From 97dbaa02cb843eb36a4272998b539c1aac266a2b Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 29 Nov 2007 18:06:53 +0000 Subject: [PATCH] change from U:G:O syntax to owner syntax and remove group permission --- parser/immunix.h | 15 ++------- parser/libapparmor_re/regexp.y | 16 +++------- parser/parser_lex.l | 2 +- parser/parser_misc.c | 56 ++++------------------------------ parser/parser_regex.c | 3 -- parser/parser_yacc.y | 53 ++++++++++++++++++++++++++++++++ 6 files changed, 66 insertions(+), 79 deletions(-) diff --git a/parser/immunix.h b/parser/immunix.h index ffb35232f..3a7f29bca 100644 --- a/parser/immunix.h +++ b/parser/immunix.h @@ -42,15 +42,12 @@ AA_EXEC_MMAP | AA_EXEC_UNSAFE | \ AA_EXEC_MOD_0 | AA_EXEC_MOD_1) #define AA_USER_SHIFT 0 -#define AA_GROUP_SHIFT 10 -#define AA_OTHER_SHIFT 20 +#define AA_OTHER_SHIFT 10 #define AA_USER_PERMS (AA_BASE_PERMS << AA_USER_SHIFT) -#define AA_GROUP_PERMS (AA_BASE_PERMS << AA_GROUP_SHIFT) #define AA_OTHER_PERMS (AA_BASE_PERMS << AA_OTHER_SHIFT) -#define AA_FILE_PERMS (AA_USER_PERMS | AA_GROUP_PERMS | \ - AA_OTHER_PERMS) +#define AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS ) #define AA_CHANGE_PROFILE (1 << 30) #define AA_ERROR_BIT (1 << 31) @@ -69,19 +66,15 @@ #define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_PROFILE) #define AA_EXEC_BITS ((AA_MAY_EXEC << AA_USER_SHIFT) | \ - (AA_MAY_EXEC << AA_GROUP_SHIFT) | \ (AA_MAY_EXEC << AA_OTHER_SHIFT)) #define ALL_AA_EXEC_UNSAFE ((AA_EXEC_UNSAFE << AA_USER_SHIFT) | \ - (AA_EXEC_UNSAFE << AA_GROUP_SHIFT) | \ (AA_EXEC_UNSAFE << AA_OTHER_SHIFT)) #define AA_USER_EXEC_TYPE (AA_EXEC_TYPE << AA_USER_SHIFT) -#define AA_GROUP_EXEC_TYPE (AA_EXEC_TYPE << AA_GROUP_SHIFT) #define AA_OTHER_EXEC_TYPE (AA_EXEC_TYPE << AA_OTHER_SHIFT) #define AA_LINK_BITS ((AA_MAY_LINK << AA_USER_SHIFT) | \ - (AA_MAY_LINK << AA_GROUP_SHIFT) | \ (AA_MAY_LINK << AA_OTHER_SHIFT)) #define SHIFT_MODE(MODE, SHIFT) ((((MODE) & AA_BASE_PERMS) << (SHIFT))\ 
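Review bot: The new `#define AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS )` carries a stray space before its closing parenthesis; `#define AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS)` matches the neighbouring macros. Since the shift constants now describe a two-slot layout instead of user/group/other, a comment above `AA_USER_SHIFT` such as `/* file perms: owner (user) slot at bits 0-9, other slot at bits 10-19, each AA_BASE_PERMS wide */` would spare the next reader the arithmetic (the slot width is inferred from the shift values, so confirm it against AA_BASE_PERMS). Note that the bits where group permissions used to live now fall outside `AA_FILE_PERMS` and hence `AA_VALID_PERMS`, so anything still producing them is rejected by the `mode & ~AA_VALID_PERMS` check in parse_mode rather than silently accepted, which is the right direction; any consumer of the compiled bitmask outside this parser presumably has to move in lockstep.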
@@ -92,7 +85,6 @@ #define AA_LINK_SUBSET_TEST (AA_MAY_LINK << 1) #define LINK_SUBSET_BITS ((AA_LINK_SUBSET_TEST << AA_USER_SHIFT) | \ - (AA_LINK_SUBSET_TEST << AA_GROUP_SHIFT) | \ (AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT)) #define LINK_TO_LINK_SUBSET(X) (((X) << 1) & AA_LINK_SUBSET_TEST) @@ -136,9 +128,6 @@ static inline int is_merged_x_consistent(int a, int b) if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) && ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE))) return 0; - if ((a & AA_GROUP_EXEC_TYPE) && (b & AA_GROUP_EXEC_TYPE) && - ((a & AA_GROUP_EXEC_TYPE) != (b & AA_GROUP_EXEC_TYPE))) - return 0; if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) && ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE))) return 0; diff --git a/parser/libapparmor_re/regexp.y b/parser/libapparmor_re/regexp.y index cf79327e0..bc6ed3199 100644 --- a/parser/libapparmor_re/regexp.y +++ b/parser/libapparmor_re/regexp.y @@ -1524,16 +1524,12 @@ uint32_t accept_perms(State *state) } perms |= exact_match_perms & - ~(AA_USER_EXEC_TYPE | AA_GROUP_EXEC_TYPE | AA_OTHER_EXEC_TYPE); + ~(AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE); if (exact_match_perms & AA_USER_EXEC_TYPE) perms = (exact_match_perms & AA_USER_EXEC_TYPE) | (perms & ~AA_USER_EXEC_TYPE); - if (exact_match_perms & AA_GROUP_EXEC_TYPE) - perms = (exact_match_perms & AA_GROUP_EXEC_TYPE) | - (perms & ~AA_GROUP_EXEC_TYPE); - if (exact_match_perms & AA_OTHER_EXEC_TYPE) perms = (exact_match_perms & AA_OTHER_EXEC_TYPE) | (perms & ~AA_OTHER_EXEC_TYPE); @@ -1552,8 +1548,8 @@ uint32_t accept_perms(State *state) extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, uint32_t perms) { static MatchFlag *match_flags[sizeof(perms) * 8 - 1]; - static MatchFlag *exec_match_flags[8 * 3]; - static ExactMatchFlag *exact_match_flags[8 * 3]; + static MatchFlag *exec_match_flags[8 * 2]; + static ExactMatchFlag *exact_match_flags[8 * 2]; Node *tree, *accept; int exact_match; 
@@ -1580,8 +1576,7 @@ extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, uint32_t perms) if (rules->reverse) flip_tree(tree); -#define ALL_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_GROUP_EXEC_TYPE | \ - AA_OTHER_EXEC_TYPE) +#define ALL_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE) #define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7) if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS)) @@ -1600,9 +1595,6 @@ if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS)) if (mask & (AA_MAY_EXEC << AA_USER_SHIFT)) { eperm = mask | perms & AA_USER_EXEC_TYPE; index = EXTRACT_X_INDEX(perms, AA_USER_SHIFT); - } else if (mask & (AA_MAY_EXEC << AA_GROUP_SHIFT)) { - eperm = mask | perms & AA_GROUP_EXEC_TYPE; - index = EXTRACT_X_INDEX(perms, AA_GROUP_SHIFT) + 8; } else { eperm = mask | perms & AA_OTHER_EXEC_TYPE; index = EXTRACT_X_INDEX(perms, AA_OTHER_SHIFT) + 16; diff --git a/parser/parser_lex.l b/parser/parser_lex.l index 51d81c578..c30d33702 100644 --- a/parser/parser_lex.l +++ b/parser/parser_lex.l @@ -54,7 +54,7 @@ END_OF_RULE [,] SEPERATOR {UP} RANGE - MODE_CHARS ([RrWwaLlMmk])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx]) -MODES ({MODE_CHARS}+)|({MODE_CHARS}*:{MODE_CHARS}*:{MODE_CHARS}*) +MODES {MODE_CHARS}+ WS [[:blank:]] NUMBER [[:digit:]]+ ID [^ \t\n"!,]|(,[^ \t\n"!]) diff --git a/parser/parser_misc.c b/parser/parser_misc.c index 8d96fd6f2..44382d699 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -61,6 +61,7 @@ static struct keyword_table keyword_table[] = { {"change_profile", TOK_CHANGE_PROFILE}, {"unsafe", TOK_UNSAFE}, {"link", TOK_LINK}, + {"owner", TOK_OWNER}, /* terminate */ {NULL, 0} }; @@ -522,9 +523,6 @@ reeval: yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'")); break; - case ':': - goto out; - break; /* error cases */ default: @@ -552,7 +550,7 @@ reeval: p++; } -out: + PDEBUG("Parsed mode: %s 0x%x\n", str_mode, mode); return mode; 
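Review bot: The condition `if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))` immediately below the redefined `ALL_EXEC_TYPE` is a context line, but it is worth fixing while this area is touched: `!perms & AA_EXEC_BITS` parses as `(!perms) & AA_EXEC_BITS`, which is 0 whenever `perms` is non-zero, and the left operand already requires `perms` to be non-zero, so the whole test can never be true and the check it guards is dead. The intended test is presumably `!(perms & AA_EXEC_BITS)`, i.e. an exec type present without any x permission bit. The enclosing function aare_add_rule starts and ends outside this hunk.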
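Review bot: The surviving `else` branch still computes `index = EXTRACT_X_INDEX(perms, AA_OTHER_SHIFT) + 16;`, but the -1552 hunk of this file shrinks `exec_match_flags` and `exact_match_flags` from `8 * 3` to `8 * 2` entries; `EXTRACT_X_INDEX` masks with `0x7`, so the other-slot index is now 16..23 and, assuming `index` selects into those arrays as their names suggest, writes past the end of both static arrays. With the group slot removed the other slot is the second block of eight, so the line should read `index = EXTRACT_X_INDEX(perms, AA_OTHER_SHIFT) + 8;`. aare_add_rule's body continues outside this hunk, so the indexing site itself is not visible here.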
@@ -560,52 +558,12 @@ out: int parse_mode(const char *str_mode) { - const char *next, *pos = str_mode; - int tmp, exec_mods, mode = 0; - next = strchr(str_mode, ':'); - if (!next) { - tmp = parse_sub_mode(str_mode, ""); - mode = SHIFT_MODE(tmp, AA_USER_SHIFT); - mode |= SHIFT_MODE(tmp, AA_GROUP_SHIFT); - mode |= SHIFT_MODE(tmp, AA_OTHER_SHIFT); - if (mode & ~AA_VALID_PERMS) - yyerror(_("Internal error generated invalid perm 0x%llx\n"), mode); - return mode; - } - /* user:group:other */ - if (next > pos) { - exec_mods = mode & AA_EXEC_MODIFIERS; - mode = SHIFT_MODE(parse_sub_mode(pos, "user"), AA_USER_SHIFT); - } - pos = next + 1; - next = strchr(pos, ':'); - if (next > pos) { - tmp = parse_sub_mode(pos, "group"); -/* we can allow different mods per labeling, just not when named transitions - are present. - if ((mode & AA_EXEC_BITS) && (tmp & AA_EXEC_BITS) && - (exec_mods != (tmp & AA_EXEC_MODIFIERS))) - yyerror(_("conflicting x modifiers between user and group permissions.")); -*/ - exec_mods = tmp & AA_EXEC_MODIFIERS; - mode |= SHIFT_MODE(tmp, AA_GROUP_SHIFT); - } - pos = next + 1; - if (*pos) { - tmp = parse_sub_mode(pos, "other"); -/* allow different x mods per ugo - if ((mode & AA_EXEC_BITS) && (tmp & AA_EXEC_BITS) && - (exec_mods != (tmp & AA_EXEC_MODIFIERS))) - yyerror(_("conflicting x modifiers between other and user:group permissions.")); -*/ - exec_mods = tmp & AA_EXEC_MODIFIERS; - mode |= SHIFT_MODE(tmp, AA_OTHER_SHIFT); - } + int tmp, mode = 0; + tmp = parse_sub_mode(str_mode, ""); + mode = SHIFT_MODE(tmp, AA_USER_SHIFT); + mode |= SHIFT_MODE(tmp, AA_OTHER_SHIFT); if (mode & ~AA_VALID_PERMS) yyerror(_("Internal error generated invalid perm 0x%llx\n"), mode); - if (!mode) - yyerror(_("Invalid permission permission \"::\" - no permission specified.")); - return mode; } 
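Review bot: The retained call `yyerror(_("Internal error generated invalid perm 0x%llx\n"), mode);` passes an `int` to a `%llx` conversion, which is undefined behaviour and prints garbage in the high bits; now that parse_mode is a handful of lines this is the moment to pass `(unsigned long long)mode` (or, if translations can be updated, switch the conversion to `%x`). The rewrite also drops the `if (!mode)` guard; that is probably fine because the lexer's `MODES` rule in parser_lex.l now requires at least one mode character, but it is worth confirming `parse_sub_mode` cannot return 0 for an accepted token, since a zero-permission rule would otherwise pass silently. Finally, `int tmp, mode = 0;` initialises `mode` only to overwrite it two lines later; `int mode = SHIFT_MODE(tmp, AA_USER_SHIFT) | SHIFT_MODE(tmp, AA_OTHER_SHIFT);` after computing `tmp` is tighter and makes the "same base mode in both slots, owner narrowing happens in the grammar" intent easier to comment.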
@@ -725,8 +683,6 @@ void debug_cod_entries(struct cod_entry *list) printf(" unsafe"); debug_base_perm_mask(SHIFT_TO_BASE(item->mode, AA_USER_SHIFT)); printf(":"); - debug_base_perm_mask(SHIFT_TO_BASE(item->mode, AA_GROUP_SHIFT)); - printf(":"); debug_base_perm_mask(SHIFT_TO_BASE(item->mode, AA_OTHER_SHIFT)); if (item->name) printf("\tName:\t(%s)\n", item->name); diff --git a/parser/parser_regex.c b/parser/parser_regex.c index c59e69f36..11b69004c 100644 --- a/parser/parser_regex.c +++ b/parser/parser_regex.c @@ -499,9 +499,6 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry) if (((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_MODIFIERS) == AA_EXEC_INHERIT) entry->mode |= AA_EXEC_MMAP << AA_OTHER_SHIFT; - if (((entry->mode >> AA_GROUP_SHIFT) & AA_EXEC_MODIFIERS) == - AA_EXEC_INHERIT) - entry->mode |= AA_EXEC_MMAP << AA_GROUP_SHIFT; if (((entry->mode >> AA_USER_SHIFT) & AA_EXEC_MODIFIERS) == AA_EXEC_INHERIT) entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT; diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 7faf03939..e21dbcf70 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -94,6 +94,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode, %token TOK_UNSAFE %token TOK_COLON %token TOK_LINK +%token TOK_OWNER /* capabilities */ %token TOK_CAPABILITY @@ -134,6 +135,8 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode, %type cond_rule %type network_rule %type rule +%type owner_rule +%type owner_rules %type flags %type flagvals %type flagval 
@@ -373,6 +376,31 @@ rules: rules rule add_entry_to_policy($1, $2); $$ = $1; }; +/* +rules: rules owner_rule + { + PDEBUG("matched: rules owner_rule\n"); + PDEBUG("rules owner_rule: (%s)\n", $2->name); + if (!$2) + yyerror(_("Assert: `owner_rule' returned NULL.")); + add_entry_to_policy($1, $2); + $$ = $1; + }; +*/ +rules: rules TOK_OWNER owner_rule + { + struct cod_entry *entry, *tmp; + + PDEBUG("matched: rules owner_rules\n"); + PDEBUG("rules owner_rules: (%s)\n", $3->name); + if ($3) { + list_for_each_safe($3, entry, tmp) { + entry->next = NULL; + add_entry_to_policy($1, entry); + } + } + $$ = $1; + }; rules: rules network_rule { @@ -514,6 +542,31 @@ expr: TOK_DEFINED TOK_BOOL_VAR id_or_var: TOK_ID { $$ = $1; } id_or_var: TOK_SET_VAR { $$ = $1; }; +owner_rule: TOK_OPEN owner_rules TOK_CLOSE + { + $$ = $2; + }; + +owner_rule: rule + { + /* mask mode to owner permissions */ + if ($1) { + $1->mode &= (AA_USER_PERMS | AA_SHARED_PERMS); + } + $$ = $1; + }; + +owner_rules: { $$ = NULL; }; + +owner_rules: owner_rules rule + { + if ($2) { + $2->mode &= (AA_USER_PERMS | AA_SHARED_PERMS); + $2->next = $1; + } + $$ = $2; + }; + rule: id_or_var file_mode TOK_END_OF_RULE { $$ = do_file_rule(NULL, $1, $2, NULL);
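Review bot: `PDEBUG("rules owner_rules: (%s)\n", $3->name);` dereferences `$3` before the `if ($3)` check two lines below it, and `owner_rules` has an empty alternative that yields NULL, so an owner block with no rules crashes the parser if `PDEBUG` evaluates its arguments in this build. Guard it, e.g. `PDEBUG("rules owner_rules: (%s)\n", $3 ? $3->name : "(none)");`, or move it inside the `if ($3)` block. The commented-out `rules: rules owner_rule` production above should be deleted rather than kept as dead text, and the debug strings say `owner_rules` while the production actually matches `TOK_OWNER owner_rule`, which will mislead anyone reading trace output.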
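Review bot: The owner mask `mode &= (AA_USER_PERMS | AA_SHARED_PERMS)` is written out twice, in `owner_rule: rule` and in `owner_rules: owner_rules rule`; a single definition such as `#define AA_OWNER_PERMS (AA_USER_PERMS | AA_SHARED_PERMS)` next to `AA_FILE_PERMS` in immunix.h keeps the statement of what an owner rule may grant in one place, which matters for a permission boundary. `AA_SHARED_PERMS` is not introduced by any hunk of this patch, so it must already be defined elsewhere; it is worth confirming it contains nothing from the other slot, otherwise the mask would let non-owner permissions through. The `$2->next = $1` assignment prepends, so entries reach `add_entry_to_policy` in reverse source order; if that is intended, a comment like `/* built newest-first; rule order is not significant for file rules */` would stop a future reader from "fixing" it, and if it is not, append instead.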