[apparmor] [PATCH 1/5] Merge profile and :namespace:profile parsing into a single rule. This also fixes a bug where the profile keyword was not allowed to precede profiles with a namespace declaration.
John Johansen
john.johansen at canonical.com
Tue Nov 23 09:18:51 GMT 2010
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_yacc.y | 48 +++++++--------------
parser/tst/simple_tests/profile/profile_ns_ok1.sd | 35 +++++++++++++++
2 files changed, 51 insertions(+), 32 deletions(-)
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index bf9bf08..4c0da5a 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -190,6 +190,7 @@ struct codomain *do_local_profile(struct codomain *cod, char *name, int mode, in
%type <boolean> opt_audit_flag
%type <boolean> opt_owner_flag
%type <boolean> opt_profile_flag
+%type <id> opt_namespace
%type <transition> opt_named_transition
%%
@@ -210,19 +211,27 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
| TOK_PROFILE { $$ = 1; }
| hat_start { $$ = 2; }
-profile: opt_profile_flag TOK_ID flags TOK_OPEN rules TOK_CLOSE
+opt_namespace: { /* nothing */ $$ = NULL; }
+| TOK_COLON TOK_ID TOK_COLON { fprintf(stderr, "namespace %s\n", $2); $$ = $2; }
+
+profile: opt_profile_flag opt_namespace TOK_ID flags TOK_OPEN rules TOK_CLOSE
{
- struct codomain *cod = $5;
- PDEBUG("Matched: id (%s) open rules close\n", $2);
+ struct codomain *cod = $6;
+ if ($2)
+ PDEBUG("Matched: id (%s://%s) open rules close\n", $2, $3);
+ else
+ PDEBUG("Matched: id (%s) open rules close\n", $3);
+
if (!cod) {
yyerror(_("Memory allocation error."));
}
- if (!$1 && $2[0] != '/')
- yyerror(_("Profile names must begin with a '/', or keyword 'profile' or 'hat'."));
+ if ($3[0] != '/' && !($1 || $2))
+ yyerror(_("Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."));
- cod->name = $2;
- cod->flags = $3;
+ cod->namespace = $2;
+ cod->name = $3;
+ cod->flags = $4;
if (force_complain)
cod->flags.complain = 1;
if ($1 == 2)
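Review bot: The new opt_namespace action leaves a raw `fprintf(stderr, "namespace %s\n", $2);` in the grammar, so every namespaced profile loaded by the parser will print a line to stderr in production, not just under debugging; the rest of this rule uses PDEBUG for the same purpose. Change the action to `| TOK_COLON TOK_ID TOK_COLON { PDEBUG("namespace %s\n", $2); $$ = $2; }` or drop the print altogether. While here, the merged PDEBUG prints the name as `%s://%s`, which does not match the `:ns:name` syntax the rule actually parses; the removed rule used `%s:%s`. The body of the profile rule continues past the end of this hunk, so the post_process_nt_entries call and the flags PDEBUG were not visible for review.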
@@ -237,31 +246,6 @@ profile: opt_profile_flag TOK_ID flags TOK_OPEN rules TOK_CLOSE
$$ = cod;
};
-profile: opt_profile_flag TOK_COLON TOK_ID TOK_COLON TOK_ID flags TOK_OPEN rules TOK_CLOSE
- {
- struct codomain *cod = $8;
- PDEBUG("Matched: id (%s:%s) open rules close\n", $3, $5);
- if (!cod) {
- yyerror(_("Memory allocation error."));
- }
-
- cod->namespace = $3;
- cod->name = $5;
- cod->flags = $6;
- if (force_complain)
- cod->flags.complain = 1;
- if ($1 == 2)
- cod->flags.hat = 1;
-
- post_process_nt_entries(cod);
- PDEBUG("%s: flags='%s%s'\n",
- $3,
- cod->flags.complain ? "complain, " : "",
- cod->flags.audit ? "audit" : "");
-
- $$ = cod;
- };
-
preamble: { /* nothing */ }
| preamble alias { /* nothing */ };
| preamble varassign { /* nothing */ };
diff --git a/parser/tst/simple_tests/profile/profile_ns_ok1.sd b/parser/tst/simple_tests/profile/profile_ns_ok1.sd
index e3cc5e1..cc0f682 100644
--- a/parser/tst/simple_tests/profile/profile_ns_ok1.sd
+++ b/parser/tst/simple_tests/profile/profile_ns_ok1.sd
@@ -17,3 +17,38 @@
/bin/echo uxuxuxuxux,
}
+profile :foo:/does/not/exist2 {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+:foo:unattached {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile :foo:unattached {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
\ No newline at end of file
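Review bot: The added test file ends without a trailing newline after the last `}`, which is why the diff carries the "No newline at end of file" marker; add a final newline so later patches to this file do not show a spurious change on the closing brace. All three new profiles only exercise the accepted forms (`profile :ns:/path`, `:ns:name`, `profile :ns:name`); since the commit also rewrites the error check for names that do not start with `/`, a companion negative test for a bare non-slash name without a namespace or keyword would pin that error path, assuming the simple_tests harness has a matching fail-case convention.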
--
1.7.1