mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 05:17:59 +00:00
Code Issues Releases Wiki Activity

parser: Properly parse named transition targets

Browse Source 
https://launchpad.net/bugs/1540666

Reuse the new parse_label() function to initialize named_transition
structs so that transition targets, when used with change_profile, are
properly seperated into a profile namespace and profile name.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/1379874
This commit is contained in:
Tyler Hicks 2016-02-18 15:58:11 -06:00
parent 349b4a4ba1
commit e7accd8485
4 changed files with 40 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
parser/parser.h
View File

@ -394,6 +394,8 @@ extern char *process_var(const char *var);
extern int parse_mode(const char *mode); extern int parse_mode(const char *mode);
extern int parse_X_mode(const char *X, int valid, const char *str_mode, int *mode, int fail); extern int parse_X_mode(const char *X, int valid, const char *str_mode, int *mode, int fail);
void parse_label(char **ns, char **name, const char *label); void parse_label(char **ns, char **name, const char *label);
void parse_named_transition_target(struct named_transition *nt,
const char *target);
extern struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id); extern struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id);
/* returns -1 if value != true or false, otherwise 0 == false, 1 == true */ /* returns -1 if value != true or false, otherwise 0 == false, 1 == true */

13
parser/parser_misc.c
View File

@ -615,6 +615,19 @@ void parse_label(char **ns, char **name, const char *label)
*name = _name; *name = _name;
} }
void parse_named_transition_target(struct named_transition *nt,
const char *target)
{
memset(nt, 0, sizeof(*nt));
if (!target) {
/* Return with nt->present set to 0 (thanks to the memset) */
return;
}
parse_label(&nt->ns, &nt->name, target);
nt->present = 1;
}
struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id) struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id)
{ {
struct cod_entry *entry = NULL; struct cod_entry *entry = NULL;

52
parser/parser_yacc.y
View File

@ -258,8 +258,6 @@ void add_local_entry(Profile *prof);
%type <boolean> opt_profile_flag %type <boolean> opt_profile_flag
%type <boolean> opt_flags %type <boolean> opt_flags
%type <boolean> opt_perm_mode %type <boolean> opt_perm_mode
%type <id> opt_ns
%type <id> ns_id
%type <id> opt_id %type <id> opt_id
%type <prefix> opt_prefix %type <prefix> opt_prefix
%type <fmode> dbus_perm %type <fmode> dbus_perm
@ -299,11 +297,6 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
| TOK_PROFILE { $$ = 1; } | TOK_PROFILE { $$ = 1; }
| hat_start { $$ = 2; } | hat_start { $$ = 2; }
ns_id: TOK_COLON id_or_var TOK_COLON { $$ = $2; }
opt_ns: { /* nothing */ $$ = NULL; }
| ns_id { $$ = $1; }
opt_id: { /* nothing */ $$ = NULL; } opt_id: { /* nothing */ $$ = NULL; }
| TOK_ID { $$ = $1; } | TOK_ID { $$ = $1; }
@ -1053,21 +1046,12 @@ id_or_var: TOK_SET_VAR { $$ = $1; };
opt_named_transition: opt_named_transition:
{ /* nothing */ { /* nothing */
$$.present = 0; parse_named_transition_target(&$$, NULL);
$$.ns = NULL;
$$.name = NULL;
} }
| TOK_ARROW id_or_var | TOK_ARROW id_or_var
{ {
$$.present = 1; parse_named_transition_target(&$$, $2);
$$.ns = NULL; free($2);
$$.name = $2;
}
| TOK_ARROW ns_id id_or_var
{
$$.present = 1;
$$.ns = $2;
$$.name = $3;
}; };
rule: file_rule { $$ = $1; } rule: file_rule { $$ = $1; }
@ -1508,27 +1492,25 @@ change_profile_head: TOK_CHANGE_PROFILE opt_id
$$ = $2; $$ = $2;
} }
change_profile: change_profile_head TOK_END_OF_RULE change_profile: change_profile_head opt_named_transition TOK_END_OF_RULE
{ {
struct cod_entry *entry; struct cod_entry *entry;
char *rule = strdup("**");
if (!rule)
yyerror(_("Memory allocation error."));
PDEBUG("Matched change_profile,\n");
entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $1);
if (!entry)
yyerror(_("Memory allocation error."));
PDEBUG("change_profile,\n");
$$ = entry;
};
change_profile: change_profile_head TOK_ARROW opt_ns TOK_ID TOK_END_OF_RULE if ($2.present) {
{ PDEBUG("Matched change_profile: tok_id (:%s://%s)\n",
struct cod_entry *entry; $2.ns ? $2.ns : "", $2.name);
PDEBUG("Matched change_profile: tok_id (:%s://%s)\n", $3 ? $3 : "", $4); entry = new_entry($2.ns, $2.name, AA_CHANGE_PROFILE, $1);
entry = new_entry($3, $4, AA_CHANGE_PROFILE, $1); } else {
char *rule = strdup("**");
if (!rule)
yyerror(_("Memory allocation error."));
PDEBUG("Matched change_profile,\n");
entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $1);
}
if (!entry) if (!entry)
yyerror(_("Memory allocation error.")); yyerror(_("Memory allocation error."));
PDEBUG("change_profile.entry: (%s)\n", entry->name); PDEBUG("change_profile.entry: (%s)\n", entry->name);
$$ = entry; $$ = entry;
}; };

8
tests/regression/apparmor/changeprofile.sh
View File

@ -29,6 +29,7 @@ fqsubbase="$pwd/changeprofile"
fqsubtest="$fqsubbase//$subtest" fqsubtest="$fqsubbase//$subtest"
subtest2="$pwd//sub2" subtest2="$pwd//sub2"
subtest3="$pwd//sub3" subtest3="$pwd//sub3"
nstest=":ns:changeprofile"
touch $file $subfile touch $file $subfile
@ -70,3 +71,10 @@ runchecktest "CHANGEPROFILE_RE (nochange access file)" pass nochange $file
runchecktest_errno EACCES "CHANGEPROFILE_RE (nochange access subfile)" fail nochange $subfile runchecktest_errno EACCES "CHANGEPROFILE_RE (nochange access subfile)" fail nochange $subfile
runchecktest_errno EACCES "CHANGEPROFILE_RE (access file)" fail $fqsubtest $file runchecktest_errno EACCES "CHANGEPROFILE_RE (access file)" fail $fqsubtest $file
runchecktest "CHANGEPROFILE_RE (access sub file)" pass $fqsubtest $subfile runchecktest "CHANGEPROFILE_RE (access sub file)" pass $fqsubtest $subfile
genprofile --stdin <<EOF
$test { file, change_profile -> ${nstest}, }
$nstest { $subfile ${okperm}, }
EOF
runchecktest "CHANGEPROFILE_NS (access sub file)" pass $nstest $subfile
runchecktest "CHANGEPROFILE_NS (access file)" fail $nstest $file