diff --git a/parser/af_rule.cc b/parser/af_rule.cc
index 9c0a9d04a..c974d5ce6 100644
--- a/parser/af_rule.cc
+++ b/parser/af_rule.cc
@@ -92,7 +92,7 @@ int af_rule::move_base_cond(struct cond_entry *ent, bool peer)
 ostream &af_rule::dump_prefix(ostream &os)
 {
- if (audit.audit_mode == AUDIT_FORCE)
+ if (audit == AUDIT_FORCE)
 os << "audit ";
 if (deny)
 os << "deny ";
diff --git a/parser/af_rule.h b/parser/af_rule.h
index 88b1503fc..99253a834 100644
--- a/parser/af_rule.h
+++ b/parser/af_rule.h
@@ -45,12 +45,12 @@ public:
 char *label;
 char *peer_label;
 perms_t perms;
- struct { audit_t audit_mode; } audit;
+ audit_t audit;
 bool deny;
 af_rule(const char *name): af_name(name), sock_type(NULL), sock_type_n(-1), proto(NULL), proto_n(0), label(NULL),
- peer_label(NULL), perms(0), audit({AUDIT_UNSPECIFIED}), deny(0)
+ peer_label(NULL), perms(0), audit(AUDIT_UNSPECIFIED), deny(0)
 {}
 virtual ~af_rule()
diff --git a/parser/af_unix.cc b/parser/af_unix.cc
index f586a8f67..8fbdce9af 100644
--- a/parser/af_unix.cc
+++ b/parser/af_unix.cc
@@ -105,7 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied):
 yyerror("socket rule: invalid socket type '%d'", type_p);
 }
 perms = AA_VALID_NET_PERMS;
- audit.audit_mode = audit_p;
+ audit = audit_p;
 deny = denied;
 }
@@ -195,7 +195,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
 mask = 1 << sock_type_n;
 if (!deny) {
 prof.net.allow[AF_UNIX] |= mask;
- if (audit.audit_mode == AUDIT_FORCE)
+ if (audit == AUDIT_FORCE)
 prof.net.audit[AF_UNIX] |= mask;
 } else {
 /* deny rules have to be dropped because the downgrade makes
@@ -336,7 +336,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 buf = buffer.str();
 if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_CREATE),
- map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_CREATE : 0),
+ map_perms(audit == AUDIT_FORCE ? AA_NET_CREATE : 0),
 dfaflags))
 goto fail;
 mask &= ~AA_NET_CREATE;
@@ -361,7 +361,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 buf = tmp.str();
 if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_BIND),
- map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_BIND : 0),
+ map_perms(audit == AUDIT_FORCE ? AA_NET_BIND : 0),
 dfaflags))
 goto fail;
 /* clear if auto, else generic need to generate addr below */
@@ -386,7 +386,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 buf = buffer.str();
 if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(mask & local_mask),
- map_perms(audit.audit_mode == AUDIT_FORCE ? mask & local_mask : 0),
+ map_perms(audit == AUDIT_FORCE ? mask & local_mask : 0),
 dfaflags))
 goto fail;
 }
@@ -400,7 +400,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 buf = tmp.str();
 if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_LISTEN),
- map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_LISTEN : 0),
+ map_perms(audit == AUDIT_FORCE ? AA_NET_LISTEN : 0),
 dfaflags))
 goto fail;
 }
@@ -413,7 +413,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 buf = tmp.str();
 if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(AA_NET_OPT),
- map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_OPT : 0),
+ map_perms(audit == AUDIT_FORCE ? AA_NET_OPT : 0),
 dfaflags))
 goto fail;
 }
@@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof)
 goto fail;
 buf = buffer.str();
- if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit.audit_mode == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
+ if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
 goto fail;
 }
diff --git a/parser/dbus.cc b/parser/dbus.cc
index 8999acda0..e597d0338 100644
--- a/parser/dbus.cc
+++ b/parser/dbus.cc
@@ -69,7 +69,7 @@ void dbus_rule::move_conditionals(struct cond_entry *conds)
 dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
 struct cond_entry *peer_conds):
 bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL),
- perms(0), audit({AUDIT_UNSPECIFIED}), deny(0)
+ perms(0), audit(AUDIT_UNSPECIFIED), deny(0)
 {
 int name_is_subject_cond = 0, message_rule = 0, service_rule = 0;
@@ -122,7 +122,7 @@ dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
 ostream &dbus_rule::dump(ostream &os)
 {
- if (audit.audit_mode == AUDIT_FORCE)
+ if (audit == AUDIT_FORCE)
 os << "audit ";
 if (deny)
 os << "deny ";
@@ -279,21 +279,21 @@ int dbus_rule::gen_policy_re(Profile &prof)
 if (perms & AA_DBUS_BIND) {
 if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND,
- audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0,
+ audit == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0,
 2, vec, dfaflags, false))
 goto fail;
 }
 if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
 if (!prof.policy.rules->add_rule_vec(deny, perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
- audit.audit_mode == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0,
+ audit == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0,
 6, vec, dfaflags, false))
 goto fail;
 }
 if (perms & AA_DBUS_EAVESDROP) {
 if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_EAVESDROP,
- audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0,
+ audit == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0,
 1, vec, dfaflags, false))
 goto fail;
 }
diff --git a/parser/dbus.h b/parser/dbus.h
index 37b83f5f9..cdd1f5cb1 100644
--- a/parser/dbus.h
+++ b/parser/dbus.h
@@ -40,7 +40,7 @@ public:
 char *interface;
 char *member;
 perms_t perms;
- struct { audit_t audit_mode; } audit;
+ audit_t audit;
 int deny;
 dbus_rule(perms_t perms_p, struct cond_entry *conds,
diff --git a/parser/mount.cc b/parser/mount.cc
index 7a8cad7c9..3c2db1ecd 100644
--- a/parser/mount.cc
+++ b/parser/mount.cc
@@ -469,7 +469,7 @@ mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
 struct cond_entry *dst_conds unused, char *mnt_point_p,
 perms_t perms_p):
 mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL),
- flagsv(0), opt_flagsv(0), audit({AUDIT_UNSPECIFIED}), deny(0)
+ flagsv(0), opt_flagsv(0), audit(AUDIT_UNSPECIFIED), deny(0)
 {
 /* FIXME: dst_conds are ignored atm */
 dev_type = extract_fstype(&src_conds);
@@ -581,7 +581,7 @@ ostream &mnt_rule::dump(ostream &os)
 os << " -> " << trans;
 const char *prefix = deny ? "deny" : "";
- os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit.audit_mode != AUDIT_UNSPECIFIED ? perms : 0) << ")";
+ os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit != AUDIT_UNSPECIFIED ? perms : 0) << ")";
 os << ",\n";
 return os;
@@ -733,7 +733,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
 } else {
 /* dependent on full expansion of any data match perms */
 tmpperms = perms;
- tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0;
+ tmpaudit = audit == AUDIT_FORCE ? perms : 0;
 }
 /* match for up to but not including data
 * if a data match is required this only has AA_MATCH_CONT perms
@@ -751,7 +751,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
 goto fail;
 vec[4] = optsbuf.c_str();
 if (!prof.policy.rules->add_rule_vec(deny, perms,
- (audit.audit_mode == AUDIT_FORCE ? perms : 0),
+ (audit == AUDIT_FORCE ? perms : 0),
 5, vec, dfaflags, false))
 goto fail;
 count++;
@@ -792,7 +792,7 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count,
 opt_flags & MS_BIND_FLAGS))
 goto fail;
 vec[3] = flagsbuf;
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
 4, vec, dfaflags, false))
 goto fail;
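Review bot: In the `mnt_rule::dump` hunk the audit mask is printed as `perms` whenever `audit != AUDIT_UNSPECIFIED`, while every generation path in this file (`gen_policy_remount`, `gen_policy_bind_mount` and the later hunks) only produces an audit mask for `audit == AUDIT_FORCE`, so for any other specified audit mode the dump shows an audit mask the generated policy does not carry. If that asymmetry is not intended, `(audit == AUDIT_FORCE ? perms : 0)` keeps the dump consistent with the generated rules; if it is intended, a short comment on the line would spare the next reader the same question. The remaining hunks in this file are pure renames and look fine.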
@@ -834,7 +834,7 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
 opt_flags & MS_MAKE_FLAGS))
 goto fail;
 vec[3] = flagsbuf;
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
 4, vec, dfaflags, false))
 goto fail;
@@ -877,7 +877,7 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count,
 opt_flags & MS_MOVE_FLAGS))
 goto fail;
 vec[3] = flagsbuf;
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
 4, vec, dfaflags, false))
 goto fail;
@@ -926,7 +926,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
 tmpaudit = 0;
 } else {
 tmpperms = perms;
- tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0;
+ tmpaudit = audit == AUDIT_FORCE ? perms : 0;
 }
 /* rule for match without required data || data MATCH_CONT */
 if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
@@ -941,7 +941,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
 goto fail;
 vec[4] = optsbuf.c_str();
 if (!prof.policy.rules->add_rule_vec(deny, perms,
- audit.audit_mode == AUDIT_FORCE ? perms : 0,
+ audit == AUDIT_FORCE ? perms : 0,
 5, vec, dfaflags, false))
 goto fail;
 count++;
@@ -1033,7 +1033,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 goto fail;
 vec[0] = mntbuf.c_str();
 if (!prof.policy.rules->add_rule_vec(deny, perms,
- (audit.audit_mode == AUDIT_FORCE ? perms : 0), 1, vec,
+ (audit == AUDIT_FORCE ? perms : 0), 1, vec,
 dfaflags, false))
 goto fail;
 count++;
@@ -1048,7 +1048,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
 goto fail;
 vec[1] = devbuf.c_str();
 if (!prof.policy.rules->add_rule_vec(deny, perms,
- (audit.audit_mode == AUDIT_FORCE ? perms : 0), 2, vec,
+ (audit == AUDIT_FORCE ? perms : 0), 2, vec,
 dfaflags, false))
 goto fail;
 count++;
diff --git a/parser/mount.h b/parser/mount.h
index 7d73e2d32..650628544 100644
--- a/parser/mount.h
+++ b/parser/mount.h
@@ -144,7 +144,7 @@ public:
 std::vector flagsv, opt_flagsv;
 perms_t perms;
- struct { audit_t audit_mode; } audit;
+ audit_t audit;
 int deny;
 mnt_rule(struct cond_entry *src_conds, char *device_p,
diff --git a/parser/mqueue.cc b/parser/mqueue.cc
index 1a54d1b37..5b9da33d8 100644
--- a/parser/mqueue.cc
+++ b/parser/mqueue.cc
@@ -87,7 +87,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds)
 }
 mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p):
- qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0)
+ qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit(AUDIT_UNSPECIFIED), deny(0)
 {
 move_conditionals(conds);
 free_cond_list(conds);
@@ -115,7 +115,7 @@ mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_
 ostream &mqueue_rule::dump(ostream &os)
 {
- if (audit.audit_mode == AUDIT_FORCE)
+ if (audit == AUDIT_FORCE)
 os << "audit ";
 if (deny)
 os << "deny ";
@@ -233,10 +233,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 /* store perms at name match so label doesn't need
 * to be checked */
- if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
+ if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
 goto fail;
 /* also provide label match with perm */
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
+ if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
 goto fail;
 }
 }
@@ -268,10 +268,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
 }
 if (perms & AA_VALID_SYSV_MQ_PERMS) {
- if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, 1, vec, dfaflags, false))
+ if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
 goto fail;
 /* also provide label match with perm */
- if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, size, vec, dfaflags, false))
+ if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
 goto fail;
 }
 }
diff --git a/parser/mqueue.h b/parser/mqueue.h
index b8fd38ca0..b7d827687 100644
--- a/parser/mqueue.h
+++ b/parser/mqueue.h
@@ -88,7 +88,7 @@ public:
 char *qname;
 char *label;
 perms_t perms;
- struct { audit_t audit_mode; } audit;
+ audit_t audit;
 int deny;
 mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL);
diff --git a/parser/parser.h b/parser/parser.h
index 6448b4a8a..07ed75b73 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -131,7 +131,7 @@ struct cod_entry {
 Profile *prof; /* Special profile defined
 * just for this executable */
 perms_t perms; /* perms is 'or' of AA_* bits */
- struct { audit_t audit_mode; } audit;
+ audit_t audit;
 int deny; /* TRUE or FALSE */
 int alias_ignore; /* ignore for alias processing */
diff --git a/parser/parser_merge.c b/parser/parser_merge.c
index d9ce9f629..b93103aa1 100644
--- a/parser/parser_merge.c
+++ b/parser/parser_merge.c
@@ -51,8 +51,8 @@ static int file_comp(const void *c1, const void *c2)
 if ((*e1)->deny != (*e2)->deny)
 return (*e1)->deny < (*e2)->deny ? -1 : 1;
- if ((*e1)->audit.audit_mode != (*e2)->audit.audit_mode)
- return (*e1)->audit.audit_mode < (*e2)->audit.audit_mode ? -1 : 1;
+ if ((*e1)->audit != (*e2)->audit)
+ return (*e1)->audit < (*e2)->audit ? -1 : 1;
 return strcmp((*e1)->name, (*e2)->name);
 }
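Review bot: The two `add_rule_vec` calls inside the `AA_VALID_SYSV_MQ_PERMS` block in mqueue.cc go from testing `audit.audit_mode` for non-zero to `audit == AUDIT_FORCE`, which is a behaviour change rather than the pure field rename every other hunk in this commit makes. If audit_t carries any enumerator besides AUDIT_UNSPECIFIED and AUDIT_FORCE (a quiet mode, for instance), the old code set the audit mask for it on SysV queue rules and the new code does not; presumably this aligns the SysV path with the POSIX block in the preceding hunk, which already used `== AUDIT_FORCE`. That deserves a sentence in the commit message so it is not mistaken for a no-op, and a parser test with a quieted SysV mqueue rule would pin the corrected output. The enclosing gen_policy_re body starts before this hunk.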
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 1af6f996f..ee304d7d6 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -961,7 +961,7 @@ struct cod_entry *new_entry(char *id, perms_t perms, char *link_id)
 entry->name = id;
 entry->link_name = link_id;
 entry->perms = perms;
- entry->audit.audit_mode = AUDIT_UNSPECIFIED;
+ entry->audit = AUDIT_UNSPECIFIED;
 entry->deny = FALSE;
 entry->pattern_type = ePatternInvalid;
@@ -985,7 +985,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
 DUP_STRING(orig, entry, link_name, err);
 DUP_STRING(orig, entry, nt_name, err);
 entry->perms = orig->perms;
- entry->audit.audit_mode = orig->audit.audit_mode;
+ entry->audit = orig->audit;
 entry->deny = orig->deny;
 /* XXX - need to create copies of the patterns, too */
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index f459b80d5..9ad25eb41 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -632,12 +632,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 !is_change_profile_perms(entry->perms) &&
 !dfarules->add_rule(tbuf.c_str(), entry->deny,
 entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
- entry->audit.audit_mode == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
+ entry->audit == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
 dfaflags))
 return FALSE;
 } else if (!is_change_profile_perms(entry->perms)) {
 if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms,
- entry->audit.audit_mode == AUDIT_FORCE ? entry->perms : 0, dfaflags))
+ entry->audit == AUDIT_FORCE ? entry->perms : 0, dfaflags))
 return FALSE;
 }
@@ -660,7 +660,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 perms |= LINK_TO_LINK_SUBSET(perms);
 vec[1] = "/[^/].*";
 }
- if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit.audit_mode == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
+ if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
 return FALSE;
 }
 if (is_change_profile_perms(entry->perms)) {
@@ -671,7 +671,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 int index = 1;
 uint32_t onexec_perms = AA_ONEXEC;
- if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit.audit_mode == AUDIT_FORCE && warn_change_profile) {
+ if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit == AUDIT_FORCE && warn_change_profile) {
 /* don't have profile name here, so until this code
 * gets refactored just throw out a generic warning
 */
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 8cfa8eb8f..b4101f090 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -701,8 +701,7 @@ rules: rules opt_prefix rule
 $3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 /* only set audit ctl quieting if the rule is not audited */
 if (($2.deny && $2.audit != AUDIT_FORCE) || (!$2.deny && $2.audit == AUDIT_FORCE))
- $3->audit.audit_mode = AUDIT_FORCE;
-
+ $3->audit = AUDIT_FORCE;
 add_entry_to_policy($1, $3);
 $$ = $1;
 };
@@ -732,9 +731,9 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
 entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
 if ($2.audit == AUDIT_FORCE && !entry->deny)
- entry->audit.audit_mode = AUDIT_FORCE;
+ entry->audit = AUDIT_FORCE;
 else if ($2.audit != AUDIT_FORCE && entry->deny)
- entry->audit.audit_mode = AUDIT_FORCE;
+ entry->audit = AUDIT_FORCE;
 add_entry_to_policy($1, entry);
 }
 $4->entries = NULL;
@@ -801,9 +800,9 @@ rules: rules opt_prefix mnt_rule
 $3->deny = 1;
 } else if ($2.deny) {
 $3->deny = 1;
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 } else if ($2.audit != AUDIT_UNSPECIFIED) {
- $3->audit.audit_mode = $2.audit;
+ $3->audit = $2.audit;
 }
 $1->rule_ents.push_back($3);
@@ -818,9 +817,9 @@ rules: rules opt_prefix dbus_rule
 $3->deny = 1;
 } else if ($2.deny) {
 $3->deny = 1;
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 } else if ($2.audit != AUDIT_UNSPECIFIED) {
- $3->audit.audit_mode = $2.audit;
+ $3->audit = $2.audit;
 }
 $1->rule_ents.push_back($3);
 $$ = $1;
@@ -834,9 +833,9 @@ rules: rules opt_prefix signal_rule
 $3->deny = 1;
 } else if ($2.deny) {
 $3->deny = 1;
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 } else if ($2.audit != AUDIT_UNSPECIFIED) {
- $3->audit.audit_mode = $2.audit;
+ $3->audit = $2.audit;
 }
 $1->rule_ents.push_back($3);
 $$ = $1;
@@ -850,9 +849,9 @@ rules: rules opt_prefix ptrace_rule
 $3->deny = 1;
 } else if ($2.deny) {
 $3->deny = 1;
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 } else if ($2.audit != AUDIT_UNSPECIFIED) {
- $3->audit.audit_mode = $2.audit;
+ $3->audit = $2.audit;
 }
 $1->rule_ents.push_back($3);
 $$ = $1;
@@ -866,9 +865,9 @@ rules: rules opt_prefix unix_rule
 $3->deny = 1;
 } else if ($2.deny) {
 $3->deny = 1;
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 } else if ($2.audit != AUDIT_UNSPECIFIED) {
- $3->audit.audit_mode = $2.audit;
+ $3->audit = $2.audit;
 }
 $1->rule_ents.push_back($3);
 $$ = $1;
@@ -882,9 +881,9 @@ rules: rules opt_prefix userns_rule
 $3->deny = 1;
 } else if ($2.deny) {
 $3->deny = 1;
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 } else if ($2.audit == AUDIT_FORCE) {
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 }
 $1->rule_ents.push_back($3);
 $$ = $1;
@@ -902,9 +901,9 @@ rules: rules opt_prefix change_profile
 $3->deny = 1;
 } else if ($2.deny) {
 $3->deny = 1;
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 } else if ($2.audit != AUDIT_UNSPECIFIED) {
- $3->audit.audit_mode = $2.audit;
+ $3->audit = $2.audit;
 }
 add_entry_to_policy($1, $3);
 $$ = $1;
@@ -937,9 +936,9 @@ rules: rules opt_prefix mqueue_rule
 $3->deny = 1;
 } else if ($2.deny) {
 $3->deny = 1;
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 } else if ($2.audit == AUDIT_FORCE) {
- $3->audit.audit_mode = AUDIT_FORCE;
+ $3->audit = AUDIT_FORCE;
 }
 $1->rule_ents.push_back($3);
 $$ = $1;
@@ -1822,7 +1821,7 @@ void add_local_entry(Profile *prof)
 sprintf(name, "%s//%s", prof->parent->name, prof->name);
 entry = new_entry(name, prof->local_perms, NULL);
- entry->audit.audit_mode = prof->local_audit.audit_mode;
+ entry->audit = prof->local_audit;
 entry->nt_name = trans;
 if (!entry)
 yyerror(_("Memory allocation error."));
diff --git a/parser/profile.h b/parser/profile.h
index 9e8c0f3c9..bf9ca2308 100644
--- a/parser/profile.h
+++ b/parser/profile.h
@@ -191,7 +191,7 @@ public:
 /* int default_deny; */ /* TRUE or FALSE */
 int local;
 perms_t local_perms;
- struct { audit_t audit_mode; } local_audit;
+ audit_t local_audit;
 Profile *parent;
@@ -223,7 +223,7 @@ public:
 local_perms = 0;
 local = 0;
- local_audit.audit_mode = AUDIT_UNSPECIFIED;
+ local_audit = AUDIT_UNSPECIFIED;
 parent = NULL;
diff --git a/parser/ptrace.cc b/parser/ptrace.cc
index 2875f1088..fda719705 100644
--- a/parser/ptrace.cc
+++ b/parser/ptrace.cc
@@ -48,7 +48,7 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds)
 }
 ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
- peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0)
+ peer_label(NULL), audit(AUDIT_UNSPECIFIED), deny(0)
 {
 if (perms_p) {
 if (perms_p & ~AA_VALID_PTRACE_PERMS)
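Review bot: In the add_local_entry hunk of parser_yacc.y the new line `entry->audit = prof->local_audit;` dereferences `entry` before the `if (!entry) yyerror(...)` check two lines further down, and `entry->nt_name = trans;` does the same, so an allocation failure in new_entry() is a NULL dereference before the error is ever reported. The ordering is pre-existing, but since the commit already rewrites the line it is cheap to fold the fix in: place `if (!entry) yyerror(_("Memory allocation error."));` directly after `entry = new_entry(name, prof->local_perms, NULL);` and keep the two assignments below it. The enclosing add_local_entry body starts before and continues after the hunk; the earlier rule-action hunks in this file are pure renames.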
@@ -64,7 +64,7 @@ ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
 ostream &ptrace_rule::dump(ostream &os)
 {
- if (audit.audit_mode == AUDIT_FORCE)
+ if (audit == AUDIT_FORCE)
 os << "audit ";
 if (deny)
 os << "deny ";
@@ -137,7 +137,7 @@ int ptrace_rule::gen_policy_re(Profile &prof)
 buf = buffer.str();
 if (perms & AA_VALID_PTRACE_PERMS) {
- if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit == AUDIT_FORCE ? perms : 0,
 dfaflags))
 goto fail;
 }
diff --git a/parser/ptrace.h b/parser/ptrace.h
index 217a0bee8..2f54b0fd5 100644
--- a/parser/ptrace.h
+++ b/parser/ptrace.h
@@ -34,7 +34,7 @@ class ptrace_rule: public rule_t {
 public:
 char *peer_label;
 perms_t perms;
- struct { audit_t audit_mode; } audit;
+ audit_t audit;
 int deny;
 ptrace_rule(perms_t perms, struct cond_entry *conds);
diff --git a/parser/signal.cc b/parser/signal.cc
index 84a27a758..0799ff5d4 100644
--- a/parser/signal.cc
+++ b/parser/signal.cc
@@ -174,7 +174,7 @@ void signal_rule::move_conditionals(struct cond_entry *conds)
 }
 signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
- signals(), peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0)
+ signals(), peer_label(NULL), audit(AUDIT_UNSPECIFIED), deny(0)
 {
 if (perms_p) {
 perms = perms_p;
@@ -191,7 +191,7 @@ signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
 ostream &signal_rule::dump(ostream &os)
 {
- if (audit.audit_mode == AUDIT_FORCE)
+ if (audit == AUDIT_FORCE)
 os << "audit ";
 if (deny)
 os << "deny ";
@@ -292,7 +292,7 @@ int signal_rule::gen_policy_re(Profile &prof)
 buf = buffer.str();
 if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) {
- if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0,
+ if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit == AUDIT_FORCE ? perms : 0,
 dfaflags))
 goto fail;
 }
diff --git a/parser/signal.h b/parser/signal.h
index 26a7dab6d..8e3526d89 100644
--- a/parser/signal.h
+++ b/parser/signal.h
@@ -40,7 +40,7 @@ public:
 Signals signals;
 char *peer_label;
 perms_t perms;
- struct { audit_t audit_mode; } audit;
+ audit_t audit;
 int deny;
 signal_rule(perms_t perms, struct cond_entry *conds);
diff --git a/parser/userns.cc b/parser/userns.cc
index a6fbd94f4..e8b3b5320 100644
--- a/parser/userns.cc
+++ b/parser/userns.cc
@@ -41,7 +41,7 @@ void userns_rule::move_conditionals(struct cond_entry *conds)
 }
 userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
- audit({AUDIT_UNSPECIFIED}), deny(0)
+ audit(AUDIT_UNSPECIFIED), deny(0)
 {
 if (perms_p) {
 if (perms_p & ~AA_VALID_USERNS_PERMS)
@@ -59,7 +59,7 @@ userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
 ostream &userns_rule::dump(ostream &os)
 {
- if (audit.audit_mode == AUDIT_FORCE)
+ if (audit == AUDIT_FORCE)
 os << "audit ";
 if (deny)
 os << "deny ";
@@ -101,7 +101,7 @@ int userns_rule::gen_policy_re(Profile &prof)
 buf = buffer.str();
 if (perms & AA_VALID_USERNS_PERMS) {
 if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms,
- audit.audit_mode == AUDIT_FORCE ? perms : 0,
+ audit == AUDIT_FORCE ? perms : 0,
 dfaflags))
 goto fail;
 }
diff --git a/parser/userns.h b/parser/userns.h
index 11fd082fb..d7776dc5b 100644
--- a/parser/userns.h
+++ b/parser/userns.h
@@ -27,7 +27,7 @@ class userns_rule: public rule_t {
 void move_conditionals(struct cond_entry *conds);
 public:
 perms_t perms;
- struct { audit_t audit_mode; } audit;
+ audit_t audit;
 int deny;
 userns_rule(perms_t perms, struct cond_entry *conds);