[apparmor] [PATCH 14/20] Update change_profile rules to allow specifying the onexec condition

John Johansen john.johansen at canonical.com
Fri May 29 08:39:20 UTC 2015


Note: this patch currently overlays onexec with link_name to take
advantage of code already being used on link_name. Ideally, the
entry structure should be split into separate file, link and
change_profile entry classes.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser.h       |  5 ++++-
 parser/parser_lex.l   |  2 +-
 parser/parser_regex.c | 12 +++++++++---
 parser/parser_yacc.y  | 22 ++++++++++++++--------
 4 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/parser/parser.h b/parser/parser.h
index f4566b9..281a6f7 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -100,7 +100,10 @@ struct cond_entry_list {
 struct cod_entry {
 	char *ns;
 	char *name;
-	char *link_name;
+	union {
+		char *link_name;
+		char *onexec;
+	};
 	char *nt_name;
 	Profile *prof;		 	/* Special profile defined
 					 * just for this executable */
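Review bot: The new anonymous union around `link_name`/`onexec` carries no discriminator, so a reader of parser.h has to find the commit message to learn that `mode` decides which member is live, and any code elsewhere in the parser that reads or frees `link_name` now also sees a change_profile entry's exec condition (the patch note acknowledges this, the header does not). I would state the contract next to the union: `/* overlay: onexec is live when mode & AA_CHANGE_PROFILE, link_name otherwise; they share storage, so link_name handling also applies to onexec */`. The remainder of struct cod_entry continues outside the hunk.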
diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index 286d9a2..5af788a 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -443,7 +443,7 @@ LT_EQUAL	<=
 
 	({IDS}|{QUOTED_ID}) {
 		yylval.id = processid(yytext, yyleng);
-		POP_AND_RETURN(TOK_ID);
+		RETURN_TOKEN(TOK_ID);
 	}
 }
 
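Review bot: Switching this TOK_ID rule from POP_AND_RETURN to RETURN_TOKEN keeps the lexer in the current start condition after every identifier matched here, which affects everything lexed in that state rather than only change_profile, and the commit message does not say why; the start condition itself is declared before the hunk, so I cannot tell from here how wide the effect is. A one-line comment on the rule, `/* stay in this state: change_profile may take an exec condition before -> TARGET */`, would record the intent, assuming that is indeed the motivation.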
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 3d5f28e..8c6a26a 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -564,7 +564,7 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 	}
 	if (entry->mode & AA_CHANGE_PROFILE) {
 		const char *vec[3];
-		std::string lbuf;
+		std::string lbuf, xbuf;
 		int index = 1;
 
 		if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
@@ -575,8 +575,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 			warn_change_profile = 0;
 		}
 
-		/* allow change_profile for all execs */
-		vec[0] = "/[^\\x00]*";
+		if (entry->onexec) {
+			ptype = convert_aaregex_to_pcre(entry->onexec, 0, glob_default, xbuf, &pos);
+			if (ptype == ePatternInvalid)
+				return FALSE;
+			vec[0] = xbuf.c_str();
+		} else
+			/* allow change_profile for all execs */
+			vec[0] = "/[^\\x00]*";
 
 		if (entry->ns) {
 			int pos;
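Review bot: The exec condition is only checked for a leading '/' or '@{' in the grammar, so an onexec written as a variable reaches this code with whatever the variable expanded to, and nothing here confirms the expanded pattern is still an absolute path before it becomes vec[0]; if variable expansion has already run by the time process_dfa_entry is called (I cannot confirm that from this hunk), this is the place to close that gap with `if (entry->onexec[0] != '/') return FALSE;` ahead of the convert_aaregex_to_pcre call, ideally with an error message, since a bare `return FALSE` gives the user nothing to act on unless the caller reports it. Separately, a braced if followed by a brace-less else with a comment sitting between `else` and its statement is easy to misread; braces on both branches would be safer. process_dfa_entry, and the declarations of ptype and the outer pos, continue outside the hunk.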
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index df3ce15..4ae5bf3 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -1491,36 +1491,42 @@ file_mode: TOK_MODE
 		free($1);
 	}
 
-change_profile: TOK_CHANGE_PROFILE TOK_END_OF_RULE
+change_profile: TOK_CHANGE_PROFILE opt_id TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
 		char *rule = strdup("**");
 		if (!rule)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("Matched change_profile,\n");
-		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, NULL);
+		if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+			yyerror(_("Exec condition must begin with '/'."));
+		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, $2);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("change_profile,\n");
 		$$ = entry;
 	};
 
-change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_ID TOK_END_OF_RULE
+change_profile:	TOK_CHANGE_PROFILE opt_id TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
-		PDEBUG("Matched change_profile: tok_id (%s)\n", $3);
-		entry = new_entry(NULL, $3, AA_CHANGE_PROFILE, NULL);
+		PDEBUG("Matched change_profile: tok_id (%s)\n", $4);
+		if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+			yyerror(_("Exec condition must begin with '/'."));
+		entry = new_entry(NULL, $4, AA_CHANGE_PROFILE, $2);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("change_profile.entry: (%s)\n", entry->name);
 		$$ = entry;
 	};
 
-change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
+change_profile:	TOK_CHANGE_PROFILE opt_id TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
-		PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $4, $6);
-		entry = new_entry($4, $6, AA_CHANGE_PROFILE, NULL);
+		PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $5, $7);
+		if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
+			yyerror(_("Exec condition must begin with '/'."));
+		entry = new_entry($5, $7, AA_CHANGE_PROFILE, $2);
 		if (!entry)
 			yyerror(_("Memory allocation error."));
 		PDEBUG("change_profile.entry: (%s)\n", entry->name);
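Review bot: With opt_id in the first production, `change_profile /usr/bin/foo,` is now accepted where it was previously a syntax error, and it means "exec condition /usr/bin/foo, target **" (any profile, per the strdup("**") rule string) rather than "target /usr/bin/foo" — a rule whose author forgot the `->` is silently widened instead of rejected. I would at least document that on the production, `/* no "->": the id is an exec condition, and "**" below allows any target profile */`, and consider warning when an exec condition is given without a target. The absolute-path check is also pasted verbatim into all three productions; a small static helper in the prologue that takes the id and calls yyerror would keep them in sync, and the message could mention that a `@{var}` prefix is also accepted. The third production's action continues past the end of the hunk.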
-- 
2.1.4



