diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index 4e252b3f8..075e29c35 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -545,6 +545,7 @@ int sd_serialize_xtable(sd_serialize *p, char **table)
 if (!sd_write_array(p, NULL, count))
 return 0;
+
 for (i = 4; i < count + 4; i++) {
 int len = strlen(table[i]) + 1;
@@ -555,11 +556,13 @@ int sd_serialize_xtable(sd_serialize *p, char **table)
 char *tmp = table[i] + 1;
 strsep(&tmp, ":");
 }
- if (!sd_write_strn(p, table[i], len, NULL));
+ if (!sd_write_strn(p, table[i], len, NULL))
 return 0;
+ }
 if (!sd_write_arrayend(p))
 return 0;
+
 if (!sd_write_structend(p))
 return 0;
 return 1;
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index 049d1483d..2f48a6ec7 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
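Review bot: The loop now returns 0 when sd_write_strn() fails, but the bound `i < count + 4` still passes `table[i]` straight to strlen() with no NULL check, which is only safe if the entries that were counted into `count` sit contiguously from index 4; the hunk does not show how `count` is computed (add_named_transition in parser_policy.c fills the first free slot, so the invariant appears to hold, but it is unstated). I would record it above the loop, `/* exec_table is packed from index 4 (add_named_transition takes the first free slot), so table[4..count+3] are non-NULL */`, and fail loudly rather than crash if it ever breaks: `if (!table[i]) return 0;` as the first statement of the loop body. `int len = strlen(table[i]) + 1;` also narrows a size_t to int; `size_t len` would be the natural type, hedged because sd_write_strn's prototype is not in the hunk. sd_serialize_xtable begins before the hunk.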
@@ -93,32 +93,57 @@ void add_hat_to_policy(struct codomain *cod, struct codomain *hat)
 }
 }
-static int add_named_transition(struct codomain *cod, char *namespace, char *trans)
+static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
 {
 char *name = NULL;
 int i;
 /* check to see if it is a local transition */
- if (!namespace) {
- if (strstr(name, "//")) {
- free(trans);
- return AA_EXEC_LOCAL;
+ if (!entry->namespace) {
+ char *sub = strstr(entry->nt_name, "//");
+ /* does the subprofile name match the rule */
+ if (sub && strncmp(cod->name, sub, sub - entry->nt_name) &&
+ strcmp(sub + 2, entry->name) == 0) {
+ free(entry->nt_name);
+ entry->nt_name = NULL;
+ return AA_EXEC_LOCAL >> 10;
+ } else if (((entry->mode & AA_USER_EXEC_MODIFIERS) ==
+ SHIFT_MODE(AA_EXEC_LOCAL, AA_USER_SHIFT)) ||
+ ((entry->mode & AA_OTHER_EXEC_MODIFIERS) ==
+ SHIFT_MODE(AA_EXEC_LOCAL, AA_OTHER_SHIFT))) {
+ if (strcmp(entry->nt_name, entry->name) == 0) {
+ free(entry->nt_name);
+ entry->nt_name = NULL;
+ return AA_EXEC_LOCAL >> 10;
+ }
+ /* specified as cix so profile name is implicit */
+ name = malloc(strlen(cod->name) + strlen(entry->nt_name)
+ + 3);
+ if (!name) {
+ PERROR("Memory allocation error\n");
+ exit(1);
+ }
+ sprintf(name, "%s//%s", cod->name, entry->nt_name);
+ free(entry->nt_name);
+ entry->nt_name = name;
 }
 }
- if (namespace) {
- name = malloc(strlen(namespace) + strlen(trans) + 3);
+ if (entry->namespace) {
+ name = malloc(strlen(entry->namespace) + strlen(entry->nt_name) + 3);
 if (!name) {
 PERROR("Memory allocation error\n");
 exit(1);
 }
- sprintf(name, ":%s:%s", namespace, trans);
- free(namespace);
- free(trans);
+ sprintf(name, ":%s:%s", entry->namespace, entry->nt_name);
+ free(entry->namespace);
+ free(entry->nt_name);
+ entry->namespace = NULL;
+ entry->nt_name = NULL;
 } else {
- name = trans;
+ name = entry->nt_name;
 }
- for (i = (AA_EXEC_LOCAL + 1) >> 10; i < AA_EXEC_COUNT; i++) {
+ for (i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++) {
 if (!cod->exec_table[i]) {
 cod->exec_table[i] = name;
 return i;
@@ -136,10 +161,11 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
 {
 if (entry->nt_name) {
 int mode = 0;
- int n = add_named_transition(cod, entry->namespace, entry->nt_name);
- if (!n)
+ int n = add_named_transition(cod, entry);
+ if (!n) {
 PERROR("Profile %s has to many specified profile transitions.\n", cod->name);
- exit(1);
+ exit(1);
+ }
 if (entry->mode & AA_USER_EXEC)
 mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT);
 if (entry->mode & AA_OTHER_EXEC)
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index c50e30f76..346e93883 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -631,7 +631,6 @@ rules: rules hat
 $$ = $1;
 };
-/*
 rules: rules local_profile
 {
 PDEBUG("Matched: hat rule\n");
@@ -641,7 +640,6 @@ rules: rules local_profile
 add_local_entry($2);
 $$ = $1;
 };
-*/
 rules: rules cond_rule
 {
@@ -924,6 +922,7 @@ hat: hat_start TOK_ID flags TOK_OPEN rules TOK_CLOSE
 $$ = cod;
 };
+/*
 local_profile: opt_audit_flag opt_owner_flag TOK_ID file_mode TOK_ARROW TOK_OPEN rules TOK_CLOSE
 {
 int audit = 0, mode = $4;
@@ -964,6 +963,7 @@ local_profile: opt_audit_flag opt_owner_flag TOK_UNSAFE file_mode TOK_ID TOK_A
 $$ = do_local_profile($8, $5, mode, audit);
 };
+*/
 local_profile: TOK_PROFILE TOK_ID flags TOK_OPEN rules TOK_CLOSE
 {
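Review bot: The local-transition test in the new add_named_transition compares the wrong operand and uses the result un-negated: `strncmp(cod->name, sub, sub - entry->nt_name)` compares the profile name against the text starting at `//`, and the condition is satisfied when they differ, so for any profile name that does not itself begin with `//` the prefix check is effectively always true and any `X//<name>` is treated as a local transition of this profile regardless of X. The intent is presumably to require the part before `//` to be exactly this profile's name: `size_t plen = sub - entry->nt_name;` followed by `if (sub && strncmp(cod->name, entry->nt_name, plen) == 0 && cod->name[plen] == '\0' && strcmp(sub + 2, entry->name) == 0) {`. The distinction matters because it decides whether the transition is recorded as AA_EXEC_LOCAL or given its own exec_table slot, i.e. which profile the exec ends up in under the loaded policy. The comment `/* does the subprofile name match the rule */` would be clearer as `/* "<this profile>//<sub>" where <sub> equals the rule's path is a local transition */`. The function's tail after the exec_table loop is outside the hunk.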
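Review bot: `if (!n)` treats 0 as the failure value from add_named_transition, but that function's local-transition paths now return `AA_EXEC_LOCAL >> 10`, so the check is only correct if that expression is non-zero; AA_EXEC_LOCAL's value is not on the page, so this is hedged, but a one-line comment at the call, `/* 0 is never a valid slot: local transitions return AA_EXEC_LOCAL >> 10 and named ones start one above it */`, would pin the assumption down. While the braces around this error path are being fixed, the message on the unchanged PERROR line has a typo, `"Profile %s has too many specified profile transitions.\n"`. add_entry_to_policy continues past the hunk.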
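Review bot: The `rules: rules local_profile` production that this hunk re-enables still logs `PDEBUG("Matched: hat rule\n");`, which is misleading now that it is live; it should read `PDEBUG("Matched: local profile rule\n");`. The companion hunks at 924 and 963 disable the older local_profile productions by wrapping them in `/* ... */` instead of deleting them; everything between the added `/*` and `*/` is outside this diff, and since comments do not nest, any existing `/* */` inside those productions would end the comment early and leave grammar fragments live, so that span needs checking, and deleting the dead productions outright (history keeps them) avoids the problem entirely.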