diff --git a/parser/parser_misc.c b/parser/parser_misc.c index ea77da781..8aca06101 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -77,6 +77,7 @@ static struct keyword_table keyword_table[] = { {"alias", TOK_ALIAS}, {"rewrite", TOK_ALIAS}, {"ptrace", TOK_PTRACE}, + {"file", TOK_FILE}, /* terminate */ {NULL, 0} }; diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 18662ed56..45083d922 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -116,6 +116,7 @@ void add_local_entry(struct codomain *cod); %token TOK_OPENPAREN %token TOK_CLOSEPAREN %token TOK_COMMA +%token TOK_FILE /* rlimits */ %token TOK_RLIMIT @@ -175,6 +176,10 @@ void add_local_entry(struct codomain *cod); %type cond_rule %type network_rule %type rule +%type file_rule +%type file_rule_tail +%type link_rule +%type ptrace_rule %type frule %type flags %type flagvals @@ -197,6 +202,7 @@ void add_local_entry(struct codomain *cod); %type opt_id %type opt_named_transition %type opt_unsafe +%type opt_file %% @@ -891,24 +897,16 @@ opt_named_transition: $$.name = $5; }; +rule: file_rule { $$ = $1; } + | link_rule { $$ = $1; } + | ptrace_rule {$$ = $1; } + opt_unsafe: { /* nothing */ $$ = 0; } | TOK_UNSAFE { $$ = 1; }; | TOK_SAFE { $$ = 2; }; -rule: opt_unsafe frule - { - if ($1) { - if (!($2->mode & AA_EXEC_BITS)) - yyerror(_("unsafe rule missing exec permissions")); - if ($1 == 1) { - $2->mode |= (($2->mode & AA_EXEC_BITS) << 8) & - ALL_AA_EXEC_UNSAFE; - } - else if ($1 == 2) - $2->mode &= ~ALL_AA_EXEC_UNSAFE; - } - $$ = $2; - }; +opt_file: { /* nothing */ $$ = 0; } + | TOK_FILE { $$ = 1; } frule: id_or_var file_mode opt_named_transition TOK_END_OF_RULE { 
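Review bot: Adding `{"file", TOK_FILE}` to keyword_table turns `file` into a reserved word wherever the lexer consults this table, so an existing policy that used a bare `file` identifier (for example as a hat or subprofile name, if unquoted names are accepted there) would stop parsing after this change, and nothing in the hunk or the new tests records that cost. A short comment on the entry, `{"file", TOK_FILE},	/* reserved word: bare 'file' is no longer a plain id */`, plus one simple_tests fixture exercising that shape would make the compatibility decision visible to the next reader.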
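Review bot: In the `@@ -891` hunk the new `rule: file_rule | link_rule | ptrace_rule` production ends without a terminating `;`, and its third alternative is written `{$$ = $1; }` while the first two use `{ $$ = $1; }`; `opt_file` a few lines below also ends without `;`. The surrounding grammar terminates `opt_unsafe` and `frule` with `;`, and bison, as far as I recall, only warns about the omission, so this is a point of style rather than correctness, but the inconsistency will be copied: `| ptrace_rule { $$ = $1; };` and `| TOK_FILE { $$ = 1; };` match the neighbours. The `%type` lines in the `@@ -175` hunk show no type tag as rendered here, presumably an artifact of the page extraction rather than of the commit.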
@@ -932,16 +930,43 @@ frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE } }; -rule: opt_unsafe id_or_var file_mode id_or_var +file_rule: TOK_FILE TOK_END_OF_RULE + { + char *path = strdup("/**"); + if (!path) + yyerror(_("Memory allocation error.")); + $$ = do_file_rule(NULL, path, ((AA_BASE_PERMS & ~AA_EXEC_TYPE) | + (AA_EXEC_INHERIT | AA_MAY_EXEC)), + NULL, NULL); + } + | opt_file file_rule_tail { $$ = $2; } + + +file_rule_tail: opt_unsafe frule + { + if ($1) { + if (!($2->mode & AA_EXEC_BITS)) + yyerror(_("unsafe rule missing exec permissions")); + if ($1 == 1) { + $2->mode |= (($2->mode & AA_EXEC_BITS) << 8) & + ALL_AA_EXEC_UNSAFE; + } + else if ($1 == 2) + $2->mode &= ~ALL_AA_EXEC_UNSAFE; + } + $$ = $2; + }; + +file_rule_tail: opt_unsafe id_or_var file_mode id_or_var { /* Oopsie, we appear to be missing an EOL marker. If we * were *smart*, we could work around it. Since we're * obviously not smart, we'll just punt with a more * sensible error. */ - yyerror(_("missing an end of line character? (entry: %s)"), $1); + yyerror(_("missing an end of line character? (entry: %s)"), $2); }; -rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE +link_rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE { struct cod_entry *entry; PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5); @@ -951,7 +976,7 @@ rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE $$ = entry; }; -rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE +ptrace_rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE { struct cod_entry *entry; entry = new_entry(NULL, $2, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL); @@ -960,7 +985,7 @@ rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE $$ = entry; }; -rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE +ptrace_rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE { struct cod_entry *entry; entry = new_entry($3, $5, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL); 
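Review bot: The bare-`file` alternative at the top of `file_rule` is the security-relevant core of this change, since it synthesises a `/**` entry carrying `(AA_BASE_PERMS & ~AA_EXEC_TYPE) | (AA_EXEC_INHERIT | AA_MAY_EXEC)`, yet nothing in the action says that a single `file,` line is meant to grant that breadth; a comment above the strdup, `/* bare "file," : every base permission on /** with inherit (ix) exec only */`, would state the policy for the next reader instead of leaving them to decode the mask. On the following lines `if (!path) yyerror(...)` falls straight through to `do_file_rule(NULL, path, ...)`; if yyerror does not terminate the parse (not visible in this hunk), path is NULL at that call, so either bail out after the yyerror or document that yyerror is fatal. The `link_rule` action at the bottom of the hunk continues past the hunk's last line.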
diff --git a/parser/tst/simple_tests/file/file/bad_1.sd b/parser/tst/simple_tests/file/file/bad_1.sd
new file mode 100644
index 000000000..53cc0545a
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic file rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ file rw,
+}
diff --git a/parser/tst/simple_tests/file/file/bad_append_1.sd b/parser/tst/simple_tests/file/file/bad_append_1.sd
new file mode 100644
index 000000000..677e2a309
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/bad_append_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION w and a conflict
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ file /a wa,
+}
+
diff --git a/parser/tst/simple_tests/file/file/bad_comma_1.sd b/parser/tst/simple_tests/file/file/bad_comma_1.sd
new file mode 100644
index 000000000..c44df8cd8
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/bad_comma_1.sd
@@ -0,0 +1,7 @@
+k#
+#=DESCRIPTION comma in pathname
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ file /foobar, r,
+}
diff --git a/parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd b/parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd
new file mode 100644
index 000000000..3bb933336
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT FAIL
+
+/bin/foo {
+ file /abc\ def r,
+}
diff --git a/parser/tst/simple_tests/file/file/bad_lock_1.sd b/parser/tst/simple_tests/file/file/bad_lock_1.sd
new file mode 100644
index 000000000..854f5bab4
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/bad_lock_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION k to be lower case
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ file /bin/ls K,
+}
+
diff --git a/parser/tst/simple_tests/file/file/dos_line_endings.sd b/parser/tst/simple_tests/file/file/dos_line_endings.sd
new file mode 100644
index 000000000..1257f6350
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/dos_line_endings.sd
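Review bot: The first line of bad_comma_1.sd is `k#` rather than `#`, so the stray `k` makes the profile invalid before the parser ever reaches `file /foobar, r,`; because the fixture expects FAIL, it passes whether or not an unquoted comma inside a path is actually rejected, which is the case its description names. Changing that first line to `#` makes the test fail for the reason it documents. The same masking concern applies to owner/bad_8.sd further down, where a relative path may trip the parser before the missing `}` does.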
@@ -0,0 +1,41 @@
+# vim:syntax=subdomain
+# Last Modified: Wed Aug 31 11:14:09 2005
+#=DESCRIPTION dos line endings
+#=EXRESULT PASS
+/usr/lib/RealPlayer10/realplay {
+ #include
+ #include
+
+ file /bin/bash ix,
+ file /bin/sed ixr,
+ file /bin/true ixr,
+ file /etc/opt/gnome/pango/pango.modules r,
+ file /opt/gnome/lib/gtk-2.0/2.4.0/loaders/* r,
+ file /opt/gnome/lib/lib*so* r,
+ file /opt/gnome/lib/pango/1.4.0/modules/* r,
+ file /opt/gnome/share/icons r,
+ file /opt/gnome/share/icons/** r,
+ file /opt/gnome/bin/nautilus rux,
+ file /root r,
+ file /root/.Xauthority r,
+ file /root/.fonts.cache-1 r,
+ file /root/.realplayerrc rw,
+ file /home/*/ r,
+ file /home/*/.Xauthority r,
+ file /home/*/.fonts.cache-1 r,
+ file /home/*/.realplayerrc rw,
+ file /usr/X11R6/lib/Acrobat7/Resource/Font/* r,
+ file /usr/X11R6/lib/Acrobat7/Resource/Font/PFM/* r,
+ file /usr/lib/RealPlayer10/** r,
+ file /usr/lib/RealPlayer10/realplay.bin ixr,
+ file /usr/lib/jvm/java-1.4.2-sun-1.4.2.06/jre/lib/fonts/** r,
+ file /usr/lib/ooo-2.0/share/fonts/** r,
+ file /opt/MozillaFirefox/bin/firefox.sh pxr,
+ file /opt/MozillaFirefox/lib/firefox-bin pxr,
+ file /opt/MozillaFirefox/lib/init.d r,
+ file /usr/bin/opera pxr,
+ file /usr/share/icons r,
+ file /usr/share/icons/** r,
+ file /opt/gnome/share/pixmaps r,
+ file /opt/gnome/share/pixmaps/** r,
+}
diff --git a/parser/tst/simple_tests/file/file/front_perms_ok_1.sd b/parser/tst/simple_tests/file/file/front_perms_ok_1.sd
new file mode 100644
index 000000000..bdf13404e
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/front_perms_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION perms before pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+
+ file r /foo1,
+ file w /foo1,
+ file a /foo1,
+ file k /foo1,
+ file m /foo1,
+ file l /foo1,
+ file px /foo1,
+ file Px /foo2,
+ file ux /foo3,
+ file Ux /foo4,
+ file ix /foo5,
+ file unsafe px /foo6,
+ file unsafe Px /foo7,
+ file unsafe ux /foo8,
+ file unsafe Ux /foo9,
+ file unsafe ix /foo10,
+
+}
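Review bot: As rendered here, the two `#include` lines inside the realplay profile of dos_line_endings.sd carry no target; if the angle-bracketed name was stripped by the page extraction there is nothing to do, but if the committed file really contains bare `#include` lines then the PASS expectation hinges on the parser tolerating an empty include rather than on the CRLF handling the description says the fixture is for. Worth checking against the committed file, as is whether the file was actually committed with CRLF line endings, which this diff view cannot show.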
diff --git a/parser/tst/simple_tests/file/file/ok_1.sd b/parser/tst/simple_tests/file/file/ok_1.sd
new file mode 100644
index 000000000..2b5dce970
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic file rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /usr/bin/foo r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_2.sd b/parser/tst/simple_tests/file/file/ok_2.sd
new file mode 100644
index 000000000..6d5f26e6d
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic file rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_3.sd b/parser/tst/simple_tests/file/file/ok_3.sd
new file mode 100644
index 000000000..f274f1c62
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION A simple successful profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /usr/bin/foo r,
+ file /usr/bin/blah rix,
+}
+
diff --git a/parser/tst/simple_tests/file/file/ok_append_1.sd b/parser/tst/simple_tests/file/file/ok_append_1.sd
new file mode 100644
index 000000000..de8f9df44
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_append_1.sd
@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION test append
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /bin/cat a,
+ file /bin/true ra,
+ file /bin/false ma,
+ file /lib/libc.so la,
+ file /bin/less ixa,
+ file /bin/more pxa,
+ file /a uxa,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_carat_1.sd b/parser/tst/simple_tests/file/file/ok_carat_1.sd
new file mode 100644
index 000000000..ed44a9562
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_carat_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /foo^bar r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_carat_2.sd b/parser/tst/simple_tests/file/file/ok_carat_2.sd
new file mode 100644
index 000000000..b222b7ce2
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_carat_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION trailing carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /foo/bar^ r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_comma_1.sd b/parser/tst/simple_tests/file/file/ok_comma_1.sd
new file mode 100644
index 000000000..2be666aeb
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_comma_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION comma in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /foo,bar r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_comma_2.sd b/parser/tst/simple_tests/file/file/ok_comma_2.sd
new file mode 100644
index 000000000..33ac37272
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_comma_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION comma at end of pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file "/foobar," r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_embedded_spaces_1.sd b/parser/tst/simple_tests/file/file/ok_embedded_spaces_1.sd
new file mode 100644
index 000000000..10ad90c4e
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_embedded_spaces_1.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+/bin/foo {
+ file "/abc\ def" r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_embedded_spaces_2.sd b/parser/tst/simple_tests/file/file/ok_embedded_spaces_2.sd
new file mode 100644
index 000000000..caff2a1c7
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_embedded_spaces_2.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+/bin/foo {
+ file "/abc def" r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_embedded_spaces_3.sd b/parser/tst/simple_tests/file/file/ok_embedded_spaces_3.sd
new file mode 100644
index 000000000..138ae2a3e
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_embedded_spaces_3.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+"/bin/fo o" {
+ file "/abc def" r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_inv_char_class.sd b/parser/tst/simple_tests/file/file/ok_inv_char_class.sd
new file mode 100644
index 000000000..9a36c3dc9
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_inv_char_class.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /foo[^me]bar r,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_lock_1.sd b/parser/tst/simple_tests/file/file/ok_lock_1.sd
new file mode 100644
index 000000000..e28739c38
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_lock_1.sd
@@ -0,0 +1,17 @@
+#
+#=DESCRIPTION k and other perms do not conflict
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /bin/a k,
+ file /bin/b rk,
+ file /bin/c wk,
+ file /bin/d ak,
+ file /bin/e lk,
+ file /bin/e mk,
+ file /bin/f pxk,
+ file /bin/g Pxk,
+ file /bin/h ixk,
+ file /bin/i uxk,
+ file /bin/j Uxk,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_mmap_1.sd b/parser/tst/simple_tests/file/file/ok_mmap_1.sd
new file mode 100644
index 000000000..21a8c36e8
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_mmap_1.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION m and [uUpPi]x do not conflict
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /bin/cat mix,
+ file /bin/true mpx,
+ file /bin/false mux,
+ file /lib/libc.so rwlm,
+ file /bin/less mUx,
+ file /bin/more mPx,
+}
diff --git a/parser/tst/simple_tests/file/file/ok_mmap_2.sd b/parser/tst/simple_tests/file/file/ok_mmap_2.sd
new file mode 100644
index 000000000..eef6f5cb2
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/ok_mmap_2.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION m and [upi]x do not conflict, seperate rules
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ file /bin/cat rm,
+ file /bin/cat ix,
+ file /bin/true px,
+ file /bin/true m,
+ file /bin/false m,
+ file /bin/false ux,
+ file /lib/libc.so rwl,
+ file /lib/libc.so m,
+}
diff --git a/parser/tst/simple_tests/file/file/owner/bad_3.sd b/parser/tst/simple_tests/file/file/owner/bad_3.sd
new file mode 100644
index 000000000..d489667a9
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/owner/bad_3.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner can not follow path name
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ file /foo owner rw,
+
+}
diff --git a/parser/tst/simple_tests/file/file/owner/bad_4.sd b/parser/tst/simple_tests/file/file/owner/bad_4.sd
new file mode 100644
index 000000000..f826f63d3
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/owner/bad_4.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner cannot follow permission
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ file /foo rw owner,
+
+}
diff --git a/parser/tst/simple_tests/file/file/owner/bad_5.sd b/parser/tst/simple_tests/file/file/owner/bad_5.sd
new file mode 100644
index 000000000..125f9ef9f
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/owner/bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner rules must have comma termination
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ owner file /foo rw
+ file /bar rw,
+}
diff --git a/parser/tst/simple_tests/file/file/owner/bad_6.sd b/parser/tst/simple_tests/file/file/owner/bad_6.sd
new file mode 100644
index 000000000..ae3fabc3c
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/owner/bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed after forward perm
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ file rw owner /foo,
+
+}
diff --git a/parser/tst/simple_tests/file/file/owner/bad_7.sd b/parser/tst/simple_tests/file/file/owner/bad_7.sd
new file mode 100644
index 000000000..6287df16c
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/owner/bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION owner not allowed after pathname in forward rule
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ file rw /foo owner,
+
+}
diff --git a/parser/tst/simple_tests/file/file/owner/bad_8.sd b/parser/tst/simple_tests/file/file/owner/bad_8.sd
new file mode 100644
index 000000000..0c96d4a0b
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/owner/bad_8.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION owner block needs } termination
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ owner {
+ file rw foo,
+
+}
diff --git a/parser/tst/simple_tests/file/file/owner/ok_1.sd b/parser/tst/simple_tests/file/file/owner/ok_1.sd
new file mode 100644
index 000000000..02ea445cd
--- /dev/null
+++ b/parser/tst/simple_tests/file/file/owner/ok_1.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION test owner flag for file rules
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+
+ owner file /foo rw,
+ owner file /foo/** rw,
+
+ owner file rw /bar,
+ owner file rw /bar/**,
+
+ owner {
+ file /one rw,
+ file /one/** rw,
+
+ file rw /two,
+ file rw /two/**,
+ }
+
+ owner {
+
+ }
+
+}
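Review bot: The `file rw foo,` line in owner/bad_8.sd uses a relative path, so if the grammar rejects non-absolute paths (every other fixture in this commit uses a leading `/`) the profile fails on that line before the missing `}` the description targets, and the fixture would keep passing even if an unterminated `owner {` block were later accepted by mistake. Using an absolute path, `file rw /foo,`, leaves the block termination as the only error the test exercises.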