[apparmor] [PATCH 1/5] Merge profile and :namespace:profile parsing into a single rule. This also fixes a bug where the profile keyword was not allowed to proceed profiles with a namespace declaration.

Steve Beattie steve at nxnw.org
Mon Nov 29 20:07:57 GMT 2010


On Tue, Nov 23, 2010 at 01:18:51AM -0800, John Johansen wrote:
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-By: Steve Beattie <sbeattie at ubuntu.com>

(Can you make sure parser/tst/simple_tests/profile/profile_ns_ok1.sd
gets an ending newline?)

> ---
>  parser/parser_yacc.y                              |   48 +++++++--------------
>  parser/tst/simple_tests/profile/profile_ns_ok1.sd |   35 +++++++++++++++
>  2 files changed, 51 insertions(+), 32 deletions(-)
> 
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index bf9bf08..4c0da5a 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -190,6 +190,7 @@ struct codomain *do_local_profile(struct codomain *cod, char *name, int mode, in
>  %type <boolean> opt_audit_flag
>  %type <boolean> opt_owner_flag
>  %type <boolean> opt_profile_flag
> +%type <id>	opt_namespace
>  %type <transition> opt_named_transition
>  
>  %%
> @@ -210,19 +211,27 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
>  	| TOK_PROFILE { $$ = 1; }
>  	| hat_start { $$ = 2; }
>  
> -profile:	opt_profile_flag TOK_ID flags TOK_OPEN rules TOK_CLOSE
> +opt_namespace: { /* nothing */ $$ = NULL; }
> +| TOK_COLON TOK_ID TOK_COLON { fprintf(stderr, "namespace %s\n", $2); $$ = $2; }
> +
> +profile:	opt_profile_flag opt_namespace TOK_ID flags TOK_OPEN rules TOK_CLOSE
>  	{
> -		struct codomain *cod = $5;
> -		PDEBUG("Matched: id (%s) open rules close\n", $2);
> +		struct codomain *cod = $6;
> +		if ($2)
> +			PDEBUG("Matched: id (%s://%s) open rules close\n", $2, $3);
> +		else
> +			PDEBUG("Matched: id (%s) open rules close\n", $3);
> +
>  		if (!cod) {
>  			yyerror(_("Memory allocation error."));
>  		}
>  
> -		if (!$1 && $2[0] != '/')
> -			yyerror(_("Profile names must begin with a '/', or keyword 'profile' or 'hat'."));
> +		if ($3[0] != '/' && !($1 || $2))
> +			yyerror(_("Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."));
>  
> -		cod->name = $2;
> -		cod->flags = $3;
> +		cod->namespace = $2;
> +		cod->name = $3;
> +		cod->flags = $4;
>  		if (force_complain)
>  			cod->flags.complain = 1;
>  		if ($1 == 2)
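Review bot: The second `opt_namespace` alternative calls `fprintf(stderr, "namespace %s\n", $2);` unconditionally, so every namespaced profile writes a trace to the parser's stderr in normal builds; the neighbouring actions use `PDEBUG` for such traces, so this should read `| TOK_COLON TOK_ID TOK_COLON { PDEBUG("namespace %s\n", $2); $$ = $2; }` or drop the print altogether. The `profile` action continues past the end of this hunk: the `post_process_nt_entries` call and the trailing flags `PDEBUG` sit between this hunk and the next and are not shown here, and if that `PDEBUG` still passes `$2` it now refers to the optional namespace, which is NULL for un-namespaced profiles and would be handed to `%s`, so it is worth confirming it was renumbered to `$3` along with the other references in this action.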
> @@ -237,31 +246,6 @@ profile:	opt_profile_flag TOK_ID flags TOK_OPEN rules TOK_CLOSE
>  		$$ = cod;
>  	};
>  
> -profile:	opt_profile_flag TOK_COLON TOK_ID TOK_COLON TOK_ID flags TOK_OPEN rules TOK_CLOSE
> -	{
> -		struct codomain *cod = $8;
> -		PDEBUG("Matched: id (%s:%s) open rules close\n", $3, $5);
> -		if (!cod) {
> -			yyerror(_("Memory allocation error."));
> -		}
> -
> -		cod->namespace = $3;
> -		cod->name = $5;
> -		cod->flags = $6;
> -		if (force_complain)
> -			cod->flags.complain = 1;
> -		if ($1 == 2)
> -			cod->flags.hat = 1;
> -
> -		post_process_nt_entries(cod);
> -		PDEBUG("%s: flags='%s%s'\n",
> -		       $3,
> -		       cod->flags.complain ? "complain, " : "",
> -		       cod->flags.audit ? "audit" : "");
> -
> -		$$ = cod;
> -	};
> -
>  preamble: { /* nothing */ }
>  	| preamble alias { /* nothing */ };
>  	| preamble varassign { /* nothing */ };
> diff --git a/parser/tst/simple_tests/profile/profile_ns_ok1.sd b/parser/tst/simple_tests/profile/profile_ns_ok1.sd
> index e3cc5e1..cc0f682 100644
> --- a/parser/tst/simple_tests/profile/profile_ns_ok1.sd
> +++ b/parser/tst/simple_tests/profile/profile_ns_ok1.sd
> @@ -17,3 +17,38 @@
>    /bin/echo uxuxuxuxux,
>  }
>  
> +profile :foo:/does/not/exist2 {
> +  #include <includes/base>
> +
> +  /usr/X11R6/lib/lib*so* rrr,
> +  /does/not/exist r,
> +  /var/log/messages www,
> +  /tmp/sd*.foo rwrwwrll,
> +  /bin/cat pxpxpxpxpx,
> +  /bin/ls ixixixix,
> +  /bin/echo uxuxuxuxux,
> +}
> +
> +:foo:unattached {
> +  #include <includes/base>
> +
> +  /usr/X11R6/lib/lib*so* rrr,
> +  /does/not/exist r,
> +  /var/log/messages www,
> +  /tmp/sd*.foo rwrwwrll,
> +  /bin/cat pxpxpxpxpx,
> +  /bin/ls ixixixix,
> +  /bin/echo uxuxuxuxux,
> +}
> +
> +profile :foo:unattached {
> +  #include <includes/base>
> +
> +  /usr/X11R6/lib/lib*so* rrr,
> +  /does/not/exist r,
> +  /var/log/messages www,
> +  /tmp/sd*.foo rwrwwrll,
> +  /bin/cat pxpxpxpxpx,
> +  /bin/ls ixixixix,
> +  /bin/echo uxuxuxuxux,
> +}
> \ No newline at end of file
> -- 
> 1.7.1
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/

