Allow the capability rule to be bare to represent all capabilities, similar to how network and other rule types work.
capability,
Signed-off-by: John Johansen <[email protected]>
---
 parser/parser_yacc.y | 18 +++++++-----------
 parser/tst/simple_tests/capability/bad_3.sd | 9 +++++++++
 parser/tst/simple_tests/capability/bad_4.sd | 9 +++++++++
 parser/tst/simple_tests/capability/ok3.sd | 9 +++++++++
 4 files changed, 34 insertions(+), 11 deletions(-)
 create mode 100644 parser/tst/simple_tests/capability/bad_3.sd
 create mode 100644 parser/tst/simple_tests/capability/bad_4.sd
 create mode 100644 parser/tst/simple_tests/capability/ok3.sd
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 2a4fa5d..fff7e23 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -1057,10 +1057,15 @@ set_caps: TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
 
 capability: TOK_CAPABILITY caps TOK_END_OF_RULE
 {
- $$ = $2;
+ if ($2 == 0) {
+ /* bare capability keyword - set all caps */
+ $$ = 0xffffffffffffffff;
+ } else
+ $$ = $2;
 };
 
-caps: caps TOK_ID
+caps: { /* nothing */ $$ = 0; }
+ | caps TOK_ID
 {
 int cap = name_to_capability($2);
 if (cap == -1)
@@ -1069,15 +1074,6 @@ caps: caps TOK_ID
 $$ = $1 | CAP_TO_MASK(cap);
 }
 
-caps: TOK_ID
- {
- int cap = name_to_capability($1);
- if (cap == -1)
- yyerror(_("Invalid capability %s."), $1);
- free($1);
- $$ = CAP_TO_MASK(cap);
- };
-
 %%
 
 #define MAXBUFSIZE 4096
diff --git a/parser/tst/simple_tests/capability/bad_3.sd b/parser/tst/simple_tests/capability/bad_3.sd
new file mode 100644
index 0000000..00e4f4b
--- /dev/null
+++ b/parser/tst/simple_tests/capability/bad_3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION fail CAP_XXX syntax.
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ capability chown CAP_CHOWN,
+}
diff --git a/parser/tst/simple_tests/capability/bad_4.sd b/parser/tst/simple_tests/capability/bad_4.sd
new file mode 100644
index 0000000..502c74a
--- /dev/null
+++ b/parser/tst/simple_tests/capability/bad_4.sd
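Review bot: In the first parser_yacc.y hunk, the new empty alternative `caps: { /* nothing */ $$ = 0; }` is shared with `set_caps: TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE` (visible in the hunk header), so a bare `set capability,` now parses too. The `set_caps` action is outside the hunk, so whether it treats a zero mask as an error cannot be confirmed from here. If only the plain rule is meant to go bare, reject a zero mask in `set_caps` and add a `#=EXRESULT FAIL` case for `set capability,` alongside ok3.sd. In the `capability` action, `0xffffffffffffffff` presumably also sets bits above any capability number that exists today, so a profile with a bare `capability,` would silently gain every capability added later. A comment such as `/* bare keyword: all capabilities, including any defined in future */` and a named constant in place of the literal would make that policy widening explicit.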
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION fail unknown keyword
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ capability chown foobar,
+}
diff --git a/parser/tst/simple_tests/capability/ok3.sd b/parser/tst/simple_tests/capability/ok3.sd
new file mode 100644
index 0000000..454b96c
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION validate some uses of capabilties.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ capability,
+}
--
1.7.9
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
