On Sun, Jul 21, 2013 at 10:32:46PM -0700, John Johansen wrote:
> let allow be used as a prefix in place of deny. Allow is the default
> and is implicit so it is not needed but some users keep tripping over
> it, and it makes the language more symmetric
>
> eg.
> /foo rw,
> allow /foo rw,
> deny /foo rw,
>
Makes sense. Even if it doesn't feel too useful, I do like symmetry. :)

I didn't see any EXRESULT FAIL tests for:

allow deny capability,
allow deny file,
allow deny network,
...
deny allow capability,
deny allow file,
deny allow network,
...

And one small comment in the tests...
> Signed-off-by: John Johansen <[email protected]> > --- > parser/parser_misc.c | 1 + > parser/parser_yacc.y | 2 + > parser/tst/simple_tests/capability/ok_allow1.sd | 156 ++++++++++++++++++++ > parser/tst/simple_tests/capability/ok_allow2.sd | 160 > +++++++++++++++++++++ > parser/tst/simple_tests/capability/ok_allow3.sd | 9 ++ > parser/tst/simple_tests/file/allow/ok_1.sd | 7 + > parser/tst/simple_tests/file/allow/ok_3.sd | 9 ++ > parser/tst/simple_tests/file/allow/ok_append_1.sd | 13 ++ > parser/tst/simple_tests/file/allow/ok_carat_1.sd | 7 + > parser/tst/simple_tests/file/allow/ok_carat_2.sd | 7 + > parser/tst/simple_tests/file/allow/ok_comma_1.sd | 7 + > parser/tst/simple_tests/file/allow/ok_comma_2.sd | 7 + > .../file/allow/ok_embedded_spaces_1.sd | 6 + > .../file/allow/ok_embedded_spaces_2.sd | 6 + > .../file/allow/ok_embedded_spaces_3.sd | 6 + > .../simple_tests/file/allow/ok_inv_char_class.sd | 7 + > parser/tst/simple_tests/file/allow/ok_lock_1.sd | 17 +++ > parser/tst/simple_tests/file/allow/ok_mmap_1.sd | 12 ++ > parser/tst/simple_tests/file/allow/ok_mmap_2.sd | 14 ++ > 19 files changed, 453 insertions(+) > create mode 100644 parser/tst/simple_tests/capability/ok_allow1.sd > create mode 100644 parser/tst/simple_tests/capability/ok_allow2.sd > create mode 100644 parser/tst/simple_tests/capability/ok_allow3.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_1.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_3.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_append_1.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_1.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_2.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_1.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_2.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd > create mode 100644 
parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_inv_char_class.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_lock_1.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_1.sd > create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_2.sd > > diff --git a/parser/parser_misc.c b/parser/parser_misc.c > index 5f211b9..8f52e6c 100644 > --- a/parser/parser_misc.c > +++ b/parser/parser_misc.c > @@ -73,6 +73,7 @@ static struct keyword_table keyword_table[] = { > {"subset", TOK_SUBSET}, > {"audit", TOK_AUDIT}, > {"deny", TOK_DENY}, > + {"allow", TOK_ALLOW}, > {"set", TOK_SET}, > {"rlimit", TOK_RLIMIT}, > {"alias", TOK_ALIAS}, > diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y > index 27e6c58..c249b01 100644 > --- a/parser/parser_yacc.y > +++ b/parser/parser_yacc.y > @@ -110,6 +110,7 @@ void add_local_entry(struct codomain *cod); > %token TOK_SUBSET > %token TOK_AUDIT > %token TOK_DENY > +%token TOK_ALLOW > %token TOK_PROFILE > %token TOK_SET > %token TOK_ALIAS > @@ -502,6 +503,7 @@ opt_owner_flag: { /* nothing */ $$ = 0; } > | TOK_OTHER { $$ = 2; }; > > opt_deny: { /* nothing */ $$ = 0; } > + | TOK_ALLOW { $$ = 0; } > | TOK_DENY { $$ = 1; } > > opt_prefix: opt_audit_flag opt_deny opt_owner_flag > diff --git a/parser/tst/simple_tests/capability/ok_allow1.sd > b/parser/tst/simple_tests/capability/ok_allow1.sd > new file mode 100644 > index 0000000..57eeb3e > --- /dev/null > +++ b/parser/tst/simple_tests/capability/ok_allow1.sd 
> @@ -0,0 +1,156 @@ > +# > +#=DESCRIPTION validate some uses of capabilties. > +#=EXRESULT PASS > +# vim:syntax=subdomain > +# Last Modified: Sun Apr 17 19:44:44 2005 > +# > +/does/not/exist { > + allow capability chown, > + allow capability dac_override, > + allow capability dac_read_search, > + allow capability fowner, > + allow capability fsetid, > + allow capability kill, > + allow capability setgid, > + allow capability setuid, > + allow capability setpcap, > + allow capability linux_immutable, > + allow capability net_bind_service, > + allow capability net_broadcast, > + allow capability net_admin, > + allow capability net_raw, > + allow capability ipc_lock, > + allow capability ipc_owner, > + allow capability sys_module, > + allow capability sys_rawio, > + allow capability sys_chroot, > + allow capability sys_ptrace, > + allow capability sys_pacct, > + allow capability sys_admin, > + allow capability sys_boot, > + allow capability sys_nice, > + allow capability sys_resource, > + allow capability sys_time, > + allow capability sys_tty_config, > + allow capability mknod, > + allow capability lease, > + allow capability audit_write, > + allow capability audit_control, > + allow capability setfcap, > + allow capability mac_override, > +} > + > +/does/not/exist2 { > + ^chown { > + allow capability chown, > + } > + ^dac_override { > + allow capability dac_override, > + } > + ^dac_read_search { > + allow capability dac_read_search, > + } > + ^fowner { > + allow capability fowner, > + } > + ^fsetid { > + allow capability fsetid, > + } > + ^kill { > + allow capability kill, > + } > + ^setgid { > + allow capability setgid, > + } > + ^setuid { > + allow capability setuid, > + } > + ^setpcap { > + allow capability setpcap, > + } > + ^linux_immutable { > + allow capability linux_immutable, > + } > + ^net_bind_service { > + allow capability net_bind_service, > + } > + ^net_broadcast { > + allow capability net_broadcast, > + } > + ^net_admin { > + allow capability 
net_admin, > + } > + ^net_raw { > + allow capability net_raw, > + } > + ^ipc_lock { > + allow capability ipc_lock, > + } > + ^ipc_owner { > + allow capability ipc_owner, > + } > + ^sys_module { > + allow capability sys_module, > + } > + ^sys_rawio { > + allow capability sys_rawio, > + } > + ^sys_chroot { > + allow capability sys_chroot, > + } > + ^sys_ptrace { > + allow capability sys_ptrace, > + } > + ^sys_pacct { > + allow capability sys_pacct, > + } > + ^sys_admin { > + allow capability sys_admin, > + } > + ^sys_boot { > + allow capability sys_boot, > + } > + ^sys_nice { > + allow capability sys_nice, > + } > + ^sys_resource { > + allow capability sys_resource, > + } > + ^sys_time { > + allow capability sys_time, > + } > + ^sys_tty_config { > + allow capability sys_tty_config, > + } > + ^mknod { > + allow capability mknod, > + } > + ^lease { > + allow capability lease, > + } > + ^audit_write { > + allow capability audit_write, > + } > + ^audit_control { > + allow capability audit_control, > + } > +} > + > +# Test for duplicates? 
> +/does/not/exist3 { > + allow capability mknod, > + allow capability mknod, > +} > + > +/does/not/exit101 { > + allow capability chown dac_override dac_read_search fowner fsetid kill > setgid setuid setpcap linux_immutable net_bind_service net_broadcast > net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot > sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time > sys_tty_config mknod lease audit_write audit_control, > + > +} > + > +/does/not/exit102 { > + allow capability chown dac_override dac_read_search fowner fsetid kill > setgid setuid setpcap linux_immutable net_bind_service net_broadcast > net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot > sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time > sys_tty_config mknod lease audit_write audit_control, > + > + allow capability chown dac_override dac_read_search fowner fsetid kill > setgid setuid setpcap linux_immutable net_bind_service net_broadcast > net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot > sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time > sys_tty_config mknod lease audit_write audit_control, > + > +} > + > diff --git a/parser/tst/simple_tests/capability/ok_allow2.sd > b/parser/tst/simple_tests/capability/ok_allow2.sd > new file mode 100644 > index 0000000..e3ad26e > --- /dev/null > +++ b/parser/tst/simple_tests/capability/ok_allow2.sd 
> @@ -0,0 +1,160 @@ > +# > +#=DESCRIPTION validate some uses of capabilties. > +#=EXRESULT PASS > +# vim:syntax=subdomain > +# Last Modified: Sun Apr 17 19:44:44 2005 > +# > +/does/not/exist { > + audit allow capability chown, > + audit allow capability dac_override, > + audit allow capability dac_read_search, > + audit allow capability fowner, > + audit allow capability fsetid, > + audit allow capability kill, > + audit allow capability setgid, > + audit allow capability setuid, > + audit allow capability setpcap, > + audit allow capability linux_immutable, > + audit allow capability net_bind_service, > + audit allow capability net_broadcast, > + audit allow capability net_admin, > + audit allow capability net_raw, > + audit allow capability ipc_lock, > + audit allow capability ipc_owner, > + audit allow capability sys_module, > + audit allow capability sys_rawio, > + audit allow capability sys_chroot, > + audit allow capability sys_ptrace, > + audit allow capability sys_pacct, > + audit allow capability sys_admin, > + audit allow capability sys_boot, > + audit allow capability sys_nice, > + audit allow capability sys_resource, > + audit allow capability sys_time, > + audit allow capability sys_tty_config, > + audit allow capability mknod, > + audit allow capability lease, > + audit allow capability audit_write, > + audit allow capability audit_control, > + audit allow capability setfcap, > + audit allow capability mac_override, > +} > + > +/does/not/exist2 { > + ^chown { > + deny capability chown, > + } > + ^dac_override { > + deny capability dac_override, > + } > + ^dac_read_search { > + deny capability dac_read_search, > + } > + ^fowner { > + deny capability fowner, > + } > + ^fsetid { > + deny capability fsetid, > + } > + ^kill { > + deny capability kill, > + } > + ^setgid { > + deny capability setgid, > + } > + ^setuid { > + deny capability setuid, > + } > + ^setpcap { > + deny capability setpcap, > + } > + ^linux_immutable { > + deny capability 
linux_immutable, > + } > + ^net_bind_service { > + deny capability net_bind_service, > + } > + ^net_broadcast { > + deny capability net_broadcast, > + } > + ^net_admin { > + deny capability net_admin, > + } > + ^net_raw { > + deny capability net_raw, > + } > + ^ipc_lock { > + deny capability ipc_lock, > + } > + ^ipc_owner { > + deny capability ipc_owner, > + } > + ^sys_module { > + deny capability sys_module, > + } > + ^sys_rawio { > + deny capability sys_rawio, > + } > + ^sys_chroot { > + deny capability sys_chroot, > + } > + ^sys_ptrace { > + deny capability sys_ptrace, > + } > + ^sys_pacct { > + deny capability sys_pacct, > + } > + ^sys_admin { > + deny capability sys_admin, > + } > + ^sys_boot { > + deny capability sys_boot, > + } > + ^sys_nice { > + deny capability sys_nice, > + } > + ^sys_resource { > + deny capability sys_resource, > + } > + ^sys_time { > + deny capability sys_time, > + } > + ^sys_tty_config { > + deny capability sys_tty_config, > + } > + ^mknod { > + deny capability mknod, > + } > + ^lease { > + deny capability lease, > + } > + ^audit_write { > + deny capability audit_write, > + } > + ^audit_control { > + deny capability audit_control, Should all these tests really be 'deny'? Thanks
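Review bot: the keyword_table hunk in parser_misc.c reserves `allow` as a token, but the diffstat lists no documentation change to go with it; the profile syntax description in the apparmor.d man page should gain the `allow` prefix next to `deny`, stating that it is equivalent to the implicit default, so the users who "keep tripping over it" can find it. Since the table is shared across rule types, it is also worth grepping the shipped profiles for a bare `allow` used as an identifier before this lands, because such a word will now tokenize as the new keyword rather than a name.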
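Review bot: in the opt_deny hunk of parser_yacc.y, `TOK_ALLOW { $$ = 0; }` returns the same value as the empty alternative, so `allow` is purely syntactic, which is fine. Because it is an alternative of opt_deny rather than a separate flag, `allow deny /foo rw,` and `deny allow /foo rw,` both become syntax errors instead of one keyword silently winning; that is the right outcome, and it should be pinned down with EXRESULT FAIL tests for both orderings (for file, capability and network rules, as already asked in this thread) so a later grammar change cannot quietly make the combination parse. Note also that opt_prefix fixes the order as `opt_audit_flag opt_deny opt_owner_flag`, so `audit allow /foo rw,` is accepted while `allow audit /foo rw,` is rejected; a FAIL test for the reversed order documents that as well.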
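Review bot: in the ok_allow1.sd hunk, the `#=DESCRIPTION` line misspells "capabilities" as "capabilties", and the `# Last Modified: Sun Apr 17 19:44:44 2005` line looks inherited from the file this was copied from; both are worth fixing before the new file is committed. More substantively, the first profile lists `setfcap` and `mac_override`, but neither the hat-per-capability profile `/does/not/exist2` nor the combined-rule profiles `/does/not/exit101` and `/does/not/exit102` include them (and "exit" there is presumably "exist"), so the `allow` prefix on those two capabilities is only exercised in one rule form; adding them to the combined lists keeps coverage uniform across the file.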
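Review bot: the ok_allow2.sd hunk describes itself as validating uses of the new prefix, and its first profile does so with `audit allow capability`, but every rule in the `/does/not/exist2` hat section uses `deny capability`, which says nothing about `allow` at all. Unless the intent is to deliberately mix the two forms in one file, those rules should read `audit allow capability ...` or `allow capability ...`, matching the rest of the file; if mixing is intended, the `#=DESCRIPTION` line should say so. The same "capabilties" typo appears in this file's description line as in ok_allow1.sd.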
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
