member; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; dbus_rule(perms_t perms_p, struct cond_entry *conds, diff --git a/parser/mount.cc b/parser/mount.cc index 921625296..7a8cad7c9 100644 --- a/parser/mount.cc +++ b/parser/mount.cc @@ -469,7 +469,7 @@ mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p, struct cond_entry *dst_conds unused, char *mnt_point_p, perms_t perms_p): mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL), - flagsv(0), opt_flagsv(0), audit(false), deny(0) + flagsv(0), opt_flagsv(0), audit({AUDIT_UNSPECIFIED}), deny(0) { /* FIXME: dst_conds are ignored atm */ dev_type = extract_fstype(&src_conds); 
@@ -581,7 +581,7 @@ ostream &mnt_rule::dump(ostream &os) os << " -> " << trans; const char *prefix = deny ? "deny" : ""; - os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit ? perms : 0) << ")"; + os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit.audit_mode != AUDIT_UNSPECIFIED ? perms : 0) << ")"; os << ",\n"; return os; @@ -733,7 +733,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count, } else { /* dependent on full expansion of any data match perms */ tmpperms = perms; - tmpaudit = audit ? perms : 0; + tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0; } /* match for up to but not including data * if a data match is required this only has AA_MATCH_CONT perms @@ -751,7 +751,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count, goto fail; vec[4] = optsbuf.c_str(); if (!prof.policy.rules->add_rule_vec(deny, perms, - (audit ? perms : 0), + (audit.audit_mode == AUDIT_FORCE ? perms : 0), 5, vec, dfaflags, false)) goto fail; count++; @@ -792,7 +792,7 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count, opt_flags & MS_BIND_FLAGS)) goto fail; vec[3] = flagsbuf; - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 4, vec, dfaflags, false)) goto fail; @@ -834,7 +834,7 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count, opt_flags & MS_MAKE_FLAGS)) goto fail; vec[3] = flagsbuf; - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 4, vec, dfaflags, false)) goto fail; 
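Review bot: mnt_rule::dump now prints audit perms for any mode other than AUDIT_UNSPECIFIED (`audit.audit_mode != AUDIT_UNSPECIFIED ? perms : 0`), while every gen_policy_* site changed in this file only passes perms as the audit mask when the mode is AUDIT_FORCE. Once the grammar can hand down AUDIT_QUIET, the dump would show a quiet rule as fully audited, the opposite of what gets compiled into the policy. `(audit.audit_mode == AUDIT_FORCE ? perms : 0)` keeps the debug output in step with the generated rules; if the intent is instead to show that any audit control was given, a short comment on the line saying so would stop the next reader from "fixing" it.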
@@ -877,7 +877,7 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count, opt_flags & MS_MOVE_FLAGS)) goto fail; vec[3] = flagsbuf; - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 4, vec, dfaflags, false)) goto fail; @@ -926,7 +926,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count, tmpaudit = 0; } else { tmpperms = perms; - tmpaudit = audit ? perms : 0; + tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0; } /* rule for match without required data || data MATCH_CONT */ if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4, @@ -941,7 +941,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count, goto fail; vec[4] = optsbuf.c_str(); if (!prof.policy.rules->add_rule_vec(deny, perms, - audit ? perms : 0, + audit.audit_mode == AUDIT_FORCE ? perms : 0, 5, vec, dfaflags, false)) goto fail; count++; @@ -1033,7 +1033,7 @@ int mnt_rule::gen_policy_re(Profile &prof) goto fail; vec[0] = mntbuf.c_str(); if (!prof.policy.rules->add_rule_vec(deny, perms, - (audit ? perms : 0), 1, vec, + (audit.audit_mode == AUDIT_FORCE ? perms : 0), 1, vec, dfaflags, false)) goto fail; count++; @@ -1048,7 +1048,7 @@ int mnt_rule::gen_policy_re(Profile &prof) goto fail; vec[1] = devbuf.c_str(); if (!prof.policy.rules->add_rule_vec(deny, perms, - (audit ? perms : 0), 2, vec, + (audit.audit_mode == AUDIT_FORCE ? perms : 0), 2, vec, dfaflags, false)) goto fail; count++; diff --git a/parser/mount.h b/parser/mount.h index 26dee1f17..7d73e2d32 100644 --- a/parser/mount.h +++ b/parser/mount.h @@ -144,7 +144,7 @@ public: std::vector flagsv, opt_flagsv; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; mnt_rule(struct cond_entry *src_conds, char *device_p, diff --git a/parser/mqueue.cc b/parser/mqueue.cc index 6a84ca841..1a54d1b37 100644 --- a/parser/mqueue.cc +++ b/parser/mqueue.cc 
@@ -87,7 +87,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds) } mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p): - qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit(false), deny(0) + qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) { move_conditionals(conds); free_cond_list(conds); @@ -115,7 +115,7 @@ mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_ ostream &mqueue_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; @@ -233,10 +233,10 @@ int mqueue_rule::gen_policy_re(Profile &prof) /* store perms at name match so label doesn't need * to be checked */ - if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, 1, vec, dfaflags, false)) + if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false)) goto fail; /* also provide label match with perm */ - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, size, vec, dfaflags, false)) + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false)) goto fail; } } @@ -268,10 +268,10 @@ int mqueue_rule::gen_policy_re(Profile &prof) } if (perms & AA_VALID_SYSV_MQ_PERMS) { - if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, 1, vec, dfaflags, false)) + if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, 1, vec, dfaflags, false)) goto fail; /* also provide label match with perm */ - if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, size, vec, dfaflags, false)) + if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, size, vec, dfaflags, false)) goto fail; } } diff --git a/parser/mqueue.h b/parser/mqueue.h index 703544e74..b8fd38ca0 100644 
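Review bot: The two add_rule_vec calls in the @@ -268 hunk (the AA_VALID_SYSV_MQ_PERMS branch) test `audit.audit_mode ? perms : 0`, not `audit.audit_mode == AUDIT_FORCE ? perms : 0` as the @@ -233 hunk just above and every other backend in this patch do. AUDIT_QUIET is the third, non-zero enumerator of audit_t, so a rule reaching this branch with audit_mode == AUDIT_QUIET would have its perms passed as the audit mask, i.e. be force-audited rather than quieted. The grammar does not yet produce AUDIT_QUIET, so this is latent today, but enabling that is what the patch prepares for; both lines should read `audit.audit_mode == AUDIT_FORCE ? perms : 0`.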
--- a/parser/mqueue.h +++ b/parser/mqueue.h @@ -88,7 +88,7 @@ public: char *qname; char *label; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL); diff --git a/parser/parser.h b/parser/parser.h index 8fe08c551..6448b4a8a 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -46,6 +46,7 @@ class Profile; class rule_t; typedef uint32_t perms_t; +typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t; #define MODULE_NAME "apparmor" @@ -91,7 +92,7 @@ extern dfaflags_t werrflags; typedef enum pattern_t pattern_t; struct prefixes { - int audit; + audit_t audit; int deny; int owner; }; @@ -130,7 +131,7 @@ struct cod_entry { Profile *prof; /* Special profile defined * just for this executable */ perms_t perms; /* perms is 'or' of AA_* bits */ - bool audit; /* audit flags for perms */ + struct { audit_t audit_mode; } audit; int deny; /* TRUE or FALSE */ int alias_ignore; /* ignore for alias processing */ diff --git a/parser/parser_merge.c b/parser/parser_merge.c index b93103aa1..d9ce9f629 100644 --- a/parser/parser_merge.c +++ b/parser/parser_merge.c @@ -51,8 +51,8 @@ static int file_comp(const void *c1, const void *c2) if ((*e1)->deny != (*e2)->deny) return (*e1)->deny < (*e2)->deny ? -1 : 1; - if ((*e1)->audit != (*e2)->audit) - return (*e1)->audit < (*e2)->audit ? -1 : 1; + if ((*e1)->audit.audit_mode != (*e2)->audit.audit_mode) + return (*e1)->audit.audit_mode < (*e2)->audit.audit_mode ? -1 : 1; return strcmp((*e1)->name, (*e2)->name); } diff --git a/parser/parser_misc.c b/parser/parser_misc.c index 9fe38c8c3..1af6f996f 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c 
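Review bot: The new `audit_t` typedef in parser.h has no comment saying what its three values mean, and the cod_entry change drops the existing `/* audit flags for perms */` trailer while the neighbouring members keep theirs. From the grammar hunk in this patch, opt_audit_flag yields AUDIT_UNSPECIFIED when no prefix is given and AUDIT_FORCE for TOK_AUDIT, and nothing yet yields AUDIT_QUIET; a line above the typedef such as `/* audit prefix on a rule: AUDIT_UNSPECIFIED = no prefix, AUDIT_FORCE = "audit" prefix, AUDIT_QUIET = reserved for a quiet prefix (not yet produced by the grammar) */` would record that, and the cod_entry member should keep a trailing comment so the struct stays uniformly annotated. parser_merge.c's file_comp orders entries with `<` on audit_mode, so the enumerator order is now part of the sort key and worth a word in the same comment.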
@@ -961,7 +961,7 @@ struct cod_entry *new_entry(char *id, perms_t perms, char *link_id) entry->name = id; entry->link_name = link_id; entry->perms = perms; - entry->audit = false; + entry->audit.audit_mode = AUDIT_UNSPECIFIED; entry->deny = FALSE; entry->pattern_type = ePatternInvalid; @@ -985,7 +985,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig) DUP_STRING(orig, entry, link_name, err); DUP_STRING(orig, entry, nt_name, err); entry->perms = orig->perms; - entry->audit = orig->audit; + entry->audit.audit_mode = orig->audit.audit_mode; entry->deny = orig->deny; /* XXX - need to create copies of the patterns, too */ diff --git a/parser/parser_regex.c b/parser/parser_regex.c index dd177ae41..f459b80d5 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -632,12 +632,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) !is_change_profile_perms(entry->perms) && !dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), - entry->audit ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0, + entry->audit.audit_mode == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0, dfaflags)) return FALSE; } else if (!is_change_profile_perms(entry->perms)) { if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms, - entry->audit ? entry->perms : 0, dfaflags)) + entry->audit.audit_mode == AUDIT_FORCE ? entry->perms : 0, dfaflags)) return FALSE; } @@ -660,7 +660,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) perms |= LINK_TO_LINK_SUBSET(perms); vec[1] = "/[^/].*"; } - if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false)) + if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit.audit_mode == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false)) return FALSE; } if (is_change_profile_perms(entry->perms)) { 
@@ -671,7 +671,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) int index = 1; uint32_t onexec_perms = AA_ONEXEC; - if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) { + if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit.audit_mode == AUDIT_FORCE && warn_change_profile) { /* don't have profile name here, so until this code * gets refactored just throw out a generic warning */ diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 4275bac43..8cfa8eb8f 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -214,6 +214,7 @@ void add_local_entry(Profile *prof); int boolean; struct prefixes prefix; IncludeCache_t *includecache; + audit_t audit; } %type TOK_ID @@ -252,7 +253,7 @@ void add_local_entry(Profile *prof); %type id_or_var %type opt_id_or_var %type opt_subset_flag -%type opt_audit_flag +%type opt_audit_flag %type opt_owner_flag %type opt_profile_flag %type opt_flags @@ -650,8 +651,8 @@ opt_subset_flag: { /* nothing */ $$ = 0; } | TOK_SUBSET { $$ = 1; } | TOK_LE { $$ = 1; } -opt_audit_flag: { /* nothing */ $$ = 0; } - | TOK_AUDIT { $$ = 1; }; +opt_audit_flag: { /* nothing */ $$ = AUDIT_UNSPECIFIED; } + | TOK_AUDIT { $$ = AUDIT_FORCE; }; opt_owner_flag: { /* nothing */ $$ = 0; } | TOK_OWNER { $$ = 1; }; @@ -699,8 +700,8 @@ rules: rules opt_prefix rule else if ($2.owner == 2) $3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); /* only set audit ctl quieting if the rule is not audited */ - if (($2.deny && !$2.audit) || (!$2.deny && $2.audit)) - $3->audit = true; + if (($2.deny && $2.audit != AUDIT_FORCE) || (!$2.deny && $2.audit == AUDIT_FORCE)) + $3->audit.audit_mode = AUDIT_FORCE; add_entry_to_policy($1, $3); $$ = $1; 
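Review bot: In the `rules opt_prefix rule` action the deny branch still stores AUDIT_FORCE to mean "quiet this deny rule" (`$2.deny && $2.audit != AUDIT_FORCE` leads to `$3->audit.audit_mode = AUDIT_FORCE`), which the comment above it only hints at and which reads oddly now that audit_t has an AUDIT_QUIET value. The same inverted encoding is repeated in the deny branches of the block, mount, dbus, signal, ptrace, unix, userns, change_profile and mqueue actions in the following hunks. Extending the comment to something like `/* audit_mode on an entry is the audit-control bit, not the prefix: on deny entries AUDIT_FORCE means quiet, on allow entries it means force audit */` would make the convention explicit; whether the follow-up work intends to move the deny case to AUDIT_QUIET is not visible here.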
@@ -713,7 +714,7 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE if ($2.deny) yyerror(_("deny prefix not allowed")); - PDEBUG("matched: %s%s%sblock\n", $2.audit ? "audit " : "", + PDEBUG("matched: %s%s%sblock\n", $2.audit == AUDIT_FORCE ? "audit " : "", $2.deny ? "deny " : "", $2.owner ? "owner " : ""); list_for_each_safe($4->entries, entry, tmp) { entry->next = NULL; @@ -730,10 +731,10 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE else if ($2.owner == 2) entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); - if ($2.audit && !entry->deny) - entry->audit = true; - else if (!$2.audit && entry->deny) - entry->audit = true; + if ($2.audit == AUDIT_FORCE && !entry->deny) + entry->audit.audit_mode = AUDIT_FORCE; + else if ($2.audit != AUDIT_FORCE && entry->deny) + entry->audit.audit_mode = AUDIT_FORCE; add_entry_to_policy($1, entry); } $4->entries = NULL; @@ -768,21 +769,21 @@ rules: rules opt_prefix network_rule /* setting mask instead of a bit */ if ($2.deny) { $1->net.deny[entry->family] |= entry->type; - if (!$2.audit) + if ($2.audit != AUDIT_FORCE) $1->net.quiet[entry->family] |= entry->type; } else { $1->net.allow[entry->family] |= entry->type; - if ($2.audit) + if ($2.audit == AUDIT_FORCE) $1->net.audit[entry->family] |= entry->type; } } else { if ($2.deny) { $1->net.deny[entry->family] |= 1 << entry->type; - if (!$2.audit) + if ($2.audit != AUDIT_FORCE) $1->net.quiet[entry->family] |= 1 << entry->type; } else { $1->net.allow[entry->family] |= 1 << entry->type; - if ($2.audit) + if ($2.audit == AUDIT_FORCE) $1->net.audit[entry->family] |= 1 << entry->type; } } 
@@ -796,13 +797,13 @@ rules: rules opt_prefix mnt_rule { if ($2.owner) yyerror(_("owner prefix not allowed on mount rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); @@ -813,13 +814,13 @@ rules: rules opt_prefix dbus_rule { if ($2.owner) yyerror(_("owner prefix not allowed on dbus rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); $$ = $1; @@ -829,13 +830,13 @@ rules: rules opt_prefix signal_rule { if ($2.owner) yyerror(_("owner prefix not allowed on signal rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); $$ = $1; @@ -845,13 +846,13 @@ rules: rules opt_prefix ptrace_rule { if ($2.owner) yyerror(_("owner prefix not allowed on ptrace rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); $$ = $1; 
@@ -861,13 +862,13 @@ rules: rules opt_prefix unix_rule { if ($2.owner) yyerror(_("owner prefix not allowed on unix rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } $1->rule_ents.push_back($3); $$ = $1; @@ -881,9 +882,9 @@ rules: rules opt_prefix userns_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit == AUDIT_FORCE) { + $3->audit.audit_mode = AUDIT_FORCE; } $1->rule_ents.push_back($3); $$ = $1; @@ -897,13 +898,13 @@ rules: rules opt_prefix change_profile yyerror(_("Assert: `change_profile' returned NULL.")); if ($2.owner) yyerror(_("owner prefix not allowed on unix rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit != AUDIT_UNSPECIFIED) { + $3->audit.audit_mode = $2.audit; } add_entry_to_policy($1, $3); $$ = $1; @@ -914,14 +915,14 @@ rules: rules opt_prefix capability if ($2.owner) yyerror(_("owner prefix not allowed on capability rules")); - if ($2.deny && $2.audit) { + if ($2.deny && $2.audit == AUDIT_FORCE) { $1->caps.deny |= $3; } else if ($2.deny) { $1->caps.deny |= $3; $1->caps.quiet |= $3; } else { $1->caps.allow |= $3; - if ($2.audit) + if ($2.audit != AUDIT_UNSPECIFIED) $1->caps.audit |= $3; } 
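Review bot: The capability action's allow branch sets `$1->caps.audit |= $3` for any `$2.audit != AUDIT_UNSPECIFIED`, so an AUDIT_QUIET prefix would audit the capability, whereas the network action in the @@ -768 hunk guards the same bit with `== AUDIT_FORCE`. The grammar cannot emit AUDIT_QUIET yet, but that is the extension this patch is for; `if ($2.audit == AUDIT_FORCE)` is the safe form here. The rule actions also disagree on how an allow-side prefix is propagated: mount, dbus, signal, ptrace, unix and change_profile copy `$2.audit` through whenever it is not UNSPECIFIED, while userns (@@ -881) and mqueue (@@ -936, next line) only ever store AUDIT_FORCE, which would silently drop a future QUIET for those two rule types.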
@@ -936,9 +937,9 @@ rules: rules opt_prefix mqueue_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = true; - } else if ($2.audit) { - $3->audit = true; + $3->audit.audit_mode = AUDIT_FORCE; + } else if ($2.audit == AUDIT_FORCE) { + $3->audit.audit_mode = AUDIT_FORCE; } $1->rule_ents.push_back($3); $$ = $1; @@ -1821,7 +1822,7 @@ void add_local_entry(Profile *prof) sprintf(name, "%s//%s", prof->parent->name, prof->name); entry = new_entry(name, prof->local_perms, NULL); - entry->audit = prof->local_audit; + entry->audit.audit_mode = prof->local_audit.audit_mode; entry->nt_name = trans; if (!entry) yyerror(_("Memory allocation error.")); diff --git a/parser/profile.h b/parser/profile.h index feb655926..9e8c0f3c9 100644 --- a/parser/profile.h +++ b/parser/profile.h @@ -191,7 +191,7 @@ public: /* int default_deny; */ /* TRUE or FALSE */ int local; perms_t local_perms; - bool local_audit; + struct { audit_t audit_mode; } local_audit; Profile *parent; @@ -223,7 +223,7 @@ public: local_perms = 0; local = 0; - local_audit = false; + local_audit.audit_mode = AUDIT_UNSPECIFIED; parent = NULL; diff --git a/parser/ptrace.cc b/parser/ptrace.cc index bae55423f..2875f1088 100644 --- a/parser/ptrace.cc +++ b/parser/ptrace.cc @@ -48,7 +48,7 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds) } ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds): - peer_label(NULL), audit(false), deny(0) + peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) { if (perms_p) { if (perms_p & ~AA_VALID_PTRACE_PERMS) @@ -64,7 +64,7 @@ ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds): ostream &ptrace_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; 
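Review bot: In add_local_entry the `if (!entry)` check comes after `entry->audit.audit_mode = prof->local_audit.audit_mode;` and `entry->nt_name = trans;` have already dereferenced the pointer returned by new_entry, so the allocation-failure path the check guards cannot be reached without a NULL dereference first. This predates the patch, but the hunk rewrites one of the two offending lines, so it is the moment to move `if (!entry) yyerror(_("Memory allocation error."));` to directly after the `new_entry(name, prof->local_perms, NULL)` call. Whether new_entry can actually return NULL is not visible in this hunk.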
@@ -137,7 +137,7 @@ int ptrace_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (perms & AA_VALID_PTRACE_PERMS) { - if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, dfaflags)) goto fail; } diff --git a/parser/ptrace.h b/parser/ptrace.h index 86383ff2f..217a0bee8 100644 --- a/parser/ptrace.h +++ b/parser/ptrace.h @@ -34,7 +34,7 @@ class ptrace_rule: public rule_t { public: char *peer_label; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; ptrace_rule(perms_t perms, struct cond_entry *conds); diff --git a/parser/signal.cc b/parser/signal.cc index ff913fb71..84a27a758 100644 --- a/parser/signal.cc +++ b/parser/signal.cc @@ -174,7 +174,7 @@ void signal_rule::move_conditionals(struct cond_entry *conds) } signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds): - signals(), peer_label(NULL), audit(false), deny(0) + signals(), peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) { if (perms_p) { perms = perms_p; @@ -191,7 +191,7 @@ signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds): ostream &signal_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; @@ -292,7 +292,7 @@ int signal_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) { - if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit ? perms : 0, + if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, dfaflags)) goto fail; } diff --git a/parser/signal.h b/parser/signal.h index 1e7cf1ab0..26a7dab6d 100644 --- a/parser/signal.h +++ b/parser/signal.h @@ -40,7 +40,7 @@ public: Signals signals; char *peer_label; perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; signal_rule(perms_t perms, struct cond_entry *conds); 
diff --git a/parser/userns.cc b/parser/userns.cc index 5821e6fc3..a6fbd94f4 100644 --- a/parser/userns.cc +++ b/parser/userns.cc @@ -41,7 +41,7 @@ void userns_rule::move_conditionals(struct cond_entry *conds) } userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds): - audit(false), deny(0) + audit({AUDIT_UNSPECIFIED}), deny(0) { if (perms_p) { if (perms_p & ~AA_VALID_USERNS_PERMS) @@ -59,7 +59,7 @@ userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds): ostream &userns_rule::dump(ostream &os) { - if (audit) + if (audit.audit_mode == AUDIT_FORCE) os << "audit "; if (deny) os << "deny "; @@ -101,7 +101,7 @@ int userns_rule::gen_policy_re(Profile &prof) buf = buffer.str(); if (perms & AA_VALID_USERNS_PERMS) { if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, - audit ? perms : 0, + audit.audit_mode == AUDIT_FORCE ? perms : 0, dfaflags)) goto fail; } diff --git a/parser/userns.h b/parser/userns.h index 6308aff2f..11fd082fb 100644 --- a/parser/userns.h +++ b/parser/userns.h @@ -27,7 +27,7 @@ class userns_rule: public rule_t { void move_conditionals(struct cond_entry *conds); public: perms_t perms; - bool audit; + struct { audit_t audit_mode; } audit; int deny; userns_rule(perms_t perms, struct cond_entry *conds);