Basis for named transitions

2025-08-22 10:07:12 +00:00 · 2008-04-16 04:44:21 +00:00 · 2008-04-16 04:44:21 +00:00 · db34aac811
commit db34aac811
parent 051a3f8c01
6 changed files with 50 additions and 62 deletions
--- a/parser/immunix.h
+++ b/parser/immunix.h
@ -34,20 +34,19 @@
 #define AA_EXEC_MMAP			(1 << 6)
 #define AA_MAY_MOUNT			(1 << 7)
 #define AA_EXEC_UNSAFE			(1 << 8)
-#define AA_EXEC_MOD_0			(1 << 9)
+#define AA_EXEC_INHERIT			(1 << 9)
-#define AA_EXEC_MOD_1			(1 << 10)
+#define AA_EXEC_MOD_0			(1 << 10)
-#define AA_EXEC_MOD_2			(1 << 11)
+#define AA_EXEC_MOD_1			(1 << 11)
-#define AA_EXEC_MOD_3			(1 << 12)
+#define AA_EXEC_MOD_2			(1 << 12)
-#define AA_EXEC_MOD_4			(1 << 13)
+#define AA_EXEC_MOD_3			(1 << 13)
 #define AA_BASE_PERMS			(AA_MAY_EXEC | AA_MAY_WRITE | \
 					 AA_MAY_READ | AA_MAY_APPEND | \
 					 AA_MAY_LINK | AA_MAY_LOCK | \
 					 AA_MAY_MOUNT | AA_EXEC_MMAP | \
-					 AA_EXEC_UNSAFE | \
+					 AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
 					 AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
-					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
+					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
 					 AA_EXEC_MOD_4)
 #define AA_USER_SHIFT			0
 #define AA_OTHER_SHIFT			14
@ -66,22 +65,20 @@
 #define AA_SHARED_PERMS			(AA_CHANGE_HAT | AA_CHANGE_PROFILE)
 #define AA_EXEC_MODIFIERS		(AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
-					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
+					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
-					 AA_EXEC_MOD_4)
+#define AA_EXEC_COUNT			16
 #define AA_EXEC_COUNT			32
 #define AA_USER_EXEC_MODIFIERS		(AA_EXEC_MODIFIERS << AA_USER_SHIFT)
 #define AA_OTHER_EXEC_MODIFIERS		(AA_EXEC_MODIFIERS << AA_OTHER_SHIFT)
 #define AA_ALL_EXEC_MODIFIERS		(AA_USER_EXEC_MODIFIERS | \
 					 AA_OTHER_EXEC_MODIFIERS)
-#define AA_EXEC_TYPE			(AA_EXEC_UNSAFE | AA_EXEC_MODIFIERS)
+#define AA_EXEC_TYPE			(AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
 					 AA_EXEC_MODIFIERS)
 #define AA_EXEC_UNCONFINED		(AA_EXEC_MOD_0)
-#define AA_EXEC_INHERIT			(AA_EXEC_MOD_1)
+#define AA_EXEC_PROFILE			(AA_EXEC_MOD_1)
-#define AA_EXEC_PROFILE			(AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
+#define AA_EXEC_LOCAL			(AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
 #define AA_EXEC_PROFILE_OR_INHERIT	(AA_EXEC_MOD_2)
 #define AA_EXEC_LOCAL			(AA_EXEC_MOD_2 | AA_EXEC_MOD_0)
 #define AA_VALID_PERMS			(AA_FILE_PERMS | AA_PTRACE_PERMS | \
 					 AA_OTHER_PERMS)
@ -144,26 +141,23 @@ enum pattern_t {
 #define HAS_MAY_LINK(mode)		((mode) & AA_MAY_LINK)
 #define HAS_MAY_LOCK(mode)		((mode) & AA_MAY_LOCK)
 #define HAS_EXEC_MMAP(mode) 		((mode) & AA_EXEC_MMAP)
-#define HAS_EXEC_INHERIT(mode)		(((mode) & AA_EXEC_MODIFIERS) == \
+
 					 AA_EXEC_INHERIT)
 #define HAS_EXEC_PROFILE(mode)		(((mode) & AA_EXEC_MODIFIERS) == \
 					 AA_EXEC_PROFILE)
 #define HAS_EXEC_UNCONFINED(mode)	(((mode) & AA_EXEC_MODIFIERS) == \
 					 AA_EXEC_UNCONFINED)
 #define HAS_EXEC_PROFILE_OR_INHERIT(mode) (((mode) & AA_EXEC_MODIFIERS) == \
 					   AA_EXEC_PROFILE_OR_INHERIT)
 #define HAS_EXEC_UNSAFE(mode) 		((mode) & AA_EXEC_UNSAFE)
 #define HAS_CHANGE_PROFILE(mode)	((mode) & AA_CHANGE_PROFILE)
 #include <stdio.h>
 static inline int is_merged_x_consistent(int a, int b)
 {
 	if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
 	    ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
 { fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
 		return 0;
 }
 	if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
 	    ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
 { fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
 		return 0;
-
+}
 	return 1;
 }
--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@ -1514,8 +1514,8 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
 static inline int diff_qualifiers(uint32_t perm1, uint32_t perm2)
 {
-	return ((perm1 & AA_EXEC_MODIFIERS) && (perm2 & AA_EXEC_MODIFIERS) &&
+	return ((perm1 & AA_EXEC_TYPE) && (perm2 & AA_EXEC_TYPE) &&
-		(perm1 & AA_EXEC_MODIFIERS) != (perm2 & AA_EXEC_MODIFIERS));
+		(perm1 & AA_EXEC_TYPE) != (perm2 & AA_EXEC_TYPE));
 }
 /**
@ -1610,8 +1610,8 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 {
    static MatchFlag *match_flags[2][sizeof(perms) * 8 - 1];
    static DenyMatchFlag *deny_flags[2][sizeof(perms) * 8 - 1];
-    static MatchFlag *exec_match_flags[2][(AA_EXEC_COUNT << 1) * 2];	/* mods + unsafe *u::o*/
+    static MatchFlag *exec_match_flags[2][(AA_EXEC_COUNT << 2) * 2];	/* mods + unsafe + ix *u::o*/
-    static ExactMatchFlag *exact_match_flags[2][(AA_EXEC_COUNT << 1) * 2];/* mods + unsafe *u::o*/
+    static ExactMatchFlag *exact_match_flags[2][(AA_EXEC_COUNT << 2) * 2];/* mods + unsafe +ix *u::o*/
    Node *tree = NULL, *accept;
    int exact_match;
@ -1649,7 +1649,7 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 	flip_tree(tree);
-/* 0x3f == 5 bits x mods + 1 bit unsafe mask, after shift */
+/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
 #define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
 //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
@ -1694,7 +1694,7 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 			    index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
 		    } else {
 			    eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
-			    index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 1);
+			    index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 2);
 		    }
 //fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
 		    if (exact_match) {
--- a/parser/parser.h
+++ b/parser/parser.h
@ -143,6 +143,8 @@ struct var_string {
 #define COD_UNSAFE_UNCONFINED_CHAR	'u'
 #define COD_PROFILE_CHAR	'P'
 #define COD_UNSAFE_PROFILE_CHAR	'p'
 #define COD_LOCAL_CHAR		'C'
 #define COD_UNSAFE_LOCAL_CHAR	'c'
 #define OPTION_ADD      1
 #define OPTION_REMOVE   2
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@ -53,7 +53,7 @@ COLON		:
 END_OF_RULE	[,]
 SEPERATOR 	{UP}
 RANGE		-
-MODE_CHARS 	([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
+MODE_CHARS 	([RrWwaLlMmkXx])|(([Uu]|[Pp]|[Cc])[Xx])|(([Pp]|[Cc])?[Ii][Xx])
 MODES		{MODE_CHARS}+
 WS		[[:blank:]]
 NUMBER		[[:digit:]]+
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@ -443,7 +443,7 @@ static void warn_uppercase(void)
 static int parse_sub_mode(const char *str_mode, const char *mode_desc)
 {
-#define IS_DIFF_QUAL(mode, q) (((mode) & AA_MAY_EXEC) && (((mode) & (AA_EXEC_MODIFIERS | AA_EXEC_UNSAFE)) != (q)))
+#define IS_DIFF_QUAL(mode, q) (((mode) & AA_MAY_EXEC) && (((mode) & AA_EXEC_TYPE) != ((q) & AA_EXEC_TYPE)))
 	int mode = 0;
 	const char *p;
@ -493,7 +493,7 @@ reeval:
 		case COD_INHERIT_CHAR:
 			PDEBUG("Parsing mode: found INHERIT\n");
-			if (IS_DIFF_QUAL(mode, AA_EXEC_INHERIT)) {
+			if (mode & AA_EXEC_MODIFIERS) {
 				yyerror(_("Exec qualifier 'i' invalid, conflicting qualifier already specified"));
 			} else {
 				if (next != tolower(next))
@ -510,40 +510,48 @@ reeval:
 			      COD_UNSAFE_UNCONFINED_CHAR, COD_EXEC_CHAR);
 			/* fall through */
 		case COD_UNCONFINED_CHAR:
 			tmode |= AA_EXEC_UNCONFINED | AA_MAY_EXEC;
 			PDEBUG("Parsing mode: found UNCONFINED\n");
-			if (IS_DIFF_QUAL(mode, tmode | AA_EXEC_UNCONFINED)) {
+			if (IS_DIFF_QUAL(mode, tmode)) {
 				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"),
 					this);
 			} else {
 				if (next != tolower(next))
 					warn_uppercase();
-				mode |= tmode | AA_EXEC_UNCONFINED |
+				mode |=  tmode;
 				    AA_MAY_EXEC;
 				p++;	/* skip 'x' */
 			}
 			tmode = 0;
 			break;
 		case COD_UNSAFE_PROFILE_CHAR:
 		case COD_UNSAFE_LOCAL_CHAR:
 			tmode = AA_EXEC_UNSAFE;
 			/* fall through */
 		case COD_PROFILE_CHAR:
 		case COD_LOCAL_CHAR:
 			if (tolower(this) == COD_UNSAFE_PROFILE_CHAR)
 				tmode |= AA_EXEC_PROFILE | AA_MAY_EXEC;
 			else
 			{
 				tmode |= AA_EXEC_LOCAL | AA_MAY_EXEC;
 			}
 			PDEBUG("Parsing mode: found PROFILE\n");
 			if (tolower(next) == COD_INHERIT_CHAR) {
-				if (IS_DIFF_QUAL(mode, tmode | AA_EXEC_PROFILE_OR_INHERIT)) {
+				tmode |= AA_EXEC_INHERIT;
 				if (IS_DIFF_QUAL(mode, tmode)) {
 					yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), this, next);
 				} else {
-					mode |= tmode | AA_MAY_EXEC |
+					mode |= tmode;
 					    AA_EXEC_PROFILE_OR_INHERIT;
 					p += 2;		/* skip x */
 				}
-			} else if (IS_DIFF_QUAL(mode, tmode | AA_EXEC_PROFILE)) {
+			} else if (IS_DIFF_QUAL(mode, tmode)) {
-				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"),
+				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), this);
-					this);
+
 			} else {
 				if (next != tolower(next))
 					warn_uppercase();
-				mode |= tmode | AA_EXEC_PROFILE | AA_MAY_EXEC;
+				mode |= tmode;
 				p++;	/* skip 'x' */
 			}
 			tmode = 0;
@ -686,20 +694,6 @@ static void debug_base_perm_mask(int mask)
 		printf("%c", COD_LINK_CHAR);
 	if (HAS_MAY_LOCK(mask))
 		printf("%c", COD_LOCK_CHAR);
 	if (HAS_EXEC_INHERIT(mask))
 		printf("%c", COD_INHERIT_CHAR);
 	if (HAS_EXEC_UNCONFINED(mask)) {
 		if (HAS_EXEC_UNSAFE(mask))
 			printf("%c", COD_UNSAFE_UNCONFINED_CHAR);
 		else
 			printf("%c", COD_UNCONFINED_CHAR);
 	}
 	if (HAS_EXEC_PROFILE(mask)) {
 		if (HAS_EXEC_UNSAFE(mask))
 			printf("%c", COD_UNSAFE_PROFILE_CHAR);
 		else
 			printf("%c", COD_PROFILE_CHAR);
 	}
 	if (HAS_EXEC_MMAP(mask))
 		printf("%c", COD_MMAP_CHAR);
 	if (HAS_MAY_EXEC(mask))
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@ -496,11 +496,9 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 	/* ix implies m but the apparmor module does not add m bit to
 	 * dfa states like it does for pcre
 	 */
-	if (((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_MODIFIERS) ==
+	if ((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_INHERIT)
 	    AA_EXEC_INHERIT)
 		entry->mode |= AA_EXEC_MMAP << AA_OTHER_SHIFT;
-	if (((entry->mode >> AA_USER_SHIFT) & AA_EXEC_MODIFIERS) ==
+	if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
 	    AA_EXEC_INHERIT)
 		entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
 	/* relying on ptrace and change_profile not getting merged earlier */