mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-09-02 15:25:27 +00:00
remove old netdomain syntax
This commit is contained in:
John Johansen
@@ -52,18 +52,6 @@
|
||||
#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
|
||||
|
||||
|
||||
/* Network subdomain extensions. */
|
||||
#define AA_TCP_CONNECT (1 << 16)
|
||||
#define AA_TCP_ACCEPT (1 << 17)
|
||||
#define AA_TCP_CONNECTED (1 << 18)
|
||||
#define AA_TCP_ACCEPTED (1 << 19)
|
||||
#define AA_UDP_SEND (1 << 20)
|
||||
#define AA_UDP_RECEIVE (1 << 21)
|
||||
|
||||
/* logging only */
|
||||
#define AA_LOGTCP_SEND (1 << 22)
|
||||
#define AA_LOGTCP_RECEIVE (1 << 23)
|
||||
|
||||
#define AA_HAT_SIZE 975 /* Maximum size of a subdomain
|
||||
* ident (hat) */
|
||||
#define AA_IP_TCP 0x0001
|
||||
|
||||
@@ -49,15 +49,6 @@ struct cod_entry {
|
||||
struct cod_entry *next;
|
||||
};
|
||||
|
||||
struct cod_net_entry {
|
||||
struct in_addr *saddr, *smask;
|
||||
struct in_addr *daddr, *dmask;
|
||||
unsigned short src_port[2], dst_port[2];
|
||||
char *iface;
|
||||
int mode;
|
||||
struct cod_net_entry *next;
|
||||
};
|
||||
|
||||
/* supported AF protocols */
|
||||
struct aa_network_entry {
|
||||
unsigned int family;
|
||||
@@ -82,7 +73,6 @@ struct codomain {
|
||||
* indexed by AF_FAMILY */
|
||||
|
||||
struct cod_entry *entries;
|
||||
struct cod_net_entry * net_entries;
|
||||
void *hat_table;
|
||||
//struct codomain *next;
|
||||
|
||||
@@ -94,7 +84,6 @@ struct codomain {
|
||||
|
||||
struct cod_global_entry {
|
||||
struct cod_entry *entry;
|
||||
struct cod_net_entry *net_entry;
|
||||
struct codomain *hats ;
|
||||
unsigned int capabilities;
|
||||
};
|
||||
@@ -206,9 +195,6 @@ extern int name_to_capability(const char *keyword);
|
||||
extern char *process_var(const char *var);
|
||||
extern int parse_mode(const char *mode);
|
||||
extern struct cod_entry *new_entry(char *namespace, char *id, int mode);
|
||||
extern struct cod_net_entry *new_network_entry(int action,
|
||||
struct ipv4_endpoints *addrs,
|
||||
char *interface);
|
||||
extern struct aa_network_entry *new_network_ent(unsigned int family,
|
||||
unsigned int type,
|
||||
unsigned int protocol);
|
||||
@@ -221,8 +207,6 @@ extern void debug_cod_list(struct codomain *list);
|
||||
extern int str_to_boolean(const char* str);
|
||||
extern struct cod_entry *copy_cod_entry(struct cod_entry *cod);
|
||||
extern void free_cod_entries(struct cod_entry *list);
|
||||
extern void free_net_entries(struct cod_net_entry *list);
|
||||
extern void free_ipv4_endpoints(struct ipv4_endpoints *addrs);
|
||||
|
||||
/* parser_symtab.c */
|
||||
extern int add_boolean_var(const char *var, int boolean);
|
||||
@@ -247,7 +231,6 @@ extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod,
|
||||
extern void add_to_list(struct codomain *codomain);
|
||||
extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
|
||||
extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
|
||||
extern void add_netrule_to_policy(struct codomain *policy, struct cod_net_entry *net_entry);
|
||||
extern int post_process_policy(void);
|
||||
extern int process_hat_regex(struct codomain *cod);
|
||||
extern int process_hat_variables(struct codomain *cod);
|
||||
|
||||
@@ -430,42 +430,6 @@ inline int sd_write_listend(sd_serialize *p)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
sd_serialize_net_entry(sd_serialize *p, struct cod_net_entry *net_entry)
|
||||
{
|
||||
|
||||
if (!sd_write_struct(p, "ne"))
|
||||
return 0;
|
||||
if (!sd_write32(p, net_entry->mode))
|
||||
return 0;
|
||||
|
||||
if (!sd_write32(p, net_entry->saddr->s_addr))
|
||||
return 0;
|
||||
if (!sd_write32(p, net_entry->smask->s_addr))
|
||||
return 0;
|
||||
if (!sd_write16(p, net_entry->src_port[0]))
|
||||
return 0;
|
||||
if (!sd_write16(p, net_entry->src_port[1]))
|
||||
return 0;
|
||||
if (!sd_write32(p, net_entry->daddr->s_addr))
|
||||
return 0;
|
||||
if (!sd_write32(p, net_entry->dmask->s_addr))
|
||||
return 0;
|
||||
if (!sd_write16(p, net_entry->dst_port[0]))
|
||||
return 0;
|
||||
if (!sd_write16(p, net_entry->dst_port[1]))
|
||||
return 0;
|
||||
|
||||
if (net_entry->iface)
|
||||
if (!sd_write_string(p, net_entry->iface, NULL))
|
||||
return 0;
|
||||
|
||||
if (!sd_write_structend(p))
|
||||
return 0;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int sd_serialize_pattern(sd_serialize *p, pcre *pat)
|
||||
{
|
||||
if (!sd_write_struct(p, "pcre"))
|
||||
@@ -565,7 +529,6 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
|
||||
int flattened)
|
||||
{
|
||||
struct cod_entry *entry;
|
||||
struct cod_net_entry *net_entry;
|
||||
|
||||
if (!sd_write_struct(p, "profile"))
|
||||
return 0;
|
||||
@@ -660,18 +623,6 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
|
||||
}
|
||||
}
|
||||
|
||||
if (profile->net_entries && (regex_type != AARE_DFA)) {
|
||||
if (!sd_write_list(p, "net"))
|
||||
return 0;
|
||||
list_for_each(profile->net_entries, net_entry) {
|
||||
if (!sd_serialize_net_entry(p, net_entry))
|
||||
return 0;
|
||||
}
|
||||
if (!sd_write_listend(p))
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
||||
if (profile->hat_table && regex_type != AARE_DFA) {
|
||||
if (!sd_write_list(p, "hats"))
|
||||
return 0;
|
||||
|
||||
@@ -73,8 +73,6 @@ BOOL_VARIABLE $(\{{VARIABLE_NAME}\}|{VARIABLE_NAME})
|
||||
PATHNAME (\/|{SET_VARIABLE}{POST_VAR_ID}){ID}*
|
||||
QPATHNAME \"(\/|{SET_VAR_PREFIX})([^\0"]|\\\")*\"
|
||||
|
||||
IFACE [[:alnum:]:]+
|
||||
|
||||
FLAGOPEN_PAREN \(
|
||||
FLAGCLOSE_PAREN \)
|
||||
FLAGSEP \,
|
||||
@@ -82,8 +80,6 @@ EQUALS =
|
||||
ADD_ASSIGN \+=
|
||||
|
||||
%x SUB_NAME
|
||||
%x IP_MODE
|
||||
%x IF_MODE
|
||||
%x NETWORK_MODE
|
||||
%x FLAGS_MODE
|
||||
%x ASSIGN_MODE
|
||||
@@ -124,61 +120,6 @@ ADD_ASSIGN \+=
|
||||
}
|
||||
}
|
||||
|
||||
<IP_MODE>{
|
||||
{COLON} {
|
||||
PDEBUG("(ip_mode) Found a colon\n");
|
||||
return TOK_COLON;
|
||||
}
|
||||
{NUMBER} {
|
||||
yylval = (YYSTYPE) strtoul(yytext, NULL, 10);
|
||||
PDEBUG("(ip_mode) Found a number %d\n", yylval);
|
||||
return TOK_NUM;
|
||||
}
|
||||
{IP} {
|
||||
yylval = (YYSTYPE) strdup(yytext);
|
||||
PDEBUG("Found ip %s\n", yylval);
|
||||
return TOK_IP;
|
||||
}
|
||||
{SLASH} {
|
||||
PDEBUG("(ip_mode) Found a slash\n");
|
||||
return TOK_SLASH;
|
||||
}
|
||||
{RANGE} {
|
||||
PDEBUG("(ip_mode) Found a slash\n");
|
||||
return TOK_RANGE;
|
||||
}
|
||||
{WS} {
|
||||
/* Ignoring whitespace */
|
||||
PDEBUG("Ending ip mode\n");
|
||||
BEGIN(INITIAL);
|
||||
}
|
||||
{END_OF_RULE} { /* Ugh, need this so we don't require a space
|
||||
before the EoL marker */
|
||||
BEGIN(INITIAL);
|
||||
return TOK_END_OF_RULE;
|
||||
}
|
||||
[^\n] {
|
||||
/* Something we didn't expect */
|
||||
yylval = (YYSTYPE) strdup(yytext);
|
||||
yyerror(_("(ip_mode) Found unexpected character: '%s'"), yylval);
|
||||
}
|
||||
}
|
||||
|
||||
<IF_MODE>{
|
||||
{WS}+ { /* Eat whitespace preceding interface */ }
|
||||
|
||||
{IFACE} {
|
||||
yylval = (YYSTYPE) strdup(yytext);
|
||||
PDEBUG("Found interface: %s\n", yylval);
|
||||
BEGIN(INITIAL);
|
||||
return TOK_IFACE;
|
||||
}
|
||||
[^\n] {
|
||||
/* Something we didn't expect */
|
||||
yyerror(_("Unexpected character in interface name: '%s'"), yytext);
|
||||
}
|
||||
}
|
||||
|
||||
<FLAGS_MODE>{
|
||||
{FLAGOPEN_PAREN} {
|
||||
PDEBUG("FLag (\n");
|
||||
@@ -302,14 +243,6 @@ ADD_ASSIGN \+=
|
||||
return TOK_CLOSE;
|
||||
}
|
||||
|
||||
|
||||
{IP} {
|
||||
yylval = (YYSTYPE) strdup(yytext);
|
||||
PDEBUG("Found ip %s\n", yylval);
|
||||
BEGIN(IP_MODE);
|
||||
return TOK_IP;
|
||||
}
|
||||
|
||||
{PATHNAME} {
|
||||
yylval = (YYSTYPE) processunquoted(yytext, yyleng);
|
||||
PDEBUG("Found id: \"%s\"\n", yylval);
|
||||
@@ -355,9 +288,6 @@ ADD_ASSIGN \+=
|
||||
PDEBUG("Found id: \"%s\"\n", yylval);
|
||||
return TOK_ID;
|
||||
break;
|
||||
case TOK_VIA:
|
||||
BEGIN(IF_MODE); /* look for an interface name next */
|
||||
break;
|
||||
case TOK_FLAGS:
|
||||
BEGIN(FLAGS_MODE);
|
||||
break;
|
||||
|
||||
@@ -29,15 +29,6 @@
|
||||
#include "parser.h"
|
||||
|
||||
|
||||
static inline int count_net_entries(struct codomain *cod)
|
||||
{
|
||||
struct cod_net_entry *list;
|
||||
int count = 0;
|
||||
for (list = cod->net_entries; list; list = list->next)
|
||||
count++;
|
||||
return count;
|
||||
}
|
||||
|
||||
static int file_comp(const void *c1, const void *c2)
|
||||
{
|
||||
struct cod_entry **e1, **e2;
|
||||
@@ -127,17 +118,10 @@ static int process_file_entries(struct codomain *cod)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int process_net_entries(struct codomain __unused *cod)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
int codomain_merge_rules(struct codomain *cod)
|
||||
{
|
||||
if (!process_file_entries(cod))
|
||||
goto fail;
|
||||
if (!process_net_entries(cod))
|
||||
goto fail;
|
||||
|
||||
/* XXX return error from this */
|
||||
merge_hat_rules(cod);
|
||||
|
||||
@@ -51,15 +51,6 @@ static struct keyword_table keyword_table[] = {
|
||||
/* flags */
|
||||
{"flags", TOK_FLAGS},
|
||||
/* network */
|
||||
{"via", TOK_VIA},
|
||||
{"tcp_connect", TOK_TCP_CONN},
|
||||
{"tcp_accept", TOK_TCP_ACPT},
|
||||
{"tcp_connected", TOK_TCP_CONN_ESTB},
|
||||
{"tcp_accepted", TOK_TCP_ACPT_ESTB},
|
||||
{"udp_send", TOK_UDP_SEND},
|
||||
{"udp_receive", TOK_UDP_RECV},
|
||||
{"to", TOK_TO},
|
||||
{"from", TOK_FROM},
|
||||
{"network", TOK_NETWORK},
|
||||
/* misc keywords */
|
||||
{"capability", TOK_CAPABILITY},
|
||||
@@ -564,58 +555,6 @@ reeval:
|
||||
return mode;
|
||||
}
|
||||
|
||||
struct cod_net_entry *new_network_entry(int action,
|
||||
struct ipv4_endpoints *addrs,
|
||||
char *interface)
|
||||
{
|
||||
struct cod_net_entry *entry = NULL;
|
||||
|
||||
entry = (struct cod_net_entry *)
|
||||
malloc(sizeof(struct cod_net_entry));
|
||||
entry->saddr = (struct in_addr *)malloc(sizeof(struct in_addr));
|
||||
entry->smask = (struct in_addr *)malloc(sizeof(struct in_addr));
|
||||
entry->daddr = (struct in_addr *)malloc(sizeof(struct in_addr));
|
||||
entry->dmask = (struct in_addr *)malloc(sizeof(struct in_addr));
|
||||
|
||||
if (!addrs || !entry || !entry->saddr || !entry->smask ||
|
||||
!entry->daddr || !entry->dmask) {
|
||||
yyerror(_("Memory allocation error."));
|
||||
return NULL;
|
||||
}
|
||||
|
||||
entry->next = NULL;
|
||||
entry->mode = action;
|
||||
entry->iface = interface ? interface : NULL;
|
||||
|
||||
if (addrs->src) {
|
||||
PDEBUG("Assigning source\n");
|
||||
entry->saddr->s_addr = addrs->src->addr.s_addr & addrs->src->mask;
|
||||
entry->smask->s_addr = addrs->src->mask;
|
||||
entry->src_port[0] = addrs->src->port[0];
|
||||
entry->src_port[1] = addrs->src->port[1];
|
||||
} else {
|
||||
entry->saddr->s_addr = 0;
|
||||
entry->smask->s_addr = 0;
|
||||
entry->src_port[0] = MIN_PORT;
|
||||
entry->src_port[1] = MAX_PORT;
|
||||
}
|
||||
|
||||
if (addrs->dest) {
|
||||
PDEBUG("Assigning source\n");
|
||||
entry->daddr->s_addr = addrs->dest->addr.s_addr & addrs->dest->mask;
|
||||
entry->dmask->s_addr = addrs->dest->mask;
|
||||
entry->dst_port[0] = addrs->dest->port[0];
|
||||
entry->dst_port[1] = addrs->dest->port[1];
|
||||
} else {
|
||||
entry->daddr->s_addr = 0;
|
||||
entry->dmask->s_addr = 0;
|
||||
entry->dst_port[0] = MIN_PORT;
|
||||
entry->dst_port[1] = MAX_PORT;
|
||||
}
|
||||
|
||||
return entry;
|
||||
}
|
||||
|
||||
struct cod_entry *new_entry(char *namespace, char *id, int mode)
|
||||
{
|
||||
struct cod_entry *entry = NULL;
|
||||
@@ -662,17 +601,6 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
|
||||
return entry;
|
||||
}
|
||||
|
||||
void free_ipv4_endpoints(struct ipv4_endpoints *addrs)
|
||||
{
|
||||
if (!addrs)
|
||||
return;
|
||||
if (addrs->src)
|
||||
free(addrs->src);
|
||||
if (addrs->dest)
|
||||
free(addrs->dest);
|
||||
free(addrs);
|
||||
}
|
||||
|
||||
void free_cod_entries(struct cod_entry *list)
|
||||
{
|
||||
if (!list)
|
||||
@@ -690,25 +618,6 @@ void free_cod_entries(struct cod_entry *list)
|
||||
free(list);
|
||||
}
|
||||
|
||||
void free_net_entries(struct cod_net_entry *list)
|
||||
{
|
||||
if (!list)
|
||||
return;
|
||||
if (list->next)
|
||||
free_net_entries(list->next);
|
||||
if (list->saddr)
|
||||
free(list->saddr);
|
||||
if (list->smask)
|
||||
free(list->smask);
|
||||
if (list->daddr)
|
||||
free(list->daddr);
|
||||
if (list->dmask)
|
||||
free(list->dmask);
|
||||
if (list->iface)
|
||||
free(list->iface);
|
||||
free(list);
|
||||
}
|
||||
|
||||
void debug_cod_entries(struct cod_entry *list)
|
||||
{
|
||||
struct cod_entry *item = NULL;
|
||||
@@ -763,54 +672,6 @@ void debug_cod_entries(struct cod_entry *list)
|
||||
}
|
||||
}
|
||||
|
||||
void debug_cod_net_entries(struct cod_net_entry *list)
|
||||
{
|
||||
struct cod_net_entry *item = NULL;
|
||||
struct in_addr src_addr, dst_addr;
|
||||
unsigned long smask;
|
||||
unsigned long dmask;
|
||||
|
||||
printf("--- NetwerkEntries --- \n");
|
||||
|
||||
list_for_each(list, item) {
|
||||
if (!item)
|
||||
printf("Item is NULL");
|
||||
|
||||
src_addr.s_addr = item->saddr->s_addr;
|
||||
dst_addr.s_addr = item->daddr->s_addr;
|
||||
smask = ntohl(item->smask->s_addr);
|
||||
dmask = ntohl(item->dmask->s_addr);
|
||||
|
||||
printf("Source IP: %s\n", inet_ntoa(src_addr));
|
||||
printf("Source Port: (%hu) - (%hu)\n", item->src_port[0],
|
||||
item->src_port[1]);
|
||||
printf("Source netmask: %lx\n", smask);
|
||||
fflush(stdout);
|
||||
printf("Destination IP: %s\n", inet_ntoa(dst_addr));
|
||||
printf("Destination Port: %hu - %hu\n", item->dst_port[0],
|
||||
item->dst_port[1]);
|
||||
printf("Destination netmask: %lx\n", dmask);
|
||||
fflush(stdout);
|
||||
printf("Mode:\t");
|
||||
if (item->mode & AA_TCP_ACCEPT)
|
||||
printf("TA");
|
||||
if (item->mode & AA_TCP_CONNECT)
|
||||
printf("TC");
|
||||
if (item->mode & AA_TCP_ACCEPTED)
|
||||
printf("Ta");
|
||||
if (item->mode & AA_TCP_CONNECTED)
|
||||
printf("Tc");
|
||||
if (item->mode & AA_UDP_SEND)
|
||||
printf("US");
|
||||
if (item->mode & AA_UDP_RECEIVE)
|
||||
printf("UR");
|
||||
if (item->iface != NULL)
|
||||
printf("\nInterface: %s\n", item->iface);
|
||||
|
||||
printf("\n");
|
||||
}
|
||||
}
|
||||
|
||||
static const char *capnames[] = {
|
||||
"chown",
|
||||
"dac_override",
|
||||
@@ -887,9 +748,6 @@ void debug_cod_list(struct codomain *cod)
|
||||
if (cod->entries)
|
||||
debug_cod_entries(cod->entries);
|
||||
|
||||
if (cod->net_entries)
|
||||
debug_cod_net_entries(cod->net_entries);
|
||||
|
||||
printf("\n");
|
||||
dump_policy_hats(cod);
|
||||
}
|
||||
|
||||
@@ -99,12 +99,6 @@ void add_entry_to_policy(struct codomain *cod, struct cod_entry *entry)
|
||||
cod->entries = entry;
|
||||
}
|
||||
|
||||
void add_netrule_to_policy(struct codomain *cod, struct cod_net_entry *net_entry)
|
||||
{
|
||||
net_entry->next = cod->net_entries;
|
||||
cod->net_entries = net_entry;
|
||||
}
|
||||
|
||||
static void __merge_rules(const void *nodep, const VISIT value,
|
||||
const int __unused depth)
|
||||
{
|
||||
@@ -392,7 +386,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
|
||||
{
|
||||
struct codomain *ret = a;
|
||||
struct cod_entry *last;
|
||||
struct cod_net_entry *lastnet;
|
||||
if (!a) {
|
||||
ret = b;
|
||||
goto out;
|
||||
@@ -415,14 +408,6 @@ struct codomain *merge_policy(struct codomain *a, struct codomain *b)
|
||||
}
|
||||
b->entries = NULL;
|
||||
|
||||
if (a->net_entries) {
|
||||
list_last_entry(a->net_entries, lastnet);
|
||||
lastnet->next = b->net_entries;
|
||||
} else {
|
||||
a->net_entries = b->net_entries;
|
||||
}
|
||||
b->net_entries = NULL;
|
||||
|
||||
a->flags.complain = a->flags.complain || b->flags.complain;
|
||||
a->flags.audit = a->flags.audit || b->flags.audit;
|
||||
|
||||
@@ -482,7 +467,6 @@ void free_policy(struct codomain *cod)
|
||||
return;
|
||||
free_hat_table(cod->hat_table);
|
||||
free_cod_entries(cod->entries);
|
||||
free_net_entries(cod->net_entries);
|
||||
if (cod->dfarules)
|
||||
aare_delete_ruleset(cod->dfarules);
|
||||
if (cod->dfa)
|
||||
|
||||
@@ -90,26 +90,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode);
|
||||
%token TOK_NETWORK
|
||||
%token TOK_HAT
|
||||
%token TOK_UNSAFE
|
||||
|
||||
/* network tokens */
|
||||
%token TOK_IP
|
||||
%token TOK_IFACE
|
||||
%token TOK_ACTION
|
||||
%token TOK_PORT
|
||||
%token TOK_PORT_IDENT
|
||||
%token TOK_NUM
|
||||
%token TOK_COLON
|
||||
%token TOK_SLASH
|
||||
%token TOK_RANGE
|
||||
%token TOK_VIA
|
||||
%token TOK_TO
|
||||
%token TOK_FROM
|
||||
%token TOK_TCP_CONN
|
||||
%token TOK_TCP_ACPT
|
||||
%token TOK_TCP_CONN_ESTB
|
||||
%token TOK_TCP_ACPT_ESTB
|
||||
%token TOK_UDP_SEND
|
||||
%token TOK_UDP_RECV
|
||||
|
||||
/* capabilities */
|
||||
%token TOK_CAPABILITY
|
||||
@@ -124,23 +105,12 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode);
|
||||
%union {
|
||||
char *id;
|
||||
char *flag_id;
|
||||
char *ip;
|
||||
char *iface;
|
||||
char *mode;
|
||||
char *eth;
|
||||
/* char * action; */
|
||||
char *via;
|
||||
/* char * port; */
|
||||
unsigned long int num;
|
||||
struct aa_network_entry *network_entry;
|
||||
struct codomain *cod;
|
||||
struct cod_global_entry *entry;
|
||||
struct cod_net_entry *net_entry;
|
||||
struct cod_entry *user_entry;
|
||||
struct ipv4_desc *ipv4;
|
||||
struct ipv4_endpoints *endpoints;
|
||||
unsigned short (*port)[2];
|
||||
int action;
|
||||
struct flagval flags;
|
||||
int fmode;
|
||||
unsigned int cap;
|
||||
@@ -159,20 +129,8 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode);
|
||||
%type <cod> rules
|
||||
%type <cod> hat
|
||||
%type <cod> cond_rule
|
||||
%type <net_entry> netrule
|
||||
%type <network_entry> network_rule
|
||||
%type <user_entry> rule
|
||||
%type <ipv4> address
|
||||
%type <endpoints> addresses
|
||||
%type <num> mask
|
||||
%type <port> ports
|
||||
%type <ip> TOK_IP
|
||||
%type <iface> TOK_IFACE interface
|
||||
%type <action> TOK_ACTION
|
||||
%type <via> TOK_VIA
|
||||
%type <port> TOK_PORT_IDENT
|
||||
%type <num> TOK_NUM
|
||||
%type <action> action
|
||||
%type <flags> flags
|
||||
%type <flags> flagvals
|
||||
%type <flags> flagval
|
||||
@@ -413,17 +371,6 @@ rules: rules rule
|
||||
$$ = $1;
|
||||
};
|
||||
|
||||
rules: rules netrule
|
||||
{
|
||||
PDEBUG("Matched: netrules rule\n");
|
||||
if (!$2)
|
||||
yyerror(_("Assert: `netrule' returned NULL."));
|
||||
PDEBUG("Assigning %s\n", inet_ntoa(*$2->saddr));
|
||||
PDEBUG("Assigning %s\n", inet_ntoa(*$2->daddr));
|
||||
add_netrule_to_policy($1, $2);
|
||||
$$ = $1;
|
||||
};
|
||||
|
||||
rules: rules network_rule
|
||||
{
|
||||
struct aa_network_entry *entry, *tmp;
|
||||
@@ -647,44 +594,6 @@ network_rule: TOK_NETWORK TOK_ID TOK_ID TOK_END_OF_RULE
|
||||
$$ = entry;
|
||||
}
|
||||
|
||||
/*
|
||||
* The addition of an entirely new grammer set to our (previously) slim
|
||||
* profile spec is below. It's designed to look quite similar to
|
||||
* (Free|Open)BSD's ipfw rules:
|
||||
*
|
||||
* 'tcp_connect to 10.0.0.40:80 via eth0' for example.
|
||||
*
|
||||
*
|
||||
* mb:
|
||||
* We need to verify the following rules:
|
||||
*/
|
||||
|
||||
netrule: action addresses interface TOK_END_OF_RULE
|
||||
{
|
||||
struct cod_net_entry *entry;
|
||||
|
||||
entry = NULL;
|
||||
|
||||
if (!$2)
|
||||
yyerror(_("Assert: `addresses' returned NULL."));
|
||||
|
||||
PDEBUG("Matched action (%d) via (%s)\n", $1, $3);
|
||||
entry = new_network_entry($1, $2, $3);
|
||||
if (!entry)
|
||||
yyerror(_("Memory allocation error."));
|
||||
|
||||
free_ipv4_endpoints($2);
|
||||
$$ = entry;
|
||||
};
|
||||
|
||||
action: TOK_TCP_CONN { $$ = AA_TCP_CONNECT; }
|
||||
| TOK_TCP_ACPT { $$ = AA_TCP_ACCEPT; }
|
||||
| TOK_TCP_CONN_ESTB { $$ = AA_TCP_CONNECTED; }
|
||||
| TOK_TCP_ACPT_ESTB { $$ = AA_TCP_ACCEPTED; }
|
||||
| TOK_UDP_SEND { $$ = AA_UDP_SEND; }
|
||||
| TOK_UDP_RECV { $$ = AA_UDP_RECEIVE; }
|
||||
;
|
||||
|
||||
hat_start: TOK_SEP {}
|
||||
| TOK_HAT {}
|
||||
|
||||
@@ -694,227 +603,6 @@ file_mode: TOK_MODE
|
||||
free($1);
|
||||
}
|
||||
|
||||
interface: /* nothing, no interface specified */
|
||||
{
|
||||
$$ = NULL;
|
||||
};
|
||||
interface: TOK_VIA TOK_IFACE
|
||||
{
|
||||
PDEBUG ("Matched an interface (%s)\n", $2);
|
||||
$$ = $2;
|
||||
};
|
||||
|
||||
addresses: /* Nothing */
|
||||
{
|
||||
struct ipv4_endpoints *addresses;
|
||||
|
||||
addresses = (struct ipv4_endpoints *)
|
||||
malloc (sizeof (struct ipv4_endpoints));
|
||||
if (!addresses)
|
||||
yyerror(_("Memory allocation error."));
|
||||
addresses->src = NULL;
|
||||
addresses->dest = NULL;
|
||||
|
||||
$$ = addresses;
|
||||
};
|
||||
|
||||
addresses: TOK_TO address
|
||||
{
|
||||
struct ipv4_endpoints *addresses;
|
||||
|
||||
addresses = (struct ipv4_endpoints *)
|
||||
malloc(sizeof (struct ipv4_endpoints));
|
||||
if (!addresses)
|
||||
yyerror(_("Memory allocation error."));
|
||||
addresses->src = NULL;
|
||||
addresses->dest = $2;
|
||||
|
||||
$$ = addresses;
|
||||
};
|
||||
|
||||
addresses: TOK_FROM address
|
||||
{
|
||||
struct ipv4_endpoints *addresses;
|
||||
|
||||
addresses = (struct ipv4_endpoints *)
|
||||
malloc(sizeof (struct ipv4_endpoints));
|
||||
if (!addresses)
|
||||
yyerror(_("Memory allocation error."));
|
||||
addresses->src = $2;
|
||||
addresses->dest = NULL;
|
||||
|
||||
$$ = addresses;
|
||||
};
|
||||
|
||||
addresses: TOK_FROM address TOK_TO address
|
||||
{
|
||||
struct ipv4_endpoints *addresses;
|
||||
|
||||
addresses = (struct ipv4_endpoints *)
|
||||
malloc (sizeof (struct ipv4_endpoints));
|
||||
if (!addresses)
|
||||
yyerror(_("Memory allocation error."));
|
||||
addresses->src = $2;
|
||||
addresses->dest = $4;
|
||||
|
||||
$$ = addresses;
|
||||
};
|
||||
|
||||
addresses: TOK_TO address TOK_FROM address
|
||||
{
|
||||
struct ipv4_endpoints *addresses;
|
||||
|
||||
addresses = (struct ipv4_endpoints *)
|
||||
malloc(sizeof (struct ipv4_endpoints));
|
||||
if (!addresses)
|
||||
yyerror(_("Memory allocation error."));
|
||||
addresses->src = $4;
|
||||
addresses->dest = $2;
|
||||
|
||||
$$ = addresses;
|
||||
};
|
||||
|
||||
addresses: TOK_TO address TOK_TO
|
||||
{
|
||||
/* better error warnings (hopefully) */
|
||||
yyerror(_("Network entries can only have one TO address."));
|
||||
};
|
||||
addresses: TOK_FROM address TOK_FROM
|
||||
{
|
||||
/* better error warnings (hopefully) */
|
||||
yyerror(_("Network entries can only have one FROM address."));
|
||||
};
|
||||
address: TOK_IP ports
|
||||
{
|
||||
/* Bleah, I have to handle address as two rules, because
|
||||
* if the user provides an ip of 0.0.0.0 and no mask, we
|
||||
* treat it as 0.0.0.0/0 instead of 0.0.0.0/32. */
|
||||
|
||||
struct ipv4_desc *address;
|
||||
|
||||
address = (struct ipv4_desc *)
|
||||
malloc (sizeof (struct ipv4_desc));
|
||||
if (!address)
|
||||
yyerror(_("Memory allocation error."));
|
||||
|
||||
address->port[0] = (*$2)[0];
|
||||
address->port[1] = (*$2)[1];
|
||||
if (inet_aton($1, &(address->addr)) == 0)
|
||||
yyerror(_("`%s' is not a valid ip address."), $1);
|
||||
if (address->addr.s_addr == 0) {
|
||||
/* the user specified 0.0.0.0 without giving an
|
||||
* explicit mask, so treat it as 0.0.0.0/0 */
|
||||
address->mask = htonl (0UL);
|
||||
} else {
|
||||
/* otherwise, treat it as /32 */
|
||||
address->mask = htonl (0xffffffff);
|
||||
}
|
||||
PDEBUG("Matched an IP (%s/%d:%d-%d)\n",
|
||||
inet_ntoa(address->addr), address->mask,
|
||||
address->port[0], address->port[1]);
|
||||
|
||||
free($1);
|
||||
free(*$2);
|
||||
$$ = address;
|
||||
};
|
||||
|
||||
address: TOK_IP mask ports
|
||||
{
|
||||
struct ipv4_desc *address;
|
||||
|
||||
address = (struct ipv4_desc *)
|
||||
malloc(sizeof (struct ipv4_desc));
|
||||
if (!address)
|
||||
yyerror(_("Memory allocation error."));
|
||||
|
||||
address->mask = $2;
|
||||
address->port[0] = (*$3)[0];
|
||||
address->port[1] = (*$3)[1];
|
||||
if (inet_aton($1, &(address->addr)) == 0)
|
||||
yyerror(_("`%s' is not a valid ip address."), $1);
|
||||
PDEBUG("Matched an IP (%s/%d:%d-%d)\n",
|
||||
inet_ntoa(address->addr), address->mask,
|
||||
address->port[0], address->port[1]);
|
||||
free($1);
|
||||
free(*$3);
|
||||
$$ = address;
|
||||
};
|
||||
|
||||
mask: TOK_SLASH TOK_NUM
|
||||
{
|
||||
PDEBUG("Matched a netmask (%d)\n", $2);
|
||||
if (($2 < 0) || ($2 > 32))
|
||||
yyerror(_("`/%d' is not a valid netmask."), $2);
|
||||
$$ = htonl(0xffffffff << (32 - $2));
|
||||
};
|
||||
mask: TOK_SLASH TOK_IP
|
||||
{
|
||||
struct in_addr mask;
|
||||
if (inet_aton($2, &mask) == 0)
|
||||
yyerror(_("`%s' is not a valid netmask."), $2);
|
||||
PDEBUG("Matched a netmask (%d)\n", mask.s_addr);
|
||||
$$ = mask.s_addr;
|
||||
};
|
||||
|
||||
ports: {
|
||||
/* nothing, return all ports */
|
||||
unsigned short (*ports)[2];
|
||||
|
||||
ports = (unsigned short (*)[2])
|
||||
malloc(sizeof (unsigned short [2]));
|
||||
if (!ports)
|
||||
yyerror(_("Memory allocation error."));
|
||||
(*ports)[0] = MIN_PORT;
|
||||
(*ports)[1] = MAX_PORT;
|
||||
|
||||
$$ = ports;
|
||||
};
|
||||
ports: TOK_COLON TOK_NUM
|
||||
{
|
||||
unsigned short (*ports)[2];
|
||||
|
||||
PDEBUG("Matched a single port (%d)\n", $2);
|
||||
ports = (unsigned short (*)[2])
|
||||
malloc(sizeof (unsigned short [2]));
|
||||
if (($2 < MIN_PORT) || ($2 > MAX_PORT))
|
||||
yyerror(_("ports must be between %d and %d"),
|
||||
MIN_PORT, MAX_PORT);
|
||||
if (!ports)
|
||||
yyerror(_("Memory allocation error."));
|
||||
(*ports)[0] = $2;
|
||||
(*ports)[1] = $2;
|
||||
|
||||
$$ = ports;
|
||||
};
|
||||
ports: TOK_COLON TOK_NUM TOK_RANGE TOK_NUM
|
||||
{
|
||||
unsigned short (*ports)[2];
|
||||
|
||||
PDEBUG("Matched a port range (%d,%d)\n", $2, $4);
|
||||
ports = (unsigned short (*)[2])
|
||||
malloc(sizeof (unsigned short [2]));
|
||||
if (!ports)
|
||||
yyerror(_("Memory allocation error."));
|
||||
if (($2 < MIN_PORT) || ($4 > MAX_PORT)
|
||||
|| ($2 < MIN_PORT) || ($4 > MAX_PORT))
|
||||
yyerror(_("ports must be between %d and %d"),
|
||||
MIN_PORT, MAX_PORT);
|
||||
(*ports)[0] = $2;
|
||||
(*ports)[1] = $4;
|
||||
|
||||
if ((*ports)[0] > (*ports)[1])
|
||||
{
|
||||
unsigned short tmp;
|
||||
pwarn("expected first port number to be less than the second, swapping (%ld,%ld)\n",
|
||||
$2, $4);
|
||||
tmp = (*ports)[0];
|
||||
(*ports)[0] = (*ports)[1];
|
||||
(*ports)[1] = tmp;
|
||||
}
|
||||
|
||||
$$ = ports;
|
||||
};
|
||||
|
||||
change_profile: TOK_CHANGE_PROFILE TOK_ID TOK_END_OF_RULE
|
||||
{
|
||||
struct cod_entry *entry;
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_server_ok1.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain tcp accept simple parse test (from,via)
|
||||
#=EXRESULT PASS
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/tmp/tcp/tcp_server {
|
||||
tcp_accept from 127.0.0.1,
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_server_ok2.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain tcp accept from ip/cidr netmask/port range via
|
||||
#=EXRESULT PASS
|
||||
#=EXRESULT FAIL
|
||||
/tmp/tcp/tcp_server {
|
||||
tcp_accept from 10.0.0.17/16:50-100 via eth1,
|
||||
tcp_accept from 127.0.0.1,
|
||||
@@ -1,6 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_server_ok3.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain tcp accept from,to,via
|
||||
#=EXRESULT FAIL
|
||||
/tmp/tcp/tcp_server {
|
||||
tcp_accept from 10.0.0.17/16:50-100 to 127.0.0.1 via eth1,
|
||||
tcp_accept from 127.0.0.1,
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_server_ok4.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain accept from port 65535
|
||||
#=EXRESULT PASS
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/tmp/tcp/tcp_client {
|
||||
tcp_accept to 10.0.0.17/16:1024-65535 from 127.0.0.1 via eth1,
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_client_ok1.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain tcp connect simple parse test (to,via)
|
||||
#=EXRESULT PASS
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/tmp/tcp/tcp_client {
|
||||
tcp_connect to 127.0.0.1,
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_client_ok2.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain tcp connect to ip/cidr netmask/port range via
|
||||
#=EXRESULT PASS
|
||||
#=EXRESULT FAIL
|
||||
/tmp/tcp/tcp_client {
|
||||
tcp_connect to 10.0.0.17/16:50-100 via eth1,
|
||||
tcp_connect to 127.0.0.1,
|
||||
@@ -1,6 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_client_ok3.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain tcp connect to,from,via
|
||||
#=EXRESULT FAIL
|
||||
/tmp/tcp/tcp_client {
|
||||
tcp_connect to 10.0.0.17/16:50-100 from 127.0.0.1 via eth1,
|
||||
tcp_connect to 127.0.0.1,
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_client_ok4.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain tcp (accept,connect), udp (send,receive) conglomerate test
|
||||
#=EXRESULT PASS
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/tmp/tcp/tcp_client {
|
||||
tcp_connect to 10.0.0.17/16:50-100 from 0.0.0.0:50-100 via eth1,
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# $Id$
|
||||
# $Id: tcp_client_ok5.sd 66 2006-06-01 18:02:28Z steve-beattie $
|
||||
#=DESCRIPTION netdomain connect to port 65535
|
||||
#=EXRESULT PASS
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/tmp/tcp/tcp_client {
|
||||
tcp_connect to 10.0.0.17/16:1024-65535 from 127.0.0.1 via eth1,
|
||||
Reference in New Issue
Block a user