[apparmor] [PATCH 05/14] Fix: variable expansion for link target

John Johansen Thu, 04 Jun 2015 03:58:10 -0700

link rules with a variable in the link target, eg.
   link /foo -> @{var},


do not currently have the variable expanded

Signed-off-by: John Johansen <[email protected]>
---
 parser/parser_variable.c                                      |  5 +++++
 parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd       | 10 ++++++++++
 parser/tst/simple_tests/file/var1_ok_deny_link.sd             | 10 ++++++++++
 parser/tst/simple_tests/file/var1_ok_link_1.sd                | 11 +++++++++++
 parser/tst/simple_tests/file/var1_ok_link_2.sd                | 11 +++++++++++
 parser/tst/simple_tests/file/var1_ok_link_3.sd                | 11 +++++++++++
 parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd   | 10 ++++++++++
 parser/tst/simple_tests/file/var1_src_ok_deny_link.sd         | 10 ++++++++++
 parser/tst/simple_tests/file/var1_src_ok_link_1.sd            | 11 +++++++++++
 parser/tst/simple_tests/file/var1_src_ok_link_2.sd            | 11 +++++++++++
 parser/tst/simple_tests/file/var1_src_ok_link_3.sd            | 11 +++++++++++
 .../tst/simple_tests/file/var1_target_ok_audit_deny_link.sd   | 10 ++++++++++
 parser/tst/simple_tests/file/var1_target_ok_deny_link.sd      | 10 ++++++++++
 parser/tst/simple_tests/file/var1_target_ok_link_1.sd         | 11 +++++++++++
 parser/tst/simple_tests/file/var1_target_ok_link_2.sd         | 11 +++++++++++
 parser/tst/simple_tests/file/var1_target_ok_link_3.sd         | 11 +++++++++++
 parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd       | 10 ++++++++++
 parser/tst/simple_tests/file/var2_ok_deny_link.sd             | 10 ++++++++++
 parser/tst/simple_tests/file/var2_ok_link_1.sd                | 11 +++++++++++
 parser/tst/simple_tests/file/var2_ok_link_2.sd                | 11 +++++++++++
 parser/tst/simple_tests/file/var2_ok_link_3.sd                | 11 +++++++++++
 parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd   | 10 ++++++++++
 parser/tst/simple_tests/file/var2_src_ok_deny_link.sd         | 10 ++++++++++
 parser/tst/simple_tests/file/var2_src_ok_link_1.sd            | 11 +++++++++++
 parser/tst/simple_tests/file/var2_src_ok_link_2.sd            | 11 +++++++++++
 parser/tst/simple_tests/file/var2_src_ok_link_3.sd            | 11 +++++++++++
 .../tst/simple_tests/file/var2_target_ok_audit_deny_link.sd   | 10 ++++++++++
 parser/tst/simple_tests/file/var2_target_ok_deny_link.sd      | 10 ++++++++++
 parser/tst/simple_tests/file/var2_target_ok_link_1.sd         | 11 +++++++++++
 parser/tst/simple_tests/file/var2_target_ok_link_2.sd         | 11 +++++++++++
 parser/tst/simple_tests/file/var2_target_ok_link_3.sd         | 11 +++++++++++
 31 files changed, 323 insertions(+)
 create mode 100644 parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var1_ok_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var1_ok_link_1.sd
 create mode 100644 parser/tst/simple_tests/file/var1_ok_link_2.sd
 create mode 100644 parser/tst/simple_tests/file/var1_ok_link_3.sd
 create mode 100644 parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var1_src_ok_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var1_src_ok_link_1.sd
 create mode 100644 parser/tst/simple_tests/file/var1_src_ok_link_2.sd
 create mode 100644 parser/tst/simple_tests/file/var1_src_ok_link_3.sd
 create mode 100644 
parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var1_target_ok_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var1_target_ok_link_1.sd
 create mode 100644 parser/tst/simple_tests/file/var1_target_ok_link_2.sd
 create mode 100644 parser/tst/simple_tests/file/var1_target_ok_link_3.sd
 create mode 100644 parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var2_ok_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var2_ok_link_1.sd
 create mode 100644 parser/tst/simple_tests/file/var2_ok_link_2.sd
 create mode 100644 parser/tst/simple_tests/file/var2_ok_link_3.sd
 create mode 100644 parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var2_src_ok_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var2_src_ok_link_1.sd
 create mode 100644 parser/tst/simple_tests/file/var2_src_ok_link_2.sd
 create mode 100644 parser/tst/simple_tests/file/var2_src_ok_link_3.sd
 create mode 100644 
parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var2_target_ok_deny_link.sd
 create mode 100644 parser/tst/simple_tests/file/var2_target_ok_link_1.sd
 create mode 100644 parser/tst/simple_tests/file/var2_target_ok_link_2.sd
 create mode 100644 parser/tst/simple_tests/file/var2_target_ok_link_3.sd

diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index e1f6543..ac334dc 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -254,6 +254,11 @@ static int process_variables_in_entries(struct cod_entry 
*entry_list)
                error = expand_entry_variables(&entry->name);
                if (error)
                        return error;
+               if (entry->link_name) {
+                       error = expand_entry_variables(&entry->link_name);
+                       if (error)
+                               return error;
+               }
        }
 
        return 0;
diff --git a/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd 
b/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd
new file mode 100644
index 0000000..e806a20
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link @{var} -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_deny_link.sd 
b/parser/tst/simple_tests/file/var1_ok_deny_link.sd
new file mode 100644
index 0000000..8074a4e
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link @{var} -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_1.sd 
b/parser/tst/simple_tests/file/var1_ok_link_1.sd
new file mode 100644
index 0000000..9ea1db0
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  @{var} rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_2.sd 
b/parser/tst/simple_tests/file/var1_ok_link_2.sd
new file mode 100644
index 0000000..fae61f6
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link @{var} -> @{var},
+  @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_3.sd 
b/parser/tst/simple_tests/file/var1_ok_link_3.sd
new file mode 100644
index 0000000..3dccf98
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset @{var} -> @{var},
+  @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd 
b/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd
new file mode 100644
index 0000000..03f2600
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link @{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd 
b/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd
new file mode 100644
index 0000000..063c6ed
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link @{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_1.sd 
b/parser/tst/simple_tests/file/var1_src_ok_link_1.sd
new file mode 100644
index 0000000..9ea1db0
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  @{var} rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_2.sd 
b/parser/tst/simple_tests/file/var1_src_ok_link_2.sd
new file mode 100644
index 0000000..d02822c
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link @{var} -> /tmp/**,
+  /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_3.sd 
b/parser/tst/simple_tests/file/var1_src_ok_link_3.sd
new file mode 100644
index 0000000..c48af60
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset @{var} -> /tmp/**,
+  /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd 
b/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd
new file mode 100644
index 0000000..9c5a08c
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link /alpha/beta -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd 
b/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd
new file mode 100644
index 0000000..03c4bb6
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link /alpha/beta -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_1.sd 
b/parser/tst/simple_tests/file/var1_target_ok_link_1.sd
new file mode 100644
index 0000000..7841cb3
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  /alpha/beta rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_2.sd 
b/parser/tst/simple_tests/file/var1_target_ok_link_2.sd
new file mode 100644
index 0000000..219a56e
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link /alpha/beta -> @{var},
+  @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_3.sd 
b/parser/tst/simple_tests/file/var1_target_ok_link_3.sd
new file mode 100644
index 0000000..aecf731
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset /alpha/beta -> @{var},
+  @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd 
b/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd
new file mode 100644
index 0000000..3f7211b
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link /foo@{var} -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_deny_link.sd 
b/parser/tst/simple_tests/file/var2_ok_deny_link.sd
new file mode 100644
index 0000000..eed94b9
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link /foo@{var} -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_1.sd 
b/parser/tst/simple_tests/file/var2_ok_link_1.sd
new file mode 100644
index 0000000..fe1b2dc
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  /foo@{var} rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_2.sd 
b/parser/tst/simple_tests/file/var2_ok_link_2.sd
new file mode 100644
index 0000000..7d496b9
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link /foo@{var} -> /foo@{var},
+  /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_3.sd 
b/parser/tst/simple_tests/file/var2_ok_link_3.sd
new file mode 100644
index 0000000..026b8aa
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset /foo@{var} -> /foo@{var},
+  /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd 
b/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd
new file mode 100644
index 0000000..2d880b1
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link /foo@{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd 
b/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd
new file mode 100644
index 0000000..a6c4bac
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link /foo@{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_1.sd 
b/parser/tst/simple_tests/file/var2_src_ok_link_1.sd
new file mode 100644
index 0000000..fe1b2dc
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  /foo@{var} rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_2.sd 
b/parser/tst/simple_tests/file/var2_src_ok_link_2.sd
new file mode 100644
index 0000000..5bc6ef8
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link /foo@{var} -> /tmp/**,
+  /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_3.sd 
b/parser/tst/simple_tests/file/var2_src_ok_link_3.sd
new file mode 100644
index 0000000..0bdd95f
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset /foo@{var} -> /tmp/**,
+  /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd 
b/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd
new file mode 100644
index 0000000..675c3e8
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  audit deny link /alpha/beta -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd 
b/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd
new file mode 100644
index 0000000..8332124
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  deny link /alpha/beta -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_1.sd 
b/parser/tst/simple_tests/file/var2_target_ok_link_1.sd
new file mode 100644
index 0000000..7841cb3
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  /alpha/beta rl,
+  /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_2.sd 
b/parser/tst/simple_tests/file/var2_target_ok_link_2.sd
new file mode 100644
index 0000000..5ca93a7
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link /alpha/beta -> /foo@{var},
+  /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_3.sd 
b/parser/tst/simple_tests/file/var2_target_ok_link_3.sd
new file mode 100644
index 0000000..db36600
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+  link subset /alpha/beta -> /foo@{var},
+  /foo@{var} r,
+}
+
-- 
2.1.4


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] [PATCH 05/14] Fix: variable expansion for link target

Reply via email to