From fd9a6fe13350c05126c2f44aa1344f94dcb69c34 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 9 Jun 2021 00:56:59 -0700 Subject: [PATCH] parser: int mode to perms Move from using and int for permissions bit mask to a perms_t type. Also move any perms mask that uses the name mode to perms to avoid confusing it with other uses of mode. Signed-off-by: John Johansen --- parser/af_rule.cc | 26 +++---- parser/af_rule.h | 4 +- parser/af_unix.cc | 26 +++---- parser/af_unix.h | 4 +- parser/dbus.cc | 54 ++++++------- parser/dbus.h | 6 +- parser/immunix.h | 2 +- parser/mount.cc | 8 +- parser/mqueue.cc | 52 ++++++------- parser/mqueue.h | 6 +- parser/network.c | 4 +- parser/network.h | 2 +- parser/parser.h | 12 +-- parser/parser_alias.c | 2 +- parser/parser_merge.c | 4 +- parser/parser_misc.c | 172 ++++++++++++++++++++--------------------- parser/parser_policy.c | 28 +++---- parser/parser_regex.c | 34 ++++---- parser/parser_yacc.y | 166 +++++++++++++++++++-------------------- parser/profile.h | 5 +- parser/ptrace.cc | 30 +++---- parser/ptrace.h | 6 +- parser/signal.cc | 26 +++---- parser/signal.h | 6 +- parser/userns.cc | 20 ++--- parser/userns.h | 4 +- 26 files changed, 356 insertions(+), 353 deletions(-) diff --git a/parser/af_rule.cc b/parser/af_rule.cc index dc86c590b..3c46543ae 100644 --- a/parser/af_rule.cc +++ b/parser/af_rule.cc @@ -101,32 +101,32 @@ ostream &af_rule::dump_prefix(ostream &os) ostream &af_rule::dump_local(ostream &os) { - if (mode != AA_VALID_NET_PERMS) { + if (perms != AA_VALID_NET_PERMS) { os << " ("; - if (mode & AA_NET_SEND) + if (perms & AA_NET_SEND) os << "send "; - if (mode & AA_NET_RECEIVE) + if (perms & AA_NET_RECEIVE) os << "receive "; - if (mode & AA_NET_CREATE) + if (perms & AA_NET_CREATE) os << "create "; - if (mode & AA_NET_SHUTDOWN) + if (perms & AA_NET_SHUTDOWN) os << "shutdown "; - if (mode & AA_NET_CONNECT) + if (perms & AA_NET_CONNECT) os << "connect "; - if (mode & AA_NET_SETATTR) + if (perms & AA_NET_SETATTR) os << "setattr "; - if (mode & AA_NET_GETATTR) + if (perms & AA_NET_GETATTR) os << "getattr "; - if (mode & AA_NET_BIND) + if (perms & AA_NET_BIND) os << "bind "; - if (mode & AA_NET_ACCEPT) + if (perms & AA_NET_ACCEPT) os << "accept "; - if (mode & AA_NET_LISTEN) + if (perms & AA_NET_LISTEN) os << "listen "; - if (mode & AA_NET_SETOPT) + if (perms & AA_NET_SETOPT) os << "setopt "; - if (mode & AA_NET_GETOPT) + if (perms & AA_NET_GETOPT) os << "getopt "; os << ")"; } diff --git a/parser/af_rule.h b/parser/af_rule.h index ef4080550..400402205 100644 --- a/parser/af_rule.h +++ b/parser/af_rule.h @@ -44,13 +44,13 @@ public: int proto_n; char *label; char *peer_label; - int mode; + perms_t perms; int audit; bool deny; af_rule(const char *name): af_name(name), sock_type(NULL), sock_type_n(-1), proto(NULL), proto_n(0), label(NULL), - peer_label(NULL), mode(0), audit(0), deny(0) + peer_label(NULL), perms(0), audit(0), deny(0) {} virtual ~af_rule() diff --git a/parser/af_unix.cc b/parser/af_unix.cc index db3aa08ca..2e469e3fd 100644 --- a/parser/af_unix.cc +++ b/parser/af_unix.cc @@ -32,9 +32,9 @@ /* See unix(7) for autobind address definition */ #define autobind_address_pattern "\\x00[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]"; -int parse_unix_mode(const char *str_mode, int *mode, int fail) +int parse_unix_perms(const char *str_perms, perms_t *perms, int fail) { - return parse_X_mode("unix", AA_VALID_NET_PERMS, str_mode, mode, fail); + return parse_X_perms("unix", AA_VALID_NET_PERMS, str_perms, perms, fail); } @@ -104,26 +104,26 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied): if (!sock_type) yyerror("socket rule: invalid socket type '%d'", type_p); } - mode = AA_VALID_NET_PERMS; + perms = AA_VALID_NET_PERMS; audit = audit_p ? AA_VALID_NET_PERMS : 0; deny = denied; } -unix_rule::unix_rule(int mode_p, struct cond_entry *conds, +unix_rule::unix_rule(perms_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds): af_rule("unix"), addr(NULL), peer_addr(NULL) { move_conditionals(conds); move_peer_conditionals(peer_conds); - if (mode_p) { - mode = mode_p; - if (mode & ~AA_VALID_NET_PERMS) - yyerror("mode contains invalid permissions for unix socket rules\n"); - else if ((mode & ~AA_PEER_NET_PERMS) && has_peer_conds()) + if (perms_p) { + perms = perms_p; + if (perms & ~AA_VALID_NET_PERMS) + yyerror("perms contains invalid permissions for unix socket rules\n"); + else if ((perms & ~AA_PEER_NET_PERMS) && has_peer_conds()) yyerror("unix socket 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n"); } else { - mode = AA_VALID_NET_PERMS; + perms = AA_VALID_NET_PERMS; } free_cond_list(conds); @@ -187,7 +187,7 @@ static void writeu16(std::ostringstream &o, int v) #define CMD_OPT 4 void unix_rule::downgrade_rule(Profile &prof) { - unsigned int mask = (unsigned int) -1; + perms_t mask = (perms_t) -1; if (!prof.net.allow && !prof.alloc_net_table()) yyerror(_("Memory allocation error.")); @@ -309,7 +309,7 @@ int unix_rule::gen_policy_re(Profile &prof) std::ostringstream buffer; std::string buf; - int mask = mode; + perms_t mask = perms; /* always generate a downgraded rule. This doesn't change generated * policy size and allows the binary policy to be loaded against @@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof) goto fail; buf = buffer.str(); - if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(mode & AA_PEER_NET_PERMS), map_perms(audit), dfaflags)) + if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit), dfaflags)) goto fail; } diff --git a/parser/af_unix.h b/parser/af_unix.h index 2d2d70e1f..e36168072 100644 --- a/parser/af_unix.h +++ b/parser/af_unix.h @@ -24,7 +24,7 @@ #include "profile.h" #include "af_rule.h" -int parse_unix_mode(const char *str_mode, int *mode, int fail); +int parse_unix_perms(const char *str_mode, perms_t *perms, int fail); class unix_rule: public af_rule { void write_to_prot(std::ostringstream &buffer); @@ -38,7 +38,7 @@ public: char *peer_addr; unix_rule(unsigned int type_p, bool audit_p, bool denied); - unix_rule(int mode, struct cond_entry *conds, + unix_rule(perms_t perms, struct cond_entry *conds, struct cond_entry *peer_conds); virtual ~unix_rule() { diff --git a/parser/dbus.cc b/parser/dbus.cc index d02b90dd2..9ea17ff32 100644 --- a/parser/dbus.cc +++ b/parser/dbus.cc @@ -30,9 +30,9 @@ #include "dbus.h" -int parse_dbus_mode(const char *str_mode, int *mode, int fail) +int parse_dbus_perms(const char *str_perms, perms_t *perms, int fail) { - return parse_X_mode("DBus", AA_VALID_DBUS_PERMS, str_mode, mode, fail); + return parse_X_perms("DBus", AA_VALID_DBUS_PERMS, str_perms, perms, fail); } void dbus_rule::move_conditionals(struct cond_entry *conds) @@ -66,10 +66,10 @@ void dbus_rule::move_conditionals(struct cond_entry *conds) } } -dbus_rule::dbus_rule(int mode_p, struct cond_entry *conds, +dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds): bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL), - mode(0), audit(0), deny(0) + perms(0), audit(0), deny(0) { int name_is_subject_cond = 0, message_rule = 0, service_rule = 0; @@ -93,27 +93,27 @@ dbus_rule::dbus_rule(int mode_p, struct cond_entry *conds, if (message_rule && service_rule) yyerror("dbus rule contains message conditionals and service conditionals\n"); - /* Copy mode. If no mode was specified, assign an implied mode. */ - if (mode_p) { - mode = mode_p; - if (mode & ~AA_VALID_DBUS_PERMS) - yyerror("mode contains unknown dbus access\n"); - else if (message_rule && (mode & AA_DBUS_BIND)) + /* Copy perms. If no perms was specified, assign an implied perms. */ + if (perms_p) { + perms = perms_p; + if (perms & ~AA_VALID_DBUS_PERMS) + yyerror("perms contains unknown dbus access\n"); + else if (message_rule && (perms & AA_DBUS_BIND)) yyerror("dbus \"bind\" access cannot be used with message rule conditionals\n"); - else if (service_rule && (mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE))) + else if (service_rule && (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE))) yyerror("dbus \"send\" and/or \"receive\" accesses cannot be used with service rule conditionals\n"); - else if (mode & AA_DBUS_EAVESDROP && + else if (perms & AA_DBUS_EAVESDROP && (path || interface || member || peer_label || name)) { yyerror("dbus \"eavesdrop\" access can only contain a bus conditional\n"); } } else { if (message_rule) - mode = (AA_DBUS_SEND | AA_DBUS_RECEIVE); + perms = (AA_DBUS_SEND | AA_DBUS_RECEIVE); else if (service_rule) - mode = (AA_DBUS_BIND); + perms = (AA_DBUS_BIND); else - mode = AA_VALID_DBUS_PERMS; + perms = AA_VALID_DBUS_PERMS; } free_cond_list(conds); @@ -129,19 +129,19 @@ ostream &dbus_rule::dump(ostream &os) os << "dbus ( "; - if (mode & AA_DBUS_SEND) + if (perms & AA_DBUS_SEND) os << "send "; - if (mode & AA_DBUS_RECEIVE) + if (perms & AA_DBUS_RECEIVE) os << "receive "; - if (mode & AA_DBUS_BIND) + if (perms & AA_DBUS_BIND) os << "bind "; - if (mode & AA_DBUS_EAVESDROP) + if (perms & AA_DBUS_EAVESDROP) os << "eavesdrop "; os << ")"; if (bus) os << " bus=\"" << bus << "\""; - if ((mode & AA_DBUS_BIND) && name) + if ((perms & AA_DBUS_BIND) && name) os << " name=\"" << name << "\""; if (path) os << " path=\"" << path << "\""; @@ -150,7 +150,7 @@ ostream &dbus_rule::dump(ostream &os) if (member) os << " member=\"" << member << "\""; - if (!(mode & AA_DBUS_BIND) && (peer_label || name)) { + if (!(perms & AA_DBUS_BIND) && (peer_label || name)) { os << " peer=( "; if (peer_label) os << "label=\"" << peer_label << "\" "; @@ -277,22 +277,22 @@ int dbus_rule::gen_policy_re(Profile &prof) vec[5] = default_match_pattern; } - if (mode & AA_DBUS_BIND) { - if (!prof.policy.rules->add_rule_vec(deny, mode & AA_DBUS_BIND, + if (perms & AA_DBUS_BIND) { + if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND, audit & AA_DBUS_BIND, 2, vec, dfaflags, false)) goto fail; } - if (mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) { + if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) { if (!prof.policy.rules->add_rule_vec(deny, - mode & (AA_DBUS_SEND | AA_DBUS_RECEIVE), + perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE), audit & (AA_DBUS_SEND | AA_DBUS_RECEIVE), 6, vec, dfaflags, false)) goto fail; } - if (mode & AA_DBUS_EAVESDROP) { + if (perms & AA_DBUS_EAVESDROP) { if (!prof.policy.rules->add_rule_vec(deny, - mode & AA_DBUS_EAVESDROP, + perms & AA_DBUS_EAVESDROP, audit & AA_DBUS_EAVESDROP, 1, vec, dfaflags, false)) goto fail; diff --git a/parser/dbus.h b/parser/dbus.h index f736cc3e4..7345e88aa 100644 --- a/parser/dbus.h +++ b/parser/dbus.h @@ -23,7 +23,7 @@ #include "rule.h" #include "profile.h" -extern int parse_dbus_mode(const char *str_mode, int *mode, int fail); +extern int parse_dbus_perms(const char *str_mode, perms_t *mode, int fail); class dbus_rule: public rule_t { void move_conditionals(struct cond_entry *conds); @@ -39,11 +39,11 @@ public: char *path; char *interface; char *member; - int mode; + perms_t perms; int audit; int deny; - dbus_rule(int mode_p, struct cond_entry *conds, + dbus_rule(perms_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds); virtual ~dbus_rule() { free(bus); diff --git a/parser/immunix.h b/parser/immunix.h index 9039817b9..357a2d16a 100644 --- a/parser/immunix.h +++ b/parser/immunix.h @@ -98,7 +98,7 @@ #define AA_LINK_BITS ((AA_OLD_MAY_LINK << AA_USER_SHIFT) | \ (AA_OLD_MAY_LINK << AA_OTHER_SHIFT)) -#define SHIFT_MODE(MODE, SHIFT) ((((MODE) & AA_BASE_PERMS) << (SHIFT))\ +#define SHIFT_PERMS(MODE, SHIFT) ((((MODE) & AA_BASE_PERMS) << (SHIFT))\ | ((MODE) & ~AA_FILE_PERMS)) #define SHIFT_TO_BASE(MODE, SHIFT) ((((MODE) & AA_FILE_PERMS) >> (SHIFT))\ | ((MODE) & ~AA_FILE_PERMS)) diff --git a/parser/mount.cc b/parser/mount.cc index 4716c3049..533aef202 100644 --- a/parser/mount.cc +++ b/parser/mount.cc @@ -1057,7 +1057,7 @@ fail: void mnt_rule::post_process(Profile &prof) { if (trans) { - unsigned int mode = 0; + perms_t perms = 0; int n = add_entry_to_x_table(&prof, trans); if (!n) { PERROR("Profile %s has too many specified profile transitions.\n", prof.name); @@ -1065,11 +1065,11 @@ void mnt_rule::post_process(Profile &prof) } if (allow & AA_USER_EXEC) - mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT); + perms |= SHIFT_PERMS(n << 10, AA_USER_SHIFT); if (allow & AA_OTHER_EXEC) - mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT); + perms |= SHIFT_PERMS(n << 10, AA_OTHER_SHIFT); allow = ((allow & ~AA_ALL_EXEC_MODIFIERS) | - (mode & AA_ALL_EXEC_MODIFIERS)); + (perms & AA_ALL_EXEC_MODIFIERS)); trans = NULL; } diff --git a/parser/mqueue.cc b/parser/mqueue.cc index 1fde03c2a..ae8efe8f1 100644 --- a/parser/mqueue.cc +++ b/parser/mqueue.cc @@ -25,9 +25,9 @@ #include #include -int parse_mqueue_mode(const char *str_mode, int *mode, int fail) +int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail) { - return parse_X_mode("mqueue", AA_VALID_MQUEUE_PERMS, str_mode, mode, fail); + return parse_X_perms("mqueue", AA_VALID_MQUEUE_PERMS, str_perms, perms, fail); } static bool is_all_digits(char *str) @@ -86,7 +86,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds) } } -mqueue_rule::mqueue_rule(int mode_p, struct cond_entry *conds, char *qname_p): +mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p): qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit(0), deny(0) { move_conditionals(conds); @@ -94,20 +94,20 @@ mqueue_rule::mqueue_rule(int mode_p, struct cond_entry *conds, char *qname_p): if (qname) validate_qname(); - if (mode_p) { + if (perms_p) { // do we want to allow perms to imply type like we do for // qname? - if (qtype == mqueue_posix && (mode_p & ~AA_VALID_POSIX_MQ_PERMS)) { - yyerror("mode contains invalid permissions for mqueue type=posix\n"); - } else if (qtype == mqueue_sysv && (mode_p & ~AA_VALID_SYSV_MQ_PERMS)) { - yyerror("mode contains invalid permissions for mqueue type=sysv\n"); - } else if (mode_p & ~AA_VALID_MQUEUE_PERMS) { - yyerror("mode contains invalid permissions for mqueue\n"); + if (qtype == mqueue_posix && (perms_p & ~AA_VALID_POSIX_MQ_PERMS)) { + yyerror("perms contains invalid permissions for mqueue type=posix\n"); + } else if (qtype == mqueue_sysv && (perms_p & ~AA_VALID_SYSV_MQ_PERMS)) { + yyerror("perms contains invalid permissions for mqueue type=sysv\n"); + } else if (perms_p & ~AA_VALID_MQUEUE_PERMS) { + yyerror("perms contains invalid permissions for mqueue\n"); } - mode = mode_p; + perms = perms_p; } else { // default to all perms - mode = AA_VALID_MQUEUE_PERMS; + perms = AA_VALID_MQUEUE_PERMS; } qname = qname_p; @@ -129,22 +129,22 @@ ostream &mqueue_rule::dump(ostream &os) else if (qtype == mqueue_sysv) os << "type=sysv"; - if (mode != AA_VALID_MQUEUE_PERMS) { + if (perms != AA_VALID_MQUEUE_PERMS) { os << "("; - if (mode & AA_MQUEUE_WRITE) + if (perms & AA_MQUEUE_WRITE) os << "write "; - if (mode & AA_MQUEUE_READ) + if (perms & AA_MQUEUE_READ) os << "read "; - if (mode & AA_MQUEUE_OPEN) + if (perms & AA_MQUEUE_OPEN) os << "open "; - if (mode & AA_MQUEUE_CREATE) + if (perms & AA_MQUEUE_CREATE) os << "create "; - if (mode & AA_MQUEUE_DELETE) + if (perms & AA_MQUEUE_DELETE) os << "delete "; - if (mode & AA_MQUEUE_SETATTR) + if (perms & AA_MQUEUE_SETATTR) os << "setattr "; - if (mode & AA_MQUEUE_GETATTR) + if (perms & AA_MQUEUE_GETATTR) os << "getattr "; os << ")"; @@ -229,14 +229,14 @@ int mqueue_rule::gen_policy_re(Profile &prof) vec[1] = anyone_match_pattern; } - if (mode & AA_VALID_POSIX_MQ_PERMS) { + if (perms & AA_VALID_POSIX_MQ_PERMS) { /* store perms at name match so label doesn't need * to be checked */ - if (!label && !prof.policy.rules->add_rule_vec(deny, mode, audit, 1, vec, dfaflags, false)) + if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit, 1, vec, dfaflags, false)) goto fail; /* also provide label match with perm */ - if (!prof.policy.rules->add_rule_vec(deny, mode, audit, size, vec, dfaflags, false)) + if (!prof.policy.rules->add_rule_vec(deny, perms, audit, size, vec, dfaflags, false)) goto fail; } } @@ -267,11 +267,11 @@ int mqueue_rule::gen_policy_re(Profile &prof) vec[1] = anyone_match_pattern; } - if (mode & AA_VALID_SYSV_MQ_PERMS) { - if (!label && !prof.policy.rules->add_rule_vec(deny, mode, audit, 1, vec, dfaflags, false)) + if (perms & AA_VALID_SYSV_MQ_PERMS) { + if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit, 1, vec, dfaflags, false)) goto fail; /* also provide label match with perm */ - if (!prof.policy.rules->add_rule_vec(deny, mode, audit, size, vec, dfaflags, false)) + if (!prof.policy.rules->add_rule_vec(deny, perms, audit, size, vec, dfaflags, false)) goto fail; } } diff --git a/parser/mqueue.h b/parser/mqueue.h index fdbc0d38d..d1be8de62 100644 --- a/parser/mqueue.h +++ b/parser/mqueue.h @@ -79,7 +79,7 @@ typedef enum mqueue_type { } mqueue_type; -int parse_mqueue_mode(const char *str_mode, int *mode, int fail); +int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail); class mqueue_rule: public rule_t { void move_conditionals(struct cond_entry *conds); @@ -87,11 +87,11 @@ public: mqueue_type qtype; char *qname; char *label; - int mode; + perms_t perms; int audit; int deny; - mqueue_rule(int mode, struct cond_entry *conds, char *qname = NULL); + mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL); virtual ~mqueue_rule() { free(qname); diff --git a/parser/network.c b/parser/network.c index 043aa1b9d..756bcf186 100644 --- a/parser/network.c +++ b/parser/network.c @@ -32,9 +32,9 @@ #include "network.h" -int parse_net_mode(const char *str_mode, int *mode, int fail) +int parse_net_perms(const char *str_mode, perms_t *mode, int fail) { - return parse_X_mode("net", AA_VALID_NET_PERMS, str_mode, mode, fail); + return parse_X_perms("net", AA_VALID_NET_PERMS, str_mode, mode, fail); } /* Bleah C++ doesn't have non-trivial designated initializers so we just diff --git a/parser/network.h b/parser/network.h index d51c5299e..3481cb72c 100644 --- a/parser/network.h +++ b/parser/network.h @@ -100,7 +100,7 @@ static inline uint32_t map_perms(uint32_t mask) }; -int parse_net_mode(const char *str_mode, int *mode, int fail); +int parse_net_perms(const char *str_mode, perms_t *perms, int fail); extern struct aa_network_entry *new_network_ent(unsigned int family, unsigned int type, unsigned int protocol); diff --git a/parser/parser.h b/parser/parser.h index ac8103b6c..c460c30c7 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -45,6 +45,8 @@ using namespace std; class Profile; class rule_t; +typedef uint32_t perms_t; + #define MODULE_NAME "apparmor" /* Global variable to pass token to lexer. Will be replaced by parameter @@ -127,8 +129,8 @@ struct cod_entry { char *nt_name; Profile *prof; /* Special profile defined * just for this executable */ - int mode; /* mode is 'or' of AA_* bits */ - int audit; /* audit flags for mode */ + perms_t perms; /* perms is 'or' of AA_* bits */ + int audit; /* audit flags for perms */ int deny; /* TRUE or FALSE */ int alias_ignore; /* ignore for alias processing */ @@ -449,12 +451,12 @@ extern char *processunquoted(const char *string, int len); extern int get_keyword_token(const char *keyword); extern int get_rlimit(const char *name); extern char *process_var(const char *var); -extern int parse_mode(const char *mode); -extern int parse_X_mode(const char *X, int valid, const char *str_mode, int *mode, int fail); +extern perms_t parse_perms(const char *permstr); +extern int parse_X_perms(const char *X, int valid, const char *str_perms, perms_t *perms, int fail); bool label_contains_ns(const char *label); bool parse_label(bool *_stack, char **_ns, char **_name, const char *label, bool yyerr); -extern struct cod_entry *new_entry(char *id, int mode, char *link_id); +extern struct cod_entry *new_entry(char *id, perms_t perms, char *link_id); /* returns -1 if value != true or false, otherwise 0 == false, 1 == true */ extern int str_to_boolean(const char* str); diff --git a/parser/parser_alias.c b/parser/parser_alias.c index b96d18f87..6dacb076e 100644 --- a/parser/parser_alias.c +++ b/parser/parser_alias.c @@ -120,7 +120,7 @@ static void process_entries(const void *nodep, VISIT value, int level unused) len = strlen((*t)->from); list_for_each(target_list, entry) { - if ((entry->mode & AA_SHARED_PERMS) || entry->alias_ignore) + if ((entry->perms & AA_SHARED_PERMS) || entry->alias_ignore) continue; if (entry->name && strncmp((*t)->from, entry->name, len) == 0) { char *n = do_alias(*t, entry->name); diff --git a/parser/parser_merge.c b/parser/parser_merge.c index 489821841..edce208db 100644 --- a/parser/parser_merge.c +++ b/parser/parser_merge.c @@ -89,12 +89,12 @@ static int process_file_entries(Profile *prof) } /* check for merged x consistency */ - if (!is_merged_x_consistent(cur->mode, next->mode)) { + if (!is_merged_x_consistent(cur->perms, next->perms)) { PERROR(_("profile %s: has merged rule %s with conflicting x modifiers\n"), prof->name, cur->name); return -1; } - cur->mode |= next->mode; + cur->perms |= next->perms; cur->audit |= next->audit; cur->next = next->next; diff --git a/parser/parser_misc.c b/parser/parser_misc.c index 36d847ca2..7c38a9c3d 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -540,139 +540,139 @@ void warn_uppercase(void) } } -static int parse_sub_mode(const char *str_mode, const char *mode_desc unused) +static perms_t parse_sub_perms(const char *str_perms, const char *perms_desc unused) { -#define IS_DIFF_QUAL(mode, q) (((mode) & AA_MAY_EXEC) && (((mode) & AA_EXEC_TYPE) != ((q) & AA_EXEC_TYPE))) +#define IS_DIFF_QUAL(perms, q) (((perms) & AA_MAY_EXEC) && (((perms) & AA_EXEC_TYPE) != ((q) & AA_EXEC_TYPE))) - int mode = 0; + perms_t perms = 0; const char *p; - PDEBUG("Parsing mode: %s\n", str_mode); + PDEBUG("Parsing perms: %s\n", str_perms); - if (!str_mode) + if (!str_perms) return 0; - p = str_mode; + p = str_perms; while (*p) { char thisc = *p; char next = *(p + 1); char lower; - int tmode = 0; + perms_t tperms = 0; reeval: switch (thisc) { case COD_READ_CHAR: if (read_implies_exec) { - PDEBUG("Parsing mode: found %s READ imply X\n", mode_desc); - mode |= AA_MAY_READ | AA_OLD_EXEC_MMAP; + PDEBUG("Parsing perms: found %s READ imply X\n", perms_desc); + perms |= AA_MAY_READ | AA_OLD_EXEC_MMAP; } else { - PDEBUG("Parsing mode: found %s READ\n", mode_desc); - mode |= AA_MAY_READ; + PDEBUG("Parsing perms: found %s READ\n", perms_desc); + perms |= AA_MAY_READ; } break; case COD_WRITE_CHAR: - PDEBUG("Parsing mode: found %s WRITE\n", mode_desc); - if ((mode & AA_MAY_APPEND) && !(mode & AA_MAY_WRITE)) + PDEBUG("Parsing perms: found %s WRITE\n", perms_desc); + if ((perms & AA_MAY_APPEND) && !(perms & AA_MAY_WRITE)) yyerror(_("Conflict 'a' and 'w' perms are mutually exclusive.")); - mode |= AA_MAY_WRITE | AA_MAY_APPEND; + perms |= AA_MAY_WRITE | AA_MAY_APPEND; break; case COD_APPEND_CHAR: - PDEBUG("Parsing mode: found %s APPEND\n", mode_desc); - if (mode & AA_MAY_WRITE) + PDEBUG("Parsing perms: found %s APPEND\n", perms_desc); + if (perms & AA_MAY_WRITE) yyerror(_("Conflict 'a' and 'w' perms are mutually exclusive.")); - mode |= AA_MAY_APPEND; + perms |= AA_MAY_APPEND; break; case COD_LINK_CHAR: - PDEBUG("Parsing mode: found %s LINK\n", mode_desc); - mode |= AA_OLD_MAY_LINK; + PDEBUG("Parsing perms: found %s LINK\n", perms_desc); + perms |= AA_OLD_MAY_LINK; break; case COD_LOCK_CHAR: - PDEBUG("Parsing mode: found %s LOCK\n", mode_desc); - mode |= AA_OLD_MAY_LOCK; + PDEBUG("Parsing perms: found %s LOCK\n", perms_desc); + perms |= AA_OLD_MAY_LOCK; break; case COD_INHERIT_CHAR: - PDEBUG("Parsing mode: found INHERIT\n"); - if (mode & AA_EXEC_MODIFIERS) { + PDEBUG("Parsing perms: found INHERIT\n"); + if (perms & AA_EXEC_MODIFIERS) { yyerror(_("Exec qualifier 'i' invalid, conflicting qualifier already specified")); } else { if (next != tolower(next)) warn_uppercase(); - mode |= (AA_EXEC_INHERIT | AA_MAY_EXEC); + perms |= (AA_EXEC_INHERIT | AA_MAY_EXEC); p++; /* skip 'x' */ } break; case COD_UNSAFE_UNCONFINED_CHAR: - tmode = AA_EXEC_UNSAFE; + tperms = AA_EXEC_UNSAFE; pwarn(WARN_DANGEROUS, _("Unconfined exec qualifier (%c%c) allows some dangerous environment variables " "to be passed to the unconfined process; 'man 5 apparmor.d' for details.\n"), COD_UNSAFE_UNCONFINED_CHAR, COD_EXEC_CHAR); /* fall through */ case COD_UNCONFINED_CHAR: - tmode |= AA_EXEC_UNCONFINED | AA_MAY_EXEC; - PDEBUG("Parsing mode: found UNCONFINED\n"); - if (IS_DIFF_QUAL(mode, tmode)) { + tperms |= AA_EXEC_UNCONFINED | AA_MAY_EXEC; + PDEBUG("Parsing perms: found UNCONFINED\n"); + if (IS_DIFF_QUAL(perms, tperms)) { yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), thisc); } else { if (next != tolower(next)) warn_uppercase(); - mode |= tmode; + perms |= tperms; p++; /* skip 'x' */ } - tmode = 0; + tperms = 0; break; case COD_UNSAFE_PROFILE_CHAR: case COD_UNSAFE_LOCAL_CHAR: - tmode = AA_EXEC_UNSAFE; + tperms = AA_EXEC_UNSAFE; /* fall through */ case COD_PROFILE_CHAR: case COD_LOCAL_CHAR: if (tolower(thisc) == COD_UNSAFE_PROFILE_CHAR) - tmode |= AA_EXEC_PROFILE | AA_MAY_EXEC; + tperms |= AA_EXEC_PROFILE | AA_MAY_EXEC; else { - tmode |= AA_EXEC_LOCAL | AA_MAY_EXEC; + tperms |= AA_EXEC_LOCAL | AA_MAY_EXEC; } - PDEBUG("Parsing mode: found PROFILE\n"); + PDEBUG("Parsing perms: found PROFILE\n"); if (tolower(next) == COD_INHERIT_CHAR) { - tmode |= AA_EXEC_INHERIT; - if (IS_DIFF_QUAL(mode, tmode)) { + tperms |= AA_EXEC_INHERIT; + if (IS_DIFF_QUAL(perms, tperms)) { yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), thisc, next); } else { - mode |= tmode; + perms |= tperms; p += 2; /* skip x */ } } else if (tolower(next) == COD_UNSAFE_UNCONFINED_CHAR) { - tmode |= AA_EXEC_PUX; - if (IS_DIFF_QUAL(mode, tmode)) { + tperms |= AA_EXEC_PUX; + if (IS_DIFF_QUAL(perms, tperms)) { yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), thisc, next); } else { - mode |= tmode; + perms |= tperms; p += 2; /* skip x */ } - } else if (IS_DIFF_QUAL(mode, tmode)) { + } else if (IS_DIFF_QUAL(perms, tperms)) { yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), thisc); } else { if (next != tolower(next)) warn_uppercase(); - mode |= tmode; + perms |= tperms; p++; /* skip 'x' */ } - tmode = 0; + tperms = 0; break; case COD_MMAP_CHAR: - PDEBUG("Parsing mode: found %s MMAP\n", mode_desc); - mode |= AA_OLD_EXEC_MMAP; + PDEBUG("Parsing perms: found %s MMAP\n", perms_desc); + perms |= AA_OLD_EXEC_MMAP; break; case COD_EXEC_CHAR: @@ -680,7 +680,7 @@ reeval: * but invalid for regular x transitions * sort it out later. */ - mode |= AA_MAY_EXEC; + perms |= AA_MAY_EXEC; break; /* error cases */ @@ -695,13 +695,13 @@ reeval: case COD_INHERIT_CHAR: case COD_MMAP_CHAR: case COD_EXEC_CHAR: - PDEBUG("Parsing mode: found invalid upper case char %c\n", thisc); + PDEBUG("Parsing perms: found invalid upper case char %c\n", thisc); warn_uppercase(); thisc = lower; goto reeval; break; default: - yyerror(_("Internal: unexpected mode character '%c' in input"), + yyerror(_("Internal: unexpected perms character '%c' in input"), thisc); break; } @@ -711,33 +711,33 @@ reeval: p++; } - PDEBUG("Parsed mode: %s 0x%x\n", str_mode, mode); + PDEBUG("Parsed perms: %s 0x%x\n", str_perms, perms); - return mode; + return perms; } -int parse_mode(const char *str_mode) +perms_t parse_perms(const char *str_perms) { - int tmp, mode = 0; - tmp = parse_sub_mode(str_mode, ""); - mode = SHIFT_MODE(tmp, AA_USER_SHIFT); - mode |= SHIFT_MODE(tmp, AA_OTHER_SHIFT); - if (mode & ~AA_VALID_PERMS) - yyerror(_("Internal error generated invalid perm 0x%llx\n"), mode); - return mode; + perms_t tmp, perms = 0; + tmp = parse_sub_perms(str_perms, ""); + perms = SHIFT_PERMS(tmp, AA_USER_SHIFT); + perms |= SHIFT_PERMS(tmp, AA_OTHER_SHIFT); + if (perms & ~AA_VALID_PERMS) + yyerror(_("Internal error generated invalid perm 0x%llx\n"), perms); + return perms; } -static int parse_X_sub_mode(const char *X, const char *str_mode, int *result, int fail, const char *mode_desc unused) +static int parse_X_sub_perms(const char *X, const char *str_perms, perms_t *result, int fail, const char *perms_desc unused) { - int mode = 0; + perms_t perms = 0; const char *p; - PDEBUG("Parsing %s mode: %s\n", X, str_mode); + PDEBUG("Parsing %s perms: %s\n", X, str_perms); - if (!str_mode) + if (!str_perms) return 0; - p = str_mode; + p = str_perms; while (*p) { char current = *p; char lower; @@ -745,14 +745,14 @@ static int parse_X_sub_mode(const char *X, const char *str_mode, int *result, in reeval: switch (current) { case COD_READ_CHAR: - PDEBUG("Parsing %s mode: found %s READ\n", X, mode_desc); - mode |= AA_DBUS_RECEIVE; + PDEBUG("Parsing %s perms: found %s READ\n", X, perms_desc); + perms |= AA_DBUS_RECEIVE; break; case COD_WRITE_CHAR: - PDEBUG("Parsing %s mode: found %s WRITE\n", X, - mode_desc); - mode |= AA_DBUS_SEND; + PDEBUG("Parsing %s perms: found %s WRITE\n", X, + perms_desc); + perms |= AA_DBUS_SEND; break; /* error cases */ @@ -762,7 +762,7 @@ reeval: switch (lower) { case COD_READ_CHAR: case COD_WRITE_CHAR: - PDEBUG("Parsing %s mode: found invalid upper case char %c\n", + PDEBUG("Parsing %s perms: found invalid upper case char %c\n", X, current); warn_uppercase(); current = lower; @@ -770,7 +770,7 @@ reeval: break; default: if (fail) - yyerror(_("Internal: unexpected %s mode character '%c' in input"), + yyerror(_("Internal: unexpected %s perms character '%c' in input"), X, current); else return 0; @@ -781,21 +781,21 @@ reeval: p++; } - PDEBUG("Parsed %s mode: %s 0x%x\n", X, str_mode, mode); + PDEBUG("Parsed %s perms: %s 0x%x\n", X, str_perms, perms); - *result = mode; + *result = perms; return 1; } -int parse_X_mode(const char *X, int valid, const char *str_mode, int *mode, int fail) +int parse_X_perms(const char *X, int valid, const char *str_perms, perms_t *perms, int fail) { - *mode = 0; - if (!parse_X_sub_mode(X, str_mode, mode, fail, "")) + *perms = 0; + if (!parse_X_sub_perms(X, str_perms, perms, fail, "")) return 0; - if (*mode & ~valid) { + if (*perms & ~valid) { if (fail) yyerror(_("Internal error generated invalid %s perm 0x%x\n"), - X, mode); + X, perms); else return 0; } @@ -950,7 +950,7 @@ alloc_fail: return false; } -struct cod_entry *new_entry(char *id, int mode, char *link_id) +struct cod_entry *new_entry(char *id, perms_t perms, char *link_id) { struct cod_entry *entry = NULL; @@ -960,7 +960,7 @@ struct cod_entry *new_entry(char *id, int mode, char *link_id) entry->name = id; entry->link_name = link_id; - entry->mode = mode; + entry->perms = perms; entry->audit = 0; entry->deny = FALSE; @@ -984,7 +984,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig) DUP_STRING(orig, entry, name, err); DUP_STRING(orig, entry, link_name, err); DUP_STRING(orig, entry, nt_name, err); - entry->mode = orig->mode; + entry->perms = orig->perms; entry->audit = orig->audit; entry->deny = orig->deny; @@ -1043,20 +1043,20 @@ void debug_cod_entries(struct cod_entry *list) printf("--- Entries ---\n"); list_for_each(list, item) { - printf("Mode:\t"); - if (HAS_CHANGE_PROFILE(item->mode)) + printf("Perms:\t"); + if (HAS_CHANGE_PROFILE(item->perms)) printf(" change_profile"); - if (HAS_EXEC_UNSAFE(item->mode)) + if (HAS_EXEC_UNSAFE(item->perms)) printf(" unsafe"); - debug_base_perm_mask(SHIFT_TO_BASE(item->mode, AA_USER_SHIFT)); + debug_base_perm_mask(SHIFT_TO_BASE(item->perms, AA_USER_SHIFT)); printf(":"); - debug_base_perm_mask(SHIFT_TO_BASE(item->mode, AA_OTHER_SHIFT)); + debug_base_perm_mask(SHIFT_TO_BASE(item->perms, AA_OTHER_SHIFT)); if (item->name) printf("\tName:\t(%s)\n", item->name); else printf("\tName:\tNULL\n"); - if (AA_LINK_BITS & item->mode) + if (AA_LINK_BITS & item->perms) printf("\tlink:\t(%s)\n", item->link_name ? item->link_name : "/**"); } diff --git a/parser/parser_policy.c b/parser/parser_policy.c index 2f66ab26f..cbf17677c 100644 --- a/parser/parser_policy.c +++ b/parser/parser_policy.c @@ -101,10 +101,10 @@ static int add_named_transition(Profile *prof, struct cod_entry *entry) free(entry->nt_name); entry->nt_name = NULL; return AA_EXEC_LOCAL >> 10; - } else if (((entry->mode & AA_USER_EXEC_MODIFIERS) == - SHIFT_MODE(AA_EXEC_LOCAL, AA_USER_SHIFT)) || - ((entry->mode & AA_OTHER_EXEC_MODIFIERS) == - SHIFT_MODE(AA_EXEC_LOCAL, AA_OTHER_SHIFT))) { + } else if (((entry->perms & AA_USER_EXEC_MODIFIERS) == + SHIFT_PERMS(AA_EXEC_LOCAL, AA_USER_SHIFT)) || + ((entry->perms & AA_OTHER_EXEC_MODIFIERS) == + SHIFT_PERMS(AA_EXEC_LOCAL, AA_OTHER_SHIFT))) { if (strcmp(entry->nt_name, entry->name) == 0) { free(entry->nt_name); entry->nt_name = NULL; @@ -199,31 +199,31 @@ static bool add_proc_access(Profile *prof, const char *rule) void post_process_file_entries(Profile *prof) { struct cod_entry *entry; - int cp_mode = 0; + perms_t cp_perms = 0; list_for_each(prof->entries, entry) { if (entry->nt_name) { - int mode = 0; + perms_t perms = 0; int n = add_named_transition(prof, entry); if (!n) { PERROR("Profile %s has too many specified profile transitions.\n", prof->name); exit(1); } - if (entry->mode & AA_USER_EXEC) - mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT); - if (entry->mode & AA_OTHER_EXEC) - mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT); - entry->mode = ((entry->mode & ~AA_ALL_EXEC_MODIFIERS) | - (mode & AA_ALL_EXEC_MODIFIERS)); + if (entry->perms & AA_USER_EXEC) + perms |= SHIFT_PERMS(n << 10, AA_USER_SHIFT); + if (entry->perms & AA_OTHER_EXEC) + perms |= SHIFT_PERMS(n << 10, AA_OTHER_SHIFT); + entry->perms = ((entry->perms & ~AA_ALL_EXEC_MODIFIERS) | + (perms & AA_ALL_EXEC_MODIFIERS)); } /* FIXME: currently change_profile also implies onexec */ - cp_mode |= entry->mode & (AA_CHANGE_PROFILE); + cp_perms |= entry->perms & (AA_CHANGE_PROFILE); } /* if there are change_profile rules, this implies that we need * access to some /proc/ interfaces */ - if (cp_mode & AA_CHANGE_PROFILE) { + if (cp_perms & AA_CHANGE_PROFILE) { if (!add_proc_access(prof, CHANGEPROFILE_PATH)) exit(1); } diff --git a/parser/parser_regex.c b/parser/parser_regex.c index 8cd8f15d3..517b7e472 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -575,7 +575,7 @@ build: static int warn_change_profile = 1; -static bool is_change_profile_mode(int mode) +static bool is_change_profile_perms(perms_t perms) { /** * A change_profile entry will have the AA_CHANGE_PROFILE bit set. @@ -583,13 +583,13 @@ static bool is_change_profile_mode(int mode) * set by the frontend parser. That means that it is incorrect to * identify change_profile modes using a test like this: * - * (mode & ~AA_CHANGE_PROFILE) + * (perms & ~AA_CHANGE_PROFILE) * * The above test would incorrectly return true on a * change_profile mode that has the * (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE) bits set. */ - return mode & AA_CHANGE_PROFILE; + return perms & AA_CHANGE_PROFILE; } static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) @@ -602,7 +602,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) return TRUE; - if (!is_change_profile_mode(entry->mode)) + if (!is_change_profile_perms(entry->perms)) filter_slashes(entry->name); ptype = convert_aaregex_to_pcre(entry->name, 0, glob_default, tbuf, &pos); if (ptype == ePatternInvalid) @@ -613,10 +613,10 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) /* ix implies m but the apparmor module does not add m bit to * dfa states like it does for pcre */ - if ((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_INHERIT) - entry->mode |= AA_OLD_EXEC_MMAP << AA_OTHER_SHIFT; - if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT) - entry->mode |= AA_OLD_EXEC_MMAP << AA_USER_SHIFT; + if ((entry->perms >> AA_OTHER_SHIFT) & AA_EXEC_INHERIT) + entry->perms |= AA_OLD_EXEC_MMAP << AA_OTHER_SHIFT; + if ((entry->perms >> AA_USER_SHIFT) & AA_EXEC_INHERIT) + entry->perms |= AA_OLD_EXEC_MMAP << AA_USER_SHIFT; /* the link bit on the first pair entry should not get masked * out by a deny rule, as both pieces of the link pair must @@ -628,23 +628,23 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) * TODO: split link and change_profile entries earlier */ if (entry->deny) { - if ((entry->mode & ~AA_LINK_BITS) && - !is_change_profile_mode(entry->mode) && + if ((entry->perms & ~AA_LINK_BITS) && + !is_change_profile_perms(entry->perms) && !dfarules->add_rule(tbuf.c_str(), entry->deny, - entry->mode & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), + entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), entry->audit & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), dfaflags)) return FALSE; - } else if (!is_change_profile_mode(entry->mode)) { - if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->mode, + } else if (!is_change_profile_perms(entry->perms)) { + if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms, entry->audit, dfaflags)) return FALSE; } - if (entry->mode & (AA_LINK_BITS)) { + if (entry->perms & (AA_LINK_BITS)) { /* add the pair rule */ std::string lbuf; - int perms = AA_LINK_BITS & entry->mode; + int perms = AA_LINK_BITS & entry->perms; const char *vec[2]; int pos; vec[0] = tbuf.c_str(); @@ -663,7 +663,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit & AA_LINK_BITS, 2, vec, dfaflags, false)) return FALSE; } - if (is_change_profile_mode(entry->mode)) { + if (is_change_profile_perms(entry->perms)) { const char *vec[3]; std::string lbuf, xbuf; autofree char *ns = NULL; @@ -725,7 +725,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) * pick up any exec bits, from the frontend parser, related to * unsafe exec transitions */ - onexec_perms |= (entry->mode & (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE)); + onexec_perms |= (entry->perms & (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE)); if (!dfarules->add_rule_vec(entry->deny, onexec_perms, 0, index, vec, dfaflags, false)) return FALSE; diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index f8a6baa59..c325b0249 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -63,10 +63,10 @@ int parser_token = 0; -struct cod_entry *do_file_rule(char *id, int mode, char *link_id, char *nt); +struct cod_entry *do_file_rule(char *id, perms_t perms, char *link_id, char *nt); mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src, struct cond_entry *dst_conds, char *dst, - int mode); + perms_t perms); mnt_rule *do_pivot_rule(struct cond_entry *old, char *root, char *transition); static void abi_features(char *filename, bool search); @@ -202,7 +202,7 @@ void add_local_entry(Profile *prof); mqueue_rule *mqueue_entry; flagvals flags; - int fmode; + perms_t fperms; uint64_t cap; unsigned int allowed_protocol; char *set_var; @@ -220,7 +220,7 @@ void add_local_entry(Profile *prof); %type TOK_CONDID %type TOK_CONDLISTID %type TOK_MODE -%type file_mode +%type file_perms %type profile_base %type profile %type rules @@ -259,33 +259,33 @@ void add_local_entry(Profile *prof); %type opt_perm_mode %type opt_id %type opt_prefix -%type dbus_perm -%type dbus_perms -%type opt_dbus_perm +%type dbus_perm +%type dbus_perms +%type opt_dbus_perm %type dbus_rule -%type signal_perm -%type signal_perms -%type opt_signal_perm +%type signal_perm +%type signal_perms +%type opt_signal_perm %type signal_rule -%type ptrace_perm -%type ptrace_perms -%type opt_ptrace_perm +%type ptrace_perm +%type ptrace_perms +%type opt_ptrace_perm %type ptrace_rule -%type net_perm -%type net_perms -%type opt_net_perm +%type net_perm +%type net_perms +%type opt_net_perm %type unix_rule %type opt_target %type opt_named_transition %type opt_exec_mode %type opt_file -%type userns_perm -%type userns_perms -%type opt_userns_perm +%type userns_perm +%type userns_perms +%type opt_userns_perm %type userns_rule -%type mqueue_perm -%type mqueue_perms -%type opt_mqueue_perm +%type mqueue_perm +%type mqueue_perms +%type opt_mqueue_perm %type mqueue_rule %% @@ -686,21 +686,21 @@ rules: rules opt_prefix rule if (!$3) yyerror(_("Assert: `rule' returned NULL.")); $3->deny = $2.deny; - if (($2.deny && ($3->mode & AA_EXEC_BITS) && - ($3->mode & ALL_AA_EXEC_TYPE))) - yyerror(_("Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'")); - else if (!$2.deny && ($3->mode & AA_EXEC_BITS) && - !($3->mode & ALL_AA_EXEC_TYPE) && + if (($2.deny && ($3->perms & AA_EXEC_BITS) && + ($3->perms & ALL_AA_EXEC_TYPE))) + yyerror(_("Invalid perms, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'")); + else if (!$2.deny && ($3->perms & AA_EXEC_BITS) && + !($3->perms & ALL_AA_EXEC_TYPE) && !($3->nt_name)) - yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'")); + yyerror(_("Invalid perms, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'")); if ($2.owner == 1) - $3->mode &= (AA_USER_PERMS | AA_SHARED_PERMS); + $3->perms &= (AA_USER_PERMS | AA_SHARED_PERMS); else if ($2.owner == 2) - $3->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS); + $3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); /* only set audit ctl quieting if the rule is not audited */ if (($2.deny && !$2.audit) || (!$2.deny && $2.audit)) - $3->audit = $3->mode & ~ALL_AA_EXEC_TYPE; + $3->audit = $3->perms & ~ALL_AA_EXEC_TYPE; add_entry_to_policy($1, $3); $$ = $1; @@ -717,23 +717,23 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE $2.deny ? "deny " : "", $2.owner ? "owner " : ""); list_for_each_safe($4->entries, entry, tmp) { entry->next = NULL; - if (entry->mode & AA_EXEC_BITS) { + if (entry->perms & AA_EXEC_BITS) { if (entry->deny && - (entry->mode & ALL_AA_EXEC_TYPE)) - yyerror(_("Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'")); + (entry->perms & ALL_AA_EXEC_TYPE)) + yyerror(_("Invalid perms, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'")); else if (!entry->deny && - !(entry->mode & ALL_AA_EXEC_TYPE)) - yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'")); + !(entry->perms & ALL_AA_EXEC_TYPE)) + yyerror(_("Invalid perms, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'")); } if ($2.owner == 1) - entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS); + entry->perms &= (AA_USER_PERMS | AA_SHARED_PERMS); else if ($2.owner == 2) - entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS); + entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); if ($2.audit && !entry->deny) - entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE; + entry->audit = entry->perms & ~ALL_AA_EXEC_TYPE; else if (!$2.audit && entry->deny) - entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE; + entry->audit = entry->perms & ~ALL_AA_EXEC_TYPE; add_entry_to_policy($1, entry); } $4->entries = NULL; @@ -817,9 +817,9 @@ rules: rules opt_prefix dbus_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = $3->mode; + $3->audit = $3->perms; } else if ($2.audit) { - $3->audit = $3->mode; + $3->audit = $3->perms; } $1->rule_ents.push_back($3); $$ = $1; @@ -833,9 +833,9 @@ rules: rules opt_prefix signal_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = $3->mode; + $3->audit = $3->perms; } else if ($2.audit) { - $3->audit = $3->mode; + $3->audit = $3->perms; } $1->rule_ents.push_back($3); $$ = $1; @@ -849,9 +849,9 @@ rules: rules opt_prefix ptrace_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = $3->mode; + $3->audit = $3->perms; } else if ($2.audit) { - $3->audit = $3->mode; + $3->audit = $3->perms; } $1->rule_ents.push_back($3); $$ = $1; @@ -865,9 +865,9 @@ rules: rules opt_prefix unix_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = $3->mode; + $3->audit = $3->perms; } else if ($2.audit) { - $3->audit = $3->mode; + $3->audit = $3->perms; } $1->rule_ents.push_back($3); $$ = $1; @@ -881,9 +881,9 @@ rules: rules opt_prefix userns_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = $3->mode; + $3->audit = $3->perms; } else if ($2.audit) { - $3->audit = $3->mode; + $3->audit = $3->perms; } $1->rule_ents.push_back($3); $$ = $1; @@ -901,9 +901,9 @@ rules: rules opt_prefix change_profile $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = $3->mode; + $3->audit = $3->perms; } else if ($2.audit) { - $3->audit = $3->mode; + $3->audit = $3->perms; } add_entry_to_policy($1, $3); $$ = $1; @@ -936,9 +936,9 @@ rules: rules opt_prefix mqueue_rule $3->deny = 1; } else if ($2.deny) { $3->deny = 1; - $3->audit = $3->mode; + $3->audit = $3->perms; } else if ($2.audit) { - $3->audit = $3->mode; + $3->audit = $3->perms; } $1->rule_ents.push_back($3); $$ = $1; @@ -1183,12 +1183,12 @@ opt_exec_mode: { /* nothing */ $$ = EXEC_MODE_EMPTY; } opt_file: { /* nothing */ $$ = 0; } | TOK_FILE { $$ = 1; } -frule: id_or_var file_mode opt_named_transition TOK_END_OF_RULE +frule: id_or_var file_perms opt_named_transition TOK_END_OF_RULE { $$ = do_file_rule($1, $2, NULL, $3); }; -frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE +frule: file_perms opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE { if ($2 && ($1 & ~AA_LINK_BITS)) yyerror(_("subset can only be used with link rules.")); @@ -1223,19 +1223,19 @@ file_rule: TOK_FILE TOK_END_OF_RULE file_rule_tail: opt_exec_mode frule { if ($1 != EXEC_MODE_EMPTY) { - if (!($2->mode & AA_EXEC_BITS)) + if (!($2->perms & AA_EXEC_BITS)) yyerror(_("unsafe rule missing exec permissions")); if ($1 == EXEC_MODE_UNSAFE) { - $2->mode |= (($2->mode & AA_EXEC_BITS) << 8) & + $2->perms |= (($2->perms & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE; } else if ($1 == EXEC_MODE_SAFE) - $2->mode &= ~ALL_AA_EXEC_UNSAFE; + $2->perms &= ~ALL_AA_EXEC_UNSAFE; } $$ = $2; }; -file_rule_tail: opt_exec_mode id_or_var file_mode id_or_var +file_rule_tail: opt_exec_mode id_or_var file_perms id_or_var { /* Oopsie, we appear to be missing an EOL marker. If we * were *smart*, we could work around it. Since we're @@ -1387,7 +1387,7 @@ dbus_perm: TOK_VALUE else if (strcmp($1, "eavesdrop") == 0) $$ = AA_DBUS_EAVESDROP; else if ($1) { - parse_dbus_mode($1, &$$, 1); + parse_dbus_perms($1, &$$, 1); } else $$ = 0; @@ -1402,7 +1402,7 @@ dbus_perm: TOK_VALUE | TOK_EAVESDROP { $$ = AA_DBUS_EAVESDROP; } | TOK_MODE { - parse_dbus_mode($1, &$$, 1); + parse_dbus_perms($1, &$$, 1); free($1); } @@ -1457,7 +1457,7 @@ net_perm: TOK_VALUE else if (strcmp($1, "receive") == 0 || strcmp($1, "read") == 0) $$ = AA_NET_RECEIVE; else if ($1) { - parse_net_mode($1, &$$, 1); + parse_net_perms($1, &$$, 1); } else $$ = 0; @@ -1480,7 +1480,7 @@ net_perm: TOK_VALUE | TOK_WRITE { $$ = AA_NET_SEND; } | TOK_MODE { - parse_unix_mode($1, &$$, 1); + parse_unix_perms($1, &$$, 1); free($1); } @@ -1515,7 +1515,7 @@ signal_perm: TOK_VALUE else if (strcmp($1, "receive") == 0 || strcmp($1, "read") == 0) $$ = AA_MAY_RECEIVE; else if ($1) { - parse_signal_mode($1, &$$, 1); + parse_signal_perms($1, &$$, 1); } else $$ = 0; @@ -1528,7 +1528,7 @@ signal_perm: TOK_VALUE | TOK_WRITE { $$ = AA_MAY_SEND; } | TOK_MODE { - parse_signal_mode($1, &$$, 1); + parse_signal_perms($1, &$$, 1); free($1); } @@ -1557,7 +1557,7 @@ ptrace_perm: TOK_VALUE else if (strcmp($1, "readby") == 0) $$ = AA_MAY_READBY; else if ($1) - parse_ptrace_mode($1, &$$, 1); + parse_ptrace_perms($1, &$$, 1); else $$ = 0; @@ -1571,7 +1571,7 @@ ptrace_perm: TOK_VALUE | TOK_READBY { $$ = AA_MAY_READBY; } | TOK_MODE { - parse_ptrace_mode($1, &$$, 1); + parse_ptrace_perms($1, &$$, 1); free($1); } @@ -1632,7 +1632,7 @@ mqueue_perm: TOK_VALUE else if (strcmp($1, "read") == 0) $$ = AA_MQUEUE_READ; else if ($1) { - parse_mqueue_mode($1, &$$, 1); + parse_mqueue_perms($1, &$$, 1); } else $$ = 0; @@ -1648,7 +1648,7 @@ mqueue_perm: TOK_VALUE | TOK_READ { $$ = AA_MQUEUE_READ; } | TOK_MODE { - parse_mqueue_mode($1, &$$, 1); + parse_mqueue_perms($1, &$$, 1); free($1); } @@ -1674,18 +1674,18 @@ mqueue_rule: TOK_MQUEUE opt_mqueue_perm opt_conds TOK_END_OF_RULE hat_start: TOK_CARET {} | TOK_HAT {} -file_mode: TOK_MODE +file_perms: TOK_MODE { /* A single TOK_MODE maps to the same permission in all * of user::other */ - $$ = parse_mode($1); + $$ = parse_perms($1); free($1); } change_profile: TOK_CHANGE_PROFILE opt_exec_mode opt_id opt_named_transition TOK_END_OF_RULE { struct cod_entry *entry; - int mode = AA_CHANGE_PROFILE; + perms_t perms = AA_CHANGE_PROFILE; int exec_mode = $2; char *exec = $3; char *target = $4; @@ -1694,9 +1694,9 @@ change_profile: TOK_CHANGE_PROFILE opt_exec_mode opt_id opt_named_transition TOK /* exec bits required to trigger rule conflict if * for overlapping safe and unsafe exec rules */ - mode |= AA_EXEC_BITS; + perms |= AA_EXEC_BITS; if (exec_mode == EXEC_MODE_UNSAFE) - mode |= ALL_AA_EXEC_UNSAFE; + perms |= ALL_AA_EXEC_UNSAFE; else if (exec_mode == EXEC_MODE_SAFE && !features_supports_stacking) { pwarn(WARN_RULE_DOWNGRADED, "downgrading change_profile safe rule to unsafe due to lack of necessary kernel support\n"); @@ -1720,7 +1720,7 @@ change_profile: TOK_CHANGE_PROFILE opt_exec_mode opt_id opt_named_transition TOK yyerror(_("Memory allocation error.")); } - entry = new_entry(target, mode, exec); + entry = new_entry(target, perms, exec); if (!entry) yyerror(_("Memory allocation error.")); @@ -1793,11 +1793,11 @@ void yyerror(const char *msg, ...) exit(1); } -struct cod_entry *do_file_rule(char *id, int mode, char *link_id, char *nt) +struct cod_entry *do_file_rule(char *id, perms_t perms, char *link_id, char *nt) { struct cod_entry *entry; - PDEBUG("Matched: tok_id (%s) tok_mode (0x%x)\n", id, mode); - entry = new_entry(id, mode, link_id); + PDEBUG("Matched: tok_id (%s) tok_perms (0x%x)\n", id, perms); + entry = new_entry(id, perms, link_id); if (!entry) yyerror(_("Memory allocation error.")); entry->nt_name = nt; @@ -1811,7 +1811,7 @@ struct cod_entry *do_file_rule(char *id, int mode, char *link_id, char *nt) void add_local_entry(Profile *prof) { /* ugh this has to be called after the hat is attached to its parent */ - if (prof->local_mode) { + if (prof->local_perms) { struct cod_entry *entry; char *trans = (char *) malloc(strlen(prof->parent->name) + strlen(prof->name) + 3); @@ -1820,7 +1820,7 @@ void add_local_entry(Profile *prof) yyerror(_("Memory allocation error.")); sprintf(name, "%s//%s", prof->parent->name, prof->name); - entry = new_entry(name, prof->local_mode, NULL); + entry = new_entry(name, prof->local_perms, NULL); entry->audit = prof->local_audit; entry->nt_name = trans; if (!entry) @@ -1859,7 +1859,7 @@ int verify_mnt_conds(struct cond_entry *conds, int src) mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src, struct cond_entry *dst_conds, char *dst, - int mode) + perms_t perms) { if (verify_mnt_conds(src_conds, MNT_SRC_OPT) != 0) yyerror(_("bad mount rule")); @@ -1871,7 +1871,7 @@ mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src, if (dst_conds) yyerror(_("mount point conditions not currently supported")); - mnt_rule *ent = new mnt_rule(src_conds, src, dst_conds, dst, mode); + mnt_rule *ent = new mnt_rule(src_conds, src, dst_conds, dst, perms); if (!ent) { yyerror(_("Memory allocation error.")); } diff --git a/parser/profile.h b/parser/profile.h index 5606baa46..59ba23309 100644 --- a/parser/profile.h +++ b/parser/profile.h @@ -190,7 +190,7 @@ public: /* char *sub_name; */ /* subdomain name or NULL */ /* int default_deny; */ /* TRUE or FALSE */ int local; - int local_mode; /* true if local, not hat */ + perms_t local_perms; int local_audit; Profile *parent; @@ -221,7 +221,8 @@ public: xattrs.list = NULL; xattrs.name = NULL; - local = local_mode = local_audit = 0; + local_perms = 0; + local = local_audit = 0; parent = NULL; diff --git a/parser/ptrace.cc b/parser/ptrace.cc index d13a7fade..19005cc51 100644 --- a/parser/ptrace.cc +++ b/parser/ptrace.cc @@ -24,9 +24,9 @@ #include #include -int parse_ptrace_mode(const char *str_mode, int *mode, int fail) +int parse_ptrace_perms(const char *str_perms, perms_t *perms, int fail) { - return parse_X_mode("ptrace", AA_VALID_PTRACE_PERMS, str_mode, mode, fail); + return parse_X_perms("ptrace", AA_VALID_PTRACE_PERMS, str_perms, perms, fail); } void ptrace_rule::move_conditionals(struct cond_entry *conds) @@ -47,15 +47,15 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds) } } -ptrace_rule::ptrace_rule(int mode_p, struct cond_entry *conds): +ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds): peer_label(NULL), audit(0), deny(0) { - if (mode_p) { - if (mode_p & ~AA_VALID_PTRACE_PERMS) - yyerror("mode contains invalid permissions for ptrace\n"); - mode = mode_p; + if (perms_p) { + if (perms_p & ~AA_VALID_PTRACE_PERMS) + yyerror("perms contains invalid permissions for ptrace\n"); + perms = perms_p; } else { - mode = AA_VALID_PTRACE_PERMS; + perms = AA_VALID_PTRACE_PERMS; } move_conditionals(conds); @@ -71,16 +71,16 @@ ostream &ptrace_rule::dump(ostream &os) os << "ptrace"; - if (mode != AA_VALID_PTRACE_PERMS) { + if (perms != AA_VALID_PTRACE_PERMS) { os << " ("; - if (mode & AA_MAY_READ) + if (perms & AA_MAY_READ) os << "read "; - if (mode & AA_MAY_READBY) + if (perms & AA_MAY_READBY) os << "readby "; - if (mode & AA_MAY_TRACE) + if (perms & AA_MAY_TRACE) os << "trace "; - if (mode & AA_MAY_TRACEDBY) + if (perms & AA_MAY_TRACEDBY) os << "tracedby "; os << ")"; } @@ -136,8 +136,8 @@ int ptrace_rule::gen_policy_re(Profile &prof) } buf = buffer.str(); - if (mode & AA_VALID_PTRACE_PERMS) { - if (!prof.policy.rules->add_rule(buf.c_str(), deny, mode, audit, + if (perms & AA_VALID_PTRACE_PERMS) { + if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit, dfaflags)) goto fail; } diff --git a/parser/ptrace.h b/parser/ptrace.h index 8c320c076..966ab2bd8 100644 --- a/parser/ptrace.h +++ b/parser/ptrace.h @@ -27,17 +27,17 @@ #define AA_VALID_PTRACE_PERMS (AA_MAY_READ | AA_MAY_TRACE | AA_MAY_READBY | \ AA_MAY_TRACEDBY) -int parse_ptrace_mode(const char *str_mode, int *mode, int fail); +int parse_ptrace_perms(const char *str_perms, perms_t *perms, int fail); class ptrace_rule: public rule_t { void move_conditionals(struct cond_entry *conds); public: char *peer_label; - int mode; + perms_t perms; int audit; int deny; - ptrace_rule(int mode, struct cond_entry *conds); + ptrace_rule(perms_t perms, struct cond_entry *conds); virtual ~ptrace_rule() { free(peer_label); diff --git a/parser/signal.cc b/parser/signal.cc index c80dab6fb..629459224 100644 --- a/parser/signal.cc +++ b/parser/signal.cc @@ -116,9 +116,9 @@ static const char *const sig_names[MAXMAPPED_SIG + 1] = { }; -int parse_signal_mode(const char *str_mode, int *mode, int fail) +int parse_signal_perms(const char *str_perms, perms_t *perms, int fail) { - return parse_X_mode("signal", AA_VALID_SIGNAL_PERMS, str_mode, mode, fail); + return parse_X_perms("signal", AA_VALID_SIGNAL_PERMS, str_perms, perms, fail); } static int find_signal_mapping(const char *sig) @@ -173,15 +173,15 @@ void signal_rule::move_conditionals(struct cond_entry *conds) } } -signal_rule::signal_rule(int mode_p, struct cond_entry *conds): +signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds): signals(), peer_label(NULL), audit(0), deny(0) { - if (mode_p) { - mode = mode_p; - if (mode & ~AA_VALID_SIGNAL_PERMS) - yyerror("mode contains invalid permission for signals\n"); + if (perms_p) { + perms = perms_p; + if (perms & ~AA_VALID_SIGNAL_PERMS) + yyerror("perms contains invalid permission for signals\n"); } else { - mode = AA_VALID_SIGNAL_PERMS; + perms = AA_VALID_SIGNAL_PERMS; } move_conditionals(conds); @@ -198,12 +198,12 @@ ostream &signal_rule::dump(ostream &os) os << "signal"; - if (mode != AA_VALID_SIGNAL_PERMS) { + if (perms != AA_VALID_SIGNAL_PERMS) { os << " ("; - if (mode & AA_MAY_SEND) + if (perms & AA_MAY_SEND) os << "send "; - if (mode & AA_MAY_RECEIVE) + if (perms & AA_MAY_RECEIVE) os << "receive "; os << ")"; } @@ -291,8 +291,8 @@ int signal_rule::gen_policy_re(Profile &prof) } buf = buffer.str(); - if (mode & (AA_MAY_SEND | AA_MAY_RECEIVE)) { - if (!prof.policy.rules->add_rule(buf.c_str(), deny, mode, audit, + if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) { + if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit, dfaflags)) goto fail; } diff --git a/parser/signal.h b/parser/signal.h index b73aeb68a..dc5d19368 100644 --- a/parser/signal.h +++ b/parser/signal.h @@ -31,7 +31,7 @@ typedef set Signals; -int parse_signal_mode(const char *str_mode, int *mode, int fail); +int parse_signal_perms(const char *str_perms, perms_t *perms, int fail); class signal_rule: public rule_t { void extract_sigs(struct value_list **list); @@ -39,11 +39,11 @@ class signal_rule: public rule_t { public: Signals signals; char *peer_label; - int mode; + perms_t perms; int audit; int deny; - signal_rule(int mode, struct cond_entry *conds); + signal_rule(perms_t perms, struct cond_entry *conds); virtual ~signal_rule() { signals.clear(); free(peer_label); diff --git a/parser/userns.cc b/parser/userns.cc index a83d05904..203726d3d 100644 --- a/parser/userns.cc +++ b/parser/userns.cc @@ -40,17 +40,17 @@ void userns_rule::move_conditionals(struct cond_entry *conds) } } -userns_rule::userns_rule(int mode_p, struct cond_entry *conds): +userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds): audit(0), deny(0) { - if (mode_p) { - if (mode_p & ~AA_VALID_USERNS_PERMS) - yyerror("mode contains invalid permissions for userns\n"); - mode = mode_p; + if (perms_p) { + if (perms_p & ~AA_VALID_USERNS_PERMS) + yyerror("perms contains invalid permissions for userns\n"); + perms = perms_p; } else { /* default to all perms */ - mode = AA_VALID_USERNS_PERMS; + perms = AA_VALID_USERNS_PERMS; } move_conditionals(conds); @@ -66,8 +66,8 @@ ostream &userns_rule::dump(ostream &os) os << "userns "; - if (mode != AA_VALID_USERNS_PERMS) { - if (mode & AA_USERNS_CREATE) + if (perms != AA_VALID_USERNS_PERMS) { + if (perms & AA_USERNS_CREATE) os << "create "; } @@ -99,8 +99,8 @@ int userns_rule::gen_policy_re(Profile &prof) buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NS; buf = buffer.str(); - if (mode & AA_VALID_USERNS_PERMS) { - if (!prof.policy.rules->add_rule(buf.c_str(), deny, mode, audit, + if (perms & AA_VALID_USERNS_PERMS) { + if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit, dfaflags)) goto fail; } diff --git a/parser/userns.h b/parser/userns.h index 9337da285..52f727841 100644 --- a/parser/userns.h +++ b/parser/userns.h @@ -26,11 +26,11 @@ class userns_rule: public rule_t { void move_conditionals(struct cond_entry *conds); public: - int mode; + perms_t perms; int audit; int deny; - userns_rule(int mode, struct cond_entry *conds); + userns_rule(perms_t perms, struct cond_entry *conds); virtual ~userns_rule() { };