From 7bd57261c7d93a1f815813d58639a52f4c59eedb Mon Sep 17 00:00:00 2001
From: Niels Provos
Date: Wed, 5 Jun 2002 21:09:03 +0000
Subject: append predicate, instead of prepending. makes rules sortable again. pointed out by dugsong@

---
 bin/systrace/policy.c | 39 +++++++++++++++++++--------------------
 bin/systrace/systrace.1 | 8 ++++----
 2 files changed, 23 insertions(+), 24 deletions(-)
(limited to 'bin')

diff --git a/bin/systrace/policy.c b/bin/systrace/policy.c
index 187be64a906..c2b50df0b02 100644
--- a/bin/systrace/policy.c
+++ b/bin/systrace/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.6 2002/06/05 20:52:47 provos Exp $ */
+/* $OpenBSD: policy.c,v 1.7 2002/06/05 21:09:02 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos
 * All rights reserved.
@@ -410,25 +410,6 @@ systrace_readpolicy(char *filename)
 policy->flags |= POLICY_DETACHED;
 policy = NULL;
 continue;
- } else if (!strncasecmp(p, "if", 2)) {
- int match;
- char *predicate;
-
- /* Process predicates */
- p += 2;
- p += strspn(p, " \t");
- predicate = strsep(&p, ",");
- if (p == NULL)
- goto error;
-
- match = systrace_predicatematch(predicate);
- if (match == -1)
- goto error;
- /* If the predicate does not match skip rule */
- if (!match)
- continue;
-
- p += strspn(p, " \t");
 }
 
 emulation = strsep(&p, "-");
@@ -444,6 +425,24 @@ systrace_readpolicy(char *filename)
 p++;
 rule = p;
 
+ if ((p = strrchr(p, ',')) != NULL &&
+ !strncasecmp(p, ", if", 4)) {
+ int match;
+
+ *p = '\0';
+
+ /* Process predicates */
+ p += 4;
+ p += strspn(p, " \t");
+
+ match = systrace_predicatematch(p);
+ if (match == -1)
+ goto error;
+ /* If the predicate does not match skip rule */
+ if (!match)
+ continue;
+ }
+
 if (filter_parse_simple(rule, &action, &future) == -1) {
 if (parse_filter(rule, &parsed) == -1)
 goto error;
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index 2148effc982..a7ff669b38b 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
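Review bot: The new predicate detection in the second hunk of policy.c, `if ((p = strrchr(p, ',')) != NULL && !strncasecmp(p, ", if", 4))`, only recognises the suffix when it is spelled with exactly one space after the comma, and because strrchr() anchors on the last comma of the line a predicate whose own string contains a comma (e.g. a quoted group name) is likewise not recognised; in both cases the trailing text is handed to filter_parse_simple()/parse_filter() as part of the rule. Whether those parsers reject the leftover text is not visible here; if they accept it, a permit rule the author meant to be conditional would be installed unconditionally, so that rejection is worth confirming or the detection worth tightening. A small tightening is to skip whitespace after the comma before comparing, `q = p + 1; q += strspn(q, " \t"); if (strncasecmp(q, "if", 2) == 0 && (q[2] == ' ' || q[2] == '\t'))`, and to note the spelling rule in a comment above the check, e.g. `/* A predicate is a trailing ", if ..." clause; the last comma on the line is taken as its start, so commas inside the predicate itself are not supported. */`. The same anchoring means a comma inside a quoted rule argument that happens to be followed by " if" truncates the rule there, which is probably acceptable for an operator-written policy but deserves the same comment. systrace_readpolicy() begins and ends outside this hunk.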
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.11 2002/06/05 20:52:47 provos Exp $
+.\" $OpenBSD: systrace.1,v 1.12 2002/06/05 21:09:02 provos Exp $
 .\"
 .\" Copyright 2002 Niels Provos
 .\" All rights reserved.
@@ -96,10 +96,10 @@ The
 .Va cmd-string
 is an arbitrary string enclosed with quotation marks.
 .Pp
-Policy entries can be prefixed with a predicate.
+Policy entries may contain an appended predicate.
 Predicates have the following format:
 .Bd -literal -offset AAA
-"if" {"user", "group"} {"=", "!="} string ","
+", if" {"user", "group"} {"=", "!="} string
 .Ed
 .Pp
 A rule is added to the configured policy only if its predicate
@@ -119,7 +119,7 @@ Policy: /bin/ls, Emulation: native
 native-open: filename match "$HOME/*" and oflags sub "ro" then permit
 native-open: filename eq "/etc/pwd.db" and oflags sub "ro" then permit
 [...]
- if group != wheel, native-open: filename eq "/etc" then deny[eperm]
+ native-open: filename eq "/etc" then deny[eperm], if group != wheel
 .Ed
 .Sh FILES
 .Bl -tag -width xHOME/xsystrace -compact
-- 
cgit v1.2.3