[apparmor] [PATCH 1/5] Merge profile and :namespace:profile parsing into a single rule. This also fixes a bug where the profile keyword was not allowed to precede profiles with a namespace declaration.
John Johansen
john.johansen at canonical.com
Tue Nov 30 05:18:57 GMT 2010
On 11/29/2010 12:07 PM, Steve Beattie wrote:
> On Tue, Nov 23, 2010 at 01:18:51AM -0800, John Johansen wrote:
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
> Acked-By: Steve Beattie <sbeattie at ubuntu.com>
>
> (Can you make sure parser/tst/simple_tests/profile/profile_ns_ok1.sd
> gets an ending newline?)
done
>
>> ---
>> parser/parser_yacc.y | 48 +++++++--------------
>> parser/tst/simple_tests/profile/profile_ns_ok1.sd | 35 +++++++++++++++
>> 2 files changed, 51 insertions(+), 32 deletions(-)
>>
>> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
>> index bf9bf08..4c0da5a 100644
>> --- a/parser/parser_yacc.y
>> +++ b/parser/parser_yacc.y
>> @@ -190,6 +190,7 @@ struct codomain *do_local_profile(struct codomain *cod, char *name, int mode, in
>> %type <boolean> opt_audit_flag
>> %type <boolean> opt_owner_flag
>> %type <boolean> opt_profile_flag
>> +%type <id> opt_namespace
>> %type <transition> opt_named_transition
>>
>> %%
>> @@ -210,19 +211,27 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
>> | TOK_PROFILE { $$ = 1; }
>> | hat_start { $$ = 2; }
>>
>> -profile: opt_profile_flag TOK_ID flags TOK_OPEN rules TOK_CLOSE
>> +opt_namespace: { /* nothing */ $$ = NULL; }
>> +| TOK_COLON TOK_ID TOK_COLON { fprintf(stderr, "namespace %s\n", $2); $$ = $2; }
>> +
>> +profile: opt_profile_flag opt_namespace TOK_ID flags TOK_OPEN rules TOK_CLOSE
>> {
>> - struct codomain *cod = $5;
>> - PDEBUG("Matched: id (%s) open rules close\n", $2);
>> + struct codomain *cod = $6;
>> + if ($2)
>> + PDEBUG("Matched: id (%s://%s) open rules close\n", $2, $3);
>> + else
>> + PDEBUG("Matched: id (%s) open rules close\n", $3);
>> +
>> if (!cod) {
>> yyerror(_("Memory allocation error."));
>> }
>>
>> - if (!$1 && $2[0] != '/')
>> - yyerror(_("Profile names must begin with a '/', or keyword 'profile' or 'hat'."));
>> + if ($3[0] != '/' && !($1 || $2))
>> + yyerror(_("Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."));
>>
>> - cod->name = $2;
>> - cod->flags = $3;
>> + cod->namespace = $2;
>> + cod->name = $3;
>> + cod->flags = $4;
>> if (force_complain)
>> cod->flags.complain = 1;
>> if ($1 == 2)
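Review bot: The `fprintf(stderr, "namespace %s\n", $2);` in the new opt_namespace action is an unconditional write to stderr, so every load of a `:ns:` profile emits a line regardless of debug settings; this reads as leftover debugging rather than intended output. Use the file's debug macro instead, `| TOK_COLON TOK_ID TOK_COLON { PDEBUG("namespace %s\n", $2); $$ = $2; }`, or drop it entirely since the profile action already logs the namespace via PDEBUG a few lines below. Separately, that PDEBUG prints the pair as `%s://%s` while the rule being replaced printed `%s:%s` and the accepted syntax is `:ns:name`; if the `//` is not deliberate, `"Matched: id (:%s:%s) open rules close\n"` would match what the parser actually consumed. The profile action's remaining lines (the hat-flag assignment, post_process_nt_entries and the final `$$ = cod;`) continue past this hunk.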
>> @@ -237,31 +246,6 @@ profile: opt_profile_flag TOK_ID flags TOK_OPEN rules TOK_CLOSE
>> $$ = cod;
>> };
>>
>> -profile: opt_profile_flag TOK_COLON TOK_ID TOK_COLON TOK_ID flags TOK_OPEN rules TOK_CLOSE
>> - {
>> - struct codomain *cod = $8;
>> - PDEBUG("Matched: id (%s:%s) open rules close\n", $3, $5);
>> - if (!cod) {
>> - yyerror(_("Memory allocation error."));
>> - }
>> -
>> - cod->namespace = $3;
>> - cod->name = $5;
>> - cod->flags = $6;
>> - if (force_complain)
>> - cod->flags.complain = 1;
>> - if ($1 == 2)
>> - cod->flags.hat = 1;
>> -
>> - post_process_nt_entries(cod);
>> - PDEBUG("%s: flags='%s%s'\n",
>> - $3,
>> - cod->flags.complain ? "complain, " : "",
>> - cod->flags.audit ? "audit" : "");
>> -
>> - $$ = cod;
>> - };
>> -
>> preamble: { /* nothing */ }
>> | preamble alias { /* nothing */ };
>> | preamble varassign { /* nothing */ };
>> diff --git a/parser/tst/simple_tests/profile/profile_ns_ok1.sd b/parser/tst/simple_tests/profile/profile_ns_ok1.sd
>> index e3cc5e1..cc0f682 100644
>> --- a/parser/tst/simple_tests/profile/profile_ns_ok1.sd
>> +++ b/parser/tst/simple_tests/profile/profile_ns_ok1.sd
>> @@ -17,3 +17,38 @@
>> /bin/echo uxuxuxuxux,
>> }
>>
>> +profile :foo:/does/not/exist2 {
>> + #include <includes/base>
>> +
>> + /usr/X11R6/lib/lib*so* rrr,
>> + /does/not/exist r,
>> + /var/log/messages www,
>> + /tmp/sd*.foo rwrwwrll,
>> + /bin/cat pxpxpxpxpx,
>> + /bin/ls ixixixix,
>> + /bin/echo uxuxuxuxux,
>> +}
>> +
>> +:foo:unattached {
>> + #include <includes/base>
>> +
>> + /usr/X11R6/lib/lib*so* rrr,
>> + /does/not/exist r,
>> + /var/log/messages www,
>> + /tmp/sd*.foo rwrwwrll,
>> + /bin/cat pxpxpxpxpx,
>> + /bin/ls ixixixix,
>> + /bin/echo uxuxuxuxux,
>> +}
>> +
>> +profile :foo:unattached {
>> + #include <includes/base>
>> +
>> + /usr/X11R6/lib/lib*so* rrr,
>> + /does/not/exist r,
>> + /var/log/messages www,
>> + /tmp/sd*.foo rwrwwrll,
>> + /bin/cat pxpxpxpxpx,
>> + /bin/ls ixixixix,
>> + /bin/echo uxuxuxuxux,
>> +}
>> \ No newline at end of file
>> --
>> 1.7.1
>>
>>
>