From 2e18cb9aed9c6f34b10231e57c630ed44095c727 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Wed, 2 Aug 2023 02:07:36 -0700 Subject: [PATCH] parser: rename rules.h perms_t to perm32_t There are two distinct declarations of perms_t. rule.h: typedef uint32_t perms_t hfa.h: class perms_t these definitions clash when the front end and backend share more info. To avoid this rename rule.h to perm32_t, and move the definition into perms.h and use it in struct aa_perms. Signed-off-by: John Johansen --- parser/af_unix.cc | 8 ++++---- parser/af_unix.h | 4 ++-- parser/dbus.cc | 4 ++-- parser/dbus.h | 4 ++-- parser/io_uring.cc | 2 +- parser/io_uring.h | 2 +- parser/mount.cc | 8 ++++---- parser/mount.h | 2 +- parser/mqueue.cc | 4 ++-- parser/mqueue.h | 4 ++-- parser/network.cc | 10 +++++----- parser/network.h | 9 +++++---- parser/parser.h | 8 ++++---- parser/parser_misc.c | 18 +++++++++--------- parser/parser_regex.c | 2 +- parser/parser_yacc.y | 12 ++++++------ parser/perms.h | 27 +++++++++++++++++---------- parser/profile.cc | 4 ++-- parser/ptrace.cc | 4 ++-- parser/ptrace.h | 4 ++-- parser/rule.h | 6 +++--- parser/signal.cc | 4 ++-- parser/signal.h | 4 ++-- parser/userns.cc | 2 +- parser/userns.h | 2 +- 25 files changed, 83 insertions(+), 75 deletions(-) diff --git a/parser/af_unix.cc b/parser/af_unix.cc index b1fc38c14..4e3b97077 100644 --- a/parser/af_unix.cc +++ b/parser/af_unix.cc @@ -33,7 +33,7 @@ /* See unix(7) for autobind address definition */ #define autobind_address_pattern "\\x00[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]"; -int parse_unix_perms(const char *str_perms, perms_t *perms, int fail) +int parse_unix_perms(const char *str_perms, perm32_t *perms, int fail) { return parse_X_perms("unix", AA_VALID_NET_PERMS, str_perms, perms, fail); } 
@@ -113,7 +113,7 @@ unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode downgrade = false; } -unix_rule::unix_rule(perms_t perms_p, struct cond_entry *conds, +unix_rule::unix_rule(perm32_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds): af_rule(AF_UNIX), addr(NULL), peer_addr(NULL) { @@ -191,7 +191,7 @@ static void writeu16(std::ostringstream &o, int v) #define CMD_OPT 4 void unix_rule::downgrade_rule(Profile &prof) { - perms_t mask = (perms_t) -1; + perm32_t mask = (perm32_t) -1; if (!prof.net.allow && !prof.net.alloc_net_table()) yyerror(_("Memory allocation error.")); @@ -318,7 +318,7 @@ int unix_rule::gen_policy_re(Profile &prof) std::ostringstream buffer; std::string buf; - perms_t mask = perms; + perm32_t mask = perms; /* always generate a downgraded rule. This doesn't change generated * policy size and allows the binary policy to be loaded against diff --git a/parser/af_unix.h b/parser/af_unix.h index 03dbfdc64..3441263e9 100644 --- a/parser/af_unix.h +++ b/parser/af_unix.h @@ -24,7 +24,7 @@ #include "profile.h" #include "af_rule.h" -int parse_unix_perms(const char *str_mode, perms_t *perms, int fail); +int parse_unix_perms(const char *str_mode, perm32_t *perms, int fail); class unix_rule: public af_rule { void write_to_prot(std::ostringstream &buffer); @@ -39,7 +39,7 @@ public: bool downgrade = true; unix_rule(unsigned int type_p, audit_t audit_p, rule_mode_t rule_mode_p); - unix_rule(perms_t perms, struct cond_entry *conds, + unix_rule(perm32_t perms, struct cond_entry *conds, struct cond_entry *peer_conds); virtual ~unix_rule() { diff --git a/parser/dbus.cc b/parser/dbus.cc index 0371f66c1..fc028de6c 100644 --- a/parser/dbus.cc +++ b/parser/dbus.cc @@ -30,7 +30,7 @@ #include "dbus.h" -int parse_dbus_perms(const char *str_perms, perms_t *perms, int fail) +int parse_dbus_perms(const char *str_perms, perm32_t *perms, int fail) { return parse_X_perms("DBus", AA_VALID_DBUS_PERMS, str_perms, perms, fail); } 
@@ -66,7 +66,7 @@ void dbus_rule::move_conditionals(struct cond_entry *conds) } } -dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds, +dbus_rule::dbus_rule(perm32_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds): perms_rule_t(AA_CLASS_DBUS), bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL) { diff --git a/parser/dbus.h b/parser/dbus.h index a273bffe5..852755687 100644 --- a/parser/dbus.h +++ b/parser/dbus.h @@ -23,7 +23,7 @@ #include "rule.h" #include "profile.h" -extern int parse_dbus_perms(const char *str_mode, perms_t *mode, int fail); +extern int parse_dbus_perms(const char *str_mode, perm32_t *mode, int fail); class dbus_rule: public perms_rule_t { void move_conditionals(struct cond_entry *conds); @@ -40,7 +40,7 @@ public: char *interface; char *member; - dbus_rule(perms_t perms_p, struct cond_entry *conds, + dbus_rule(perm32_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds); virtual ~dbus_rule() { free(bus); diff --git a/parser/io_uring.cc b/parser/io_uring.cc index ec3af65bf..3425ea36c 100644 --- a/parser/io_uring.cc +++ b/parser/io_uring.cc @@ -47,7 +47,7 @@ void io_uring_rule::move_conditionals(struct cond_entry *conds) } } -io_uring_rule::io_uring_rule(perms_t perms_p, struct cond_entry *conds, struct cond_entry *ring_conds): +io_uring_rule::io_uring_rule(perm32_t perms_p, struct cond_entry *conds, struct cond_entry *ring_conds): perms_rule_t(AA_CLASS_IO_URING), label(NULL) { if (perms_p) { diff --git a/parser/io_uring.h b/parser/io_uring.h index 7299e16b0..b1d094424 100644 --- a/parser/io_uring.h +++ b/parser/io_uring.h @@ -31,7 +31,7 @@ class io_uring_rule: public perms_rule_t { public: char *label; - io_uring_rule(perms_t perms, struct cond_entry *conds, struct cond_entry *ring_conds); + io_uring_rule(perm32_t perms, struct cond_entry *conds, struct cond_entry *ring_conds); virtual ~io_uring_rule() { free(label); 
diff --git a/parser/mount.cc b/parser/mount.cc index c3af39a81..31b43ef6d 100644 --- a/parser/mount.cc +++ b/parser/mount.cc @@ -478,7 +478,7 @@ static void process_one_option(struct cond_entry *&opts, unsigned int &flags, mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p, struct cond_entry *dst_conds unused, char *mnt_point_p, - perms_t perms_p): + perm32_t perms_p): perms_rule_t(AA_CLASS_MOUNT), mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL), flagsv(0), opt_flagsv(0) @@ -784,7 +784,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count, vec[3] = flagsbuf; - perms_t tmpperms, tmpaudit; + perm32_t tmpperms, tmpaudit; if (opts) { tmpperms = AA_MATCH_CONT; tmpaudit = 0; @@ -993,7 +993,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count, goto fail; vec[3] = flagsbuf; - perms_t tmpperms, tmpaudit; + perm32_t tmpperms, tmpaudit; if (opts) { tmpperms = AA_MATCH_CONT; tmpaudit = 0; @@ -1141,7 +1141,7 @@ fail: void mnt_rule::post_parse_profile(Profile &prof) { if (trans) { - perms_t perms = 0; + perm32_t perms = 0; int n = add_entry_to_x_table(&prof, trans); if (!n) { PERROR("Profile %s has too many specified profile transitions.\n", prof.name); diff --git a/parser/mount.h b/parser/mount.h index fa1794f87..8767a404e 100644 --- a/parser/mount.h +++ b/parser/mount.h @@ -152,7 +152,7 @@ public: mnt_rule(struct cond_entry *src_conds, char *device_p, struct cond_entry *dst_conds unused, char *mnt_point_p, - perms_t perms_p); + perm32_t perms_p); virtual ~mnt_rule() { free_value_list(opts); diff --git a/parser/mqueue.cc b/parser/mqueue.cc index 3cff674f1..4d91011ef 100644 --- a/parser/mqueue.cc +++ b/parser/mqueue.cc @@ -25,7 +25,7 @@ #include #include -int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail) +int parse_mqueue_perms(const char *str_perms, perm32_t *perms, int fail) { return parse_X_perms("mqueue", AA_VALID_MQUEUE_PERMS, str_perms, perms, fail); } 
@@ -86,7 +86,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds) } } -mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p): +mqueue_rule::mqueue_rule(perm32_t perms_p, struct cond_entry *conds, char *qname_p): // mqueue uses multiple classes, arbitrary choice to represent group // withing the AST perms_rule_t(AA_CLASS_POSIX_MQUEUE), diff --git a/parser/mqueue.h b/parser/mqueue.h index 0b37b0704..ebfa5636e 100644 --- a/parser/mqueue.h +++ b/parser/mqueue.h @@ -84,7 +84,7 @@ static inline uint32_t map_mqueue_perms(uint32_t mask) ((mask & (AA_MQUEUE_GETATTR | AA_MQUEUE_SETATTR)) << (AA_OTHER_SHIFT - 8)); } -int parse_mqueue_perms(const char *str_perms, perms_t *perms, int fail); +int parse_mqueue_perms(const char *str_perms, perm32_t *perms, int fail); class mqueue_rule: public perms_rule_t { void move_conditionals(struct cond_entry *conds); @@ -93,7 +93,7 @@ public: char *qname; char *label; - mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL); + mqueue_rule(perm32_t perms, struct cond_entry *conds, char *qname = NULL); virtual ~mqueue_rule() { free(qname); diff --git a/parser/network.cc b/parser/network.cc index c22bfb08e..939f2112f 100644 --- a/parser/network.cc +++ b/parser/network.cc @@ -29,7 +29,7 @@ #define ALL_TYPES 0x43e -int parse_net_perms(const char *str_mode, perms_t *mode, int fail) +int parse_net_perms(const char *str_mode, perm32_t *mode, int fail) { return parse_X_perms("net", AA_VALID_NET_PERMS, str_mode, mode, fail); } @@ -401,7 +401,7 @@ void network_rule::set_netperm(unsigned int family, unsigned int type, unsigned network_perms[family].second |= protocol; } -network_rule::network_rule(perms_t perms_p, struct cond_entry *conds, +network_rule::network_rule(perm32_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { 
@@ -441,7 +441,7 @@ network_rule::network_rule(perms_t perms_p, struct cond_entry *conds, } } -network_rule::network_rule(perms_t perms_p, const char *family, const char *type, +network_rule::network_rule(perm32_t perms_p, const char *family, const char *type, const char *protocol, struct cond_entry *conds, struct cond_entry *peer_conds): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) @@ -494,7 +494,7 @@ network_rule::network_rule(perms_t perms_p, const char *family, const char *type } } -network_rule::network_rule(perms_t perms_p, unsigned int family, unsigned int type): +network_rule::network_rule(perm32_t perms_p, unsigned int family, unsigned int type): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { network_map[family].push_back({ family, type, 0xFFFFFFFF }); @@ -653,7 +653,7 @@ std::list copy_streams_list(std::list &s bool network_rule::gen_ip_conds(Profile &prof, std::list &streams, ip_conds &entry, bool is_peer, bool is_cmd) { std::string buf; - perms_t cond_perms; + perm32_t cond_perms; std::list ip_streams; for (auto &oss : streams) { diff --git a/parser/network.h b/parser/network.h index d9fa18144..cb396c9f1 100644 --- a/parser/network.h +++ b/parser/network.h @@ -107,8 +107,9 @@ static inline uint32_t map_perms(uint32_t mask) ((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */ }; -int parse_net_perms(const char *str_mode, perms_t *perms, int fail); + size_t get_af_max(); +int parse_net_perms(const char *str_mode, perm32_t *perms, int fail); int net_find_type_val(const char *type); const char *net_find_type_name(int type); const char *net_find_af_name(unsigned int af); 
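Review bot: The `parse_net_perms` declaration in network.h is not just retyped but moved below `size_t get_af_max();` with a blank line inserted ahead of it, which is a reorder unrelated to the type rename; every other header in this series changes the type in place. Keeping the line where it was (`-int parse_net_perms(const char *str_mode, perms_t *perms, int fail);` → `+int parse_net_perms(const char *str_mode, perm32_t *perms, int fail);`) keeps the diff a pure rename and avoids a spurious conflict for anyone carrying patches against network.h. If the reorder is intentional (grouping the parser with the `net_find_*` lookups), a sentence in the commit message saying so would be enough.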
@@ -158,12 +159,12 @@ public: * static elements to maintain compatibility with * AA_CLASS_NET */ network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { } - network_rule(perms_t perms_p, struct cond_entry *conds, + network_rule(perm32_t perms_p, struct cond_entry *conds, struct cond_entry *peer_conds); - network_rule(perms_t perms_p, const char *family, const char *type, + network_rule(perm32_t perms_p, const char *family, const char *type, const char *protocol, struct cond_entry *conds, struct cond_entry *peer_conds); - network_rule(perms_t perms_p, unsigned int family, unsigned int type); + network_rule(perm32_t perms_p, unsigned int family, unsigned int type); virtual ~network_rule() { peer.free_conds(); diff --git a/parser/parser.h b/parser/parser.h index 27bac1849..885c85d45 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -122,7 +122,7 @@ struct cod_entry { char *nt_name; Profile *prof; /* Special profile defined * just for this executable */ - perms_t perms; /* perms is 'or' of AA_* bits */ + perm32_t perms; /* perms is 'or' of AA_* bits */ audit_t audit; rule_mode_t rule_mode; 
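Review bot: `struct cod_entry` (whose definition starts before this hunk) now spells its `perms` member as `perm32_t`, a type that this series moves out of rule.h into perms.h; from the hunk alone I cannot see whether parser.h includes perms.h itself or only reaches the typedef through rule.h. If it is the latter, add `#include "perms.h"` to parser.h's include block so the header does not depend on include order, which matters because parser.h is also pulled into the .c translation units (parser_misc.c, parser_regex.c) touched later in this patch. The existing comment `/* perms is 'or' of AA_* bits */` still reads correctly after the rename.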
@@ -450,12 +450,12 @@ extern char *processunquoted(const char *string, int len); extern int get_keyword_token(const char *keyword); extern int get_rlimit(const char *name); extern char *process_var(const char *var); -extern perms_t parse_perms(const char *permstr); -extern int parse_X_perms(const char *X, int valid, const char *str_perms, perms_t *perms, int fail); +extern perm32_t parse_perms(const char *permstr); +extern int parse_X_perms(const char *X, int valid, const char *str_perms, perm32_t *perms, int fail); bool label_contains_ns(const char *label); bool parse_label(bool *_stack, char **_ns, char **_name, const char *label, bool yyerr); -extern struct cod_entry *new_entry(char *id, perms_t perms, char *link_id); +extern struct cod_entry *new_entry(char *id, perm32_t perms, char *link_id); /* returns -1 if value != true or false, otherwise 0 == false, 1 == true */ extern int str_to_boolean(const char* str); diff --git a/parser/parser_misc.c b/parser/parser_misc.c index 5582ff9fb..124e8b7a2 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -566,12 +566,12 @@ void warn_uppercase(void) } } -static perms_t parse_sub_perms(const char *str_perms, const char *perms_desc unused) +static perm32_t parse_sub_perms(const char *str_perms, const char *perms_desc unused) { #define IS_DIFF_QUAL(perms, q) (((perms) & AA_MAY_EXEC) && (((perms) & AA_EXEC_TYPE) != ((q) & AA_EXEC_TYPE))) - perms_t perms = 0; + perm32_t perms = 0; const char *p; PDEBUG("Parsing perms: %s\n", str_perms); @@ -584,7 +584,7 @@ static perms_t parse_sub_perms(const char *str_perms, const char *perms_desc unu char thisc = *p; char next = *(p + 1); char lower; - perms_t tperms = 0; + perm32_t tperms = 0; reeval: switch (thisc) { 
@@ -742,9 +742,9 @@ reeval: return perms; } -perms_t parse_perms(const char *str_perms) +perm32_t parse_perms(const char *str_perms) { - perms_t tmp, perms = 0; + perm32_t tmp, perms = 0; tmp = parse_sub_perms(str_perms, ""); perms = SHIFT_PERMS(tmp, AA_USER_SHIFT); perms |= SHIFT_PERMS(tmp, AA_OTHER_SHIFT); @@ -753,9 +753,9 @@ perms_t parse_perms(const char *str_perms) return perms; } -static int parse_X_sub_perms(const char *X, const char *str_perms, perms_t *result, int fail, const char *perms_desc unused) +static int parse_X_sub_perms(const char *X, const char *str_perms, perm32_t *result, int fail, const char *perms_desc unused) { - perms_t perms = 0; + perm32_t perms = 0; const char *p; PDEBUG("Parsing %s perms: %s\n", X, str_perms); @@ -813,7 +813,7 @@ reeval: return 1; } -int parse_X_perms(const char *X, int valid, const char *str_perms, perms_t *perms, int fail) +int parse_X_perms(const char *X, int valid, const char *str_perms, perm32_t *perms, int fail) { *perms = 0; if (!parse_X_sub_perms(X, str_perms, perms, fail, "")) @@ -976,7 +976,7 @@ alloc_fail: return false; } -struct cod_entry *new_entry(char *id, perms_t perms, char *link_id) +struct cod_entry *new_entry(char *id, perm32_t perms, char *link_id) { struct cod_entry *entry = NULL; diff --git a/parser/parser_regex.c b/parser/parser_regex.c index de38c7773..65c34f0e4 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -584,7 +584,7 @@ build: static int warn_change_profile = 1; -static bool is_change_profile_perms(perms_t perms) +static bool is_change_profile_perms(perm32_t perms) { /** * A change_profile entry will have the AA_CHANGE_PROFILE bit set. diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 10aca3227..c957bd5e1 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y 
@@ -63,10 +63,10 @@ int parser_token = 0; -struct cod_entry *do_file_rule(char *id, perms_t perms, char *link_id, char *nt); +struct cod_entry *do_file_rule(char *id, perm32_t perms, char *link_id, char *nt); mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src, struct cond_entry *dst_conds, char *dst, - perms_t perms); + perm32_t perms); mnt_rule *do_pivot_rule(struct cond_entry *old, char *root, char *transition); static void abi_features(char *filename, bool search); @@ -212,7 +212,7 @@ static void abi_features(char *filename, bool search); prefix_rule_t *prefix_entry; flagvals flags; - perms_t fperms; + perm32_t fperms; uint64_t cap; unsigned int allowed_protocol; char *set_var; @@ -1562,7 +1562,7 @@ file_perms: TOK_MODE change_profile: TOK_CHANGE_PROFILE opt_exec_mode opt_id opt_named_transition TOK_END_OF_RULE { struct cod_entry *entry; - perms_t perms = AA_CHANGE_PROFILE; + perm32_t perms = AA_CHANGE_PROFILE; int exec_mode = $2; char *exec = $3; char *target = $4; @@ -1670,7 +1670,7 @@ void yyerror(const char *msg, ...) exit(1); } -struct cod_entry *do_file_rule(char *id, perms_t perms, char *link_id, char *nt) +struct cod_entry *do_file_rule(char *id, perm32_t perms, char *link_id, char *nt) { struct cod_entry *entry; PDEBUG("Matched: tok_id (%s) tok_perms (0x%x)\n", id, perms); @@ -1711,7 +1711,7 @@ int verify_mnt_conds(struct cond_entry *conds, int src) mnt_rule *do_mnt_rule(struct cond_entry *src_conds, char *src, struct cond_entry *dst_conds, char *dst, - perms_t perms) + perm32_t perms) { if (verify_mnt_conds(src_conds, MNT_SRC_OPT) != 0) yyerror(_("bad mount rule")); diff --git a/parser/perms.h b/parser/perms.h index 2759b7225..f1ac7b4b3 100644 --- a/parser/perms.h +++ b/parser/perms.h @@ -19,6 +19,7 @@ #define __AA_PERM_H #include +#include /* same as in immunix.h - make it so they can both be included or used alone */ #ifndef AA_MAY_EXEC 
@@ -42,11 +43,15 @@ #define AA_MAY_CHMOD 0x1000 /* pair */ #define AA_MAY_CHOWN 0x2000 /* pair */ +#endif #define AA_MAY_CHGRP 0x4000 /* pair */ +#ifndef AA_MAY_CREATE #define AA_MAY_LOCK 0x8000 /* LINK_SUBSET overlaid */ #define AA_EXEC_MMAP 0x00010000 +#endif #define AA_MAY_MPROT 0x00020000 /* extend conditions */ +#ifndef AA_MAY_CREATE #define AA_MAY_LINK 0x00040000 /* pair */ #endif #define AA_MAY_SNAPSHOT 0x00080000 /* pair */ @@ -80,20 +85,22 @@ #define AA_X_INHERIT 0x40000000 #define AA_X_UNCONFINED 0x80000000 +typedef uint32_t perm32_t; + struct aa_perms { - uint32_t allow; - uint32_t deny; /* explicit deny, or conflict if allow also set */ + perm32_t allow; + perm32_t deny; /* explicit deny, or conflict if allow also set */ - uint32_t subtree; /* allow perm on full subtree only when allow is set */ - uint32_t cond; /* set only when ~allow and ~deny */ + perm32_t subtree; /* allow perm on full subtree only when allow is set */ + perm32_t cond; /* set only when ~allow and ~deny */ - uint32_t kill; /* set only when ~allow | deny */ - uint32_t complain; /* accumulates only used when ~allow & ~deny */ - uint32_t prompt; /* accumulates only used when ~allow & ~deny */ + perm32_t kill; /* set only when ~allow | deny */ + perm32_t complain; /* accumulates only used when ~allow & ~deny */ + perm32_t prompt; /* accumulates only used when ~allow & ~deny */ - uint32_t audit; /* set only when allow is set */ - uint32_t quiet; /* set only when ~allow | deny */ - uint32_t hide; /* set only when ~allow | deny */ + perm32_t audit; /* set only when allow is set */ + perm32_t quiet; /* set only when ~allow | deny */ + perm32_t hide; /* set only when ~allow | deny */ uint32_t xindex; diff --git a/parser/profile.cc b/parser/profile.cc index 3844c2fbf..5c96e65a2 100644 --- a/parser/profile.cc +++ b/parser/profile.cc 
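Review bot: The first half of this hunk restructures the `#ifndef AA_MAY_EXEC` block — `AA_MAY_CHGRP` and `AA_MAY_MPROT` become unconditional, while `AA_MAY_LOCK`, `AA_EXEC_MMAP` and `AA_MAY_LINK` get a new `#ifndef AA_MAY_CREATE` guard — yet the commit message describes only the `perms_t` → `perm32_t` rename and the typedef move. The block's own comment says these values mirror immunix.h so both headers can be included together; if immunix.h also defines `AA_MAY_CHGRP` or `AA_MAY_MPROT` (not visible from here), those two now produce redefinition diagnostics, and any value difference would mean the front end encodes a permission bit that the enforcing side reads differently, which is the kind of policy-encoding mismatch this guard exists to prevent. Either split the guard change into its own commit with its rationale, or document the asymmetry in place with a comment above `#define AA_MAY_CHGRP`, e.g. `/* not guarded: absent from immunix.h */`. Separately, `xindex` is deliberately left as `uint32_t` while every other member becomes `perm32_t`; a comment such as `uint32_t xindex; /* transition index, not a permission mask */` would stop the next reader from "completing" the rename.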
@@ -269,11 +269,11 @@ static bool add_proc_access(Profile *prof, const char *rule) void post_process_file_entries(Profile *prof) { struct cod_entry *entry; - perms_t cp_perms = 0; + perm32_t cp_perms = 0; list_for_each(prof->entries, entry) { if (entry->nt_name) { - perms_t perms = 0; + perm32_t perms = 0; int n = add_named_transition(prof, entry); if (!n) { PERROR("Profile %s has too many specified profile transitions.\n", prof->name); diff --git a/parser/ptrace.cc b/parser/ptrace.cc index 3729b7606..3a4bbf690 100644 --- a/parser/ptrace.cc +++ b/parser/ptrace.cc @@ -24,7 +24,7 @@ #include #include -int parse_ptrace_perms(const char *str_perms, perms_t *perms, int fail) +int parse_ptrace_perms(const char *str_perms, perm32_t *perms, int fail) { return parse_X_perms("ptrace", AA_VALID_PTRACE_PERMS, str_perms, perms, fail); } @@ -47,7 +47,7 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds) } } -ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds): +ptrace_rule::ptrace_rule(perm32_t perms_p, struct cond_entry *conds): perms_rule_t(AA_CLASS_PTRACE), peer_label(NULL) { if (perms_p) { diff --git a/parser/ptrace.h b/parser/ptrace.h index b129c5795..bbe7b8638 100644 --- a/parser/ptrace.h +++ b/parser/ptrace.h @@ -27,14 +27,14 @@ #define AA_VALID_PTRACE_PERMS (AA_MAY_READ | AA_MAY_TRACE | AA_MAY_READBY | \ AA_MAY_TRACEDBY) -int parse_ptrace_perms(const char *str_perms, perms_t *perms, int fail); +int parse_ptrace_perms(const char *str_perms, perm32_t *perms, int fail); class ptrace_rule: public perms_rule_t { void move_conditionals(struct cond_entry *conds); public: char *peer_label; - ptrace_rule(perms_t perms, struct cond_entry *conds); + ptrace_rule(perm32_t perms, struct cond_entry *conds); virtual ~ptrace_rule() { free(peer_label); diff --git a/parser/rule.h b/parser/rule.h index a7234c778..3d2d2946f 100644 --- a/parser/rule.h +++ b/parser/rule.h 
@@ -22,6 +22,7 @@ #include #include +#include "perms.h" #include "policydb.h" using namespace std; @@ -151,7 +152,6 @@ std::ostream &operator<<(std::ostream &os, rule_t &rule); typedef std::list RuleList; /* Not classes so they can be used in the bison front end */ -typedef uint32_t perms_t; typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t; typedef enum { RULE_UNSPECIFIED, RULE_ALLOW, RULE_DENY, RULE_PROMPT } rule_mode_t; @@ -407,7 +407,7 @@ public: return os; } - perms_t perms, saved; + perm32_t perms, saved; }; // alternate perms rule class that only does dedup instead of perms merging @@ -432,7 +432,7 @@ public: return os; } - perms_t perms; + perm32_t perms; }; diff --git a/parser/signal.cc b/parser/signal.cc index 15fc5a17a..b2eda5ac2 100644 --- a/parser/signal.cc +++ b/parser/signal.cc @@ -116,7 +116,7 @@ static const char *const sig_names[MAXMAPPED_SIG + 1] = { }; -int parse_signal_perms(const char *str_perms, perms_t *perms, int fail) +int parse_signal_perms(const char *str_perms, perm32_t *perms, int fail) { return parse_X_perms("signal", AA_VALID_SIGNAL_PERMS, str_perms, perms, fail); } @@ -173,7 +173,7 @@ void signal_rule::move_conditionals(struct cond_entry *conds) } } -signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds): +signal_rule::signal_rule(perm32_t perms_p, struct cond_entry *conds): perms_rule_t(AA_CLASS_SIGNAL), signals(), peer_label(NULL) { if (perms_p) { diff --git a/parser/signal.h b/parser/signal.h index 4cb4411f9..d3295a4a9 100644 --- a/parser/signal.h +++ b/parser/signal.h @@ -32,7 +32,7 @@ typedef set Signals; int find_signal_mapping(const char *sig); -int parse_signal_perms(const char *str_perms, perms_t *perms, int fail); +int parse_signal_perms(const char *str_perms, perm32_t *perms, int fail); class signal_rule: public perms_rule_t { void extract_sigs(struct value_list **list); 
@@ -41,7 +41,7 @@ public: Signals signals; char *peer_label; - signal_rule(perms_t perms, struct cond_entry *conds); + signal_rule(perm32_t perms, struct cond_entry *conds); virtual ~signal_rule() { signals.clear(); free(peer_label); diff --git a/parser/userns.cc b/parser/userns.cc index f70f8e84e..cbef5e580 100644 --- a/parser/userns.cc +++ b/parser/userns.cc @@ -40,7 +40,7 @@ void userns_rule::move_conditionals(struct cond_entry *conds) } } -userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds): +userns_rule::userns_rule(perm32_t perms_p, struct cond_entry *conds): perms_rule_t(AA_CLASS_NS) { if (perms_p) { diff --git a/parser/userns.h b/parser/userns.h index 9d17fc203..8c1364aa9 100644 --- a/parser/userns.h +++ b/parser/userns.h @@ -26,7 +26,7 @@ class userns_rule: public perms_rule_t { void move_conditionals(struct cond_entry *conds); public: - userns_rule(perms_t perms, struct cond_entry *conds); + userns_rule(perm32_t perms, struct cond_entry *conds); virtual ~userns_rule() { };