Add profile names that are independent of attachment specification

Add the ability to specify the name and attachment of the profile
separately. It does not allow for the attachment specification to
begin with a variable however since variables in profile names is not
currently support this shouldn't be and issue.

Signed-off-by: John Johansen <john.johansen@canonical.com>

parser/parser.h

@@ -88,6 +88,7 @@ struct alt_name {
 struct codomain {
 	char *namespace;
 	char *name;				/* codomain name */
+	char *attachment;
 	struct alt_name *altnames;
 	void *xmatch;
 	size_t xmatch_size;

parser/parser_alias.c

@@ -159,6 +159,7 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
 {
 	struct alias_rule **t = (struct alias_rule **) nodep;
 	struct codomain *cod = target_cod;
+	char *name;
 	int len;
 
 	if (value == preorder || value == endorder)
@@ -166,9 +167,14 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
 
 	len = strlen((*t)->from);
 
-	if (cod->name && strncmp((*t)->from, cod->name, len) == 0) {
+	if (cod->attachment)
+		name = cod->attachment;
+	else
+		name = cod->name;
+
+	if (name && strncmp((*t)->from, name, len) == 0) {
 		struct alt_name *alt;
-		char *new = do_alias(*t, cod->name);
+		char *new = do_alias(*t, name);
 		if (!new)
 			return;
 		/* aliases create alternate names */

parser/parser_policy.c

@@ -736,6 +736,8 @@ void free_policy(struct codomain *cod)
 		free(cod->dfa);
 	if (cod->name)
 		free(cod->name);
+	if (cod->attachment)
+		free(cod->attachment);
 	if (cod->namespace)
 		free(cod->namespace);
 	if (cod->network_allowed)

parser/parser_regex.c

@@ -388,14 +388,17 @@ static int process_profile_name_xmatch(struct codomain *cod)
 	const char *name;
 
 	/* don't filter_slashes for profile names */
-	name = local_name(cod->name);
+	if (cod->attachment)
+		name = cod->attachment;
+	else
+		name = local_name(cod->name);
 	ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3,
 					&cod->xmatch_len);
 
 	if (ptype == ePatternInvalid) {
 		PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
 		return FALSE;
-	} else if (ptype == ePatternBasic && !cod->altnames) {
+	} else if (ptype == ePatternBasic && !(cod->altnames || cod->attachment)) {
 		/* no regex so do not set xmatch */
 		cod->xmatch = NULL;
 		cod->xmatch_len = 0;

parser/parser_yacc.y

@@ -190,6 +190,7 @@ void add_local_entry(struct codomain *cod);
 %type <boolean> opt_owner_flag
 %type <boolean> opt_profile_flag
 %type <id>	opt_namespace
+%type <id>	opt_id
 %type <transition> opt_named_transition
 
 %%
@@ -213,22 +214,31 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
 opt_namespace: { /* nothing */ $$ = NULL; }
 	| TOK_COLON TOK_ID TOK_COLON { $$ = $2; }
 
-profile_base: TOK_ID flags TOK_OPEN rules TOK_CLOSE
+opt_id: { /* nothing */ $$ = NULL; }
+	| TOK_ID { $$ = $1; }
+
+profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
 	{
-		struct codomain *cod = $4;
+		struct codomain *cod = $5;
 
 		if (!cod) {
 			yyerror(_("Memory allocation error."));
 		}
 
 		cod->name = $1;
-		cod->flags = $2;
+		cod->attachment = $2;
+		if ($2 && $2[0] != '/')
+			/* we don't support variables as part of the profile
+			 * name or attachment atm
+			 */
+			yyerror(_("Profile attachment must begin with a '/'."));
+		cod->flags = $3;
 		if (force_complain)
 			cod->flags.complain = 1;
 
 		post_process_nt_entries(cod);
 		PDEBUG("%s: flags='%s%s'\n",
-		       $2,
+		       $3,
 		       cod->flags.complain ? "complain, " : "",
 		       cod->flags.audit ? "audit" : "");