mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00
Code Issues Releases Wiki Activity

parser: convert audit from bool to enum

Browse Source 
Audit control support is going to be extended to support allowing
policy to which rules should quiet auditing. Update the frontend
internals to prepare for this.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen
2021-08-28 02:11:11 -07:00
parent 134e95f783
commit 7a318d99f2
22 changed files with 111 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
parser/af_unix.cc
View File

@@ -95,7 +95,7 @@ void unix_rule::move_peer_conditionals(struct cond_entry *conds)
}
}
unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied):
af_rule("unix"), addr(NULL), peer_addr(NULL)
{
if (type_p != 0xffffffff) {
@@ -105,7 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
yyerror("socket rule: invalid socket type '%d'", type_p);
}
perms = AA_VALID_NET_PERMS;
audit = audit_p;
audit.audit_mode = audit_p;
deny = denied;
}
@@ -195,7 +195,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
mask = 1 << sock_type_n;
if (!deny) {
prof.net.allow[AF_UNIX] |= mask;
if (audit)
if (audit.audit_mode == AUDIT_FORCE)
prof.net.audit[AF_UNIX] |= mask;
} else {
/* deny rules have to be dropped because the downgrade makes
@@ -336,7 +336,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_CREATE),
map_perms(audit ? AA_NET_CREATE : 0),
map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_CREATE : 0),
dfaflags))
goto fail;
mask &= ~AA_NET_CREATE;
@@ -361,7 +361,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_BIND),
map_perms(audit ? AA_NET_BIND : 0),
map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_BIND : 0),
dfaflags))
goto fail;
/* clear if auto, else generic need to generate addr below */
@@ -386,7 +386,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(mask & local_mask),
map_perms(audit ? mask & local_mask : 0),
map_perms(audit.audit_mode == AUDIT_FORCE ? mask & local_mask : 0),
dfaflags))
goto fail;
}
@@ -400,7 +400,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_LISTEN),
map_perms(audit ? AA_NET_LISTEN : 0),
map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_LISTEN : 0),
dfaflags))
goto fail;
}
@@ -413,7 +413,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_OPT),
map_perms(audit ? AA_NET_OPT : 0),
map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_OPT : 0),
dfaflags))
goto fail;
}
@@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof)
goto fail;
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit.audit_mode == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
goto fail;
}