Patch by jjohansen@suse.de

Acked-By: Steve Beattie <sbeattie@suse.de>

Add mediation/keywords for locks.

parser/immunix.h

@@ -30,16 +30,18 @@
 #define AA_MAY_READ			(1 << 2)
 #define AA_MAY_APPEND			(1 << 3)
 #define AA_MAY_LINK			(1 << 4)
-#define AA_EXEC_INHERIT 		(1 << 5)
-#define AA_EXEC_UNCONSTRAINED		(1 << 6)
-#define AA_EXEC_PROFILE			(1 << 7)
-#define AA_EXEC_MMAP			(1 << 8)
-#define AA_EXEC_UNSAFE			(1 << 9)
+#define AA_MAY_LOCK			(1 << 5)
+#define AA_EXEC_MMAP			(1 << 6)
+
+#define AA_CHANGE_PROFILE		(1 << 26)
+#define AA_EXEC_INHERIT 		(1 << 27)
+#define AA_EXEC_UNCONSTRAINED		(1 << 28)
+#define AA_EXEC_PROFILE			(1 << 29)
+#define AA_EXEC_UNSAFE			(1 << 30)
 #define AA_EXEC_MODIFIERS		(AA_EXEC_INHERIT | \
 					 AA_EXEC_UNCONSTRAINED | \
 					 AA_EXEC_PROFILE)
 
-#define AA_CHANGE_PROFILE		(1 << 31)
 
 /* Network subdomain extensions.  */
 #define AA_TCP_CONNECT			(1 << 16)
@@ -73,12 +75,13 @@ enum pattern_t {
 #define HAS_MAY_READ(mode)		((mode) & AA_MAY_READ)
 #define HAS_MAY_WRITE(mode)		((mode) & AA_MAY_WRITE)
 #define HAS_MAY_APPEND(mode)		((mode) & AA_MAY_APPEND)
-#define HAS_MAY_LINK(mode)		((mode) & AA_MAY_LINK)
 #define HAS_MAY_EXEC(mode)		((mode) & AA_MAY_EXEC)
+#define HAS_MAY_LINK(mode)		((mode) & AA_MAY_LINK)
+#define HAS_MAY_LOCK(mode)		((mode) & AA_MAY_LOCK)
+#define HAS_EXEC_MMAP(mode) 		((mode) & AA_EXEC_MMAP)
 #define HAS_EXEC_INHERIT(mode)		((mode) & AA_EXEC_INHERIT)
 #define HAS_EXEC_PROFILE(mode)		((mode) & AA_EXEC_PROFILE)
 #define HAS_EXEC_UNCONSTRAINED(mode)	((mode) & AA_EXEC_UNCONSTRAINED)
-#define HAS_EXEC_MMAP(mode) 		((mode) & AA_EXEC_MMAP)
 #define HAS_EXEC_UNSAFE(mode) 		((mode) & AA_EXEC_UNSAFE)
 #define HAS_CHANGE_PROFILE(mode)	((mode) & AA_CHANGE_PROFILE)
 

parser/libapparmor_re/regexp.y

@@ -1495,7 +1495,7 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
 
 #define ACCUMULATING_FLAGS \
 	(AA_MAY_READ | AA_MAY_WRITE | AA_MAY_APPEND | AA_MAY_EXEC | \
-	 AA_MAY_LINK | AA_EXEC_MMAP | AA_CHANGE_PROFILE)
+	 AA_MAY_LINK | AA_MAY_LOCK | AA_EXEC_MMAP | AA_CHANGE_PROFILE)
 
 /**
  * Compute the permission flags that this state corresponds to. If we

parser/parser.h

@@ -124,13 +124,14 @@ struct var_string {
 #define COD_WRITE_CHAR 		'w'
 #define COD_APPEND_CHAR		'a'
 #define COD_EXEC_CHAR 		'x'
-#define COD_INHERIT_CHAR 	'i'
 #define COD_LINK_CHAR 		'l'
+#define COD_LOCK_CHAR		'k'
+#define COD_MMAP_CHAR		'm'
+#define COD_INHERIT_CHAR 	'i'
 #define COD_UNCONSTRAINED_CHAR	'U'
 #define COD_UNSAFE_UNCONSTRAINED_CHAR	'u'
 #define COD_PROFILE_CHAR	'P'
 #define COD_UNSAFE_PROFILE_CHAR	'p'
-#define COD_MMAP_CHAR		'm'
 
 #define OPTION_ADD      1
 #define OPTION_REMOVE   2

parser/parser_lex.l

@@ -53,7 +53,7 @@ COLON		:
 END_OF_RULE	[,]
 SEPERATOR 	{UP}
 RANGE		-
-MODES 		[RrWwaXxIiLlUuPpMm]
+MODES 		([RrWwaLlMmk]|([Pp][Xx])|([Uu][Xx])|([Ii][Xx]))+
 WS		[[:blank:]]
 NUMBER		[[:digit:]]+
 ID 		[^ \t\n"!,]|(,[^ \t\n"!])
@@ -334,7 +334,7 @@ ADD_ASSIGN	\+=
 			return TOK_ID;
 			}
 
-{MODES}+		{
+{MODES}			{
 			yylval = (YYSTYPE) strdup(yytext);
 			PDEBUG("Found modes: %s\n", yylval);
 			return TOK_MODE;

parser/parser_misc.c

@@ -472,6 +472,11 @@ reeval:
 			mode |= AA_MAY_LINK;
 			break;
 
+		case COD_LOCK_CHAR:
+			PDEBUG("Parsing mode: found LOCK\n");
+			mode |= AA_MAY_LOCK;
+			break;
+
 		case COD_INHERIT_CHAR:
 			PDEBUG("Parsing mode: found INHERIT\n");
 			if (next != COD_EXEC_CHAR && tolower(next) != COD_EXEC_CHAR) {
@@ -734,6 +739,8 @@ void debug_cod_entries(struct cod_entry *list)
 			printf("%c", COD_APPEND_CHAR);
 		if (HAS_MAY_LINK(item->mode))
 			printf("%c", COD_LINK_CHAR);
+		if (HAS_MAY_LOCK(item->mode))
+			printf("%c", COD_LOCK_CHAR);
 		if (HAS_EXEC_INHERIT(item->mode))
 			printf("%c", COD_INHERIT_CHAR);
 		if (HAS_EXEC_UNCONSTRAINED(item->mode)) {