
parser: fixup audit struct to audit enum

This removes the struct wrapper used in the previous patch to ensure
that all uses are properly converted.

Signed-off-by: John Johansen <john.johansen@canonical.com>
John Johansen 2021-08-30 14:31:03 -07:00
parent 7a318d99f2
commit fdf5b062a9
21 changed files with 79 additions and 80 deletions


@ -92,7 +92,7 @@ int af_rule::move_base_cond(struct cond_entry *ent, bool peer)
ostream &af_rule::dump_prefix(ostream &os) ostream &af_rule::dump_prefix(ostream &os)
{ {
if (audit.audit_mode == AUDIT_FORCE) if (audit == AUDIT_FORCE)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";


@ -45,12 +45,12 @@ public:
char *label; char *label;
char *peer_label; char *peer_label;
perms_t perms; perms_t perms;
struct { audit_t audit_mode; } audit; audit_t audit;
bool deny; bool deny;
af_rule(const char *name): af_name(name), sock_type(NULL), af_rule(const char *name): af_name(name), sock_type(NULL),
sock_type_n(-1), proto(NULL), proto_n(0), label(NULL), sock_type_n(-1), proto(NULL), proto_n(0), label(NULL),
peer_label(NULL), perms(0), audit({AUDIT_UNSPECIFIED}), deny(0) peer_label(NULL), perms(0), audit(AUDIT_UNSPECIFIED), deny(0)
{} {}
virtual ~af_rule() virtual ~af_rule()


@ -105,7 +105,7 @@ unix_rule::unix_rule(unsigned int type_p, audit_t audit_p, bool denied):
yyerror("socket rule: invalid socket type '%d'", type_p); yyerror("socket rule: invalid socket type '%d'", type_p);
} }
perms = AA_VALID_NET_PERMS; perms = AA_VALID_NET_PERMS;
audit.audit_mode = audit_p; audit = audit_p;
deny = denied; deny = denied;
} }
@ -195,7 +195,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
mask = 1 << sock_type_n; mask = 1 << sock_type_n;
if (!deny) { if (!deny) {
prof.net.allow[AF_UNIX] |= mask; prof.net.allow[AF_UNIX] |= mask;
if (audit.audit_mode == AUDIT_FORCE) if (audit == AUDIT_FORCE)
prof.net.audit[AF_UNIX] |= mask; prof.net.audit[AF_UNIX] |= mask;
} else { } else {
/* deny rules have to be dropped because the downgrade makes /* deny rules have to be dropped because the downgrade makes
@ -336,7 +336,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_CREATE), map_perms(AA_NET_CREATE),
map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_CREATE : 0), map_perms(audit == AUDIT_FORCE ? AA_NET_CREATE : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
mask &= ~AA_NET_CREATE; mask &= ~AA_NET_CREATE;
@ -361,7 +361,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str(); buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_BIND), map_perms(AA_NET_BIND),
map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_BIND : 0), map_perms(audit == AUDIT_FORCE ? AA_NET_BIND : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
/* clear if auto, else generic need to generate addr below */ /* clear if auto, else generic need to generate addr below */
@ -386,7 +386,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(mask & local_mask), map_perms(mask & local_mask),
map_perms(audit.audit_mode == AUDIT_FORCE ? mask & local_mask : 0), map_perms(audit == AUDIT_FORCE ? mask & local_mask : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
} }
@ -400,7 +400,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str(); buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_LISTEN), map_perms(AA_NET_LISTEN),
map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_LISTEN : 0), map_perms(audit == AUDIT_FORCE ? AA_NET_LISTEN : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
} }
@ -413,7 +413,7 @@ int unix_rule::gen_policy_re(Profile &prof)
buf = tmp.str(); buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, if (!prof.policy.rules->add_rule(buf.c_str(), deny,
map_perms(AA_NET_OPT), map_perms(AA_NET_OPT),
map_perms(audit.audit_mode == AUDIT_FORCE ? AA_NET_OPT : 0), map_perms(audit == AUDIT_FORCE ? AA_NET_OPT : 0),
dfaflags)) dfaflags))
goto fail; goto fail;
} }
@ -432,7 +432,7 @@ int unix_rule::gen_policy_re(Profile &prof)
goto fail; goto fail;
buf = buffer.str(); buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit.audit_mode == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags)) if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(perms & AA_PEER_NET_PERMS), map_perms(audit == AUDIT_FORCE ? perms & AA_PEER_NET_PERMS : 0), dfaflags))
goto fail; goto fail;
} }


@ -69,7 +69,7 @@ void dbus_rule::move_conditionals(struct cond_entry *conds)
dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds, dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
struct cond_entry *peer_conds): struct cond_entry *peer_conds):
bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL), bus(NULL), name(NULL), peer_label(NULL), path(NULL), interface(NULL), member(NULL),
perms(0), audit({AUDIT_UNSPECIFIED}), deny(0) perms(0), audit(AUDIT_UNSPECIFIED), deny(0)
{ {
int name_is_subject_cond = 0, message_rule = 0, service_rule = 0; int name_is_subject_cond = 0, message_rule = 0, service_rule = 0;
@ -122,7 +122,7 @@ dbus_rule::dbus_rule(perms_t perms_p, struct cond_entry *conds,
ostream &dbus_rule::dump(ostream &os) ostream &dbus_rule::dump(ostream &os)
{ {
if (audit.audit_mode == AUDIT_FORCE) if (audit == AUDIT_FORCE)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -279,21 +279,21 @@ int dbus_rule::gen_policy_re(Profile &prof)
if (perms & AA_DBUS_BIND) { if (perms & AA_DBUS_BIND) {
if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND, if (!prof.policy.rules->add_rule_vec(deny, perms & AA_DBUS_BIND,
audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0, audit == AUDIT_FORCE ? perms & AA_DBUS_BIND : 0,
2, vec, dfaflags, false)) 2, vec, dfaflags, false))
goto fail; goto fail;
} }
if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) { if (perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE)) {
if (!prof.policy.rules->add_rule_vec(deny, if (!prof.policy.rules->add_rule_vec(deny,
perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE), perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE),
audit.audit_mode == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0, audit == AUDIT_FORCE ? perms & (AA_DBUS_SEND | AA_DBUS_RECEIVE) : 0,
6, vec, dfaflags, false)) 6, vec, dfaflags, false))
goto fail; goto fail;
} }
if (perms & AA_DBUS_EAVESDROP) { if (perms & AA_DBUS_EAVESDROP) {
if (!prof.policy.rules->add_rule_vec(deny, if (!prof.policy.rules->add_rule_vec(deny,
perms & AA_DBUS_EAVESDROP, perms & AA_DBUS_EAVESDROP,
audit.audit_mode == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0, audit == AUDIT_FORCE ? perms & AA_DBUS_EAVESDROP : 0,
1, vec, dfaflags, false)) 1, vec, dfaflags, false))
goto fail; goto fail;
} }


@ -40,7 +40,7 @@ public:
char *interface; char *interface;
char *member; char *member;
perms_t perms; perms_t perms;
struct { audit_t audit_mode; } audit; audit_t audit;
int deny; int deny;
dbus_rule(perms_t perms_p, struct cond_entry *conds, dbus_rule(perms_t perms_p, struct cond_entry *conds,


@ -469,7 +469,7 @@ mnt_rule::mnt_rule(struct cond_entry *src_conds, char *device_p,
struct cond_entry *dst_conds unused, char *mnt_point_p, struct cond_entry *dst_conds unused, char *mnt_point_p,
perms_t perms_p): perms_t perms_p):
mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL), mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL),
flagsv(0), opt_flagsv(0), audit({AUDIT_UNSPECIFIED}), deny(0) flagsv(0), opt_flagsv(0), audit(AUDIT_UNSPECIFIED), deny(0)
{ {
/* FIXME: dst_conds are ignored atm */ /* FIXME: dst_conds are ignored atm */
dev_type = extract_fstype(&src_conds); dev_type = extract_fstype(&src_conds);
@ -581,7 +581,7 @@ ostream &mnt_rule::dump(ostream &os)
os << " -> " << trans; os << " -> " << trans;
const char *prefix = deny ? "deny" : ""; const char *prefix = deny ? "deny" : "";
os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit.audit_mode != AUDIT_UNSPECIFIED ? perms : 0) << ")"; os << " " << prefix << "(0x" << hex << perms << "/0x" << (audit != AUDIT_UNSPECIFIED ? perms : 0) << ")";
os << ",\n"; os << ",\n";
return os; return os;
@ -733,7 +733,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
} else { } else {
/* dependent on full expansion of any data match perms */ /* dependent on full expansion of any data match perms */
tmpperms = perms; tmpperms = perms;
tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0; tmpaudit = audit == AUDIT_FORCE ? perms : 0;
} }
/* match for up to but not including data /* match for up to but not including data
* if a data match is required this only has AA_MATCH_CONT perms * if a data match is required this only has AA_MATCH_CONT perms
@ -751,7 +751,7 @@ int mnt_rule::gen_policy_remount(Profile &prof, int &count,
goto fail; goto fail;
vec[4] = optsbuf.c_str(); vec[4] = optsbuf.c_str();
if (!prof.policy.rules->add_rule_vec(deny, perms, if (!prof.policy.rules->add_rule_vec(deny, perms,
(audit.audit_mode == AUDIT_FORCE ? perms : 0), (audit == AUDIT_FORCE ? perms : 0),
5, vec, dfaflags, false)) 5, vec, dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -792,7 +792,7 @@ int mnt_rule::gen_policy_bind_mount(Profile &prof, int &count,
opt_flags & MS_BIND_FLAGS)) opt_flags & MS_BIND_FLAGS))
goto fail; goto fail;
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
4, vec, 4, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
@ -834,7 +834,7 @@ int mnt_rule::gen_policy_change_mount_type(Profile &prof, int &count,
opt_flags & MS_MAKE_FLAGS)) opt_flags & MS_MAKE_FLAGS))
goto fail; goto fail;
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
4, vec, 4, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
@ -877,7 +877,7 @@ int mnt_rule::gen_policy_move_mount(Profile &prof, int &count,
opt_flags & MS_MOVE_FLAGS)) opt_flags & MS_MOVE_FLAGS))
goto fail; goto fail;
vec[3] = flagsbuf; vec[3] = flagsbuf;
if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0,
4, vec, 4, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
@ -926,7 +926,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
tmpaudit = 0; tmpaudit = 0;
} else { } else {
tmpperms = perms; tmpperms = perms;
tmpaudit = audit.audit_mode == AUDIT_FORCE ? perms : 0; tmpaudit = audit == AUDIT_FORCE ? perms : 0;
} }
/* rule for match without required data || data MATCH_CONT */ /* rule for match without required data || data MATCH_CONT */
if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4, if (!prof.policy.rules->add_rule_vec(deny, tmpperms, tmpaudit, 4,
@ -941,7 +941,7 @@ int mnt_rule::gen_policy_new_mount(Profile &prof, int &count,
goto fail; goto fail;
vec[4] = optsbuf.c_str(); vec[4] = optsbuf.c_str();
if (!prof.policy.rules->add_rule_vec(deny, perms, if (!prof.policy.rules->add_rule_vec(deny, perms,
audit.audit_mode == AUDIT_FORCE ? perms : 0, audit == AUDIT_FORCE ? perms : 0,
5, vec, dfaflags, false)) 5, vec, dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -1033,7 +1033,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
goto fail; goto fail;
vec[0] = mntbuf.c_str(); vec[0] = mntbuf.c_str();
if (!prof.policy.rules->add_rule_vec(deny, perms, if (!prof.policy.rules->add_rule_vec(deny, perms,
(audit.audit_mode == AUDIT_FORCE ? perms : 0), 1, vec, (audit == AUDIT_FORCE ? perms : 0), 1, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
count++; count++;
@ -1048,7 +1048,7 @@ int mnt_rule::gen_policy_re(Profile &prof)
goto fail; goto fail;
vec[1] = devbuf.c_str(); vec[1] = devbuf.c_str();
if (!prof.policy.rules->add_rule_vec(deny, perms, if (!prof.policy.rules->add_rule_vec(deny, perms,
(audit.audit_mode == AUDIT_FORCE ? perms : 0), 2, vec, (audit == AUDIT_FORCE ? perms : 0), 2, vec,
dfaflags, false)) dfaflags, false))
goto fail; goto fail;
count++; count++;
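Review bot: mnt_rule::dump at L166 reports the audit perms with `(audit != AUDIT_UNSPECIFIED ? perms : 0)`, while every gen_policy_* path in this same file (L173, L181, L189, L197, L205, L213, L221, L229, L237) gates them on `audit == AUDIT_FORCE`, and the dump() methods of the other rule types in this commit also test `== AUDIT_FORCE`. If audit_t carries any value other than those two, dump would print audit perms that are never emitted into the policy, which makes the debug output an unreliable picture of what is enforced. Suggest `(audit == AUDIT_FORCE ? perms : 0)` here, or a comment stating why dump deliberately differs from the generation paths. The enclosing function starts outside the hunk.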


@ -144,7 +144,7 @@ public:
std::vector<unsigned int> flagsv, opt_flagsv; std::vector<unsigned int> flagsv, opt_flagsv;
perms_t perms; perms_t perms;
struct { audit_t audit_mode; } audit; audit_t audit;
int deny; int deny;
mnt_rule(struct cond_entry *src_conds, char *device_p, mnt_rule(struct cond_entry *src_conds, char *device_p,


@ -87,7 +87,7 @@ void mqueue_rule::move_conditionals(struct cond_entry *conds)
} }
mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p): mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_p):
qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) qtype(mqueue_unspecified), qname(qname_p), label(NULL), audit(AUDIT_UNSPECIFIED), deny(0)
{ {
move_conditionals(conds); move_conditionals(conds);
free_cond_list(conds); free_cond_list(conds);
@ -115,7 +115,7 @@ mqueue_rule::mqueue_rule(perms_t perms_p, struct cond_entry *conds, char *qname_
ostream &mqueue_rule::dump(ostream &os) ostream &mqueue_rule::dump(ostream &os)
{ {
if (audit.audit_mode == AUDIT_FORCE) if (audit == AUDIT_FORCE)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -233,10 +233,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
/* store perms at name match so label doesn't need /* store perms at name match so label doesn't need
* to be checked * to be checked
*/ */
if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false)) if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
goto fail; goto fail;
/* also provide label match with perm */ /* also provide label match with perm */
if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false)) if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
goto fail; goto fail;
} }
} }
@ -268,10 +268,10 @@ int mqueue_rule::gen_policy_re(Profile &prof)
} }
if (perms & AA_VALID_SYSV_MQ_PERMS) { if (perms & AA_VALID_SYSV_MQ_PERMS) {
if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, 1, vec, dfaflags, false)) if (!label && !prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, 1, vec, dfaflags, false))
goto fail; goto fail;
/* also provide label match with perm */ /* also provide label match with perm */
if (!prof.policy.rules->add_rule_vec(deny, perms, audit.audit_mode ? perms : 0, size, vec, dfaflags, false)) if (!prof.policy.rules->add_rule_vec(deny, perms, audit == AUDIT_FORCE ? perms : 0, size, vec, dfaflags, false))
goto fail; goto fail;
} }
} }
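Review bot: The SysV branch at L281 and L284 changes the audit test from `audit.audit_mode ? perms : 0` to `audit == AUDIT_FORCE ? perms : 0`, which is a semantic change rather than the pure struct-to-enum rewrite the commit message describes: the old test was true for any non-zero audit_t value, the new one only for AUDIT_FORCE. It does bring this branch in line with the POSIX branch in the preceding hunk (L271, L274), which already tested `== AUDIT_FORCE`, so it is probably the intended behaviour, but a change to which mqueue rules receive audit permissions should be stated in the commit message rather than folded silently into a fixup, e.g. `Also correct the sysv mqueue audit test to check for AUDIT_FORCE`. gen_policy_re starts and ends outside the hunk.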


@ -88,7 +88,7 @@ public:
char *qname; char *qname;
char *label; char *label;
perms_t perms; perms_t perms;
struct { audit_t audit_mode; } audit; audit_t audit;
int deny; int deny;
mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL); mqueue_rule(perms_t perms, struct cond_entry *conds, char *qname = NULL);


@ -131,7 +131,7 @@ struct cod_entry {
Profile *prof; /* Special profile defined Profile *prof; /* Special profile defined
* just for this executable */ * just for this executable */
perms_t perms; /* perms is 'or' of AA_* bits */ perms_t perms; /* perms is 'or' of AA_* bits */
struct { audit_t audit_mode; } audit; audit_t audit;
int deny; /* TRUE or FALSE */ int deny; /* TRUE or FALSE */
int alias_ignore; /* ignore for alias processing */ int alias_ignore; /* ignore for alias processing */
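Review bot: The new `audit_t audit;` member of struct cod_entry at L305 is the only field in the visible run without a trailing comment, while its neighbours document their value domain (`perms is 'or' of AA_* bits`, `TRUE or FALSE`). Suggest `audit_t audit;   /* AUDIT_UNSPECIFIED unless the rule sets an audit mode */`, which matches what new_entry() in this commit initialises it to. The struct definition starts and ends outside the hunk.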


@ -51,8 +51,8 @@ static int file_comp(const void *c1, const void *c2)
if ((*e1)->deny != (*e2)->deny) if ((*e1)->deny != (*e2)->deny)
return (*e1)->deny < (*e2)->deny ? -1 : 1; return (*e1)->deny < (*e2)->deny ? -1 : 1;
if ((*e1)->audit.audit_mode != (*e2)->audit.audit_mode) if ((*e1)->audit != (*e2)->audit)
return (*e1)->audit.audit_mode < (*e2)->audit.audit_mode ? -1 : 1; return (*e1)->audit < (*e2)->audit ? -1 : 1;
return strcmp((*e1)->name, (*e2)->name); return strcmp((*e1)->name, (*e2)->name);
} }


@ -961,7 +961,7 @@ struct cod_entry *new_entry(char *id, perms_t perms, char *link_id)
entry->name = id; entry->name = id;
entry->link_name = link_id; entry->link_name = link_id;
entry->perms = perms; entry->perms = perms;
entry->audit.audit_mode = AUDIT_UNSPECIFIED; entry->audit = AUDIT_UNSPECIFIED;
entry->deny = FALSE; entry->deny = FALSE;
entry->pattern_type = ePatternInvalid; entry->pattern_type = ePatternInvalid;
@ -985,7 +985,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
DUP_STRING(orig, entry, link_name, err); DUP_STRING(orig, entry, link_name, err);
DUP_STRING(orig, entry, nt_name, err); DUP_STRING(orig, entry, nt_name, err);
entry->perms = orig->perms; entry->perms = orig->perms;
entry->audit.audit_mode = orig->audit.audit_mode; entry->audit = orig->audit;
entry->deny = orig->deny; entry->deny = orig->deny;
/* XXX - need to create copies of the patterns, too */ /* XXX - need to create copies of the patterns, too */


@ -632,12 +632,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
!is_change_profile_perms(entry->perms) && !is_change_profile_perms(entry->perms) &&
!dfarules->add_rule(tbuf.c_str(), entry->deny, !dfarules->add_rule(tbuf.c_str(), entry->deny,
entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE), entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE),
entry->audit.audit_mode == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0, entry->audit == AUDIT_FORCE ? entry->perms & ~(AA_LINK_BITS | AA_CHANGE_PROFILE) : 0,
dfaflags)) dfaflags))
return FALSE; return FALSE;
} else if (!is_change_profile_perms(entry->perms)) { } else if (!is_change_profile_perms(entry->perms)) {
if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms, if (!dfarules->add_rule(tbuf.c_str(), entry->deny, entry->perms,
entry->audit.audit_mode == AUDIT_FORCE ? entry->perms : 0, dfaflags)) entry->audit == AUDIT_FORCE ? entry->perms : 0, dfaflags))
return FALSE; return FALSE;
} }
@ -660,7 +660,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
perms |= LINK_TO_LINK_SUBSET(perms); perms |= LINK_TO_LINK_SUBSET(perms);
vec[1] = "/[^/].*"; vec[1] = "/[^/].*";
} }
if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit.audit_mode == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false)) if (!dfarules->add_rule_vec(entry->deny, perms, entry->audit == AUDIT_FORCE ? perms & AA_LINK_BITS : 0, 2, vec, dfaflags, false))
return FALSE; return FALSE;
} }
if (is_change_profile_perms(entry->perms)) { if (is_change_profile_perms(entry->perms)) {
@ -671,7 +671,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
int index = 1; int index = 1;
uint32_t onexec_perms = AA_ONEXEC; uint32_t onexec_perms = AA_ONEXEC;
if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit.audit_mode == AUDIT_FORCE && warn_change_profile) { if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit == AUDIT_FORCE && warn_change_profile) {
/* don't have profile name here, so until this code /* don't have profile name here, so until this code
* gets refactored just throw out a generic warning * gets refactored just throw out a generic warning
*/ */


@ -701,8 +701,7 @@ rules: rules opt_prefix rule
$3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); $3->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
/* only set audit ctl quieting if the rule is not audited */ /* only set audit ctl quieting if the rule is not audited */
if (($2.deny && $2.audit != AUDIT_FORCE) || (!$2.deny && $2.audit == AUDIT_FORCE)) if (($2.deny && $2.audit != AUDIT_FORCE) || (!$2.deny && $2.audit == AUDIT_FORCE))
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
add_entry_to_policy($1, $3); add_entry_to_policy($1, $3);
$$ = $1; $$ = $1;
}; };
@ -732,9 +731,9 @@ rules: rules opt_prefix TOK_OPEN rules TOK_CLOSE
entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS); entry->perms &= (AA_OTHER_PERMS | AA_SHARED_PERMS);
if ($2.audit == AUDIT_FORCE && !entry->deny) if ($2.audit == AUDIT_FORCE && !entry->deny)
entry->audit.audit_mode = AUDIT_FORCE; entry->audit = AUDIT_FORCE;
else if ($2.audit != AUDIT_FORCE && entry->deny) else if ($2.audit != AUDIT_FORCE && entry->deny)
entry->audit.audit_mode = AUDIT_FORCE; entry->audit = AUDIT_FORCE;
add_entry_to_policy($1, entry); add_entry_to_policy($1, entry);
} }
$4->entries = NULL; $4->entries = NULL;
@ -801,9 +800,9 @@ rules: rules opt_prefix mnt_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} else if ($2.audit != AUDIT_UNSPECIFIED) { } else if ($2.audit != AUDIT_UNSPECIFIED) {
$3->audit.audit_mode = $2.audit; $3->audit = $2.audit;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
@ -818,9 +817,9 @@ rules: rules opt_prefix dbus_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} else if ($2.audit != AUDIT_UNSPECIFIED) { } else if ($2.audit != AUDIT_UNSPECIFIED) {
$3->audit.audit_mode = $2.audit; $3->audit = $2.audit;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -834,9 +833,9 @@ rules: rules opt_prefix signal_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} else if ($2.audit != AUDIT_UNSPECIFIED) { } else if ($2.audit != AUDIT_UNSPECIFIED) {
$3->audit.audit_mode = $2.audit; $3->audit = $2.audit;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -850,9 +849,9 @@ rules: rules opt_prefix ptrace_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} else if ($2.audit != AUDIT_UNSPECIFIED) { } else if ($2.audit != AUDIT_UNSPECIFIED) {
$3->audit.audit_mode = $2.audit; $3->audit = $2.audit;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -866,9 +865,9 @@ rules: rules opt_prefix unix_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} else if ($2.audit != AUDIT_UNSPECIFIED) { } else if ($2.audit != AUDIT_UNSPECIFIED) {
$3->audit.audit_mode = $2.audit; $3->audit = $2.audit;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -882,9 +881,9 @@ rules: rules opt_prefix userns_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} else if ($2.audit == AUDIT_FORCE) { } else if ($2.audit == AUDIT_FORCE) {
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -902,9 +901,9 @@ rules: rules opt_prefix change_profile
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} else if ($2.audit != AUDIT_UNSPECIFIED) { } else if ($2.audit != AUDIT_UNSPECIFIED) {
$3->audit.audit_mode = $2.audit; $3->audit = $2.audit;
} }
add_entry_to_policy($1, $3); add_entry_to_policy($1, $3);
$$ = $1; $$ = $1;
@ -937,9 +936,9 @@ rules: rules opt_prefix mqueue_rule
$3->deny = 1; $3->deny = 1;
} else if ($2.deny) { } else if ($2.deny) {
$3->deny = 1; $3->deny = 1;
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} else if ($2.audit == AUDIT_FORCE) { } else if ($2.audit == AUDIT_FORCE) {
$3->audit.audit_mode = AUDIT_FORCE; $3->audit = AUDIT_FORCE;
} }
$1->rule_ents.push_back($3); $1->rule_ents.push_back($3);
$$ = $1; $$ = $1;
@ -1822,7 +1821,7 @@ void add_local_entry(Profile *prof)
sprintf(name, "%s//%s", prof->parent->name, prof->name); sprintf(name, "%s//%s", prof->parent->name, prof->name);
entry = new_entry(name, prof->local_perms, NULL); entry = new_entry(name, prof->local_perms, NULL);
entry->audit.audit_mode = prof->local_audit.audit_mode; entry->audit = prof->local_audit;
entry->nt_name = trans; entry->nt_name = trans;
if (!entry) if (!entry)
yyerror(_("Memory allocation error.")); yyerror(_("Memory allocation error."));
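Review bot: In add_local_entry at L467-469, `entry` is dereferenced twice (`entry->audit = prof->local_audit;`, `entry->nt_name = trans;`) before the `if (!entry)` check that follows them, so a NULL return from new_entry() would fault before the "Memory allocation error." diagnostic is ever reached. Move the check directly after `entry = new_entry(name, prof->local_perms, NULL);` — `if (!entry) yyerror(_("Memory allocation error."));` — and only then assign `entry->audit` and `entry->nt_name`. The ordering is pre-existing, but this commit rewrites the dereferencing line, so it is the natural moment to fix it. add_local_entry starts and ends outside the hunk.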


@ -191,7 +191,7 @@ public:
/* int default_deny; */ /* TRUE or FALSE */ /* int default_deny; */ /* TRUE or FALSE */
int local; int local;
perms_t local_perms; perms_t local_perms;
struct { audit_t audit_mode; } local_audit; audit_t local_audit;
Profile *parent; Profile *parent;
@ -223,7 +223,7 @@ public:
local_perms = 0; local_perms = 0;
local = 0; local = 0;
local_audit.audit_mode = AUDIT_UNSPECIFIED; local_audit = AUDIT_UNSPECIFIED;
parent = NULL; parent = NULL;


@ -48,7 +48,7 @@ void ptrace_rule::move_conditionals(struct cond_entry *conds)
} }
ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds): ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) peer_label(NULL), audit(AUDIT_UNSPECIFIED), deny(0)
{ {
if (perms_p) { if (perms_p) {
if (perms_p & ~AA_VALID_PTRACE_PERMS) if (perms_p & ~AA_VALID_PTRACE_PERMS)
@ -64,7 +64,7 @@ ptrace_rule::ptrace_rule(perms_t perms_p, struct cond_entry *conds):
ostream &ptrace_rule::dump(ostream &os) ostream &ptrace_rule::dump(ostream &os)
{ {
if (audit.audit_mode == AUDIT_FORCE) if (audit == AUDIT_FORCE)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -137,7 +137,7 @@ int ptrace_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (perms & AA_VALID_PTRACE_PERMS) { if (perms & AA_VALID_PTRACE_PERMS) {
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit == AUDIT_FORCE ? perms : 0,
dfaflags)) dfaflags))
goto fail; goto fail;
} }


@ -34,7 +34,7 @@ class ptrace_rule: public rule_t {
public: public:
char *peer_label; char *peer_label;
perms_t perms; perms_t perms;
struct { audit_t audit_mode; } audit; audit_t audit;
int deny; int deny;
ptrace_rule(perms_t perms, struct cond_entry *conds); ptrace_rule(perms_t perms, struct cond_entry *conds);


@ -174,7 +174,7 @@ void signal_rule::move_conditionals(struct cond_entry *conds)
} }
signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds): signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
signals(), peer_label(NULL), audit({AUDIT_UNSPECIFIED}), deny(0) signals(), peer_label(NULL), audit(AUDIT_UNSPECIFIED), deny(0)
{ {
if (perms_p) { if (perms_p) {
perms = perms_p; perms = perms_p;
@ -191,7 +191,7 @@ signal_rule::signal_rule(perms_t perms_p, struct cond_entry *conds):
ostream &signal_rule::dump(ostream &os) ostream &signal_rule::dump(ostream &os)
{ {
if (audit.audit_mode == AUDIT_FORCE) if (audit == AUDIT_FORCE)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -292,7 +292,7 @@ int signal_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) { if (perms & (AA_MAY_SEND | AA_MAY_RECEIVE)) {
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit.audit_mode == AUDIT_FORCE ? perms : 0, if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, audit == AUDIT_FORCE ? perms : 0,
dfaflags)) dfaflags))
goto fail; goto fail;
} }


@ -40,7 +40,7 @@ public:
Signals signals; Signals signals;
char *peer_label; char *peer_label;
perms_t perms; perms_t perms;
struct { audit_t audit_mode; } audit; audit_t audit;
int deny; int deny;
signal_rule(perms_t perms, struct cond_entry *conds); signal_rule(perms_t perms, struct cond_entry *conds);


@ -41,7 +41,7 @@ void userns_rule::move_conditionals(struct cond_entry *conds)
} }
userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds): userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
audit({AUDIT_UNSPECIFIED}), deny(0) audit(AUDIT_UNSPECIFIED), deny(0)
{ {
if (perms_p) { if (perms_p) {
if (perms_p & ~AA_VALID_USERNS_PERMS) if (perms_p & ~AA_VALID_USERNS_PERMS)
@ -59,7 +59,7 @@ userns_rule::userns_rule(perms_t perms_p, struct cond_entry *conds):
ostream &userns_rule::dump(ostream &os) ostream &userns_rule::dump(ostream &os)
{ {
if (audit.audit_mode == AUDIT_FORCE) if (audit == AUDIT_FORCE)
os << "audit "; os << "audit ";
if (deny) if (deny)
os << "deny "; os << "deny ";
@ -101,7 +101,7 @@ int userns_rule::gen_policy_re(Profile &prof)
buf = buffer.str(); buf = buffer.str();
if (perms & AA_VALID_USERNS_PERMS) { if (perms & AA_VALID_USERNS_PERMS) {
if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms, if (!prof.policy.rules->add_rule(buf.c_str(), deny, perms,
audit.audit_mode == AUDIT_FORCE ? perms : 0, audit == AUDIT_FORCE ? perms : 0,
dfaflags)) dfaflags))
goto fail; goto fail;
} }


@ -27,7 +27,7 @@ class userns_rule: public rule_t {
void move_conditionals(struct cond_entry *conds); void move_conditionals(struct cond_entry *conds);
public: public:
perms_t perms; perms_t perms;
struct { audit_t audit_mode; } audit; audit_t audit;
int deny; int deny;
userns_rule(perms_t perms, struct cond_entry *conds); userns_rule(perms_t perms, struct cond_entry *conds);