From d2eeef82915ff254c99d869d412b4acef7b82ad3 Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Thu, 13 Mar 2008 16:46:53 +0000
Subject: [PATCH] extend the flags in preparation for audit control
---
 parser/immunix.h | 38 +++++++++++++++++++++++-----------
 parser/libapparmor_re/regexp.y | 15 ++++++++++----
 parser/parser_yacc.y | 2 +-
 3 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/parser/immunix.h b/parser/immunix.h
index 3a7f29bca..efba3f487 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -32,36 +32,50 @@ #define AA_MAY_LINK (1 << 4)
 #define AA_MAY_LOCK (1 << 5)
 #define AA_EXEC_MMAP (1 << 6)
-#define AA_EXEC_UNSAFE (1 << 7)
-#define AA_EXEC_MOD_0 (1 << 8)
-#define AA_EXEC_MOD_1 (1 << 9)
+#define AA_MAY_MOUNT (1 << 7)
+#define AA_EXEC_UNSAFE (1 << 8)
+#define AA_EXEC_MOD_0 (1 << 9)
+#define AA_EXEC_MOD_1 (1 << 10)
+#define AA_EXEC_MOD_2 (1 << 11)
+#define AA_EXEC_MOD_3 (1 << 12)
+#define AA_EXEC_MOD_4 (1 << 13)
 #define AA_BASE_PERMS (AA_MAY_EXEC | AA_MAY_WRITE | \
 AA_MAY_READ | AA_MAY_APPEND | \
 AA_MAY_LINK | AA_MAY_LOCK | \
- AA_EXEC_MMAP | AA_EXEC_UNSAFE | \
- AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
+ AA_MAY_MOUNT | AA_EXEC_MMAP | \
+ AA_EXEC_UNSAFE | \
+ AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
+ AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
+ AA_EXEC_MOD_4)
+
 #define AA_USER_SHIFT 0
-#define AA_OTHER_SHIFT 10
+#define AA_OTHER_SHIFT 14
 #define AA_USER_PERMS (AA_BASE_PERMS << AA_USER_SHIFT)
 #define AA_OTHER_PERMS (AA_BASE_PERMS << AA_OTHER_SHIFT)
 #define AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS )
+#define AA_AUDIT_FIELD (1 << 28)
+#define AA_CHANGE_HAT (1 << 29)
 #define AA_CHANGE_PROFILE (1 << 30)
 #define AA_ERROR_BIT (1 << 31)
-#define AA_SHARED_PERMS (AA_CHANGE_PROFILE | AA_ERROR_BIT)
+#define AA_SHARED_PERMS (AA_CHANGE_HAT | AA_CHANGE_PROFILE | \
+ AA_AUDIT_FIELD | AA_ERROR_BIT)
-#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
+#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
+ AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
+ AA_EXEC_MOD_4)
+
 #define AA_EXEC_TYPE (AA_MAY_EXEC | AA_EXEC_UNSAFE | \
 AA_EXEC_MODIFIERS)
-#define AA_EXEC_UNCONFINED 0
-#define AA_EXEC_INHERIT (AA_EXEC_MOD_0)
-#define AA_EXEC_PROFILE (AA_EXEC_MOD_1)
-#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
+#define AA_EXEC_UNCONFINED (AA_EXEC_MOD_0)
+#define AA_EXEC_INHERIT (AA_EXEC_MOD_1)
+#define AA_EXEC_PROFILE (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
+#define AA_EXEC_PROFILE_OR_INHERIT (AA_EXEC_MOD_2)
 #define AA_VALID_PERMS (AA_FILE_PERMS | AA_CHANGE_PROFILE)
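Review bot: AA_VALID_PERMS at the end of the hunk is still `(AA_FILE_PERMS | AA_CHANGE_PROFILE)` although the hunk introduces AA_AUDIT_FIELD and AA_CHANGE_HAT and folds both into AA_SHARED_PERMS, so the two "valid" sets now disagree; if AA_VALID_PERMS is meant to cover everything the parser may accumulate it should become `#define AA_VALID_PERMS (AA_FILE_PERMS | AA_SHARED_PERMS)` or at least gain the two new bits (the `perms & ~AA_VALID_PERMS` check in regexp.y's accept_perms is commented out, so nothing currently catches the mismatch). AA_EXEC_UNCONFINED also changes from 0 to `(AA_EXEC_MOD_0)`, which is a change of meaning rather than a renumbering: any caller that treated "no modifier bits set" as unconfined, or compared against 0, now behaves differently and the users of these macros outside this diff should be checked. A short comment on the MOD_0..MOD_4 block stating which combinations are defined and that MOD_3 and MOD_4 are not yet assigned would help, since the exec-type values at the bottom are the only place the encoding is fixed.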
diff --git a/parser/libapparmor_re/regexp.y b/parser/libapparmor_re/regexp.y
index 435e1d32d..b4bb9adb3 100644
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@@ -1538,6 +1538,9 @@ uint32_t accept_perms(State *state)
 fprintf(stderr, "error bit 0x%x\n", perms);
 exit(255);
 }
+
+ //if (perms & AA_EXEC_BITS)
+ //fprintf(stderr, "accept perm: 0x%x\n", perms);
 /*
 if (perms & ~AA_VALID_PERMS)
 yyerror(_("Internal error accumulated invalid perm 0x%llx\n"), perms);
@@ -1554,8 +1557,8 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, uint32_t perms,
 int count, char **rulev)
 {
 static MatchFlag *match_flags[sizeof(perms) * 8 - 1];
- static MatchFlag *exec_match_flags[8 * 2];
- static ExactMatchFlag *exact_match_flags[8 * 2];
+ static MatchFlag *exec_match_flags[64 * 2]; /* mods + unsafe *u::o*/
+ static ExactMatchFlag *exact_match_flags[64 * 2]; /* mods + unsafe *u::o*/
 Node *tree = NULL, *accept;
 int exact_match;
@@ -1593,11 +1596,14 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, uint32_t perms,
 flip_tree(tree);
 #define ALL_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7)
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
 if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
+//if (perms & ALL_EXEC_TYPE)
+// fprintf(stderr, "adding X rule %s 0x%x\n", rulev[0], perms);
+
 accept = NULL;
 for (unsigned int n = 0; perms && n < (sizeof(perms) * 8) - 1; n++) {
 uint32_t mask = 1 << n;
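Review bot: The `//if (perms & AA_EXEC_BITS)` and `//fprintf(stderr, "accept perm: 0x%x\n", perms);` lines added after the error-bit check are commented-out debug output, which leaves dead code in accept_perms; the same pattern is added in the `//if (perms & ALL_EXEC_TYPE)` pair of the third hunk of this file and in the `//fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);` line of the following hunk. Either drop them before merging or put the tracing behind a compile-time debug switch so it can be enabled without editing the source. accept_perms begins before this hunk.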
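Review bot: The new bounds `exec_match_flags[64 * 2]` and `exact_match_flags[64 * 2]` hard-code a width that the `& 0x3f` mask in EXTRACT_X_INDEX (next hunk) and the other-side offset in the hunk after it encode separately, and the `/* mods + unsafe *u::o*/` comment does not make that relationship readable. A single named per-side index count (say an enum constant equal to 64), used for the mask, the offset and both array bounds, would keep the three from drifting apart. The comment would be clearer as `/* indexed by the 6 exec bits (AA_EXEC_UNSAFE + AA_EXEC_MOD_0..4) per side: user entries, then other entries */`. aare_add_rule_vec's body continues past this hunk.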
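Review bot: The condition `if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))` beside the changed EXTRACT_X_INDEX line can never be true: `!perms & AA_EXEC_BITS` parses as `(!perms) & AA_EXEC_BITS`, and `!perms` is 0 whenever the first operand is non-zero, so the "adding X rule without MAY_EXEC" diagnostic is dead. The intended test is presumably `if ((perms & ALL_EXEC_TYPE) && !(perms & AA_EXEC_BITS))`. The line is pre-existing, but with the index now taken from six bits the invariant it was meant to enforce matters more, because stray exec-type bits without MAY_EXEC are otherwise used silently as a table index. aare_add_rule_vec begins and ends outside the hunk.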
@@ -1614,8 +1620,9 @@ if (perms & ALL_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
 } else {
 eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
- index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + 8;
+ index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + 16;
 }
+//fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
 if (exact_match) {
 if (exact_match_flags[index]) {
 flag = exact_match_flags[index]->dup();
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 27603cef0..3a5e54fe9 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -569,7 +569,7 @@ rule: file_mode id_or_var TOK_END_OF_RULE
 rule: TOK_UNSAFE file_mode id_or_var TOK_END_OF_RULE {
- int mode = (($2 & AA_EXEC_BITS) << 7) & ALL_AA_EXEC_UNSAFE;
+ int mode = (($2 & AA_EXEC_BITS) << 8) & ALL_AA_EXEC_UNSAFE;
 if (!($2 & AA_EXEC_BITS))
 yyerror(_("unsafe rule missing exec permissions"));
 $$ = do_file_rule(NULL, $3, ($2 & ~ALL_AA_EXEC_UNSAFE) | mode,
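Review bot: `index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + 16;` does not match the new index width: EXTRACT_X_INDEX now masks with 0x3f and yields 0..63 for the user side, and the tables were enlarged to `64 * 2` in the earlier hunk, so the other-side offset should be 64, not 16. With `+ 16` the user entries 16..63 (reached once AA_EXEC_MOD_3 or AA_EXEC_MOD_4 is set) and the other entries 16..79 share slots, and the upper half of each table is never used; `index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + 64;` is the fix. Since none of the exec types defined in immunix.h use MOD_3 or MOD_4 yet, the overlap is latent today but becomes a wrong flag lookup as soon as those bits are assigned. The loop enclosing this branch starts before the hunk.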