[apparmor] [PATCH 12/20] Add support for bare change_profile rule

John Johansen john.johansen at canonical.com
Fri May 29 08:39:18 UTC 2015


allow specifying the change_profile keyword

  change_profile,

as a bare rule, granting change_profile permission to any target profile (equivalent to `change_profile -> **,`)

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser_lex.l                                 |  2 +-
 parser/parser_yacc.y                                | 14 ++++++++++++++
 parser/tst/equality.sh                              |  4 ++++
 parser/tst/simple_tests/change_profile/bare_ok_1.sd |  7 +++++++
 4 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 parser/tst/simple_tests/change_profile/bare_ok_1.sd

diff --git a/parser/parser_lex.l b/parser/parser_lex.l
index 0456843..286d9a2 100644
--- a/parser/parser_lex.l
+++ b/parser/parser_lex.l
@@ -612,7 +612,7 @@ LT_EQUAL	<=
 	PUSH_AND_RETURN(state, token);
 }
 
-<INITIAL,NETWORK_MODE,RLIMIT_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
+<INITIAL,NETWORK_MODE,RLIMIT_MODE,CHANGE_PROFILE_MODE,MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE>{
 	{END_OF_RULE}	{
 		if (YY_START != INITIAL)
 			POP_NODUMP();
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 3ebaed4..ce57153 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -1481,6 +1481,20 @@ file_mode: TOK_MODE
 		free($1);
 	}
 
+change_profile: TOK_CHANGE_PROFILE TOK_END_OF_RULE
+	{
+		struct cod_entry *entry;
+		char *rule = strdup("**");
+		if (!rule)
+			yyerror(_("Memory allocation error."));
+		PDEBUG("Matched change_profile,\n");
+		entry = new_entry(NULL, rule, AA_CHANGE_PROFILE, NULL);
+		if (!entry)
+			yyerror(_("Memory allocation error."));
+		PDEBUG("change_profile,\n");
+		$$ = entry;
+	};
+
 change_profile:	TOK_CHANGE_PROFILE TOK_ARROW TOK_ID TOK_END_OF_RULE
 	{
 		struct cod_entry *entry;
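Review bot: The bare rule added at `change_profile: TOK_CHANGE_PROFILE TOK_END_OF_RULE` silently widens to a `**` target, a far broader grant than any explicit `change_profile -> name,` rule, and nothing in the grammar says so; I would put a comment above the rule, `/* bare "change_profile," is shorthand for "change_profile -> **," (any target; see tst/equality.sh) */`, so a later maintainer does not tighten or loosen the target by accident. The two PDEBUG calls trace the same event, so the second `PDEBUG("change_profile,\n");` can be dropped. The error path relies on yyerror() not returning after a failed strdup(); if it can return in this parser, `new_entry(NULL, rule, ...)` would run with a NULL rule, and `rule` leaks when new_entry() fails — presumably yyerror exits as in the neighbouring rules, but that is inferred, not visible in the hunk. The following `change_profile -> TOK_ID` rule continues outside the hunk.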
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
index 89a048e..700ac8b 100755
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -458,6 +458,10 @@ verify_binary_equality "Deny of ungranted perm" \
 		       "/t { /foo/[abc] r, }"
 
 
+verify_binary_equality "change_profile == change_profile -> **" \
+		       "/t { change_profile, }" \
+		       "/t { change_profile -> **, }"
+
 if [ $fails -ne 0 -o $errors -ne 0 ]
 then
 	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
diff --git a/parser/tst/simple_tests/change_profile/bare_ok_1.sd b/parser/tst/simple_tests/change_profile/bare_ok_1.sd
new file mode 100644
index 0000000..3ea58d2
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   change_profile,
+}
-- 
2.1.4



