[apparmor] [patch 18/26] fix: the what names can treated as a condlistid

Seth Arnold seth.arnold at canonical.com
Fri Apr 18 23:56:06 UTC 2014 

On Tue, Apr 15, 2014 at 10:22:25AM -0700, john.johansen at canonical.com wrote:
> The match
>   {VARIABLE_NAME}/{WS}*={WS}*\(
> 
> is too broad causing mount and dbus rules to fail for sets of values eg.
> 
>   mount options=(ro bind)
> 
> Instead of doing a broad match, for now lets lock it down to just
> peer=(...) being the only cond that can cause entry into CONDLISTID
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> ---
>  parser/dbus.c        |   22 ++++++----------------
>  parser/parser.h      |    8 ++++++++
>  parser/parser_lex.l  |   18 ++++++++++--------
>  parser/parser_misc.c |   11 +++++++++++
>  parser/parser_yacc.y |   25 ++++++++++++++-----------
>  parser/signal.c      |    7 ++++---
>  parser/signal.h      |    2 +-
>  7 files changed, 54 insertions(+), 39 deletions(-)
> 
> --- 2.9-test.orig/parser/dbus.c
> +++ 2.9-test/parser/dbus.c
> @@ -38,16 +38,6 @@
>  	return parse_X_mode("DBus", AA_VALID_DBUS_PERMS, str_mode, mode, fail);
>  }
>  
> -static void move_conditional_value(char **dst_ptr, struct cond_entry *cond_ent)
> -{
> -	if (*dst_ptr)
> -		yyerror("dbus conditional \"%s\" can only be specified once\n",
> -			cond_ent->name);
> -
> -	*dst_ptr = cond_ent->vals->value;
> -	cond_ent->vals->value = NULL;
> -}
> -
>  void dbus_rule::move_conditionals(struct cond_entry *conds)
>  {
>  	struct cond_entry *cond_ent;
> @@ -61,17 +51,17 @@
>  				cond_ent->name);
>  
>  		if (strcmp(cond_ent->name, "bus") == 0) {
> -			move_conditional_value(&bus, cond_ent);
> +			move_conditional_value("dbus", &bus, cond_ent);
>  		} else if (strcmp(cond_ent->name, "name") == 0) {
> -			move_conditional_value(&name, cond_ent);
> +			move_conditional_value("dbus", &name, cond_ent);
>  		} else if (strcmp(cond_ent->name, "label") == 0) {
> -			move_conditional_value(&peer_label, cond_ent);
> +			move_conditional_value("dbus", &peer_label, cond_ent);
>  		} else if (strcmp(cond_ent->name, "path") == 0) {
> -			move_conditional_value(&path, cond_ent);
> +			move_conditional_value("dbus", &path, cond_ent);
>  		} else if (strcmp(cond_ent->name, "interface") == 0) {
> -			move_conditional_value(&interface, cond_ent);
> +			move_conditional_value("dbus", &interface, cond_ent);
>  		} else if (strcmp(cond_ent->name, "member") == 0) {
> -			move_conditional_value(&member, cond_ent);
> +			move_conditional_value("dbus", &member, cond_ent);
>  		} else {
>  			yyerror("invalid dbus conditional \"%s\"\n",
>  				cond_ent->name);
> --- 2.9-test.orig/parser/parser.h
> +++ 2.9-test/parser/parser.h
> @@ -78,6 +78,12 @@
>  	struct cond_entry *next;
>  };
>  
> +struct cond_entry_list {
> +	char *name;
> +
> +	struct cond_entry *list;
> +};
> +
>  struct cod_entry {
>  	char *ns;
>  	char *name;
> @@ -362,6 +368,8 @@
>  extern void free_value_list(struct value_list *list);
>  extern void print_value_list(struct value_list *list);
>  extern struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list);
> +extern void move_conditional_value(const char *rulename, char **dst_ptr,
> +				   struct cond_entry *cond_ent);
>  extern void free_cond_entry(struct cond_entry *ent);
>  extern void free_cond_list(struct cond_entry *ents);
>  extern void print_cond_entry(struct cond_entry *ent);
> --- 2.9-test.orig/parser/parser_lex.l
> +++ 2.9-test/parser/parser_lex.l
> @@ -295,19 +295,21 @@
>  }
>  
>  <INITIAL,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE>{
> +	{VARIABLE_NAME}/{WS}*={WS}*\(	{
> +		/* we match to the = in the lexer so that we can switch scanner
> +		 * state.  By the time the parser see the = it may be too late
> +		 * as bison may have requested the next token from the scanner
> +		 */
> +		yylval.id = processid(yytext, yyleng);
> +		PUSH_AND_RETURN(EXTCONDLIST_MODE, TOK_CONDLISTID);
> +	}
>  	{VARIABLE_NAME}/{WS}*=	{
>  		/* we match to the = in the lexer so that we can switch scanner
>  		 * state.  By the time the parser see the = it may be too late
>  		 * as bison may have requested the next token from the scanner
>  		 */
> -		int token = get_keyword_token(yytext);
> -
> -		if (token == TOK_PEER) {
> -			PUSH_AND_RETURN(EXTCONDLIST_MODE, TOK_CONDLISTID);
> -		} else {
> -			yylval.id = processid(yytext, yyleng);
> -			PUSH_AND_RETURN(EXTCOND_MODE, TOK_CONDID);
> -		}
> +		yylval.id = processid(yytext, yyleng);
> +		PUSH_AND_RETURN(EXTCOND_MODE, TOK_CONDID);
>  	}
>  	{VARIABLE_NAME}/{WS}+in{WS}*\(	{
>  		/* we match to 'in' in the lexer so that we can switch scanner
> --- 2.9-test.orig/parser/parser_misc.c
> +++ 2.9-test/parser/parser_misc.c
> @@ -1205,6 +1205,17 @@
>  	}
>  }
>  
> +void move_conditional_value(const char *rulename, char **dst_ptr,
> +			    struct cond_entry *cond_ent)
> +{
> +	if (*dst_ptr)
> +		yyerror("%s conditional \"%s\" can only be specified once\n",
> +			rulename, cond_ent->name);
> +
> +	*dst_ptr = cond_ent->vals->value;
> +	cond_ent->vals->value = NULL;
> +}
> +
>  struct cond_entry *new_cond_entry(char *name, int eq, struct value_list *list)
>  {
>  	struct cond_entry *ent = (struct cond_entry *) calloc(1, sizeof(struct cond_entry));
> --- 2.9-test.orig/parser/parser_yacc.y
> +++ 2.9-test/parser/parser_yacc.y
> @@ -166,6 +166,7 @@
>  %token TOK_FLAGS
>  
>  %code requires {
> +	#include "parser.h"
>  	#include "profile.h"
>  	#include "mount.h"
>  	#include "dbus.h"
> @@ -194,6 +195,7 @@
>  	char *var_val;
>  	struct value_list *val_list;
>  	struct cond_entry *cond_entry;
> +	struct cond_entry_list cond_entry_list;
>  	int boolean;
>  	struct named_transition transition;
>  	struct prefixes prefix;
> @@ -219,8 +221,8 @@
>  %type <mnt_entry> mnt_rule
>  %type <cond_entry> opt_conds
>  %type <cond_entry> cond
> -%type <cond_entry> cond_list
> -%type <cond_entry> opt_cond_list
> +%type <cond_entry_list> cond_list
> +%type <cond_entry_list> opt_cond_list
>  %type <flags>	flags
>  %type <flags>	flagvals
>  %type <flags>	flagval
> @@ -1145,10 +1147,11 @@
>  
>  cond_list: TOK_CONDLISTID TOK_EQUALS TOK_OPENPAREN opt_conds TOK_CLOSEPAREN
>  	{
> -		$$ = $4;
> +		$$.name = $1;
> +		$$.list = $4;
>  	}
>  
> -opt_cond_list: { /* nothing */ $$ = NULL; }
> +opt_cond_list: { /* nothing */ $$ = { NULL, NULL }; }
>  	| cond_list { $$ = $1; }
>  
>  mnt_rule: TOK_MOUNT opt_conds opt_id TOK_END_OF_RULE
> @@ -1232,7 +1235,12 @@
>  	{
>  		dbus_rule *ent;
>  
> -		ent = new dbus_rule($2, $3, $4);
> +		if ($4.name) {
> +			if (strcmp($4.name, "peer") != 0)
> +				yyerror(_("dbus rule: invalid conditional group %s=()"), $4.name);
> +			free($4.name);
> +		}
> +		ent = new dbus_rule($2, $3, $4.list);
>  		if (!ent) {
>  			yyerror(_("Memory allocation error."));
>  		}
> @@ -1273,12 +1281,7 @@
>  
>  signal_rule: TOK_SIGNAL opt_signal_perm opt_conds TOK_END_OF_RULE
>  	{
> -		signal_rule *ent = new signal_rule($2, $3, NULL);
> -		$$ = ent;
> -	}
> -	|  TOK_SIGNAL opt_signal_perm opt_conds TOK_ID TOK_END_OF_RULE
> -	{
> -		signal_rule *ent = new signal_rule($2, $3, $4);
> +		signal_rule *ent = new signal_rule($2, $3);
>  		$$ = ent;
>  	}
>  
> --- 2.9-test.orig/parser/signal.c
> +++ 2.9-test/parser/signal.c
> @@ -165,6 +165,8 @@
>  			yyerror("keyword \"in\" is not allowed in signal rules\n");
>  		if (strcmp(cond_ent->name, "set") == 0) {
>  			extract_sigs(&cond_ent->vals);
> +		} else if (strcmp(cond_ent->name, "peer") == 0) {
> +			move_conditional_value("signal", &peer_label, cond_ent);
>  		} else {
>  			yyerror("invalid signal rule conditional \"%s\"\n",
>  				cond_ent->name);
> @@ -172,9 +174,8 @@
>  	}
>  }
>  
> -signal_rule::signal_rule(int mode_p, struct cond_entry *conds,
> -			 char *peer):
> -	signals(), peer_label(peer), audit(0), deny(0)
> +signal_rule::signal_rule(int mode_p, struct cond_entry *conds):
> +	signals(), peer_label(NULL), audit(0), deny(0)
>  {
>  	if (mode_p) {
>  		mode = mode_p;
> --- 2.9-test.orig/parser/signal.h
> +++ 2.9-test/parser/signal.h
> @@ -43,7 +43,7 @@
>  	int audit;
>  	int deny;
>  
> -	signal_rule(int mode, struct cond_entry *conds, char *peer);
> +	signal_rule(int mode, struct cond_entry *conds);
>  	virtual ~signal_rule() {
>  		signals.clear();
>  		free(peer_label);
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140418/95f4691c/attachment.pgp>

More information about the AppArmor mailing list