~ubuntu-branches/ubuntu/trusty/apparmor/trusty-updates

« back to all changes in this revision

Viewing changes to .pc/change-signal-syntax.patch/parser/signal.c

Committer: Package Import Robot
Author(s): Jamie Strandboge
Date: 2014-04-04 01:07:24 UTC
Revision ID: package-import@ubuntu.com-20140404010724-n7pyk2cd5er3gi6m

Tags: 2.8.95~2430-0ubuntu5

debian/control: add versioned Breaks to apparmor for lxc, libvirt-bin,
lightdm and apparmor-easyprof-ubuntu

files added:
.pc/add-profile-name-variable.patch

.pc/add-profile-name-variable.patch/parser

.pc/add-profile-name-variable.patch/parser/parser.h

.pc/add-profile-name-variable.patch/parser/parser_symtab.c

.pc/add-profile-name-variable.patch/parser/parser_variable.c

.pc/add-profile-name-variable.patch/parser/profile.h

.pc/add-profile-name-variable.patch/parser/tst

.pc/add-profile-name-variable.patch/parser/tst/simple_tests

.pc/add-profile-name-variable.patch/parser/tst/simple_tests/vars

.pc/add-profile-name-variable.patch/parser/tst/simple_tests/vars/vars_auto_profile_name_01.sd

.pc/add-profile-name-variable.patch/parser/tst/simple_tests/vars/vars_auto_profile_name_02.sd

.pc/add-profile-name-variable.patch/parser/tst/simple_tests/vars/vars_auto_profile_name_03.sd

.pc/add-profile-name-variable.patch/parser/tst/simple_tests/vars/vars_auto_profile_name_04.sd

.pc/add-profile-name-variable.patch/parser/tst/simple_tests/vars/vars_auto_profile_name_05.sd

.pc/add-profile-name-variable.patch/parser/tst/simple_tests/vars/vars_auto_profile_name_06.sd

.pc/add-profile-name-variable.patch/parser/tst/simple_tests/vars/vars_auto_profile_name_07.sd

.pc/change-ptrace-syntax.patch

.pc/change-ptrace-syntax.patch/parser

.pc/change-ptrace-syntax.patch/parser/parser_yacc.y

.pc/change-ptrace-syntax.patch/parser/ptrace.c

.pc/change-ptrace-syntax.patch/parser/ptrace.h

.pc/change-signal-syntax.patch

.pc/change-signal-syntax.patch/parser

.pc/change-signal-syntax.patch/parser/dbus.c

.pc/change-signal-syntax.patch/parser/parser.h

.pc/change-signal-syntax.patch/parser/parser_lex.l

.pc/change-signal-syntax.patch/parser/parser_misc.c

.pc/change-signal-syntax.patch/parser/parser_yacc.y

.pc/change-signal-syntax.patch/parser/signal.c

.pc/change-signal-syntax.patch/parser/signal.h

.pc/dnsmasq-libvirtd-signal-ptrace.patch

.pc/dnsmasq-libvirtd-signal-ptrace.patch/profiles

.pc/dnsmasq-libvirtd-signal-ptrace.patch/profiles/apparmor.d

.pc/dnsmasq-libvirtd-signal-ptrace.patch/profiles/apparmor.d/usr.sbin.dnsmasq

.pc/fix-double-comma-in-preprocessor-output.patch

.pc/fix-double-comma-in-preprocessor-output.patch/parser

.pc/fix-double-comma-in-preprocessor-output.patch/parser/parser_lex.l

.pc/fix-garbage-in-preprocessor-output.patch

.pc/fix-garbage-in-preprocessor-output.patch/parser

.pc/fix-garbage-in-preprocessor-output.patch/parser/parser_lex.l

.pc/fix-names-treated-as-condlistid.patch

.pc/fix-names-treated-as-condlistid.patch/parser

.pc/fix-names-treated-as-condlistid.patch/parser/parser_lex.l

.pc/manpage-signal-ptrace.patch

.pc/manpage-signal-ptrace.patch/parser

.pc/manpage-signal-ptrace.patch/parser/apparmor.d.pod

.pc/mediate-ptrace.patch

.pc/mediate-ptrace.patch/parser

.pc/mediate-ptrace.patch/parser/Makefile

.pc/mediate-ptrace.patch/parser/parser.h

.pc/mediate-ptrace.patch/parser/parser_common.c

.pc/mediate-ptrace.patch/parser/parser_lex.l

.pc/mediate-ptrace.patch/parser/parser_main.c

.pc/mediate-ptrace.patch/parser/parser_misc.c

.pc/mediate-ptrace.patch/parser/parser_regex.c

.pc/mediate-ptrace.patch/parser/parser_yacc.y

.pc/mediate-ptrace.patch/parser/ptrace.c

.pc/mediate-ptrace.patch/parser/ptrace.h

.pc/mediate-signals.patch

.pc/mediate-signals.patch/parser

.pc/mediate-signals.patch/parser/Makefile

.pc/mediate-signals.patch/parser/parser.h

.pc/mediate-signals.patch/parser/parser_common.c

.pc/mediate-signals.patch/parser/parser_lex.l

.pc/mediate-signals.patch/parser/parser_main.c

.pc/mediate-signals.patch/parser/parser_misc.c

.pc/mediate-signals.patch/parser/parser_regex.c

.pc/mediate-signals.patch/parser/parser_yacc.y

.pc/mediate-signals.patch/parser/policydb.h

.pc/mediate-signals.patch/parser/signal.c

.pc/mediate-signals.patch/parser/signal.h

.pc/python-utils-file-support.patch

.pc/python-utils-file-support.patch/utils

.pc/python-utils-file-support.patch/utils/apparmor

.pc/python-utils-file-support.patch/utils/apparmor/aa.py

.pc/python-utils-file-support.patch/utils/test

.pc/python-utils-file-support.patch/utils/test/test-regex_matches.py

.pc/python-utils-pivot_root-support.patch

.pc/python-utils-pivot_root-support.patch/utils

.pc/python-utils-pivot_root-support.patch/utils/apparmor

.pc/python-utils-pivot_root-support.patch/utils/apparmor/aa.py

.pc/python-utils-pivot_root-support.patch/utils/apparmor/rules.py

.pc/python-utils-pivot_root-support.patch/utils/test

.pc/python-utils-pivot_root-support.patch/utils/test/test-pivot_root_parse.py

.pc/python-utils-pivot_root-support.patch/utils/test/test-regex_matches.py

.pc/python-utils-ptrace-support.patch

.pc/python-utils-ptrace-support.patch/utils

.pc/python-utils-ptrace-support.patch/utils/apparmor

.pc/python-utils-ptrace-support.patch/utils/apparmor/aa.py

.pc/python-utils-ptrace-support.patch/utils/apparmor/rules.py

.pc/python-utils-ptrace-support.patch/utils/test

.pc/python-utils-ptrace-support.patch/utils/test/test-ptrace_parse.py

.pc/python-utils-ptrace-support.patch/utils/test/test-regex_matches.py

.pc/python-utils-signal-support.patch

.pc/python-utils-signal-support.patch/utils

.pc/python-utils-signal-support.patch/utils/apparmor

.pc/python-utils-signal-support.patch/utils/apparmor/aa.py

.pc/python-utils-signal-support.patch/utils/apparmor/rules.py

.pc/python-utils-signal-support.patch/utils/test

.pc/python-utils-signal-support.patch/utils/test/test-regex_matches.py

.pc/python-utils-signal-support.patch/utils/test/test-signal_parse.py

.pc/symtab-tests-and-seenlist-bug.patch

.pc/symtab-tests-and-seenlist-bug.patch/parser

.pc/symtab-tests-and-seenlist-bug.patch/parser/parser_symtab.c

.pc/test-ptrace-rules.patch

.pc/test-ptrace-rules.patch/tests

.pc/test-ptrace-rules.patch/tests/regression

.pc/test-ptrace-rules.patch/tests/regression/apparmor

.pc/test-ptrace-rules.patch/tests/regression/apparmor/capabilities.sh

.pc/test-ptrace-rules.patch/tests/regression/apparmor/mkprofile.pl

.pc/test-ptrace-rules.patch/tests/regression/apparmor/ptrace.sh

.pc/test-ptrace-rules.patch/tests/regression/apparmor/ptrace_v5.inc

.pc/test-ptrace-rules.patch/tests/regression/apparmor/ptrace_v6.inc

.pc/test-signal-rules.patch

.pc/test-signal-rules.patch/tests

.pc/test-signal-rules.patch/tests/regression

.pc/test-signal-rules.patch/tests/regression/apparmor

.pc/test-signal-rules.patch/tests/regression/apparmor/exec.sh

.pc/test-signal-rules.patch/tests/regression/apparmor/mkprofile.pl

.pc/test-signal-rules.patch/tests/regression/apparmor/regex.sh

.pc/update-base-abstraction-for-signals-and-ptrace.patch

.pc/update-base-abstraction-for-signals-and-ptrace.patch/profiles

.pc/update-base-abstraction-for-signals-and-ptrace.patch/profiles/apparmor.d

.pc/update-base-abstraction-for-signals-and-ptrace.patch/profiles/apparmor.d/abstractions

.pc/update-base-abstraction-for-signals-and-ptrace.patch/profiles/apparmor.d/abstractions/base

.pc/update-chromium-browser.patch

.pc/update-chromium-browser.patch/profiles

.pc/update-chromium-browser.patch/profiles/apparmor.d

.pc/update-chromium-browser.patch/profiles/apparmor.d/usr.bin.chromium-browser

.pc/update-tests-for-new-semantics.patch

.pc/update-tests-for-new-semantics.patch/tests

.pc/update-tests-for-new-semantics.patch/tests/regression

.pc/update-tests-for-new-semantics.patch/tests/regression/apparmor

.pc/update-tests-for-new-semantics.patch/tests/regression/apparmor/dbus.inc

.pc/update-tests-for-new-semantics.patch/tests/regression/apparmor/exec_qual.sh

.pc/update-tests-for-new-semantics.patch/tests/regression/apparmor/mmap.sh

.pc/update-tests-for-new-semantics.patch/tests/regression/apparmor/ptrace_v6.inc

.pc/update-tests-for-new-semantics.patch/tests/regression/apparmor/pwrite.sh

.pc/update-tests-for-new-semantics.patch/tests/regression/apparmor/rw.sh

debian/patches/add-profile-name-variable.patch

debian/patches/change-ptrace-syntax.patch

debian/patches/change-signal-syntax.patch

debian/patches/dnsmasq-libvirtd-signal-ptrace.patch

debian/patches/fix-double-comma-in-preprocessor-output.patch

debian/patches/fix-garbage-in-preprocessor-output.patch

debian/patches/fix-names-treated-as-condlistid.patch

debian/patches/manpage-signal-ptrace.patch

debian/patches/mediate-ptrace.patch

debian/patches/mediate-signals.patch

debian/patches/python-utils-file-support.patch

debian/patches/python-utils-pivot_root-support.patch

debian/patches/python-utils-ptrace-support.patch

debian/patches/python-utils-signal-support.patch

debian/patches/symtab-tests-and-seenlist-bug.patch

debian/patches/test-ptrace-rules.patch

debian/patches/test-signal-rules.patch

debian/patches/update-base-abstraction-for-signals-and-ptrace.patch

debian/patches/update-chromium-browser.patch

debian/patches/update-tests-for-new-semantics.patch

parser/ptrace.c

parser/ptrace.h

parser/signal.c

parser/signal.h

parser/tst/simple_tests/vars/vars_auto_profile_name_01.sd

parser/tst/simple_tests/vars/vars_auto_profile_name_02.sd

parser/tst/simple_tests/vars/vars_auto_profile_name_03.sd

parser/tst/simple_tests/vars/vars_auto_profile_name_04.sd

parser/tst/simple_tests/vars/vars_auto_profile_name_05.sd

parser/tst/simple_tests/vars/vars_auto_profile_name_06.sd

parser/tst/simple_tests/vars/vars_auto_profile_name_07.sd

tests/regression/apparmor/ptrace_v5.inc

tests/regression/apparmor/ptrace_v6.inc

utils/test/test-pivot_root_parse.py

utils/test/test-ptrace_parse.py

utils/test/test-signal_parse.py

files modified:
.pc/applied-patches

debian/changelog

debian/control

debian/patches/series

parser/Makefile

parser/apparmor.d.pod

parser/dbus.c

parser/parser.h

parser/parser_common.c

parser/parser_lex.l

parser/parser_main.c

parser/parser_misc.c

parser/parser_regex.c

parser/parser_symtab.c

parser/parser_variable.c

parser/parser_yacc.y

parser/policydb.h

parser/profile.h

profiles/apparmor.d/abstractions/base

profiles/apparmor.d/usr.bin.chromium-browser

profiles/apparmor.d/usr.sbin.dnsmasq

tests/regression/apparmor/capabilities.sh

tests/regression/apparmor/dbus.inc

tests/regression/apparmor/exec.sh

tests/regression/apparmor/exec_qual.sh

tests/regression/apparmor/mkprofile.pl

tests/regression/apparmor/mmap.sh

tests/regression/apparmor/ptrace.sh

tests/regression/apparmor/pwrite.sh

tests/regression/apparmor/regex.sh

tests/regression/apparmor/rw.sh

utils/apparmor/aa.py

utils/apparmor/rules.py

utils/test/test-regex_matches.py

Show diffs side-by-side

added added

removed removed

.pc/change-signal-syntax.patch/parser/signal.c

* This program is free software; you can redistribute it and/or

* modify it under the terms of version 2 of the GNU General Public

* License published by the Free Software Foundation.

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program; if not, contact Novell, Inc. or Canonical

* Ltd.

#include <stdlib.h>

#include <string.h>

#include <sys/apparmor.h>

#include <iomanip>

#include <string>

#include <iostream>

#include <sstream>

#include <map>

#include "parser.h"

#include "profile.h"

#include "parser_yacc.h"

#include "signal.h"

#define MAXMAPPED_SIG 35

#define MINRT_SIG 128 /* base of RT sigs */

#define MAXRT_SIG 32 /* Max RT above MINRT_SIG */

/* Signal names mapped to and internal ordering */

static struct signal_map { const char *name; int num; } signal_map[] = {

{"hup", 1},

{"int", 2},

{"quit", 3},

{"ill", 4},

{"trap", 5},

{"abrt", 6},

{"bus", 7},

{"fpe", 8},

{"kill", 9},

{"usr1", 10},

{"segv", 11},

{"usr2", 12},

{"pipe", 13},

{"alrm", 14},

{"term", 15},

{"stkflt", 16},

{"chld", 17},

{"cont", 18},

{"stop", 19},

{"stp", 20},

{"ttin", 21},

{"ttou", 22},

{"urg", 23},

{"xcpu", 24},

{"xfsz", 25},

{"vtalrm", 26},

{"prof", 27},

{"winch", 28},

{"io", 29},

{"pwr", 30},

{"sys", 31},

{"emt", 32},

{"exists", 35},

/* terminate */

{NULL, 0}

};

/* this table is ordered post sig_map[sig] mapping */

static const char *const sig_names[MAXMAPPED_SIG + 1] = {

"unknown",

"hup",

"int",

"quit",

"ill",

"trap",

"abrt",

"bus",

"fpe",

"kill",

"usr1",

"segv",

"usr2",

"pipe",

"alrm",

"term",

"stkflt",

"chld",

"cont",

"stop",

100

"stp",

101

"ttin",

102

"ttou",

103

"urg",

104

"xcpu",

105

"xfsz",

106

"vtalrm",

107

"prof",

108

"winch",

109

"io",

110

"pwr",

111

"sys",

112

"emt",

113

"lost",

114

"unused",

115

116

"exists", /* always last existance test mapped to MAXMAPPED_SIG */

117

};

118

119

120

int parse_signal_mode(const char *str_mode, int *mode, int fail)

121

{

122

return parse_X_mode("signal", AA_VALID_SIGNAL_PERMS, str_mode, mode, fail);

123

}

124

125

static int find_signal_mapping(const char *sig)

126

{

127

if (strncmp("rtmin+", sig, 6) == 0) {

128

char *end;

129

unsigned long n = strtoul(sig + 6, &end, 10);

130

if (end == sig || n > MAXRT_SIG)

131

return -1;

132

return MINRT_SIG + n;

133

} else {

134

for (int i = 0; signal_map[i].name; i++) {

135

if (strcmp(sig, signal_map[i].name) == 0)

136

return signal_map[i].num;

137

}

138

}

139

return -1;

140

}

141

142

void signal_rule::extract_sigs(struct value_list **list)

143

{

144

struct value_list *entry, *tmp, *prev = NULL;

145

list_for_each_safe(*list, entry, tmp) {

146

int i = find_signal_mapping(entry->value);

147

if (i != -1) {

148

signals.insert(i);

149

list_remove_at(*list, prev, entry);

150

free_value_list(entry);

151

} else {

152

yyerror("unknown signal \"%s\"\n", entry->value);

153

prev = entry;

154

}

155

}

156

}

157

158

void signal_rule::move_conditionals(struct cond_entry *conds)

159

{

160

struct cond_entry *cond_ent;

161

162

list_for_each(conds, cond_ent) {

163

/* for now disallow keyword 'in' (list) */

164

if (!cond_ent->eq)

165

yyerror("keyword \"in\" is not allowed in signal rules\n");

166

if (strcmp(cond_ent->name, "set") == 0) {

167

extract_sigs(&cond_ent->vals);

168

} else {

169

yyerror("invalid signal rule conditional \"%s\"\n",

170

cond_ent->name);

171

}

172

}

173

}

174

175

signal_rule::signal_rule(int mode_p, struct cond_entry *conds,

176

char *peer):

177

signals(), peer_label(peer), audit(0), deny(0)

178

{

179

if (mode_p) {

180

mode = mode_p;

181

if (mode & ~AA_VALID_SIGNAL_PERMS)

182

yyerror("mode contains invalid permission for signals\n");

183

} else {

184

mode = AA_VALID_SIGNAL_PERMS;

185

}

186

187

move_conditionals(conds);

188

189

free_cond_list(conds);

190

}

191

192

ostream &signal_rule::dump(ostream &os)

193

{

194

if (audit)

195

os << "audit ";

196

if (deny)

197

os << "deny ";

198

199

os << "signal";

200

201

if (mode != AA_VALID_SIGNAL_PERMS) {

202

os << " (";

203

204

if (mode & AA_MAY_SEND)

205

os << "send ";

206

if (mode & AA_MAY_RECEIVE)

207

os << "receive ";

208

os << ")";

209

}

210

211

if (!signals.empty()) {

212

os << " set=(";

213

for (Signals::iterator i = signals.begin(); i != signals.end();

214

i++) {

215

if (i != signals.begin())

216

os << ", ";

217

if (*i < MINRT_SIG)

218

os << sig_names[*i];

219

else

220

os << "rtmin+" << (*i - MINRT_SIG);

221

}

222

os << ")";

223

}

224

225

if (peer_label)

226

os << " " << peer_label;

227

228

os << ",\n";

229

230

return os;

231

}

232

233

int signal_rule::expand_variables(void)

234

{

235

return expand_entry_variables(&peer_label);

236

}

237

238

/* do we want to warn once/profile or just once per compile?? */

239

static void warn_once(const char *name)

240

{

241

static const char *warned_name = NULL;

242

243

if (warned_name != name) {

244

cerr << "Warning from profile " << name << " (";

245

if (current_filename)

246

cerr << current_filename;

247

else

248

cerr << "stdin";

249

cerr << ") signal rules not enforced\n";

250

warned_name = name;

251

}

252

}

253

254

int signal_rule::gen_policy_re(Profile &prof)

255

{

256

std::ostringstream buffer;

257

std::string buf;

258

259

pattern_t ptype;

260

int pos;

261

262

/* Currently do not generate the rules if the kernel doesn't support

263

* it. We may want to switch this so that a compile could be

264

* used for full support on kernels that don't support the feature

265

266

if (!kernel_supports_signal) {

267

warn_once(prof.name);

268

return RULE_NOT_SUPPORTED;

269

}

270

271

if (signals.size() == 0) {

272

/* not conditional on signal set, so will generate a label

273

* rule as well

274

275

buffer << "(" << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_LABEL << "\\x" << AA_CLASS_SIGNAL << "|";

276

}

277

278

buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_SIGNAL;

279

280

if (signals.size()) {

281

buffer << "[";

282

for (Signals::iterator i = signals.begin(); i != signals.end(); i++) {

283

buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << *i;

284

}

285

buffer << "]";

286

} else {

287

/* match any char */

288

buffer << ".";

289

}

290

291

if (signals.size() == 0) {

292

/* close alternation */

293

buffer << ")";

294

}

295

if (peer_label) {

296

ptype = convert_aaregex_to_pcre(peer_label, 0, buf, &pos);

297

if (ptype == ePatternInvalid)

298

goto fail;

299

buffer << buf;

300

} else {

301

buffer << anyone_match_pattern;

302

}

303

304

buf = buffer.str();

305

if (mode & (AA_MAY_SEND | AA_MAY_RECEIVE)) {

306

if (!prof.policy.rules->add_rule(buf.c_str(), deny, mode, audit,

307

dfaflags))

308

goto fail;

309

}

310

311

return RULE_OK;

312

313

fail:

314

return RULE_ERROR;

315

}

Older »