change from U:G:O syntax to owner syntax and remove group permission

2025-08-22 10:07:12 +00:00 · 2007-11-29 18:06:53 +00:00 · 2007-11-29 18:06:53 +00:00 · 97dbaa02cb
commit 97dbaa02cb
parent 55abf6aa0b
6 changed files with 66 additions and 79 deletions
--- a/parser/immunix.h
+++ b/parser/immunix.h
@ -42,15 +42,12 @@
 					 AA_EXEC_MMAP | AA_EXEC_UNSAFE | \
 					 AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
 #define AA_USER_SHIFT			0
-#define AA_GROUP_SHIFT			10
+#define AA_OTHER_SHIFT			10
 #define AA_OTHER_SHIFT			20
 #define AA_USER_PERMS			(AA_BASE_PERMS << AA_USER_SHIFT)
 #define AA_GROUP_PERMS			(AA_BASE_PERMS << AA_GROUP_SHIFT)
 #define AA_OTHER_PERMS			(AA_BASE_PERMS << AA_OTHER_SHIFT)
-#define AA_FILE_PERMS			(AA_USER_PERMS | AA_GROUP_PERMS | \
+#define AA_FILE_PERMS			(AA_USER_PERMS | AA_OTHER_PERMS )
 					 AA_OTHER_PERMS)
 #define AA_CHANGE_PROFILE		(1 << 30)
 #define AA_ERROR_BIT			(1 << 31)
@ -69,19 +66,15 @@
 #define AA_VALID_PERMS			(AA_FILE_PERMS | AA_CHANGE_PROFILE)
 #define AA_EXEC_BITS			((AA_MAY_EXEC << AA_USER_SHIFT) | \
 					 (AA_MAY_EXEC << AA_GROUP_SHIFT) | \
 					 (AA_MAY_EXEC << AA_OTHER_SHIFT))
 #define ALL_AA_EXEC_UNSAFE		((AA_EXEC_UNSAFE << AA_USER_SHIFT) | \
 					 (AA_EXEC_UNSAFE << AA_GROUP_SHIFT) | \
 					 (AA_EXEC_UNSAFE << AA_OTHER_SHIFT))
 #define AA_USER_EXEC_TYPE		(AA_EXEC_TYPE << AA_USER_SHIFT)
 #define AA_GROUP_EXEC_TYPE		(AA_EXEC_TYPE << AA_GROUP_SHIFT)
 #define AA_OTHER_EXEC_TYPE		(AA_EXEC_TYPE << AA_OTHER_SHIFT)
 #define AA_LINK_BITS			((AA_MAY_LINK << AA_USER_SHIFT) | \
 					 (AA_MAY_LINK << AA_GROUP_SHIFT) | \
 					 (AA_MAY_LINK << AA_OTHER_SHIFT))
 #define SHIFT_MODE(MODE, SHIFT)		((((MODE) & AA_BASE_PERMS) << (SHIFT))\
@ -92,7 +85,6 @@
 #define AA_LINK_SUBSET_TEST		(AA_MAY_LINK << 1)
 #define LINK_SUBSET_BITS	((AA_LINK_SUBSET_TEST << AA_USER_SHIFT) | \
 				 (AA_LINK_SUBSET_TEST << AA_GROUP_SHIFT) | \
 				 (AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT))
 #define LINK_TO_LINK_SUBSET(X)		(((X) << 1) & AA_LINK_SUBSET_TEST)
@ -136,9 +128,6 @@ static inline int is_merged_x_consistent(int a, int b)
 	if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
 	    ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
 		return 0;
 	if ((a & AA_GROUP_EXEC_TYPE) && (b & AA_GROUP_EXEC_TYPE) &&
 	    ((a & AA_GROUP_EXEC_TYPE) != (b & AA_GROUP_EXEC_TYPE)))
 		return 0;
 	if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
 	    ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
 		return 0;
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@ -1524,16 +1524,12 @@ uint32_t accept_perms(State *state)
    }
    perms |= exact_match_perms &
-	    ~(AA_USER_EXEC_TYPE | AA_GROUP_EXEC_TYPE | AA_OTHER_EXEC_TYPE);
+	    ~(AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE);
    if (exact_match_perms & AA_USER_EXEC_TYPE)
 	    perms = (exact_match_perms & AA_USER_EXEC_TYPE) |
 		    (perms & ~AA_USER_EXEC_TYPE);
    if (exact_match_perms & AA_GROUP_EXEC_TYPE)
 	    perms = (exact_match_perms & AA_GROUP_EXEC_TYPE) |
 		    (perms & ~AA_GROUP_EXEC_TYPE);
    if (exact_match_perms & AA_OTHER_EXEC_TYPE)
 	    perms = (exact_match_perms & AA_OTHER_EXEC_TYPE) |
 		    (perms & ~AA_OTHER_EXEC_TYPE);
@ -1552,8 +1548,8 @@ uint32_t accept_perms(State *state)
 extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, uint32_t perms)
 {
    static MatchFlag *match_flags[sizeof(perms) * 8 - 1];
-    static MatchFlag *exec_match_flags[8 * 3];
+    static MatchFlag *exec_match_flags[8 * 2];
-    static ExactMatchFlag *exact_match_flags[8 * 3];
+    static ExactMatchFlag *exact_match_flags[8 * 2];
    Node *tree, *accept;
    int exact_match;
@ -1580,8 +1576,7 @@ extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, uint32_t perms)
    if (rules->reverse)
 	flip_tree(tree);
-#define ALL_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_GROUP_EXEC_TYPE | \
+#define ALL_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
 		       AA_OTHER_EXEC_TYPE)
 #define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7)
 if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))
@ -1600,9 +1595,6 @@ if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 		    if (mask & (AA_MAY_EXEC << AA_USER_SHIFT)) {
 			    eperm = mask | perms & AA_USER_EXEC_TYPE;
 			    index = EXTRACT_X_INDEX(perms, AA_USER_SHIFT);
 		    } else if (mask & (AA_MAY_EXEC << AA_GROUP_SHIFT)) {
 			    eperm = mask | perms & AA_GROUP_EXEC_TYPE;
 			    index = EXTRACT_X_INDEX(perms, AA_GROUP_SHIFT) + 8;
 		    } else {
 			    eperm = mask | perms & AA_OTHER_EXEC_TYPE;
 			    index = EXTRACT_X_INDEX(perms, AA_OTHER_SHIFT) + 16;
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@ -54,7 +54,7 @@ END_OF_RULE	[,]
 SEPERATOR 	{UP}
 RANGE		-
 MODE_CHARS 	([RrWwaLlMmk])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
-MODES		({MODE_CHARS}+)|({MODE_CHARS}*:{MODE_CHARS}*:{MODE_CHARS}*)
+MODES		{MODE_CHARS}+
 WS		[[:blank:]]
 NUMBER		[[:digit:]]+
 ID 		[^ \t\n"!,]|(,[^ \t\n"!])
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@ -61,6 +61,7 @@ static struct keyword_table keyword_table[] = {
 	{"change_profile",	TOK_CHANGE_PROFILE},
 	{"unsafe",		TOK_UNSAFE},
 	{"link",		TOK_LINK},
 	{"owner",		TOK_OWNER},
 	/* terminate */
 	{NULL, 0}
 };
@ -522,9 +523,6 @@ reeval:
 			yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
 			break;
 		case ':':
 			goto out;
 			break;
 		/* error cases */
 		default:
@ -552,7 +550,7 @@ reeval:
 		p++;
 	}
-out:
+
 	PDEBUG("Parsed mode: %s 0x%x\n", str_mode, mode);
 	return mode;
@ -560,52 +558,12 @@ out:
 int parse_mode(const char *str_mode)
 {
-	const char *next, *pos = str_mode;
+	int tmp, mode = 0;
-	int tmp, exec_mods, mode = 0;
+	tmp = parse_sub_mode(str_mode, "");
-	next = strchr(str_mode, ':');
+	mode = SHIFT_MODE(tmp, AA_USER_SHIFT);
-	if (!next) {
+	mode |= SHIFT_MODE(tmp, AA_OTHER_SHIFT);
 		tmp = parse_sub_mode(str_mode, "");
 		mode = SHIFT_MODE(tmp, AA_USER_SHIFT);
 		mode |= SHIFT_MODE(tmp, AA_GROUP_SHIFT);
 		mode |= SHIFT_MODE(tmp, AA_OTHER_SHIFT);
 		if (mode & ~AA_VALID_PERMS)
 			yyerror(_("Internal error generated invalid perm 0x%llx\n"), mode);
 		return mode;
 	}
 	/* user:group:other */
 	if (next > pos) {
 		exec_mods = mode & AA_EXEC_MODIFIERS;
 		mode = SHIFT_MODE(parse_sub_mode(pos, "user"), AA_USER_SHIFT);
 	}
 	pos = next + 1;
 	next = strchr(pos, ':');
 	if (next > pos) {
 		tmp = parse_sub_mode(pos, "group");
 /* we can allow different mods per labeling, just not when named transitions
   are present.
 		if ((mode & AA_EXEC_BITS) && (tmp & AA_EXEC_BITS) &&
 		    (exec_mods != (tmp & AA_EXEC_MODIFIERS)))
 			yyerror(_("conflicting x modifiers between user and group permissions."));
 */
 		exec_mods = tmp & AA_EXEC_MODIFIERS;
 		mode |= SHIFT_MODE(tmp, AA_GROUP_SHIFT);
 	}
 	pos = next + 1;
 	if (*pos) {
 		tmp = parse_sub_mode(pos, "other");
 /* allow different x mods per ugo
 		if ((mode & AA_EXEC_BITS) && (tmp & AA_EXEC_BITS) &&
 		    (exec_mods != (tmp & AA_EXEC_MODIFIERS)))
 			yyerror(_("conflicting x modifiers between other and user:group permissions."));
 */
 		exec_mods = tmp & AA_EXEC_MODIFIERS;
 		mode |= SHIFT_MODE(tmp, AA_OTHER_SHIFT);
 	}
 	if (mode & ~AA_VALID_PERMS)
 		yyerror(_("Internal error generated invalid perm 0x%llx\n"), mode);
 	if (!mode)
 		yyerror(_("Invalid permission permission \"::\" - no permission specified."));
 	return mode;
 }
@ -725,8 +683,6 @@ void debug_cod_entries(struct cod_entry *list)
 			printf(" unsafe");
 		debug_base_perm_mask(SHIFT_TO_BASE(item->mode, AA_USER_SHIFT));
 		printf(":");
 		debug_base_perm_mask(SHIFT_TO_BASE(item->mode, AA_GROUP_SHIFT));
 		printf(":");
 		debug_base_perm_mask(SHIFT_TO_BASE(item->mode, AA_OTHER_SHIFT));
 		if (item->name)
 			printf("\tName:\t(%s)\n", item->name);
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -499,9 +499,6 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 	if (((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_MODIFIERS) ==
 	    AA_EXEC_INHERIT)
 		entry->mode |= AA_EXEC_MMAP << AA_OTHER_SHIFT;
 	if (((entry->mode >> AA_GROUP_SHIFT) & AA_EXEC_MODIFIERS) ==
 	    AA_EXEC_INHERIT)
 		entry->mode |= AA_EXEC_MMAP << AA_GROUP_SHIFT;
 	if (((entry->mode >> AA_USER_SHIFT) & AA_EXEC_MODIFIERS) ==
 	    AA_EXEC_INHERIT)
 		entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@ -94,6 +94,7 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
 %token TOK_UNSAFE
 %token TOK_COLON
 %token TOK_LINK
 %token TOK_OWNER
 /* capabilities */
 %token TOK_CAPABILITY
@ -134,6 +135,8 @@ struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
 %type <cod>	cond_rule
 %type <network_entry> network_rule
 %type <user_entry> rule
 %type <user_entry> owner_rule
 %type <user_entry> owner_rules
 %type <flags>	flags
 %type <flags>	flagvals
 %type <flags>	flagval
@ -373,6 +376,31 @@ rules:  rules rule
 		add_entry_to_policy($1, $2);
 		$$ = $1;
 	};
 /*
 rules:  rules owner_rule
 	{
 		PDEBUG("matched: rules owner_rule\n");
 		PDEBUG("rules owner_rule: (%s)\n", $2->name);
 		if (!$2)
 			yyerror(_("Assert: `owner_rule' returned NULL."));
 		add_entry_to_policy($1, $2);
 		$$ = $1;
 	};
 */
 rules:  rules TOK_OWNER owner_rule
 	{
 		struct cod_entry *entry, *tmp;
 		PDEBUG("matched: rules owner_rules\n");
 		PDEBUG("rules owner_rules: (%s)\n", $3->name);
 		if ($3) {
 			list_for_each_safe($3, entry, tmp) {
 				entry->next = NULL;
 				add_entry_to_policy($1, entry);
 			}
 		}
 		$$ = $1;
 	};
 rules: rules network_rule
 	{
@ -514,6 +542,31 @@ expr:	TOK_DEFINED TOK_BOOL_VAR
 id_or_var: TOK_ID { $$ = $1; }
 id_or_var: TOK_SET_VAR { $$ = $1; };
 owner_rule: TOK_OPEN owner_rules TOK_CLOSE
 	{
 		$$ = $2;
 	};
 owner_rule: rule
 	{
 		/* mask mode to owner permissions */
 		if ($1) {
 			$1->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
 		}
 		$$ = $1;
 	};
 owner_rules: { $$ = NULL; };
 owner_rules: owner_rules rule
 	{
 		if ($2) {
 			$2->mode &= (AA_USER_PERMS | AA_SHARED_PERMS);
 			$2->next = $1;
 		}
 		$$ = $2;
 	};
 rule:	id_or_var file_mode TOK_END_OF_RULE
 	{
 		$$ = do_file_rule(NULL, $1, $2, NULL);