97
%token TOK_CHANGE_PROFILE
103
%token TOK_TCP_CONN_ESTB
104
%token TOK_TCP_ACPT_ESTB
116
%token TOK_SOFT_RLIMIT
117
%token TOK_RLIMIT_CPU
118
%token TOK_RLIMIT_FSIZE
119
%token TOK_RLIMIT_DATA
120
%token TOK_RLIMIT_STACK
121
%token TOK_RLIMIT_CORE
122
%token TOK_RLIMIT_RSS
123
%token TOK_RLIMIT_NOFILE
124
%token TOK_RLIMIT_OFILE
126
%token TOK_RLIMIT_NPROC
127
%token TOK_RLIMIT_MEMLOCK
128
%token TOK_RLIMIT_LOCKS
129
%token TOK_RLIMIT_SIGPENDING
130
%token TOK_RLIMIT_MSGQUEUE
131
%token TOK_RLIMIT_NICE
132
%token TOK_RLIMIT_RTPRIO
108
134
/* capabilities */
109
135
%token TOK_CAPABILITY
111
%token TOK_CAP_DAC_OVERRIDE
112
%token TOK_CAP_DAC_READ_SEARCH
113
%token TOK_CAP_FOWNER
114
%token TOK_CAP_FSETID
116
%token TOK_CAP_SETGID
117
%token TOK_CAP_SETUID
118
%token TOK_CAP_SETPCAP
119
%token TOK_CAP_LINUX_IMMUTABLE
120
%token TOK_CAP_NET_BIND_SERVICE
121
%token TOK_CAP_NET_BROADCAST
122
%token TOK_CAP_NET_ADMIN
123
%token TOK_CAP_NET_RAW
124
%token TOK_CAP_IPC_LOCK
125
%token TOK_CAP_IPC_OWNER
126
%token TOK_CAP_SYS_MODULE
127
%token TOK_CAP_SYS_RAWIO
128
%token TOK_CAP_SYS_CHROOT
129
%token TOK_CAP_SYS_PTRACE
130
%token TOK_CAP_SYS_PACCT
131
%token TOK_CAP_SYS_ADMIN
132
%token TOK_CAP_SYS_BOOT
133
%token TOK_CAP_SYS_NICE
134
%token TOK_CAP_SYS_RESOURCE
135
%token TOK_CAP_SYS_TIME
136
%token TOK_CAP_SYS_TTY_CONFIG
139
%token TOK_CAP_AUDIT_WRITE
140
%token TOK_CAP_AUDIT_CONTROL
142
137
/* debug flag values */
144
139
%token TOK_FLAG_OPENPAREN
145
140
%token TOK_FLAG_CLOSEPAREN
146
141
%token TOK_FLAG_SEP
147
%token TOK_FLAG_DEBUG
148
%token TOK_FLAG_COMPLAIN
149
%token TOK_FLAG_AUDIT
160
unsigned long int num;
148
struct aa_network_entry *network_entry;
161
149
struct codomain *cod;
162
struct cod_global_entry *entry;
163
150
struct cod_net_entry *net_entry;
164
151
struct cod_entry *user_entry;
165
struct ipv4_desc *ipv4;
166
struct ipv4_endpoints *endpoints;
167
unsigned short (*port)[2];
169
152
struct flagval flags;
155
unsigned int allowed_protocol;
174
159
struct value_list *val_list;
161
struct named_transition transition;
178
164
%type <id> TOK_ID
179
165
%type <mode> TOK_MODE
166
%type <fmode> file_mode
167
%type <cod> profile_base
180
168
%type <cod> profile
181
169
%type <cod> rules
171
%type <cod> local_profile
183
172
%type <cod> cond_rule
184
%type <net_entry> netrule
173
%type <network_entry> network_rule
185
174
%type <user_entry> rule
187
%type <endpoints> addresses
191
%type <iface> TOK_IFACE interface
192
%type <action> TOK_ACTION
194
%type <port> TOK_PORT_IDENT
196
%type <action> action
175
%type <user_entry> frule
197
176
%type <flags> flags
198
177
%type <flags> flagvals
199
178
%type <flags> flagval
179
%type <flag_id> TOK_FLAG_ID
201
181
%type <cap> capability
183
%type <user_entry> change_profile
202
184
%type <set_var> TOK_SET_VAR
203
185
%type <bool_var> TOK_BOOL_VAR
204
186
%type <var_val> TOK_VALUE
205
187
%type <val_list> valuelist
206
188
%type <boolean> expr
190
%type <boolean> opt_subset_flag
191
%type <boolean> opt_audit_flag
192
%type <boolean> opt_owner_flag
193
%type <boolean> opt_profile_flag
194
%type <id> opt_namespace
196
%type <transition> opt_named_transition
197
%type <boolean> opt_unsafe
211
list: varlist profilelist
201
list: preamble profilelist
212
202
{ /* nothing */ };
214
204
profilelist: { /* nothing */ };
222
profile: TOK_ID flags TOK_OPEN rules TOK_CLOSE
212
opt_profile_flag: { /* nothing */ $$ = 0; }
213
| TOK_PROFILE { $$ = 1; }
214
| hat_start { $$ = 2; }
216
opt_namespace: { /* nothing */ $$ = NULL; }
217
| TOK_COLON TOK_ID TOK_COLON { $$ = $2; }
219
opt_id: { /* nothing */ $$ = NULL; }
220
| TOK_ID { $$ = $1; }
222
profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
224
struct codomain *cod = $4;
225
PDEBUG("Matched: id (%s) open rules close\n", $1);
224
struct codomain *cod = $5;
227
227
yyerror(_("Memory allocation error."));
231
cod->attachment = $2;
232
if ($2 && $2[0] != '/')
233
/* we don't support variables as part of the profile
234
* name or attachment atm
236
yyerror(_("Profile attachment must begin with a '/'."));
231
238
if (force_complain)
232
cod->flags = force_complain_flags;
239
cod->flags.complain = 1;
241
post_process_nt_entries(cod);
234
242
PDEBUG("%s: flags='%s%s'\n",
236
244
cod->flags.complain ? "complain, " : "",
237
245
cod->flags.audit ? "audit" : "");
242
varlist: { /* nothing */ }
244
varlist: varlist varassign
251
profile: opt_profile_flag opt_namespace profile_base
253
struct codomain *cod = $3;
255
PDEBUG("Matched: %s://%s { ... }\n", $2, $3->name);
257
PDEBUG("Matched: %s { ... }\n", $3->name);
259
if ($3->name[0] != '/' && !($1 || $2))
260
yyerror(_("Profile names must begin with a '/', namespace or keyword 'profile' or 'hat'."));
268
local_profile: TOK_PROFILE profile_base
271
struct codomain *cod = $2;
274
PDEBUG("Matched: local profile %s { ... }\n", cod->name);
279
hat: hat_start profile_base
281
struct codomain *cod = $2;
283
PDEBUG("Matched: hat %s { ... }\n", code->name);
289
preamble: { /* nothing */ }
290
| preamble alias { /* nothing */ };
291
| preamble varassign { /* nothing */ };
293
alias: TOK_ALIAS TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
295
if (!new_alias($2, $4))
296
yyerror(_("Failed to create alias %s -> %s\n"), $2, $4);
247
301
varassign: TOK_SET_VAR TOK_EQUALS valuelist
400
PDEBUG("matched: rules rule\n");
401
PDEBUG("rules rule: (%s)\n", $2->name);
403
yyerror(_("Assert: `rule' returned NULL."));
490
/* can't fold TOK_DENY in as opt_deny_flag as it messes up the generated
491
* parser, even though it shouldn't
493
rules: rules opt_audit_flag TOK_DENY opt_owner_flag rule
495
PDEBUG("matched: rules rule\n");
496
PDEBUG("rules rule: (%s)\n", $5->name);
498
yyerror(_("Assert: `rule' returned NULL."));
500
if (($5->mode & AA_EXEC_BITS) && ($5->mode & ALL_AA_EXEC_TYPE))
501
yyerror(_("Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'"));
504
$5->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
506
$5->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
507
/* only set audit ctl quieting if the rule is not audited */
509
$5->audit = $5->mode & ~ALL_AA_EXEC_TYPE;
511
add_entry_to_policy($1, $5);
515
rules: rules opt_audit_flag opt_owner_flag rule
517
PDEBUG("matched: rules rule\n");
518
PDEBUG("rules rule: (%s)\n", $4->name);
520
yyerror(_("Assert: `rule' returned NULL."));
521
if (($4->mode & AA_EXEC_BITS) &&
522
!($4->mode & ALL_AA_EXEC_TYPE) &&
524
yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', 'c', or 'u'"));
527
$4->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
529
$4->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
531
$4->audit = $4->mode & ~ALL_AA_EXEC_TYPE;
533
add_entry_to_policy($1, $4);
537
rules: rules opt_audit_flag opt_owner_flag TOK_OPEN rules TOK_CLOSE
539
struct cod_entry *entry, *tmp;
540
PDEBUG("matched: audit block\n");
541
list_for_each_safe($5->entries, entry, tmp) {
543
if (entry->mode & AA_EXEC_BITS) {
545
(entry->mode & ALL_AA_EXEC_TYPE))
546
yyerror(_("Invalid mode, in deny rules 'x' must not be preceded by exec qualifier 'i', 'p', or 'u'"));
547
else if (!entry->deny &&
548
!(entry->mode & ALL_AA_EXEC_TYPE))
549
yyerror(_("Invalid mode, 'x' must be preceded by exec qualifier 'i', 'p', or 'u'"));
552
entry->mode &= (AA_USER_PERMS | AA_SHARED_PERMS | AA_USER_PTRACE);
554
entry->mode &= (AA_OTHER_PERMS | AA_SHARED_PERMS | AA_OTHER_PTRACE);
556
if ($2 && !entry->deny)
557
entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE;
558
else if (!$2 && entry->deny)
559
entry->audit = entry->mode & ~ALL_AA_EXEC_TYPE;
560
add_entry_to_policy($1, entry);
563
// fix me transfer rules and free sub codomain
568
rules: rules opt_audit_flag TOK_DENY network_rule
570
struct aa_network_entry *entry, *tmp;
572
PDEBUG("Matched: network rule\n");
574
yyerror(_("Assert: `network_rule' return invalid protocol."));
575
if (!$1->network_allowed) {
576
$1->network_allowed = calloc(get_af_max(),
577
sizeof(unsigned int));
578
$1->audit_network = calloc(get_af_max(),
579
sizeof(unsigned int));
580
$1->deny_network = calloc(get_af_max(),
581
sizeof(unsigned int));
582
$1->quiet_network = calloc(get_af_max(),
583
sizeof(unsigned int));
584
if (!$1->network_allowed || !$1->audit_network ||
585
!$1->deny_network || !$1->quiet_network)
586
yyerror(_("Memory allocation error."));
588
list_for_each_safe($4, entry, tmp) {
589
if (entry->type > SOCK_PACKET) {
590
/* setting mask instead of a bit */
591
$1->deny_network[entry->family] |= entry->type;
593
$1->quiet_network[entry->family] |= entry->type;
596
$1->deny_network[entry->family] |= 1 << entry->type;
598
$1->quiet_network[entry->family] |= 1 << entry->type;
606
rules: rules opt_audit_flag network_rule
608
struct aa_network_entry *entry, *tmp;
610
PDEBUG("Matched: network rule\n");
612
yyerror(_("Assert: `network_rule' return invalid protocol."));
613
if (!$1->network_allowed) {
614
$1->network_allowed = calloc(get_af_max(),
615
sizeof(unsigned int));
616
$1->audit_network = calloc(get_af_max(),
617
sizeof(unsigned int));
618
$1->deny_network = calloc(get_af_max(),
619
sizeof(unsigned int));
620
$1->quiet_network = calloc(get_af_max(),
621
sizeof(unsigned int));
622
if (!$1->network_allowed || !$1->audit_network ||
623
!$1->deny_network || !$1->quiet_network)
624
yyerror(_("Memory allocation error."));
626
list_for_each_safe($3, entry, tmp) {
627
if (entry->type > SOCK_PACKET) {
628
/* setting mask instead of a bit */
629
$1->network_allowed[entry->family] |= entry->type;
631
$1->audit_network[entry->family] |= entry->type;
634
$1->network_allowed[entry->family] |= 1 << entry->type;
636
$1->audit_network[entry->family] |= 1 << entry->type;
644
rules: rules change_profile
646
PDEBUG("matched: rules change_profile\n");
647
PDEBUG("rules change_profile: (%s)\n", $2->name);
649
yyerror(_("Assert: `change_profile' returned NULL."));
404
650
add_entry_to_policy($1, $2);
654
rules: rules opt_audit_flag TOK_DENY capability
410
PDEBUG("Matched: netrules rule\n");
412
yyerror(_("Assert: `netrule' returned NULL."));
413
PDEBUG("Assigning %s\n", inet_ntoa(*$2->saddr));
414
PDEBUG("Assigning %s\n", inet_ntoa(*$2->daddr));
415
add_netrule_to_policy($1, $2);
419
rules: rules capability
421
$1->capabilities = $1->capabilities | CAP_TO_MASK($2);
658
$1->quiet_caps |= $4;
662
rules: rules opt_audit_flag capability
664
$1->capabilities |= $3;
666
$1->audit_caps |= $3;
670
rules: rules set_caps
520
rule: TOK_ID TOK_MODE TOK_END_OF_RULE
522
struct cod_entry *entry;
523
PDEBUG("Matched: tok_id (%s) tok_mode (%s)\n", $1, $2);
524
entry = new_entry($1, $2);
526
yyerror(_("Memory allocation error."));
527
PDEBUG("rule.entry: (%s)\n", entry->name);
532
rule: TOK_SET_VAR TOK_MODE TOK_END_OF_RULE
534
struct cod_entry *entry;
535
PDEBUG("Matched: tok_id (%s) tok_mode (%s)\n", $1, $2);
536
entry = new_entry($1, $2);
538
yyerror(_("Memory allocation error."));
539
PDEBUG("rule.entry: (%s)\n", entry->name);
544
rule: TOK_ID TOK_MODE TOK_ID
852
id_or_var: TOK_ID { $$ = $1; }
853
id_or_var: TOK_SET_VAR { $$ = $1; };
855
opt_named_transition:
861
| TOK_ARROW id_or_var
867
| TOK_ARROW TOK_COLON id_or_var TOK_COLON id_or_var
874
opt_unsafe: { /* nothing */ $$ = 0; }
875
| TOK_UNSAFE { $$ = 1; };
876
| TOK_SAFE { $$ = 2; };
878
rule: opt_unsafe frule
881
if (!($2->mode & AA_EXEC_BITS))
882
yyerror(_("unsafe rule missing exec permissions"));
884
$2->mode |= (($2->mode & AA_EXEC_BITS) << 8) &
888
$2->mode &= ~ALL_AA_EXEC_UNSAFE;
893
frule: id_or_var file_mode opt_named_transition TOK_END_OF_RULE
895
$$ = do_file_rule($3.namespace, $1, $2, NULL, $3.name);
898
frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE
900
if ($2 && ($1 & ~AA_LINK_BITS))
901
yyerror(_("subset can only be used with link rules."));
902
if ($4.present && ($1 & AA_LINK_BITS) && ($1 & AA_EXEC_BITS))
903
yyerror(_("link and exec perms conflict on a file rule using ->"));
904
if ($4.present && $4.namespace && ($1 & AA_LINK_BITS))
905
yyerror(_("link perms are not allowed on a named profile transition.\n"));
906
if (($1 & AA_LINK_BITS)) {
907
$$ = do_file_rule(NULL, $3, $1, $4.name, NULL);
911
$$ = do_file_rule($4.namespace, $3, $1, NULL, $4.name);
915
rule: opt_unsafe id_or_var file_mode id_or_var
546
917
/* Oopsie, we appear to be missing an EOL marker. If we
547
918
* were *smart*, we could work around it. Since we're
550
921
yyerror(_("missing an end of line character? (entry: %s)"), $1);
553
hat: TOK_SEP TOK_ID flags TOK_OPEN rules TOK_CLOSE
555
struct codomain *cod = $5;
556
PDEBUG("Matched: sep id (%s) open rules close\n", $2);
558
yyerror(_("Memory allocation error."));
924
rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE
926
struct cod_entry *entry;
927
PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5);
928
entry = new_entry(NULL, $3, AA_LINK_BITS, $5);
930
PDEBUG("rule.entry: link (%s)\n", entry->name);
934
rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE
936
struct cod_entry *entry;
937
entry = new_entry(NULL, $2, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
939
yyerror(_("Memory allocation error."));
943
rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
945
struct cod_entry *entry;
946
entry = new_entry($3, $5, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL);
948
yyerror(_("Memory allocation error."));
952
network_rule: TOK_NETWORK TOK_END_OF_RULE
955
struct aa_network_entry *new_entry, *entry = NULL;
956
for (family = AF_UNSPEC; family < get_af_max(); family++) {
957
new_entry = new_network_ent(family, 0xffffffff,
960
yyerror(_("Memory allocation error."));
961
new_entry->next = entry;
563
cod->flags = force_complain_flags;
564
PDEBUG("^%s: flags='%s%s'\n",
566
cod->flags.complain ? "complain, " : "",
567
cod->flags.audit ? "audit" : "");
573
* The addition of an entirely new grammer set to our (previously) slim
574
* profile spec is below. It's designed to look quite similar to
575
* (Free|Open)BSD's ipfw rules:
577
* 'tcp_connect to 10.0.0.40:80 via eth0' for example.
581
* We need to verify the following rules:
584
netrule: action addresses interface TOK_END_OF_RULE
586
struct cod_net_entry *entry;
591
yyerror(_("Assert: `addresses' returned NULL."));
593
PDEBUG("Matched action (%d) via (%s)\n", $1, $3);
594
entry = new_network_entry($1, $2, $3);
596
yyerror(_("Memory allocation error."));
598
free_ipv4_endpoints($2);
602
action: TOK_TCP_CONN { $$ = AA_TCP_CONNECT; }
603
| TOK_TCP_ACPT { $$ = AA_TCP_ACCEPT; }
604
| TOK_TCP_CONN_ESTB { $$ = AA_TCP_CONNECTED; }
605
| TOK_TCP_ACPT_ESTB { $$ = AA_TCP_ACCEPTED; }
606
| TOK_UDP_SEND { $$ = AA_UDP_SEND; }
607
| TOK_UDP_RECV { $$ = AA_UDP_RECEIVE; }
611
interface: /* nothing, no interface specified */
615
interface: TOK_VIA TOK_IFACE
617
PDEBUG ("Matched an interface (%s)\n", $2);
967
network_rule: TOK_NETWORK TOK_ID TOK_END_OF_RULE
969
struct aa_network_entry *entry;
970
entry = network_entry($2, NULL, NULL);
972
/* test for short circuiting of family */
973
entry = network_entry(NULL, $2, NULL);
975
yyerror(_("Invalid network entry."));
980
network_rule: TOK_NETWORK TOK_ID TOK_ID TOK_END_OF_RULE
982
struct aa_network_entry *entry;
983
entry = network_entry($2, $3, NULL);
985
yyerror(_("Invalid network entry."));
991
hat_start: TOK_SEP {}
996
/* A single TOK_MODE maps to the same permission in all
1002
change_profile: TOK_CHANGE_PROFILE TOK_ARROW TOK_ID TOK_END_OF_RULE
1004
struct cod_entry *entry;
1005
PDEBUG("Matched change_profile: tok_id (%s)\n", $3);
1006
entry = new_entry(NULL, $3, AA_CHANGE_PROFILE, NULL);
1008
yyerror(_("Memory allocation error."));
1009
PDEBUG("change_profile.entry: (%s)\n", entry->name);
1013
change_profile: TOK_CHANGE_PROFILE TOK_ARROW TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE
1015
struct cod_entry *entry;
1016
PDEBUG("Matched change_profile: tok_id (%s:%s)\n", $4, $6);
1017
entry = new_entry($4, $6, AA_CHANGE_PROFILE, NULL);
1019
yyerror(_("Memory allocation error."));
1020
PDEBUG("change_profile.entry: (%s)\n", entry->name);
1025
set_caps: TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
1030
capability: TOK_CAPABILITY caps TOK_END_OF_RULE
621
addresses: /* Nothing */
623
struct ipv4_endpoints *addresses;
625
addresses = (struct ipv4_endpoints *)
626
malloc (sizeof (struct ipv4_endpoints));
628
yyerror(_("Memory allocation error."));
629
addresses->src = NULL;
630
addresses->dest = NULL;
635
addresses: TOK_TO address
637
struct ipv4_endpoints *addresses;
639
addresses = (struct ipv4_endpoints *)
640
malloc(sizeof (struct ipv4_endpoints));
642
yyerror(_("Memory allocation error."));
643
addresses->src = NULL;
644
addresses->dest = $2;
649
addresses: TOK_FROM address
651
struct ipv4_endpoints *addresses;
653
addresses = (struct ipv4_endpoints *)
654
malloc(sizeof (struct ipv4_endpoints));
656
yyerror(_("Memory allocation error."));
658
addresses->dest = NULL;
663
addresses: TOK_FROM address TOK_TO address
665
struct ipv4_endpoints *addresses;
667
addresses = (struct ipv4_endpoints *)
668
malloc (sizeof (struct ipv4_endpoints));
670
yyerror(_("Memory allocation error."));
672
addresses->dest = $4;
677
addresses: TOK_TO address TOK_FROM address
679
struct ipv4_endpoints *addresses;
681
addresses = (struct ipv4_endpoints *)
682
malloc(sizeof (struct ipv4_endpoints));
684
yyerror(_("Memory allocation error."));
686
addresses->dest = $2;
691
addresses: TOK_TO address TOK_TO
693
/* better error warnings (hopefully) */
694
yyerror(_("Network entries can only have one TO address."));
696
addresses: TOK_FROM address TOK_FROM
698
/* better error warnings (hopefully) */
699
yyerror(_("Network entries can only have one FROM address."));
701
address: TOK_IP ports
703
/* Bleah, I have to handle address as two rules, because
704
* if the user provides an ip of 0.0.0.0 and no mask, we
705
* treat it as 0.0.0.0/0 instead of 0.0.0.0/32. */
707
struct ipv4_desc *address;
709
address = (struct ipv4_desc *)
710
malloc (sizeof (struct ipv4_desc));
712
yyerror(_("Memory allocation error."));
714
address->port[0] = (*$2)[0];
715
address->port[1] = (*$2)[1];
716
if (inet_aton($1, &(address->addr)) == 0)
717
yyerror(_("`%s' is not a valid ip address."), $1);
718
if (address->addr.s_addr == 0) {
719
/* the user specified 0.0.0.0 without giving an
720
* explicit mask, so treat it as 0.0.0.0/0 */
721
address->mask = htonl (0UL);
723
/* otherwise, treat it as /32 */
724
address->mask = htonl (0xffffffff);
726
PDEBUG("Matched an IP (%s/%d:%d-%d)\n",
727
inet_ntoa(address->addr), address->mask,
728
address->port[0], address->port[1]);
735
address: TOK_IP mask ports
737
struct ipv4_desc *address;
739
address = (struct ipv4_desc *)
740
malloc(sizeof (struct ipv4_desc));
742
yyerror(_("Memory allocation error."));
745
address->port[0] = (*$3)[0];
746
address->port[1] = (*$3)[1];
747
if (inet_aton($1, &(address->addr)) == 0)
748
yyerror(_("`%s' is not a valid ip address."), $1);
749
PDEBUG("Matched an IP (%s/%d:%d-%d)\n",
750
inet_ntoa(address->addr), address->mask,
751
address->port[0], address->port[1]);
757
mask: TOK_SLASH TOK_NUM
759
PDEBUG("Matched a netmask (%d)\n", $2);
760
if (($2 < 0) || ($2 > 32))
761
yyerror(_("`/%d' is not a valid netmask."), $2);
762
$$ = htonl(0xffffffff << (32 - $2));
764
mask: TOK_SLASH TOK_IP
767
if (inet_aton($2, &mask) == 0)
768
yyerror(_("`%s' is not a valid netmask."), $2);
769
PDEBUG("Matched a netmask (%d)\n", mask.s_addr);
774
/* nothing, return all ports */
775
unsigned short (*ports)[2];
777
ports = (unsigned short (*)[2])
778
malloc(sizeof (unsigned short [2]));
780
yyerror(_("Memory allocation error."));
781
(*ports)[0] = MIN_PORT;
782
(*ports)[1] = MAX_PORT;
786
ports: TOK_COLON TOK_NUM
788
unsigned short (*ports)[2];
790
PDEBUG("Matched a single port (%d)\n", $2);
791
ports = (unsigned short (*)[2])
792
malloc(sizeof (unsigned short [2]));
793
if (($2 < MIN_PORT) || ($2 > MAX_PORT))
794
yyerror(_("ports must be between %d and %d"),
797
yyerror(_("Memory allocation error."));
803
ports: TOK_COLON TOK_NUM TOK_RANGE TOK_NUM
805
unsigned short (*ports)[2];
807
PDEBUG("Matched a port range (%d,%d)\n", $2, $4);
808
ports = (unsigned short (*)[2])
809
malloc(sizeof (unsigned short [2]));
811
yyerror(_("Memory allocation error."));
812
if (($2 < MIN_PORT) || ($4 > MAX_PORT)
813
|| ($2 < MIN_PORT) || ($4 > MAX_PORT))
814
yyerror(_("ports must be between %d and %d"),
819
if ((*ports)[0] > (*ports)[1])
822
pwarn("expected first port number to be less than the second, swapping (%ld,%ld)\n",
825
(*ports)[0] = (*ports)[1];
832
capability: TOK_CAPABILITY cap TOK_END_OF_RULE
837
cap: TOK_CAP_CHOWN { $$ = CAP_CHOWN; }
838
| TOK_CAP_DAC_OVERRIDE { $$ = CAP_DAC_OVERRIDE; }
839
| TOK_CAP_DAC_READ_SEARCH { $$ = CAP_DAC_READ_SEARCH; }
840
| TOK_CAP_FOWNER { $$ = CAP_FOWNER; }
841
| TOK_CAP_FSETID { $$ = CAP_FSETID; }
842
| TOK_CAP_KILL { $$ = CAP_KILL; }
843
| TOK_CAP_SETGID { $$ = CAP_SETGID; }
844
| TOK_CAP_SETUID { $$ = CAP_SETUID; }
845
| TOK_CAP_SETPCAP { $$ = CAP_SETPCAP; }
846
| TOK_CAP_LINUX_IMMUTABLE { $$ = CAP_LINUX_IMMUTABLE; }
847
| TOK_CAP_NET_BIND_SERVICE { $$ = CAP_NET_BIND_SERVICE; }
848
| TOK_CAP_NET_BROADCAST { $$ = CAP_NET_BROADCAST; }
849
| TOK_CAP_NET_ADMIN { $$ = CAP_NET_ADMIN; }
850
| TOK_CAP_NET_RAW { $$ = CAP_NET_RAW; }
851
| TOK_CAP_IPC_LOCK { $$ = CAP_IPC_LOCK; }
852
| TOK_CAP_IPC_OWNER { $$ = CAP_IPC_OWNER; }
853
| TOK_CAP_SYS_MODULE { $$ = CAP_SYS_MODULE; }
854
| TOK_CAP_SYS_RAWIO { $$ = CAP_SYS_RAWIO; }
855
| TOK_CAP_SYS_CHROOT { $$ = CAP_SYS_CHROOT; }
856
| TOK_CAP_SYS_PTRACE { $$ = CAP_SYS_PTRACE; }
857
| TOK_CAP_SYS_PACCT { $$ = CAP_SYS_PACCT; }
858
| TOK_CAP_SYS_ADMIN { $$ = CAP_SYS_ADMIN; }
859
| TOK_CAP_SYS_BOOT { $$ = CAP_SYS_BOOT; }
860
| TOK_CAP_SYS_NICE { $$ = CAP_SYS_NICE; }
861
| TOK_CAP_SYS_RESOURCE { $$ = CAP_SYS_RESOURCE; }
862
| TOK_CAP_SYS_TIME { $$ = CAP_SYS_TIME; }
863
| TOK_CAP_SYS_TTY_CONFIG { $$ = CAP_SYS_TTY_CONFIG; }
864
| TOK_CAP_MKNOD { $$ = CAP_MKNOD; }
865
| TOK_CAP_LEASE { $$ = CAP_LEASE; }
866
| TOK_CAP_AUDIT_WRITE { $$ = CAP_AUDIT_WRITE; }
867
| TOK_CAP_AUDIT_CONTROL { $$ = CAP_AUDIT_CONTROL; }
1037
int cap = name_to_capability($2);
1039
yyerror(_("Invalid capability %s."), $2);
1041
$$ = $1 | CAP_TO_MASK(cap);
1046
int cap = name_to_capability($1);
1048
yyerror(_("Invalid capability %s."), $1);
1050
$$ = CAP_TO_MASK(cap);
870
1054
#define MAXBUFSIZE 4096