diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index 04ffae9b2..f04089e8d 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -87,6 +87,7 @@ LT_EQUAL <=
 %x FLAGS_MODE
 %x ASSIGN_MODE
 %x RLIMIT_MODE
+%x CHANGE_PROFILE_MODE
 %%
@@ -237,6 +238,47 @@ LT_EQUAL <=
 }
 }
+{
+ {ARROW} {
+ PDEBUG("Matched a arrow\n");
+ yylval = (YYSTYPE) yytext;
+ return TOK_ARROW;
+ }
+
+ {ID}+ {
+ /* Ugh, this is a gross hack. I used to use
+ * {ID}+ to match all TOK_IDs, but that would
+ * also match TOK_MODE + TOK_END_OF_RULE
+ * without any spaces in between (because it's
+ * a longer match). So now, when I want to
+ * match any random string, I go into a
+ * seperate state. */
+ yylval = (YYSTYPE) processunquoted(yytext, yyleng);
+ PDEBUG("Found sub name: \"%s\"\n", yylval);
+ BEGIN(INITIAL);
+ return TOK_ID;
+ }
+ {QUOTED_ID} {
+ /* Ugh, this is a gross hack. I used to use
+ * {ID}+ to match all TOK_IDs, but that would
+ * also match TOK_MODE + TOK_END_OF_RULE
+ * without any spaces in between (because it's
+ * a longer match). So now, when I want to
+ * match any random string, I go into a
+ * seperate state. */
+ yylval = (YYSTYPE) processquoted(yytext, yyleng);
+ PDEBUG("Found sub name: \"%s\"\n", yylval);
+ BEGIN(INITIAL);
+ return TOK_ID;
+ }
+
+ {WS}+ { /* Ignoring whitespace */ }
+ [^\n] {
+ /* Something we didn't expect */
+ yyerror(_("Found unexpected character: '%s'"), yytext);
+ }
+}
+
 #.*\n { /* Comment - ignore */
 current_lineno++;
 PDEBUG("Line no++: %d\n", current_lineno);
@@ -377,6 +419,9 @@ LT_EQUAL <=
 case TOK_NETWORK:
 BEGIN(NETWORK_MODE);
 break;
+ case TOK_CHANGE_PROFILE:
+ BEGIN(CHANGE_PROFILE_MODE);
+ break;
 default: /* nothing */
 break;
 }
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 6aedff040..5c858eaf3 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
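Review bot: The new CHANGE_PROFILE_MODE rule group (second hunk) has no rule that consumes a newline: `[^\n]` deliberately excludes it and `{WS}+` presumably covers blanks only, so unless a `\n` rule scoped to all start conditions exists outside this hunk, a line break before the target name falls through to flex's default ECHO and `current_lineno` is not advanced. The group also appears here with a bare `{` and no visible start-condition prefix; that is probably a rendering artifact that dropped `<CHANGE_PROFILE_MODE>`, but it is worth confirming the rules are scoped, since unscoped rules would fire in INITIAL. The seven-line "gross hack" comment is pasted verbatim under both `{ID}+` and `{QUOTED_ID}`; keep it once above the group and replace the second copy with `/* quoted variant of the {ID}+ rule above */`. The transition into this state is in the third hunk (`BEGIN(CHANGE_PROFILE_MODE)`), and the enclosing switch starts outside it.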
@@ -487,6 +487,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry) if (!entry) /* shouldn't happen */ return TRUE; + ptype = convert_aaregex_to_pcre(entry->name, 0, tbuf, PATH_MAX + 3); if (ptype == ePatternInvalid) return FALSE;
@@ -513,7 +514,7 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 entry->mode & ~AA_LINK_BITS,
 entry->audit & ~AA_LINK_BITS))
 return FALSE;
- } else {
+ } else if (entry->mode & ~AA_CHANGE_PROFILE) {
 if (!aare_add_rule(dfarules, tbuf, entry->deny,
 entry->mode, entry->audit))
 return FALSE;
@@ -542,12 +543,14 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 if (entry->mode & AA_CHANGE_PROFILE) {
 if (entry->namespace) {
 char *vec[2];
- vec[0] = entry->namespace;
- vec[1] = entry->name;
+ char lbuf[PATH_MAX + 8];
+ ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8);
+ vec[0] = lbuf;
+ vec[1] = tbuf;
 if (!aare_add_rule_vec(dfarules, 0, AA_CHANGE_PROFILE, 0, 2, vec))
 return FALSE;
 } else {
- if (!aare_add_rule(dfarules, entry->name, 0, AA_CHANGE_PROFILE, 0))
+ if (!aare_add_rule(dfarules, tbuf, 0, AA_CHANGE_PROFILE, 0))
 return FALSE;
 }
 }
diff --git a/parser/tst/simple_tests/change_profile/ok_6.sd b/parser/tst/simple_tests/change_profile/ok_6.sd
new file mode 100644
index 000000000..ba4b569a9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+ change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/ok_7.sd b/parser/tst/simple_tests/change_profile/ok_7.sd
new file mode 100644
index 000000000..adadc1862
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ok_7.sd
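Review bot: In the namespace branch of the third parser_regex.c hunk, `ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8);` stores the result but never tests it, while the name conversion at the top of the function rejects `ePatternInvalid`; an invalid namespace pattern would still reach `aare_add_rule_vec` with whatever `lbuf` holds. Add `if (ptype == ePatternInvalid) return FALSE;` directly after the call. Passing `sizeof lbuf` rather than repeating the literal `PATH_MAX + 8` keeps the bound tied to the array, and a one-line comment on why the namespace buffer gets 8 bytes of slack where `tbuf` gets 3 would help, since neither figure is explained here. process_dfa_entry begins before the first hunk and ends after the third.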
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+ change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/ok_8.sd b/parser/tst/simple_tests/change_profile/ok_8.sd
new file mode 100644
index 000000000..64afeaba3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+ change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/re_ok_1.sd b/parser/tst/simple_tests/change_profile/re_ok_1.sd
new file mode 100644
index 000000000..047a5cc49
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+ change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+ change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+ change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+ change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/re_ok_2.sd b/parser/tst/simple_tests/change_profile/re_ok_2.sd
new file mode 100644
index 000000000..626fb2013
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+ change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+ change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+ change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+ change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+ change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+ change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+ change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+ change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+ change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+ change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+ change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+ change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+ change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+ change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+ change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/re_ok_3.sd b/parser/tst/simple_tests/change_profile/re_ok_3.sd
new file mode 100644
index 000000000..929cffa75
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+ change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+ change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+ change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+ change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+ change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+ change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+ change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+ change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+ change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+ change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+ change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+ change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+ change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+ change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+ change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/re_ok_4.sd b/parser/tst/simple_tests/change_profile/re_ok_4.sd
new file mode 100644
index 000000000..bc359f3b6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+ change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+ change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+ change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+ change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+ change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+ change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+ change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+ change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+ change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+ change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+ change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/re_ok_5.sd b/parser/tst/simple_tests/change_profile/re_ok_5.sd
new file mode 100644
index 000000000..a7b782b31
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+ change_profile -> *,
+}
+
+/usr/bin/foo2 {
+ change_profile -> **,
+}
+
+/usr/bin/foo3 {
+ change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+ change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+ change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/re_ok_6.sd b/parser/tst/simple_tests/change_profile/re_ok_6.sd
new file mode 100644
index 000000000..0da82922b
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+ change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+ change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+ change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+ change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+ change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+ change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+ change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+ change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+ change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+ change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+ change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+ change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+ change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+ change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+ change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/re_ok_7.sd b/parser/tst/simple_tests/change_profile/re_ok_7.sd
new file mode 100644
index 000000000..c45bc9155
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+ change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+ change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+ change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+ change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+ change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+ change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+ change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+ change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+ change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+ change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+ change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+ change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+ change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+ change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+ change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/re_ok_8.sd b/parser/tst/simple_tests/change_profile/re_ok_8.sd
new file mode 100644
index 000000000..fb1d0cb6a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+ change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+ change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+ change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+ change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+ change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+ change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+ change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+ change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+ change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+ change_profile -> "/bin/ ?ab",
+}
+