1
/* $Id: parser.h 412 2007-02-27 02:29:16Z jrjohansen $ */
4
* Copyright (c) 1999, 2001, 2002, 2004, 2005 NOVELL (All rights reserved)
2
* Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
3
* NOVELL (All rights reserved)
6
* Canonical, Ltd. (All rights reserved)
6
8
* This program is free software; you can redistribute it and/or
7
9
* modify it under the terms of version 2 of the GNU General Public
13
15
* GNU General Public License for more details.
15
17
* You should have received a copy of the GNU General Public License
16
* along with this program; if not, contact Novell, Inc.
18
* along with this program; if not, contact Novell, Inc. or Canonical
19
22
#include <netinet/in.h>
20
#include "pcre/internal.h"
23
#include <sys/resource.h>
21
24
#include "immunix.h"
22
25
#include "libapparmor_re/apparmor_re.h"
24
27
typedef enum pattern_t pattern_t;
36
struct named_transition {
32
42
struct cod_pattern {
33
43
char *regex; // posix regex
34
pcre *compiled; // compiled regex, size is compiled->size
39
struct codomain *codomain ; /* Special codomain defined
51
struct codomain *codomain; /* Special codomain defined
40
52
* just for this executable */
41
int mode ; /* mode is 'or' of AA_* bits */
42
int deny ; /* TRUE or FALSE */
53
int mode; /* mode is 'or' of AA_* bits */
54
int audit; /* audit flags for mode */
55
int deny; /* TRUE or FALSE */
57
int alias_ignore; /* ignore for alias processing */
44
61
pattern_t pattern_type;
45
62
struct cod_pattern pat;
47
64
struct cod_entry *next;
50
struct cod_net_entry {
51
struct in_addr *saddr, *smask;
52
struct in_addr *daddr, *dmask;
53
unsigned short src_port[2], dst_port[2];
56
struct cod_net_entry *next;
67
/* supported AF protocols */
68
struct aa_network_entry {
71
unsigned int protocol;
73
struct aa_network_entry *next;
77
unsigned int specified; /* limits that are set */
78
rlim_t limits[RLIMIT_NLIMITS];
83
struct alt_name *next;
60
88
char *name; /* codomain name */
61
char *sub_name; /* subdomain name or NULL */
62
int default_deny; /* TRUE or FALSE */
90
struct alt_name *altnames;
95
/* char *sub_name; */ /* subdomain name or NULL */
96
/* int default_deny; */ /* TRUE or FALSE */
98
int local_mode; /* true if local, not hat */
101
struct codomain *parent;
64
103
struct flagval flags;
66
unsigned int capabilities;
105
uint64_t capabilities;
111
unsigned int *network_allowed; /* array of type masks
112
* indexed by AF_FAMILY */
113
unsigned int *audit_network;
114
unsigned int *deny_network;
115
unsigned int *quiet_network;
117
struct aa_rlimits rlimits;
119
char *exec_table[AA_EXEC_COUNT];
68
120
struct cod_entry *entries;
69
struct cod_net_entry * net_entries;
71
122
//struct codomain *next;
109
153
#define COD_READ_CHAR 'r'
110
154
#define COD_WRITE_CHAR 'w'
155
#define COD_APPEND_CHAR 'a'
111
156
#define COD_EXEC_CHAR 'x'
157
#define COD_LINK_CHAR 'l'
158
#define COD_LOCK_CHAR 'k'
159
#define COD_MMAP_CHAR 'm'
112
160
#define COD_INHERIT_CHAR 'i'
113
#define COD_LINK_CHAR 'l'
114
#define COD_UNCONSTRAINED_CHAR 'U'
115
#define COD_UNSAFE_UNCONSTRAINED_CHAR 'u'
161
#define COD_UNCONFINED_CHAR 'U'
162
#define COD_UNSAFE_UNCONFINED_CHAR 'u'
116
163
#define COD_PROFILE_CHAR 'P'
117
164
#define COD_UNSAFE_PROFILE_CHAR 'p'
118
#define COD_MMAP_CHAR 'm'
165
#define COD_LOCAL_CHAR 'C'
166
#define COD_UNSAFE_LOCAL_CHAR 'c'
120
168
#define OPTION_ADD 1
121
169
#define OPTION_REMOVE 2
122
170
#define OPTION_REPLACE 3
123
171
#define OPTION_STDOUT 4
172
#define OPTION_OFILE 5
125
174
#define AARE_NONE 0
127
175
#define AARE_DFA 2
179
#define FLAG_CHANGEHAT_1_4 2
180
#define FLAG_CHANGEHAT_1_5 3
181
extern int kernel_supports_network;
182
extern int net_af_max_override;
183
extern int flag_changehat_version;
184
extern int read_implies_exec;
185
extern dfaflags_t dfaflags;
186
extern int preprocess_only;
189
#define PATH_CHROOT_REL 0x1
190
#define PATH_NS_REL 0x2
191
#define PATH_CHROOT_NSATTACH 0x4
192
#define PATH_CHROOT_NO_ATTACH 0x8
193
#define PATH_MEDIATE_DELETED 0x10
194
#define PATH_DELEGATE_DELETED 0x20
195
#define PATH_ATTACH 0x40
196
#define PATH_NO_ATTACH 0x80
130
201
#define PDEBUG(fmt, args...) printf("parser: " fmt, ## args)
152
223
#define list_for_each(LIST, ENTRY) \
153
224
for ((ENTRY) = (LIST); (ENTRY); (ENTRY) = (ENTRY)->next)
225
#define list_for_each_safe(LIST, ENTRY, TMP) \
226
for ((ENTRY) = (LIST), (TMP) = (LIST) ? (LIST)->next : NULL; (ENTRY); (ENTRY) = (TMP), (TMP) = (TMP) ? (TMP)->next : NULL)
154
227
#define list_last_entry(LIST, ENTRY) \
155
228
for ((ENTRY) = (LIST); (ENTRY) && (ENTRY)->next; (ENTRY) = (ENTRY)->next)
158
231
extern char *progname;
159
232
extern char *subdomainbase;
160
233
extern char *profilename;
234
extern char *profile_namespace;
162
236
/* from parser_main */
163
237
extern int force_complain;
238
extern int conf_quiet;
239
extern int conf_verbose;
240
extern int kernel_load;
164
241
extern int regex_type;
242
extern int perms_create;
243
extern struct timespec mru_tstamp;
244
extern void update_mru_tstamp(FILE *file);
165
245
extern void pwarn(char *fmt, ...) __attribute__((__format__(__printf__, 1, 2)));
248
extern void yyrestart(FILE *fp);
167
249
extern int yyparse(void);
168
250
extern void yyerror(char *msg, ...);
169
251
extern int yylex(void);
253
/* parser_include.c */
254
extern char *basedir;
171
256
/* parser_regex.c */
172
257
extern int process_regex(struct codomain *cod);
173
258
extern int post_process_entry(struct cod_entry *entry);
259
extern void reset_regex(void);
175
261
/* parser_variable.c */
176
262
extern int process_variables(struct codomain *cod);
181
267
extern char *processquoted(char *string, int len);
182
268
extern char *processunquoted(char *string, int len);
183
269
extern int get_keyword_token(const char *keyword);
270
extern int name_to_capability(const char *keyword);
271
extern int get_rlimit(const char *name);
184
272
extern char *process_var(const char *var);
185
273
extern int parse_mode(const char *mode);
186
extern struct cod_entry *new_entry(char *id, char *mode);
187
extern struct cod_net_entry *new_network_entry(int action,
188
struct ipv4_endpoints *addrs,
274
extern struct cod_entry *new_entry(char *namespace, char *id, int mode,
276
extern struct aa_network_entry *new_network_ent(unsigned int family,
278
unsigned int protocol);
279
extern struct aa_network_entry *network_entry(const char *family,
281
const char *protocol);
282
extern size_t get_af_max(void);
190
284
extern void debug_cod_list(struct codomain *list);
191
285
/* returns -1 if value != true or false, otherwise 0 == false, 1 == true */
192
286
extern int str_to_boolean(const char* str);
193
287
extern struct cod_entry *copy_cod_entry(struct cod_entry *cod);
194
288
extern void free_cod_entries(struct cod_entry *list);
195
extern void free_net_entries(struct cod_net_entry *list);
196
extern void free_ipv4_endpoints(struct ipv4_endpoints *addrs);
198
290
/* parser_symtab.c */
293
struct set_value *next;
199
295
extern int add_boolean_var(const char *var, int boolean);
200
296
extern int get_boolean_var(const char *var);
201
297
extern int new_set_var(const char *var, const char *value);
202
298
extern int add_set_value(const char *var, const char *value);
203
extern void *get_set_var(const char *var);
204
extern char *get_next_set_value(void **context);
299
extern struct set_value *get_set_var(const char *var);
300
extern char *get_next_set_value(struct set_value **context);
205
301
extern void dump_symtab(void);
206
302
extern void dump_expanded_symtab(void);
303
void free_symtabs(void);
306
extern int new_alias(const char *from, const char *to);
307
extern void replace_aliases(struct codomain *cod);
308
extern void free_aliases(void);
208
310
/* parser_merge.c */
209
311
extern int codomain_merge_rules(struct codomain *cod);
211
313
/* parser_interface.c */
212
314
typedef struct __sdserialize sd_serialize;
213
315
extern int load_codomain(int option, struct codomain *cod);
214
extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod);
316
extern int sd_serialize_profile(sd_serialize *p, struct codomain *cod,
318
extern int sd_load_buffer(int option, char *buffer, int size);
216
322
/* parser_policy.c */
217
323
extern void add_to_list(struct codomain *codomain);
218
324
extern void add_hat_to_policy(struct codomain *policy, struct codomain *hat);
219
325
extern void add_entry_to_policy(struct codomain *policy, struct cod_entry *entry);
220
extern void add_netrule_to_policy(struct codomain *policy, struct cod_net_entry *net_entry);
221
extern int post_process_policy(void);
326
extern void post_process_nt_entries(struct codomain *cod);
327
extern int post_process_policy(int debug_only);
222
328
extern int process_hat_regex(struct codomain *cod);
223
329
extern int process_hat_variables(struct codomain *cod);
224
330
extern int post_merge_rules(void);
226
332
extern struct codomain *merge_policy(struct codomain *a, struct codomain *b);
227
333
extern int load_policy(int option);
228
334
extern int load_hats(sd_serialize *p, struct codomain *cod);
335
extern int load_flattened_hats(struct codomain *cod);
229
336
extern void free_policy(struct codomain *cod);
230
337
extern void dump_policy(void);
231
338
extern void dump_policy_hats(struct codomain *cod);
232
339
extern void dump_policy_names(void);
233
340
extern int die_if_any_regex(void);
341
void free_policies(void);