* Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
* NOVELL (All rights reserved)
* Copyright (c) 2010 - 2012
* Canonical Ltd. (All rights reserved)
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc. or Canonical
#include <netinet/in.h>
#include <sys/resource.h>
#include "libapparmor_re/apparmor_re.h"
#include "libapparmor_re/aare_rules.h"
/* Global variable to pass token to lexer. Will be replaced by parameter
* when lexer and parser are made reentrant
extern int parser_token;
typedef enum pattern_t pattern_t;
struct named_transition {
char *regex; // posix regex
struct value_list *next;
struct value_list *vals;
struct cond_entry *next;
struct codomain *codomain; /* Special codomain defined
* just for this executable */
int mode; /* mode is 'or' of AA_* bits */
int audit; /* audit flags for mode */
int deny; /* TRUE or FALSE */
int alias_ignore; /* ignore for alias processing */
pattern_t pattern_type;
struct cod_pattern pat;
struct cod_entry *next;
/* supported AF protocols */
struct aa_network_entry {
unsigned int protocol;
struct aa_network_entry *next;
unsigned int specified; /* limits that are set */
rlim_t limits[RLIMIT_NLIMITS];
struct alt_name *next;
char *name; /* codomain name */
struct alt_name *altnames;
/* char *sub_name; */ /* subdomain name or NULL */
/* int default_deny; */ /* TRUE or FALSE */
int local_mode; /* true if local, not hat */
struct codomain *parent;
struct flagval flags;
uint64_t capabilities;
unsigned int *network_allowed; /* array of type masks
* indexed by AF_FAMILY */
unsigned int *audit_network;
unsigned int *deny_network;
unsigned int *quiet_network;
struct aa_rlimits rlimits;
char *exec_table[AA_EXEC_COUNT];
struct cod_entry *entries;
struct mnt_entry *mnt_ents;
//struct codomain *next;
aare_ruleset_t *dfarules;
aare_ruleset_t *policy_rules;
int policy_rule_count;
size_t policy_dfa_size;
unsigned int hat_magic;
/* describe an ip address */
unsigned short port[2];
struct ipv4_endpoints {
struct ipv4_desc * src;
struct ipv4_desc * dest;
#define COD_READ_CHAR 'r'
#define COD_WRITE_CHAR 'w'
#define COD_APPEND_CHAR 'a'
#define COD_EXEC_CHAR 'x'
#define COD_LINK_CHAR 'l'
#define COD_LOCK_CHAR 'k'
#define COD_MMAP_CHAR 'm'
#define COD_INHERIT_CHAR 'i'
#define COD_UNCONFINED_CHAR 'U'
#define COD_UNSAFE_UNCONFINED_CHAR 'u'
#define COD_PROFILE_CHAR 'P'
#define COD_UNSAFE_PROFILE_CHAR 'p'
#define COD_LOCAL_CHAR 'C'
#define COD_UNSAFE_LOCAL_CHAR 'c'
#define OPTION_REMOVE 2
#define OPTION_REPLACE 3
#define OPTION_STDOUT 4
#define OPTION_OFILE 5
#define FLAG_CHANGEHAT_1_4 2
#define FLAG_CHANGEHAT_1_5 3
extern int preprocess_only;
#define PATH_CHROOT_REL 0x1
#define PATH_NS_REL 0x2
#define PATH_CHROOT_NSATTACH 0x4
#define PATH_CHROOT_NO_ATTACH 0x8
#define PATH_MEDIATE_DELETED 0x10
#define PATH_DELEGATE_DELETED 0x20
#define PATH_ATTACH 0x40
#define PATH_NO_ATTACH 0x80
#define PDEBUG(fmt, args...) printf("parser: " fmt, ## args)
#define PDEBUG(fmt, args...) /* Do nothing */
#define NPDEBUG(fmt, args...) /* Do nothing */
#define PERROR(fmt, args...) fprintf(stderr, fmt, ## args)
#define MAX_PORT 65535
#define __unused __attribute__ ((unused))
/* Walk a singly linked list from LIST to its end, binding each node to
 * ENTRY in turn. The list is threaded through a ->next field and the
 * loop ends at the first NULL link. The body must not unlink or free
 * ENTRY, because the increment reads ENTRY->next afterwards; use
 * list_for_each_safe for that. */
#define list_for_each(LIST, ENTRY) \
	for ((ENTRY) = (LIST); (ENTRY) != NULL; (ENTRY) = (ENTRY)->next)
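/* Like list_for_each, but the body may unlink or free ENTRY: TMP is
 * loaded with the successor before the body runs, and the increment
 * only reads TMP. LIST is evaluated exactly once (the previous form
 * read it up to three times, which is wrong for an argument with side
 * effects such as a function call). ENTRY and TMP must be assignable
 * pointer lvalues of the node type. */
#define list_for_each_safe(LIST, ENTRY, TMP) \
	for ((ENTRY) = (LIST), (TMP) = (ENTRY) ? (ENTRY)->next : NULL; (ENTRY); (ENTRY) = (TMP), (TMP) = (TMP) ? (TMP)->next : NULL)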
/* Advance ENTRY from LIST to the final node, i.e. the one whose ->next
 * is NULL. For an empty LIST, ENTRY is left NULL, so callers must test
 * it before dereferencing. Note that list_append below writes
 * ___tmp->next straight after this macro; the wrapper lines around it
 * are not all shown here, so confirm they guard the empty-list case. */
#define list_last_entry(LIST, ENTRY) \
	for ((ENTRY) = (LIST); (ENTRY) != NULL && (ENTRY)->next != NULL; (ENTRY) = (ENTRY)->next)
#define list_append(LISTA, LISTB) \
typeof(LISTA) ___tmp; \
list_last_entry((LISTA), ___tmp);\
___tmp->next = (LISTB); \
/* from parser_common.c */
extern int regex_type;
extern int perms_create;
extern int net_af_max_override;
extern int kernel_load;
extern int kernel_supports_network;
extern int kernel_supports_mount;
extern int flag_changehat_version;
extern int conf_verbose;
extern int conf_quiet;
extern int names_only;
extern int current_lineno;
extern dfaflags_t dfaflags;
extern char *progname;
extern char *subdomainbase;
extern char *profilename;
extern char *profile_namespace;
extern char *current_filename;
extern int read_implies_exec;
extern void pwarn(char *fmt, ...) __attribute__((__format__(__printf__, 1, 2)));
/* from parser_main (cannot be used in tst builds) */
extern int force_complain;
extern struct timespec mru_tstamp;
extern void update_mru_tstamp(FILE *file);
/* provided by parser_lex.l (cannot be used in tst builds) */
extern void yyrestart(FILE *fp);
extern int yyparse(void);
extern void yyerror(const char *msg, ...);
extern int yylex(void);
/* parser_include.c */
extern char *basedir;
extern int process_regex(struct codomain *cod);
extern int post_process_entry(struct cod_entry *entry);
extern void reset_regex(void);
extern int process_policydb(struct codomain *cod);
extern int process_policy_ents(struct codomain *cod);
/* parser_variable.c */
extern int process_variables(struct codomain *cod);
extern struct var_string *split_out_var(char *string);
extern void free_var_string(struct var_string *var);
extern struct value_list *new_value_list(char *value);
extern struct value_list *dup_value_list(struct value_list *list);
extern void free_value_list(struct value_list *list);
extern void print_value_list(struct value_list *list);
extern struct cond_entry *new_cond_entry(char *name, struct value_list *list);
extern void free_cond_entry(struct cond_entry *ent);
extern void print_cond_entry(struct cond_entry *ent);
extern char *processid(char *string, int len);
extern char *processquoted(char *string, int len);
extern char *processunquoted(char *string, int len);
extern int get_keyword_token(const char *keyword);
extern int name_to_capability(const char *keyword);
extern int get_rlimit(const char *name);
extern char *process_var(const char *var);
extern int parse_mode(const char *mode);
extern struct cod_entry *new_entry(char *namespace, char *id, int mode,
extern struct aa_network_entry *new_network_ent(unsigned int family,
unsigned int protocol);
extern struct aa_network_entry *network_entry(const char *family,
const char *protocol);
extern size_t get_af_max(void);
extern void debug_cod_list(struct codomain *list);
/* returns -1 when str is neither "true" nor "false"; otherwise 0 for false, 1 for true */
extern int str_to_boolean(const char* str);
extern struct cod_entry *copy_cod_entry(struct cod_entry *cod);
extern void free_cod_entries(struct cod_entry *list);
extern void free_mnt_entries(struct mnt_entry *list);
/* parser_symtab.c */
struct set_value *next;
extern int add_boolean_var(const char *var, int boolean);
extern int get_boolean_var(const char *var);
extern int new_set_var(const char *var, const char *value);
extern int add_set_value(const char *var, const char *value);
extern struct set_value *get_set_var(const char *var);
extern char *get_next_set_value(struct set_value **context);
extern void dump_symtab(void);
extern void dump_expanded_symtab(void);
void free_symtabs(void);
extern int new_alias(const char *from, const char *to);
extern void replace_aliases(struct codomain *cod);
extern void free_aliases(void);
extern int codomain_merge_rules(struct codomain *cod);
/* parser_interface.c */
typedef struct __sdserialize sd_serialize;
extern int load_codomain(int option, struct codomain *cod);
extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod,
extern int sd_load_buffer(int option, char *buffer, int size);
/* parser_policy.c */
extern void add_to_list(struct codomain *codomain);
extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
extern void post_process_nt_entries(struct codomain *cod);
extern void post_process_mnt_entries(struct codomain *cod);
extern int post_process_policy(int debug_only);
extern int process_hat_regex(struct codomain *cod);
extern int process_hat_variables(struct codomain *cod);
extern int process_hat_policydb(struct codomain *cod);
extern int post_merge_rules(void);
extern int merge_hat_rules(struct codomain *cod);
extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
extern int load_policy(int option);
extern int load_hats(sd_serialize *p, struct codomain *cod);
extern int load_flattened_hats(struct codomain *cod);
extern void free_policy(struct codomain *cod);
extern void dump_policy(void);
extern void dump_policy_hats(struct codomain *cod);
extern void dump_policy_names(void);
extern int die_if_any_regex(void);
void free_policies(void);
/* For the unit-test builds, we must include function stubs for stuff that
* only exists in the excluded object files; everything else should live
* in parser_common.c.
void yyerror(const char *msg, ...)
vsnprintf(buf, sizeof(buf), msg, arg);
PERROR(_("AppArmor parser error: %s\n"), buf);
#define MY_TEST(statement, error) \
if (!(statement)) { \
PERROR("FAIL: %s\n", error); \
#endif /** __AA_PARSER_H */