[apparmor] [PATCH 2/4] parser: Don't generate accept states for audit deny dbus and mount rules
Tyler Hicks
tyhicks at canonical.com
Thu Sep 26 23:08:08 UTC 2013
Rules that have the audit and deny modifiers are to be explicitly denied
and audited. However, accept states were incorrectly being generated
with the deny and quiet masks set. This resulted in actions being denied
but not audited.
Here's the old parser output for audit deny dbus and mount rules:
$ dbus="/t { audit deny dbus, }"
$ mount="/t { audit deny mount, }"
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{3} (0x 0/40/0/40)
{7} (0x 0/46/0/46)
$ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
{5} (0x 0/2/0/2)
With this patch, no accept states are generated which means that actions
will be denied and audited:
$ echo $dbus | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
$ echo $mount | apparmor_parser -qQD dfa-states 2>&1 | sed '/^$/,$d'
{1} <== (allow/deny/audit/quiet)
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
parser/parser_yacc.y | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 3489ba6..6555c4a 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -658,7 +658,9 @@ rules: rules opt_prefix mnt_rule
{
if ($2.owner)
yyerror(_("owner prefix not allow on mount rules"));
- if ($2.deny) {
+ if ($2.deny && $2.audit) {
+ $3->deny = 1;
+ } else if ($2.deny) {
$3->deny = 1;
$3->audit = $3->allow;
} else if ($2.audit) {
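Review bot: the new `$2.deny && $2.audit` branch and the existing `$2.deny` branch both start with `$3->deny = 1;`, and the only difference is that the deny-only path also sets `$3->audit = $3->allow` (the quiet mask, as the old dfa-states output with quiet equal to the deny mask shows). Consider hoisting the shared assignment so the intent reads directly, e.g. `if ($2.deny) { $3->deny = 1; if (!$2.audit) $3->audit = $3->allow; }`, and add a one-line comment saying that leaving the audit/quiet field clear on an audit deny rule is what suppresses the accept state so the rule is denied and audited, since nothing in the code explains why the empty-looking branch is correct.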
@@ -673,7 +675,9 @@ rules: rules opt_prefix dbus_rule
{
if ($2.owner)
yyerror(_("owner prefix not allow on dbus rules"));
- if ($2.deny) {
+ if ($2.deny && $2.audit) {
+ $3->deny = 1;
+ } else if ($2.deny) {
$3->deny = 1;
$3->audit = $3->mode;
} else if ($2.audit) {
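Review bot: this hunk duplicates the mount-rule logic above with `$3->mode` in place of `$3->allow`; the same simplification (one `if ($2.deny)` block that sets `deny` and only sets the quiet mask when `!$2.audit`) applies here, and the explanatory comment should be mirrored. Since the commit message already captures the before and after `apparmor_parser -qQD dfa-states` output for `audit deny dbus,` and `audit deny mount,`, it would be worth turning those two cases into regression tests so a later change to either branch cannot silently reintroduce the quiet accept state.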
--
1.8.3.2