fix named transition, enable cx to imply transition to local profile, without having to specify name

parser/parser_interface.c

@@ -545,6 +545,7 @@ int sd_serialize_xtable(sd_serialize *p, char **table)
 
 	if (!sd_write_array(p, NULL, count))
 		return 0;
+
 	for (i = 4; i < count + 4; i++) {
 		int len = strlen(table[i]) + 1;
 
@@ -555,11 +556,13 @@ int sd_serialize_xtable(sd_serialize *p, char **table)
 			char *tmp = table[i] + 1;
 			strsep(&tmp, ":");
 		}
-		if (!sd_write_strn(p, table[i], len, NULL));
+		if (!sd_write_strn(p, table[i], len, NULL))
 			return 0;
+
 	}
 	if (!sd_write_arrayend(p))
 		return 0;
+
 	if (!sd_write_structend(p))
 		return 0;
 	return 1;

parser/parser_policy.c

@@ -93,32 +93,57 @@ void add_hat_to_policy(struct codomain *cod, struct codomain *hat)
 	}
 }
 
-static int add_named_transition(struct codomain *cod, char *namespace, char *trans)
+static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
 {
 	char *name = NULL;
 	int i;
 
 	/* check to see if it is a local transition */
-	if (!namespace) {
-		if (strstr(name, "//")) {
-			free(trans);
-			return AA_EXEC_LOCAL;
+	if (!entry->namespace) {
+		char *sub = strstr(entry->nt_name, "//");
+		/* does the subprofile name match the rule */
+		if (sub && strncmp(cod->name, sub, sub - entry->nt_name) &&
+		    strcmp(sub + 2, entry->name) == 0) {
+			free(entry->nt_name);
+			entry->nt_name = NULL;
+			return AA_EXEC_LOCAL >> 10;
+		} else if (((entry->mode & AA_USER_EXEC_MODIFIERS) ==
+			     SHIFT_MODE(AA_EXEC_LOCAL, AA_USER_SHIFT)) ||
+			    ((entry->mode & AA_OTHER_EXEC_MODIFIERS) ==
+			     SHIFT_MODE(AA_EXEC_LOCAL, AA_OTHER_SHIFT))) {
+			if (strcmp(entry->nt_name, entry->name) == 0) {
+				free(entry->nt_name);
+				entry->nt_name = NULL;
+				return AA_EXEC_LOCAL >> 10;
+			}
+			/* specified as cix so profile name is implicit */
+			name = malloc(strlen(cod->name) + strlen(entry->nt_name)
+				      + 3);
+			if (!name) {
+				PERROR("Memory allocation error\n");
+				exit(1);
+			}
+			sprintf(name, "%s//%s", cod->name, entry->nt_name);
+			free(entry->nt_name);
+			entry->nt_name = name;
 		}
 	}
-	if (namespace) {
-		name = malloc(strlen(namespace) + strlen(trans) + 3);
+	if (entry->namespace) {
+		name = malloc(strlen(entry->namespace) + strlen(entry->nt_name) + 3);
 		if (!name) {
 			PERROR("Memory allocation error\n");
 			exit(1);
 		}
-		sprintf(name, ":%s:%s", namespace, trans);
-		free(namespace);
-		free(trans);
+		sprintf(name, ":%s:%s", entry->namespace, entry->nt_name);
+		free(entry->namespace);
+		free(entry->nt_name);
+		entry->namespace = NULL;
+		entry->nt_name = NULL;
 	} else {
-		name = trans;
+		name = entry->nt_name;
 	}
 
-	for (i = (AA_EXEC_LOCAL + 1) >> 10; i < AA_EXEC_COUNT; i++) {
+	for (i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++) {
 		if (!cod->exec_table[i]) {
 			cod->exec_table[i] = name;
 			return i;
@@ -136,10 +161,11 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
 {
 	if (entry->nt_name) {
 		int mode = 0;
-		int n = add_named_transition(cod, entry->namespace, entry->nt_name);
-		if (!n)
+		int n = add_named_transition(cod, entry);
+		if (!n) {
 			PERROR("Profile %s has to many specified profile transitions.\n", cod->name);
-		exit(1);
+			exit(1);
+		}
 		if (entry->mode & AA_USER_EXEC)
 			mode |= SHIFT_MODE(n << 10, AA_USER_SHIFT);
 		if (entry->mode & AA_OTHER_EXEC)

parser/parser_yacc.y

@@ -631,7 +631,6 @@ rules:	rules hat
 		$$ = $1;
 	};
 
-/*
 rules:	rules local_profile
 	{
 		PDEBUG("Matched: hat rule\n");
@@ -641,7 +640,6 @@ rules:	rules local_profile
 		add_local_entry($2);
 		$$ = $1;
 	};
-*/
 
 rules:	rules cond_rule
 	{
@@ -924,6 +922,7 @@ hat: hat_start TOK_ID flags TOK_OPEN rules TOK_CLOSE
 		$$ = cod;
 	};
 
+/*
 local_profile:   opt_audit_flag opt_owner_flag TOK_ID file_mode TOK_ARROW TOK_OPEN rules TOK_CLOSE
 	{
 		int audit = 0, mode = $4;
@@ -964,6 +963,7 @@ local_profile:   opt_audit_flag opt_owner_flag TOK_UNSAFE file_mode TOK_ID TOK_A
 
 		$$ = do_local_profile($8, $5, mode, audit);
 	};
+*/
 
 local_profile:   TOK_PROFILE TOK_ID flags TOK_OPEN rules TOK_CLOSE
 	{