mapping.lua: Improvements to conditional rules

- new conditional action 'if_active_exec_policy_is = "policyname"'
- conditional actions in rules can now be used to select exec policy, too.

1 files changed, 46 insertions, 28 deletions

diff --git a/lua_scripts/mapping.lua b/lua_scripts/mapping.lua
index 320ea78..b70c632 100644
--- a/lua_scripts/mapping.lua
+++ b/lua_scripts/mapping.lua
@@ -290,10 +290,11 @@ function sbox_execute_replace_rule(path, replacement, rule)
 	return ret
 end
 
--- returns path and readonly_flag
+-- returns exec_policy, path and readonly_flag
 function sbox_execute_conditional_actions(binary_name,
 		func_name, rp, path, rule)
 	local actions = rule.actions
+	local ret_exec_policy = nil
 
 	local a
 	for a = 1, table.maxn(actions) do
@@ -301,43 +302,61 @@ function sbox_execute_conditional_actions(binary_name,
 			sb.log("debug", string.format("try %d", a))
 		end
 
-		local ret_ro = false
-		if (actions[a].readonly) then
-			ret_ro = actions[a].readonly
-		end
+		-- each member in the "actions" array is a 
+		-- candidate for the rule which will be applied
+		local rule_cand = actions[a]
 
-		-- first, if there are any unconditional actions:
-		if (actions[a].use_orig_path) then
-			return path, ret_ro
-		elseif (actions[a].map_to) then
-			return actions[a].map_to .. path, ret_ro
+		local ret_ro = false
+		if (rule_cand.readonly) then
+			ret_ro = rule_cand.readonly
 		end
 
-		-- next try conditional destinations: build a path to
-		-- "tmp_dest", and if that destination exists, use that path.
-		local tmp_dest = nil
-		if (actions[a].if_exists_then_map_to) then
-			tmp_dest = actions[a].if_exists_then_map_to .. path
-		elseif (actions[a].if_exists_then_replace_by) then
-			tmp_dest = sbox_execute_replace_rule(path,
-				actions[a].if_exists_then_replace_by, rule)
-		end
-		if (tmp_dest ~= nil) then
+		if (rule_cand.if_exists_then_map_to or
+		    rule_cand.if_exists_then_replace_by) then
+			-- conditional destinations: build a path to
+			-- "tmp_dest", and if that destination exists, use that path.
+			local tmp_dest = nil
+			if (rule_cand.if_exists_then_map_to) then
+				tmp_dest = rule_cand.if_exists_then_map_to .. path
+			else
+				tmp_dest = sbox_execute_replace_rule(path,
+					rule_cand.if_exists_then_replace_by, rule)
+			end
 			if (sb.path_exists(tmp_dest)) then
 				if (debug_messages_enabled) then
-					sb.log("debug", string.format("target exists: => %s", tmp_dest))
+					sb.log("debug", string.format(
+						"target exists: => %s", tmp_dest))
+				end
+				if (rule_cand.exec_policy ~= nil) then
+					ret_exec_policy = rule_cand.exec_policy
 				end
-				return tmp_dest, ret_ro
+				return ret_exec_policy, tmp_dest, ret_ro
+			end
+		elseif (rule_cand.if_active_exec_policy_is) then
+			local ep = get_active_exec_policy()
+
+			if (ep ~= nil and ep.name == rule_cand.if_active_exec_policy_is) then
+				return sbox_execute_rule(binary_name,
+					 func_name, rp, path, rule_cand)
 			end
 		else
-			sb.log("error", string.format("error in rule: no valid conditional actions for '%s'", path))
+			-- there MUST BE unconditional actions:
+			if (rule_cand.use_orig_path 
+			    or rule_cand.map_to or rule_cand.replace_by) then
+				return sbox_execute_rule(binary_name,
+					 func_name, rp, path, rule_cand)
+			else
+				sb.log("error", string.format(
+					"error in rule: no valid conditional actions for '%s'",
+					path))
+			end
 		end
 	end
 
 	-- no valid action found. This should not happen.
 	sb.log("error", string.format("mapping rule for '%s': execution of conditional actions failed", path))
 
-	return path, false
+	return ret_exec_policy, path, false
 end
 
 -- returns exec_policy, path and readonly_flag
@@ -356,10 +375,9 @@ function sbox_execute_rule(binary_name, func_name, rp, path, rule)
 	if (rule.use_orig_path) then
 		ret_path = path
 	elseif (rule.actions) then
-		-- FIXME: sbox_execute_conditional_actions should also
-		-- be able to return exec_policy
-		ret_path, ret_ro = sbox_execute_conditional_actions(binary_name,
-			func_name, rp, path, rule)
+		ret_exec_policy, ret_path, ret_ro = 
+			sbox_execute_conditional_actions(binary_name,
+				func_name, rp, path, rule)
 	elseif (rule.map_to) then
 		if (rule.map_to == "/") then
 			ret_path = path