[apparmor] [PATCH 06/10] From f5898cf8e0b2d9b032e349be6f7e4f57a6e12768 Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen at canonical.com> Date: Sat, 3 Nov 2012 08:19:47 -0700 Subject: [PATCH 06/10] Convert the parser to C++
Seth Arnold
seth.arnold at canonical.com
Thu Jul 25 22:59:10 UTC 2013
On Sun, Jul 21, 2013 at 10:32:49PM -0700, John Johansen wrote:
> This conversion is nothing more than what is required to get it to
> compile. Further improvements will come as the code is refactored.
>
> Unfortunately due to C++ not supporting designated initializers, the auto
> generation of af names needed to be reworked, and "netlink" and "unix"
> domain socket keywords leaked in. Since these were going to be added in
> separate patches I have not bothered to do the extra work to replace them
> with a temporary placeholder.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
with a few whitespace-only changes suggested inline.
> ---
> common/Make.rules | 4 +-
> parser/Makefile | 36 +++++-----
> parser/lib.c | 10 +--
> parser/libapparmor_re/aare_rules.cc | 12 ++--
> parser/libapparmor_re/apparmor_re.h | 61 ++++++++---------
> parser/mount.c | 6 +-
> parser/parser.h | 10 +--
> parser/parser_alias.c | 31 +++++----
> parser/parser_common.c | 4 +-
> parser/parser_include.c | 2 +-
> parser/parser_interface.c | 42 ++++++------
> parser/parser_lex.l | 6 +-
> parser/parser_main.c | 13 ++--
> parser/parser_merge.c | 10 +--
> parser/parser_misc.c | 82 ++++++++++++----------
> parser/parser_policy.c | 30 ++++-----
> parser/parser_regex.c | 8 +--
> parser/parser_symtab.c | 86 ++++++++++++------------
> parser/parser_variable.c | 24 +++----
> parser/parser_yacc.y | 48 ++++++-------
> parser/tst/simple_tests/network/network_bad_5.sd | 7 --
> parser/tst/simple_tests/network/network_bad_6.sd | 7 --
> parser/tst/simple_tests/network/network_ok_5.sd | 7 ++
> parser/tst/simple_tests/network/network_ok_6.sd | 7 ++
> 24 files changed, 281 insertions(+), 272 deletions(-)
> delete mode 100644 parser/tst/simple_tests/network/network_bad_5.sd
> delete mode 100644 parser/tst/simple_tests/network/network_bad_6.sd
> create mode 100644 parser/tst/simple_tests/network/network_ok_5.sd
> create mode 100644 parser/tst/simple_tests/network/network_ok_6.sd
>
> diff --git a/common/Make.rules b/common/Make.rules
> index 52a45d5..3f6031e 100644
> --- a/common/Make.rules
> +++ b/common/Make.rules
> @@ -193,12 +193,12 @@ list_capabilities: /usr/include/linux/capability.h
> # to mediate. We use PF_ here since that is what is required in
> # bits/socket.h, but we will rewrite these as AF_.
>
> -FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
> +FILTER_FAMILIES=PF_UNIX
>
> __FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
>
> # emits the AF names in a "AF_NAME NUMBER," pattern
> -AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
> +AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
>
> .PHONY: list_af_names
> list_af_names:
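Review bot: After this change `FILTER_FAMILIES` no longer lists families that are excluded from mediation, which is what the comment above the pipeline still says; it now exists to drop the PF_UNIX alias so that only the `s/PF_LOCAL/PF_UNIX/`-renamed line survives for value 1. The comment should say so, e.g. `# PF_UNIX aliases PF_LOCAL: drop it so each number appears once, then spell PF_LOCAL as the AF_UNIX the parser expects`. Because af_names.h is consumed as a positional initializer once `AA_GEN_NET_ENT` stops using `[AF] =`, a duplicated or missing number in this output silently shifts every later family name, which is worth stating next to the sed pipeline as well.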
> diff --git a/parser/Makefile b/parser/Makefile
> index f859f0e..3c205f1 100644
> --- a/parser/Makefile
> +++ b/parser/Makefile
> @@ -40,11 +40,11 @@ LEXFLAGS = -B -v
> WARNINGS = -Wall
> EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
> CXX_WARNINGS = ${WARNINGS} $(shell for warning in ${EXTRA_WARNINGS} ; do \
> - if ${CC} $${warning} -S -o /dev/null -xc /dev/null >/dev/null 2>&1; then \
> + if ${CXX} $${warning} -S -o /dev/null -xc /dev/null >/dev/null 2>&1; then \
> echo "$${warning}"; \
> fi ; \
> done)
> -CPP_WARNINGS = -Wstrict-prototypes -Wnested-externs
> +CPP_WARNINGS =
> ifndef CFLAGS
> CFLAGS = -g -O2 -pipe
>
> @@ -163,49 +163,49 @@ parser_lex.c: parser_lex.l parser_yacc.h parser.h
> $(LEX) ${LEXFLAGS} -o$@ $<
>
> parser_lex.o: parser_lex.c parser.h parser_yacc.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_misc.o: parser_misc.c parser.h parser_yacc.h af_names.h cap_names.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_yacc.o: parser_yacc.c parser_yacc.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_main.o: parser_main.c parser.h parser_version.h libapparmor_re/apparmor_re.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_interface.o: parser_interface.c parser.h libapparmor_re/apparmor_re.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_include.o: parser_include.c parser.h parser_include.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_merge.o: parser_merge.c parser.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_regex.o: parser_regex.c parser.h libapparmor_re/apparmor_re.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_symtab.o: parser_symtab.c parser.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_variable.o: parser_variable.c parser.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_policy.o: parser_policy.c parser.h parser_yacc.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_alias.o: parser_alias.c parser.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_common.o: parser_common.c parser.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> mount.o: mount.c mount.h parser.h immunix.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> lib.o: lib.c lib.h parser.h
> - $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
> + $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
>
> parser_version.h: Makefile
> @echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
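Review bot: Fifteen rules in this hunk carry the identical recipe `$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<` and differ only in their header prerequisites, which is why the CC→CXX switch had to be repeated fifteen times and any future flag change will be too. A single pattern rule can hold the recipe while each object's header dependencies stay as prerequisite-only lines; this also keeps the built-in `%.o: %.c` rule, which still uses `$(CC)`, from being picked up for any object that is not listed explicitly — assuming the Makefile does not already disable built-in rules, which is not visible in the patch. The recipe itself is unchanged; only the duplication goes.
```make
# One recipe for every object built from a .c source (compiled as C++ now).
# Per-object header dependencies are listed below without a recipe.
%.o: %.c
	$(CXX) $(EXTRA_CFLAGS) -c -o $@ $<

parser_lex.o: parser_lex.c parser.h parser_yacc.h
parser_misc.o: parser_misc.c parser.h parser_yacc.h af_names.h cap_names.h
# … unchanged: remaining per-object header prerequisites, recipes dropped …
```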
> @@ -225,7 +225,7 @@ cap_names.h: /usr/include/linux/capability.h
> echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
>
> tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
> - $(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)
> + $(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)
>
> .SILENT: check
> .PHONY: check
> diff --git a/parser/lib.c b/parser/lib.c
> index c4a917b..6f6f110 100644
> --- a/parser/lib.c
> +++ b/parser/lib.c
> @@ -70,11 +70,13 @@ int dirat_for_each(DIR *dir, const char *name, void *data,
> }
>
> if (dir && (!name || *name != '/')) {
> - dirent = malloc(offsetof(struct dirent, d_name) +
> - fpathconf(dirfd(dir), _PC_NAME_MAX) + 1);
> + dirent = (struct dirent *)
> + malloc(offsetof(struct dirent, d_name) +
> + fpathconf(dirfd(dir), _PC_NAME_MAX) + 1);
> } else {
> - dirent = malloc(offsetof(struct dirent, d_name) +
> - pathconf(name, _PC_NAME_MAX) + 1);
> + dirent = (struct dirent *)
> + malloc(offsetof(struct dirent, d_name) +
> + pathconf(name, _PC_NAME_MAX) + 1);
> }
> if (!dirent) {
> PDEBUG("could not alloc dirent");
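Review bot: Both rewritten `malloc` calls add the return value of `fpathconf`/`pathconf` straight into the size, and those calls return -1 when the limit is indeterminate or on error, so the allocation then shrinks to `offsetof(struct dirent, d_name)` bytes — room for no name at all — and whatever later fills `d_name` writes past the block. Take the limit into a variable, fall back to `NAME_MAX` (from `<limits.h>`) when it is negative, and allocate once. `dirat_for_each` begins and ends outside this hunk; the rest of the function is unchanged.
```c
	long name_max;
	if (dir && (!name || *name != '/'))
		name_max = fpathconf(dirfd(dir), _PC_NAME_MAX);
	else
		name_max = pathconf(name, _PC_NAME_MAX);
	/* -1 means "no limit" or an error; use the compile-time bound instead */
	if (name_max < 0)
		name_max = NAME_MAX;
	dirent = (struct dirent *) malloc(offsetof(struct dirent, d_name) + name_max + 1);
	/* … unchanged: NULL check and PDEBUG … */
```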
> diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
> index d40591d..a752096 100644
> --- a/parser/libapparmor_re/aare_rules.cc
> +++ b/parser/libapparmor_re/aare_rules.cc
> @@ -39,7 +39,7 @@ struct aare_ruleset {
> Node *root;
> };
>
> -extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
> +aare_ruleset_t *aare_new_ruleset(int reverse)
> {
> aare_ruleset_t *container = (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
> if (!container)
> @@ -51,7 +51,7 @@ extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
> return container;
> }
>
> -extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
> +void aare_delete_ruleset(aare_ruleset_t *rules)
> {
> if (rules) {
> if (rules->root)
> @@ -62,7 +62,7 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
> aare_reset_matchflags();
> }
>
> -extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
> +int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
> uint32_t perms, uint32_t audit, dfaflags_t flags)
> {
> return aare_add_rule_vec(rules, deny, perms, audit, 1, &rule, flags);
> @@ -76,7 +76,7 @@ DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
> MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o */
> ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux *u::o */
>
> -extern "C" void aare_reset_matchflags(void)
> +void aare_reset_matchflags(void)
> {
> uint32_t i, j;
> #define RESET_FLAGS(group, size) { \
> @@ -94,7 +94,7 @@ extern "C" void aare_reset_matchflags(void)
> #undef RESET_FLAGS
> }
>
> -extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
> +int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
> uint32_t perms, uint32_t audit,
> int count, char **rulev, dfaflags_t flags)
> {
> @@ -243,7 +243,7 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
> * returns: buffer contain dfa tables, @size set to the size of the tables
> * else NULL on failure
> */
> -extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
> +void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
> dfaflags_t flags)
> {
> char *buffer = NULL;
> diff --git a/parser/libapparmor_re/apparmor_re.h b/parser/libapparmor_re/apparmor_re.h
> index 186899c..420d9ce 100644
> --- a/parser/libapparmor_re/apparmor_re.h
> +++ b/parser/libapparmor_re/apparmor_re.h
> @@ -19,36 +19,37 @@
> #ifndef APPARMOR_RE_H
> #define APPARMOR_RE_H
>
> -typedef enum dfaflags {
> - DFA_CONTROL_EQUIV = 1 << 0,
> - DFA_CONTROL_TREE_NORMAL = 1 << 1,
> - DFA_CONTROL_TREE_SIMPLE = 1 << 2,
> - DFA_CONTROL_TREE_LEFT = 1 << 3,
> - DFA_CONTROL_MINIMIZE = 1 << 4,
> - DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,
> - DFA_CONTROL_FILTER_DENY = 1 << 6,
> - DFA_CONTROL_REMOVE_UNREACHABLE = 1 << 7,
> - DFA_CONTROL_TRANS_HIGH = 1 << 8,
> +typedef int dfaflags_t;
>
> - DFA_DUMP_MIN_PARTS = 1 << 13,
> - DFA_DUMP_UNIQ_PERMS = 1 << 14,
> - DFA_DUMP_MIN_UNIQ_PERMS = 1 << 15,
> - DFA_DUMP_TREE_STATS = 1 << 16,
> - DFA_DUMP_TREE = 1 << 17,
> - DFA_DUMP_SIMPLE_TREE = 1 << 18,
> - DFA_DUMP_PROGRESS = 1 << 19,
> - DFA_DUMP_STATS = 1 << 20,
> - DFA_DUMP_STATES = 1 << 21,
> - DFA_DUMP_GRAPH = 1 << 22,
> - DFA_DUMP_TRANS_PROGRESS = 1 << 23,
> - DFA_DUMP_TRANS_STATS = 1 << 24,
> - DFA_DUMP_TRANS_TABLE = 1 << 25,
> - DFA_DUMP_EQUIV = 1 << 26,
> - DFA_DUMP_EQUIV_STATS = 1 << 27,
> - DFA_DUMP_MINIMIZE = 1 << 28,
> - DFA_DUMP_UNREACHABLE = 1 << 29,
> - DFA_DUMP_RULE_EXPR = 1 << 30,
> - DFA_DUMP_NODE_TO_DFA = 1 << 31,
> -} dfaflags_t;
> +
> +#define DFA_CONTROL_EQUIV (1 << 0)
> +#define DFA_CONTROL_TREE_NORMAL (1 << 1)
> +#define DFA_CONTROL_TREE_SIMPLE (1 << 2)
> +#define DFA_CONTROL_TREE_LEFT (1 << 3)
> +#define DFA_CONTROL_MINIMIZE (1 << 4)
> +#define DFA_CONTROL_MINIMIZE_HASH_TRANS (1 << 5)
> +#define DFA_CONTROL_FILTER_DENY (1 << 6)
> +#define DFA_CONTROL_REMOVE_UNREACHABLE (1 << 7)
> +#define DFA_CONTROL_TRANS_HIGH (1 << 8)
> +
> +#define DFA_DUMP_MIN_PARTS (1 << 13)
> +#define DFA_DUMP_UNIQ_PERMS (1 << 14)
> +#define DFA_DUMP_MIN_UNIQ_PERMS (1 << 15)
> +#define DFA_DUMP_TREE_STATS (1 << 16)
> +#define DFA_DUMP_TREE (1 << 17)
> +#define DFA_DUMP_SIMPLE_TREE (1 << 18)
> +#define DFA_DUMP_PROGRESS (1 << 19)
> +#define DFA_DUMP_STATS (1 << 20)
> +#define DFA_DUMP_STATES (1 << 21)
> +#define DFA_DUMP_GRAPH (1 << 22)
> +#define DFA_DUMP_TRANS_PROGRESS (1 << 23)
> +#define DFA_DUMP_TRANS_STATS (1 << 24)
> +#define DFA_DUMP_TRANS_TABLE (1 << 25)
> +#define DFA_DUMP_EQUIV (1 << 26)
> +#define DFA_DUMP_EQUIV_STATS (1 << 27)
> +#define DFA_DUMP_MINIMIZE (1 << 28)
> +#define DFA_DUMP_UNREACHABLE (1 << 29)
> +#define DFA_DUMP_RULE_EXPR (1 << 30)
> +#define DFA_DUMP_NODE_TO_DFA (1 << 31)
>
> #endif /* APPARMOR_RE_H */
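Review bot: With `dfaflags_t` now a plain `int`, `#define DFA_DUMP_NODE_TO_DFA (1 << 31)` shifts a signed 1 into the sign bit, which relies on overflow behaviour the C and C++ standards leave undefined, and any variable holding that flag becomes negative. These are pure bit flags, so `typedef unsigned int dfaflags_t;` together with `#define DFA_DUMP_NODE_TO_DFA (1U << 31)` (or `1U` throughout) states the intent and is well-defined; the `(dfaflags_t)(…)` cast added in parser_common.c compiles either way. A one-line comment above the typedef explaining why the enum was dropped — C++ will not let `|=` store an or-ed combination back into an enum — would save the next reader from restoring it.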
> diff --git a/parser/mount.c b/parser/mount.c
> index d446d29..21d8576 100644
> --- a/parser/mount.c
> +++ b/parser/mount.c
> @@ -220,7 +220,7 @@
> #include "mount.h"
>
> struct mnt_keyword_table {
> - char *keyword;
> + const char *keyword;
> unsigned int set;
> unsigned int clear;
> };
> @@ -272,8 +272,8 @@ static struct mnt_keyword_table mnt_opts_table[] = {
> {"iversion", MS_IVERSION, 0},
> {"noiversion", 0, MS_IVERSION},
> {"strictatime", MS_STRICTATIME, 0},
> - {"user", 0, MS_NOUSER},
> - {"nouser", MS_NOUSER, 0},
> + {"user", 0, (unsigned int) MS_NOUSER},
> + {"nouser", (unsigned int) MS_NOUSER, 0},
>
> {NULL, 0, 0}
> };
> diff --git a/parser/parser.h b/parser/parser.h
> index 3b4ac63..733e629 100644
> --- a/parser/parser.h
> +++ b/parser/parser.h
> @@ -52,7 +52,7 @@ struct flagval {
>
> struct named_transition {
> int present;
> - char *namespace;
> + char *ns;
> char *name;
> };
>
> @@ -75,7 +75,7 @@ struct cond_entry {
> };
>
> struct cod_entry {
> - char *namespace;
> + char *ns;
> char *name;
> char *link_name;
> char *nt_name;
> @@ -115,7 +115,7 @@ struct alt_name {
> };
>
> struct codomain {
> - char *namespace;
> + char *ns;
> char *name; /* codomain name */
> char *attachment;
> struct alt_name *altnames;
> @@ -279,7 +279,7 @@ extern dfaflags_t dfaflags;
> extern char *progname;
> extern char *subdomainbase;
> extern char *profilename;
> -extern char *profile_namespace;
> +extern char *profile_ns;
> extern char *current_filename;
> extern FILE *ofile;
> extern int read_implies_exec;
> @@ -330,7 +330,7 @@ extern int name_to_capability(const char *keyword);
> extern int get_rlimit(const char *name);
> extern char *process_var(const char *var);
> extern int parse_mode(const char *mode);
> -extern struct cod_entry *new_entry(char *namespace, char *id, int mode,
> +extern struct cod_entry *new_entry(char *ns, char *id, int mode,
> char *link_id);
> extern struct aa_network_entry *new_network_ent(unsigned int family,
> unsigned int type,
> diff --git a/parser/parser_alias.c b/parser/parser_alias.c
> index 00a4ced..aee882e 100644
> --- a/parser/parser_alias.c
> +++ b/parser/parser_alias.c
> @@ -50,7 +50,7 @@ int new_alias(const char *from, const char *to)
> {
> struct alias_rule *alias, **result;
>
> - alias = calloc(1, sizeof(struct alias_rule));
> + alias = (struct alias_rule *) calloc(1, sizeof(struct alias_rule));
> if (!alias) {
> PERROR("Failed to allocate memory: %s\n", strerror(errno));
> goto fail;
> @@ -95,14 +95,14 @@ fail:
> static char *do_alias(struct alias_rule *alias, const char *target)
> {
> int len = strlen(target) - strlen(alias->from) + strlen(alias->to);
> - char *new = malloc(len + 1);
> - if (!new) {
> + char *n = (char *) malloc(len + 1);
> + if (!n) {
> PERROR("Failed to allocate memory: %s\n", strerror(errno));
> return NULL;
> }
> - sprintf(new, "%s%s", alias->to, target + strlen(alias->from));
> + sprintf(n, "%s%s", alias->to, target + strlen(alias->from));
> /*fprintf(stderr, "replaced alias: from: %s, to: %s, name: %s\n %s\n", alias->from, alias->to, target, new);*/
> - return new;
> + return n;
> }
>
> static struct codomain *target_cod;
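Review bot: The commented-out `fprintf` on the line before `return n;` still refers to `new`, which no longer exists after the rename, so it would not compile if anyone re-enabled it; commented-out code like this is better deleted than carried through a rename. While the line is being touched, `sprintf(n, "%s%s", …)` could become `snprintf(n, len + 1, "%s%s", …)` so the size computed two lines earlier is enforced rather than assumed.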
> @@ -123,22 +123,22 @@ static void process_entries(const void *nodep, VISIT value, int __unused level)
> entry->alias_ignore)
> continue;
> if (entry->name && strncmp((*t)->from, entry->name, len) == 0) {
> - char *new = do_alias(*t, entry->name);
> - if (!new)
> + char *n = do_alias(*t, entry->name);
> + if (!n)
> return;
> dup = copy_cod_entry(entry);
> free(dup->name);
> - dup->name = new;
> + dup->name = n;
> }
> if (entry->link_name &&
> strncmp((*t)->from, entry->link_name, len) == 0) {
> - char *new = do_alias(*t, entry->link_name);
> - if (!new)
> + char *n = do_alias(*t, entry->link_name);
> + if (!n)
> return;
> if (!dup)
> dup = copy_cod_entry(entry);
> free(dup->link_name);
> - dup->link_name = new;
> + dup->link_name = n;
> }
> if (dup) {
> dup->alias_ignore = 1;
> @@ -152,7 +152,6 @@ static void process_entries(const void *nodep, VISIT value, int __unused level)
> }
> }
>
> -static struct codomain *target_cod;
> static void process_name(const void *nodep, VISIT value, int __unused level)
> {
> struct alias_rule **t = (struct alias_rule **) nodep;
> @@ -172,14 +171,14 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
>
> if (name && strncmp((*t)->from, name, len) == 0) {
> struct alt_name *alt;
> - char *new = do_alias(*t, name);
> - if (!new)
> + char *n = do_alias(*t, name);
> + if (!n)
> return;
> /* aliases create alternate names */
> - alt = calloc(1, sizeof(struct alt_name));
> + alt = (struct alt_name *) calloc(1, sizeof(struct alt_name));
> if (!alt)
> return;
> - alt->name = new;
> + alt->name = n;
> alt->next = cod->altnames;
> cod->altnames = alt;
> }
> diff --git a/parser/parser_common.c b/parser/parser_common.c
> index bf4dd41..e8b20f0 100644
> --- a/parser/parser_common.c
> +++ b/parser/parser_common.c
> @@ -34,11 +34,11 @@ int names_only = 0;
> int current_lineno = 1;
> int option = OPTION_ADD;
>
> -dfaflags_t dfaflags = DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS;
> +dfaflags_t dfaflags = (dfaflags_t)(DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS);
>
> char *subdomainbase = NULL;
> char *progname = __FILE__;
> -char *profile_namespace = NULL;
> +char *profile_ns = NULL;
> char *profilename = NULL;
> char *current_filename = NULL;
>
> diff --git a/parser/parser_include.c b/parser/parser_include.c
> index f143353..697fad3 100644
> --- a/parser/parser_include.c
> +++ b/parser/parser_include.c
> @@ -291,7 +291,7 @@ void push_include_stack(char *filename)
> {
> struct include_stack_t *include = NULL;
>
> - include = malloc(sizeof(*include));
> + include = (struct include_stack_t *) malloc(sizeof(*include));
> if (!include) {
> perror("malloc of included file stack tracker");
> /* failures in this area are non-fatal */
> diff --git a/parser/parser_interface.c b/parser/parser_interface.c
> index 5c2b486..77f3d2e 100644
> --- a/parser/parser_interface.c
> +++ b/parser/parser_interface.c
> @@ -214,7 +214,7 @@ struct __sdserialize {
>
> sd_serialize *alloc_sd_serial(void)
> {
> - sd_serialize *p = calloc(1, sizeof(sd_serialize));
> + sd_serialize *p = (sd_serialize *) calloc(1, sizeof(sd_serialize));
> if (!p)
> return NULL;
> p->buffer = malloc(BUFFERINC);
> @@ -255,7 +255,7 @@ static inline void sd_inc(sd_serialize *p, int size)
>
> inline long sd_serial_size(sd_serialize *p)
> {
> - return (p->pos - p->buffer);
> + return (long) (p->pos) - (long) (p->buffer);
> }
>
> /* routines for writing data to the serialization buffer */
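Review bot: The `(long)` casts on the changed line subtract two pointers as integers; the language's own form is a `char *` difference yielding `ptrdiff_t`, e.g. `return (char *) p->pos - (char *) p->buffer;`, which reads as a pointer difference and does not assume `long` is pointer-sized. The same idiom recurs in sd_prepare_write, sd_write_aligned_blob and the `size =` line of sd_serialize_codomain later in this patch. The casts appear to exist because `p->buffer` is a `void *` (`p->buffer = malloc(BUFFERINC)` above takes no cast) on which C++ does no arithmetic; the `buffer + pos` and `p->extent = buffer + …` lines in sd_prepare_write have the same problem and compile only as a GNU extension.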
> @@ -265,14 +265,14 @@ inline int sd_prepare_write(sd_serialize *p, enum sd_code code, size_t size)
> if (p->pos + SD_CODE_SIZE + size > p->extent) {
> long pos;
> /* try and reallocate the buffer */
> - void *buffer = malloc(p->extent - p->buffer + (BUFFERINC * num));
> - memcpy(buffer, p->buffer, p->extent - p->buffer);
> + void *buffer = malloc((long)(p->extent) - (long)(p->buffer) + (BUFFERINC * num));
> + memcpy(buffer, p->buffer, (long)(p->extent) - (long)(p->buffer));
>
> - pos = p->pos - p->buffer;
> + pos = (long)(p->pos) - (long)(p->buffer);
> if (buffer == NULL || errno == ENOMEM)
> return 0;
>
> - p->extent = buffer + (p->extent - p->buffer) + (BUFFERINC * num);
> + p->extent = buffer + ((long)(p->extent) - (long)(p->buffer)) + (BUFFERINC * num);
> free(p->buffer);
> p->buffer = buffer;
> p->pos = buffer + pos;
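Review bot: On the rewritten `memcpy` line the new block is copied into before the `if (buffer == NULL || errno == ENOMEM)` test two lines later, so an allocation failure dereferences NULL instead of returning 0; the check must precede the copy: `void *buffer = malloc(…); if (!buffer) return 0; memcpy(buffer, p->buffer, …);`. The `errno == ENOMEM` clause also tests a value nothing on this path has reset, so a stale errno from an earlier call would make a successful allocation report failure and leak the new block; testing the pointer alone is sufficient. The function continues beyond the hunk.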
> @@ -367,7 +367,7 @@ inline int sd_write_aligned_blob(sd_serialize *p, void *b, int buf_size,
> u32 tmp;
> if (!sd_write_name(p, name))
> return 0;
> - pad = align64((p->pos + 5) - p->buffer) - ((p->pos + 5) - p->buffer);
> + pad = align64(((long)(p->pos + 5) - (long)(p->buffer)) - ((long)(p->pos + 5) - (long)(p->buffer)));
> if (!sd_prepare_write(p, SD_BLOB, 4 + buf_size + pad))
> return 0;
> tmp = cpu_to_le32(buf_size + pad);
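Review bot: The rewritten `pad` line no longer computes what the removed one did: the closing parenthesis of `align64(…)` moved to the end of the statement, so the call now receives `X - X` for the same `X` and `pad` becomes the alignment of zero for every blob, where the old code took `align64(X) - X`. Since `pad` feeds both `sd_prepare_write` and the `cpu_to_le32(buf_size + pad)` length written into the serialized profile, this silently changes the blob layout handed to the kernel. The intended expression with the casts is `pad = align64((long)(p->pos + 5) - (long)(p->buffer)) - ((long)(p->pos + 5) - (long)(p->buffer));`, or the same with a `char *` difference instead of `(long)`.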
> @@ -555,7 +555,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
> assert(profile->parent);
> int res;
>
> - char *name = malloc(3 + strlen(profile->name) +
> + char *name = (char *) malloc(3 + strlen(profile->name) +
> strlen(profile->parent->name));
> if (!name)
> return 0;
> @@ -696,11 +696,11 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
> if (!sd_write32(p, version))
> return 0;
>
> - if (profile_namespace) {
> - if (!sd_write_string(p, profile_namespace, "namespace"))
> + if (profile_ns) {
> + if (!sd_write_string(p, profile_ns, "namespace"))
> return 0;
> - } else if (profile->namespace) {
> - if (!sd_write_string(p, profile->namespace, "namespace"))
> + } else if (profile->ns) {
> + if (!sd_write_string(p, profile->ns, "namespace"))
> return 0;
> }
>
> @@ -760,15 +760,15 @@ int sd_serialize_codomain(int option, struct codomain *cod)
> char *name, *ns = NULL;
> int len = 0;
>
> - if (profile_namespace) {
> - len += strlen(profile_namespace) + 2;
> - ns = profile_namespace;
> - } else if (cod->namespace) {
> - len += strlen(cod->namespace) + 2;
> - ns = cod->namespace;
> + if (profile_ns) {
> + len += strlen(profile_ns) + 2;
> + ns = profile_ns;
> + } else if (cod->ns) {
> + len += strlen(cod->ns) + 2;
> + ns = cod->ns;
> }
> if (cod->parent) {
> - name = malloc(strlen(cod->name) + 3 +
> + name = (char *) malloc(strlen(cod->name) + 3 +
> strlen(cod->parent->name) + len);
> if (!name) {
> PERROR(_("Memory Allocation Error: Unable to remove ^%s\n"), cod->name);
> @@ -782,7 +782,7 @@ int sd_serialize_codomain(int option, struct codomain *cod)
> sprintf(name, "%s//%s", cod->parent->name,
> cod->name);
> } else if (ns) {
> - name = malloc(len + strlen(cod->name) + 1);
> + name = (char *) malloc(len + strlen(cod->name) + 1);
> if (!name) {
> PERROR(_("Memory Allocation Error: Unable to remove %s:%s."), ns, cod->name);
> error = -errno;
> @@ -818,7 +818,7 @@ int sd_serialize_codomain(int option, struct codomain *cod)
> goto exit;
> }
>
> - size = work_area->pos - work_area->buffer;
> + size = (long) (work_area->pos) - (long)(work_area->buffer);
> if (kernel_load || option == OPTION_STDOUT || option == OPTION_OFILE) {
> wsize = write(fd, work_area->buffer, size);
> if (wsize < 0) {
> diff --git a/parser/parser_lex.l b/parser/parser_lex.l
> index 1b14625..6150141 100644
> --- a/parser/parser_lex.l
> +++ b/parser/parser_lex.l
> @@ -91,10 +91,10 @@ do { \
> #define YY_NO_INPUT
>
> #define STATE_TABLE_ENT(X) [(X)] = #X
> -static const char *const state_names[];
> +/* static char *const state_names[]; */
>
> struct ignored_suffix_t {
> - char * text;
> + const char * text;
> int len;
> int silent;
> };
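Review bot: The forward declaration of `state_names` is kept as a comment instead of being removed, and the commented text (`static char *const state_names[];`) already differs from what was deleted (`static const char *const …`), so it documents neither the old declaration nor any future one. If the array is still defined later in the file (not visible here), delete the comment; if the declaration went because C++ rejects an incomplete array with internal linkage — presumably the reason — a one-line comment at the definition is the place to say so.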
> @@ -123,7 +123,7 @@ static int is_blacklisted(const char *name, const char *path)
> /* skip blacklisted suffixes */
> for (suffix = ignored_suffixes; suffix->text; suffix++) {
> char *found;
> - if ( (found = strstr(name, suffix->text)) &&
> + if ( (found = strstr((char *) name, suffix->text)) &&
> found - name + suffix->len == name_len ) {
> if (!suffix->silent)
> PERROR("Ignoring: '%s'\n", path);
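Review bot: The `(char *) name` cast on the changed line discards the `const` that the parameter carries only so the result fits the non-const `char *found` declared on the previous line; in C++ `strstr` has a `const char *` overload, so `const char *found;` removes the need for any cast and keeps the compiler's guarantee that `name` is not written through. In the visible lines `found` is used only in pointer arithmetic, so the change is local. `is_blacklisted` begins and continues outside the hunk.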
> diff --git a/parser/parser_main.c b/parser/parser_main.c
> index afbe78c..0069b2c 100644
> --- a/parser/parser_main.c
> +++ b/parser/parser_main.c
> @@ -64,7 +64,6 @@
> const char *parser_title = "AppArmor parser";
> const char *parser_copyright = "Copyright (C) 1999-2008 Novell Inc.\nCopyright 2009-2012 Canonical Ltd.";
>
> -char *progname;
> int opt_force_complain = 0;
> int binary_input = 0;
> int dump_vars = 0;
> @@ -520,7 +519,7 @@ static int process_arg(int c, char *optarg)
> conf_quiet = 0;
> break;
> case 'n':
> - profile_namespace = strdup(optarg);
> + profile_ns = strdup(optarg);
> break;
> case 'X':
> read_implies_exec = 1;
> @@ -793,7 +792,7 @@ static void get_match_string(void) {
> /* if we have a features directory default to */
> perms_create = 1;
>
> - flags_string = malloc(FLAGS_STRING_SIZE);
> + flags_string = (char *) malloc(FLAGS_STRING_SIZE);
> handle_features_dir(FLAGS_FILE, &flags_string, FLAGS_STRING_SIZE, flags_string);
> if (strstr(flags_string, "network"))
> kernel_supports_network = 1;
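Review bot: The cast is added on the `flags_string = (char *) malloc(FLAGS_STRING_SIZE)` line, but the result is still passed to `handle_features_dir` and `strstr` without a NULL check, unlike `match_string` in the next hunk of the same function, which does `if (!match_string) goto out;`. Adding `if (!flags_string) goto out;` directly after the allocation makes the two allocations consistent; whether `out` is the right label at this point depends on the lines between the hunks. `get_match_string` continues beyond this hunk.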
> @@ -808,7 +807,7 @@ static void get_match_string(void) {
> if (!ms)
> goto out;
>
> - match_string = malloc(1000);
> + match_string = (char *) malloc(1000);
> if (!match_string) {
> goto out;
> }
> @@ -845,7 +844,7 @@ static void get_flags_string(char **flags, char *flags_file) {
> if (!f)
> return;
>
> - *flags = malloc(FLAGS_STRING_SIZE);
> + *flags = (char *) malloc(FLAGS_STRING_SIZE);
> if (!*flags)
> goto fail;
>
> @@ -892,7 +891,7 @@ int process_binary(int option, char *profilename)
>
> do {
> if (asize - size == 0) {
> - buffer = realloc(buffer, chunksize);
> + buffer = (char *) realloc(buffer, chunksize);
Incorrect indent..
> asize = chunksize;
> chunksize <<= 1;
> if (!buffer) {
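Review bot: On the rewritten `realloc` line the result overwrites `buffer` before the `if (!buffer)` test below, so when the larger block cannot be obtained the only reference to the data read so far is lost and cannot be freed on the failure path; keep the old pointer until the call succeeds: `char *tmp = (char *) realloc(buffer, chunksize); if (!tmp) { free(buffer); /* existing failure handling */ } buffer = tmp;`. `chunksize <<= 1` also grows without an upper bound; whether the loop condition outside the hunk limits it cannot be seen here. `process_binary` continues past the hunk.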
> @@ -1049,7 +1048,7 @@ int process_profile(int option, char *profilename)
> * TODO: Add support for embedded namespace defines if they aren't
> * removed from the language.
> */
> - if (profile_namespace)
> + if (profile_ns)
> skip_cache = 1;
>
> /* Do secondary test to see if cached binary profile is good,
> diff --git a/parser/parser_merge.c b/parser/parser_merge.c
> index cc95a7b..3b0baea 100644
> --- a/parser/parser_merge.c
> +++ b/parser/parser_merge.c
> @@ -35,12 +35,12 @@ static int file_comp(const void *c1, const void *c2)
> int res = 0;
>
> //PERROR("strcmp %s %s\n", (*e1)->name, (*e2)->name);
> - if ((*e1)->namespace) {
> - if ((*e2)->namespace)
> - res = strcmp((*e1)->namespace, (*e2)->namespace);
> + if ((*e1)->ns) {
> + if ((*e2)->ns)
> + res = strcmp((*e1)->ns, (*e2)->ns);
> else
> return 1;
> - } else if ((*e2)->namespace) {
> + } else if ((*e2)->ns) {
> return -1;
> }
> if (res)
> @@ -87,7 +87,7 @@ static int process_file_entries(struct codomain *cod)
> if (count < 2)
> return 1;
>
> - table = malloc(sizeof(struct cod_entry *) * (count + 1));
> + table = (struct cod_entry **) malloc(sizeof(struct cod_entry *) * (count + 1));
> if (!table) {
> PERROR(_("Couldn't merge entries. Out of Memory\n"));
> return 0;
> diff --git a/parser/parser_misc.c b/parser/parser_misc.c
> index 8f52e6c..51a0768 100644
> --- a/parser/parser_misc.c
> +++ b/parser/parser_misc.c
> @@ -50,7 +50,7 @@
> #define NPDEBUG(fmt, args...) /* Do nothing */
>
> struct keyword_table {
> - char *keyword;
> + const char *keyword;
> int token;
> };
>
> @@ -160,11 +160,11 @@ int get_rlimit(const char *name)
> }
>
> struct network_tuple {
> - char *family_name;
> + const char *family_name;
> unsigned int family;
> - char *type_name;
> + const char *type_name;
> unsigned int type;
> - char *protocol_name;
> + const char *protocol_name;
> unsigned int protocol;
> };
>
> @@ -325,7 +325,7 @@ struct aa_network_entry *new_network_ent(unsigned int family,
> unsigned int protocol)
> {
> struct aa_network_entry *new_entry;
> - new_entry = calloc(1, sizeof(struct aa_network_entry));
> + new_entry = (struct aa_network_entry *) calloc(1, sizeof(struct aa_network_entry));
> if (new_entry) {
> new_entry->family = family;
> new_entry->type = type;
> @@ -553,13 +553,13 @@ static int parse_sub_mode(const char *str_mode, const char *mode_desc __unused)
>
> p = str_mode;
> while (*p) {
> - char this = *p;
> + char thisc = *p;
> char next = *(p + 1);
> char lower;
> int tmode = 0;
>
> reeval:
> - switch (this) {
> + switch (thisc) {
> case COD_READ_CHAR:
> if (read_implies_exec) {
> PDEBUG("Parsing mode: found %s READ imply X\n", mode_desc);
> @@ -617,7 +617,7 @@ reeval:
> PDEBUG("Parsing mode: found UNCONFINED\n");
> if (IS_DIFF_QUAL(mode, tmode)) {
> yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"),
> - this);
> + thisc);
> } else {
> if (next != tolower(next))
> warn_uppercase();
> @@ -633,7 +633,7 @@ reeval:
> /* fall through */
> case COD_PROFILE_CHAR:
> case COD_LOCAL_CHAR:
> - if (tolower(this) == COD_UNSAFE_PROFILE_CHAR)
> + if (tolower(thisc) == COD_UNSAFE_PROFILE_CHAR)
> tmode |= AA_EXEC_PROFILE | AA_MAY_EXEC;
> else
> {
> @@ -643,7 +643,7 @@ reeval:
> if (tolower(next) == COD_INHERIT_CHAR) {
> tmode |= AA_EXEC_INHERIT;
> if (IS_DIFF_QUAL(mode, tmode)) {
> - yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), this, next);
> + yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), thisc, next);
> } else {
> mode |= tmode;
> p += 2; /* skip x */
> @@ -651,13 +651,13 @@ reeval:
> } else if (tolower(next) == COD_UNSAFE_UNCONFINED_CHAR) {
> tmode |= AA_EXEC_PUX;
> if (IS_DIFF_QUAL(mode, tmode)) {
> - yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), this, next);
> + yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), thisc, next);
> } else {
> mode |= tmode;
> p += 2; /* skip x */
> }
> } else if (IS_DIFF_QUAL(mode, tmode)) {
> - yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), this);
> + yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), thisc);
>
> } else {
> if (next != tolower(next))
> @@ -674,7 +674,7 @@ reeval:
> break;
>
> case COD_EXEC_CHAR:
> - /* this is valid for deny rules, and named transitions
> + /* thisc is valid for deny rules, and named transitions
> * but invalid for regular x transitions
> * sort it out later.
> */
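Review bot: The mechanical rename of `this` to `thisc` also rewrote prose: the comment now reads `/* thisc is valid for deny rules, and named transitions`, where the original `this` was the English pronoun for the `COD_EXEC_CHAR` case, not the variable. Restore it to `/* this is valid for deny rules, and named transitions`, or make it unambiguous with `/* a bare x is valid for deny rules, and named transitions`.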
> @@ -684,7 +684,7 @@ reeval:
> /* error cases */
>
> default:
> - lower = tolower(this);
> + lower = tolower(thisc);
> switch (lower) {
> case COD_READ_CHAR:
> case COD_WRITE_CHAR:
> @@ -693,14 +693,14 @@ reeval:
> case COD_INHERIT_CHAR:
> case COD_MMAP_CHAR:
> case COD_EXEC_CHAR:
> - PDEBUG("Parsing mode: found invalid upper case char %c\n", this);
> + PDEBUG("Parsing mode: found invalid upper case char %c\n", thisc);
> warn_uppercase();
> - this = lower;
> + thisc = lower;
> goto reeval;
> break;
> default:
> yyerror(_("Internal: unexpected mode character '%c' in input"),
> - this);
> + thisc);
> break;
> }
> break;
> @@ -725,7 +725,7 @@ int parse_mode(const char *str_mode)
> return mode;
> }
>
> -struct cod_entry *new_entry(char *namespace, char *id, int mode, char *link_id)
> +struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id)
> {
> struct cod_entry *entry = NULL;
>
> @@ -733,7 +733,7 @@ struct cod_entry *new_entry(char *namespace, char *id, int mode, char *link_id)
> if (!entry)
> return NULL;
>
> - entry->namespace = namespace;
> + entry->ns = ns;
> entry->name = id;
> entry->link_name = link_id;
> entry->mode = mode;
> @@ -757,7 +757,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
> if (!entry)
> return NULL;
>
> - entry->namespace = orig->namespace ? strdup(orig->namespace) : NULL;
> + entry->ns = orig->ns ? strdup(orig->ns) : NULL;
> entry->name = strdup(orig->name);
> entry->link_name = orig->link_name ? strdup(orig->link_name) : NULL;
> entry->mode = orig->mode;
> @@ -779,8 +779,8 @@ void free_cod_entries(struct cod_entry *list)
> return;
> if (list->next)
> free_cod_entries(list->next);
> - if (list->namespace)
> - free(list->namespace);
> + if (list->ns)
> + free(list->ns);
> if (list->name)
> free(list->name);
> if (list->link_name)
> @@ -845,8 +845,8 @@ void debug_cod_entries(struct cod_entry *list)
> else
> printf("\tName:\tNULL\n");
>
> - if (item->namespace)
> - printf("\tNamespace:\t(%s)\n", item->namespace);
> + if (item->ns)
> + printf("\tNs:\t(%s)\n", item->ns);
>
> if (AA_LINK_BITS & item->mode)
> printf("\tlink:\t(%s)\n", item->link_name ? item->link_name : "/**");
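Review bot: Changing the printed label from `Namespace:` to `Ns:` alters the program's debug output, which the C++ conversion does not require — `namespace` is a keyword only where it is used as an identifier, and the field rename already handles that; the same label change appears in `debug_cod_list` later in this file (`Ns:\t\t%s`). Keeping the string literal as `"\tNamespace:\t(%s)\n"` preserves whatever reads the dump output and confines the diff to the keyword avoidance the commit message describes.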
> @@ -943,23 +943,31 @@ void debug_capabilities(struct codomain *cod)
> __debug_capabilities(cod->quiet_caps, "Quiet Caps");
> }
>
> +/* Bleah C++ doesn't have non-trivial designated initializers so we just
> + * have to make sure these are in order. This means we are more brittle
> + * but there isn't much we can do.
> + */
> const char *sock_types[] = {
> - [0] = "none",
> - [SOCK_STREAM] = "stream",
> - [SOCK_DGRAM] = "dgram",
> - [SOCK_RAW] = "raw",
> - [SOCK_RDM] = "rdm",
> - [SOCK_SEQPACKET] = "seqpacket",
> - [SOCK_PACKET] = "packet",
> + "none", /* 0 */
> + "stream", /* 1 [SOCK_STREAM] */
> + "dgram", /* 2 [SOCK_DGRAM] */
> + "raw", /* 3 [SOCK_RAW] */
> + "rdm", /* 4 [SOCK_RDM] */
> + "seqpacket", /* 5 [SOCK_SEQPACKET] */
> + "dccp", /* 6 [SOCK_DCCP] */
> + "invalid", /* 7 */
> + "invalid", /* 8 */
> + "invalid", /* 9 */
> + "packet", /* 10 [SOCK_PACKET] */
> /*
> * See comment above
> - [SOCK_DCCP] = "dccp",
> */
> };
> #define ALL_TYPES 0x43e
>
> +/* another case of C++ not supporting non-trivial designated initializers */
> #undef AA_GEN_NET_ENT
> -#define AA_GEN_NET_ENT(name, AF) [AF] = name,
> +#define AA_GEN_NET_ENT(name, AF) name, /* [AF] = name, */
>
> static const char *network_families[] = {
> #include "af_names.h"
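Review bot: The positional sock_types table now names index 6 as `"dccp"` while `ALL_TYPES` stays `0x43e`, whose set bits are 1–5 and 10 only, so bit 6 is the one slot the table names but the mask excludes; the old initializer deliberately kept `[SOCK_DCCP]` commented out, and the stranded `/* See comment above */` now encloses nothing. Either put `"invalid"` back at index 6 (or add bit 6 to ALL_TYPES if dccp is meant to be accepted now — if this table is what the keyword lookup walks, a policy could presumably match `dccp` today) and drop the empty comment. The same positional assumption lands on `AA_GEN_NET_ENT`: with `[AF]` discarded, any gap or reordering in af_names.h silently shifts every later family's name by one, so the macro deserves a comment such as `/* af_names.h must list every AF_* in ascending order with no gaps: the index IS the AF value */`, and a check of the table's element count against the expected AF maximum wherever the table is consulted would make the constraint fail loudly instead of mislabeling families.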
> @@ -1038,8 +1046,8 @@ void debug_network(struct codomain *cod)
>
> void debug_cod_list(struct codomain *cod)
> {
> - if (cod->namespace)
> - printf("Namespace:\t\t%s\n", cod->namespace);
> + if (cod->ns)
> + printf("Ns:\t\t%s\n", cod->ns);
>
> if (cod->name)
> printf("Name:\t\t%s\n", cod->name);
> @@ -1064,7 +1072,7 @@ void debug_cod_list(struct codomain *cod)
>
> struct value_list *new_value_list(char *value)
> {
> - struct value_list *val = calloc(1, sizeof(struct value_list));
> + struct value_list *val = (struct value_list *) calloc(1, sizeof(struct value_list));
Incorrect indent.
> if (val)
> val->value = value;
> return val;
> @@ -1130,7 +1138,7 @@ void print_value_list(struct value_list *list)
>
> struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list)
> {
> - struct cond_entry *ent = calloc(1, sizeof(struct cond_entry));
> + struct cond_entry *ent = (struct cond_entry *) calloc(1, sizeof(struct cond_entry));
Incorrect indent.
> if (ent) {
> ent->name = name;
> ent->vals = list;
> diff --git a/parser/parser_policy.c b/parser/parser_policy.c
> index 77d4a19..3536d21 100644
> --- a/parser/parser_policy.c
> +++ b/parser/parser_policy.c
> @@ -48,12 +48,12 @@ static int codomain_compare(const void *a, const void *b)
> struct codomain *B = (struct codomain *) b;
>
> int res = 0;
> - if (A->namespace) {
> - if (B->namespace)
> - res = strcmp(A->namespace, B->namespace);
> + if (A->ns) {
> + if (B->ns)
> + res = strcmp(A->ns, B->ns);
> else
> res = -1;
> - } else if (B->namespace)
> + } else if (B->ns)
> res = 1;
> if (res)
> return res;
> @@ -118,7 +118,7 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
> char *name = NULL;
>
> /* check to see if it is a local transition */
> - if (!entry->namespace) {
> + if (!entry->ns) {
> char *sub = strstr(entry->nt_name, "//");
> /* does the subprofile name match the rule */
>
> @@ -137,7 +137,7 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
> return AA_EXEC_LOCAL >> 10;
> }
> /* specified as cix so profile name is implicit */
> - name = malloc(strlen(cod->name) + strlen(entry->nt_name)
> + name = (char *) malloc(strlen(cod->name) + strlen(entry->nt_name)
> + 3);
> if (!name) {
> PERROR("Memory allocation error\n");
> @@ -148,16 +148,16 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
> entry->nt_name = name;
> }
> }
> - if (entry->namespace) {
> - name = malloc(strlen(entry->namespace) + strlen(entry->nt_name) + 3);
> + if (entry->ns) {
> + name = (char *) malloc(strlen(entry->ns) + strlen(entry->nt_name) + 3);
> if (!name) {
> PERROR("Memory allocation error\n");
> exit(1);
> }
> - sprintf(name, ":%s:%s", entry->namespace, entry->nt_name);
> - free(entry->namespace);
> + sprintf(name, ":%s:%s", entry->ns, entry->nt_name);
> + free(entry->ns);
> free(entry->nt_name);
> - entry->namespace = NULL;
> + entry->ns = NULL;
> entry->nt_name = NULL;
> } else {
> name = entry->nt_name;
> @@ -191,7 +191,7 @@ void post_process_file_entries(struct codomain *cod)
> mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT);
> entry->mode = ((entry->mode & ~AA_ALL_EXEC_MODIFIERS) |
> (mode & AA_ALL_EXEC_MODIFIERS));
> - entry->namespace = NULL;
> + entry->ns = NULL;
> entry->nt_name = NULL;
> }
> /* FIXME: currently change_profile also implies onexec */
> @@ -450,7 +450,7 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
> */
> if ((flag_changehat_version == FLAG_CHANGEHAT_1_4) &&
> (*t)->parent) {
> - char *buffer = malloc(strlen((*t)->name) + 1);
> + char *buffer = (char *) malloc(strlen((*t)->name) + 1);
> if (!buffer) {
> PERROR("Memory allocation error\n");
> exit(1);
> @@ -826,8 +826,8 @@ void free_policy(struct codomain *cod)
> free(cod->name);
> if (cod->attachment)
> free(cod->attachment);
> - if (cod->namespace)
> - free(cod->namespace);
> + if (cod->ns)
> + free(cod->ns);
> if (cod->network_allowed)
> free(cod->network_allowed);
> if (cod->audit_network)
> diff --git a/parser/parser_regex.c b/parser/parser_regex.c
> index 4bc0691..ce9d7a3 100644
> --- a/parser/parser_regex.c
> +++ b/parser/parser_regex.c
> @@ -517,9 +517,9 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
> /* allow change_profile for all execs */
> vec[0] = "/[^\\x00]*";
>
> - if (entry->namespace) {
> + if (entry->ns) {
> int pos;
> - ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8, &pos);
> + ptype = convert_aaregex_to_pcre(entry->ns, 0, lbuf, PATH_MAX + 8, &pos);
> vec[index++] = lbuf;
> }
> vec[index++] = tbuf;
> @@ -535,9 +535,9 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
> }
> if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
> int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
> - if (entry->namespace) {
> + if (entry->ns) {
> char *vec[2];
> - vec[0] = entry->namespace;
> + vec[0] = entry->ns;
> vec[1] = entry->name;
> if (!aare_add_rule_vec(dfarules, 0, mode, 0, 2, vec, dfaflags))
> return FALSE;
> diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
> index 6deb328..322551e 100644
> --- a/parser/parser_symtab.c
> +++ b/parser/parser_symtab.c
> @@ -46,51 +46,51 @@ static int __expand_variable(struct symtab *symbol);
>
> static struct symtab *new_symtab_entry(const char *name)
> {
> - struct symtab *new = calloc(1, sizeof(*new));
> + struct symtab *n = (struct symtab *) calloc(1, sizeof(*n));
>
> - if (!new) {
> + if (!n) {
> PERROR("Failed to allocate memory: %s\n", strerror(errno));
> return NULL;
> }
>
> - new->var_name = strndup(name, PATH_MAX);
> - if (!new->var_name) {
> + n->var_name = strndup(name, PATH_MAX);
> + if (!n->var_name) {
> PERROR("Failed to allocate memory: %s\n", strerror(errno));
> - free(new);
> + free(n);
> return NULL;
> }
>
> - return new;
> + return n;
> }
>
> static struct set_value *new_set_value(const char *val)
> {
> - struct set_value *new = calloc(1, sizeof(*new));
> + struct set_value *n = (struct set_value *) calloc(1, sizeof(*n));
>
> - if (!new) {
> + if (!n) {
> PERROR("Failed to allocate memory: %s\n", strerror(errno));
> return NULL;
> }
>
> - new->val = strndup(val, PATH_MAX);
> - if (!new->val) {
> + n->val = strndup(val, PATH_MAX);
> + if (!n->val) {
> PERROR("Failed to allocate memory: %s\n", strerror(errno));
> - free(new);
> + free(n);
> return NULL;
> }
>
> - return new;
> + return n;
> }
>
> static void free_values(struct set_value *val)
> {
> - struct set_value *this = val, *tmp;
> + struct set_value *i = val, *tmp;
>
> - while (this) {
> - if (this->val)
> - free(this->val);
> - tmp = this;
> - this = this->next;
> + while (i) {
> + if (i->val)
> + free(i->val);
> + tmp = i;
> + i = i->next;
> free(tmp);
> }
> }
> @@ -153,26 +153,26 @@ out:
>
> int add_boolean_var(const char *var, int value)
> {
> - struct symtab *new, **result;
> + struct symtab *n, **result;
> int rc = 0;
>
> - new = new_symtab_entry(var);
> - if (!new) {
> + n = new_symtab_entry(var);
> + if (!n) {
> rc = ENOMEM;
> goto err;
> }
>
> - new->type = sd_boolean;
> - new->boolean = value;
> + n->type = sd_boolean;
> + n->boolean = value;
>
> - result = (struct symtab **) tsearch(new, &my_symtab, (comparison_fn_t) &compare_symtabs);
> + result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
> if (!result) {
> PERROR("Failed to allocate memory: %s\n", strerror(errno));
> rc = errno;
> goto err;
> }
>
> - if (*result != new) {
> + if (*result != n) {
> /* already existing variable */
> PERROR("'%s' is already defined\n", var);
> rc = 1;
> @@ -182,7 +182,7 @@ int add_boolean_var(const char *var, int value)
> return 0;
>
> err:
> - free_symtab(new);
> + free_symtab(n);
> return rc;
> };
>
> @@ -213,26 +213,26 @@ out:
> */
> int new_set_var(const char *var, const char *value)
> {
> - struct symtab *new, **result;
> + struct symtab *n, **result;
> int rc = 0;
>
> - new = new_symtab_entry(var);
> - if (!new) {
> + n = new_symtab_entry(var);
> + if (!n) {
> rc = ENOMEM;
> goto err;
> }
>
> - new->type = sd_set;
> - add_to_set(&(new->values), value);
> + n->type = sd_set;
> + add_to_set(&(n->values), value);
>
> - result = (struct symtab **) tsearch(new, &my_symtab, (comparison_fn_t) &compare_symtabs);
> + result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
> if (!result) {
> PERROR("Failed to allocate memory: %s\n", strerror(errno));
> rc = errno;
> goto err;
> }
>
> - if (*result != new) {
> + if (*result != n) {
> /* already existing variable */
> PERROR("'%s' is already defined\n", var);
> rc = 1;
> @@ -242,7 +242,7 @@ int new_set_var(const char *var, const char *value)
> return 0;
>
> err:
> - free_symtab(new);
> + free_symtab(n);
> return rc;
> }
>
> @@ -382,15 +382,15 @@ static int __expand_variable(struct symtab *symbol)
> while (work_list) {
> struct symtab *ref;
> struct set_value *ref_item;
> - struct set_value *this_value = work_list;
> + struct set_value *t_value = work_list;
> int rc;
>
> work_list = work_list->next;
>
> - split = split_out_var(this_value->val);
> + split = split_out_var(t_value->val);
> if (!split) {
> /* fully expanded */
> - add_to_set(&expanded, this_value->val);
> + add_to_set(&expanded, t_value->val);
> goto next;
> }
>
> @@ -436,8 +436,8 @@ static int __expand_variable(struct symtab *symbol)
> }
>
> next:
> - this_value->next = NULL;
> - free_values(this_value);
> + t_value->next = NULL;
> + free_values(t_value);
> free_var_string(split);
> }
> }
> @@ -469,10 +469,10 @@ void expand_variables(void)
>
> static inline void dump_set_values(struct set_value *value)
> {
> - struct set_value *this = value;
> - while (this) {
> - printf(" \"%s\"", this->val);
> - this = this->next;
> + struct set_value *t = value;
> + while (t) {
> + printf(" \"%s\"", t->val);
> + t = t->next;
> }
> }
>
> diff --git a/parser/parser_variable.c b/parser/parser_variable.c
> index 48f2fe7..c17123a 100644
> --- a/parser/parser_variable.c
> +++ b/parser/parser_variable.c
> @@ -53,29 +53,29 @@ static inline char *get_var_end(char *var)
> static struct var_string *split_string(char *string, char *var_begin,
> char *var_end)
> {
> - struct var_string *new = calloc(1, sizeof(struct var_string));
> + struct var_string *n = (struct var_string *) calloc(1, sizeof(struct var_string));
> unsigned int offset = strlen("@{");
> - if (!new) {
> + if (!n) {
> PERROR("Memory allocation error\n");
> return NULL;
> }
>
> if (var_begin != string) {
> - new->prefix = strndup(string, var_begin - string);
> + n->prefix = strndup(string, var_begin - string);
> }
>
> - new->var = strndup(var_begin + offset, var_end - (var_begin + offset));
> + n->var = strndup(var_begin + offset, var_end - (var_begin + offset));
>
> if (strlen(var_end + 1) != 0) {
> - new->suffix = strdup(var_end + 1);
> + n->suffix = strdup(var_end + 1);
> }
>
> - return new;
> + return n;
> }
>
> struct var_string *split_out_var(char *string)
> {
> - struct var_string *new = NULL;
> + struct var_string *n = NULL;
> char *sptr;
> BOOL bEscape = 0; /* flag to indicate escape */
>
> @@ -84,7 +84,7 @@ struct var_string *split_out_var(char *string)
>
> sptr = string;
>
> - while (!new && *sptr) {
> + while (!n && *sptr) {
> switch (*sptr) {
> case '\\':
> if (bEscape) {
> @@ -105,7 +105,7 @@ struct var_string *split_out_var(char *string)
> PERROR("Empty variable name found!\n");
> exit(1);
> }
> - new = split_string(string, sptr, eptr);
> + n = split_string(string, sptr, eptr);
> }
> break;
> default:
> @@ -115,7 +115,7 @@ struct var_string *split_out_var(char *string)
> sptr++;
> }
>
> - return new;
> + return n;
> }
>
> void free_var_string(struct var_string *var)
> @@ -190,7 +190,7 @@ static int expand_entry_variables(char **name, void *entry,
>
> int clone_and_chain_cod(void *v)
> {
> - struct cod_entry *entry = v;
> + struct cod_entry *entry = (struct cod_entry *) v;
> struct cod_entry *dup = copy_cod_entry(entry);
> if (!dup)
> return 0;
> @@ -202,7 +202,7 @@ int clone_and_chain_cod(void *v)
>
> int clone_and_chain_mnt(void *v)
> {
> - struct mnt_entry *entry = v;
> + struct mnt_entry *entry = (struct mnt_entry *) v;
>
> struct mnt_entry *dup = dup_mnt_entry(entry);
> if (!dup)
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index c249b01..4939d4f 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -67,7 +67,7 @@
>
> int parser_token = 0;
>
> -struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
> +struct cod_entry *do_file_rule(char *ns, char *id, int mode,
> char *link_id, char *nt);
> struct mnt_entry *do_mnt_rule(struct cond_entry *src_conds, char *src,
> struct cond_entry *dst_conds, char *dst,
> @@ -213,7 +213,7 @@ void add_local_entry(struct codomain *cod);
> %type <boolean> opt_profile_flag
> %type <boolean> opt_flags
> %type <boolean> opt_deny
> -%type <id> opt_namespace
> +%type <id> opt_ns
> %type <id> opt_id
> %type <prefix> opt_prefix
> %type <transition> opt_named_transition
> @@ -237,7 +237,7 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
> | TOK_PROFILE { $$ = 1; }
> | hat_start { $$ = 2; }
>
> -opt_namespace: { /* nothing */ $$ = NULL; }
> +opt_ns: { /* nothing */ $$ = NULL; }
> | TOK_COLON TOK_ID TOK_COLON { $$ = $2; }
>
> opt_id: { /* nothing */ $$ = NULL; }
> @@ -273,7 +273,7 @@ profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
>
> };
>
> -profile: opt_profile_flag opt_namespace profile_base
> +profile: opt_profile_flag opt_ns profile_base
> {
> struct codomain *cod = $3;
> if ($2)
> @@ -284,7 +284,7 @@ profile: opt_profile_flag opt_namespace profile_base
> if ($3->name[0] != '/' && !($1 || $2))
> yyerror(_("Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."));
>
> - cod->namespace = $2;
> + cod->ns = $2;
> if ($1 == 2)
> cod->flags.hat = 1;
> $$ = cod;
> @@ -595,13 +595,13 @@ rules: rules opt_prefix network_rule
> if (!$3)
> yyerror(_("Assert: `network_rule' return invalid protocol."));
> if (!$1->network_allowed) {
> - $1->network_allowed = calloc(get_af_max(),
> + $1->network_allowed = (unsigned int *) calloc(get_af_max(),
Incorrect indent.
> sizeof(unsigned int));
> - $1->audit_network = calloc(get_af_max(),
> + $1->audit_network = (unsigned int *)calloc(get_af_max(),
> sizeof(unsigned int));
> - $1->deny_network = calloc(get_af_max(),
> + $1->deny_network = (unsigned int *)calloc(get_af_max(),
> sizeof(unsigned int));
> - $1->quiet_network = calloc(get_af_max(),
> + $1->quiet_network = (unsigned int *)calloc(get_af_max(),
> sizeof(unsigned int));
> if (!$1->network_allowed || !$1->audit_network ||
> !$1->deny_network || !$1->quiet_network)
> @@ -877,19 +877,19 @@ id_or_var: TOK_SET_VAR { $$ = $1; };
> opt_named_transition:
> { /* nothing */
> $$.present = 0;
> - $$.namespace = NULL;
> + $$.ns = NULL;
> $$.name = NULL;
> }
> | TOK_ARROW id_or_var
> {
> $$.present = 1;
> - $$.namespace = NULL;
> + $$.ns = NULL;
> $$.name = $2;
> }
> | TOK_ARROW TOK_COLON id_or_var TOK_COLON id_or_var
> {
> $$.present = 1;
> - $$.namespace = $3;
> + $$.ns = $3;
> $$.name = $5;
> };
>
> @@ -906,7 +906,7 @@ opt_file: { /* nothing */ $$ = 0; }
>
> frule: id_or_var file_mode opt_named_transition TOK_END_OF_RULE
> {
> - $$ = do_file_rule($3.namespace, $1, $2, NULL, $3.name);
> + $$ = do_file_rule($3.ns, $1, $2, NULL, $3.name);
> };
>
> frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
> @@ -915,14 +915,14 @@ frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
> yyerror(_("subset can only be used with link rules."));
> if ($4.present && ($1 & AA_LINK_BITS) && ($1 & AA_EXEC_BITS))
> yyerror(_("link and exec perms conflict on a file rule using ->"));
> - if ($4.present && $4.namespace && ($1 & AA_LINK_BITS))
> + if ($4.present && $4.ns && ($1 & AA_LINK_BITS))
> yyerror(_("link perms are not allowed on a named profile transition.\n"));
> if (($1 & AA_LINK_BITS)) {
> $$ = do_file_rule(NULL, $3, $1, $4.name, NULL);
> $$->subset = $2;
>
> } else {
> - $$ = do_file_rule($4.namespace, $3, $1, NULL, $4.name);
> + $$ = do_file_rule($4.ns, $3, $1, NULL, $4.name);
> }
> };
>
> @@ -1094,15 +1094,15 @@ mnt_rule: TOK_UMOUNT opt_conds opt_id TOK_END_OF_RULE
> mnt_rule: TOK_PIVOTROOT opt_conds opt_id opt_named_transition TOK_END_OF_RULE
> {
> char *name = NULL;
> - if ($4.present && $4.namespace) {
> - name = malloc(strlen($4.namespace) +
> - strlen($4.name) + 3);
> + if ($4.present && $4.ns) {
> + name = (char *) malloc(strlen($4.ns) +
> + strlen($4.name) + 3);
> if (!name) {
> PERROR("Memory allocation error\n");
> exit(1);
> }
> - sprintf(name, ":%s:%s", $4.namespace, $4.name);
> - free($4.namespace);
> + sprintf(name, ":%s:%s", $4.ns, $4.name);
> + free($4.ns);
> free($4.name);
> } else if ($4.present)
> name = $4.name;
> @@ -1206,12 +1206,12 @@ void yyerror(const char *msg, ...)
> exit(1);
> }
>
> -struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
> +struct cod_entry *do_file_rule(char *ns, char *id, int mode,
> char *link_id, char *nt)
> {
> struct cod_entry *entry;
> PDEBUG("Matched: tok_id (%s) tok_mode (0x%x)\n", id, mode);
> - entry = new_entry(namespace, id, mode, link_id);
> + entry = new_entry(ns, id, mode, link_id);
> if (!entry)
> yyerror(_("Memory allocation error."));
> entry->nt_name = nt;
> @@ -1227,7 +1227,7 @@ void add_local_entry(struct codomain *cod)
> /* ugh this has to be called after the hat is attached to its parent */
> if (cod->local_mode) {
> struct cod_entry *entry;
> - char *trans = malloc(strlen(cod->parent->name) +
> + char *trans = (char *) malloc(strlen(cod->parent->name) +
> strlen(cod->name) + 3);
> char *name = strdup(cod->name);
> if (!trans)
> @@ -1244,7 +1244,7 @@ void add_local_entry(struct codomain *cod)
> }
> }
>
> -static char *mnt_cond_msg[] = {"",
> +static const char *mnt_cond_msg[] = {"",
> " not allowed as source conditional",
> " not allowed as target conditional",
> "",
> diff --git a/parser/tst/simple_tests/network/network_bad_5.sd b/parser/tst/simple_tests/network/network_bad_5.sd
> deleted file mode 100644
> index a3ca627..0000000
> --- a/parser/tst/simple_tests/network/network_bad_5.sd
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -#
> -#=DESCRIPTION basic network tests
> -#=EXRESULT FAIL
> -#
> -/usr/bin/foo {
> - network unix,
> -}
> diff --git a/parser/tst/simple_tests/network/network_bad_6.sd b/parser/tst/simple_tests/network/network_bad_6.sd
> deleted file mode 100644
> index 5483d8d..0000000
> --- a/parser/tst/simple_tests/network/network_bad_6.sd
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -#
> -#=DESCRIPTION basic network tests
> -#=EXRESULT FAIL
> -#
> -/usr/bin/foo {
> - network netlink,
> -}
> diff --git a/parser/tst/simple_tests/network/network_ok_5.sd b/parser/tst/simple_tests/network/network_ok_5.sd
> new file mode 100644
> index 0000000..12a0fd5
> --- /dev/null
> +++ b/parser/tst/simple_tests/network/network_ok_5.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION basic network tests
> +#=EXRESULT PASS
> +#
> +/usr/bin/foo {
> + network unix,
> +}
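Review bot: The expected result for `network unix,` flips from FAIL to PASS, yet no grammar or keyword-handling change is visible in this patch; the acceptance appears to come solely from the AF name table becoming positional, so this file now pins an incidental effect of the C++ conversion rather than a deliberate language decision. If the keyword is meant to be accepted, the header should say so, e.g. `#=DESCRIPTION network rule with unix family keyword is accepted`, and ideally the file should move to the patch that intentionally adds the keyword; if not, the `network_bad_5.sd` expectation should stay and the table be fixed instead. The same applies to `network_ok_6.sd` for `netlink`.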
> diff --git a/parser/tst/simple_tests/network/network_ok_6.sd b/parser/tst/simple_tests/network/network_ok_6.sd
> new file mode 100644
> index 0000000..42ea6cc
> --- /dev/null
> +++ b/parser/tst/simple_tests/network/network_ok_6.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION basic network tests
> +#=EXRESULT PASS
> +#
> +/usr/bin/foo {
> + network netlink,
> +}
> --
> 1.8.1.2
C++ sure feels old and busted after reading through this patch. I hope
the end result is worth it...
Thanks