diff --git a/parser/immunix.h b/parser/immunix.h
index ca3dc5511..49d77e520 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -30,16 +30,18 @@
 #define AA_MAY_READ (1 << 2)
 #define AA_MAY_APPEND (1 << 3)
 #define AA_MAY_LINK (1 << 4)
-#define AA_EXEC_INHERIT (1 << 5)
-#define AA_EXEC_UNCONSTRAINED (1 << 6)
-#define AA_EXEC_PROFILE (1 << 7)
-#define AA_EXEC_MMAP (1 << 8)
-#define AA_EXEC_UNSAFE (1 << 9)
+#define AA_MAY_LOCK (1 << 5)
+#define AA_EXEC_MMAP (1 << 6)
+
+#define AA_CHANGE_PROFILE (1 << 26)
+#define AA_EXEC_INHERIT (1 << 27)
+#define AA_EXEC_UNCONSTRAINED (1 << 28)
+#define AA_EXEC_PROFILE (1 << 29)
+#define AA_EXEC_UNSAFE (1 << 30)
 #define AA_EXEC_MODIFIERS (AA_EXEC_INHERIT | \
 AA_EXEC_UNCONSTRAINED | \
 AA_EXEC_PROFILE)
-#define AA_CHANGE_PROFILE (1 << 31)
 
 /* Network subdomain extensions. */
 #define AA_TCP_CONNECT (1 << 16)
@@ -73,12 +75,13 @@ enum pattern_t {
 #define HAS_MAY_READ(mode) ((mode) & AA_MAY_READ)
 #define HAS_MAY_WRITE(mode) ((mode) & AA_MAY_WRITE)
 #define HAS_MAY_APPEND(mode) ((mode) & AA_MAY_APPEND)
-#define HAS_MAY_LINK(mode) ((mode) & AA_MAY_LINK)
 #define HAS_MAY_EXEC(mode) ((mode) & AA_MAY_EXEC)
+#define HAS_MAY_LINK(mode) ((mode) & AA_MAY_LINK)
+#define HAS_MAY_LOCK(mode) ((mode) & AA_MAY_LOCK)
+#define HAS_EXEC_MMAP(mode) ((mode) & AA_EXEC_MMAP)
 #define HAS_EXEC_INHERIT(mode) ((mode) & AA_EXEC_INHERIT)
 #define HAS_EXEC_PROFILE(mode) ((mode) & AA_EXEC_PROFILE)
 #define HAS_EXEC_UNCONSTRAINED(mode) ((mode) & AA_EXEC_UNCONSTRAINED)
-#define HAS_EXEC_MMAP(mode) ((mode) & AA_EXEC_MMAP)
 #define HAS_EXEC_UNSAFE(mode) ((mode) & AA_EXEC_UNSAFE)
 #define HAS_CHANGE_PROFILE(mode) ((mode) & AA_CHANGE_PROFILE)
 
diff --git a/parser/libapparmor_re/regexp.y b/parser/libapparmor_re/regexp.y
index c9d784d7b..565662a3b 100644
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
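Review bot: Moving AA_EXEC_INHERIT/UNCONSTRAINED/PROFILE/UNSAFE to bits 27-30 and AA_CHANGE_PROFILE to bit 26 changes what every bit of the permission word means to whatever consumes the compiled policy, yet the first immunix.h hunk leaves no comment recording the layout or that it has to agree with the kernel side; if the consumer still expects the old layout it would read bit 5 as exec-inherit where this header now puts AA_MAY_LOCK. I would add, above the first AA_MAY_* define, a short comment such as `/* permission bit layout: 0-6 file access, 16+ network, 26-30 change_profile and exec modifiers; values must match the kernel's definitions */`, naming the exact kernel header once that is confirmed. Retiring `(1 << 31)` for AA_CHANGE_PROFILE also removes a shift of 1 into the sign bit of a plain int, which deserves a one-line note next to the new defines so bit 31 is not reused later without that in mind.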
@@ -1495,7 +1495,7 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
 
 #define ACCUMULATING_FLAGS \
 (AA_MAY_READ | AA_MAY_WRITE | AA_MAY_APPEND | AA_MAY_EXEC | \
- AA_MAY_LINK | AA_EXEC_MMAP | AA_CHANGE_PROFILE)
+ AA_MAY_LINK | AA_MAY_LOCK | AA_EXEC_MMAP | AA_CHANGE_PROFILE)
 
 /**
  * Compute the permission flags that this state corresponds to. If we
diff --git a/parser/parser.h b/parser/parser.h
index deb4e536d..987fcd4b7 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -124,13 +124,14 @@ struct var_string {
 #define COD_WRITE_CHAR 'w'
 #define COD_APPEND_CHAR 'a'
 #define COD_EXEC_CHAR 'x'
-#define COD_INHERIT_CHAR 'i'
 #define COD_LINK_CHAR 'l'
+#define COD_LOCK_CHAR 'k'
+#define COD_MMAP_CHAR 'm'
+#define COD_INHERIT_CHAR 'i'
 #define COD_UNCONSTRAINED_CHAR 'U'
 #define COD_UNSAFE_UNCONSTRAINED_CHAR 'u'
 #define COD_PROFILE_CHAR 'P'
 #define COD_UNSAFE_PROFILE_CHAR 'p'
-#define COD_MMAP_CHAR 'm'
 
 #define OPTION_ADD 1
 #define OPTION_REMOVE 2
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index dda6f96ac..40cbbdfca 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -53,7 +53,7 @@ COLON :
 END_OF_RULE [,]
 SEPERATOR {UP}
 RANGE -
-MODES [RrWwaXxIiLlUuPpMm]
+MODES ([RrWwaLlMmk]|([Pp][Xx])|([Uu][Xx])|([Ii][Xx]))+
 WS [[:blank:]]
 NUMBER [[:digit:]]+
 ID [^ \t\n"!,]|(,[^ \t\n"!])
@@ -334,7 +334,7 @@ ADD_ASSIGN \+=
 return TOK_ID;
 }
 
-{MODES}+ {
+{MODES} {
 yylval = (YYSTYPE) strdup(yytext);
 PDEBUG("Found modes: %s\n", yylval);
 return TOK_MODE;
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 27ffc6fd5..85827cce4 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -472,6 +472,11 @@ reeval:
 mode |= AA_MAY_LINK;
 break;
 
+ case COD_LOCK_CHAR:
+ PDEBUG("Parsing mode: found LOCK\n");
+ mode |= AA_MAY_LOCK;
+ break;
+
 case COD_INHERIT_CHAR:
 PDEBUG("Parsing mode: found INHERIT\n");
 if (next != COD_EXEC_CHAR && tolower(next) != COD_EXEC_CHAR) {
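Review bot: In the new MODES pattern of the first parser_lex.l hunk, `k` is accepted in lowercase only while the sibling letters in the same class are written `[Rr]`, `[Ww]`, `[Ll]`, `[Mm]`; if uppercase is meant to be a synonym here as it is for those (the `tolower(next)` check visible in parse_mode's parser_misc.c hunk suggests case folding is the norm), the class should read `[RrWwaLlMmKk]`, and if lowercase-only is intentional a comment on the MODES line should say so. The pattern also drops the standalone `X`/`x` that the old `[RrWwaXxIiLlUuPpMm]` allowed, so a profile with a bare or unqualified `x` mode never reaches parse_mode and will presumably be matched by the ID rule three lines below instead; confirm that the error reported for such a profile still names the unqualified exec permission rather than a generic syntax error. A comment on the MODES line stating that exec is only accepted as `px`, `ux` or `ix` would keep the next maintainer from reverting it.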
@@ -734,6 +739,8 @@ void debug_cod_entries(struct cod_entry *list)
 printf("%c", COD_APPEND_CHAR);
 if (HAS_MAY_LINK(item->mode))
 printf("%c", COD_LINK_CHAR);
+ if (HAS_MAY_LOCK(item->mode))
+ printf("%c", COD_LOCK_CHAR);
 if (HAS_EXEC_INHERIT(item->mode))
 printf("%c", COD_INHERIT_CHAR);
 if (HAS_EXEC_UNCONSTRAINED(item->mode)) {