[apparmor] [PATCH 5/8] Convert the parser to C++
Tyler Hicks
tyhicks at canonical.com
Wed Sep 11 08:47:44 UTC 2013
From: John Johansen <john.johansen at canonical.com>
This conversion is nothing more than what is required to get it to
compile. Further improvements will come as the code is refactored.
Unfortunately due to C++ not supporting designated initializers, the auto
generation of af names needed to be reworked, and "netlink" and "unix"
domain socket keywords leaked in. Since these were going to be added in
separate patches I have not bothered to do the extra work to replace them
with a temporary placeholder.
Signed-off-by: John Johansen <john.johansen at canonical.com>
[tyhicks: merged with dbus changes and memory leak fixes]
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
---
common/Make.rules | 4 +-
parser/Makefile | 38 +++++-----
parser/lib.c | 10 ++-
parser/libapparmor_re/aare_rules.cc | 12 +--
parser/libapparmor_re/apparmor_re.h | 61 +++++++--------
parser/mount.c | 6 +-
parser/parser.h | 17 +++--
parser/parser_alias.c | 31 ++++----
parser/parser_common.c | 4 +-
parser/parser_include.c | 2 +-
parser/parser_interface.c | 42 +++++------
parser/parser_lex.l | 13 ++--
parser/parser_main.c | 13 ++--
parser/parser_merge.c | 10 +--
parser/parser_misc.c | 94 +++++++++++++-----------
parser/parser_policy.c | 32 ++++----
parser/parser_regex.c | 8 +-
parser/parser_symtab.c | 92 +++++++++++------------
parser/parser_variable.c | 26 +++----
parser/parser_yacc.y | 50 ++++++-------
parser/tst/simple_tests/network/network_bad_5.sd | 7 --
parser/tst/simple_tests/network/network_bad_6.sd | 7 --
parser/tst/simple_tests/network/network_ok_5.sd | 7 ++
parser/tst/simple_tests/network/network_ok_6.sd | 7 ++
24 files changed, 305 insertions(+), 288 deletions(-)
delete mode 100644 parser/tst/simple_tests/network/network_bad_5.sd
delete mode 100644 parser/tst/simple_tests/network/network_bad_6.sd
create mode 100644 parser/tst/simple_tests/network/network_ok_5.sd
create mode 100644 parser/tst/simple_tests/network/network_ok_6.sd
diff --git a/common/Make.rules b/common/Make.rules
index 52a45d5..3f6031e 100644
--- a/common/Make.rules
+++ b/common/Make.rules
@@ -193,12 +193,12 @@ list_capabilities: /usr/include/linux/capability.h
# to mediate. We use PF_ here since that is what is required in
# bits/socket.h, but we will rewrite these as AF_.
-FILTER_FAMILIES=PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
+FILTER_FAMILIES=PF_UNIX
__FILTER=$(shell echo $(strip $(FILTER_FAMILIES)) | sed -e 's/ /\\\|/g')
# emits the AF names in a "AF_NAME NUMBER," pattern
-AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
+AF_NAMES=$(shell echo "\#include <sys/socket.h>" | cpp -dM | LC_ALL=C sed -n -e '/$(__FILTER)/d' -e 's/PF_LOCAL/PF_UNIX/' -e 's/^\#define[ \t]\+PF_\([A-Z0-9_]\+\)[ \t]\+\([0-9]\+\).*$$/AF_\1 \2,/p' | sort -n -k2)
.PHONY: list_af_names
list_af_names:
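Review bot: The new `-e 's/PF_LOCAL/PF_UNIX/'` yields exactly one AF_UNIX entry only because the preceding `-e '/$(__FILTER)/d'` (now just PF_UNIX) has already deleted glibc's `#define PF_UNIX PF_LOCAL` alias line, so the two expressions are order-dependent and nothing says so; add above AF_NAMES `# glibc defines PF_UNIX as an alias of PF_LOCAL: drop the alias line first, then rename the numeric PF_LOCAL entry so it is emitted as AF_UNIX`. Now that parser_misc.c consumes af_names.h positionally (its AA_GEN_NET_ENT no longer uses the AF value as an index), this generator must emit a dense list starting at 0; `sort -n -k2` guarantees the order but not the absence of gaps, and any PF_ value the host header leaves out silently shifts every later family name. That constraint belongs in the comment here as well.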
diff --git a/parser/Makefile b/parser/Makefile
index 7f691ca..84a7a10 100644
--- a/parser/Makefile
+++ b/parser/Makefile
@@ -40,11 +40,11 @@ LEXFLAGS = -B -v
WARNINGS = -Wall
EXTRA_WARNINGS = -Wsign-compare -Wmissing-field-initializers -Wformat-security -Wunused-parameter
CXX_WARNINGS = ${WARNINGS} $(shell for warning in ${EXTRA_WARNINGS} ; do \
- if ${CC} $${warning} -S -o /dev/null -xc /dev/null >/dev/null 2>&1; then \
+ if ${CXX} $${warning} -S -o /dev/null -xc /dev/null >/dev/null 2>&1; then \
echo "$${warning}"; \
fi ; \
done)
-CPP_WARNINGS = -Wstrict-prototypes -Wnested-externs
+CPP_WARNINGS =
ifndef CFLAGS
CFLAGS = -g -O2 -pipe
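Review bot: The warning probe on the changed line now runs `${CXX}` but still passes `-xc /dev/null`, so each EXTRA_WARNINGS flag is tested against the C front end of the C++ compiler, and a flag that is C-only or rejected only in C++ mode is misdetected for the C++ build; change it to `if ${CXX} $${warning} -S -o /dev/null -xc++ /dev/null >/dev/null 2>&1; then \`. The `ifndef CFLAGS` block continues outside the hunk.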
@@ -163,52 +163,52 @@ parser_lex.c: parser_lex.l parser_yacc.h parser.h
$(LEX) ${LEXFLAGS} -o$@ $<
parser_lex.o: parser_lex.c parser.h parser_yacc.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_misc.o: parser_misc.c parser.h parser_yacc.h af_names.h cap_names.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_yacc.o: parser_yacc.c parser_yacc.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_main.o: parser_main.c parser.h parser_version.h libapparmor_re/apparmor_re.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_interface.o: parser_interface.c parser.h libapparmor_re/apparmor_re.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_include.o: parser_include.c parser.h parser_include.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_merge.o: parser_merge.c parser.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_regex.o: parser_regex.c parser.h libapparmor_re/apparmor_re.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_symtab.o: parser_symtab.c parser.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_variable.o: parser_variable.c parser.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_policy.o: parser_policy.c parser.h parser_yacc.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_alias.o: parser_alias.c parser.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_common.o: parser_common.c parser.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
mount.o: mount.c mount.h parser.h immunix.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
lib.o: lib.c lib.h parser.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
dbus.o: dbus.c dbus.h parser.h immunix.h
- $(CC) $(EXTRA_CFLAGS) -c -o $@ $<
+ $(CXX) $(EXTRA_CFLAGS) -c -o $@ $<
parser_version.h: Makefile
@echo \#define PARSER_VERSION \"$(VERSION)\" > .ver
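Review bot: Every object rule now invokes `$(CXX)` on a `.c` file and relies on the compiler's own default to treat the C source as C++; g++ does, clang++ emits a deprecation warning for it, and the `CXX` convention does not promise it. Either pass the language explicitly, `$(CXX) $(EXTRA_CFLAGS) -x c++ -c -o $@ $<`, or rename the sources, and since all sixteen rules share one recipe a single pattern rule `%.o: %.c` with the per-file header prerequisites listed as prerequisite-only lines would remove the repetition. The same applies to the `tst_%` rule in the next hunk.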
@@ -228,7 +228,7 @@ cap_names.h: /usr/include/linux/capability.h
echo "$(CAPABILITIES)" | LC_ALL=C sed -n -e "s/[ \\t]\\?CAP_\\([A-Z0-9_]\\+\\)/\{\"\\L\\1\", \\UCAP_\\1\},\\n/pg" > $@
tst_%: parser_%.c parser.h $(filter-out parser_%.o, ${TEST_OBJECTS})
- $(CC) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)
+ $(CXX) $(TEST_CFLAGS) -o $@ $< $(filter-out $(<:.c=.o), ${TEST_OBJECTS}) $(TEST_LDFLAGS)
.SILENT: check
.PHONY: check
diff --git a/parser/lib.c b/parser/lib.c
index c4a917b..6f6f110 100644
--- a/parser/lib.c
+++ b/parser/lib.c
@@ -70,11 +70,13 @@ int dirat_for_each(DIR *dir, const char *name, void *data,
}
if (dir && (!name || *name != '/')) {
- dirent = malloc(offsetof(struct dirent, d_name) +
- fpathconf(dirfd(dir), _PC_NAME_MAX) + 1);
+ dirent = (struct dirent *)
+ malloc(offsetof(struct dirent, d_name) +
+ fpathconf(dirfd(dir), _PC_NAME_MAX) + 1);
} else {
- dirent = malloc(offsetof(struct dirent, d_name) +
- pathconf(name, _PC_NAME_MAX) + 1);
+ dirent = (struct dirent *)
+ malloc(offsetof(struct dirent, d_name) +
+ pathconf(name, _PC_NAME_MAX) + 1);
}
if (!dirent) {
PDEBUG("could not alloc dirent");
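Review bot: `fpathconf()` and `pathconf()` return -1 when the limit is indeterminate or on error, and on the new lines that -1 flows straight into the malloc size, so the dirent buffer can be allocated with no room at all for d_name. Check the result before using it, e.g. `long name_max = fpathconf(dirfd(dir), _PC_NAME_MAX); if (name_max < 0) name_max = NAME_MAX;` and allocate `offsetof(struct dirent, d_name) + name_max + 1`, with the same treatment for the `pathconf(name, ...)` branch. dirat_for_each starts and ends outside the hunk.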
diff --git a/parser/libapparmor_re/aare_rules.cc b/parser/libapparmor_re/aare_rules.cc
index d40591d..a752096 100644
--- a/parser/libapparmor_re/aare_rules.cc
+++ b/parser/libapparmor_re/aare_rules.cc
@@ -39,7 +39,7 @@ struct aare_ruleset {
Node *root;
};
-extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
+aare_ruleset_t *aare_new_ruleset(int reverse)
{
aare_ruleset_t *container = (aare_ruleset_t *) malloc(sizeof(aare_ruleset_t));
if (!container)
@@ -51,7 +51,7 @@ extern "C" aare_ruleset_t *aare_new_ruleset(int reverse)
return container;
}
-extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
+void aare_delete_ruleset(aare_ruleset_t *rules)
{
if (rules) {
if (rules->root)
@@ -62,7 +62,7 @@ extern "C" void aare_delete_ruleset(aare_ruleset_t *rules)
aare_reset_matchflags();
}
-extern "C" int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
+int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
uint32_t perms, uint32_t audit, dfaflags_t flags)
{
return aare_add_rule_vec(rules, deny, perms, audit, 1, &rule, flags);
@@ -76,7 +76,7 @@ DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o */
ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux *u::o */
-extern "C" void aare_reset_matchflags(void)
+void aare_reset_matchflags(void)
{
uint32_t i, j;
#define RESET_FLAGS(group, size) { \
@@ -94,7 +94,7 @@ extern "C" void aare_reset_matchflags(void)
#undef RESET_FLAGS
}
-extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
+int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
uint32_t perms, uint32_t audit,
int count, char **rulev, dfaflags_t flags)
{
@@ -243,7 +243,7 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
* returns: buffer contain dfa tables, @size set to the size of the tables
* else NULL on failure
*/
-extern "C" void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
+void *aare_create_dfa(aare_ruleset_t *rules, size_t *size,
dfaflags_t flags)
{
char *buffer = NULL;
diff --git a/parser/libapparmor_re/apparmor_re.h b/parser/libapparmor_re/apparmor_re.h
index 186899c..420d9ce 100644
--- a/parser/libapparmor_re/apparmor_re.h
+++ b/parser/libapparmor_re/apparmor_re.h
@@ -19,36 +19,37 @@
#ifndef APPARMOR_RE_H
#define APPARMOR_RE_H
-typedef enum dfaflags {
- DFA_CONTROL_EQUIV = 1 << 0,
- DFA_CONTROL_TREE_NORMAL = 1 << 1,
- DFA_CONTROL_TREE_SIMPLE = 1 << 2,
- DFA_CONTROL_TREE_LEFT = 1 << 3,
- DFA_CONTROL_MINIMIZE = 1 << 4,
- DFA_CONTROL_MINIMIZE_HASH_TRANS = 1 << 5,
- DFA_CONTROL_FILTER_DENY = 1 << 6,
- DFA_CONTROL_REMOVE_UNREACHABLE = 1 << 7,
- DFA_CONTROL_TRANS_HIGH = 1 << 8,
+typedef int dfaflags_t;
- DFA_DUMP_MIN_PARTS = 1 << 13,
- DFA_DUMP_UNIQ_PERMS = 1 << 14,
- DFA_DUMP_MIN_UNIQ_PERMS = 1 << 15,
- DFA_DUMP_TREE_STATS = 1 << 16,
- DFA_DUMP_TREE = 1 << 17,
- DFA_DUMP_SIMPLE_TREE = 1 << 18,
- DFA_DUMP_PROGRESS = 1 << 19,
- DFA_DUMP_STATS = 1 << 20,
- DFA_DUMP_STATES = 1 << 21,
- DFA_DUMP_GRAPH = 1 << 22,
- DFA_DUMP_TRANS_PROGRESS = 1 << 23,
- DFA_DUMP_TRANS_STATS = 1 << 24,
- DFA_DUMP_TRANS_TABLE = 1 << 25,
- DFA_DUMP_EQUIV = 1 << 26,
- DFA_DUMP_EQUIV_STATS = 1 << 27,
- DFA_DUMP_MINIMIZE = 1 << 28,
- DFA_DUMP_UNREACHABLE = 1 << 29,
- DFA_DUMP_RULE_EXPR = 1 << 30,
- DFA_DUMP_NODE_TO_DFA = 1 << 31,
-} dfaflags_t;
+
+#define DFA_CONTROL_EQUIV (1 << 0)
+#define DFA_CONTROL_TREE_NORMAL (1 << 1)
+#define DFA_CONTROL_TREE_SIMPLE (1 << 2)
+#define DFA_CONTROL_TREE_LEFT (1 << 3)
+#define DFA_CONTROL_MINIMIZE (1 << 4)
+#define DFA_CONTROL_MINIMIZE_HASH_TRANS (1 << 5)
+#define DFA_CONTROL_FILTER_DENY (1 << 6)
+#define DFA_CONTROL_REMOVE_UNREACHABLE (1 << 7)
+#define DFA_CONTROL_TRANS_HIGH (1 << 8)
+
+#define DFA_DUMP_MIN_PARTS (1 << 13)
+#define DFA_DUMP_UNIQ_PERMS (1 << 14)
+#define DFA_DUMP_MIN_UNIQ_PERMS (1 << 15)
+#define DFA_DUMP_TREE_STATS (1 << 16)
+#define DFA_DUMP_TREE (1 << 17)
+#define DFA_DUMP_SIMPLE_TREE (1 << 18)
+#define DFA_DUMP_PROGRESS (1 << 19)
+#define DFA_DUMP_STATS (1 << 20)
+#define DFA_DUMP_STATES (1 << 21)
+#define DFA_DUMP_GRAPH (1 << 22)
+#define DFA_DUMP_TRANS_PROGRESS (1 << 23)
+#define DFA_DUMP_TRANS_STATS (1 << 24)
+#define DFA_DUMP_TRANS_TABLE (1 << 25)
+#define DFA_DUMP_EQUIV (1 << 26)
+#define DFA_DUMP_EQUIV_STATS (1 << 27)
+#define DFA_DUMP_MINIMIZE (1 << 28)
+#define DFA_DUMP_UNREACHABLE (1 << 29)
+#define DFA_DUMP_RULE_EXPR (1 << 30)
+#define DFA_DUMP_NODE_TO_DFA (1 << 31)
#endif /* APPARMOR_RE_H */
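Review bot: With `typedef int dfaflags_t` the new `#define DFA_DUMP_NODE_TO_DFA (1 << 31)` is a signed shift into the sign bit — undefined behaviour in C and implementation-defined in C++ before C++20 — and the macro's value is negative for a 32-bit int, which the old enum only hid. Make the flag type unsigned and spell the constants accordingly, `typedef unsigned int dfaflags_t;` and e.g. `#define DFA_DUMP_NODE_TO_DFA (1U << 31)`; the existing `(dfaflags_t)` casts and `|` expressions stay valid. Dropping the enum also drops the grouping that hinted at the gap between bits 8 and 13; a one-line comment above the DFA_DUMP_* block noting that bits 9-12 are unused would preserve that.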
diff --git a/parser/mount.c b/parser/mount.c
index d446d29..21d8576 100644
--- a/parser/mount.c
+++ b/parser/mount.c
@@ -220,7 +220,7 @@
#include "mount.h"
struct mnt_keyword_table {
- char *keyword;
+ const char *keyword;
unsigned int set;
unsigned int clear;
};
@@ -272,8 +272,8 @@ static struct mnt_keyword_table mnt_opts_table[] = {
{"iversion", MS_IVERSION, 0},
{"noiversion", 0, MS_IVERSION},
{"strictatime", MS_STRICTATIME, 0},
- {"user", 0, MS_NOUSER},
- {"nouser", MS_NOUSER, 0},
+ {"user", 0, (unsigned int) MS_NOUSER},
+ {"nouser", (unsigned int) MS_NOUSER, 0},
{NULL, 0, 0}
};
diff --git a/parser/parser.h b/parser/parser.h
index 0e99213..3eae519 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -22,12 +22,18 @@
#ifndef __AA_PARSER_H
#define __AA_PARSER_H
+
+#include <string.h>
#include <netinet/in.h>
#include <sys/resource.h>
#include "immunix.h"
#include "libapparmor_re/apparmor_re.h"
#include "libapparmor_re/aare_rules.h"
+using namespace std;
+
+#include <set>
+
struct mnt_ent;
/* Global variable to pass token to lexer. Will be replaced by parameter
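Review bot: `using namespace std;` is placed in a header and before `#include <set>`, so it only compiles because one of the earlier C headers happens to declare namespace std (a using-directive on an undeclared namespace is an error), and because it sits in parser.h it is imported into every translation unit that includes the header. Move `#include <set>` up with the other system includes and drop the directive from the header; the `std::set` uses can be qualified, or the directive placed in the individual .c files that want it.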
@@ -52,7 +58,7 @@ struct flagval {
struct named_transition {
int present;
- char *namespace;
+ char *ns;
char *name;
};
@@ -75,7 +81,7 @@ struct cond_entry {
};
struct cod_entry {
- char *namespace;
+ char *ns;
char *name;
char *link_name;
char *nt_name;
@@ -115,7 +121,7 @@ struct alt_name {
};
struct codomain {
- char *namespace;
+ char *ns;
char *name; /* codomain name */
char *attachment;
struct alt_name *altnames;
@@ -280,7 +286,7 @@ extern dfaflags_t dfaflags;
extern char *progname;
extern char *subdomainbase;
extern char *profilename;
-extern char *profile_namespace;
+extern char *profile_ns;
extern char *current_filename;
extern FILE *ofile;
extern int read_implies_exec;
@@ -335,8 +341,7 @@ extern int get_rlimit(const char *name);
extern char *process_var(const char *var);
extern int parse_mode(const char *mode);
extern int parse_dbus_mode(const char *str_mode, int *mode, int fail);
-extern struct cod_entry *new_entry(char *namespace, char *id, int mode,
- char *link_id);
+extern struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id);
extern struct aa_network_entry *new_network_ent(unsigned int family,
unsigned int type,
unsigned int protocol);
diff --git a/parser/parser_alias.c b/parser/parser_alias.c
index 00a4ced..aee882e 100644
--- a/parser/parser_alias.c
+++ b/parser/parser_alias.c
@@ -50,7 +50,7 @@ int new_alias(const char *from, const char *to)
{
struct alias_rule *alias, **result;
- alias = calloc(1, sizeof(struct alias_rule));
+ alias = (struct alias_rule *) calloc(1, sizeof(struct alias_rule));
if (!alias) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
goto fail;
@@ -95,14 +95,14 @@ fail:
static char *do_alias(struct alias_rule *alias, const char *target)
{
int len = strlen(target) - strlen(alias->from) + strlen(alias->to);
- char *new = malloc(len + 1);
- if (!new) {
+ char *n = (char *) malloc(len + 1);
+ if (!n) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
return NULL;
}
- sprintf(new, "%s%s", alias->to, target + strlen(alias->from));
+ sprintf(n, "%s%s", alias->to, target + strlen(alias->from));
/*fprintf(stderr, "replaced alias: from: %s, to: %s, name: %s\n %s\n", alias->from, alias->to, target, new);*/
- return new;
+ return n;
}
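Review bot: The commented-out trace on the line after `sprintf` still prints `new`, which this hunk renamed to `n`, so the dead code no longer even matches the function it sits in; delete that line rather than carry a stale name. Separately, `int len = strlen(target) - strlen(alias->from) + strlen(alias->to)` narrows size_t arithmetic into an int and is only safe because the callers in this file first check that `alias->from` is a prefix of `target`; a one-line comment above the `n` allocation saying so would stop the next reader from re-deriving it.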
static struct codomain *target_cod;
@@ -123,22 +123,22 @@ static void process_entries(const void *nodep, VISIT value, int __unused level)
entry->alias_ignore)
continue;
if (entry->name && strncmp((*t)->from, entry->name, len) == 0) {
- char *new = do_alias(*t, entry->name);
- if (!new)
+ char *n = do_alias(*t, entry->name);
+ if (!n)
return;
dup = copy_cod_entry(entry);
free(dup->name);
- dup->name = new;
+ dup->name = n;
}
if (entry->link_name &&
strncmp((*t)->from, entry->link_name, len) == 0) {
- char *new = do_alias(*t, entry->link_name);
- if (!new)
+ char *n = do_alias(*t, entry->link_name);
+ if (!n)
return;
if (!dup)
dup = copy_cod_entry(entry);
free(dup->link_name);
- dup->link_name = new;
+ dup->link_name = n;
}
if (dup) {
dup->alias_ignore = 1;
@@ -152,7 +152,6 @@ static void process_entries(const void *nodep, VISIT value, int __unused level)
}
}
-static struct codomain *target_cod;
static void process_name(const void *nodep, VISIT value, int __unused level)
{
struct alias_rule **t = (struct alias_rule **) nodep;
@@ -172,14 +171,14 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
if (name && strncmp((*t)->from, name, len) == 0) {
struct alt_name *alt;
- char *new = do_alias(*t, name);
- if (!new)
+ char *n = do_alias(*t, name);
+ if (!n)
return;
/* aliases create alternate names */
- alt = calloc(1, sizeof(struct alt_name));
+ alt = (struct alt_name *) calloc(1, sizeof(struct alt_name));
if (!alt)
return;
- alt->name = new;
+ alt->name = n;
alt->next = cod->altnames;
cod->altnames = alt;
}
diff --git a/parser/parser_common.c b/parser/parser_common.c
index bf4dd41..e8b20f0 100644
--- a/parser/parser_common.c
+++ b/parser/parser_common.c
@@ -34,11 +34,11 @@ int names_only = 0;
int current_lineno = 1;
int option = OPTION_ADD;
-dfaflags_t dfaflags = DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS;
+dfaflags_t dfaflags = (dfaflags_t)(DFA_CONTROL_TREE_NORMAL | DFA_CONTROL_TREE_SIMPLE | DFA_CONTROL_MINIMIZE | DFA_CONTROL_MINIMIZE_HASH_TRANS);
char *subdomainbase = NULL;
char *progname = __FILE__;
-char *profile_namespace = NULL;
+char *profile_ns = NULL;
char *profilename = NULL;
char *current_filename = NULL;
diff --git a/parser/parser_include.c b/parser/parser_include.c
index f143353..697fad3 100644
--- a/parser/parser_include.c
+++ b/parser/parser_include.c
@@ -291,7 +291,7 @@ void push_include_stack(char *filename)
{
struct include_stack_t *include = NULL;
- include = malloc(sizeof(*include));
+ include = (struct include_stack_t *) malloc(sizeof(*include));
if (!include) {
perror("malloc of included file stack tracker");
/* failures in this area are non-fatal */
diff --git a/parser/parser_interface.c b/parser/parser_interface.c
index 5c2b486..77f3d2e 100644
--- a/parser/parser_interface.c
+++ b/parser/parser_interface.c
@@ -214,7 +214,7 @@ struct __sdserialize {
sd_serialize *alloc_sd_serial(void)
{
- sd_serialize *p = calloc(1, sizeof(sd_serialize));
+ sd_serialize *p = (sd_serialize *) calloc(1, sizeof(sd_serialize));
if (!p)
return NULL;
p->buffer = malloc(BUFFERINC);
@@ -255,7 +255,7 @@ static inline void sd_inc(sd_serialize *p, int size)
inline long sd_serial_size(sd_serialize *p)
{
- return (p->pos - p->buffer);
+ return (long) (p->pos) - (long) (p->buffer);
}
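Review bot: `(long) (p->pos) - (long) (p->buffer)` on the changed line converts two pointers to long to subtract them, which is not guaranteed to round-trip and reads as a workaround for void* arithmetic being invalid in C++; the idiomatic form is `return (char *) p->pos - (char *) p->buffer;`, which yields a ptrdiff_t. The same `(long)` pointer casts recur in the hunks at @@ -265 (sd_prepare_write), @@ -367 (sd_write_aligned_blob) and @@ -818 (sd_serialize_codomain) and could all use the `(char *)` form.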
/* routines for writing data to the serialization buffer */
@@ -265,14 +265,14 @@ inline int sd_prepare_write(sd_serialize *p, enum sd_code code, size_t size)
if (p->pos + SD_CODE_SIZE + size > p->extent) {
long pos;
/* try and reallocate the buffer */
- void *buffer = malloc(p->extent - p->buffer + (BUFFERINC * num));
- memcpy(buffer, p->buffer, p->extent - p->buffer);
+ void *buffer = malloc((long)(p->extent) - (long)(p->buffer) + (BUFFERINC * num));
+ memcpy(buffer, p->buffer, (long)(p->extent) - (long)(p->buffer));
- pos = p->pos - p->buffer;
+ pos = (long)(p->pos) - (long)(p->buffer);
if (buffer == NULL || errno == ENOMEM)
return 0;
- p->extent = buffer + (p->extent - p->buffer) + (BUFFERINC * num);
+ p->extent = buffer + ((long)(p->extent) - (long)(p->buffer)) + (BUFFERINC * num);
free(p->buffer);
p->buffer = buffer;
p->pos = buffer + pos;
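Review bot: The new `memcpy(buffer, p->buffer, ...)` still runs before the `if (buffer == NULL || errno == ENOMEM)` test two lines later, so a failed malloc is dereferenced before the error path is reached; move the NULL test to immediately after the malloc. The `errno == ENOMEM` half of that test is also unreliable, since malloc does not clear errno on success and a stale ENOMEM from an earlier call makes a successful allocation return 0 and leak `buffer`; `if (buffer == NULL) return 0;` is sufficient. sd_prepare_write starts outside the hunk.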
@@ -367,7 +367,7 @@ inline int sd_write_aligned_blob(sd_serialize *p, void *b, int buf_size,
u32 tmp;
if (!sd_write_name(p, name))
return 0;
- pad = align64((p->pos + 5) - p->buffer) - ((p->pos + 5) - p->buffer);
+ pad = align64(((long)(p->pos + 5) - (long)(p->buffer)) - ((long)(p->pos + 5) - (long)(p->buffer)));
if (!sd_prepare_write(p, SD_BLOB, 4 + buf_size + pad))
return 0;
tmp = cpu_to_le32(buf_size + pad);
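Review bot: The rewritten `pad = align64(((long)(p->pos + 5) - (long)(p->buffer)) - ((long)(p->pos + 5) - (long)(p->buffer)));` moves the subtraction inside the align64() call: the old line computed `align64(off) - off`, the new one computes `align64(off - off)`, i.e. `align64(0)`, so the blob is never padded and its position in the serialized profile is no longer 64-bit aligned. Restore the original grouping with an intermediate, `long off = (long)(p->pos + 5) - (long)(p->buffer);` followed by `pad = align64(off) - off;`. Whatever consumes the blob and relies on the alignment (the DFA tables, presumably) sees a changed layout after this commit. sd_write_aligned_blob starts outside the hunk.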
@@ -555,7 +555,7 @@ int sd_serialize_profile(sd_serialize *p, struct codomain *profile,
assert(profile->parent);
int res;
- char *name = malloc(3 + strlen(profile->name) +
+ char *name = (char *) malloc(3 + strlen(profile->name) +
strlen(profile->parent->name));
if (!name)
return 0;
@@ -696,11 +696,11 @@ int sd_serialize_top_profile(sd_serialize *p, struct codomain *profile)
if (!sd_write32(p, version))
return 0;
- if (profile_namespace) {
- if (!sd_write_string(p, profile_namespace, "namespace"))
+ if (profile_ns) {
+ if (!sd_write_string(p, profile_ns, "namespace"))
return 0;
- } else if (profile->namespace) {
- if (!sd_write_string(p, profile->namespace, "namespace"))
+ } else if (profile->ns) {
+ if (!sd_write_string(p, profile->ns, "namespace"))
return 0;
}
@@ -760,15 +760,15 @@ int sd_serialize_codomain(int option, struct codomain *cod)
char *name, *ns = NULL;
int len = 0;
- if (profile_namespace) {
- len += strlen(profile_namespace) + 2;
- ns = profile_namespace;
- } else if (cod->namespace) {
- len += strlen(cod->namespace) + 2;
- ns = cod->namespace;
+ if (profile_ns) {
+ len += strlen(profile_ns) + 2;
+ ns = profile_ns;
+ } else if (cod->ns) {
+ len += strlen(cod->ns) + 2;
+ ns = cod->ns;
}
if (cod->parent) {
- name = malloc(strlen(cod->name) + 3 +
+ name = (char *) malloc(strlen(cod->name) + 3 +
strlen(cod->parent->name) + len);
if (!name) {
PERROR(_("Memory Allocation Error: Unable to remove ^%s\n"), cod->name);
@@ -782,7 +782,7 @@ int sd_serialize_codomain(int option, struct codomain *cod)
sprintf(name, "%s//%s", cod->parent->name,
cod->name);
} else if (ns) {
- name = malloc(len + strlen(cod->name) + 1);
+ name = (char *) malloc(len + strlen(cod->name) + 1);
if (!name) {
PERROR(_("Memory Allocation Error: Unable to remove %s:%s."), ns, cod->name);
error = -errno;
@@ -818,7 +818,7 @@ int sd_serialize_codomain(int option, struct codomain *cod)
goto exit;
}
- size = work_area->pos - work_area->buffer;
+ size = (long) (work_area->pos) - (long)(work_area->buffer);
if (kernel_load || option == OPTION_STDOUT || option == OPTION_OFILE) {
wsize = write(fd, work_area->buffer, size);
if (wsize < 0) {
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index eff937e..0731588 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -104,10 +104,10 @@ do { \
#define YY_NO_INPUT
#define STATE_TABLE_ENT(X) [(X)] = #X
-static const char *const state_names[];
+/* static char *const state_names[]; */
struct ignored_suffix_t {
- char * text;
+ const char * text;
int len;
int silent;
};
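Review bot: The forward declaration of `state_names` is replaced by a commented-out copy, `/* static char *const state_names[]; */`, that also drops the `const` the original had, so it documents nothing accurately and reads as dead code; delete the line. If the reason is worth recording (C++ rejects a tentative definition of an array of unknown bound), put that one sentence where `state_names` is actually defined.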
@@ -136,7 +136,7 @@ static int is_blacklisted(const char *name, const char *path)
/* skip blacklisted suffixes */
for (suffix = ignored_suffixes; suffix->text; suffix++) {
char *found;
- if ( (found = strstr(name, suffix->text)) &&
+ if ( (found = strstr((char *) name, suffix->text)) &&
found - name + suffix->len == name_len ) {
if (!suffix->silent)
PERROR("Ignoring: '%s'\n", path);
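Review bot: `strstr((char *) name, suffix->text)` on the changed line casts away `const` from the function's `name` parameter only so that the result fits `char *found`; in C++ the const overload of strstr returns `const char *`, so the cleaner fix is `const char *found;` on the declaration line and the call left as `strstr(name, suffix->text)`. In the visible lines `found` is only used for pointer arithmetic, never written through. is_blacklisted starts outside the hunk.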
@@ -637,15 +637,16 @@ static const char *const state_names[] = {
STATE_TABLE_ENT(SUB_ID),
STATE_TABLE_ENT(SUB_VALUE),
STATE_TABLE_ENT(EXTCOND_MODE),
- STATE_TABLE_ENT(LIST_COND_VAL),
- STATE_TABLE_ENT(LIST_COND_PAREN_VAL),
- STATE_TABLE_ENT(LIST_COND_MODE),
STATE_TABLE_ENT(EXTCONDLIST_MODE),
STATE_TABLE_ENT(NETWORK_MODE),
STATE_TABLE_ENT(LIST_VAL_MODE),
+ STATE_TABLE_ENT(LIST_COND_MODE),
+ STATE_TABLE_ENT(LIST_COND_VAL),
+ STATE_TABLE_ENT(LIST_COND_PAREN_VAL),
STATE_TABLE_ENT(ASSIGN_MODE),
STATE_TABLE_ENT(RLIMIT_MODE),
STATE_TABLE_ENT(MOUNT_MODE),
+ STATE_TABLE_ENT(DBUS_MODE),
STATE_TABLE_ENT(CHANGE_PROFILE_MODE),
STATE_TABLE_ENT(INCLUDE),
};
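Review bot: The reorder of the LIST_COND_* entries and the added DBUS_MODE only make sense if the `[(X)] = #X` designators must appear in ascending order of the start-condition values, which is what g++ tolerates for designated initializers; nothing in the table says so, and the next entry added out of order will either fail to compile or quietly disturb the mapping. Add above the table `/* entries must stay in start-condition order: g++ only accepts designated initializers whose designators are ascending */`. If DBUS_MODE was previously missing from the table, that is a fix worth a line in the commit description.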
diff --git a/parser/parser_main.c b/parser/parser_main.c
index af35813..ab2aea9 100644
--- a/parser/parser_main.c
+++ b/parser/parser_main.c
@@ -64,7 +64,6 @@
const char *parser_title = "AppArmor parser";
const char *parser_copyright = "Copyright (C) 1999-2008 Novell Inc.\nCopyright 2009-2012 Canonical Ltd.";
-char *progname;
int opt_force_complain = 0;
int binary_input = 0;
int dump_vars = 0;
@@ -520,7 +519,7 @@ static int process_arg(int c, char *optarg)
conf_quiet = 0;
break;
case 'n':
- profile_namespace = strdup(optarg);
+ profile_ns = strdup(optarg);
break;
case 'X':
read_implies_exec = 1;
@@ -793,7 +792,7 @@ static void get_match_string(void) {
/* if we have a features directory default to */
perms_create = 1;
- flags_string = malloc(FLAGS_STRING_SIZE);
+ flags_string = (char *) malloc(FLAGS_STRING_SIZE);
handle_features_dir(FLAGS_FILE, &flags_string, FLAGS_STRING_SIZE, flags_string);
if (strstr(flags_string, "network"))
kernel_supports_network = 1;
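Review bot: `flags_string = (char *) malloc(FLAGS_STRING_SIZE);` is passed to `handle_features_dir()` and then dereferenced by `strstr(flags_string, "network")` with no NULL check in between, unlike the `match_string` and `*flags` allocations in the next two hunks, which both check. Add `if (!flags_string) goto out;` after the allocation, matching the `goto out` failure path this function uses in the @@ -808 hunk. get_match_string starts outside the hunk.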
@@ -808,7 +807,7 @@ static void get_match_string(void) {
if (!ms)
goto out;
- match_string = malloc(1000);
+ match_string = (char *) malloc(1000);
if (!match_string) {
goto out;
}
@@ -845,7 +844,7 @@ static void get_flags_string(char **flags, char *flags_file) {
if (!f)
return;
- *flags = malloc(FLAGS_STRING_SIZE);
+ *flags = (char *) malloc(FLAGS_STRING_SIZE);
if (!*flags)
goto fail;
@@ -892,7 +891,7 @@ int process_binary(int option, char *profilename)
do {
if (asize - size == 0) {
- buffer = realloc(buffer, chunksize);
+ buffer = (char *) realloc(buffer, chunksize);
asize = chunksize;
chunksize <<= 1;
if (!buffer) {
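Review bot: `buffer = (char *) realloc(buffer, chunksize);` overwrites the only reference to the old block, so when realloc fails the `if (!buffer)` on the next line takes the error path but the previous buffer is leaked. Use a temporary: `char *tmp = (char *) realloc(buffer, chunksize); if (!tmp) { /* existing error handling, with buffer still valid to free */ } buffer = tmp;`. The loop also doubles `chunksize` without bound; a cap on the binary size would be worth a separate check. process_binary starts and ends outside the hunk.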
@@ -1049,7 +1048,7 @@ int process_profile(int option, char *profilename)
* TODO: Add support for embedded namespace defines if they aren't
* removed from the language.
*/
- if (profile_namespace)
+ if (profile_ns)
skip_cache = 1;
/* Do secondary test to see if cached binary profile is good,
diff --git a/parser/parser_merge.c b/parser/parser_merge.c
index 156057f..c57ebe5 100644
--- a/parser/parser_merge.c
+++ b/parser/parser_merge.c
@@ -35,12 +35,12 @@ static int file_comp(const void *c1, const void *c2)
int res = 0;
//PERROR("strcmp %s %s\n", (*e1)->name, (*e2)->name);
- if ((*e1)->namespace) {
- if ((*e2)->namespace)
- res = strcmp((*e1)->namespace, (*e2)->namespace);
+ if ((*e1)->ns) {
+ if ((*e2)->ns)
+ res = strcmp((*e1)->ns, (*e2)->ns);
else
return 1;
- } else if ((*e2)->namespace) {
+ } else if ((*e2)->ns) {
return -1;
}
if (res)
@@ -86,7 +86,7 @@ static int process_file_entries(struct codomain *cod)
if (count < 2)
return 1;
- table = malloc(sizeof(struct cod_entry *) * (count + 1));
+ table = (struct cod_entry **) malloc(sizeof(struct cod_entry *) * (count + 1));
if (!table) {
PERROR(_("Couldn't merge entries. Out of Memory\n"));
return 0;
diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 24dd53d..10c41ec 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -51,7 +51,7 @@
#define NPDEBUG(fmt, args...) /* Do nothing */
struct keyword_table {
- char *keyword;
+ const char *keyword;
int token;
};
@@ -169,11 +169,11 @@ int get_rlimit(const char *name)
}
struct network_tuple {
- char *family_name;
+ const char *family_name;
unsigned int family;
- char *type_name;
+ const char *type_name;
unsigned int type;
- char *protocol_name;
+ const char *protocol_name;
unsigned int protocol;
};
@@ -334,7 +334,7 @@ struct aa_network_entry *new_network_ent(unsigned int family,
unsigned int protocol)
{
struct aa_network_entry *new_entry;
- new_entry = calloc(1, sizeof(struct aa_network_entry));
+ new_entry = (struct aa_network_entry *) calloc(1, sizeof(struct aa_network_entry));
if (new_entry) {
new_entry->family = family;
new_entry->type = type;
@@ -562,13 +562,13 @@ static int parse_sub_mode(const char *str_mode, const char *mode_desc __unused)
p = str_mode;
while (*p) {
- char this = *p;
+ char thisc = *p;
char next = *(p + 1);
char lower;
int tmode = 0;
reeval:
- switch (this) {
+ switch (thisc) {
case COD_READ_CHAR:
if (read_implies_exec) {
PDEBUG("Parsing mode: found %s READ imply X\n", mode_desc);
@@ -626,7 +626,7 @@ reeval:
PDEBUG("Parsing mode: found UNCONFINED\n");
if (IS_DIFF_QUAL(mode, tmode)) {
yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"),
- this);
+ thisc);
} else {
if (next != tolower(next))
warn_uppercase();
@@ -642,7 +642,7 @@ reeval:
/* fall through */
case COD_PROFILE_CHAR:
case COD_LOCAL_CHAR:
- if (tolower(this) == COD_UNSAFE_PROFILE_CHAR)
+ if (tolower(thisc) == COD_UNSAFE_PROFILE_CHAR)
tmode |= AA_EXEC_PROFILE | AA_MAY_EXEC;
else
{
@@ -652,7 +652,7 @@ reeval:
if (tolower(next) == COD_INHERIT_CHAR) {
tmode |= AA_EXEC_INHERIT;
if (IS_DIFF_QUAL(mode, tmode)) {
- yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), this, next);
+ yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), thisc, next);
} else {
mode |= tmode;
p += 2; /* skip x */
@@ -660,13 +660,13 @@ reeval:
} else if (tolower(next) == COD_UNSAFE_UNCONFINED_CHAR) {
tmode |= AA_EXEC_PUX;
if (IS_DIFF_QUAL(mode, tmode)) {
- yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), this, next);
+ yyerror(_("Exec qualifier '%c%c' invalid, conflicting qualifier already specified"), thisc, next);
} else {
mode |= tmode;
p += 2; /* skip x */
}
} else if (IS_DIFF_QUAL(mode, tmode)) {
- yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), this);
+ yyerror(_("Exec qualifier '%c' invalid, conflicting qualifier already specified"), thisc);
} else {
if (next != tolower(next))
@@ -683,7 +683,7 @@ reeval:
break;
case COD_EXEC_CHAR:
- /* this is valid for deny rules, and named transitions
+ /* thisc is valid for deny rules, and named transitions
* but invalid for regular x transitions
* sort it out later.
*/
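Review bot: The rename of the local `this` to `thisc` has been applied inside a prose comment: `/* thisc is valid for deny rules, and named transitions` was the English sentence "this is valid for deny rules…" about the exec character, not a reference to the variable. Restore `/* this is valid for deny rules, and named transitions`. The same rename in parse_dbus_sub_mode (the @@ -746 hunk) chose `current` instead of `thisc`; one name for both functions would read better.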
@@ -693,7 +693,7 @@ reeval:
/* error cases */
default:
- lower = tolower(this);
+ lower = tolower(thisc);
switch (lower) {
case COD_READ_CHAR:
case COD_WRITE_CHAR:
@@ -702,14 +702,14 @@ reeval:
case COD_INHERIT_CHAR:
case COD_MMAP_CHAR:
case COD_EXEC_CHAR:
- PDEBUG("Parsing mode: found invalid upper case char %c\n", this);
+ PDEBUG("Parsing mode: found invalid upper case char %c\n", thisc);
warn_uppercase();
- this = lower;
+ thisc = lower;
goto reeval;
break;
default:
yyerror(_("Internal: unexpected mode character '%c' in input"),
- this);
+ thisc);
break;
}
break;
@@ -746,11 +746,11 @@ static int parse_dbus_sub_mode(const char *str_mode, int *result, int fail, cons
p = str_mode;
while (*p) {
- char this = *p;
+ char current = *p;
char lower;
reeval:
- switch (this) {
+ switch (current) {
case COD_READ_CHAR:
PDEBUG("Parsing DBus mode: found %s READ\n", mode_desc);
mode |= AA_DBUS_RECEIVE;
@@ -765,20 +765,20 @@ reeval:
/* error cases */
default:
- lower = tolower(this);
+ lower = tolower(current);
switch (lower) {
case COD_READ_CHAR:
case COD_WRITE_CHAR:
PDEBUG("Parsing DBus mode: found invalid upper case char %c\n",
- this);
+ current);
warn_uppercase();
- this = lower;
+ current = lower;
goto reeval;
break;
default:
if (fail)
yyerror(_("Internal: unexpected DBus mode character '%c' in input"),
- this);
+ current);
else
return 0;
break;
@@ -809,7 +809,7 @@ int parse_dbus_mode(const char *str_mode, int *mode, int fail)
return 1;
}
-struct cod_entry *new_entry(char *namespace, char *id, int mode, char *link_id)
+struct cod_entry *new_entry(char *ns, char *id, int mode, char *link_id)
{
struct cod_entry *entry = NULL;
@@ -817,7 +817,7 @@ struct cod_entry *new_entry(char *namespace, char *id, int mode, char *link_id)
if (!entry)
return NULL;
- entry->namespace = namespace;
+ entry->ns = ns;
entry->name = id;
entry->link_name = link_id;
entry->mode = mode;
@@ -841,7 +841,7 @@ struct cod_entry *copy_cod_entry(struct cod_entry *orig)
if (!entry)
return NULL;
- entry->namespace = orig->namespace ? strdup(orig->namespace) : NULL;
+ entry->ns = orig->ns ? strdup(orig->ns) : NULL;
entry->name = strdup(orig->name);
entry->link_name = orig->link_name ? strdup(orig->link_name) : NULL;
entry->mode = orig->mode;
@@ -863,8 +863,8 @@ void free_cod_entries(struct cod_entry *list)
return;
if (list->next)
free_cod_entries(list->next);
- if (list->namespace)
- free(list->namespace);
+ if (list->ns)
+ free(list->ns);
if (list->name)
free(list->name);
if (list->link_name)
@@ -939,8 +939,8 @@ void debug_cod_entries(struct cod_entry *list)
else
printf("\tName:\tNULL\n");
- if (item->namespace)
- printf("\tNamespace:\t(%s)\n", item->namespace);
+ if (item->ns)
+ printf("\tNs:\t(%s)\n", item->ns);
if (AA_LINK_BITS & item->mode)
printf("\tlink:\t(%s)\n", item->link_name ? item->link_name : "/**");
@@ -1037,23 +1037,31 @@ void debug_capabilities(struct codomain *cod)
__debug_capabilities(cod->quiet_caps, "Quiet Caps");
}
+/* Bleah C++ doesn't have non-trivial designated initializers so we just
+ * have to make sure these are in order. This means we are more brittle
+ * but there isn't much we can do.
+ */
const char *sock_types[] = {
- [0] = "none",
- [SOCK_STREAM] = "stream",
- [SOCK_DGRAM] = "dgram",
- [SOCK_RAW] = "raw",
- [SOCK_RDM] = "rdm",
- [SOCK_SEQPACKET] = "seqpacket",
- [SOCK_PACKET] = "packet",
+ "none", /* 0 */
+ "stream", /* 1 [SOCK_STREAM] */
+ "dgram", /* 2 [SOCK_DGRAM] */
+ "raw", /* 3 [SOCK_RAW] */
+ "rdm", /* 4 [SOCK_RDM] */
+ "seqpacket", /* 5 [SOCK_SEQPACKET] */
+ "dccp", /* 6 [SOCK_DCCP] */
+ "invalid", /* 7 */
+ "invalid", /* 8 */
+ "invalid", /* 9 */
+ "packet", /* 10 [SOCK_PACKET] */
/*
* See comment above
- [SOCK_DCCP] = "dccp",
*/
};
#define ALL_TYPES 0x43e
+/* another case of C++ not supporting non-trivial designated initializers */
#undef AA_GEN_NET_ENT
-#define AA_GEN_NET_ENT(name, AF) [AF] = name,
+#define AA_GEN_NET_ENT(name, AF) name, /* [AF] = name, */
static const char *network_families[] = {
#include "af_names.h"
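Review bot: The positional `sock_types` table now silently depends on the SOCK_* constants keeping their current values, and nothing checks that the table length still matches; the `/* See comment above */` block at the end of the array is also left empty after the `[SOCK_DCCP]` line was removed. A check such as `static_assert(sizeof(sock_types) / sizeof(sock_types[0]) == SOCK_PACKET + 1, "sock_types out of sync with SOCK_*");` (or a run-time assert if the build does not enable C++11) would catch a future insertion shifting every name, and the empty comment should go. The same fragility applies to `network_families`: with `AA_GEN_NET_ENT` reduced to `name,`, the table is only correct if af_names.h is generated with exactly one entry per AF value, in order and without gaps, which is not visible in this hunk and deserves a comment at the `#include`. Note also that `ALL_TYPES` (0x43e) is unchanged and still omits bit 6 although "dccp" now occupies index 6; whether that is intended depends on how sock_types is consumed outside the hunk.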
@@ -1132,8 +1140,8 @@ void debug_network(struct codomain *cod)
void debug_cod_list(struct codomain *cod)
{
- if (cod->namespace)
- printf("Namespace:\t\t%s\n", cod->namespace);
+ if (cod->ns)
+ printf("Ns:\t\t%s\n", cod->ns);
if (cod->name)
printf("Name:\t\t%s\n", cod->name);
@@ -1158,7 +1166,7 @@ void debug_cod_list(struct codomain *cod)
struct value_list *new_value_list(char *value)
{
- struct value_list *val = calloc(1, sizeof(struct value_list));
+ struct value_list *val = (struct value_list *) calloc(1, sizeof(struct value_list));
if (val)
val->value = value;
return val;
@@ -1224,7 +1232,7 @@ void print_value_list(struct value_list *list)
struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list)
{
- struct cond_entry *ent = calloc(1, sizeof(struct cond_entry));
+ struct cond_entry *ent = (struct cond_entry *) calloc(1, sizeof(struct cond_entry));
if (ent) {
ent->name = name;
ent->vals = list;
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index a5f8400..ec3387c 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -19,6 +19,8 @@
* Ltd.
*/
+#include <algorithm>
+
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
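Review bot: None of this file's visible hunks use anything from `<algorithm>`, so the newly added include looks unused. If it is needed by code outside the patch, a short comment naming what it is for would help the next reader; otherwise it should be dropped so the C-to-C++ conversion does not pull in headers it does not need.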
@@ -49,12 +51,12 @@ static int codomain_compare(const void *a, const void *b)
struct codomain *B = (struct codomain *) b;
int res = 0;
- if (A->namespace) {
- if (B->namespace)
- res = strcmp(A->namespace, B->namespace);
+ if (A->ns) {
+ if (B->ns)
+ res = strcmp(A->ns, B->ns);
else
res = -1;
- } else if (B->namespace)
+ } else if (B->ns)
res = 1;
if (res)
return res;
@@ -119,7 +121,7 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
char *name = NULL;
/* check to see if it is a local transition */
- if (!entry->namespace) {
+ if (!entry->ns) {
char *sub = strstr(entry->nt_name, "//");
/* does the subprofile name match the rule */
@@ -138,7 +140,7 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
return AA_EXEC_LOCAL >> 10;
}
/* specified as cix so profile name is implicit */
- name = malloc(strlen(cod->name) + strlen(entry->nt_name)
+ name = (char *) malloc(strlen(cod->name) + strlen(entry->nt_name)
+ 3);
if (!name) {
PERROR("Memory allocation error\n");
@@ -149,16 +151,16 @@ static int add_named_transition(struct codomain *cod, struct cod_entry *entry)
entry->nt_name = name;
}
}
- if (entry->namespace) {
- name = malloc(strlen(entry->namespace) + strlen(entry->nt_name) + 3);
+ if (entry->ns) {
+ name = (char *) malloc(strlen(entry->ns) + strlen(entry->nt_name) + 3);
if (!name) {
PERROR("Memory allocation error\n");
exit(1);
}
- sprintf(name, ":%s:%s", entry->namespace, entry->nt_name);
- free(entry->namespace);
+ sprintf(name, ":%s:%s", entry->ns, entry->nt_name);
+ free(entry->ns);
free(entry->nt_name);
- entry->namespace = NULL;
+ entry->ns = NULL;
entry->nt_name = NULL;
} else {
name = entry->nt_name;
@@ -192,7 +194,7 @@ void post_process_file_entries(struct codomain *cod)
mode |= SHIFT_MODE(n << 10, AA_OTHER_SHIFT);
entry->mode = ((entry->mode & ~AA_ALL_EXEC_MODIFIERS) |
(mode & AA_ALL_EXEC_MODIFIERS));
- entry->namespace = NULL;
+ entry->ns = NULL;
entry->nt_name = NULL;
}
/* FIXME: currently change_profile also implies onexec */
@@ -451,7 +453,7 @@ static void __add_hat_rules_parent(const void *nodep, const VISIT value,
*/
if ((flag_changehat_version == FLAG_CHANGEHAT_1_4) &&
(*t)->parent) {
- char *buffer = malloc(strlen((*t)->name) + 1);
+ char *buffer = (char *) malloc(strlen((*t)->name) + 1);
if (!buffer) {
PERROR("Memory allocation error\n");
exit(1);
@@ -828,8 +830,8 @@ void free_policy(struct codomain *cod)
free(cod->name);
if (cod->attachment)
free(cod->attachment);
- if (cod->namespace)
- free(cod->namespace);
+ if (cod->ns)
+ free(cod->ns);
if (cod->network_allowed)
free(cod->network_allowed);
if (cod->audit_network)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 99a4ac3..aa6a8ca 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -518,9 +518,9 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
/* allow change_profile for all execs */
vec[0] = "/[^\\x00]*";
- if (entry->namespace) {
+ if (entry->ns) {
int pos;
- ptype = convert_aaregex_to_pcre(entry->namespace, 0, lbuf, PATH_MAX + 8, &pos);
+ ptype = convert_aaregex_to_pcre(entry->ns, 0, lbuf, PATH_MAX + 8, &pos);
vec[index++] = lbuf;
}
vec[index++] = tbuf;
@@ -536,9 +536,9 @@ static int process_dfa_entry(aare_ruleset_t *dfarules, struct cod_entry *entry)
}
if (entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE)) {
int mode = entry->mode & (AA_USER_PTRACE | AA_OTHER_PTRACE);
- if (entry->namespace) {
+ if (entry->ns) {
char *vec[2];
- vec[0] = entry->namespace;
+ vec[0] = entry->ns;
vec[1] = entry->name;
if (!aare_add_rule_vec(dfarules, 0, mode, 0, 2, vec, dfaflags))
return FALSE;
diff --git a/parser/parser_symtab.c b/parser/parser_symtab.c
index 946a99b..10cf18b 100644
--- a/parser/parser_symtab.c
+++ b/parser/parser_symtab.c
@@ -46,51 +46,51 @@ static int __expand_variable(struct symtab *symbol);
static struct symtab *new_symtab_entry(const char *name)
{
- struct symtab *new = calloc(1, sizeof(*new));
+ struct symtab *n = (struct symtab *) calloc(1, sizeof(*n));
- if (!new) {
+ if (!n) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
return NULL;
}
- new->var_name = strndup(name, PATH_MAX);
- if (!new->var_name) {
+ n->var_name = strndup(name, PATH_MAX);
+ if (!n->var_name) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
- free(new);
+ free(n);
return NULL;
}
- return new;
+ return n;
}
static struct set_value *new_set_value(const char *val)
{
- struct set_value *new = calloc(1, sizeof(*new));
+ struct set_value *n = (struct set_value *) calloc(1, sizeof(*n));
- if (!new) {
+ if (!n) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
return NULL;
}
- new->val = strndup(val, PATH_MAX);
- if (!new->val) {
+ n->val = strndup(val, PATH_MAX);
+ if (!n->val) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
- free(new);
+ free(n);
return NULL;
}
- return new;
+ return n;
}
static void free_values(struct set_value *val)
{
- struct set_value *this = val, *tmp;
+ struct set_value *i = val, *tmp;
- while (this) {
- if (this->val)
- free(this->val);
- tmp = this;
- this = this->next;
+ while (i) {
+ if (i->val)
+ free(i->val);
+ tmp = i;
+ i = i->next;
free(tmp);
}
}
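Review bot: `i` as the list cursor in free_values, and `n` for the freshly allocated entry in new_symtab_entry and new_set_value, read as counters rather than pointers; since the rename is forced only by `new` and `this` being C++ keywords, a descriptive name would keep the code self-explaining, e.g. `struct set_value *cur = val, *tmp;` and `struct symtab *entry = (struct symtab *) calloc(1, sizeof(*entry));`. The same `n`/`t`/`t_value` pattern recurs in the add_boolean_var, new_set_var, __expand_variable and dump_set_values hunks below and could be adjusted in one pass.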
@@ -153,26 +153,26 @@ out:
int add_boolean_var(const char *var, int value)
{
- struct symtab *new, **result;
+ struct symtab *n, **result;
int rc = 0;
- new = new_symtab_entry(var);
- if (!new) {
+ n = new_symtab_entry(var);
+ if (!n) {
rc = ENOMEM;
goto err;
}
- new->type = sd_boolean;
- new->boolean = value;
+ n->type = sd_boolean;
+ n->boolean = value;
- result = (struct symtab **) tsearch(new, &my_symtab, (comparison_fn_t) &compare_symtabs);
+ result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
if (!result) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
rc = errno;
goto err;
}
- if (*result != new) {
+ if (*result != n) {
/* already existing variable */
PERROR("'%s' is already defined\n", var);
rc = 1;
@@ -182,7 +182,7 @@ int add_boolean_var(const char *var, int value)
return 0;
err:
- free_symtab(new);
+ free_symtab(n);
return rc;
};
@@ -213,26 +213,26 @@ out:
*/
int new_set_var(const char *var, const char *value)
{
- struct symtab *new, **result;
+ struct symtab *n, **result;
int rc = 0;
- new = new_symtab_entry(var);
- if (!new) {
+ n = new_symtab_entry(var);
+ if (!n) {
rc = ENOMEM;
goto err;
}
- new->type = sd_set;
- add_to_set(&(new->values), value);
+ n->type = sd_set;
+ add_to_set(&(n->values), value);
- result = (struct symtab **) tsearch(new, &my_symtab, (comparison_fn_t) &compare_symtabs);
+ result = (struct symtab **) tsearch(n, &my_symtab, (comparison_fn_t) &compare_symtabs);
if (!result) {
PERROR("Failed to allocate memory: %s\n", strerror(errno));
rc = errno;
goto err;
}
- if (*result != new) {
+ if (*result != n) {
/* already existing variable */
PERROR("'%s' is already defined\n", var);
rc = 1;
@@ -242,7 +242,7 @@ int new_set_var(const char *var, const char *value)
return 0;
err:
- free_symtab(new);
+ free_symtab(n);
return rc;
}
@@ -382,15 +382,15 @@ static int __expand_variable(struct symtab *symbol)
while (work_list) {
struct symtab *ref;
struct set_value *ref_item;
- struct set_value *this_value = work_list;
+ struct set_value *t_value = work_list;
int rc;
work_list = work_list->next;
- split = split_out_var(this_value->val);
+ split = split_out_var(t_value->val);
if (!split) {
/* fully expanded */
- add_to_set(&expanded, this_value->val);
+ add_to_set(&expanded, t_value->val);
goto next;
}
@@ -399,7 +399,7 @@ static int __expand_variable(struct symtab *symbol)
PERROR("Variable @{%s} is referenced recursively (by @{%s})\n",
split->var, symbol->var_name);
retval = 1;
- free_values(this_value);
+ free_values(t_value);
goto out;
}
@@ -408,14 +408,14 @@ static int __expand_variable(struct symtab *symbol)
PERROR("Variable @{%s} references undefined variable @{%s}\n",
symbol->var_name, split->var);
retval = 3;
- free_values(this_value);
+ free_values(t_value);
goto out;
}
rc = __expand_variable(ref);
if (rc != 0) {
retval = rc;
- free_values(this_value);
+ free_values(t_value);
goto out;
}
@@ -439,8 +439,8 @@ static int __expand_variable(struct symtab *symbol)
}
next:
- this_value->next = NULL;
- free_values(this_value);
+ t_value->next = NULL;
+ free_values(t_value);
free_var_string(split);
}
}
@@ -472,10 +472,10 @@ void expand_variables(void)
static inline void dump_set_values(struct set_value *value)
{
- struct set_value *this = value;
- while (this) {
- printf(" \"%s\"", this->val);
- this = this->next;
+ struct set_value *t = value;
+ while (t) {
+ printf(" \"%s\"", t->val);
+ t = t->next;
}
}
diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index 519be01..fc8bf39 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -54,29 +54,29 @@ static inline char *get_var_end(char *var)
static struct var_string *split_string(char *string, char *var_begin,
char *var_end)
{
- struct var_string *new = calloc(1, sizeof(struct var_string));
+ struct var_string *n = (struct var_string *) calloc(1, sizeof(struct var_string));
unsigned int offset = strlen("@{");
- if (!new) {
+ if (!n) {
PERROR("Memory allocation error\n");
return NULL;
}
if (var_begin != string) {
- new->prefix = strndup(string, var_begin - string);
+ n->prefix = strndup(string, var_begin - string);
}
- new->var = strndup(var_begin + offset, var_end - (var_begin + offset));
+ n->var = strndup(var_begin + offset, var_end - (var_begin + offset));
if (strlen(var_end + 1) != 0) {
- new->suffix = strdup(var_end + 1);
+ n->suffix = strdup(var_end + 1);
}
- return new;
+ return n;
}
struct var_string *split_out_var(char *string)
{
- struct var_string *new = NULL;
+ struct var_string *n = NULL;
char *sptr;
BOOL bEscape = 0; /* flag to indicate escape */
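Review bot: The `strndup`/`strdup` results assigned to `n->prefix`, `n->var` and `n->suffix` in split_string are never checked, so on allocation failure the function returns an entry with a NULL `var` that callers presumably dereference, while the `calloc` a few lines above is checked; this predates the patch but the lines are being rewritten anyway. A check after `n->var = strndup(...)` of the form `if (!n->var) { free_var_string(n); return NULL; }` would close the gap, provided free_var_string tolerates NULL members, which is not visible in this hunk.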
@@ -85,7 +85,7 @@ struct var_string *split_out_var(char *string)
sptr = string;
- while (!new && *sptr) {
+ while (!n && *sptr) {
switch (*sptr) {
case '\\':
if (bEscape) {
@@ -106,7 +106,7 @@ struct var_string *split_out_var(char *string)
PERROR("Empty variable name found!\n");
exit(1);
}
- new = split_string(string, sptr, eptr);
+ n = split_string(string, sptr, eptr);
}
break;
default:
@@ -116,7 +116,7 @@ struct var_string *split_out_var(char *string)
sptr++;
}
- return new;
+ return n;
}
void free_var_string(struct var_string *var)
@@ -191,7 +191,7 @@ static int expand_entry_variables(char **name, void *entry,
int clone_and_chain_cod(void *v)
{
- struct cod_entry *entry = v;
+ struct cod_entry *entry = (struct cod_entry *) v;
struct cod_entry *dup = copy_cod_entry(entry);
if (!dup)
return 0;
@@ -203,7 +203,7 @@ int clone_and_chain_cod(void *v)
int clone_and_chain_mnt(void *v)
{
- struct mnt_entry *entry = v;
+ struct mnt_entry *entry = (struct mnt_entry *) v;
struct mnt_entry *dup = dup_mnt_entry(entry);
if (!dup)
@@ -216,7 +216,7 @@ int clone_and_chain_mnt(void *v)
int clone_and_chain_dbus(void *v)
{
- struct dbus_entry *entry = v;
+ struct dbus_entry *entry = (struct dbus_entry *) v;
struct dbus_entry *dup = dup_dbus_entry(entry);
if (!dup)
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 7b7556c..fb4cfa1 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -68,7 +68,7 @@
int parser_token = 0;
-struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
+struct cod_entry *do_file_rule(char *ns, char *id, int mode,
char *link_id, char *nt);
struct mnt_entry *do_mnt_rule(struct cond_entry *src_conds, char *src,
struct cond_entry *dst_conds, char *dst,
@@ -225,7 +225,7 @@ void add_local_entry(struct codomain *cod);
%type <boolean> opt_profile_flag
%type <boolean> opt_flags
%type <boolean> opt_deny
-%type <id> opt_namespace
+%type <id> opt_ns
%type <id> opt_id
%type <prefix> opt_prefix
%type <fmode> dbus_perm
@@ -253,7 +253,7 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
| TOK_PROFILE { $$ = 1; }
| hat_start { $$ = 2; }
-opt_namespace: { /* nothing */ $$ = NULL; }
+opt_ns: { /* nothing */ $$ = NULL; }
| TOK_COLON TOK_ID TOK_COLON { $$ = $2; }
opt_id: { /* nothing */ $$ = NULL; }
@@ -289,7 +289,7 @@ profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
};
-profile: opt_profile_flag opt_namespace profile_base
+profile: opt_profile_flag opt_ns profile_base
{
struct codomain *cod = $3;
if ($2)
@@ -300,7 +300,7 @@ profile: opt_profile_flag opt_namespace profile_base
if ($3->name[0] != '/' && !($1 || $2))
yyerror(_("Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."));
- cod->namespace = $2;
+ cod->ns = $2;
if ($1 == 2)
cod->flags.hat = 1;
$$ = cod;
@@ -613,13 +613,13 @@ rules: rules opt_prefix network_rule
if (!$3)
yyerror(_("Assert: `network_rule' return invalid protocol."));
if (!$1->network_allowed) {
- $1->network_allowed = calloc(get_af_max(),
- sizeof(unsigned int));
- $1->audit_network = calloc(get_af_max(),
+ $1->network_allowed = (unsigned int *) calloc(get_af_max(),
+ sizeof(unsigned int));
+ $1->audit_network = (unsigned int *)calloc(get_af_max(),
sizeof(unsigned int));
- $1->deny_network = calloc(get_af_max(),
+ $1->deny_network = (unsigned int *)calloc(get_af_max(),
sizeof(unsigned int));
- $1->quiet_network = calloc(get_af_max(),
+ $1->quiet_network = (unsigned int *)calloc(get_af_max(),
sizeof(unsigned int));
if (!$1->network_allowed || !$1->audit_network ||
!$1->deny_network || !$1->quiet_network)
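Review bot: The four added casts are spelled inconsistently, `(unsigned int *) calloc(` on the network_allowed line versus `(unsigned int *)calloc(` on the three that follow; pick one form, e.g. `$1->audit_network = (unsigned int *) calloc(get_af_max(),`. The alignment of the `sizeof(unsigned int));` continuation lines may also have drifted with the longer first lines, though whitespace is not preserved in this rendering.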
@@ -914,19 +914,19 @@ id_or_var: TOK_SET_VAR { $$ = $1; };
opt_named_transition:
{ /* nothing */
$$.present = 0;
- $$.namespace = NULL;
+ $$.ns = NULL;
$$.name = NULL;
}
| TOK_ARROW id_or_var
{
$$.present = 1;
- $$.namespace = NULL;
+ $$.ns = NULL;
$$.name = $2;
}
| TOK_ARROW TOK_COLON id_or_var TOK_COLON id_or_var
{
$$.present = 1;
- $$.namespace = $3;
+ $$.ns = $3;
$$.name = $5;
};
@@ -943,7 +943,7 @@ opt_file: { /* nothing */ $$ = 0; }
frule: id_or_var file_mode opt_named_transition TOK_END_OF_RULE
{
- $$ = do_file_rule($3.namespace, $1, $2, NULL, $3.name);
+ $$ = do_file_rule($3.ns, $1, $2, NULL, $3.name);
};
frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
@@ -952,14 +952,14 @@ frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
yyerror(_("subset can only be used with link rules."));
if ($4.present && ($1 & AA_LINK_BITS) && ($1 & AA_EXEC_BITS))
yyerror(_("link and exec perms conflict on a file rule using ->"));
- if ($4.present && $4.namespace && ($1 & AA_LINK_BITS))
+ if ($4.present && $4.ns && ($1 & AA_LINK_BITS))
yyerror(_("link perms are not allowed on a named profile transition.\n"));
if (($1 & AA_LINK_BITS)) {
$$ = do_file_rule(NULL, $3, $1, $4.name, NULL);
$$->subset = $2;
} else {
- $$ = do_file_rule($4.namespace, $3, $1, NULL, $4.name);
+ $$ = do_file_rule($4.ns, $3, $1, NULL, $4.name);
}
};
@@ -1139,15 +1139,15 @@ mnt_rule: TOK_UMOUNT opt_conds opt_id TOK_END_OF_RULE
mnt_rule: TOK_PIVOTROOT opt_conds opt_id opt_named_transition TOK_END_OF_RULE
{
char *name = NULL;
- if ($4.present && $4.namespace) {
- name = malloc(strlen($4.namespace) +
- strlen($4.name) + 3);
+ if ($4.present && $4.ns) {
+ name = (char *) malloc(strlen($4.ns) +
+ strlen($4.name) + 3);
if (!name) {
PERROR("Memory allocation error\n");
exit(1);
}
- sprintf(name, ":%s:%s", $4.namespace, $4.name);
- free($4.namespace);
+ sprintf(name, ":%s:%s", $4.ns, $4.name);
+ free($4.ns);
free($4.name);
} else if ($4.present)
name = $4.name;
@@ -1297,12 +1297,12 @@ void yyerror(const char *msg, ...)
exit(1);
}
-struct cod_entry *do_file_rule(char *namespace, char *id, int mode,
+struct cod_entry *do_file_rule(char *ns, char *id, int mode,
char *link_id, char *nt)
{
struct cod_entry *entry;
PDEBUG("Matched: tok_id (%s) tok_mode (0x%x)\n", id, mode);
- entry = new_entry(namespace, id, mode, link_id);
+ entry = new_entry(ns, id, mode, link_id);
if (!entry)
yyerror(_("Memory allocation error."));
entry->nt_name = nt;
@@ -1318,7 +1318,7 @@ void add_local_entry(struct codomain *cod)
/* ugh this has to be called after the hat is attached to its parent */
if (cod->local_mode) {
struct cod_entry *entry;
- char *trans = malloc(strlen(cod->parent->name) +
+ char *trans = (char *) malloc(strlen(cod->parent->name) +
strlen(cod->name) + 3);
char *name = strdup(cod->name);
if (!trans)
@@ -1335,7 +1335,7 @@ void add_local_entry(struct codomain *cod)
}
}
-static char *mnt_cond_msg[] = {"",
+static const char *mnt_cond_msg[] = {"",
" not allowed as source conditional",
" not allowed as target conditional",
"",
diff --git a/parser/tst/simple_tests/network/network_bad_5.sd b/parser/tst/simple_tests/network/network_bad_5.sd
deleted file mode 100644
index a3ca627..0000000
--- a/parser/tst/simple_tests/network/network_bad_5.sd
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-#=DESCRIPTION basic network tests
-#=EXRESULT FAIL
-#
-/usr/bin/foo {
- network unix,
-}
diff --git a/parser/tst/simple_tests/network/network_bad_6.sd b/parser/tst/simple_tests/network/network_bad_6.sd
deleted file mode 100644
index 5483d8d..0000000
--- a/parser/tst/simple_tests/network/network_bad_6.sd
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-#=DESCRIPTION basic network tests
-#=EXRESULT FAIL
-#
-/usr/bin/foo {
- network netlink,
-}
diff --git a/parser/tst/simple_tests/network/network_ok_5.sd b/parser/tst/simple_tests/network/network_ok_5.sd
new file mode 100644
index 0000000..12a0fd5
--- /dev/null
+++ b/parser/tst/simple_tests/network/network_ok_5.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION basic network tests
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ network unix,
+}
diff --git a/parser/tst/simple_tests/network/network_ok_6.sd b/parser/tst/simple_tests/network/network_ok_6.sd
new file mode 100644
index 0000000..42ea6cc
--- /dev/null
+++ b/parser/tst/simple_tests/network/network_ok_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION basic network tests
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ network netlink,
+}
--
1.8.3.2