mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 15:25:27 +00:00
Code Issues Releases Wiki Activity

remove old netdomain syntax

Browse Source
This commit is contained in:
John Johansen
2007-11-16 09:34:01 +00:00
parent 50284e8aad
commit 40c3686041
17 changed files with 18 additions and 650 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
parser/immunix.h
View File

@@ -52,18 +52,6 @@
#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_0 | AA_EXEC_MOD_1) #define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
/* Network subdomain extensions. */
#define AA_TCP_CONNECT (1 << 16)
#define AA_TCP_ACCEPT (1 << 17)
#define AA_TCP_CONNECTED (1 << 18)
#define AA_TCP_ACCEPTED (1 << 19)
#define AA_UDP_SEND (1 << 20)
#define AA_UDP_RECEIVE (1 << 21)
/* logging only */
#define AA_LOGTCP_SEND (1 << 22)
#define AA_LOGTCP_RECEIVE (1 << 23)
#define AA_HAT_SIZE 975 /* Maximum size of a subdomain #define AA_HAT_SIZE 975 /* Maximum size of a subdomain
* ident (hat) */ * ident (hat) */
#define AA_IP_TCP 0x0001 #define AA_IP_TCP 0x0001

17
parser/parser.h
View File

@@ -49,15 +49,6 @@ struct cod_entry {
struct cod_entry *next; struct cod_entry *next;
}; };
struct cod_net_entry {
struct in_addr *saddr, *smask;
struct in_addr *daddr, *dmask;
unsigned short src_port[2], dst_port[2];
char *iface;
int mode;
struct cod_net_entry *next;
};
/* supported AF protocols */ /* supported AF protocols */
struct aa_network_entry { struct aa_network_entry {
unsigned int family; unsigned int family;
@@ -82,7 +73,6 @@ struct codomain {
* indexed by AF_FAMILY */ * indexed by AF_FAMILY */
struct cod_entry *entries; struct cod_entry *entries;
struct cod_net_entry * net_entries;
void *hat_table; void *hat_table;
//struct codomain *next; //struct codomain *next;
@@ -94,7 +84,6 @@ struct codomain {
struct cod_global_entry { struct cod_global_entry {
struct cod_entry *entry; struct cod_entry *entry;
struct cod_net_entry *net_entry;
struct codomain *hats ; struct codomain *hats ;
unsigned int capabilities; unsigned int capabilities;
}; };
@@ -206,9 +195,6 @@ extern int name_to_capability(const char *keyword);
extern char *process_var(const char *var); extern char *process_var(const char *var);
extern int parse_mode(const char *mode); extern int parse_mode(const char *mode);
extern struct cod_entry *new_entry(char *namespace, char *id, int mode); extern struct cod_entry *new_entry(char *namespace, char *id, int mode);
extern struct cod_net_entry *new_network_entry(int action,
struct ipv4_endpoints *addrs,
char *interface);
extern struct aa_network_entry *new_network_ent(unsigned int family, extern struct aa_network_entry *new_network_ent(unsigned int family,
unsigned int type, unsigned int type,
unsigned int protocol); unsigned int protocol);
@@ -221,8 +207,6 @@ extern void debug_cod_list(struct codomain *list);
extern int str_to_boolean(const char* str); extern int str_to_boolean(const char* str);
extern struct cod_entry *copy_cod_entry(struct cod_entry *cod); extern struct cod_entry *copy_cod_entry(struct cod_entry *cod);
extern void free_cod_entries(struct cod_entry *list); extern void free_cod_entries(struct cod_entry *list);
extern void free_net_entries(struct cod_net_entry *list);
extern void free_ipv4_endpoints(struct ipv4_endpoints *addrs);
/* parser_symtab.c */ /* parser_symtab.c */
extern int add_boolean_var(const char *var, int boolean); extern int add_boolean_var(const char *var, int boolean);
@@ -247,7 +231,6 @@ extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod,
extern void add_to_list(struct codomain *codomain); extern void add_to_list(struct codomain *codomain);
extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat); extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry); extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
extern void add_netrule_to_policy(struct codomain *policy, struct cod_net_entry *net_entry);
extern int post_process_policy(void); extern int post_process_policy(void);
extern int process_hat_regex(struct codomain *cod); extern int process_hat_regex(struct codomain *cod);
extern int process_hat_variables(struct codomain *cod); extern int process_hat_variables(struct codomain *cod);

49
parser/parser_interface.c
View File

@@ -430,42 +430,6 @@ inline int sd_write_listend(sd_serialize *p)
return 1; return 1;
} }
int
sd_serialize_net_entry(sd_serialize *p, struct cod_net_entry *net_entry)
{
if (!sd_write_struct(p, "ne"))
return 0;
if (!sd_write32(p, net_entry->mode))
return 0;
if (!sd_write32(p, net_entry->saddr->s_addr))
return 0;
if (!sd_write32(p, net_entry->smask->s_addr))
return 0;
if (!sd_write16(p, net_entry->src_port[0]))
return 0;
if (!sd_write16(p, net_entry->src_port[1]))
return 0;
if (!sd_write32(p, net_entry->daddr->s_addr))
return 0;
if (!sd_write32(p, net_entry->dmask->s_addr))
return 0;
if (!sd_write16(p, net_entry->dst_port[0]))
return 0;
if (!sd_write16(p, net_entry->dst_port[1]))
return 0;
if (net_entry->iface)
if (!sd_write_string(p, net_entry->iface, NULL))
return 0;
if (!sd_write_structend(p))
return 0;
return 1;
}
int sd_serialize_pattern(sd_serialize *p, pcre *pat) int sd_serialize_pattern(sd_serialize *p, pcre *pat)
{ {
if (!sd_write_struct(p, "pcre")) if (!sd_write_struct(p, "pcre"))
@@ -565,7 +529,6 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
int flattened) int flattened)
{ {
struct cod_entry *entry; struct cod_entry *entry;
struct cod_net_entry *net_entry;
if (!sd_write_struct(p, "profile")) if (!sd_write_struct(p, "profile"))
return 0; return 0;
@@ -660,18 +623,6 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
} }
} }
if (profile->net_entries && (regex_type != AARE_DFA)) {
if (!sd_write_list(p, "net"))
return 0;
list_for_each(profile->net_entries, net_entry) {
if (!sd_serialize_net_entry(p, net_entry))
return 0;
}
if (!sd_write_listend(p))
return 0;
}
if (profile->hat_table && regex_type != AARE_DFA) { if (profile->hat_table && regex_type != AARE_DFA) {
if (!sd_write_list(p, "hats")) if (!sd_write_list(p, "hats"))
return 0; return 0;

70
parser/parser_lex.l
View File

@@ -73,8 +73,6 @@ BOOL_VARIABLE $(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
PATHNAME (\/|{SET_VARIABLE}{POST_VAR_ID}){ID}* PATHNAME (\/|{SET_VARIABLE}{POST_VAR_ID}){ID}*
QPATHNAME \"(\/|{SET_VAR_PREFIX})([^\0"]|\\\")*\" QPATHNAME \"(\/|{SET_VAR_PREFIX})([^\0"]|\\\")*\"
IFACE [[:alnum:]:]+
FLAGOPEN_PAREN \( FLAGOPEN_PAREN \(
FLAGCLOSE_PAREN \) FLAGCLOSE_PAREN \)
FLAGSEP \, FLAGSEP \,
@@ -82,8 +80,6 @@ EQUALS =
ADD_ASSIGN \+= ADD_ASSIGN \+=
%x SUB_NAME %x SUB_NAME
%x IP_MODE
%x IF_MODE
%x NETWORK_MODE %x NETWORK_MODE
%x FLAGS_MODE %x FLAGS_MODE
%x ASSIGN_MODE %x ASSIGN_MODE
@@ -124,61 +120,6 @@ ADD_ASSIGN \+=
} }
} }
<IP_MODE>{
{COLON} {
PDEBUG("(ip_mode) Found a colon\n");
return TOK_COLON;
}
{NUMBER} {
yylval = (YYSTYPE) strtoul(yytext, NULL, 10);
PDEBUG("(ip_mode) Found a number %d\n", yylval);
return TOK_NUM;
}
{IP} {
yylval = (YYSTYPE) strdup(yytext);
PDEBUG("Found ip %s\n", yylval);
return TOK_IP;
}
{SLASH} {
PDEBUG("(ip_mode) Found a slash\n");
return TOK_SLASH;
}
{RANGE} {
PDEBUG("(ip_mode) Found a slash\n");
return TOK_RANGE;
}
{WS} {
/* Ignoring whitespace */
PDEBUG("Ending ip mode\n");
BEGIN(INITIAL);
}
{END_OF_RULE} { /* Ugh, need this so we don't require a space
before the EoL marker */
BEGIN(INITIAL);
return TOK_END_OF_RULE;
}
[^\n] {
/* Something we didn't expect */
yylval = (YYSTYPE) strdup(yytext);
yyerror(_("(ip_mode) Found unexpected character: '%s'"), yylval);
}
}
<IF_MODE>{
{WS}+ { /* Eat whitespace preceding interface */ }
{IFACE} {
yylval = (YYSTYPE) strdup(yytext);
PDEBUG("Found interface: %s\n", yylval);
BEGIN(INITIAL);
return TOK_IFACE;
}
[^\n] {
/* Something we didn't expect */
yyerror(_("Unexpected character in interface name: '%s'"), yytext);
}
}
<FLAGS_MODE>{ <FLAGS_MODE>{
{FLAGOPEN_PAREN} { {FLAGOPEN_PAREN} {
PDEBUG("FLag (\n"); PDEBUG("FLag (\n");
@@ -302,14 +243,6 @@ ADD_ASSIGN \+=
return TOK_CLOSE; return TOK_CLOSE;
} }
{IP} {
yylval = (YYSTYPE) strdup(yytext);
PDEBUG("Found ip %s\n", yylval);
BEGIN(IP_MODE);
return TOK_IP;
}
{PATHNAME} { {PATHNAME} {
yylval = (YYSTYPE) processunquoted(yytext, yyleng); yylval = (YYSTYPE) processunquoted(yytext, yyleng);
PDEBUG("Found id: \"%s\"\n", yylval); PDEBUG("Found id: \"%s\"\n", yylval);
@@ -355,9 +288,6 @@ ADD_ASSIGN \+=
PDEBUG("Found id: \"%s\"\n", yylval); PDEBUG("Found id: \"%s\"\n", yylval);
return TOK_ID; return TOK_ID;
break; break;
case TOK_VIA:
BEGIN(IF_MODE); /* look for an interface name next */
break;
case TOK_FLAGS: case TOK_FLAGS:
BEGIN(FLAGS_MODE); BEGIN(FLAGS_MODE);
break; break;

16
parser/parser_merge.c
View File

@@ -29,15 +29,6 @@
#include "parser.h" #include "parser.h"
static inline int count_net_entries(struct codomain *cod)
{
struct cod_net_entry *list;
int count = 0;
for (list = cod->net_entries; list; list = list->next)
count++;
return count;
}
static int file_comp(const void *c1, const void *c2) static int file_comp(const void *c1, const void *c2)
{ {
struct cod_entry **e1, **e2; struct cod_entry **e1, **e2;
@@ -127,17 +118,10 @@ static int process_file_entries(struct codomain *cod)
return 1; return 1;
} }
static int process_net_entries(struct codomain __unused *cod)
{
return 1;
}
int codomain_merge_rules(struct codomain *cod) int codomain_merge_rules(struct codomain *cod)
{ {
if (!process_file_entries(cod)) if (!process_file_entries(cod))
goto fail; goto fail;
if (!process_net_entries(cod))
goto fail;
/* XXX return error from this */ /* XXX return error from this */
merge_hat_rules(cod); merge_hat_rules(cod);

142
parser/parser_misc.c
View File

@@ -51,15 +51,6 @@ static struct keyword_table keyword_table[] = {
/* flags */ /* flags */
{"flags", TOK_FLAGS}, {"flags", TOK_FLAGS},
/* network */ /* network */
{"via", TOK_VIA},
{"tcp_connect", TOK_TCP_CONN},
{"tcp_accept", TOK_TCP_ACPT},
{"tcp_connected", TOK_TCP_CONN_ESTB},
{"tcp_accepted", TOK_TCP_ACPT_ESTB},
{"udp_send", TOK_UDP_SEND},
{"udp_receive", TOK_UDP_RECV},
{"to", TOK_TO},
{"from", TOK_FROM},
{"network", TOK_NETWORK}, {"network", TOK_NETWORK},
/* misc keywords */ /* misc keywords */
{"capability", TOK_CAPABILITY}, {"capability", TOK_CAPABILITY},
@@ -564,58 +555,6 @@ reeval:
return mode; return mode;
} }
struct cod_net_entry *new_network_entry(int action,
struct ipv4_endpoints *addrs,
char *interface)
{
struct cod_net_entry *entry = NULL;
entry = (struct cod_net_entry *)
malloc(sizeof(struct cod_net_entry));
entry->saddr = (struct in_addr *)malloc(sizeof(struct in_addr));
entry->smask = (struct in_addr *)malloc(sizeof(struct in_addr));
entry->daddr = (struct in_addr *)malloc(sizeof(struct in_addr));
entry->dmask = (struct in_addr *)malloc(sizeof(struct in_addr));
if (!addrs || !entry || !entry->saddr || !entry->smask ||
!entry->daddr || !entry->dmask) {
yyerror(_("Memory allocation error."));
return NULL;
}
entry->next = NULL;
entry->mode = action;
entry->iface = interface ? interface : NULL;
if (addrs->src) {
PDEBUG("Assigning source\n");
entry->saddr->s_addr = addrs->src->addr.s_addr & addrs->src->mask;
entry->smask->s_addr = addrs->src->mask;
entry->src_port[0] = addrs->src->port[0];
entry->src_port[1] = addrs->src->port[1];
} else {
entry->saddr->s_addr = 0;
entry->smask->s_addr = 0;
entry->src_port[0] = MIN_PORT;
entry->src_port[1] = MAX_PORT;
}
if (addrs->dest) {
PDEBUG("Assigning source\n");
entry->daddr->s_addr = addrs->dest->addr.s_addr & addrs->dest->mask;
entry->dmask->s_addr = addrs->dest->mask;
entry->dst_port[0] = addrs->dest->port[0];
entry->dst_port[1] = addrs->dest->port[1];
} else {
entry->daddr->s_addr = 0;
entry->dmask->s_addr = 0;
entry->dst_port[0] = MIN_PORT;
entry->dst_port[1] = MAX_PORT;
}
return entry;
}
struct cod_entry *new_entry(char *namespace, char *id, int mode) struct cod_entry *new_entry(char *namespace, char *id, int mode)
{ {
struct cod_entry *entry = NULL; struct cod_entry *entry = NULL;
@@ -662,17 +601,6 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
return entry; return entry;
} }
void free_ipv4_endpoints(struct ipv4_endpoints *addrs)
{
if (!addrs)
return;
if (addrs->src)
free(addrs->src);
if (addrs->dest)
free(addrs->dest);
free(addrs);
}
void free_cod_entries(struct cod_entry *list) void free_cod_entries(struct cod_entry *list)
{ {
if (!list) if (!list)
@@ -690,25 +618,6 @@ void free_cod_entries(struct cod_entry *list)
free(list); free(list);
} }
void free_net_entries(struct cod_net_entry *list)
{
if (!list)
return;
if (list->next)
free_net_entries(list->next);
if (list->saddr)
free(list->saddr);
if (list->smask)
free(list->smask);
if (list->daddr)
free(list->daddr);
if (list->dmask)
free(list->dmask);
if (list->iface)
free(list->iface);
free(list);
}
void debug_cod_entries(struct cod_entry *list) void debug_cod_entries(struct cod_entry *list)
{ {
struct cod_entry *item = NULL; struct cod_entry *item = NULL;
@@ -763,54 +672,6 @@ void debug_cod_entries(struct cod_entry *list)
} }
} }
void debug_cod_net_entries(struct cod_net_entry *list)
{
struct cod_net_entry *item = NULL;
struct in_addr src_addr, dst_addr;
unsigned long smask;
unsigned long dmask;
printf("--- NetwerkEntries --- \n");
list_for_each(list, item) {
if (!item)
printf("Item is NULL");
src_addr.s_addr = item->saddr->s_addr;
dst_addr.s_addr = item->daddr->s_addr;
smask = ntohl(item->smask->s_addr);
dmask = ntohl(item->dmask->s_addr);
printf("Source IP: %s\n", inet_ntoa(src_addr));
printf("Source Port: (%hu) - (%hu)\n", item->src_port[0],
item->src_port[1]);
printf("Source netmask: %lx\n", smask);
fflush(stdout);
printf("Destination IP: %s\n", inet_ntoa(dst_addr));
printf("Destination Port: %hu - %hu\n", item->dst_port[0],
item->dst_port[1]);
printf("Destination netmask: %lx\n", dmask);
fflush(stdout);
printf("Mode:\t");
if (item->mode & AA_TCP_ACCEPT)
printf("TA");
if (item->mode & AA_TCP_CONNECT)
printf("TC");
if (item->mode & AA_TCP_ACCEPTED)
printf("Ta");
if (item->mode & AA_TCP_CONNECTED)
printf("Tc");
if (item->mode & AA_UDP_SEND)
printf("US");
if (item->mode & AA_UDP_RECEIVE)
printf("UR");
if (item->iface != NULL)
printf("\nInterface: %s\n", item->iface);
printf("\n");
}
}
static const char *capnames[] = { static const char *capnames[] = {
"chown", "chown",
"dac_override", "dac_override",
@@ -887,9 +748,6 @@ void debug_cod_list(struct codomain *cod)
if (cod->entries) if (cod->entries)
debug_cod_entries(cod->entries); debug_cod_entries(cod->entries);
if (cod->net_entries)
debug_cod_net_entries(cod->net_entries);
printf("\n"); printf("\n");
dump_policy_hats(cod); dump_policy_hats(cod);
} }

16
parser/parser_policy.c
View File

@@ -99,12 +99,6 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
cod->entries = entry; cod->entries = entry;
} }
void add_netrule_to_policy(struct codomain *cod, struct cod_net_entry *net_entry)
{
net_entry->next = cod->net_entries;
cod->net_entries = net_entry;
}
static void __merge_rules(const void *nodep, const VISIT value, static void __merge_rules(const void *nodep, const VISIT value,
const int __unused depth) const int __unused depth)
{ {
@@ -392,7 +386,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
{ {
struct codomain *ret = a; struct codomain *ret = a;
struct cod_entry *last; struct cod_entry *last;
struct cod_net_entry *lastnet;
if (!a) { if (!a) {
ret = b; ret = b;
goto out; goto out;
@@ -415,14 +408,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
} }
b->entries = NULL; b->entries = NULL;
if (a->net_entries) {
list_last_entry(a->net_entries, lastnet);
lastnet->next = b->net_entries;
} else {
a->net_entries = b->net_entries;
}
b->net_entries = NULL;
a->flags.complain = a->flags.complain || b->flags.complain; a->flags.complain = a->flags.complain || b->flags.complain;
a->flags.audit = a->flags.audit || b->flags.audit; a->flags.audit = a->flags.audit || b->flags.audit;
@@ -482,7 +467,6 @@ void free_policy(struct codomain *cod)
return; return;
free_hat_table(cod->hat_table); free_hat_table(cod->hat_table);
free_cod_entries(cod->entries); free_cod_entries(cod->entries);
free_net_entries(cod->net_entries);
if (cod->dfarules) if (cod->dfarules)
aare_delete_ruleset(cod->dfarules); aare_delete_ruleset(cod->dfarules);
if (cod->dfa) if (cod->dfa)

312
parser/parser_yacc.y
View File

@@ -90,26 +90,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode);
%token TOK_NETWORK %token TOK_NETWORK
%token TOK_HAT %token TOK_HAT
%token TOK_UNSAFE %token TOK_UNSAFE
/* network tokens */
%token TOK_IP
%token TOK_IFACE
%token TOK_ACTION
%token TOK_PORT
%token TOK_PORT_IDENT
%token TOK_NUM
%token TOK_COLON %token TOK_COLON
%token TOK_SLASH
%token TOK_RANGE
%token TOK_VIA
%token TOK_TO
%token TOK_FROM
%token TOK_TCP_CONN
%token TOK_TCP_ACPT
%token TOK_TCP_CONN_ESTB
%token TOK_TCP_ACPT_ESTB
%token TOK_UDP_SEND
%token TOK_UDP_RECV
/* capabilities */ /* capabilities */
%token TOK_CAPABILITY %token TOK_CAPABILITY
@@ -124,23 +105,12 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode);
%union { %union {
char *id; char *id;
char *flag_id; char *flag_id;
char *ip;
char *iface;
char *mode; char *mode;
char *eth;
/* char * action; */
char *via;
/* char * port; */
unsigned long int num;
struct aa_network_entry *network_entry; struct aa_network_entry *network_entry;
struct codomain *cod; struct codomain *cod;
struct cod_global_entry *entry; struct cod_global_entry *entry;
struct cod_net_entry *net_entry; struct cod_net_entry *net_entry;
struct cod_entry *user_entry; struct cod_entry *user_entry;
struct ipv4_desc *ipv4;
struct ipv4_endpoints *endpoints;
unsigned short (*port)[2];
int action;
struct flagval flags; struct flagval flags;
int fmode; int fmode;
unsigned int cap; unsigned int cap;
@@ -159,20 +129,8 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode);
%type <cod> rules %type <cod> rules
%type <cod> hat %type <cod> hat
%type <cod> cond_rule %type <cod> cond_rule
%type <net_entry> netrule
%type <network_entry> network_rule %type <network_entry> network_rule
%type <user_entry> rule %type <user_entry> rule
%type <ipv4> address
%type <endpoints> addresses
%type <num> mask
%type <port> ports
%type <ip> TOK_IP
%type <iface> TOK_IFACE interface
%type <action> TOK_ACTION
%type <via> TOK_VIA
%type <port> TOK_PORT_IDENT
%type <num> TOK_NUM
%type <action> action
%type <flags> flags %type <flags> flags
%type <flags> flagvals %type <flags> flagvals
%type <flags> flagval %type <flags> flagval
@@ -413,17 +371,6 @@ rules: rules rule
$$ = $1; $$ = $1;
}; };
rules: rules netrule
{
PDEBUG("Matched: netrules rule\n");
if (!$2)
yyerror(_("Assert: `netrule' returned NULL."));
PDEBUG("Assigning %s\n", inet_ntoa(*$2->saddr));
PDEBUG("Assigning %s\n", inet_ntoa(*$2->daddr));
add_netrule_to_policy($1, $2);
$$ = $1;
};
rules: rules network_rule rules: rules network_rule
{ {
struct aa_network_entry *entry, *tmp; struct aa_network_entry *entry, *tmp;
@@ -647,44 +594,6 @@ network_rule: TOK_NETWORK TOK_ID TOK_ID TOK_END_OF_RULE
$$ = entry; $$ = entry;
} }
/*
* The addition of an entirely new grammer set to our (previously) slim
* profile spec is below. It's designed to look quite similar to
* (Free|Open)BSD's ipfw rules:
*
* 'tcp_connect to 10.0.0.40:80 via eth0' for example.
*
*
* mb:
* We need to verify the following rules:
*/
netrule: action addresses interface TOK_END_OF_RULE
{
struct cod_net_entry *entry;
entry = NULL;
if (!$2)
yyerror(_("Assert: `addresses' returned NULL."));
PDEBUG("Matched action (%d) via (%s)\n", $1, $3);
entry = new_network_entry($1, $2, $3);
if (!entry)
yyerror(_("Memory allocation error."));
free_ipv4_endpoints($2);
$$ = entry;
};
action: TOK_TCP_CONN { $$ = AA_TCP_CONNECT; }
| TOK_TCP_ACPT { $$ = AA_TCP_ACCEPT; }
| TOK_TCP_CONN_ESTB { $$ = AA_TCP_CONNECTED; }
| TOK_TCP_ACPT_ESTB { $$ = AA_TCP_ACCEPTED; }
| TOK_UDP_SEND { $$ = AA_UDP_SEND; }
| TOK_UDP_RECV { $$ = AA_UDP_RECEIVE; }
;
hat_start: TOK_SEP {} hat_start: TOK_SEP {}
| TOK_HAT {} | TOK_HAT {}
@@ -694,227 +603,6 @@ file_mode: TOK_MODE
free($1); free($1);
} }
interface: /* nothing, no interface specified */
{
$$ = NULL;
};
interface: TOK_VIA TOK_IFACE
{
PDEBUG ("Matched an interface (%s)\n", $2);
$$ = $2;
};
addresses: /* Nothing */
{
struct ipv4_endpoints *addresses;
addresses = (struct ipv4_endpoints *)
malloc (sizeof (struct ipv4_endpoints));
if (!addresses)
yyerror(_("Memory allocation error."));
addresses->src = NULL;
addresses->dest = NULL;
$$ = addresses;
};
addresses: TOK_TO address
{
struct ipv4_endpoints *addresses;
addresses = (struct ipv4_endpoints *)
malloc(sizeof (struct ipv4_endpoints));
if (!addresses)
yyerror(_("Memory allocation error."));
addresses->src = NULL;
addresses->dest = $2;
$$ = addresses;
};
addresses: TOK_FROM address
{
struct ipv4_endpoints *addresses;
addresses = (struct ipv4_endpoints *)
malloc(sizeof (struct ipv4_endpoints));
if (!addresses)
yyerror(_("Memory allocation error."));
addresses->src = $2;
addresses->dest = NULL;
$$ = addresses;
};
addresses: TOK_FROM address TOK_TO address
{
struct ipv4_endpoints *addresses;
addresses = (struct ipv4_endpoints *)
malloc (sizeof (struct ipv4_endpoints));
if (!addresses)
yyerror(_("Memory allocation error."));
addresses->src = $2;
addresses->dest = $4;
$$ = addresses;
};
addresses: TOK_TO address TOK_FROM address
{
struct ipv4_endpoints *addresses;
addresses = (struct ipv4_endpoints *)
malloc(sizeof (struct ipv4_endpoints));
if (!addresses)
yyerror(_("Memory allocation error."));
addresses->src = $4;
addresses->dest = $2;
$$ = addresses;
};
addresses: TOK_TO address TOK_TO
{
/* better error warnings (hopefully) */
yyerror(_("Network entries can only have one TO address."));
};
addresses: TOK_FROM address TOK_FROM
{
/* better error warnings (hopefully) */
yyerror(_("Network entries can only have one FROM address."));
};
address: TOK_IP ports
{
/* Bleah, I have to handle address as two rules, because
* if the user provides an ip of 0.0.0.0 and no mask, we
* treat it as 0.0.0.0/0 instead of 0.0.0.0/32. */
struct ipv4_desc *address;
address = (struct ipv4_desc *)
malloc (sizeof (struct ipv4_desc));
if (!address)
yyerror(_("Memory allocation error."));
address->port[0] = (*$2)[0];
address->port[1] = (*$2)[1];
if (inet_aton($1, &(address->addr)) == 0)
yyerror(_("`%s' is not a valid ip address."), $1);
if (address->addr.s_addr == 0) {
/* the user specified 0.0.0.0 without giving an
* explicit mask, so treat it as 0.0.0.0/0 */
address->mask = htonl (0UL);
} else {
/* otherwise, treat it as /32 */
address->mask = htonl (0xffffffff);
}
PDEBUG("Matched an IP (%s/%d:%d-%d)\n",
inet_ntoa(address->addr), address->mask,
address->port[0], address->port[1]);
free($1);
free(*$2);
$$ = address;
};
address: TOK_IP mask ports
{
struct ipv4_desc *address;
address = (struct ipv4_desc *)
malloc(sizeof (struct ipv4_desc));
if (!address)
yyerror(_("Memory allocation error."));
address->mask = $2;
address->port[0] = (*$3)[0];
address->port[1] = (*$3)[1];
if (inet_aton($1, &(address->addr)) == 0)
yyerror(_("`%s' is not a valid ip address."), $1);
PDEBUG("Matched an IP (%s/%d:%d-%d)\n",
inet_ntoa(address->addr), address->mask,
address->port[0], address->port[1]);
free($1);
free(*$3);
$$ = address;
};
mask: TOK_SLASH TOK_NUM
{
PDEBUG("Matched a netmask (%d)\n", $2);
if (($2 < 0) || ($2 > 32))
yyerror(_("`/%d' is not a valid netmask."), $2);
$$ = htonl(0xffffffff << (32 - $2));
};
mask: TOK_SLASH TOK_IP
{
struct in_addr mask;
if (inet_aton($2, &mask) == 0)
yyerror(_("`%s' is not a valid netmask."), $2);
PDEBUG("Matched a netmask (%d)\n", mask.s_addr);
$$ = mask.s_addr;
};
ports: {
/* nothing, return all ports */
unsigned short (*ports)[2];
ports = (unsigned short (*)[2])
malloc(sizeof (unsigned short [2]));
if (!ports)
yyerror(_("Memory allocation error."));
(*ports)[0] = MIN_PORT;
(*ports)[1] = MAX_PORT;
$$ = ports;
};
ports: TOK_COLON TOK_NUM
{
unsigned short (*ports)[2];
PDEBUG("Matched a single port (%d)\n", $2);
ports = (unsigned short (*)[2])
malloc(sizeof (unsigned short [2]));
if (($2 < MIN_PORT) || ($2 > MAX_PORT))
yyerror(_("ports must be between %d and %d"),
MIN_PORT, MAX_PORT);
if (!ports)
yyerror(_("Memory allocation error."));
(*ports)[0] = $2;
(*ports)[1] = $2;
$$ = ports;
};
ports: TOK_COLON TOK_NUM TOK_RANGE TOK_NUM
{
unsigned short (*ports)[2];
PDEBUG("Matched a port range (%d,%d)\n", $2, $4);
ports = (unsigned short (*)[2])
malloc(sizeof (unsigned short [2]));
if (!ports)
yyerror(_("Memory allocation error."));
if (($2 < MIN_PORT) || ($4 > MAX_PORT)
|| ($2 < MIN_PORT) || ($4 > MAX_PORT))
yyerror(_("ports must be between %d and %d"),
MIN_PORT, MAX_PORT);
(*ports)[0] = $2;
(*ports)[1] = $4;
if ((*ports)[0] > (*ports)[1])
{
unsigned short tmp;
pwarn("expected first port number to be less than the second, swapping (%ld,%ld)\n",
$2, $4);
tmp = (*ports)[0];
(*ports)[0] = (*ports)[1];
(*ports)[1] = tmp;
}
$$ = ports;
};
change_profile: TOK_CHANGE_PROFILE TOK_ID TOK_END_OF_RULE change_profile: TOK_CHANGE_PROFILE TOK_ID TOK_END_OF_RULE
{ {
struct cod_entry *entry; struct cod_entry *entry;

4
parser/tst/simple_tests/tcp_server_ok1.sd → parser/tst/simple_tests/netdomain_bad_1.sd
View File

@@ -1,7 +1,7 @@
# #
# $Id$ # $Id: tcp_server_ok1.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain tcp accept simple parse test (from,via) #=DESCRIPTION netdomain tcp accept simple parse test (from,via)
#=EXRESULT PASS #=EXRESULT FAIL
# #
/tmp/tcp/tcp_server { /tmp/tcp/tcp_server {
tcp_accept from 127.0.0.1, tcp_accept from 127.0.0.1,

4
parser/tst/simple_tests/tcp_server_ok2.sd → parser/tst/simple_tests/netdomain_bad_2.sd
View File

@@ -1,7 +1,7 @@
# #
# $Id$ # $Id: tcp_server_ok2.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain tcp accept from ip/cidr netmask/port range via #=DESCRIPTION netdomain tcp accept from ip/cidr netmask/port range via
#=EXRESULT PASS #=EXRESULT FAIL
/tmp/tcp/tcp_server { /tmp/tcp/tcp_server {
tcp_accept from 10.0.0.17/16:50-100 via eth1, tcp_accept from 10.0.0.17/16:50-100 via eth1,
tcp_accept from 127.0.0.1, tcp_accept from 127.0.0.1,

3
parser/tst/simple_tests/tcp_server_ok3.sd → parser/tst/simple_tests/netdomain_bad_3.sd
View File

@@ -1,6 +1,7 @@
# #
# $Id$ # $Id: tcp_server_ok3.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain tcp accept from,to,via #=DESCRIPTION netdomain tcp accept from,to,via
#=EXRESULT FAIL
/tmp/tcp/tcp_server { /tmp/tcp/tcp_server {
tcp_accept from 10.0.0.17/16:50-100 to 127.0.0.1 via eth1, tcp_accept from 10.0.0.17/16:50-100 to 127.0.0.1 via eth1,
tcp_accept from 127.0.0.1, tcp_accept from 127.0.0.1,

4
parser/tst/simple_tests/tcp_server_ok4.sd → parser/tst/simple_tests/netdomain_bad_4.sd
View File

@@ -1,7 +1,7 @@
# #
# $Id$ # $Id: tcp_server_ok4.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain accept from port 65535 #=DESCRIPTION netdomain accept from port 65535
#=EXRESULT PASS #=EXRESULT FAIL
# #
/tmp/tcp/tcp_client { /tmp/tcp/tcp_client {
tcp_accept to 10.0.0.17/16:1024-65535 from 127.0.0.1 via eth1, tcp_accept to 10.0.0.17/16:1024-65535 from 127.0.0.1 via eth1,

4
parser/tst/simple_tests/tcp_client_ok1.sd → parser/tst/simple_tests/netdomain_bad_5.sd
View File

@@ -1,7 +1,7 @@
# #
# $Id$ # $Id: tcp_client_ok1.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain tcp connect simple parse test (to,via) #=DESCRIPTION netdomain tcp connect simple parse test (to,via)
#=EXRESULT PASS #=EXRESULT FAIL
# #
/tmp/tcp/tcp_client { /tmp/tcp/tcp_client {
tcp_connect to 127.0.0.1, tcp_connect to 127.0.0.1,

4
parser/tst/simple_tests/tcp_client_ok2.sd → parser/tst/simple_tests/netdomain_bad_6.sd
View File

@@ -1,7 +1,7 @@
# #
# $Id$ # $Id: tcp_client_ok2.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain tcp connect to ip/cidr netmask/port range via #=DESCRIPTION netdomain tcp connect to ip/cidr netmask/port range via
#=EXRESULT PASS #=EXRESULT FAIL
/tmp/tcp/tcp_client { /tmp/tcp/tcp_client {
tcp_connect to 10.0.0.17/16:50-100 via eth1, tcp_connect to 10.0.0.17/16:50-100 via eth1,
tcp_connect to 127.0.0.1, tcp_connect to 127.0.0.1,

3
parser/tst/simple_tests/tcp_client_ok3.sd → parser/tst/simple_tests/netdomain_bad_7.sd
View File

@@ -1,6 +1,7 @@
# #
# $Id$ # $Id: tcp_client_ok3.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain tcp connect to,from,via #=DESCRIPTION netdomain tcp connect to,from,via
#=EXRESULT FAIL
/tmp/tcp/tcp_client { /tmp/tcp/tcp_client {
tcp_connect to 10.0.0.17/16:50-100 from 127.0.0.1 via eth1, tcp_connect to 10.0.0.17/16:50-100 from 127.0.0.1 via eth1,
tcp_connect to 127.0.0.1, tcp_connect to 127.0.0.1,

4
parser/tst/simple_tests/tcp_client_ok4.sd → parser/tst/simple_tests/netdomain_bad_8.sd
View File

@@ -1,7 +1,7 @@
# #
# $Id$ # $Id: tcp_client_ok4.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain tcp (accept,connect), udp (send,receive) conglomerate test #=DESCRIPTION netdomain tcp (accept,connect), udp (send,receive) conglomerate test
#=EXRESULT PASS #=EXRESULT FAIL
# #
/tmp/tcp/tcp_client { /tmp/tcp/tcp_client {
tcp_connect to 10.0.0.17/16:50-100 from 0.0.0.0:50-100 via eth1, tcp_connect to 10.0.0.17/16:50-100 from 0.0.0.0:50-100 via eth1,

4
parser/tst/simple_tests/tcp_client_ok5.sd → parser/tst/simple_tests/netdomain_bad_9.sd
View File

@@ -1,7 +1,7 @@
# #
# $Id$ # $Id: tcp_client_ok5.sd 66 2006-06-01 18:02:28Z steve-beattie $
#=DESCRIPTION netdomain connect to port 65535 #=DESCRIPTION netdomain connect to port 65535
#=EXRESULT PASS #=EXRESULT FAIL
# #
/tmp/tcp/tcp_client { /tmp/tcp/tcp_client {
tcp_connect to 10.0.0.17/16:1024-65535 from 127.0.0.1 via eth1, tcp_connect to 10.0.0.17/16:1024-65535 from 127.0.0.1 via eth1,