pass prompt info down into the backend for mapping

mapping for PROMPT_DEV needs to know that we should prompt

parser/libapparmor_re/aare_rules.cc

@@ -199,8 +199,8 @@ bool aare_rules::append_rule(const char *rule, bool oob, bool with_perm,
  */
 CHFA *aare_rules::create_chfa(int *min_match_len,
 			      vector <aa_perms> &perms_table,
-			      optflags const &opts,
+			      optflags const &opts, bool filedfa,
-			      bool filedfa, bool extended_perms)
+			      bool extended_perms, bool prompt)
 {
 	/* finish constructing the expr tree from the different permission
 	 * set nodes */
@@ -310,9 +310,9 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 		//cerr << "Checking extended perms " << extended_perms << "\n";
 		if (extended_perms) {
 			//cerr << "creating permstable\n";
-			dfa.compute_perms_table(perms_table);
+		  dfa.compute_perms_table(perms_table, prompt);
 		}
-		chfa = new CHFA(dfa, eq, opts, extended_perms);
+		chfa = new CHFA(dfa, eq, opts, extended_perms, prompt);
 		if (opts.dump & DUMP_DFA_TRANS_TABLE)
 			chfa->dump(cerr);
 	}
@@ -331,14 +331,15 @@ CHFA *aare_rules::create_chfa(int *min_match_len,
 void *aare_rules::create_dfablob(size_t *size, int *min_match_len,
 				 vector <aa_perms> &perms_table,
 				 optflags const &opts, bool filedfa,
-				 bool extended_perms)
+				 bool extended_perms, bool prompt)
 {
 	char *buffer = NULL;
 	stringstream stream;
 
 	try {
 		CHFA *chfa = create_chfa(min_match_len, perms_table,
-					 opts, filedfa, extended_perms);
+					 opts, filedfa, extended_perms,
+					 prompt);
 		if (!chfa) {
 			*size = 0;
 			return NULL;
@@ -375,7 +376,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
 					size_t *new_start,
 					vector <aa_perms> &perms_table,
 					optflags const &opts,
-					bool extended_perms)
+					bool extended_perms, bool prompt)
 {
 	int file_min_len;
 	vector <aa_perms> file_perms;
@@ -383,7 +384,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
 	try {
 		file_chfa = file_rules->create_chfa(&file_min_len,
 						    file_perms, opts,
-						    true, extended_perms);
+						    true, extended_perms, prompt);
 		if (!file_chfa) {
 			*size = 0;
 			return NULL;
@@ -398,7 +399,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
 	try {
 		policy_chfa = create_chfa(min_match_len,
 					  perms_table, opts,
-					  false, extended_perms);
+					  false, extended_perms, prompt);
 		if (!policy_chfa) {
 			delete file_chfa;
 			*size = 0;
@@ -414,7 +415,7 @@ void *aare_rules::create_welded_dfablob(aare_rules *file_rules,
 	stringstream stream;
 	try {
 		policy_chfa->weld_file_to_policy(*file_chfa, *new_start,
-						 extended_perms,
+						 extended_perms, prompt,
 						 perms_table, file_perms);
 		policy_chfa->flex_table(stream);
 	}

parser/libapparmor_re/aare_rules.h

@@ -118,17 +118,17 @@ class aare_rules {
 	CHFA *create_chfa(int *min_match_len,
 			  vector <aa_perms> &perms_table,
 			  optflags const &opts, bool filedfa,
-			  bool extended_perms);
+			  bool extended_perms, bool prompt);
 	void *create_dfablob(size_t *size, int *min_match_len,
 			 vector <aa_perms> &perms_table,
 			 optflags const &opts,
-			 bool filedfa, bool extended_perms);
+			 bool filedfa, bool extended_perms, bool prompt);
 	void *create_welded_dfablob(aare_rules *file_rules,
 				    size_t *size, int *min_match_len,
 				    size_t *new_start,
 				    vector <aa_perms> &perms_table,
 				    optflags const &opts,
-				    bool extended_perms);
+				    bool extended_perms, bool prompt);
 };
 
 #endif				/* __LIBAA_RE_RULES_H */

parser/libapparmor_re/chfa.cc

@@ -55,7 +55,7 @@ void CHFA::init_free_list(vector<pair<size_t, size_t> > &free_list,
  *       permtable index flag
  */
 CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
-	   bool permindex): eq(eq)
+	   bool permindex, bool prompt): eq(eq)
 {
 	if (opts.dump & DUMP_DFA_TRANS_PROGRESS)
 		fprintf(stderr, "Compressing HFA:\r");
@@ -110,11 +110,16 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
 		accept[0] = dfa.nonmatching->idx;
 		accept[1] = dfa.start->idx;
 	} else {
+		uint32_t accept3;
 		accept2.resize(max(dfa.states.size(), (size_t) 2));
 		dfa.nonmatching->map_perms_to_accept(accept[0],
-						     accept2[0]);
+						     accept2[0],
+						     accept3,
+						     prompt);
 		dfa.start->map_perms_to_accept(accept[1],
-					       accept2[1]);
+					       accept2[1],
+					       accept3,
+					       prompt);
 	}
 	next_check.resize(max(optimal, (size_t) dfa.max_range));
 	free_list.resize(next_check.size());
@@ -131,12 +136,15 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
 	if (!(opts.control & CONTROL_DFA_TRANS_HIGH)) {
 		for (Partition::iterator i = dfa.states.begin(); i != dfa.states.end(); i++) {
 			if (*i != dfa.nonmatching && *i != dfa.start) {
+				uint32_t accept3;
 				insert_state(free_list, *i, dfa);
 				if (permindex)
 					accept[num.size()] = (*i)->idx;
 				else
 					(*i)->map_perms_to_accept(accept[num.size()],
-								  accept2[num.size()]);
+								  accept2[num.size()],
+								  accept3,
+								  prompt);
 				num.insert(make_pair(*i, num.size()));
 			}
 			if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) {
@@ -151,12 +159,15 @@ CHFA::CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
 		     i != order.end(); i++) {
 			if (i->second != dfa.nonmatching &&
 			    i->second != dfa.start) {
+				uint32_t accept3;
 				insert_state(free_list, i->second, dfa);
 				if (permindex)
 					accept[num.size()] = i->second->idx;
 				else
 					i->second->map_perms_to_accept(accept[num.size()],
-								       accept2[num.size()]);
+								       accept2[num.size()],
+								       accept3,
+								       prompt);
 				num.insert(make_pair(i->second, num.size()));
 			}
 			if (opts.dump & (DUMP_DFA_TRANS_PROGRESS)) {
@@ -484,7 +495,7 @@ void CHFA::flex_table(ostream &os)
 
  */
 void CHFA::weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
-			       bool accept_idx,
+			       bool accept_idx, bool prompt,
 			       vector <aa_perms>  &policy_perms,
 			       vector <aa_perms> &file_perms)
 {

parser/libapparmor_re/chfa.h

@@ -40,8 +40,7 @@ class CHFA {
       public:
 	CHFA(void);
 	CHFA(DFA &dfa, map<transchar, transchar> &eq, optflags const &opts,
-	     bool permindex);
+	     bool permindex, bool prompt);
-
 	void dump(ostream & os);
 	void flex_table(ostream &os);
 	void init_free_list(vector<pair<size_t, size_t> > &free_list,
@@ -51,7 +50,7 @@ class CHFA {
 	void insert_state(vector<pair<size_t, size_t> > &free_list,
 			  State *state, DFA &dfa);
 	void weld_file_to_policy(CHFA &file_chfa, size_t &new_start,
-				 bool accept_idx,
+				 bool accept_idx, bool prompt,
 				 vector <aa_perms>  &policy_perms,
 				 vector <aa_perms> &file_perms);
 

parser/libapparmor_re/hfa.cc

@@ -1308,12 +1308,13 @@ void DFA::apply_equivalence_classes(map<transchar, transchar> &eq)
 }
 
 void DFA::compute_perms_table_ent(State *state, size_t pos,
-				  vector <aa_perms> &perms_table)
+				  vector <aa_perms> &perms_table,
+				  bool prompt)
 {
 	uint32_t accept1, accept2, accept3;
 
 	// until front end doesn't map the way it does
-	state->map_perms_to_accept(accept1, accept2, accept3);
+	state->map_perms_to_accept(accept1, accept2, accept3, prompt);
 	if (filedfa) {
 		state->idx = pos * 2;
 		perms_table[pos*2] = compute_fperms_user(accept1, accept2, accept3);
@@ -1324,7 +1325,7 @@ void DFA::compute_perms_table_ent(State *state, size_t pos,
 	}
 }
 
-void DFA::compute_perms_table(vector <aa_perms> &perms_table)
+void DFA::compute_perms_table(vector <aa_perms> &perms_table, bool prompt)
 {
 	size_t mult = filedfa ? 2 : 1;
 	size_t pos = 2;
@@ -1334,13 +1335,13 @@ void DFA::compute_perms_table(vector <aa_perms> &perms_table)
 
 	// nonmatching and start need to be 0 and 1 so handle outside of loop
 	if (filedfa)
-		compute_perms_table_ent(nonmatching, 0, perms_table);
+	  compute_perms_table_ent(nonmatching, 0, perms_table, prompt);
-	compute_perms_table_ent(start, 1, perms_table);
+	compute_perms_table_ent(start, 1, perms_table, prompt);
 
 	for (Partition::iterator i = states.begin(); i != states.end(); i++) {
 		if (*i == nonmatching || *i == start)
 			continue;
-		compute_perms_table_ent(*i, pos, perms_table);
+		compute_perms_table_ent(*i, pos, perms_table, prompt);
 		pos++;
 	}
 }

parser/libapparmor_re/hfa.h

@@ -34,6 +34,8 @@
 
 #include "expr-tree.h"
 #include "policy_compat.h"
+#include "../rule.h"
+extern int prompt_compat_mode;
 
 #define DiffEncodeFlag 1
 
@@ -258,9 +260,13 @@ public:
 	void flatten_relative(State *, int upper_bound);
 
 	int apply_and_clear_deny(void) { return perms.apply_and_clear_deny(); }
-	void map_perms_to_accept(uint32_t &accept1, uint32_t &accept2, uint32_t &accept3)
+	void map_perms_to_accept(uint32_t &accept1, uint32_t &accept2,
+				 uint32_t &accept3, bool prompt)
 	{
 		accept1 = perms.allow;
+		if (prompt && prompt_compat_mode == PROMPT_COMPAT_DEV)
+		  accept2 = PACK_AUDIT_CTL(perms.prompt, perms.quiet & perms.deny);
+		else
 		accept2 = PACK_AUDIT_CTL(perms.audit, perms.quiet & perms.deny);
 		accept3 = perms.prompt;
 	}
@@ -358,8 +364,10 @@ public:
 	void apply_equivalence_classes(map<transchar, transchar> &eq);
 
 	void compute_perms_table_ent(State *state, size_t pos,
-				     vector <aa_perms> &perms_table);
+				     vector <aa_perms> &perms_table,
-	void compute_perms_table(vector <aa_perms> &perms_table);
+				     bool prompt);
+	void compute_perms_table(vector <aa_perms> &perms_table,
+				 bool prompt);
 
 	unsigned int diffcount;
 	int oob_range;

parser/parser.h

@@ -324,10 +324,6 @@ do {								\
 /* The parser fills this variable in automatically */
 #define PROFILE_NAME_VARIABLE "profile_name"
 
-#define PROMPT_COMPAT_IGNORE  0
-#define PROMPT_COMPAT_PERMSV2 1
-#define PROMPT_COMPAT_DEV 2
-#define PROMPT_COMPAT_PERMSV1 3
 
 /* from parser_common.c */
 extern uint32_t policy_version;

parser/parser_regex.c

@@ -578,7 +578,7 @@ build:
 		 *
 		 * we don't need to build xmatch for permstable32, so don't
 		 */
-		prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, kernel_supports_permstable32 && !kernel_supports_permstable32_v1);
+		prof->xmatch = rules->create_dfablob(&prof->xmatch_size, &prof->xmatch_len, prof->xmatch_perms_table, parseopts, false, false, false);
 		delete rules;
 		if (!prof->xmatch)
 			return FALSE;
@@ -785,7 +785,8 @@ int process_profile_regex(Profile *prof)
 		prof->dfa.dfa = prof->dfa.rules->create_dfablob(&prof->dfa.size,
 					&xmatch_len, prof->dfa.perms_table,
 					parseopts, true,
-					 prof->uses_prompt_rules && kernel_supports_permstable32);
+					prof->uses_prompt_rules && kernel_supports_permstable32,
+					prof->uses_prompt_rules);
 		delete prof->dfa.rules;
 		prof->dfa.rules = NULL;
 		if (!prof->dfa.dfa)
@@ -1149,7 +1150,8 @@ int process_profile_policydb(Profile *prof)
 					&xmatch_len,
 					&prof->policy.file_start,
 					prof->policy.perms_table, parseopts,
-					kernel_supports_permstable32_v1);
+					kernel_supports_permstable32_v1,
+					prof->uses_prompt_rules);
 		delete prof->policy.rules;
 		delete prof->dfa.rules;
 		prof->policy.rules = NULL;
@@ -1165,7 +1167,8 @@ int process_profile_policydb(Profile *prof)
 						&xmatch_len,
 						prof->policy.perms_table,
 						parseopts, false,
-						prof->uses_prompt_rules && kernel_supports_permstable32);
+						prof->uses_prompt_rules && kernel_supports_permstable32,
+						prof->uses_prompt_rules);
 		delete prof->policy.rules;
 
 		prof->policy.rules = NULL;

parser/rule.h

@@ -27,6 +27,12 @@
 
 using namespace std;
 
+#define PROMPT_COMPAT_IGNORE  0
+#define PROMPT_COMPAT_PERMSV2 1
+#define PROMPT_COMPAT_DEV 2
+#define PROMPT_COMPAT_PERMSV1 3
+
+
 class Profile;
 
 #define RULE_NOT_SUPPORTED 0