Add support for bare change_profile rule

allow specifying the change_profile keyword

  change_profile,

to grant all permissions change_profile permissions

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>

parser/parser_lex.l

@@ -612,7 +612,7 @@ LT_EQUAL	<=
 	PUSH_AND_RETURN(state, token);
 }
 
-<INITIAL,NETWORK_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
+<INITIAL,NETWORK_MODE,RLIMIT_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
 	{END_OF_RULE}	{
 		if (YY_START != INITIAL)
 			POP_NODUMP();

parser/parser_yacc.y

@@ -1481,6 +1481,20 @@ file_mode: TOK_MODE
 		free($1);
 	}
 
+change_profile: TOK_CHANGE_PROFILE TOK_END_OF_RULE
+	{
+		struct cod_entry *entry;
+		char *rule = strdup("**");
+		if (!rule)
+			yyerror(_("Memory allocation error."));
+		PDEBUG("Matched change_profile,\n");
+		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, NULL);
+		if (!entry)
+			yyerror(_("Memory allocation error."));
+		PDEBUG("change_profile,\n");
+		$$ = entry;
+	};
+
 change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;

parser/tst/equality.sh

@@ -458,6 +458,10 @@ verify_binary_equality "Deny of ungranted perm" \
 		       "/t { /foo/[abc] r, }"
 
 
+verify_binary_equality "change_profile == change_profile -> **" \
+		       "/t { change_profile, }" \
+		       "/t { change_profile -> **, }"
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1

parser/tst/simple_tests/change_profile/bare_ok_1.sd

@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile,
+}