Note: this patch currently overlays onexec on link_name in order to reuse
the code paths that already handle link_name. Ideally, the entry struct
should be split into separate file, link and change_profile entry
classes.

Signed-off-by: John Johansen <[email protected]>
---
 parser/parser.h       |  5 ++++-
 parser/parser_lex.l   |  2 +-
 parser/parser_regex.c | 12 +++++++++---
 parser/parser_yacc.y  | 22 ++++++++++++++--------
 4 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/parser/parser.h b/parser/parser.h
index f4566b9..281a6f7 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -100,7 +100,10 @@ struct cond_entry_list {
 struct cod_entry {
        char *ns;
        char *name;
-       char *link_name;
+       union {
+               char *link_name;
+               char *onexec;
+       };
        char *nt_name;
        Profile *prof;                  /* Special profile defined
                                         * just for this executable */
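Review bot: The new anonymous union leaves the aliasing of `onexec` over `link_name` undocumented in the header, so a reader of `struct cod_entry` cannot tell which member is live for a given entry. Both are `char *`, so a release path that frees `link_name` will also release `onexec`, but any code that treats a non-NULL `link_name` as "this is a link rule" without also consulting `mode` would now misread change_profile entries; whether such code exists is not visible in this patch. Suggest a comment on the union: `/* aliases: link_name is live for link rules, onexec for AA_CHANGE_PROFILE entries; mode decides which one is valid */`.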
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index 286d9a2..5af788a 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -443,7 +443,7 @@ LT_EQUAL    <=
 
        ({IDS}|{QUOTED_ID}) {
                yylval.id = processid(yytext, yyleng);
-               POP_AND_RETURN(TOK_ID);
+               RETURN_TOKEN(TOK_ID);
        }
 }
 
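Review bot: Switching from `POP_AND_RETURN(TOK_ID)` to `RETURN_TOKEN(TOK_ID)` means the lexer no longer leaves the current start condition after an identifier here, and neither the hunk nor the commit message says why. The enclosing start-condition block begins outside the hunk, so the state affected is not visible; presumably the intent is to keep lexing the tokens that may follow the new optional exec condition in the same state, but that should be stated. Suggest a comment above the action, e.g. `/* stay in this start condition: the rule may continue after the id */`, and a sentence in the commit message naming the state and the reason the pop was dropped.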
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index dc713c8..30f009f 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -564,7 +564,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct 
cod_entry *entry)
        }
        if (entry->mode & AA_CHANGE_PROFILE) {
                const char *vec[3];
-               std::string lbuf;
+               std::string lbuf, xbuf;
                int index = 1;
 
                if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && 
warn_change_profile) {
@@ -575,8 +575,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct 
cod_entry *entry)
                        warn_change_profile = 0;
                }
 
-               /* allow change_profile for all execs */
-               vec[0] = "/[^\\x00]*";
+               if (entry->onexec) {
+                       ptype = convert_aaregex_to_pcre(entry->onexec, 0, 
glob_default, xbuf, &pos);
+                       if (ptype == ePatternInvalid)
+                               return FALSE;
+                       vec[0] = xbuf.c_str();
+               } else
+                       /* allow change_profile for all execs */
+                       vec[0] = "/[^\\x00]*";
 
                if (entry->ns) {
                        int pos;
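Review bot: The `else` branch at the end of the new block is a comment line followed by a single unbraced statement, which is exactly the shape that invites a misplaced-statement bug on a later edit; brace it: `} else { /* allow change_profile for all execs */ vec[0] = "/[^\\x00]*"; }`. The added branch also assigns `ptype` and `pos`, both declared outside the hunk and presumably used for the entry's main name pattern elsewhere in process_dfa_entry; if later code in the function reads `ptype` to classify the rule, the onexec conversion now overwrites that value, so either confirm it is dead at this point or use a dedicated local (`pattern_t xtype;` — constructed name). The `return FALSE` on `ePatternInvalid` emits no diagnostic naming the bad exec condition; if the other conversions in this function report before returning, this one should too. process_dfa_entry continues outside the hunk.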
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index df3ce15..4ae5bf3 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -1491,36 +1491,42 @@ file_mode: TOK_MODE
                free($1);
        }
 
-change_profile: TOK_CHANGE_PROFILE TOK_END_OF_RULE
+change_profile: TOK_CHANGE_PROFILE opt_id TOK_END_OF_RULE
        {
                struct cod_entry *entry;
                char *rule = strdup("**");
                if (!rule)
                        yyerror(_("Memory allocation error."));
                PDEBUG("Matched change_profile,\n");
-               entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, NULL);
+               if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+                       yyerror(_("Exec condition must begin with '/'."));
+               entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $2);
                if (!entry)
                        yyerror(_("Memory allocation error."));
                PDEBUG("change_profile,\n");
                $$ = entry;
        };
 
-change_profile:        TOK_CHANGE_PROFILE TOK_ARROW TOK_ID TOK_END_OF_RULE
+change_profile:        TOK_CHANGE_PROFILE opt_id TOK_ARROW TOK_ID 
TOK_END_OF_RULE
        {
                struct cod_entry *entry;
-               PDEBUG("Matched change_profile: tok_id (%s)\n", $3);
-               entry = new_entry(NULL, $3, AA_CHANGE_PROFILE, NULL);
+               PDEBUG("Matched change_profile: tok_id (%s)\n", $4);
+               if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+                       yyerror(_("Exec condition must begin with '/'."));
+               entry = new_entry(NULL, $4, AA_CHANGE_PROFILE, $2);
                if (!entry)
                        yyerror(_("Memory allocation error."));
                PDEBUG("change_profile.entry: (%s)\n", entry->name);
                $$ = entry;
        };
 
-change_profile:        TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON 
TOK_ID TOK_END_OF_RULE
+change_profile:        TOK_CHANGE_PROFILE opt_id TOK_ARROW TOK_COLON TOK_ID 
TOK_COLON TOK_ID TOK_END_OF_RULE
        {
                struct cod_entry *entry;
-               PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $4, $6);
-               entry = new_entry($4, $6, AA_CHANGE_PROFILE, NULL);
+               PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $5, $7);
+               if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+                       yyerror(_("Exec condition must begin with '/'."));
+               entry = new_entry($5, $7, AA_CHANGE_PROFILE, $2);
                if (!entry)
                        yyerror(_("Memory allocation error."));
                PDEBUG("change_profile.entry: (%s)\n", entry->name);
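Review bot: The exec-condition test `if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))` together with its `yyerror` is pasted into all three change_profile actions; move it into one static helper in the grammar's C prologue so the accepted syntax is defined in one place. The check is purely syntactic: it accepts any `@{...}` variable reference, so a variable that later expands to a relative or empty path would satisfy the "must begin with '/'" requirement unless the expansion pass re-validates the expanded onexec value — worth confirming, since the same requirement for plain paths is enforced here. The helper's comment should record that caveat. The third action continues past the end of the hunk.

```yacc
/* Exec condition: absolute path or a variable reference. Only a syntactic
 * check; a @{var} may still expand to a non-absolute path, so the expanded
 * onexec value must be re-validated after variable expansion. */
static void check_exec_cond(const char *id)
{
	if (id && !(id[0] == '/' || strncmp(id, "@{", 2) == 0))
		yyerror(_("Exec condition must begin with '/'."));
}

/* … unchanged: rule setup in each change_profile action … */
		check_exec_cond($2);
		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $2);
```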
-- 
2.1.4

