/* * Copyright (c) 2012 * Canonical, Ltd. (All rights reserved) * * This program is free software; you can redistribute it and/or * modify it under the terms of version 2 of the GNU General Public * License published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. */ #ifndef __AA_PROFILE_H #define __AA_PROFILE_H #include #include #include #include "parser.h" #include "rule.h" #include "libapparmor_re/aare_rules.h" #include "network.h" class Profile; class block { public: }; struct deref_profileptr_lt { bool operator()(Profile * const &lhs, Profile * const &rhs) const; }; class ProfileList { public: set list; typedef set::iterator iterator; iterator begin() { return list.begin(); } iterator end() { return list.end(); } ProfileList() { }; virtual ~ProfileList() { clear(); } virtual bool empty(void) { return list.empty(); } virtual pair insert(Profile *); virtual void erase(ProfileList::iterator pos); void clear(void); void dump(void); void dump_profile_names(bool children); }; class flagvals { public: int hat; int complain; int audit; int path; void dump(void) { printf("Profile Mode:\t"); if (complain) printf("Complain"); else printf("Enforce"); if (audit) printf(", Audit"); if (hat) printf(", Hat"); printf("\n"); } }; struct capabilities { uint64_t allow; uint64_t audit; uint64_t deny; uint64_t quiet; capabilities(void) { allow = audit = deny = quiet = 0; } void dump() { if (allow != 0ull) __debug_capabilities(allow, "Capabilities"); if (audit != 0ull) __debug_capabilities(audit, "Audit Caps"); if (deny != 0ull) __debug_capabilities(deny, "Deny Caps"); if (quiet != 0ull) __debug_capabilities(quiet, "Quiet Caps"); }; }; struct dfa_stuff { aare_rules *rules; void *dfa; size_t size; dfa_stuff(void): rules(NULL), dfa(NULL), size(0) { } }; class Profile { public: char *ns; char *name; char *attachment; struct alt_name *altnames; void *xmatch; size_t xmatch_size; int xmatch_len; /* char *sub_name; */ /* subdomain name or NULL */ /* int default_deny; */ /* TRUE or FALSE */ int local; int local_mode; /* true if local, not hat */ int local_audit; Profile *parent; flagvals flags; struct capabilities caps; struct network net; struct aa_rlimits rlimits; char *exec_table[AA_EXEC_COUNT]; struct cod_entry *entries; RuleList rule_ents; ProfileList hat_table; struct dfa_stuff dfa; struct dfa_stuff policy; Profile(void) { ns = name = attachment = NULL; altnames = NULL; xmatch = NULL; xmatch_size = 0; xmatch_len = 0; local = local_mode = local_audit = 0; parent = NULL; flags = { 0, 0, 0, 0}; rlimits = {0, {}}; std::fill(exec_table, exec_table + AA_EXEC_COUNT, (char *)NULL); entries = NULL; }; virtual ~Profile(); bool operator<(Profile const &rhs)const { if (ns) { if (rhs.ns) { int res = strcmp(ns, rhs.ns); if (res != 0) return res < 0; } else return false; } else if (rhs.ns) return true; return strcmp(name, rhs.name) < 0; } void dump(void) { if (ns) printf("Ns:\t\t%s\n", ns); if (name) printf("Name:\t\t%s\n", name); else printf("Name:\t\t\n"); if (local) { if (parent) printf("Local To:\t%s\n", parent->name); else printf("Local To:\t\n"); } flags.dump(); caps.dump(); net.dump(); if (entries) debug_cod_entries(entries); for (RuleList::iterator i = rule_ents.begin(); i != rule_ents.end(); i++) { (*i)->dump(cout); } printf("\n"); hat_table.dump(); } bool alloc_net_table(); std::string hname(void) { if (!parent) return name; return parent->hname() + "//" + name; } /* assumes ns is set as part of profile creation */ std::string fqname(void) { if (parent) return parent->fqname() + "//" + name; else if (!ns) return hname(); return ":" + std::string(ns) + "://" + hname(); } std::string get_name(bool fqp) { if (fqp) return fqname(); return hname(); } void dump_name(bool fqp) { cout << get_name(fqp);; } }; #endif /* __AA_PROFILE_H */