Convert the parser to C++

This conversion is nothing more than what is required to get it to
compile. Further improvements will come as the code is refactored.

Unfortunately due to C++ not supporting designated initializers, the auto
generation of af names needed to be reworked, and "netlink" and "unix"
domain socket keywords leaked in. Since these where going to be added in
separate patches I have not bothered to do the extra work to replace them
with a temporary place holder.

Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: merged with dbus changes and memory leak fixes]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>

common/Make.rules

@@ -193,12 +193,12 @@ list_capabilities: /usr/include/linux/capability.h
 # to mediate. We use PF_ here since that is what is required in
 # bits/socket.h, but we will rewrite these as AF_.
 
-FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
+FILTER_FAMILIES=PF_UNIX
 
 __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
 
 # emits the AF names in a "AF_NAME NUMBER," pattern
-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
 
 .PHONY: list_af_names
 list_af_names:

parser/Makefile

@@ -40,11 +40,11 @@ LEXFLAGS = -B -v
 WARNINGS = -Wall
 EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
 CXX_WARNINGS = ${WARNINGS} $(shell for warning in ${EXTRA_WARNINGS} ; do \
-			if ${CC} $${warning} -S -o /dev/null -xc /dev/null >/dev/null 2>&1; then \
+			if ${CXX} $${warning} -S -o /dev/null -xc /dev/null >/dev/null 2>&1; then \
 				echo "$${warning}"; \
 			fi ; \
 		done)
-CPP_WARNINGS = -Wstrict-prototypes -Wnested-externs
+CPP_WARNINGS =
 ifndef CFLAGS
 CFLAGS	= -g -O2 -pipe
 
@@ -163,52 +163,52 @@ parser_lex.c: parser_lex.l parser_yacc.h parser.h
 	$(LEX) ${LEXFLAGS} -o$@ $<
 
 parser_lex.o: parser_lex.c parser.h parser_yacc.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_misc.o: parser_misc.c parser.h parser_yacc.h af_names.h cap_names.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_yacc.o: parser_yacc.c parser_yacc.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_main.o: parser_main.c parser.h parser_version.h libapparmor_re/apparmor_re.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_interface.o: parser_interface.c parser.h libapparmor_re/apparmor_re.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_include.o: parser_include.c parser.h parser_include.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_merge.o: parser_merge.c parser.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_regex.o: parser_regex.c parser.h libapparmor_re/apparmor_re.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_symtab.o: parser_symtab.c parser.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_variable.o: parser_variable.c parser.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_policy.o: parser_policy.c parser.h parser_yacc.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_alias.o: parser_alias.c parser.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_common.o: parser_common.c parser.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 mount.o: mount.c mount.h parser.h immunix.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 lib.o: lib.c lib.h parser.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 dbus.o: dbus.c dbus.h parser.h immunix.h
-	$(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
 
 parser_version.h: Makefile
 	@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
@@ -228,7 +228,7 @@ cap_names.h: /usr/include/linux/capability.h
 	echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
 
 tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
-	$(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)
+	$(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)
 
 .SILENT: check
 .PHONY: check

parser/lib.c

@@ -70,11 +70,13 @@ int dirat_for_each(DIR *dir, const char *name, void *data,
 	}
 
 	if (dir && (!name || *name != '/')) {
-		dirent = malloc(offsetof(struct dirent, d_name) +
+		dirent = (struct dirent *)
-				fpathconf(dirfd(dir), _PC_NAME_MAX) + 1);
+			malloc(offsetof(struct dirent, d_name) +
+			       fpathconf(dirfd(dir), _PC_NAME_MAX) + 1);
 	} else {
-		dirent = malloc(offsetof(struct dirent, d_name) +
+		dirent = (struct dirent *)
-				pathconf(name, _PC_NAME_MAX) + 1);
+			malloc(offsetof(struct dirent, d_name) +
+			       pathconf(name, _PC_NAME_MAX) + 1);
 	}
 	if (!dirent) {
 		PDEBUG("could not alloc dirent");

parser/libapparmor_re/aare_rules.cc

@@ -39,7 +39,7 @@ struct aare_ruleset {
 	Node *root;
 };
 
-extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
+aare_ruleset_t *aare_new_ruleset(int reverse)
 {
 	aare_ruleset_t *container = (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
 	if (!container)
@@ -51,7 +51,7 @@ extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
 	return container;
 }
 
-extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
+void aare_delete_ruleset(aare_ruleset_t *rules)
 {
 	if (rules) {
 		if (rules->root)
@@ -62,7 +62,7 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
 	aare_reset_matchflags();
 }
 
-extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
+int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
 			     uint32_t perms, uint32_t audit, dfaflags_t flags)
 {
 	return aare_add_rule_vec(rules, deny, perms, audit, 1, &rule, flags);
@@ -76,7 +76,7 @@ DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
 MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix + pux * u::o */
 ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix + pux *u::o */
 
-extern "C" void aare_reset_matchflags(void)
+void aare_reset_matchflags(void)
 {
 	uint32_t i, j;
 #define RESET_FLAGS(group, size) { \
@@ -94,7 +94,7 @@ extern "C" void aare_reset_matchflags(void)
 #undef RESET_FLAGS
 }
 
-extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
+int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 				 uint32_t perms, uint32_t audit,
 				 int count, char **rulev, dfaflags_t flags)
 {
@@ -243,7 +243,7 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
  * returns: buffer contain dfa tables, @size set to the size of the tables
  *          else NULL on failure
  */
-extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
+void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
 				 dfaflags_t flags)
 {
 	char *buffer = NULL;

parser/libapparmor_re/apparmor_re.h

@@ -19,36 +19,37 @@
 #ifndef APPARMOR_RE_H
 #define APPARMOR_RE_H
 
-typedef enum dfaflags {
+typedef int dfaflags_t;
-  DFA_CONTROL_EQUIV =		1 << 0,
-  DFA_CONTROL_TREE_NORMAL =	1 << 1,
-  DFA_CONTROL_TREE_SIMPLE =	1 << 2,
-  DFA_CONTROL_TREE_LEFT =	1 << 3,
-  DFA_CONTROL_MINIMIZE =	1 << 4,
-  DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,
-  DFA_CONTROL_FILTER_DENY =	1 << 6,
-  DFA_CONTROL_REMOVE_UNREACHABLE =	1 << 7,
-  DFA_CONTROL_TRANS_HIGH =	1 << 8,
 
-  DFA_DUMP_MIN_PARTS =		1 << 13,
+
-  DFA_DUMP_UNIQ_PERMS =		1 << 14,
+#define DFA_CONTROL_EQUIV 		(1 << 0)
-  DFA_DUMP_MIN_UNIQ_PERMS =	1 << 15,
+#define DFA_CONTROL_TREE_NORMAL 	(1 << 1)
-  DFA_DUMP_TREE_STATS =		1 << 16,
+#define DFA_CONTROL_TREE_SIMPLE 	(1 << 2)
-  DFA_DUMP_TREE =		1 << 17,
+#define DFA_CONTROL_TREE_LEFT 		(1 << 3)
-  DFA_DUMP_SIMPLE_TREE =	1 << 18,
+#define DFA_CONTROL_MINIMIZE 		(1 << 4)
-  DFA_DUMP_PROGRESS =		1 << 19,
+#define DFA_CONTROL_MINIMIZE_HASH_TRANS (1 << 5)
-  DFA_DUMP_STATS =		1 << 20,
+#define DFA_CONTROL_FILTER_DENY 	(1 << 6)
-  DFA_DUMP_STATES =		1 << 21,
+#define DFA_CONTROL_REMOVE_UNREACHABLE  (1 << 7)
-  DFA_DUMP_GRAPH =		1 << 22,
+#define DFA_CONTROL_TRANS_HIGH		(1 << 8)
-  DFA_DUMP_TRANS_PROGRESS =	1 << 23,
+
-  DFA_DUMP_TRANS_STATS =	1 << 24,
+#define DFA_DUMP_MIN_PARTS 		(1 << 13)
-  DFA_DUMP_TRANS_TABLE =	1 << 25,
+#define DFA_DUMP_UNIQ_PERMS 		(1 << 14)
-  DFA_DUMP_EQUIV =		1 << 26,
+#define DFA_DUMP_MIN_UNIQ_PERMS 	(1 << 15)
-  DFA_DUMP_EQUIV_STATS =	1 << 27,
+#define DFA_DUMP_TREE_STATS 		(1 << 16)
-  DFA_DUMP_MINIMIZE =		1 << 28,
+#define DFA_DUMP_TREE 			(1 << 17)
-  DFA_DUMP_UNREACHABLE =	1 << 29,
+#define DFA_DUMP_SIMPLE_TREE 		(1 << 18)
-  DFA_DUMP_RULE_EXPR =		1 << 30,
+#define DFA_DUMP_PROGRESS 		(1 << 19)
-  DFA_DUMP_NODE_TO_DFA =	1 << 31,
+#define DFA_DUMP_STATS			(1 << 20)
-} dfaflags_t;
+#define DFA_DUMP_STATES 		(1 << 21)
+#define DFA_DUMP_GRAPH			(1 << 22)
+#define DFA_DUMP_TRANS_PROGRESS 	(1 << 23)
+#define DFA_DUMP_TRANS_STATS 		(1 << 24)
+#define DFA_DUMP_TRANS_TABLE 		(1 << 25)
+#define DFA_DUMP_EQUIV			(1 << 26)
+#define DFA_DUMP_EQUIV_STATS 		(1 << 27)
+#define DFA_DUMP_MINIMIZE 		(1 << 28)
+#define DFA_DUMP_UNREACHABLE 		(1 << 29)
+#define DFA_DUMP_RULE_EXPR 		(1 << 30)
+#define DFA_DUMP_NODE_TO_DFA 		(1 << 31)
 
 #endif /* APPARMOR_RE_H */

parser/mount.c

@@ -220,7 +220,7 @@
 #include "mount.h"
 
 struct mnt_keyword_table {
-	char *keyword;
+	const char *keyword;
 	unsigned int set;
 	unsigned int clear;
 };
@@ -272,8 +272,8 @@ static struct mnt_keyword_table mnt_opts_table[] = {
 	{"iversion",		MS_IVERSION, 0},
 	{"noiversion",		0, MS_IVERSION},
 	{"strictatime",		MS_STRICTATIME, 0},
-	{"user",		0, MS_NOUSER},
+	{"user",		0, (unsigned int) MS_NOUSER},
-	{"nouser",		MS_NOUSER, 0},
+	{"nouser",		(unsigned int) MS_NOUSER, 0},
 
 	{NULL, 0, 0}
 };

parser/parser.h

@@ -22,12 +22,18 @@
 #ifndef __AA_PARSER_H
 #define __AA_PARSER_H
 
+
+#include <string.h>
 #include <netinet/in.h>
 #include <sys/resource.h>
 #include "immunix.h"
 #include "libapparmor_re/apparmor_re.h"
 #include "libapparmor_re/aare_rules.h"
 
+using namespace std;
+
+#include <set>
+
 struct mnt_ent;
 
 /* Global variable to pass token to lexer.  Will be replaced by parameter
@@ -52,7 +58,7 @@ struct flagval {
 
 struct named_transition {
 	int present;
-	char *namespace;
+	char *ns;
 	char *name;
 };
 
@@ -75,7 +81,7 @@ struct cond_entry {
 };
 
 struct cod_entry {
-	char *namespace;
+	char *ns;
 	char *name;
 	char *link_name;
 	char *nt_name;
@@ -115,7 +121,7 @@ struct alt_name {
 };
 
 struct codomain {
-	char *namespace;
+	char *ns;
 	char *name;				/* codomain name */
 	char *attachment;
 	struct alt_name *altnames;
@@ -287,7 +293,7 @@ extern dfaflags_t dfaflags;
 extern char *progname;
 extern char *subdomainbase;
 extern char *profilename;
-extern char *profile_namespace;
+extern char *profile_ns;
 extern char *current_filename;
 extern FILE *ofile;
 extern int read_implies_exec;
@@ -342,8 +348,7 @@ extern int get_rlimit(const char *name);
 extern char *process_var(const char *var);
 extern int parse_mode(const char *mode);
 extern int parse_dbus_mode(const char *str_mode, int *mode, int fail);
-extern struct cod_entry *new_entry(char *namespace, char *id, int mode,
+extern struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id);
-				   char *link_id);
 extern struct aa_network_entry *new_network_ent(unsigned int family,
 						unsigned int type,
 						unsigned int protocol);

parser/parser_alias.c

@@ -50,7 +50,7 @@ int new_alias(const char *from, const char *to)
 {
 	struct alias_rule *alias, **result;
 
-	alias = calloc(1, sizeof(struct alias_rule));
+	alias = (struct alias_rule *) calloc(1, sizeof(struct alias_rule));
 	if (!alias) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
 		goto fail;
@@ -95,14 +95,14 @@ fail:
 static char *do_alias(struct alias_rule *alias, const char *target)
 {
 	int len = strlen(target) - strlen(alias->from) + strlen(alias->to);
-	char *new = malloc(len + 1);
+	char *n = (char *) malloc(len + 1);
-	if (!new) {
+	if (!n) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
 		return NULL;
 	}
-	sprintf(new, "%s%s", alias->to, target + strlen(alias->from));
+	sprintf(n, "%s%s", alias->to, target + strlen(alias->from));
 /*fprintf(stderr, "replaced alias: from: %s, to: %s, name: %s\n  %s\n", alias->from, alias->to, target, new);*/
-	return new;
+	return n;
 }
 
 static struct codomain *target_cod;
@@ -123,22 +123,22 @@ static void process_entries(const void *nodep, VISIT value, int __unused level)
 		    entry->alias_ignore)
 			continue;
 		if (entry->name && strncmp((*t)->from, entry->name, len) == 0) {
-			char *new = do_alias(*t, entry->name);
+			char *n = do_alias(*t, entry->name);
-			if (!new)
+			if (!n)
 				return;
 			dup = copy_cod_entry(entry);
 			free(dup->name);
-			dup->name = new;
+			dup->name = n;
 		}
 		if (entry->link_name &&
 		    strncmp((*t)->from, entry->link_name, len) == 0) {
-			char *new = do_alias(*t, entry->link_name);
+			char *n = do_alias(*t, entry->link_name);
-			if (!new)
+			if (!n)
 				return;
 			if (!dup)
 				dup = copy_cod_entry(entry);
 			free(dup->link_name);
-			dup->link_name = new;
+			dup->link_name = n;
 		}
 		if (dup) {
 			dup->alias_ignore = 1;
@@ -152,7 +152,6 @@ static void process_entries(const void *nodep, VISIT value, int __unused level)
 	}
 }
 
-static struct codomain *target_cod;
 static void process_name(const void *nodep, VISIT value, int __unused level)
 {
 	struct alias_rule **t = (struct alias_rule **) nodep;
@@ -172,14 +171,14 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
 
 	if (name && strncmp((*t)->from, name, len) == 0) {
 		struct alt_name *alt;
-		char *new = do_alias(*t, name);
+		char *n = do_alias(*t, name);
-		if (!new)
+		if (!n)
 			return;
 		/* aliases create alternate names */
-		alt = calloc(1, sizeof(struct alt_name));
+		alt = (struct alt_name *) calloc(1, sizeof(struct alt_name));
 		if (!alt)
 			return;
-		alt->name = new;
+		alt->name = n;
 		alt->next = cod->altnames;
 		cod->altnames = alt;
 	}

parser/parser_common.c

@@ -34,11 +34,11 @@ int names_only = 0;
 int current_lineno = 1;
 int option = OPTION_ADD;
 
-dfaflags_t dfaflags = DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS;
+dfaflags_t dfaflags = (dfaflags_t)(DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS);
 
 char *subdomainbase = NULL;
 char *progname = __FILE__;
-char *profile_namespace = NULL;
+char *profile_ns = NULL;
 char *profilename = NULL;
 char *current_filename = NULL;
 

parser/parser_include.c

@@ -291,7 +291,7 @@ void push_include_stack(char *filename)
 {
 	struct include_stack_t *include = NULL;
 
-	include = malloc(sizeof(*include));
+	include = (struct include_stack_t *) malloc(sizeof(*include));
 	if (!include) {
 		perror("malloc of included file stack tracker");
 		/* failures in this area are non-fatal */

parser/parser_interface.c

@@ -214,7 +214,7 @@ struct __sdserialize {
 
 sd_serialize *alloc_sd_serial(void)
 {
-	sd_serialize *p = calloc(1, sizeof(sd_serialize));
+	sd_serialize *p = (sd_serialize *) calloc(1, sizeof(sd_serialize));
 	if (!p)
 		return NULL;
 	p->buffer = malloc(BUFFERINC);
@@ -255,7 +255,7 @@ static inline void sd_inc(sd_serialize *p, int size)
 
 inline long sd_serial_size(sd_serialize *p)
 {
-	return (p->pos - p->buffer);
+	return (long) (p->pos) - (long) (p->buffer);
 }
 
 /* routines for writing data to the serialization buffer */
@@ -265,14 +265,14 @@ inline int sd_prepare_write(sd_serialize *p, enum sd_code code, size_t size)
 	if (p->pos + SD_CODE_SIZE + size > p->extent) {
 		long pos;
 		/* try and reallocate the buffer */
-		void *buffer = malloc(p->extent - p->buffer + (BUFFERINC * num));
+		void *buffer = malloc((long)(p->extent) - (long)(p->buffer) + (BUFFERINC * num));
-		memcpy(buffer, p->buffer, p->extent - p->buffer);
+		memcpy(buffer, p->buffer, (long)(p->extent) - (long)(p->buffer));
 
-		pos = p->pos - p->buffer;
+		pos = (long)(p->pos) - (long)(p->buffer);
 		if (buffer == NULL || errno == ENOMEM)
 			return 0;
 
-		p->extent = buffer + (p->extent - p->buffer) + (BUFFERINC * num);
+		p->extent = buffer + ((long)(p->extent) - (long)(p->buffer)) + (BUFFERINC * num);
 		free(p->buffer);
 		p->buffer = buffer;
 		p->pos = buffer + pos;
@@ -367,7 +367,7 @@ inline int sd_write_aligned_blob(sd_serialize *p, void *b, int buf_size,
 	u32 tmp;
 	if (!sd_write_name(p, name))
 		return 0;
-	pad = align64((p->pos + 5) - p->buffer) - ((p->pos + 5) - p->buffer);
+	pad = align64(((long)(p->pos + 5) - (long)(p->buffer)) - ((long)(p->pos + 5) - (long)(p->buffer)));
 	if (!sd_prepare_write(p, SD_BLOB, 4 + buf_size + pad))
 		return 0;
 	tmp = cpu_to_le32(buf_size + pad);
@@ -555,7 +555,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
 		assert(profile->parent);
 		int res;
 
-		char *name = malloc(3 + strlen(profile->name) +
+		char *name = (char *) malloc(3 + strlen(profile->name) +
 				    strlen(profile->parent->name));
 		if (!name)
 			return 0;
@@ -687,11 +687,11 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
 	if (!sd_write32(p, version))
 		return 0;
 
-	if (profile_namespace) {
+	if (profile_ns) {
-		if (!sd_write_string(p, profile_namespace, "namespace"))
+		if (!sd_write_string(p, profile_ns, "namespace"))
 			return 0;
-	} else if (profile->namespace) {
+	} else if (profile->ns) {
-		if (!sd_write_string(p, profile->namespace, "namespace"))
+		if (!sd_write_string(p, profile->ns, "namespace"))
 			return 0;
 	}
 
@@ -751,15 +751,15 @@ int sd_serialize_codomain(int option, struct codomain *cod)
 		char *name, *ns = NULL;
 		int len = 0;
 
-		if (profile_namespace) {
+		if (profile_ns) {
-			len += strlen(profile_namespace) + 2;
+			len += strlen(profile_ns) + 2;
-			ns = profile_namespace;
+			ns = profile_ns;
-		} else if (cod->namespace) {
+		} else if (cod->ns) {
-			len += strlen(cod->namespace) + 2;
+			len += strlen(cod->ns) + 2;
-			ns = cod->namespace;
+			ns = cod->ns;
 		}
 		if (cod->parent) {
-			name = malloc(strlen(cod->name) + 3 +
+			name = (char *) malloc(strlen(cod->name) + 3 +
 				      strlen(cod->parent->name) + len);
 			if (!name) {
 				PERROR(_("Memory Allocation Error: Unable to remove ^%s\n"), cod->name);
@@ -773,7 +773,7 @@ int sd_serialize_codomain(int option, struct codomain *cod)
 				sprintf(name, "%s//%s", cod->parent->name,
 					cod->name);
 		} else if (ns) {
-			name = malloc(len + strlen(cod->name) + 1);
+			name = (char *) malloc(len + strlen(cod->name) + 1);
 			if (!name) {
 				PERROR(_("Memory Allocation Error: Unable to remove %s:%s."), ns, cod->name);
 				error = -errno;
@@ -809,7 +809,7 @@ int sd_serialize_codomain(int option, struct codomain *cod)
 			goto exit;
 		}
 
-		size = work_area->pos - work_area->buffer;
+		size = (long) (work_area->pos) - (long)(work_area->buffer);
 		if (kernel_load || option == OPTION_STDOUT || option == OPTION_OFILE) {
 			wsize = write(fd, work_area->buffer, size);
 			if (wsize < 0) {

parser/parser_lex.l

@@ -104,10 +104,10 @@ do { \
 #define YY_NO_INPUT
 
 #define STATE_TABLE_ENT(X) [(X)] = #X
-static const char *const state_names[];
+/* static char *const state_names[]; */
 
 struct ignored_suffix_t {
-	char * text;
+	const char * text;
 	int len;
 	int silent;
 };
@@ -136,7 +136,7 @@ static int is_blacklisted(const char *name, const char *path)
 	/* skip blacklisted suffixes */
 	for (suffix = ignored_suffixes; suffix->text; suffix++) {
 		char *found;
-		if ( (found = strstr(name, suffix->text)) &&
+		if ( (found = strstr((char *) name, suffix->text)) &&
 		     found - name + suffix->len == name_len ) {
 			if (!suffix->silent)
 				PERROR("Ignoring: '%s'\n", path);
@@ -637,15 +637,16 @@ static const char *const state_names[] = {
 	STATE_TABLE_ENT(SUB_ID),
 	STATE_TABLE_ENT(SUB_VALUE),
 	STATE_TABLE_ENT(EXTCOND_MODE),
-	STATE_TABLE_ENT(LIST_COND_VAL),
-	STATE_TABLE_ENT(LIST_COND_PAREN_VAL),
-	STATE_TABLE_ENT(LIST_COND_MODE),
 	STATE_TABLE_ENT(EXTCONDLIST_MODE),
 	STATE_TABLE_ENT(NETWORK_MODE),
 	STATE_TABLE_ENT(LIST_VAL_MODE),
+	STATE_TABLE_ENT(LIST_COND_MODE),
+	STATE_TABLE_ENT(LIST_COND_VAL),
+	STATE_TABLE_ENT(LIST_COND_PAREN_VAL),
 	STATE_TABLE_ENT(ASSIGN_MODE),
 	STATE_TABLE_ENT(RLIMIT_MODE),
 	STATE_TABLE_ENT(MOUNT_MODE),
+	STATE_TABLE_ENT(DBUS_MODE),
 	STATE_TABLE_ENT(CHANGE_PROFILE_MODE),
 	STATE_TABLE_ENT(INCLUDE),
 };

parser/parser_main.c

@@ -64,7 +64,6 @@
 const char *parser_title	= "AppArmor parser";
 const char *parser_copyright	= "Copyright (C) 1999-2008 Novell Inc.\nCopyright 2009-2012 Canonical Ltd.";
 
-char *progname;
 int opt_force_complain = 0;
 int binary_input = 0;
 int dump_vars = 0;
@@ -520,7 +519,7 @@ static int process_arg(int c, char *optarg)
 		conf_quiet = 0;
 		break;
 	case 'n':
-		profile_namespace = strdup(optarg);
+		profile_ns = strdup(optarg);
 		break;
 	case 'X':
 		read_implies_exec = 1;
@@ -793,7 +792,7 @@ static void get_match_string(void) {
 		/* if we have a features directory default to */
 		perms_create = 1;
 
-		flags_string = malloc(FLAGS_STRING_SIZE);
+		flags_string = (char *) malloc(FLAGS_STRING_SIZE);
 		handle_features_dir(FLAGS_FILE, &flags_string, FLAGS_STRING_SIZE, flags_string);
 		if (strstr(flags_string, "network"))
 			kernel_supports_network = 1;
@@ -808,7 +807,7 @@ static void get_match_string(void) {
 	if (!ms)
 		goto out;
 
-	match_string = malloc(1000);
+	match_string = (char *) malloc(1000);
 	if (!match_string) {
 		goto out;
 	}
@@ -845,7 +844,7 @@ static void get_flags_string(char **flags, char *flags_file) {
 	if (!f)
 		return;
 
-	*flags = malloc(FLAGS_STRING_SIZE);
+	*flags = (char *) malloc(FLAGS_STRING_SIZE);
 	if (!*flags)
 		goto fail;
 
@@ -892,7 +891,7 @@ int process_binary(int option, char *profilename)
 
 	do {
 		if (asize - size == 0) {
-			buffer = realloc(buffer, chunksize);
+		  buffer = (char *) realloc(buffer, chunksize);
 			asize = chunksize;
 			chunksize <<= 1;
 			if (!buffer) {
@@ -1049,7 +1048,7 @@ int process_profile(int option, char *profilename)
 	 * TODO: Add support for embedded namespace defines if they aren't
 	 *       removed from the language.
 	 */
-	if (profile_namespace)
+	if (profile_ns)
 		skip_cache = 1;
 
 	/* Do secondary test to see if cached binary profile is good,

parser/parser_merge.c

@@ -35,12 +35,12 @@ static int file_comp(const void *c1, const void *c2)
 	int res = 0;
 
 	//PERROR("strcmp %s %s\n", (*e1)->name, (*e2)->name);
-	if ((*e1)->namespace) {
+	if ((*e1)->ns) {
-		if ((*e2)->namespace)
+		if ((*e2)->ns)
-			res = strcmp((*e1)->namespace, (*e2)->namespace);
+			res = strcmp((*e1)->ns, (*e2)->ns);
 		else
 			return 1;
-	} else if ((*e2)->namespace) {
+	} else if ((*e2)->ns) {
 		return -1;
 	}
 	if (res)
@@ -86,7 +86,7 @@ static int process_file_entries(struct codomain *cod)
 	if (count < 2)
 		return 1;
 
-	table = malloc(sizeof(struct cod_entry *) * (count + 1));
+	table = (struct cod_entry **) malloc(sizeof(struct cod_entry *) * (count + 1));
 	if (!table) {
 		PERROR(_("Couldn't merge entries. Out of Memory\n"));
 		return 0;

parser/parser_misc.c

@@ -51,7 +51,7 @@
 #define NPDEBUG(fmt, args...)	/* Do nothing */
 
 struct keyword_table {
-	char *keyword;
+	const char *keyword;
 	int token;
 };
 
@@ -169,11 +169,11 @@ int get_rlimit(const char *name)
 }
 
 struct network_tuple {
-	char *family_name;
+	const char *family_name;
 	unsigned int family;
-	char *type_name;
+	const char *type_name;
 	unsigned int type;
-	char *protocol_name;
+	const char *protocol_name;
 	unsigned int protocol;
 };
 
@@ -334,7 +334,7 @@ struct aa_network_entry *new_network_ent(unsigned int family,
 					 unsigned int protocol)
 {
 	struct aa_network_entry *new_entry;
-	new_entry = calloc(1, sizeof(struct aa_network_entry));
+	new_entry = (struct aa_network_entry *) calloc(1, sizeof(struct aa_network_entry));
 	if (new_entry) {
 		new_entry->family = family;
 		new_entry->type = type;
@@ -562,13 +562,13 @@ static int parse_sub_mode(const char *str_mode, const char *mode_desc __unused)
 
 	p = str_mode;
 	while (*p) {
-		char this = *p;
+		char thisc = *p;
 		char next = *(p + 1);
 		char lower;
 		int tmode = 0;
 
 reeval:
-		switch (this) {
+		switch (thisc) {
 		case COD_READ_CHAR:
 			if (read_implies_exec) {
 				PDEBUG("Parsing mode: found %s READ imply X\n", mode_desc);
@@ -626,7 +626,7 @@ reeval:
 			PDEBUG("Parsing mode: found UNCONFINED\n");
 			if (IS_DIFF_QUAL(mode, tmode)) {
 				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"),
-					this);
+					thisc);
 			} else {
 				if (next != tolower(next))
 					warn_uppercase();
@@ -642,7 +642,7 @@ reeval:
 			/* fall through */
 		case COD_PROFILE_CHAR:
 		case COD_LOCAL_CHAR:
-			if (tolower(this) == COD_UNSAFE_PROFILE_CHAR)
+			if (tolower(thisc) == COD_UNSAFE_PROFILE_CHAR)
 				tmode |= AA_EXEC_PROFILE | AA_MAY_EXEC;
 			else
 			{
@@ -652,7 +652,7 @@ reeval:
 			if (tolower(next) == COD_INHERIT_CHAR) {
 				tmode |= AA_EXEC_INHERIT;
 				if (IS_DIFF_QUAL(mode, tmode)) {
-					yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), this, next);
+					yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), thisc, next);
 				} else {
 					mode |= tmode;
 					p += 2;		/* skip x */
@@ -660,13 +660,13 @@ reeval:
 			} else if (tolower(next) == COD_UNSAFE_UNCONFINED_CHAR) {
 				tmode |= AA_EXEC_PUX;
 				if (IS_DIFF_QUAL(mode, tmode)) {
-					yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), this, next);
+					yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), thisc, next);
 				} else {
 					mode |= tmode;
 					p += 2;		/* skip x */
 				}
 			} else if (IS_DIFF_QUAL(mode, tmode)) {
-				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), this);
+				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), thisc);
 
 			} else {
 				if (next != tolower(next))
@@ -683,7 +683,7 @@ reeval:
 			break;
 
 		case COD_EXEC_CHAR:
-			/* this is valid for deny rules, and named transitions
+			/* thisc is valid for deny rules, and named transitions
 			 * but invalid for regular x transitions
 			 * sort it out later.
 			 */
@@ -693,7 +693,7 @@ reeval:
  		/* error cases */
 
 		default:
-			lower = tolower(this);
+			lower = tolower(thisc);
 			switch (lower) {
 			case COD_READ_CHAR:
 			case COD_WRITE_CHAR:
@@ -702,14 +702,14 @@ reeval:
 			case COD_INHERIT_CHAR:
 			case COD_MMAP_CHAR:
 			case COD_EXEC_CHAR:
-				PDEBUG("Parsing mode: found invalid upper case char %c\n", this);
+				PDEBUG("Parsing mode: found invalid upper case char %c\n", thisc);
 				warn_uppercase();
-				this = lower;
+				thisc = lower;
 				goto reeval;
 				break;
 			default:
 				yyerror(_("Internal: unexpected mode character '%c' in input"),
-					this);
+					thisc);
 				break;
 			}
 			break;
@@ -746,11 +746,11 @@ static int parse_dbus_sub_mode(const char *str_mode, int *result, int fail, cons
 
 	p = str_mode;
 	while (*p) {
-		char this = *p;
+		char current = *p;
 		char lower;
 
 reeval:
-		switch (this) {
+		switch (current) {
 		case COD_READ_CHAR:
 			PDEBUG("Parsing DBus mode: found %s READ\n", mode_desc);
 			mode |= AA_DBUS_RECEIVE;
@@ -765,20 +765,20 @@ reeval:
 		/* error cases */
 
 		default:
-			lower = tolower(this);
+			lower = tolower(current);
 			switch (lower) {
 			case COD_READ_CHAR:
 			case COD_WRITE_CHAR:
 				PDEBUG("Parsing DBus mode: found invalid upper case char %c\n",
-				       this);
+				       current);
 				warn_uppercase();
-				this = lower;
+				current = lower;
 				goto reeval;
 				break;
 			default:
 				if (fail)
 					yyerror(_("Internal: unexpected DBus mode character '%c' in input"),
-						this);
+						current);
 				else
 					return 0;
 				break;
@@ -809,7 +809,7 @@ int parse_dbus_mode(const char *str_mode, int *mode, int fail)
 	return 1;
 }
 
-struct cod_entry *new_entry(char *namespace, char *id, int mode, char *link_id)
+struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id)
 {
 	struct cod_entry *entry = NULL;
 
@@ -817,7 +817,7 @@ struct cod_entry *new_entry(char *namespace, char *id, int mode, char *link_id)
 	if (!entry)
 		return NULL;
 
-	entry->namespace = namespace;
+	entry->ns = ns;
 	entry->name = id;
 	entry->link_name = link_id;
 	entry->mode = mode;
@@ -841,7 +841,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
 	if (!entry)
 		return NULL;
 
-	DUP_STRING(orig, entry, namespace, err);
+	DUP_STRING(orig, entry, ns, err);
 	DUP_STRING(orig, entry, name, err);
 	DUP_STRING(orig, entry, link_name, err);
 	entry->mode = orig->mode;
@@ -867,8 +867,8 @@ void free_cod_entries(struct cod_entry *list)
 		return;
 	if (list->next)
 		free_cod_entries(list->next);
-	if (list->namespace)
+	if (list->ns)
-		free(list->namespace);
+		free(list->ns);
 	if (list->name)
 		free(list->name);
 	if (list->link_name)
@@ -943,8 +943,8 @@ void debug_cod_entries(struct cod_entry *list)
 		else
 			printf("\tName:\tNULL\n");
 
-		if (item->namespace)
+		if (item->ns)
-			printf("\tNamespace:\t(%s)\n", item->namespace);
+			printf("\tNs:\t(%s)\n", item->ns);
 
 		if (AA_LINK_BITS & item->mode)
 			printf("\tlink:\t(%s)\n", item->link_name ? item->link_name : "/**");
@@ -1041,23 +1041,31 @@ void debug_capabilities(struct codomain *cod)
 		__debug_capabilities(cod->quiet_caps, "Quiet Caps");
 }
 
+/* Bleah C++ doesn't have non-trivial designated initializers so we just
+ * have to make sure these are in order.  This means we are more brittle
+ * but there isn't much we can do.
+ */
 const char *sock_types[] = {
-	[0] = "none",
+	"none",		/* 0 */
-	[SOCK_STREAM] = "stream",
+	"stream",	/* 1 [SOCK_STREAM] */
-	[SOCK_DGRAM] = "dgram",
+	"dgram",	/* 2 [SOCK_DGRAM] */
-	[SOCK_RAW] = "raw",
+	"raw",		/* 3 [SOCK_RAW] */
-	[SOCK_RDM] = "rdm",
+	"rdm",		/* 4 [SOCK_RDM] */
-	[SOCK_SEQPACKET] = "seqpacket",
+	"seqpacket",	/* 5 [SOCK_SEQPACKET] */
-	[SOCK_PACKET] = "packet",
+	"dccp",		/* 6 [SOCK_DCCP] */
+	"invalid",	/* 7 */
+	"invalid",	/* 8 */
+	"invalid",	/* 9 */
+	"packet",	/* 10 [SOCK_PACKET] */
 	/*
 	 * See comment above
-	[SOCK_DCCP] = "dccp",
 	*/
 };
 #define ALL_TYPES 0x43e
 
+/* another case of C++ not supporting non-trivial designated initializers */
 #undef AA_GEN_NET_ENT
-#define AA_GEN_NET_ENT(name, AF) [AF] = name,
+#define AA_GEN_NET_ENT(name, AF) name, /* [AF] = name, */
 
 static const char *network_families[] = {
 #include "af_names.h"
@@ -1136,8 +1144,8 @@ void debug_network(struct codomain *cod)
 
 void debug_cod_list(struct codomain *cod)
 {
-	if (cod->namespace)
+	if (cod->ns)
-		printf("Namespace:\t\t%s\n", cod->namespace);
+		printf("Ns:\t\t%s\n", cod->ns);
 
 	if (cod->name)
 		printf("Name:\t\t%s\n", cod->name);
@@ -1162,7 +1170,7 @@ void debug_cod_list(struct codomain *cod)
 
 struct value_list *new_value_list(char *value)
 {
-	struct value_list *val = calloc(1, sizeof(struct value_list));
+	struct value_list *val = (struct value_list *) calloc(1, sizeof(struct value_list));
 	if (val)
 		val->value = value;
 	return val;
@@ -1228,7 +1236,7 @@ void print_value_list(struct value_list *list)
 
 struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list)
 {
-	struct cond_entry *ent = calloc(1, sizeof(struct cond_entry));
+	struct cond_entry *ent = (struct cond_entry *) calloc(1, sizeof(struct cond_entry));
 	if (ent) {
 		ent->name = name;
 		ent->vals = list;

parser/parser_policy.c

@@ -19,6 +19,8 @@
  *   Ltd.
  */
 
+#include <algorithm>
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdarg.h>
@@ -49,12 +51,12 @@ static int codomain_compare(const void *a, const void *b)
 	struct codomain *B = (struct codomain *) b;
 
 	int res = 0;
-	if (A->namespace) {
+	if (A->ns) {
-		if (B->namespace)
+		if (B->ns)
-			res = strcmp(A->namespace, B->namespace);
+			res = strcmp(A->ns, B->ns);
 		else
 			res = -1;
-	} else if (B->namespace)
+	} else if (B->ns)
 		res = 1;
 	if (res)
 		return res;
@@ -119,7 +121,7 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
 	char *name = NULL;
 
 	/* check to see if it is a local transition */
-	if (!entry->namespace) {
+	if (!entry->ns) {
 		char *sub = strstr(entry->nt_name, "//");
 		/* does the subprofile name match the rule */
 
@@ -138,7 +140,7 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
 				return AA_EXEC_LOCAL >> 10;
 			}
 			/* specified as cix so profile name is implicit */
-			name = malloc(strlen(cod->name) + strlen(entry->nt_name)
+			name = (char *) malloc(strlen(cod->name) + strlen(entry->nt_name)
 				      + 3);
 			if (!name) {
 				PERROR("Memory allocation error\n");
@@ -149,16 +151,16 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
 			entry->nt_name = name;
 		}
 	}
-	if (entry->namespace) {
+	if (entry->ns) {
-		name = malloc(strlen(entry->namespace) + strlen(entry->nt_name) + 3);
+	  name = (char *) malloc(strlen(entry->ns) + strlen(entry->nt_name) + 3);
 		if (!name) {
 			PERROR("Memory allocation error\n");
 			exit(1);
 		}
-		sprintf(name, ":%s:%s", entry->namespace, entry->nt_name);
+		sprintf(name, ":%s:%s", entry->ns, entry->nt_name);
-		free(entry->namespace);
+		free(entry->ns);
 		free(entry->nt_name);
-		entry->namespace = NULL;
+		entry->ns = NULL;
 		entry->nt_name = NULL;
 	} else {
 		name = entry->nt_name;
@@ -192,7 +194,7 @@ void post_process_file_entries(struct codomain *cod)
 				mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT);
 			entry->mode = ((entry->mode & ~AA_ALL_EXEC_MODIFIERS) |
 				       (mode & AA_ALL_EXEC_MODIFIERS));
-			entry->namespace = NULL;
+			entry->ns = NULL;
 			entry->nt_name = NULL;
 		}
 		/* FIXME: currently change_profile also implies onexec */
@@ -451,7 +453,7 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
 	 */
 	if ((flag_changehat_version == FLAG_CHANGEHAT_1_4) &&
 	    (*t)->parent) {
-		char *buffer = malloc(strlen((*t)->name) + 1);
+		char *buffer = (char *) malloc(strlen((*t)->name) + 1);
 		if (!buffer) {
 			PERROR("Memory allocation error\n");
 			exit(1);
@@ -828,8 +830,8 @@ void free_policy(struct codomain *cod)
 		free(cod->name);
 	if (cod->attachment)
 		free(cod->attachment);
-	if (cod->namespace)
+	if (cod->ns)
-		free(cod->namespace);
+		free(cod->ns);
 	if (cod->network_allowed)
 		free(cod->network_allowed);
 	if (cod->audit_network)

parser/parser_regex.c

@@ -518,9 +518,9 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 		/* allow change_profile for all execs */
 		vec[0] = "/[^\\x00]*";
 
-		if (entry->namespace) {
+		if (entry->ns) {
 			int pos;
-			ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8, &pos);
+			ptype = convert_aaregex_to_pcre(entry->ns, 0, lbuf, PATH_MAX + 8, &pos);
 			vec[index++] = lbuf;
 		}
 		vec[index++] = tbuf;
@@ -536,9 +536,9 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 	}
 	if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
 		int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
-		if (entry->namespace) {
+		if (entry->ns) {
 			char *vec[2];
-			vec[0] = entry->namespace;
+			vec[0] = entry->ns;
 			vec[1] = entry->name;
 			if (!aare_add_rule_vec(dfarules, 0, mode, 0, 2, vec, dfaflags))
 			    return FALSE;

parser/parser_symtab.c

@@ -46,51 +46,51 @@ static int __expand_variable(struct symtab *symbol);
 
 static struct symtab *new_symtab_entry(const char *name)
 {
-	struct symtab *new = calloc(1, sizeof(*new));
+	struct symtab *n = (struct symtab *) calloc(1, sizeof(*n));
 
-	if (!new) {
+	if (!n) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
 		return NULL;
 	}
 
-	new->var_name = strndup(name, PATH_MAX);
+	n->var_name = strndup(name, PATH_MAX);
-	if (!new->var_name) {
+	if (!n->var_name) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
-		free(new);
+		free(n);
 		return NULL;
 	}
 
-	return new;
+	return n;
 }
 
 static struct set_value *new_set_value(const char *val)
 {
-	struct set_value *new = calloc(1, sizeof(*new));
+	struct set_value *n = (struct set_value *) calloc(1, sizeof(*n));
 
-	if (!new) {
+	if (!n) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
 		return NULL;
 	}
 
-	new->val = strndup(val, PATH_MAX);
+	n->val = strndup(val, PATH_MAX);
-	if (!new->val) {
+	if (!n->val) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
-		free(new);
+		free(n);
 		return NULL;
 	}
 
-	return new;
+	return n;
 }
 
 static void free_values(struct set_value *val)
 {
-	struct set_value *this = val, *tmp;
+	struct set_value *i = val, *tmp;
 
-	while (this) {
+	while (i) {
-		if (this->val)
+		if (i->val)
-			free(this->val);
+			free(i->val);
-		tmp = this;
+		tmp = i;
-		this = this->next;
+		i = i->next;
 		free(tmp);
 	}
 }
@@ -153,26 +153,26 @@ out:
 
 int add_boolean_var(const char *var, int value)
 {
-	struct symtab *new, **result;
+	struct symtab *n, **result;
 	int rc = 0;
 
-	new = new_symtab_entry(var);
+	n = new_symtab_entry(var);
-	if (!new) {
+	if (!n) {
 		rc = ENOMEM;
 		goto err;
 	}
 
-	new->type = sd_boolean;
+	n->type = sd_boolean;
-	new->boolean = value;
+	n->boolean = value;
 
-	result = (struct symtab **) tsearch(new, &my_symtab, (comparison_fn_t) &compare_symtabs);
+	result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
 	if (!result) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
 		rc = errno;
 		goto err;
 	}
 
-	if (*result != new) {
+	if (*result != n) {
 		/* already existing variable */
 		PERROR("'%s' is already defined\n", var);
 		rc = 1;
@@ -182,7 +182,7 @@ int add_boolean_var(const char *var, int value)
 	return 0;
 
 err:
-	free_symtab(new);
+	free_symtab(n);
 	return rc;
 };
 
@@ -213,26 +213,26 @@ out:
  */
 int new_set_var(const char *var, const char *value)
 {
-	struct symtab *new, **result;
+	struct symtab *n, **result;
 	int rc = 0;
 
-	new = new_symtab_entry(var);
+	n = new_symtab_entry(var);
-	if (!new) {
+	if (!n) {
 		rc = ENOMEM;
 		goto err;
 	}
 
-	new->type = sd_set;
+	n->type = sd_set;
-	add_to_set(&(new->values), value);
+	add_to_set(&(n->values), value);
 
-	result = (struct symtab **) tsearch(new, &my_symtab, (comparison_fn_t) &compare_symtabs);
+	result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
 	if (!result) {
 		PERROR("Failed to allocate memory: %s\n", strerror(errno));
 		rc = errno;
 		goto err;
 	}
 
-	if (*result != new) {
+	if (*result != n) {
 		/* already existing variable */
 		PERROR("'%s' is already defined\n", var);
 		rc = 1;
@@ -242,7 +242,7 @@ int new_set_var(const char *var, const char *value)
 	return 0;
 
 err:
-	free_symtab(new);
+	free_symtab(n);
 	return rc;
 }
 
@@ -382,15 +382,15 @@ static int __expand_variable(struct symtab *symbol)
 		while (work_list) {
 			struct symtab *ref;
 			struct set_value *ref_item;
-			struct set_value *this_value = work_list;
+			struct set_value *t_value = work_list;
 			int rc;
 
 			work_list = work_list->next;
 
-			split = split_out_var(this_value->val);
+			split = split_out_var(t_value->val);
 			if (!split) {
 				/* fully expanded */
-				add_to_set(&expanded, this_value->val);
+				add_to_set(&expanded, t_value->val);
 				goto next;
 			}
 
@@ -399,7 +399,7 @@ static int __expand_variable(struct symtab *symbol)
 				PERROR("Variable @{%s} is referenced recursively (by @{%s})\n",
 		       		       split->var, symbol->var_name);
 				retval = 1;
-				free_values(this_value);
+				free_values(t_value);
 				goto out;
 			}
 
@@ -408,14 +408,14 @@ static int __expand_variable(struct symtab *symbol)
 				PERROR("Variable @{%s} references undefined variable @{%s}\n",
 				       symbol->var_name, split->var);
 				retval = 3;
-				free_values(this_value);
+				free_values(t_value);
 				goto out;
 			}
 
 			rc = __expand_variable(ref);
 			if (rc != 0) {
 				retval = rc;
-				free_values(this_value);
+				free_values(t_value);
 				goto out;
 			}
 
@@ -439,8 +439,8 @@ static int __expand_variable(struct symtab *symbol)
 			}
 
 next:
-			this_value->next = NULL;
+			t_value->next = NULL;
-			free_values(this_value);
+			free_values(t_value);
 			free_var_string(split);
 		}
 	}
@@ -472,10 +472,10 @@ void expand_variables(void)
 
 static inline void dump_set_values(struct set_value *value)
 {
-	struct set_value *this = value;
+	struct set_value *t = value;
-	while (this) {
+	while (t) {
-		printf(" \"%s\"", this->val);
+		printf(" \"%s\"", t->val);
-		this = this->next;
+		t = t->next;
 	}
 }
 

parser/parser_variable.c

@@ -54,29 +54,29 @@ static inline char *get_var_end(char *var)
 static struct var_string *split_string(char *string, char *var_begin,
 				       char *var_end)
 {
-	struct var_string *new = calloc(1, sizeof(struct var_string));
+	struct var_string *n = (struct var_string *) calloc(1, sizeof(struct var_string));
 	unsigned int offset = strlen("@{");
-	if (!new) {
+	if (!n) {
 		PERROR("Memory allocation error\n");
 		return NULL;
 	}
 
 	if (var_begin != string) {
-		new->prefix = strndup(string, var_begin - string);
+		n->prefix = strndup(string, var_begin - string);
 	}
 
-	new->var = strndup(var_begin + offset, var_end - (var_begin + offset));
+	n->var = strndup(var_begin + offset, var_end - (var_begin + offset));
 
 	if (strlen(var_end + 1) != 0) {
-		new->suffix = strdup(var_end + 1);
+		n->suffix = strdup(var_end + 1);
 	}
 
-	return new;
+	return n;
 }
 
 struct var_string *split_out_var(char *string)
 {
-	struct var_string *new = NULL;
+	struct var_string *n = NULL;
 	char *sptr;
 	BOOL bEscape = 0;	/* flag to indicate escape */
 
@@ -85,7 +85,7 @@ struct var_string *split_out_var(char *string)
 
 	sptr = string;
 
-	while (!new && *sptr) {
+	while (!n && *sptr) {
 		switch (*sptr) {
 		case '\\':
 			if (bEscape) {
@@ -106,7 +106,7 @@ struct var_string *split_out_var(char *string)
 					PERROR("Empty variable name found!\n");
 					exit(1);
 				}
-				new = split_string(string, sptr, eptr);
+				n = split_string(string, sptr, eptr);
 			}
 			break;
 		default:
@@ -116,7 +116,7 @@ struct var_string *split_out_var(char *string)
 		sptr++;
 	}
 
-	return new;
+	return n;
 }
 
 void free_var_string(struct var_string *var)
@@ -191,7 +191,7 @@ static int expand_entry_variables(char **name, void *entry,
 
 int clone_and_chain_cod(void *v)
 {
-	struct cod_entry *entry = v;
+	struct cod_entry *entry = (struct cod_entry *) v;
 	struct cod_entry *dup = copy_cod_entry(entry);
 	if (!dup)
 		return 0;
@@ -203,7 +203,7 @@ int clone_and_chain_cod(void *v)
 
 int clone_and_chain_mnt(void *v)
 {
-	struct mnt_entry *entry = v;
+	struct mnt_entry *entry = (struct mnt_entry *) v;
 
 	struct mnt_entry *dup = dup_mnt_entry(entry);
 	if (!dup)
@@ -216,7 +216,7 @@ int clone_and_chain_mnt(void *v)
 
 int clone_and_chain_dbus(void *v)
 {
-	struct dbus_entry *entry = v;
+	struct dbus_entry *entry = (struct dbus_entry *) v;
 
 	struct dbus_entry *dup = dup_dbus_entry(entry);
 	if (!dup)

parser/parser_yacc.y

@@ -68,7 +68,7 @@
 
 int parser_token = 0;
 
-struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
+struct cod_entry *do_file_rule(char *ns, char *id, int mode,
 			       char *link_id, char *nt);
 struct mnt_entry *do_mnt_rule(struct cond_entry *src_conds, char *src,
 			      struct cond_entry *dst_conds, char *dst,
@@ -225,7 +225,7 @@ void add_local_entry(struct codomain *cod);
 %type <boolean> opt_profile_flag
 %type <boolean> opt_flags
 %type <boolean> opt_perm_mode
-%type <id>	opt_namespace
+%type <id>	opt_ns
 %type <id>	opt_id
 %type <prefix>  opt_prefix
 %type <fmode>	dbus_perm
@@ -253,7 +253,7 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
 	| TOK_PROFILE { $$ = 1; }
 	| hat_start { $$ = 2; }
 
-opt_namespace: { /* nothing */ $$ = NULL; }
+opt_ns: { /* nothing */ $$ = NULL; }
 	| TOK_COLON TOK_ID TOK_COLON { $$ = $2; }
 
 opt_id: { /* nothing */ $$ = NULL; }
@@ -289,7 +289,7 @@ profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
 
 	};
 
-profile:  opt_profile_flag opt_namespace profile_base
+profile:  opt_profile_flag opt_ns profile_base
 	{
 		struct codomain *cod = $3;
 		if ($2)
@@ -300,7 +300,7 @@ profile:  opt_profile_flag opt_namespace profile_base
 		if ($3->name[0] != '/' && !($1 || $2))
 			yyerror(_("Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."));
 
-		cod->namespace = $2;
+		cod->ns = $2;
 		if ($1 == 2)
 			cod->flags.hat = 1;
 		$$ = cod;
@@ -613,13 +613,13 @@ rules: rules opt_prefix network_rule
 		if (!$3)
 			yyerror(_("Assert: `network_rule' return invalid protocol."));
 		if (!$1->network_allowed) {
-			$1->network_allowed = calloc(get_af_max(),
+			$1->network_allowed = (unsigned int *) calloc(get_af_max(),
-						     sizeof(unsigned int));
+						      sizeof(unsigned int));
-			$1->audit_network = calloc(get_af_max(),
+			$1->audit_network = (unsigned int *)calloc(get_af_max(),
 						   sizeof(unsigned int));
-			$1->deny_network = calloc(get_af_max(),
+			$1->deny_network = (unsigned int *)calloc(get_af_max(),
 						     sizeof(unsigned int));
-			$1->quiet_network = calloc(get_af_max(),
+			$1->quiet_network = (unsigned int *)calloc(get_af_max(),
 						     sizeof(unsigned int));
 			if (!$1->network_allowed || !$1->audit_network ||
 			    !$1->deny_network || !$1->quiet_network)
@@ -908,19 +908,19 @@ id_or_var: TOK_SET_VAR { $$ = $1; };
 opt_named_transition:
 	{ /* nothing */
 		$$.present = 0;
-		$$.namespace = NULL;
+		$$.ns = NULL;
 		$$.name = NULL;
 	}
 	| TOK_ARROW id_or_var
 	{
 		$$.present = 1;
-		$$.namespace = NULL;
+		$$.ns = NULL;
 		$$.name = $2;
 	}
 	| TOK_ARROW TOK_COLON id_or_var TOK_COLON id_or_var
 	{
 		$$.present = 1;
-		$$.namespace = $3;
+		$$.ns = $3;
 		$$.name = $5;
 	};
 
@@ -937,7 +937,7 @@ opt_file: { /* nothing */ $$ = 0; }
 
 frule:	id_or_var file_mode opt_named_transition TOK_END_OF_RULE
 	{
-		$$ = do_file_rule($3.namespace, $1, $2, NULL, $3.name);
+		$$ = do_file_rule($3.ns, $1, $2, NULL, $3.name);
 	};
 
 frule:	file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
@@ -946,14 +946,14 @@ frule:	file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
 			yyerror(_("subset can only be used with link rules."));
 		if ($4.present && ($1 & AA_LINK_BITS) && ($1 & AA_EXEC_BITS))
 			yyerror(_("link and exec perms conflict on a file rule using ->"));
-		if ($4.present && $4.namespace && ($1 & AA_LINK_BITS))
+		if ($4.present && $4.ns && ($1 & AA_LINK_BITS))
 			yyerror(_("link perms are not allowed on a named profile transition.\n"));
 		if (($1 & AA_LINK_BITS)) {
 			$$ = do_file_rule(NULL, $3, $1, $4.name, NULL);
 			$$->subset = $2;
 
 		} else {
-			$$ = do_file_rule($4.namespace, $3, $1, NULL, $4.name);
+			$$ = do_file_rule($4.ns, $3, $1, NULL, $4.name);
 		}
  	};
 
@@ -1133,15 +1133,15 @@ mnt_rule: TOK_UMOUNT opt_conds opt_id TOK_END_OF_RULE
 mnt_rule: TOK_PIVOTROOT opt_conds opt_id opt_named_transition TOK_END_OF_RULE
 	{
 		char *name = NULL;
-		if ($4.present && $4.namespace) {
+		if ($4.present && $4.ns) {
-			name = malloc(strlen($4.namespace) +
+			name = (char *) malloc(strlen($4.ns) +
-				      strlen($4.name) + 3);
+					       strlen($4.name) + 3);
 			if (!name) {
 				PERROR("Memory allocation error\n");
 				exit(1);
 			}
-			sprintf(name, ":%s:%s", $4.namespace, $4.name);
+			sprintf(name, ":%s:%s", $4.ns, $4.name);
-			free($4.namespace);
+			free($4.ns);
 			free($4.name);
 		} else if ($4.present)
 			name = $4.name;
@@ -1291,12 +1291,12 @@ void yyerror(const char *msg, ...)
 	exit(1);
 }
 
-struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
+struct cod_entry *do_file_rule(char *ns, char *id, int mode,
 			       char *link_id, char *nt)
 {
 		struct cod_entry *entry;
 		PDEBUG("Matched: tok_id (%s) tok_mode (0x%x)\n", id, mode);
-		entry = new_entry(namespace, id, mode, link_id);
+		entry = new_entry(ns, id, mode, link_id);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
 		entry->nt_name = nt;
@@ -1312,7 +1312,7 @@ void add_local_entry(struct codomain *cod)
 	/* ugh this has to be called after the hat is attached to its parent */
 	if (cod->local_mode) {
 		struct cod_entry *entry;
-		char *trans = malloc(strlen(cod->parent->name) +
+		char *trans = (char *) malloc(strlen(cod->parent->name) +
 				    strlen(cod->name) + 3);
 		char *name = strdup(cod->name);
 		if (!trans)
@@ -1329,7 +1329,7 @@ void add_local_entry(struct codomain *cod)
 	}
 }
 
-static char *mnt_cond_msg[] = {"",
+static const char *mnt_cond_msg[] = {"",
 			 " not allowed as source conditional",
 			 " not allowed as target conditional",
 			 "",

parser/tst/simple_tests/network/network_ok_5.sd

@@ -1,6 +1,6 @@
 #
 #=DESCRIPTION basic network tests
-#=EXRESULT FAIL
+#=EXRESULT PASS
 #
 /usr/bin/foo {
   network unix,

parser/tst/simple_tests/network/network_ok_6.sd

@@ -1,6 +1,6 @@
 #
 #=DESCRIPTION basic network tests
-#=EXRESULT FAIL
+#=EXRESULT PASS
 #
 /usr/bin/foo {
   network netlink,