parser: convert audit from bool to enum

Audit control support is going to be extended to support allowing
policy to which rules should quiet auditing. Update the frontend
internals to prepare for this.

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/af_rule.cc

@@ -92,7 +92,7 @@ int af_rule::move_base_cond(struct cond_entry *ent, bool peer)
 
 ostream &af_rule::dump_prefix(ostream &os)
 {
-	if (audit)
+	if (audit.audit_mode == AUDIT_FORCE)
 		os << "audit ";
 	if (deny)
 		os << "deny ";

parser/af_rule.h

@@ -45,12 +45,12 @@ public:
 	char *label;
 	char *peer_label;
 	perms_t perms;
-	bool audit;
+	struct { audit_t audit_mode; } audit;
 	bool deny;
 
 	af_rule(const char *name): af_name(name), sock_type(NULL),
 		sock_type_n(-1), proto(NULL), proto_n(0), label(NULL),
-		peer_label(NULL), perms(0), audit(false ), deny(0)
+		peer_label(NULL), perms(0), audit({AUDIT_UNSPECIFIED}), deny(0)
 	{}
 
 	virtual ~af_rule()

parser/af_unix.cc

@@ -95,7 +95,7 @@ void unix_rule::move_peer_conditionals(struct cond_entry *conds)
 	}
 }
 
-unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
+unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied):
 	af_rule("unix"), addr(NULL), peer_addr(NULL)
 {
 	if (type_p != 0xffffffff) {
@@ -105,7 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
 			yyerror("socket rule: invalid socket type '%d'", type_p);
 	}
 	perms = AA_VALID_NET_PERMS;
-	audit = audit_p;
+	audit.audit_mode = audit_p;
 	deny = denied;
 }
 
@@ -195,7 +195,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
 		mask = 1 << sock_type_n;
 	if (!deny) {
 		prof.net.allow[AF_UNIX] |= mask;
-		if (audit)
+		if (audit.audit_mode == AUDIT_FORCE)
 			prof.net.audit[AF_UNIX] |= mask;
 	} else {
 		/* deny rules have to be dropped because the downgrade makes
@@ -336,7 +336,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 		buf = buffer.str();
 		if (!prof.policy.rules->add_rule(buf.c_str(), deny,
 						 map_perms(AA_NET_CREATE),
-						 map_perms(audit ? AA_NET_CREATE : 0),
+						 map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_CREATE : 0),
 						 dfaflags))
 			goto fail;
 		mask &= ~AA_NET_CREATE;
@@ -361,7 +361,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 		buf = tmp.str();
 		if (!prof.policy.rules->add_rule(buf.c_str(), deny,
 						 map_perms(AA_NET_BIND),
-						 map_perms(audit ? AA_NET_BIND : 0),
+						 map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_BIND : 0),
 						 dfaflags))
 			goto fail;
 		/* clear if auto, else generic need to generate addr below */
@@ -386,7 +386,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 			buf = buffer.str();
 			if (!prof.policy.rules->add_rule(buf.c_str(), deny,
 							 map_perms(mask & local_mask),
-							 map_perms(audit ? mask & local_mask : 0),
+							 map_perms(audit.audit_mode == AUDIT_FORCE ? mask & local_mask : 0),
 							 dfaflags))
 				goto fail;
 		}
@@ -400,7 +400,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 			buf = tmp.str();
 			if (!prof.policy.rules->add_rule(buf.c_str(), deny,
 							 map_perms(AA_NET_LISTEN),
-							 map_perms(audit ? AA_NET_LISTEN : 0),
+							 map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_LISTEN : 0),
 							 dfaflags))
 				goto fail;
 		}
@@ -413,7 +413,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 			buf = tmp.str();
 			if (!prof.policy.rules->add_rule(buf.c_str(), deny,
 							 map_perms(AA_NET_OPT),
-							 map_perms(audit ? AA_NET_OPT : 0),
+							 map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_OPT : 0),
 							 dfaflags))
 				goto fail;
 		}
@@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 			goto fail;
 
 		buf = buffer.str();
-		if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
+		if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit.audit_mode == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
 			goto fail;
 	}
 

parser/af_unix.h

@@ -37,7 +37,7 @@ public:
 	char *addr;
 	char *peer_addr;
 
-	unix_rule(unsigned int type_p, bool audit_p, bool denied);
+	unix_rule(unsigned int type_p, audit_t audit_p, bool denied);
 	unix_rule(perms_t perms, struct cond_entry *conds,
 		  struct cond_entry *peer_conds);
 	virtual ~unix_rule()

parser/dbus.cc

@@ -69,7 +69,7 @@ void dbus_rule::move_conditionals(struct cond_entry *conds)
 dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
 		     struct cond_entry *peer_conds):
 	bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL),
-	perms(0), audit(false), deny(0)
+	perms(0), audit({AUDIT_UNSPECIFIED}), deny(0)
 {
 	int name_is_subject_cond = 0, message_rule = 0, service_rule = 0;
 
@@ -122,7 +122,7 @@ dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
 
 ostream &dbus_rule::dump(ostream &os)
 {
-	if (audit)
+	if (audit.audit_mode == AUDIT_FORCE)
 		os << "audit ";
 	if (deny)
 		os << "deny ";
@@ -279,21 +279,21 @@ int dbus_rule::gen_policy_re(Profile &prof)
 
 	if (perms & AA_DBUS_BIND) {
 		if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND,
-						     audit ? perms & AA_DBUS_BIND : 0,
+						     audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0,
 						    2, vec, dfaflags, false))
 			goto fail;
 	}
 	if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
 		if (!prof.policy.rules->add_rule_vec(deny,
 				       perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
-						     audit ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0,
+						     audit.audit_mode == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0,
 				       6, vec, dfaflags, false))
 			goto fail;
 	}
 	if (perms & AA_DBUS_EAVESDROP) {
 		if (!prof.policy.rules->add_rule_vec(deny,
 						    perms & AA_DBUS_EAVESDROP,
-						     audit ? perms & AA_DBUS_EAVESDROP : 0,
+						     audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0,
 						    1, vec, dfaflags, false))
 			goto fail;
 	}

parser/dbus.h

@@ -40,7 +40,7 @@ public:
 	char *interface;
 	char *member;
 	perms_t perms;
-	bool audit;
+	struct { audit_t audit_mode; } audit;
 	int deny;
 
 	dbus_rule(perms_t perms_p, struct cond_entry *conds,

parser/mount.cc

@@ -469,7 +469,7 @@ mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
 		   struct cond_entry *dst_conds unused, char *mnt_point_p,
 		   perms_t perms_p):
 	mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL),
-	flagsv(0), opt_flagsv(0), audit(false), deny(0)
+	flagsv(0), opt_flagsv(0), audit({AUDIT_UNSPECIFIED}), deny(0)
 {
 	/* FIXME: dst_conds are ignored atm */
 	dev_type = extract_fstype(&src_conds);
@@ -581,7 +581,7 @@ ostream &mnt_rule::dump(ostream &os)
 		os << " -> " << trans;
 
 	const char *prefix = deny ? "deny" : "";
-	os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit ? perms : 0) << ")";
+	os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit.audit_mode != AUDIT_UNSPECIFIED ? perms : 0) << ")";
 	os << ",\n";
 
 	return os;
@@ -733,7 +733,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
 	} else {
 		/* dependent on full expansion of any data match perms */
 		tmpperms = perms;
-		tmpaudit = audit ? perms : 0;
+		tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0;
 	}
 	/* match for up to but not including data
 	 * if a data match is required this only has AA_MATCH_CONT perms
@@ -751,7 +751,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
 			goto fail;
 		vec[4] = optsbuf.c_str();
 		if (!prof.policy.rules->add_rule_vec(deny, perms,
-						     (audit ? perms : 0),
+						     (audit.audit_mode == AUDIT_FORCE ? perms : 0),
 						     5, vec, dfaflags, false))
 			goto fail;
 		count++;
@@ -792,7 +792,7 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count,
 			     opt_flags & MS_BIND_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
-	if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0,
+	if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
 					     4, vec,
 					     dfaflags, false))
 		goto fail;
@@ -834,7 +834,7 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
 			     opt_flags & MS_MAKE_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
-	if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0,
+	if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
 					     4, vec,
 					     dfaflags, false))
 		goto fail;
@@ -877,7 +877,7 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count,
 			     opt_flags & MS_MOVE_FLAGS))
 		goto fail;
 	vec[3] = flagsbuf;
-	if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0,
+	if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
 					     4, vec,
 					     dfaflags, false))
 		goto fail;
@@ -926,7 +926,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
 		tmpaudit = 0;
 	} else {
 		tmpperms = perms;
-		tmpaudit = audit ? perms : 0;
+		tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0;
 	}
 	/* rule for match without required data || data MATCH_CONT */
 	if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
@@ -941,7 +941,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
 			goto fail;
 		vec[4] = optsbuf.c_str();
 		if (!prof.policy.rules->add_rule_vec(deny, perms,
-						     audit ? perms : 0,
+						     audit.audit_mode == AUDIT_FORCE ? perms : 0,
 						     5, vec, dfaflags, false))
 			goto fail;
 		count++;
@@ -1033,7 +1033,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		vec[0] = mntbuf.c_str();
 		if (!prof.policy.rules->add_rule_vec(deny, perms,
-					(audit ? perms : 0), 1, vec,
+					(audit.audit_mode == AUDIT_FORCE ? perms : 0), 1, vec,
 					dfaflags, false))
 			goto fail;
 		count++;
@@ -1048,7 +1048,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 			goto fail;
 		vec[1] = devbuf.c_str();
 		if (!prof.policy.rules->add_rule_vec(deny, perms,
-					(audit ? perms : 0), 2, vec,
+					(audit.audit_mode == AUDIT_FORCE ? perms : 0), 2, vec,
 					dfaflags, false))
 			goto fail;
 		count++;

parser/mount.h

@@ -144,7 +144,7 @@ public:
 	std::vector<unsigned int> flagsv, opt_flagsv;
 
 	perms_t perms;
-	bool audit;
+	struct { audit_t audit_mode; } audit;
 	int deny;
 
 	mnt_rule(struct cond_entry *src_conds, char *device_p,

parser/mqueue.cc

@@ -87,7 +87,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds)
 }
 
 mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p):
-	qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit(false), deny(0)
+	qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0)
 {
 	move_conditionals(conds);
 	free_cond_list(conds);
@@ -115,7 +115,7 @@ mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_
 
 ostream &mqueue_rule::dump(ostream &os)
 {
-	if (audit)
+	if (audit.audit_mode == AUDIT_FORCE)
 		os << "audit ";
 	if (deny)
 		os << "deny ";
@@ -233,10 +233,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 			/* store perms at name match so label doesn't need
 			 * to be checked
 			 */
-			if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, 1, vec, dfaflags, false))
+			if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, size, vec, dfaflags, false))
+			if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
 				goto fail;
 		}
 	}
@@ -268,10 +268,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 		}
 
 		if (perms & AA_VALID_SYSV_MQ_PERMS) {
-			if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, 1, vec, dfaflags, false))
+			if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, 1, vec, dfaflags, false))
 				goto fail;
 			/* also provide label match with perm */
-			if (!prof.policy.rules->add_rule_vec(deny, perms, audit ? perms : 0, size, vec, dfaflags, false))
+			if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, size, vec, dfaflags, false))
 				goto fail;
 		}
 	}

parser/mqueue.h

@@ -88,7 +88,7 @@ public:
 	char *qname;
 	char *label;
 	perms_t perms;
-	bool audit;
+	struct { audit_t audit_mode; } audit;
 	int deny;
 
 	mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL);

parser/parser.h

@@ -46,6 +46,7 @@ class Profile;
 class rule_t;
 
 typedef uint32_t perms_t;
+typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
 
 #define MODULE_NAME "apparmor"
 
@@ -91,7 +92,7 @@ extern dfaflags_t werrflags;
 typedef enum pattern_t pattern_t;
 
 struct prefixes {
-	int audit;
+	audit_t audit;
 	int deny;
 	int owner;
 };
@@ -130,7 +131,7 @@ struct cod_entry {
 	Profile *prof;		 	/* Special profile defined
 					 * just for this executable */
 	perms_t perms;			/* perms is 'or' of AA_* bits */
-	bool audit;			/* audit flags for perms */
+	struct { audit_t audit_mode; } audit;
 	int deny;			/* TRUE or FALSE */
 
 	int alias_ignore;		/* ignore for alias processing */

parser/parser_merge.c

@@ -51,8 +51,8 @@ static int file_comp(const void *c1, const void *c2)
 	if ((*e1)->deny != (*e2)->deny)
 		return (*e1)->deny < (*e2)->deny ? -1 : 1;
 
-	if ((*e1)->audit != (*e2)->audit)
-		return (*e1)->audit < (*e2)->audit ? -1 : 1;
+	if ((*e1)->audit.audit_mode != (*e2)->audit.audit_mode)
+		return (*e1)->audit.audit_mode < (*e2)->audit.audit_mode ? -1 : 1;
 
 	return strcmp((*e1)->name, (*e2)->name);
 }

parser/parser_misc.c

@@ -961,7 +961,7 @@ struct cod_entry *new_entry(char *id, perms_t perms, char *link_id)
 	entry->name = id;
 	entry->link_name = link_id;
 	entry->perms = perms;
-	entry->audit = false;
+	entry->audit.audit_mode = AUDIT_UNSPECIFIED;
 	entry->deny = FALSE;
 
 	entry->pattern_type = ePatternInvalid;
@@ -985,7 +985,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
 	DUP_STRING(orig, entry, link_name, err);
 	DUP_STRING(orig, entry, nt_name, err);
 	entry->perms = orig->perms;
-	entry->audit = orig->audit;
+	entry->audit.audit_mode = orig->audit.audit_mode;
 	entry->deny = orig->deny;
 
 	/* XXX - need to create copies of the patterns, too */

parser/parser_regex.c

@@ -632,12 +632,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		    !is_change_profile_perms(entry->perms) &&
 		    !dfarules->add_rule(tbuf.c_str(), entry->deny,
 					entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
-					entry->audit ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
+					entry->audit.audit_mode == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
 					dfaflags))
 			return FALSE;
 	} else if (!is_change_profile_perms(entry->perms)) {
 		if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms,
-					entry->audit ? entry->perms : 0, dfaflags))
+					entry->audit.audit_mode == AUDIT_FORCE ? entry->perms : 0, dfaflags))
 			return FALSE;
 	}
 
@@ -660,7 +660,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 			perms |= LINK_TO_LINK_SUBSET(perms);
 			vec[1] = "/[^/].*";
 		}
-		if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
+		if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit.audit_mode == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
 			return FALSE;
 	}
 	if (is_change_profile_perms(entry->perms)) {
@@ -671,7 +671,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 		int index = 1;
 		uint32_t onexec_perms = AA_ONEXEC;
 
-		if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
+		if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit.audit_mode == AUDIT_FORCE && warn_change_profile) {
 			/* don't have profile name here, so until this code
 			 * gets refactored just throw out a generic warning
 			 */

parser/parser_yacc.y

@@ -214,6 +214,7 @@ void add_local_entry(Profile *prof);
 	int boolean;
 	struct prefixes prefix;
 	IncludeCache_t *includecache;
+	audit_t audit;
 }
 
 %type <id> 	TOK_ID
@@ -252,7 +253,7 @@ void add_local_entry(Profile *prof);
 %type <id>	id_or_var
 %type <id>	opt_id_or_var
 %type <boolean> opt_subset_flag
-%type <boolean> opt_audit_flag
+%type <audit>	opt_audit_flag
 %type <boolean> opt_owner_flag
 %type <boolean> opt_profile_flag
 %type <boolean> opt_flags
@@ -650,8 +651,8 @@ opt_subset_flag: { /* nothing */ $$ = 0; }
 	| TOK_SUBSET { $$ = 1; }
 	| TOK_LE { $$ = 1; }
 
-opt_audit_flag: { /* nothing */ $$ = 0; }
-	| TOK_AUDIT { $$ = 1; };
+opt_audit_flag: { /* nothing */ $$ = AUDIT_UNSPECIFIED; }
+	| TOK_AUDIT { $$ = AUDIT_FORCE; };
 
 opt_owner_flag: { /* nothing */ $$ = 0; }
 	| TOK_OWNER { $$ = 1; };
@@ -699,8 +700,8 @@ rules:  rules opt_prefix rule
 		else if ($2.owner == 2)
 			$3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 		/* only set audit ctl quieting if the rule is not audited */
-		if (($2.deny && !$2.audit) || (!$2.deny && $2.audit))
-			$3->audit = true;
+		if (($2.deny && $2.audit != AUDIT_FORCE) || (!$2.deny && $2.audit == AUDIT_FORCE))
+			$3->audit.audit_mode = AUDIT_FORCE;
 
 		add_entry_to_policy($1, $3);
 		$$ = $1;
@@ -713,7 +714,7 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
 		if ($2.deny)
 			yyerror(_("deny prefix not allowed"));
 
-		PDEBUG("matched: %s%s%sblock\n", $2.audit ? "audit " : "",
+		PDEBUG("matched: %s%s%sblock\n", $2.audit == AUDIT_FORCE ? "audit " : "",
 		       $2.deny ? "deny " : "", $2.owner ? "owner " : "");
 		list_for_each_safe($4->entries, entry, tmp) {
 			entry->next = NULL;
@@ -730,10 +731,10 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
 			else if ($2.owner == 2)
 				entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 
-			if ($2.audit && !entry->deny)
-				entry->audit = true;
-			else if (!$2.audit && entry->deny)
-				entry->audit = true;
+			if ($2.audit == AUDIT_FORCE && !entry->deny)
+				entry->audit.audit_mode = AUDIT_FORCE;
+			else if ($2.audit != AUDIT_FORCE && entry->deny)
+				entry->audit.audit_mode = AUDIT_FORCE;
 			add_entry_to_policy($1, entry);
 		}
 		$4->entries = NULL;
@@ -768,21 +769,21 @@ rules: rules opt_prefix network_rule
 				/* setting mask instead of a bit */
 				if ($2.deny) {
 					$1->net.deny[entry->family] |= entry->type;
-					if (!$2.audit)
+					if ($2.audit != AUDIT_FORCE)
 						$1->net.quiet[entry->family] |= entry->type;
 				} else {
 					$1->net.allow[entry->family] |= entry->type;
-					if ($2.audit)
+					if ($2.audit == AUDIT_FORCE)
 						$1->net.audit[entry->family] |= entry->type;
 				}
 			} else {
 				if ($2.deny) {
 					$1->net.deny[entry->family] |= 1 << entry->type;
-					if (!$2.audit)
+					if ($2.audit != AUDIT_FORCE)
 						$1->net.quiet[entry->family] |= 1 << entry->type;
 				} else {
 					$1->net.allow[entry->family] |= 1 << entry->type;
-					if ($2.audit)
+					if ($2.audit == AUDIT_FORCE)
 						$1->net.audit[entry->family] |= 1 << entry->type;
 				}
 			}
@@ -796,13 +797,13 @@ rules:  rules opt_prefix mnt_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allowed on mount rules"));
-		if ($2.deny && $2.audit) {
+		if ($2.deny && $2.audit == AUDIT_FORCE) {
 			$3->deny = 1;
 		} else if ($2.deny) {
 			$3->deny = 1;
-			$3->audit = true;
-		} else if ($2.audit) {
-			$3->audit = true;
+			$3->audit.audit_mode = AUDIT_FORCE;
+		} else if ($2.audit != AUDIT_UNSPECIFIED) {
+			$3->audit.audit_mode = $2.audit;
 		}
 
 		$1->rule_ents.push_back($3);
@@ -813,13 +814,13 @@ rules:  rules opt_prefix dbus_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allowed on dbus rules"));
-		if ($2.deny && $2.audit) {
+		if ($2.deny && $2.audit == AUDIT_FORCE) {
 			$3->deny = 1;
 		} else if ($2.deny) {
 			$3->deny = 1;
-			$3->audit = true;
-		} else if ($2.audit) {
-			$3->audit = true;
+			$3->audit.audit_mode = AUDIT_FORCE;
+		} else if ($2.audit != AUDIT_UNSPECIFIED) {
+			$3->audit.audit_mode = $2.audit;
 		}
 		$1->rule_ents.push_back($3);
 		$$ = $1;
@@ -829,13 +830,13 @@ rules:  rules opt_prefix signal_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allowed on signal rules"));
-		if ($2.deny && $2.audit) {
+		if ($2.deny && $2.audit == AUDIT_FORCE) {
 			$3->deny = 1;
 		} else if ($2.deny) {
 			$3->deny = 1;
-			$3->audit = true;
-		} else if ($2.audit) {
-			$3->audit = true;
+			$3->audit.audit_mode = AUDIT_FORCE;
+		} else if ($2.audit != AUDIT_UNSPECIFIED) {
+			$3->audit.audit_mode = $2.audit;
 		}
 		$1->rule_ents.push_back($3);
 		$$ = $1;
@@ -845,13 +846,13 @@ rules:  rules opt_prefix ptrace_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allowed on ptrace rules"));
-		if ($2.deny && $2.audit) {
+		if ($2.deny && $2.audit == AUDIT_FORCE) {
 			$3->deny = 1;
 		} else if ($2.deny) {
 			$3->deny = 1;
-			$3->audit = true;
-		} else if ($2.audit) {
-			$3->audit = true;
+			$3->audit.audit_mode = AUDIT_FORCE;
+		} else if ($2.audit != AUDIT_UNSPECIFIED) {
+			$3->audit.audit_mode = $2.audit;
 		}
 		$1->rule_ents.push_back($3);
 		$$ = $1;
@@ -861,13 +862,13 @@ rules:  rules opt_prefix unix_rule
 	{
 		if ($2.owner)
 			yyerror(_("owner prefix not allowed on unix rules"));
-		if ($2.deny && $2.audit) {
+		if ($2.deny && $2.audit == AUDIT_FORCE) {
 			$3->deny = 1;
 		} else if ($2.deny) {
 			$3->deny = 1;
-			$3->audit = true;
-		} else if ($2.audit) {
-			$3->audit = true;
+			$3->audit.audit_mode = AUDIT_FORCE;
+		} else if ($2.audit != AUDIT_UNSPECIFIED) {
+			$3->audit.audit_mode = $2.audit;
 		}
 		$1->rule_ents.push_back($3);
 		$$ = $1;
@@ -881,9 +882,9 @@ rules:  rules opt_prefix userns_rule
 			$3->deny = 1;
 		} else if ($2.deny) {
 			$3->deny = 1;
-			$3->audit = true;
-		} else if ($2.audit) {
-			$3->audit = true;
+			$3->audit.audit_mode = AUDIT_FORCE;
+		} else if ($2.audit == AUDIT_FORCE) {
+			$3->audit.audit_mode = AUDIT_FORCE;
 		}
 		$1->rule_ents.push_back($3);
 		$$ = $1;
@@ -897,13 +898,13 @@ rules:	rules opt_prefix change_profile
 			yyerror(_("Assert: `change_profile' returned NULL."));
 		if ($2.owner)
 			yyerror(_("owner prefix not allowed on unix rules"));
-		if ($2.deny && $2.audit) {
+		if ($2.deny && $2.audit == AUDIT_FORCE) {
 			$3->deny = 1;
 		} else if ($2.deny) {
 			$3->deny = 1;
-			$3->audit = true;
-		} else if ($2.audit) {
-			$3->audit = true;
+			$3->audit.audit_mode = AUDIT_FORCE;
+		} else if ($2.audit != AUDIT_UNSPECIFIED) {
+			$3->audit.audit_mode = $2.audit;
 		}
 		add_entry_to_policy($1, $3);
 		$$ = $1;
@@ -914,14 +915,14 @@ rules:  rules opt_prefix capability
 		if ($2.owner)
 			yyerror(_("owner prefix not allowed on capability rules"));
 
-		if ($2.deny && $2.audit) {
+		if ($2.deny && $2.audit == AUDIT_FORCE) {
 			$1->caps.deny |= $3;
 		} else if ($2.deny) {
 			$1->caps.deny |= $3;
 			$1->caps.quiet |= $3;
 		} else {
 			$1->caps.allow |= $3;
-			if ($2.audit)
+			if ($2.audit != AUDIT_UNSPECIFIED)
 				$1->caps.audit |= $3;
 		}
 
@@ -936,9 +937,9 @@ rules:  rules opt_prefix mqueue_rule
 			$3->deny = 1;
 		} else if ($2.deny) {
 			$3->deny = 1;
-			$3->audit = true;
-		} else if ($2.audit) {
-			$3->audit = true;
+			$3->audit.audit_mode = AUDIT_FORCE;
+		} else if ($2.audit == AUDIT_FORCE) {
+			$3->audit.audit_mode = AUDIT_FORCE;
 		}
 		$1->rule_ents.push_back($3);
 		$$ = $1;
@@ -1821,7 +1822,7 @@ void add_local_entry(Profile *prof)
 		sprintf(name, "%s//%s", prof->parent->name, prof->name);
 
 		entry = new_entry(name, prof->local_perms, NULL);
-		entry->audit = prof->local_audit;
+		entry->audit.audit_mode = prof->local_audit.audit_mode;
 		entry->nt_name = trans;
 		if (!entry)
 			yyerror(_("Memory allocation error."));

parser/profile.h

@@ -191,7 +191,7 @@ public:
 	/* int default_deny; */			/* TRUE or FALSE */
 	int local;
 	perms_t local_perms;
-	bool local_audit;
+	struct { audit_t audit_mode; } local_audit;
 
 	Profile *parent;
 
@@ -223,7 +223,7 @@ public:
 
 		local_perms = 0;
 		local = 0;
-		local_audit = false;
+		local_audit.audit_mode = AUDIT_UNSPECIFIED;
 
 		parent = NULL;
 

parser/ptrace.cc

@@ -48,7 +48,7 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds)
 }
 
 ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
-	peer_label(NULL), audit(false), deny(0)
+	peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0)
 {
 	if (perms_p) {
 		if (perms_p & ~AA_VALID_PTRACE_PERMS)
@@ -64,7 +64,7 @@ ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
 
 ostream &ptrace_rule::dump(ostream &os)
 {
-	if (audit)
+	if (audit.audit_mode == AUDIT_FORCE)
 		os << "audit ";
 	if (deny)
 		os << "deny ";
@@ -137,7 +137,7 @@ int ptrace_rule::gen_policy_re(Profile &prof)
 
 	buf = buffer.str();
 	if (perms & AA_VALID_PTRACE_PERMS) {
-		if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit ? perms : 0,
+		if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
 						 dfaflags))
 			goto fail;
 	}

parser/ptrace.h

@@ -34,7 +34,7 @@ class ptrace_rule: public rule_t {
 public:
 	char *peer_label;
 	perms_t perms;
-	bool audit;
+	struct { audit_t audit_mode; } audit;
 	int deny;
 
 	ptrace_rule(perms_t perms, struct cond_entry *conds);

parser/signal.cc

@@ -174,7 +174,7 @@ void signal_rule::move_conditionals(struct cond_entry *conds)
 }
 
 signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
-	signals(), peer_label(NULL), audit(false), deny(0)
+	signals(), peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0)
 {
 	if (perms_p) {
 		perms = perms_p;
@@ -191,7 +191,7 @@ signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
 
 ostream &signal_rule::dump(ostream &os)
 {
-	if (audit)
+	if (audit.audit_mode == AUDIT_FORCE)
 		os << "audit ";
 	if (deny)
 		os << "deny ";
@@ -292,7 +292,7 @@ int signal_rule::gen_policy_re(Profile &prof)
 
 	buf = buffer.str();
 	if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) {
-		if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit ? perms : 0,
+		if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
 						 dfaflags))
 			goto fail;
 	}

parser/signal.h

@@ -40,7 +40,7 @@ public:
 	Signals signals;
 	char *peer_label;
 	perms_t perms;
-	bool audit;
+	struct { audit_t audit_mode; } audit;
 	int deny;
 
 	signal_rule(perms_t perms, struct cond_entry *conds);

parser/userns.cc

@@ -41,7 +41,7 @@ void userns_rule::move_conditionals(struct cond_entry *conds)
 }
 
 userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
-	audit(false), deny(0)
+	audit({AUDIT_UNSPECIFIED}), deny(0)
 {
 	if (perms_p) {
 		if (perms_p & ~AA_VALID_USERNS_PERMS)
@@ -59,7 +59,7 @@ userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
 
 ostream &userns_rule::dump(ostream &os)
 {
-	if (audit)
+	if (audit.audit_mode == AUDIT_FORCE)
 		os << "audit ";
 	if (deny)
 		os << "deny ";
@@ -101,7 +101,7 @@ int userns_rule::gen_policy_re(Profile &prof)
 	buf = buffer.str();
 	if (perms & AA_VALID_USERNS_PERMS) {
 		if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms,
-						 audit ? perms : 0,
+						 audit.audit_mode == AUDIT_FORCE ? perms : 0,
 						 dfaflags))
 			goto fail;
 	}

parser/userns.h

@@ -27,7 +27,7 @@ class userns_rule: public rule_t {
 	void move_conditionals(struct cond_entry *conds);
 public:
 	perms_t perms;
-	bool audit;
+	struct { audit_t audit_mode; } audit;
 	int deny;
 
 	userns_rule(perms_t perms, struct cond_entry *conds);