From 4eea3ae073d8740990534b33d587314f1c044402 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Mon, 20 Dec 2010 11:56:57 -0800
Subject: [PATCH] Make meaning of leading permissions consistent with trailing permissions x Permissions when specified as a the start of the rule had a differnt meaning than when they appeared at the tail of a rule. Specifically px,cx,ux were not treated as unsafe when they appeared at the start of the rule. px /foo, instead of at the tail of the rule /foo px, the keyword unsafe had to be used to force the rule to cause the x transitio to be its unsafe variant. Fix leading permissions so that they are consistent with file rules that use trailing permissions.
Signed-off-by: John Johansen
---
 parser/parser_yacc.y | 5 +++--
 .../xtrans/simple_bad_x_mods_first_34.sd | 16 ----------------
 .../tst/simple_tests/xtrans/simple_ok_pix_1.sd | 4 ++--
 3 files changed, 5 insertions(+), 20 deletions(-)
 delete mode 100644 parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 7f5191e7f..80f23781a 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -879,11 +879,12 @@ opt_unsafe: { /* nothing */ $$ = 0; }
 rule: opt_unsafe file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
 {
- int mode = $2 & ~ALL_AA_EXEC_UNSAFE;
+ int mode = $2;
 if ($1) {
 if (!($2 & AA_EXEC_BITS))
 yyerror(_("unsafe rule missing exec permissions"));
- mode |= (($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE;
+ mode = ($2 & ~ALL_AA_EXEC_UNSAFE) |
+ ((($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE);
 }
 if ($3 && ($2 & ~AA_LINK_BITS))
diff --git a/parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd b/parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd
deleted file mode 100644
index 2ab50b030..000000000
--- a/parser/tst/simple_tests/xtrans/simple_bad_x_mods_first_34.sd
+++ /dev/null
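Review bot: In the `rule:` action of parser/parser_yacc.y, `int mode = $2;` now keeps the unsafe exec bits for a leading `px`/`cx`/`ux`, so a profile written for the old grammar, where those leading forms needed the `unsafe` keyword, switches to the unsafe transition with no diagnostic and no comment in the code. A short comment above the declaration would record the rule, for example `/* leading perms carry the same safe/unsafe meaning as trailing perms (px unsafe, Px safe); the unsafe keyword forces the unsafe variant */`. A parser warning or release note for the behaviour change may also be worth adding, since it presumably decides whether the environment is scrubbed on exec for existing policies. The action's body continues past the end of the hunk.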
@@ -1,16 +0,0 @@
-#
-#=DESCRIPTION test pix - in forward perms P and p are the same and the
-# unsafe keyword is required. So these should conflict
-#=EXRESULT FAIL
-#
-/usr/bin/foo {
- /bin/cat pix,
- /bin/foo Pix,
- /bin/bar pIx,
- /bin/a PIx,
-
- pix /bin/cat,
- Pix /bin/foo,
- pIx /bin/bar,
- PIx /bin/a,
-}
diff --git a/parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd b/parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd
index 4a4b9aea2..c8e6ab133 100644
--- a/parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd
+++ b/parser/tst/simple_tests/xtrans/simple_ok_pix_1.sd
@@ -9,7 +9,7 @@
 /bin/a PIx,
 unsafe pix /bin/cat,
- pix /bin/foo,
+ Pix /bin/foo,
 unsafe pix /bin/bar,
- pix /bin/a,
+ Pix /bin/a,
 }
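Review bot: Nothing in the visible part of simple_ok_pix_1.sd exercises the new meaning of a bare leading lowercase permission: both changed lines switch to `Pix`, and the lowercase leading rules that remain still carry `unsafe`. A case such as `pix /bin/cat,` alongside a trailing `/bin/cat pix,` would pin that the two forms now agree. The deleted simple_bad_x_mods_first_34.sd pairs each trailing rule with the same leading spelling, so it could probably be kept as an expected-pass test instead of being dropped. Only lines 9-15 of this file are shown, so the trailing rules it contains are inferred from the deleted test.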