[apparmor] [PATCH 4/5] Add the ability to specify the name and attachment of the profile separately. It does not allow the attachment specification to begin with a variable; however, since variables in profile names are not currently supported, this shouldn't be an issue.
John Johansen
john.johansen at canonical.com
Tue Nov 23 09:18:54 GMT 2010
The format of the naming follows the basic guide of the name coming
before the attachment but after profile namespace.
profile default /** { }
profile :namespace: foo /bar { }
profile /foo//bar /** { }
profile /foo {
profile named /** { }
}
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser.h | 1 +
parser/parser_alias.c | 10 ++++++++--
parser/parser_policy.c | 2 ++
parser/parser_regex.c | 7 +++++--
parser/parser_yacc.y | 18 ++++++++++++++----
5 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/parser/parser.h b/parser/parser.h
index 03db29d..0eed1d8 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -88,6 +88,7 @@ struct alt_name {
struct codomain {
char *namespace;
char *name; /* codomain name */
+ char *attachment;
struct alt_name *altnames;
void *xmatch;
size_t xmatch_size;
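Review bot: The new `attachment` member is the only field in this part of `struct codomain` without a trailing comment, while the neighbouring `name` has one; since the two are easy to confuse (one is what the profile is called, the other is what gets compiled into xmatch), the header should say which is which. Something like `char *attachment; /* optional path glob to match instead of name; NULL = use name */` would do. The struct definition starts before this hunk.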
diff --git a/parser/parser_alias.c b/parser/parser_alias.c
index 81c65fb..d25d5c4 100644
--- a/parser/parser_alias.c
+++ b/parser/parser_alias.c
@@ -159,6 +159,7 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
{
struct alias_rule **t = (struct alias_rule **) nodep;
struct codomain *cod = target_cod;
+ char *name;
int len;
if (value == preorder || value == endorder)
@@ -166,9 +167,14 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
len = strlen((*t)->from);
- if (cod->name && strncmp((*t)->from, cod->name, len) == 0) {
+ if (cod->attachment)
+ name = cod->attachment;
+ else
+ name = cod->name;
+
+ if (name && strncmp((*t)->from, name, len) == 0) {
struct alt_name *alt;
- char *new = do_alias(*t, cod->name);
+ char *new = do_alias(*t, name);
if (!new)
return;
/* aliases create alternate names */
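Review bot: When `cod->attachment` is set, the alias lookup and `do_alias()` on lines 47-55 operate only on the attachment and `cod->name` is never consulted, which is presumably intended (aliases rewrite what is matched, not what the profile is called) but is not stated anywhere. A one-line comment above the selection, `/* aliases apply to what the profile matches: the attachment if given, else the name */`, would save the next reader from wondering whether the name case was forgotten. Note that `len` is the length of the alias source, so `strncmp` is a prefix match on `name`; that is pre-existing behaviour and this hunk does not change it. `process_name()` continues past the end of the hunk.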
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index b218d86..5fe777a 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -736,6 +736,8 @@ void free_policy(struct codomain *cod)
free(cod->dfa);
if (cod->name)
free(cod->name);
+ if (cod->attachment)
+ free(cod->attachment);
if (cod->namespace)
free(cod->namespace);
if (cod->network_allowed)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index d43138a..f38ea4f 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -388,14 +388,17 @@ static int process_profile_name_xmatch(struct codomain *cod)
const char *name;
/* don't filter_slashes for profile names */
- name = local_name(cod->name);
+ if (cod->attachment)
+ name = cod->attachment;
+ else
+ name = local_name(cod->name);
ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3,
&cod->xmatch_len);
if (ptype == ePatternInvalid) {
PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
return FALSE;
- } else if (ptype == ePatternBasic && !cod->altnames) {
+ } else if (ptype == ePatternBasic && !(cod->altnames || cod->attachment)) {
/* no regex so do not set xmatch */
cod->xmatch = NULL;
cod->xmatch_len = 0;
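Review bot: The `ePatternInvalid` branch on line 87 still reports "Invalid profile name '%s'" even though `name` may now be `cod->attachment`, so a bad attachment glob is diagnosed as a bad profile name, which is misleading now that the two are distinct strings. The message could pick the right noun: `PERROR(_("%s: Invalid profile %s '%s' - bad regular expression\n"), progname, cod->attachment ? "attachment" : "name", name);`. Taking the attachment without `local_name()` looks safe only because the grammar rejects attachments that do not start with '/'; a short comment on line 80 saying so would tie the two hunks together. `process_profile_name_xmatch()` continues beyond this hunk.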
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 950d4ea..ea5b69e 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -190,6 +190,7 @@ void add_local_entry(struct codomain *cod);
%type <boolean> opt_owner_flag
%type <boolean> opt_profile_flag
%type <id> opt_namespace
+%type <id> opt_id
%type <transition> opt_named_transition
%%
@@ -213,21 +214,30 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
opt_namespace: { /* nothing */ $$ = NULL; }
| TOK_COLON TOK_ID TOK_COLON { fprintf(stderr, "namespace %s\n", $2); $$ = $2; }
-profile_base: TOK_ID flags TOK_OPEN rules TOK_CLOSE
+opt_id: { /* nothing */ $$ = NULL; }
+ | TOK_ID { $$ = $1; }
+
+profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
{
- struct codomain *cod = $4;
+ struct codomain *cod = $5;
if (!cod) {
yyerror(_("Memory allocation error."));
}
cod->name = $1;
- cod->flags = $2;
+ cod->attachment = $2;
+ if ($2 && $2[0] != '/')
+ /* we don't support variables as part of the profile
+ * name or attachment atm
+ */
+ yyerror(_("Profile attachment must begin with a '/'."));
+ cod->flags = $3;
if (force_complain)
cod->flags.complain = 1;
post_process_nt_entries(cod);
PDEBUG("%s: flags='%s%s'\n",
- $2,
+ $3,
cod->flags.complain ? "complain, " : "",
cod->flags.audit ? "audit" : "");
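Review bot: The attachment is stored into `cod->attachment` on line 121 before it is validated on line 122, so if `yyerror()` returns rather than exiting (its definition is not visible here) the codomain is left holding an attachment the '/'-prefix rule rejected, and the comment about variables then documents a check that did not take effect. Validating before the assignment keeps the object consistent regardless of how `yyerror()` behaves: `if ($2 && $2[0] != '/') yyerror(_("Profile attachment must begin with a '/'."));` followed by `cod->attachment = $2;`. It would also be worth confirming with `bison -v` that inserting `opt_id` between `TOK_ID` and `flags` introduces no new shift/reduce conflicts, since `opt_id` can be empty. The `profile_base` action continues past the end of this hunk.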
--
1.7.1