diff --git a/parser/dbus.h b/parser/dbus.h
index 852755687..9d978d97d 100644
--- a/parser/dbus.h
+++ b/parser/dbus.h
@@ -51,7 +51,7 @@ public:
 free(member);
 };
 virtual bool valid_prefix(const prefixes &p, const char *&error) {
- if (p.owner) {
+ if (p.owner != OWNER_UNSPECIFIED) {
 error = "owner prefix not allowed on dbus rules";
 return false;
 }
diff --git a/parser/mount.h b/parser/mount.h
index 8767a404e..e6bdd01b5 100644
--- a/parser/mount.h
+++ b/parser/mount.h
@@ -163,7 +163,7 @@ public:
 }
 
 virtual bool valid_prefix(const prefixes &p, const char *&error) {
- if (p.owner) {
+ if (p.owner != OWNER_UNSPECIFIED) {
 error = "owner prefix not allowed on mount rules";
 return false;
 }
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index c957bd5e1..e4fd875e2 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -222,6 +222,7 @@ static void abi_features(char *filename, bool search);
 struct cond_entry *cond_entry;
 struct cond_entry_list cond_entry_list;
 int boolean;
+ owner_t owner;
 struct prefixes prefix;
 IncludeCache_t *includecache;
 audit_t audit;
@@ -266,7 +267,7 @@ static void abi_features(char *filename, bool search);
 %type opt_id_or_var
 %type opt_subset_flag
 %type opt_audit_flag
-%type opt_owner_flag
+%type opt_owner_flag
 %type opt_profile_flag
 %type opt_flags
 %type opt_rule_mode
@@ -626,9 +627,9 @@ opt_subset_flag: { /* nothing */ $$ = false; }
 opt_audit_flag: { /* nothing */ $$ = AUDIT_UNSPECIFIED; }
 | TOK_AUDIT { $$ = AUDIT_FORCE; };
 
-opt_owner_flag: { /* nothing */ $$ = 0; }
- | TOK_OWNER { $$ = 1; };
- | TOK_OTHER { $$ = 2; };
+opt_owner_flag: { /* nothing */ $$ = OWNER_UNSPECIFIED; }
+ | TOK_OWNER { $$ = OWNER_SPECIFIED; };
+ | TOK_OTHER { $$ = OWNER_NOT; };
 
 opt_rule_mode: { /* nothing */ $$ = RULE_UNSPECIFIED; }
 | TOK_ALLOW { $$ = RULE_ALLOW; }
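Review bot: The rejection message on the context line right after the new check still says "owner prefix", while the parser_yacc.y hunks in this same commit (change_profile and capability) reword the user-facing text to "owner conditional"; the mount.h, ptrace.h and signal.h hunks have the same split. Now that `!owner` also parses (OWNER_NOT) and is rejected by this `!= OWNER_UNSPECIFIED` test, the message should use one term: either `error = "owner conditional not allowed on dbus rules";` here and in the three sibling headers, or keep "prefix" in the yacc hunks too, since prefixes::dump() and the "conflicting owner prefix" error in rule.h still call it a prefix. The rest of valid_prefix continues below the hunk in each of these files.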
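Review bot: In the opt_owner_flag hunk `TOK_OTHER` now yields `OWNER_NOT`, but nothing on the grammar side records which source spelling that token stands for; prefixes::dump() in the rule.h hunk prints OWNER_NOT as `!owner`, which suggests TOK_OTHER is the negated-owner form, so confirm against the lexer and note it beside the action, e.g. `| TOK_OTHER { $$ = OWNER_NOT; }; /* the "!owner" form, see prefixes::dump() */`. Replacing the bare 0/1/2 with enumerators also means the `%type` line changed in the 266 hunk must reference the `owner_t owner` union member added at line 222; the type tag is not legible on this page, so that pairing is unverified here.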
@@ -680,7 +681,7 @@ rules: rules opt_prefix block
 $2.audit == AUDIT_FORCE ? "audit " : "",
 $2.rule_mode == RULE_DENY ? "deny " : "",
 $2.rule_mode == RULE_PROMPT ? "prompt " : "",
- $2.owner ? "owner " : "");
+ $2.owner == OWNER_SPECIFIED ? "owner " : "");
 list_for_each_safe($3->entries, entry, tmp) {
 const char *error;
 entry->next = NULL;
@@ -746,8 +747,8 @@ rules: rules opt_prefix change_profile
 PDEBUG("rules change_profile: (%s)\n", $3->name);
 if (!$3)
 yyerror(_("Assert: `change_profile' returned NULL."));
- if ($2.owner)
- yyerror(_("owner prefix not allowed on unix rules"));
+ if ($2.owner != OWNER_UNSPECIFIED)
+ yyerror(_("owner conditional not allowed on unix rules"));
 if (($2.rule_mode == RULE_DENY) && $2.audit == AUDIT_FORCE) {
 $3->rule_mode = RULE_DENY;
 } else if ($2.rule_mode == RULE_DENY) {
@@ -762,8 +763,8 @@ rules: rules opt_prefix change_profile
 
 rules: rules opt_prefix capability
 {
- if ($2.owner)
- yyerror(_("owner prefix not allowed on capability rules"));
+ if ($2.owner != OWNER_UNSPECIFIED)
+ yyerror(_("owner conditional not allowed on capability rules"));
 
 if ($2.rule_mode == RULE_DENY && $2.audit == AUDIT_FORCE) {
 $1->caps.deny |= $3;
@@ -1809,4 +1810,3 @@ static void abi_features(char *filename, bool search)
 }
 };
 
-
diff --git a/parser/ptrace.h b/parser/ptrace.h
index bbe7b8638..3b76507d5 100644
--- a/parser/ptrace.h
+++ b/parser/ptrace.h
@@ -45,7 +45,7 @@ public:
 virtual int gen_policy_re(Profile &prof);
 
 virtual bool valid_prefix(const prefixes &p, const char *&error) {
- if (p.owner) {
+ if (p.owner != OWNER_UNSPECIFIED) {
 error = "owner prefix not allowed on ptrace rules";
 return false;
 }
diff --git a/parser/rule.h b/parser/rule.h
index 1def6b418..1192b270a 100644
--- a/parser/rule.h
+++ b/parser/rule.h
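Review bot: The new ternary in the block-rule hunk prints "owner " only for OWNER_SPECIFIED, so a `!owner` prefix (OWNER_NOT) now leaves this trace silent about the owner conditional, whereas the old `$2.owner ? …` at least showed that some owner flag was set and prefixes::dump() in rule.h renders the value as "!owner". Suggest `$2.owner == OWNER_SPECIFIED ? "owner " : $2.owner == OWNER_NOT ? "!owner " : "");` so the two debug renderings agree. The call this argument belongs to starts above the hunk.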
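Review bot: The rewritten message `"owner conditional not allowed on unix rules"` in the 746 hunk is emitted from the change_profile action (the PDEBUG context line says "rules change_profile" and the hunk header is `rules: rules opt_prefix change_profile`), so the user is told the wrong rule type; the commit edits this exact line yet keeps the mismatch. Suggest `yyerror(_("owner conditional not allowed on change_profile rules"));`. Separately, the visible context reads `$3->name` in PDEBUG before the `if (!$3)` check, so when PDEBUG is compiled in the NULL assert below can never be reached for a NULL `$3` — pre-existing and not introduced here, but worth fixing while the action is being touched. The action body continues below the hunk.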
@@ -162,6 +162,8 @@ typedef std::list RuleList;
 /* Not classes so they can be used in the bison front end */
 typedef enum { AUDIT_UNSPECIFIED, AUDIT_FORCE, AUDIT_QUIET } audit_t;
 typedef enum { RULE_UNSPECIFIED, RULE_ALLOW, RULE_DENY, RULE_PROMPT } rule_mode_t;
+typedef enum { OWNER_UNSPECIFIED, OWNER_SPECIFIED, OWNER_NOT } owner_t;
+
 
 /* NOTE: we can not have a constructor for class prefixes. This is
 * because it will break bison, and we would need to transition to
@@ -173,7 +175,7 @@ class prefixes {
 public:
 audit_t audit;
 rule_mode_t rule_mode;
- int owner;
+ owner_t owner;
 
 ostream &dump(ostream &os)
 {
@@ -216,11 +218,21 @@ public:
 break;
 }
 
- if (owner) {
+ switch (owner) {
+ case OWNER_SPECIFIED:
 if (output)
 os << " ";
 os << "owner";
 output = true;
+ break;
+ case OWNER_NOT:
+ if (output)
+ os << " ";
+ os << "!owner";
+ output = true;
+ break;
+ default:
+ break;
 }
 
 if (output)
@@ -238,9 +250,9 @@ public:
 return -1;
 if ((uint) rule_mode > (uint) rhs.rule_mode)
 return 1;
- if (owner < rhs.owner)
+ if ((uint) owner < (uint) rhs.owner)
 return -1;
- if (owner > rhs.owner)
+ if ((uint) owner > (uint) rhs.owner)
 return 1;
 return 0;
 }
@@ -250,7 +262,7 @@ public:
 return true;
 if ((uint) rule_mode < (uint) rhs.rule_mode)
 return true;
- if (owner < rhs.owner)
+ if ((uint) owner < (uint) rhs.owner)
 return true;
 return false;
 }
@@ -263,7 +275,7 @@ public:
 /* Must construct prefix here see note on prefixes */
 audit = AUDIT_UNSPECIFIED;
 rule_mode = RULE_UNSPECIFIED;
- owner = 0;
+ owner = OWNER_UNSPECIFIED;
 };
 
 virtual bool valid_prefix(const prefixes &p, const char *&error) = 0;
@@ -293,13 +305,15 @@ public:
 
 /* owner !owner conflicts */
 if (p.owner) {
- if (owner && owner != p.owner) {
+ if (owner != OWNER_UNSPECIFIED &&
+ owner != p.owner) {
 error = "conflicting owner prefix";
 return false;
 }
 owner = p.owner;
 }
 
+ /* TODO: MOVE this ! */
 /* does the prefix imply a modifier */
 if (p.rule_mode == RULE_DENY && p.audit == AUDIT_FORCE) {
 rule_mode = RULE_DENY;
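Review bot: The new `owner_t` typedef carries no comment saying what its enumerators mean or that their declaration order is significant, yet the compare hunks further down (old lines 238 and 250) cast `owner` to uint and order rules by enumerator value, and prefixes::dump() renders OWNER_SPECIFIED as `owner` and OWNER_NOT as `!owner`. A one-line comment above the typedef would spare the next reader the hunt, e.g. `/* owner conditional on a rule: none, "owner", or "!owner"; cmp() orders by enumerator value, so keep this order */`. The sibling audit_t and rule_mode_t lines are equally undocumented, but this commit only adds the third.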
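Review bot: In the 293 hunk `if (p.owner) {` on the context line directly above the change is still a truthiness test on the enum — the one site this commit leaves untouched; it only works because OWNER_UNSPECIFIED happens to be the zero enumerator, and every other site in the commit spells the test `!= OWNER_UNSPECIFIED`. Suggest `if (p.owner != OWNER_UNSPECIFIED) {` so the check does not silently depend on enumerator order. The added `/* TODO: MOVE this ! */` names neither what should move nor where; either state the intent (what is being moved and why it does not belong in the prefix-merge path) or drop it before merge. The enclosing function starts and ends outside the hunk.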
diff --git a/parser/signal.h b/parser/signal.h
index d3295a4a9..a670eb2c3 100644
--- a/parser/signal.h
+++ b/parser/signal.h
@@ -47,7 +47,7 @@ public:
 free(peer_label);
 };
 virtual bool valid_prefix(const prefixes &p, const char *&error) {
- if (p.owner) {
+ if (p.owner != OWNER_UNSPECIFIED) {
 error = "owner prefix not allowed on signal rules";
 return false;
 }