[apparmor] [PATCH 11/11] parser: Clean up exec mode parsing
John Johansen
john.johansen at canonical.com
Fri May 27 12:28:32 UTC 2016
On 05/25/2016 01:59 PM, Tyler Hicks wrote:
> The opt_unsafe token was being used to represent 'safe' and 'unsafe' so
> it is renamed to opt_exec_mode. Create helpfully named macros to compare
> opt_exec_mode's value against instead of hard-coded '0', '1', and '2'
> values.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/parser_yacc.y | 34 +++++++++++++++++++---------------
> 1 file changed, 19 insertions(+), 15 deletions(-)
>
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index bb40f09..b76634f 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -69,6 +69,10 @@
>
> #define CAP_TO_MASK(x) (1ull << (x))
>
> +#define EXEC_MODE_EMPTY 0
> +#define EXEC_MODE_UNSAFE 1
> +#define EXEC_MODE_SAFE 2
> +
> int parser_token = 0;
>
> struct cod_entry *do_file_rule(char *id, int mode, char *link_id, char *nt);
> @@ -275,7 +279,7 @@ void add_local_entry(Profile *prof);
> %type <unix_entry> unix_rule
> %type <id> opt_target
> %type <id> opt_named_transition
> -%type <boolean> opt_unsafe
> +%type <boolean> opt_exec_mode
> %type <boolean> opt_file
> %%
>
> @@ -1059,9 +1063,9 @@ opt_named_transition: { /* nothing */ $$ = NULL; }
> rule: file_rule { $$ = $1; }
> | link_rule { $$ = $1; }
>
> -opt_unsafe: { /* nothing */ $$ = 0; }
> - | TOK_UNSAFE { $$ = 1; };
> - | TOK_SAFE { $$ = 2; };
> +opt_exec_mode: { /* nothing */ $$ = EXEC_MODE_EMPTY; }
> + | TOK_UNSAFE { $$ = EXEC_MODE_UNSAFE; };
> + | TOK_SAFE { $$ = EXEC_MODE_SAFE; };
>
> opt_file: { /* nothing */ $$ = 0; }
> | TOK_FILE { $$ = 1; }
> @@ -1103,22 +1107,22 @@ file_rule: TOK_FILE TOK_END_OF_RULE
> | opt_file file_rule_tail { $$ = $2; }
>
>
> -file_rule_tail: opt_unsafe frule
> +file_rule_tail: opt_exec_mode frule
> {
> - if ($1) {
> + if ($1 != EXEC_MODE_EMPTY) {
> if (!($2->mode & AA_EXEC_BITS))
> yyerror(_("unsafe rule missing exec permissions"));
> - if ($1 == 1) {
> + if ($1 == EXEC_MODE_UNSAFE) {
> $2->mode |= (($2->mode & AA_EXEC_BITS) << 8) &
> ALL_AA_EXEC_UNSAFE;
> }
> - else if ($1 == 2)
> + else if ($1 == EXEC_MODE_SAFE)
> $2->mode &= ~ALL_AA_EXEC_UNSAFE;
> }
> $$ = $2;
> };
>
> -file_rule_tail: opt_unsafe id_or_var file_mode id_or_var
> +file_rule_tail: opt_exec_mode id_or_var file_mode id_or_var
> {
> /* Oopsie, we appear to be missing an EOL marker. If we
> * were *smart*, we could work around it. Since we're
> @@ -1474,7 +1478,7 @@ file_mode: TOK_MODE
> free($1);
> }
>
> -change_profile: TOK_CHANGE_PROFILE opt_unsafe opt_id opt_named_transition TOK_END_OF_RULE
> +change_profile: TOK_CHANGE_PROFILE opt_exec_mode opt_id opt_named_transition TOK_END_OF_RULE
> {
> struct cod_entry *entry;
> int mode = AA_CHANGE_PROFILE;
> @@ -1482,19 +1486,19 @@ change_profile: TOK_CHANGE_PROFILE opt_unsafe opt_id opt_named_transition TOK_EN
> char *exec = $3;
> char *target = $4;
>
> - if (exec_mode) {
> + if (exec_mode != EXEC_MODE_EMPTY) {
> if (!exec)
> yyerror(_("Exec condition is required when unsafe or safe keywords are present"));
>
> - if (exec_mode == 1) {
> + if (exec_mode == EXEC_MODE_UNSAFE) {
> mode |= (AA_EXEC_BITS | ALL_AA_EXEC_UNSAFE);
> - } else if (exec_mode == 2 &&
> + } else if (exec_mode == EXEC_MODE_SAFE &&
> !kernel_supports_stacking &&
> warnflags & WARN_RULE_DOWNGRADED) {
> pwarn("downgrading change_profile safe rule to unsafe due to lack of necessary kernel support\n");
> /**
> - * No need to do anything because the 'unsafe'
> - * variant is the only supported type of
> + * No need to do anything because 'unsafe' exec
> + * mode is the only supported mode of
> * change_profile rules in non-stacking kernels
> */
> }
>
More information about the AppArmor
mailing list