Patch by jjohansen@suse.de

Acked-By: Steve Beattie <sbeattie@suse.de> Add support for a distinction between write permission and append-only permission.
2025-08-30 22:05:27 +00:00 · 2007-07-27 20:31:38 +00:00
parent 2737f6bc97
commit 95d6ab1b1b
5 changed files with 18 additions and 4 deletions
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -28,7 +28,7 @@
 #define AA_MAY_EXEC			(1 << 0)
 #define AA_MAY_WRITE			(1 << 1)
 #define AA_MAY_READ			(1 << 2)
-/*#define AA_MAY_APPEND			(1 << 3)*/
+#define AA_MAY_APPEND			(1 << 3)
 #define AA_MAY_LINK			(1 << 4)
 #define AA_EXEC_INHERIT 		(1 << 5)
 #define AA_EXEC_UNCONSTRAINED		(1 << 6)
@@ -72,6 +72,7 @@ enum pattern_t {

 #define HAS_MAY_READ(mode)		((mode) & AA_MAY_READ)
 #define HAS_MAY_WRITE(mode)		((mode) & AA_MAY_WRITE)
+#define HAS_MAY_APPEND(mode)		((mode) & AA_MAY_APPEND)
 #define HAS_MAY_LINK(mode)		((mode) & AA_MAY_LINK)
 #define HAS_MAY_EXEC(mode)		((mode) & AA_MAY_EXEC)
 #define HAS_EXEC_INHERIT(mode)		((mode) & AA_EXEC_INHERIT)
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@@ -1494,7 +1494,7 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
 }

 #define ACCUMULATING_FLAGS \
-	(AA_MAY_READ | AA_MAY_WRITE | AA_MAY_EXEC | \
+	(AA_MAY_READ | AA_MAY_WRITE | AA_MAY_APPEND | AA_MAY_EXEC | \
 	 AA_MAY_LINK | AA_EXEC_MMAP | AA_CHANGE_PROFILE)

 /**
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -122,6 +122,7 @@ struct var_string {

 #define COD_READ_CHAR 		'r'
 #define COD_WRITE_CHAR 		'w'
+#define COD_APPEND_CHAR		'a'
 #define COD_EXEC_CHAR 		'x'
 #define COD_INHERIT_CHAR 	'i'
 #define COD_LINK_CHAR 		'l'
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -53,7 +53,7 @@ COLON		:
 END_OF_RULE	[,]
 SEPERATOR 	{UP}
 RANGE		-
-MODES 		[RrWwXxIiLlUuPpMm]
+MODES 		[RrWwaXxIiLlUuPpMm]
 WS		[[:blank:]]
 NUMBER		[[:digit:]]+
 ID 		[^ \t\n"!,]|(,[^ \t\n"!])
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -455,7 +455,16 @@ reeval:

 		case COD_WRITE_CHAR:
 			PDEBUG("Parsing mode: found WRITE\n");
-			mode |= AA_MAY_WRITE;
+			if ((mode & AA_MAY_APPEND) && !(mode & AA_MAY_WRITE))
+				yyerror(_("Conflict 'a' and 'w' perms are mutually exclusive."));
+			mode |= AA_MAY_WRITE | AA_MAY_APPEND;
+			break;
+
+		case COD_APPEND_CHAR:
+			PDEBUG("Parsing mode: found APPEND\n");
+			if (mode & AA_MAY_WRITE)
+				yyerror(_("Conflict 'a' and 'w' perms are mutually exclusive."));
+			mode |= AA_MAY_APPEND;
 			break;

 		case COD_LINK_CHAR:
@@ -539,6 +548,7 @@ reeval:
 			switch (lower) {
 			case COD_READ_CHAR:
 			case COD_WRITE_CHAR:
+			case COD_APPEND_CHAR:
 			case COD_LINK_CHAR:
 			case COD_INHERIT_CHAR:
 			case COD_MMAP_CHAR:
@@ -720,6 +730,8 @@ void debug_cod_entries(struct cod_entry *list)
 			printf("%c", COD_READ_CHAR);
 		if (HAS_MAY_WRITE(item->mode))
 			printf("%c", COD_WRITE_CHAR);
+		if (HAS_MAY_APPEND(item->mode))
+			printf("%c", COD_APPEND_CHAR);
 		if (HAS_MAY_LINK(item->mode))
 			printf("%c", COD_LINK_CHAR);
 		if (HAS_EXEC_INHERIT(item->mode))