Basis for named transitions

parser/immunix.h

@@ -34,20 +34,19 @@
 #define AA_EXEC_MMAP			(1 << 6)
 #define AA_MAY_MOUNT			(1 << 7)
 #define AA_EXEC_UNSAFE			(1 << 8)
-#define AA_EXEC_MOD_0			(1 << 9)
-#define AA_EXEC_MOD_1			(1 << 10)
-#define AA_EXEC_MOD_2			(1 << 11)
-#define AA_EXEC_MOD_3			(1 << 12)
-#define AA_EXEC_MOD_4			(1 << 13)
+#define AA_EXEC_INHERIT			(1 << 9)
+#define AA_EXEC_MOD_0			(1 << 10)
+#define AA_EXEC_MOD_1			(1 << 11)
+#define AA_EXEC_MOD_2			(1 << 12)
+#define AA_EXEC_MOD_3			(1 << 13)
 
 #define AA_BASE_PERMS			(AA_MAY_EXEC | AA_MAY_WRITE | \
 					 AA_MAY_READ | AA_MAY_APPEND | \
 					 AA_MAY_LINK | AA_MAY_LOCK | \
 					 AA_MAY_MOUNT | AA_EXEC_MMAP | \
-					 AA_EXEC_UNSAFE | \
+					 AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
 					 AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
-					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
-					 AA_EXEC_MOD_4)
+					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
 
 #define AA_USER_SHIFT			0
 #define AA_OTHER_SHIFT			14
@@ -66,22 +65,20 @@
 #define AA_SHARED_PERMS			(AA_CHANGE_HAT | AA_CHANGE_PROFILE)
 
 #define AA_EXEC_MODIFIERS		(AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
-					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3 | \
-					 AA_EXEC_MOD_4)
-#define AA_EXEC_COUNT			32
+					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
+#define AA_EXEC_COUNT			16
 
 #define AA_USER_EXEC_MODIFIERS		(AA_EXEC_MODIFIERS << AA_USER_SHIFT)
 #define AA_OTHER_EXEC_MODIFIERS		(AA_EXEC_MODIFIERS << AA_OTHER_SHIFT)
 #define AA_ALL_EXEC_MODIFIERS		(AA_USER_EXEC_MODIFIERS | \
 					 AA_OTHER_EXEC_MODIFIERS)
 
-#define AA_EXEC_TYPE			(AA_EXEC_UNSAFE | AA_EXEC_MODIFIERS)
+#define AA_EXEC_TYPE			(AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
+					 AA_EXEC_MODIFIERS)
 
 #define AA_EXEC_UNCONFINED		(AA_EXEC_MOD_0)
-#define AA_EXEC_INHERIT			(AA_EXEC_MOD_1)
-#define AA_EXEC_PROFILE			(AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
-#define AA_EXEC_PROFILE_OR_INHERIT	(AA_EXEC_MOD_2)
-#define AA_EXEC_LOCAL			(AA_EXEC_MOD_2 | AA_EXEC_MOD_0)
+#define AA_EXEC_PROFILE			(AA_EXEC_MOD_1)
+#define AA_EXEC_LOCAL			(AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
 
 #define AA_VALID_PERMS			(AA_FILE_PERMS | AA_PTRACE_PERMS | \
 					 AA_OTHER_PERMS)
@@ -144,26 +141,23 @@ enum pattern_t {
 #define HAS_MAY_LINK(mode)		((mode) & AA_MAY_LINK)
 #define HAS_MAY_LOCK(mode)		((mode) & AA_MAY_LOCK)
 #define HAS_EXEC_MMAP(mode) 		((mode) & AA_EXEC_MMAP)
-#define HAS_EXEC_INHERIT(mode)		(((mode) & AA_EXEC_MODIFIERS) == \
-					 AA_EXEC_INHERIT)
-#define HAS_EXEC_PROFILE(mode)		(((mode) & AA_EXEC_MODIFIERS) == \
-					 AA_EXEC_PROFILE)
-#define HAS_EXEC_UNCONFINED(mode)	(((mode) & AA_EXEC_MODIFIERS) == \
-					 AA_EXEC_UNCONFINED)
-#define HAS_EXEC_PROFILE_OR_INHERIT(mode) (((mode) & AA_EXEC_MODIFIERS) == \
-					   AA_EXEC_PROFILE_OR_INHERIT)
+
 #define HAS_EXEC_UNSAFE(mode) 		((mode) & AA_EXEC_UNSAFE)
 #define HAS_CHANGE_PROFILE(mode)	((mode) & AA_CHANGE_PROFILE)
 
+#include <stdio.h>
 static inline int is_merged_x_consistent(int a, int b)
 {
 	if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
 	    ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
+{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
 		return 0;
+}
 	if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
 	    ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
+{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
 		return 0;
-
+}
 	return 1;
 }
 

parser/libapparmor_re/regexp.y

@@ -1514,8 +1514,8 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
 
 static inline int diff_qualifiers(uint32_t perm1, uint32_t perm2)
 {
-	return ((perm1 & AA_EXEC_MODIFIERS) && (perm2 & AA_EXEC_MODIFIERS) &&
-		(perm1 & AA_EXEC_MODIFIERS) != (perm2 & AA_EXEC_MODIFIERS));
+	return ((perm1 & AA_EXEC_TYPE) && (perm2 & AA_EXEC_TYPE) &&
+		(perm1 & AA_EXEC_TYPE) != (perm2 & AA_EXEC_TYPE));
 }
 
 /**
@@ -1610,8 +1610,8 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 {
     static MatchFlag *match_flags[2][sizeof(perms) * 8 - 1];
     static DenyMatchFlag *deny_flags[2][sizeof(perms) * 8 - 1];
-    static MatchFlag *exec_match_flags[2][(AA_EXEC_COUNT << 1) * 2];	/* mods + unsafe *u::o*/
-    static ExactMatchFlag *exact_match_flags[2][(AA_EXEC_COUNT << 1) * 2];/* mods + unsafe *u::o*/
+    static MatchFlag *exec_match_flags[2][(AA_EXEC_COUNT << 2) * 2];	/* mods + unsafe + ix *u::o*/
+    static ExactMatchFlag *exact_match_flags[2][(AA_EXEC_COUNT << 2) * 2];/* mods + unsafe +ix *u::o*/
     Node *tree = NULL, *accept;
     int exact_match;
 
@@ -1649,7 +1649,7 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 	flip_tree(tree);
 
 
-/* 0x3f == 5 bits x mods + 1 bit unsafe mask, after shift */
+/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
 #define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
 
 //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
@@ -1694,7 +1694,7 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
 			    index = EXTRACT_X_INDEX(eperm, AA_USER_SHIFT);
 		    } else {
 			    eperm = mask | (perms & AA_OTHER_EXEC_TYPE);
-			    index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 1);
+			    index = EXTRACT_X_INDEX(eperm, AA_OTHER_SHIFT) + (AA_EXEC_COUNT << 2);
 		    }
 //fprintf(stderr, "index %d eperm 0x%x\n", index, eperm);
 		    if (exact_match) {

parser/parser.h

@@ -143,6 +143,8 @@ struct var_string {
 #define COD_UNSAFE_UNCONFINED_CHAR	'u'
 #define COD_PROFILE_CHAR	'P'
 #define COD_UNSAFE_PROFILE_CHAR	'p'
+#define COD_LOCAL_CHAR		'C'
+#define COD_UNSAFE_LOCAL_CHAR	'c'
 
 #define OPTION_ADD      1
 #define OPTION_REMOVE   2

parser/parser_lex.l

@@ -53,7 +53,7 @@ COLON		:
 END_OF_RULE	[,]
 SEPERATOR 	{UP}
 RANGE		-
-MODE_CHARS 	([RrWwaLlMmkXx])|([Pp][Xx])|([Uu][Xx])|([Ii][Xx])|([Pp][Ii][Xx])
+MODE_CHARS 	([RrWwaLlMmkXx])|(([Uu]|[Pp]|[Cc])[Xx])|(([Pp]|[Cc])?[Ii][Xx])
 MODES		{MODE_CHARS}+
 WS		[[:blank:]]
 NUMBER		[[:digit:]]+

parser/parser_misc.c

@@ -443,7 +443,7 @@ static void warn_uppercase(void)
 static int parse_sub_mode(const char *str_mode, const char *mode_desc)
 {
 
-#define IS_DIFF_QUAL(mode, q) (((mode) & AA_MAY_EXEC) && (((mode) & (AA_EXEC_MODIFIERS | AA_EXEC_UNSAFE)) != (q)))
+#define IS_DIFF_QUAL(mode, q) (((mode) & AA_MAY_EXEC) && (((mode) & AA_EXEC_TYPE) != ((q) & AA_EXEC_TYPE)))
 
 	int mode = 0;
 	const char *p;
@@ -493,7 +493,7 @@ reeval:
 
 		case COD_INHERIT_CHAR:
 			PDEBUG("Parsing mode: found INHERIT\n");
-			if (IS_DIFF_QUAL(mode, AA_EXEC_INHERIT)) {
+			if (mode & AA_EXEC_MODIFIERS) {
 				yyerror(_("Exec qualifier 'i' invalid, conflicting qualifier already specified"));
 			} else {
 				if (next != tolower(next))
@@ -510,40 +510,48 @@ reeval:
 			      COD_UNSAFE_UNCONFINED_CHAR, COD_EXEC_CHAR);
 			/* fall through */
 		case COD_UNCONFINED_CHAR:
+			tmode |= AA_EXEC_UNCONFINED | AA_MAY_EXEC;
 			PDEBUG("Parsing mode: found UNCONFINED\n");
-			if (IS_DIFF_QUAL(mode, tmode | AA_EXEC_UNCONFINED)) {
+			if (IS_DIFF_QUAL(mode, tmode)) {
 				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"),
 					this);
 			} else {
 				if (next != tolower(next))
 					warn_uppercase();
-				mode |= tmode | AA_EXEC_UNCONFINED |
-				    AA_MAY_EXEC;
+				mode |=  tmode;
 				p++;	/* skip 'x' */
 			}
 			tmode = 0;
 			break;
 
 		case COD_UNSAFE_PROFILE_CHAR:
+		case COD_UNSAFE_LOCAL_CHAR:
 			tmode = AA_EXEC_UNSAFE;
 			/* fall through */
 		case COD_PROFILE_CHAR:
+		case COD_LOCAL_CHAR:
+			if (tolower(this) == COD_UNSAFE_PROFILE_CHAR)
+				tmode |= AA_EXEC_PROFILE | AA_MAY_EXEC;
+			else
+			{
+				tmode |= AA_EXEC_LOCAL | AA_MAY_EXEC;
+			}
 			PDEBUG("Parsing mode: found PROFILE\n");
 			if (tolower(next) == COD_INHERIT_CHAR) {
-				if (IS_DIFF_QUAL(mode, tmode | AA_EXEC_PROFILE_OR_INHERIT)) {
+				tmode |= AA_EXEC_INHERIT;
+				if (IS_DIFF_QUAL(mode, tmode)) {
 					yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), this, next);
 				} else {
-					mode |= tmode | AA_MAY_EXEC |
-					    AA_EXEC_PROFILE_OR_INHERIT;
+					mode |= tmode;
 					p += 2;		/* skip x */
 				}
-			} else if (IS_DIFF_QUAL(mode, tmode | AA_EXEC_PROFILE)) {
-				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"),
-					this);
+			} else if (IS_DIFF_QUAL(mode, tmode)) {
+				yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), this);
+
 			} else {
 				if (next != tolower(next))
 					warn_uppercase();
-				mode |= tmode | AA_EXEC_PROFILE | AA_MAY_EXEC;
+				mode |= tmode;
 				p++;	/* skip 'x' */
 			}
 			tmode = 0;
@@ -686,20 +694,6 @@ static void debug_base_perm_mask(int mask)
 		printf("%c", COD_LINK_CHAR);
 	if (HAS_MAY_LOCK(mask))
 		printf("%c", COD_LOCK_CHAR);
-	if (HAS_EXEC_INHERIT(mask))
-		printf("%c", COD_INHERIT_CHAR);
-	if (HAS_EXEC_UNCONFINED(mask)) {
-		if (HAS_EXEC_UNSAFE(mask))
-			printf("%c", COD_UNSAFE_UNCONFINED_CHAR);
-		else
-			printf("%c", COD_UNCONFINED_CHAR);
-	}
-	if (HAS_EXEC_PROFILE(mask)) {
-		if (HAS_EXEC_UNSAFE(mask))
-			printf("%c", COD_UNSAFE_PROFILE_CHAR);
-		else
-			printf("%c", COD_PROFILE_CHAR);
-	}
 	if (HAS_EXEC_MMAP(mask))
 		printf("%c", COD_MMAP_CHAR);
 	if (HAS_MAY_EXEC(mask))

parser/parser_regex.c

@@ -496,11 +496,9 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
 	/* ix implies m but the apparmor module does not add m bit to
 	 * dfa states like it does for pcre
 	 */
-	if (((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_MODIFIERS) ==
-	    AA_EXEC_INHERIT)
+	if ((entry->mode >> AA_OTHER_SHIFT) & AA_EXEC_INHERIT)
 		entry->mode |= AA_EXEC_MMAP << AA_OTHER_SHIFT;
-	if (((entry->mode >> AA_USER_SHIFT) & AA_EXEC_MODIFIERS) ==
-	    AA_EXEC_INHERIT)
+	if ((entry->mode >> AA_USER_SHIFT) & AA_EXEC_INHERIT)
 		entry->mode |= AA_EXEC_MMAP << AA_USER_SHIFT;
 
 	/* relying on ptrace and change_profile not getting merged earlier */