mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-31 06:16:03 +00:00
parser: Add support for DBus rules
This patch implements the parsing of DBus rules. It attempts to catch all corner cases, such as specifying a bind permission with an interface conditional or specifying a subject name conditional and a peer name conditional in the same rule. It introduces the concept of conditional lists to the lexer and parser in order to handle 'peer=(label=/usr/bin/foo name=com.foo.bar)', since the existing list support in the lexer only supports a list of values. The DBus rules are encoded as follows: bus,name<bind_perm>,peer_label,path,interface,member<rw_perms> Bind rules stop matching at name<bind_perm>. Note that name is used for the subject name in bind rules and the peer name in rw rules. The function new_dbus_entry() is what does the proper sanitization to make sure that if a name conditional is specified, that it is the subject name in the case of a bind rule or that it is the peer name in the case of a rw rule. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
Tyler Hicks
48
parser/dbus.h
Normal file
48
parser/dbus.h
Normal file
@@ -0,0 +1,48 @@
|
||||
/*
|
||||
* Copyright (c) 2013
|
||||
* Canonical, Ltd. (All rights reserved)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of version 2 of the GNU General Public
|
||||
* License published by the Free Software Foundation.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Novell, Inc. or Canonical
|
||||
* Ltd.
|
||||
*/
|
||||
|
||||
#ifndef __AA_DBUS_H
|
||||
#define __AA_DBUS_H
|
||||
|
||||
#include "parser.h"
|
||||
|
||||
struct dbus_entry {
|
||||
char *bus;
|
||||
/**
|
||||
* Be careful! ->name can be the subject or the peer name, depending on
|
||||
* whether the rule is a bind rule or a send/receive rule. See the
|
||||
* comments in new_dbus_entry() for details.
|
||||
*/
|
||||
char *name;
|
||||
char *peer_label;
|
||||
char *path;
|
||||
char *interface;
|
||||
char *member;
|
||||
int mode;
|
||||
int audit;
|
||||
int deny;
|
||||
|
||||
struct dbus_entry *next;
|
||||
};
|
||||
|
||||
void free_dbus_entry(struct dbus_entry *ent);
|
||||
struct dbus_entry *new_dbus_entry(int mode, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds);
|
||||
void print_dbus_entry(struct dbus_entry *ent);
|
||||
|
||||
#endif /* __AA_DBUS_H */
|
||||
Reference in New Issue
Block a user