Add the ability to specify link subset test on a link pair, and

fix a bug where link pairs could get improperly merged.

parser/immunix.h

@@ -68,9 +68,14 @@
 #define AA_EXEC_MODIFIERS		(AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
 					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
 					 AA_EXEC_MOD_4)
+#define AA_EXEC_COUNT			32
 
-#define AA_EXEC_TYPE			(AA_MAY_EXEC | AA_EXEC_UNSAFE | \
+#define AA_USER_EXEC_MODIFIERS		(AA_EXEC_MODIFIERS << AA_USER_SHIFT)
-					 AA_EXEC_MODIFIERS)
+#define AA_OTHER_EXEC_MODIFIERS		(AA_EXEC_MODIFIERS << AA_OTHER_SHIFT)
+#define AA_ALL_EXEC_MODIFIERS		(AA_USER_EXEC_MODIFIERS | \
+					 AA_OTHER_EXEC_MODIFIERS)
+
+#define AA_EXEC_TYPE			(AA_EXEC_UNSAFE | AA_EXEC_MODIFIERS)
 
 #define AA_EXEC_UNCONFINED		(AA_EXEC_MOD_0)
 #define AA_EXEC_INHERIT			(AA_EXEC_MOD_1)
@@ -79,8 +84,10 @@
 
 #define AA_VALID_PERMS			(AA_FILE_PERMS | AA_CHANGE_PROFILE)
 
-#define AA_EXEC_BITS			((AA_MAY_EXEC << AA_USER_SHIFT) | \
+#define AA_USER_EXEC			(AA_MAY_EXEC << AA_USER_SHIFT)
-					 (AA_MAY_EXEC << AA_OTHER_SHIFT))
+#define AA_OTHER_EXEC			(AA_MAY_EXEC << AA_OTHER_SHIFT)
+
+#define AA_EXEC_BITS			(AA_USER_EXEC | AA_OTHER_EXEC)
 
 #define ALL_AA_EXEC_UNSAFE		((AA_EXEC_UNSAFE << AA_USER_SHIFT) | \
 					 (AA_EXEC_UNSAFE << AA_OTHER_SHIFT))
@@ -88,6 +95,8 @@
 #define AA_USER_EXEC_TYPE		(AA_EXEC_TYPE << AA_USER_SHIFT)
 #define AA_OTHER_EXEC_TYPE		(AA_EXEC_TYPE << AA_OTHER_SHIFT)
 
+#define ALL_AA_EXEC_TYPE		(AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
+
 #define AA_LINK_BITS			((AA_MAY_LINK << AA_USER_SHIFT) | \
 					 (AA_MAY_LINK << AA_OTHER_SHIFT))
 
@@ -102,6 +111,13 @@
 				 (AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT))
 #define LINK_TO_LINK_SUBSET(X)		(((X) << 1) & AA_LINK_SUBSET_TEST)
 
+
+/* Pack the audit, and quiet masks into a single 28 bit field in the
+ * format oq:oa:uq:ua
+ */
+#define PACK_AUDIT_CTL(audit, quiet)	(((audit) & 0x1fc07f) | \
+					 (((quiet) & 0x1fc07f) << 7))
+
 #define AA_HAT_SIZE	975	/* Maximum size of a subdomain
 					 * ident (hat) */
 #define AA_IP_TCP			0x0001

parser/parser.h

@@ -44,6 +44,8 @@ struct cod_entry {
 	int mode;			/* mode is 'or' of AA_* bits */
 	int deny;			/* TRUE or FALSE */
 
+	int subset;
+
 	pattern_t pattern_type;
 	struct cod_pattern pat;
 

parser/parser_merge.c

@@ -59,6 +59,11 @@ static int file_comp(const void *c1, const void *c2)
 	if (res)
 		return res;
 
+	if ((*e1)->link_name)
+		res = (*e2)->subset - (*e1)->subset;
+	if (res)
+		return res;
+
 	return strcmp((*e1)->name, (*e2)->name);
 }
 

parser/parser_misc.c

@@ -62,6 +62,7 @@ static struct keyword_table keyword_table[] = {
 	{"unsafe",		TOK_UNSAFE},
 	{"link",		TOK_LINK},
 	{"owner",		TOK_OWNER},
+	{"subset",		TOK_SUBSET},
 	/* terminate */
 	{NULL, 0}
 };

parser/parser_regex.c

@@ -515,6 +515,8 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 			ptype = convert_aaregex_to_pcre(entry->link_name, 0, lbuf, PATH_MAX + 8);
 			if (ptype == ePatternInvalid)
 				return FALSE;
+			if (entry->subset)
+				perms |= LINK_TO_LINK_SUBSET(perms);
 			vec[1] = lbuf;
 		} else {
 			perms |= LINK_TO_LINK_SUBSET(perms);

parser/parser_yacc.y

@@ -95,6 +95,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
 %token TOK_COLON
 %token TOK_LINK
 %token TOK_OWNER
+%token TOK_SUBSET
 
 /* capabilities */
 %token TOK_CAPABILITY
@@ -150,7 +151,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
 %type <val_list> valuelist
 %type <boolean> expr
 %type <id>	id_or_var
-
+%type <boolean> opt_subset_flag
 %%
 
 
@@ -357,6 +358,9 @@ flagval:	TOK_FLAG_ID
 		$$ = fv;
 	};
 
+opt_subset_flag: { /* nothing */ $$ = 0; }
+	| TOK_SUBSET { $$ = 1; }
+
 rules:	{ /* nothing */ 
 		struct codomain *cod = NULL;
 		cod = (struct codomain *) calloc(1, sizeof(struct codomain));
@@ -585,27 +589,29 @@ rule:  id_or_var file_mode id_or_var
 		yyerror(_("missing an end of line character? (entry: %s)"), $1);
 	};
 
-rule: TOK_LINK TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
+rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
-		PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $2, $4);
+		PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5);
-		entry = new_entry(NULL, $2, AA_LINK_BITS, $4);
+		entry = new_entry(NULL, $3, AA_LINK_BITS, $5);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
+		entry->subset = $2;
 		PDEBUG("rule.entry: link (%s)\n", entry->name);
 		$$ = entry;
 	};
 
-rule: TOK_LINK file_mode TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
+rule: file_mode opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
 		PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5);
-		if ($2 & ~AA_LINK_BITS) {
+		if ($1 & ~AA_LINK_BITS) {
 			yyerror(_("only link perms can be specified in a link rule."));
 		} else {
-			entry = new_entry(NULL, $3, $2, $5);
+			entry = new_entry(NULL, $3, AA_LINK_BITS, $5);
 			if (!entry)
 				yyerror(_("Memory allocation error."));
+			entry->subset = $2;
 		}
 		PDEBUG("rule.entry: link (%s)\n", entry->name);
 		$$ = entry;