[apparmor] [PATCH 01/11] Merge profile and :namespace:profile parsing into a single rule. This also fixes a bug where the profile keyword was not allowed to precede profiles with a namespace declaration.
John Johansen
john.johansen at canonical.com
Tue Dec 14 08:58:38 GMT 2010
---
parser/parser.h | 1 +
parser/parser_alias.c | 10 ++-
parser/parser_policy.c | 2 +
parser/parser_regex.c | 7 +-
parser/parser_yacc.y | 18 ++-
.../profile/local/local_named_profile_ok1.sd | 40 ++++++
.../profile/local/local_named_profiles_ok1.sd | 26 ++++
.../profile/local/local_named_profiles_ok2.sd | 36 ++++++
.../profile/profile_basic_named_ok1.sd | 19 +++
.../simple_tests/profile/profile_ns_named_ok1.sd | 30 +++++
.../simple_tests/profile/profile_ns_named_ok2.sd | 34 +++++
.../simple_tests/profile/profile_ns_named_ok3.sd | 61 ++++++++++
parser/tst/simple_tests/profile/re_named_ok1.sd | 66 ++++++++++
parser/tst/simple_tests/profile/re_named_ok2.sd | 127 ++++++++++++++++++++
parser/tst/simple_tests/profile/re_named_ok3.sd | 127 ++++++++++++++++++++
parser/tst/simple_tests/profile/re_named_ok4.sd | 127 ++++++++++++++++++++
parser/tst/simple_tests/profile/re_named_ok5.sd | 127 ++++++++++++++++++++
.../profile/simple_named_ok_no_rules.sd | 25 ++++
18 files changed, 875 insertions(+), 8 deletions(-)
create mode 100644 parser/tst/simple_tests/profile/local/local_named_profile_ok1.sd
create mode 100644 parser/tst/simple_tests/profile/local/local_named_profiles_ok1.sd
create mode 100644 parser/tst/simple_tests/profile/local/local_named_profiles_ok2.sd
create mode 100644 parser/tst/simple_tests/profile/profile_basic_named_ok1.sd
create mode 100644 parser/tst/simple_tests/profile/profile_ns_named_ok1.sd
create mode 100644 parser/tst/simple_tests/profile/profile_ns_named_ok2.sd
create mode 100644 parser/tst/simple_tests/profile/profile_ns_named_ok3.sd
create mode 100644 parser/tst/simple_tests/profile/re_named_ok1.sd
create mode 100644 parser/tst/simple_tests/profile/re_named_ok2.sd
create mode 100644 parser/tst/simple_tests/profile/re_named_ok3.sd
create mode 100644 parser/tst/simple_tests/profile/re_named_ok4.sd
create mode 100644 parser/tst/simple_tests/profile/re_named_ok5.sd
create mode 100644 parser/tst/simple_tests/profile/simple_named_ok_no_rules.sd
diff --git a/parser/parser.h b/parser/parser.h
index 03db29d..0eed1d8 100644
--- a/parser/parser.h
+++ b/parser/parser.h
@@ -88,6 +88,7 @@ struct alt_name {
struct codomain {
char *namespace;
char *name; /* codomain name */
+ char *attachment;
struct alt_name *altnames;
void *xmatch;
size_t xmatch_size;
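Review bot: The new `attachment` member has no comment, although the `name` member just above it does, and its relation to `name` is not obvious from the struct alone. Judging from the other hunks in this patch, it holds the optional path pattern a named profile attaches to, is NULL when the name itself is used for attachment, and is released in free_policy(). A one-line comment would record that, e.g. `char *attachment; /* optional attach pattern; NULL => match on name */`. The struct definition starts and ends outside the hunk.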
diff --git a/parser/parser_alias.c b/parser/parser_alias.c
index 81c65fb..d25d5c4 100644
--- a/parser/parser_alias.c
+++ b/parser/parser_alias.c
@@ -159,6 +159,7 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
{
struct alias_rule **t = (struct alias_rule **) nodep;
struct codomain *cod = target_cod;
+ char *name;
int len;
if (value == preorder || value == endorder)
@@ -166,9 +167,14 @@ static void process_name(const void *nodep, VISIT value, int __unused level)
len = strlen((*t)->from);
- if (cod->name && strncmp((*t)->from, cod->name, len) == 0) {
+ if (cod->attachment)
+ name = cod->attachment;
+ else
+ name = cod->name;
+
+ if (name && strncmp((*t)->from, name, len) == 0) {
struct alt_name *alt;
- char *new = do_alias(*t, cod->name);
+ char *new = do_alias(*t, name);
if (!new)
return;
/* aliases create alternate names */
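Review bot: The new `if (cod->attachment) ... else ...` selection changes which string the alias rules are applied to, but nothing says why the attachment takes priority over the profile name. A short comment above it would help, for example `/* aliases rewrite the path a profile attaches to, so prefer the explicit attachment */` (presumably the intent; confirm with the author). The four lines could also be written as `name = cod->attachment ? cod->attachment : cod->name;`. The declaration of `name` sits in the previous hunk, and the body of process_name continues outside this one.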
diff --git a/parser/parser_policy.c b/parser/parser_policy.c
index b218d86..5fe777a 100644
--- a/parser/parser_policy.c
+++ b/parser/parser_policy.c
@@ -736,6 +736,8 @@ void free_policy(struct codomain *cod)
free(cod->dfa);
if (cod->name)
free(cod->name);
+ if (cod->attachment)
+ free(cod->attachment);
if (cod->namespace)
free(cod->namespace);
if (cod->network_allowed)
diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index d43138a..f38ea4f 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -388,14 +388,17 @@ static int process_profile_name_xmatch(struct codomain *cod)
const char *name;
/* don't filter_slashes for profile names */
- name = local_name(cod->name);
+ if (cod->attachment)
+ name = cod->attachment;
+ else
+ name = local_name(cod->name);
ptype = convert_aaregex_to_pcre(name, 0, tbuf, PATH_MAX + 3,
&cod->xmatch_len);
if (ptype == ePatternInvalid) {
PERROR(_("%s: Invalid profile name '%s' - bad regular expression\n"), progname, name);
return FALSE;
- } else if (ptype == ePatternBasic && !cod->altnames) {
+ } else if (ptype == ePatternBasic && !(cod->altnames || cod->attachment)) {
/* no regex so do not set xmatch */
cod->xmatch = NULL;
cod->xmatch_len = 0;
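Review bot: When `cod->attachment` is set, the PERROR call still reports `Invalid profile name '%s'` while printing the attachment, so a user with a bad attachment pattern is pointed at the wrong token. The attachment is what the xmatch is built from here, so the diagnostic should name it, e.g. `PERROR(_("%s: Invalid profile attachment '%s' - bad regular expression\n"), progname, name);` in the attachment case. The comment `/* no regex so do not set xmatch */` is also incomplete now that the branch is skipped for a literal attachment; it could read `/* plain name with no altnames or attachment: no xmatch needed */`. process_profile_name_xmatch starts and ends outside the hunk.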
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index c5482c0..f04e923 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -190,6 +190,7 @@ void add_local_entry(struct codomain *cod);
%type <boolean> opt_owner_flag
%type <boolean> opt_profile_flag
%type <id> opt_namespace
+%type <id> opt_id
%type <transition> opt_named_transition
%%
@@ -213,22 +214,31 @@ opt_profile_flag: { /* nothing */ $$ = 0; }
opt_namespace: { /* nothing */ $$ = NULL; }
| TOK_COLON TOK_ID TOK_COLON { $$ = $2; }
-profile_base: TOK_ID flags TOK_OPEN rules TOK_CLOSE
+opt_id: { /* nothing */ $$ = NULL; }
+ | TOK_ID { $$ = $1; }
+
+profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
{
- struct codomain *cod = $4;
+ struct codomain *cod = $5;
if (!cod) {
yyerror(_("Memory allocation error."));
}
cod->name = $1;
- cod->flags = $2;
+ cod->attachment = $2;
+ if ($2 && $2[0] != '/')
+ /* we don't support variables as part of the profile
+ * name or attachment atm
+ */
+ yyerror(_("Profile attachment must begin with a '/'."));
+ cod->flags = $3;
if (force_complain)
cod->flags.complain = 1;
post_process_nt_entries(cod);
PDEBUG("%s: flags='%s%s'\n",
- $2,
+ $3,
cod->flags.complain ? "complain, " : "",
cod->flags.audit ? "audit" : "");
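Review bot: The PDEBUG call passes `$3` to the first `%s`, but `$3` is the flags value assigned to `cod->flags` a few statements earlier, not a string; the renumbering from `$2` carried the old mismatch over. The profile name looks like what was meant, i.e. `$1,` (or `cod->name`) as the first argument. This only bites in builds where PDEBUG expands to a real printf-style call, which is not visible here. The action block continues past the end of the hunk.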
diff --git a/parser/tst/simple_tests/profile/local/local_named_profile_ok1.sd b/parser/tst/simple_tests/profile/local/local_named_profile_ok1.sd
new file mode 100644
index 0000000..7d535d0
--- /dev/null
+++ b/parser/tst/simple_tests/profile/local/local_named_profile_ok1.sd
@@ -0,0 +1,40 @@
+#
+#=DESCRIPTION simple local (interior) named profile cases
+#=EXRESULT PASS
+#
+/does/not/exist {
+
+ /foo rw,
+ /foo/** rw,
+
+ rw /bar,
+ rw /bar/**,
+
+ profile /bin/grep {
+ /one rw,
+ /one/** rw,
+
+ rw /two,
+ rw /two/**,
+ }
+
+ hat GREP {
+
+ /one r,
+ /one/** r,
+
+ r /two,
+ r /two/**,
+ }
+
+ profile true /bin/true {
+ /three rw,
+ /three/** rw,
+
+ rw /four,
+ rw /four/**,
+ }
+
+ profile false /bin/false {
+ }
+}
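Review bot: Every case in this file, and in the other .sd files this patch adds, is `#=EXRESULT PASS`, so the new rejection in parser_yacc.y (`Profile attachment must begin with a '/'.`) is never exercised. A companion file marked `#=EXRESULT FAIL` with a constructed case such as `profile true bin/true { }` would pin that check. A second failing case that uses a variable as the attachment would document the limitation mentioned in the grammar comment.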
diff --git a/parser/tst/simple_tests/profile/local/local_named_profiles_ok1.sd b/parser/tst/simple_tests/profile/local/local_named_profiles_ok1.sd
new file mode 100644
index 0000000..1b41aa0
--- /dev/null
+++ b/parser/tst/simple_tests/profile/local/local_named_profiles_ok1.sd
@@ -0,0 +1,26 @@
+#
+# $Id$
+#=DESCRIPTION Basic parsing test of local (internal) profiles
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+
+ profile grep /bin/grep {
+ #include <includes/base>
+
+ /bin/grep r,
+ /tmp/shmeegol rwm,
+ }
+}
+
diff --git a/parser/tst/simple_tests/profile/local/local_named_profiles_ok2.sd b/parser/tst/simple_tests/profile/local/local_named_profiles_ok2.sd
new file mode 100644
index 0000000..f1aafea
--- /dev/null
+++ b/parser/tst/simple_tests/profile/local/local_named_profiles_ok2.sd
@@ -0,0 +1,36 @@
+#
+# $Id$
+#=DESCRIPTION More basic parsing test of local (internal) profiles
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+
+ profile grep /bin/grep {
+ #include <includes/base>
+
+ /bin/grep r,
+ /tmp/shmeegol rwm,
+ }
+
+ capability setuid,
+
+ profile cat /bin/cat {
+ #include <includes/base>
+
+ /bin/cat r,
+ /tmp/shmeegol w,
+ }
+
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+}
+
diff --git a/parser/tst/simple_tests/profile/profile_basic_named_ok1.sd b/parser/tst/simple_tests/profile/profile_basic_named_ok1.sd
new file mode 100644
index 0000000..d81a521
--- /dev/null
+++ b/parser/tst/simple_tests/profile/profile_basic_named_ok1.sd
@@ -0,0 +1,19 @@
+#
+# $Id$
+#=DESCRIPTION Basic parsing test, name profile duplicate mode bits
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+profile exist /does/not/exist {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
diff --git a/parser/tst/simple_tests/profile/profile_ns_named_ok1.sd b/parser/tst/simple_tests/profile/profile_ns_named_ok1.sd
new file mode 100644
index 0000000..0a21e7e
--- /dev/null
+++ b/parser/tst/simple_tests/profile/profile_ns_named_ok1.sd
@@ -0,0 +1,30 @@
+#
+# $Id$
+#=DESCRIPTION Basic namespace test wit named profile, duplicate mode bits
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+:foo:exist /does/not/exist {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile :foo:exist2 /does/not/exist2 {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
diff --git a/parser/tst/simple_tests/profile/profile_ns_named_ok2.sd b/parser/tst/simple_tests/profile/profile_ns_named_ok2.sd
new file mode 100644
index 0000000..b517272
--- /dev/null
+++ b/parser/tst/simple_tests/profile/profile_ns_named_ok2.sd
@@ -0,0 +1,34 @@
+#
+# $Id$
+#=DESCRIPTION same named profile different namespaces test, duplicate mode bits
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+profile exist /does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
+:foo:exist /does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
+profile :bar:exist /does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
diff --git a/parser/tst/simple_tests/profile/profile_ns_named_ok3.sd b/parser/tst/simple_tests/profile/profile_ns_named_ok3.sd
new file mode 100644
index 0000000..7d2f416
--- /dev/null
+++ b/parser/tst/simple_tests/profile/profile_ns_named_ok3.sd
@@ -0,0 +1,61 @@
+#
+# $Id$
+#=DESCRIPTION same named profile mixed with unnamed same attach different namespaces test,
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+profile /does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
+:foo:/does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
+profile :bar:/does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
+profile exist /does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
+:foo:exist /does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
+profile :bar:exist /does/not/exist {
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+}
+
diff --git a/parser/tst/simple_tests/profile/re_named_ok1.sd b/parser/tst/simple_tests/profile/re_named_ok1.sd
new file mode 100644
index 0000000..733cdb1
--- /dev/null
+++ b/parser/tst/simple_tests/profile/re_named_ok1.sd
@@ -0,0 +1,66 @@
+#
+# $Id$
+#=DESCRIPTION Basic test that named profiles with re attachment are allowed
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+profile one /** {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile two /* {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile three /? {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile four /[ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile five /[^ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
diff --git a/parser/tst/simple_tests/profile/re_named_ok2.sd b/parser/tst/simple_tests/profile/re_named_ok2.sd
new file mode 100644
index 0000000..e8673e9
--- /dev/null
+++ b/parser/tst/simple_tests/profile/re_named_ok2.sd
@@ -0,0 +1,127 @@
+#
+# $Id$
+#=DESCRIPTION Basic test that named re local profile names are allowed
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/foo//local1 /** {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+/foo//local2 /* {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+/foo//local3 /? {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+/foo//local4 /[ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+/foo//local5 /[^ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile foo//local6 /** {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile foo//local7 /* {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile foo//local8 /? {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile foo//local9 /[ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile foo//local10 /[^ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
diff --git a/parser/tst/simple_tests/profile/re_named_ok3.sd b/parser/tst/simple_tests/profile/re_named_ok3.sd
new file mode 100644
index 0000000..45b2677
--- /dev/null
+++ b/parser/tst/simple_tests/profile/re_named_ok3.sd
@@ -0,0 +1,127 @@
+#
+# $Id$
+#=DESCRIPTION Basic test that named re profile names are allowed in quotes
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+profile one "/ **" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile two "/ *" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile three "/ ?" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile four "/ [ab]" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile five "/ [^ab]" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile six "/ **" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile seven "/ *" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile eight "/ ?" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile nine "/ [ab]" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile ten "/ [^ab]" {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
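Review bot: Profiles `six` through `ten` repeat the quoted attachments of `one` through `five` character for character, so the second half of the file adds no coverage beyond a different profile name. The same holds for re_named_ok5.sd, where the sixth profile is also spelled `size`, which looks like a typo for `six`. In re_named_ok2.sd and re_named_ok4.sd the two halves differ in whether the `profile` keyword is present; here both halves use it. Either make the second half differ in a way that matters to the parser or drop it.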
diff --git a/parser/tst/simple_tests/profile/re_named_ok4.sd b/parser/tst/simple_tests/profile/re_named_ok4.sd
new file mode 100644
index 0000000..ffa8d41
--- /dev/null
+++ b/parser/tst/simple_tests/profile/re_named_ok4.sd
@@ -0,0 +1,127 @@
+#
+# $Id$
+#=DESCRIPTION Basic test that re profile names are allowed after :ns:
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+:ns:one /** {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+:ns:two /* {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+:ns:three /? {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+:ns:four /[ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+:ns:five /[^ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile :ns:six /** {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile :ns:seven /* {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile :ns:eight /? {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile :ns:nine /[ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile :ns:ten /[^ab] {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
diff --git a/parser/tst/simple_tests/profile/re_named_ok5.sd b/parser/tst/simple_tests/profile/re_named_ok5.sd
new file mode 100644
index 0000000..cfda146
--- /dev/null
+++ b/parser/tst/simple_tests/profile/re_named_ok5.sd
@@ -0,0 +1,127 @@
+#
+# $Id$
+#=DESCRIPTION Basic test that re profile names are allowed that aren't trailing
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+profile one /**a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile two /*a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile three /?a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile four /[ab]a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile five /[^ab]a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile size /**a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile seven /*a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile eight /?a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile nine /[ab]a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
+profile ten /[^ab]a {
+ #include <includes/base>
+
+ /usr/X11R6/lib/lib*so* rrr,
+ /does/not/exist r,
+ /var/log/messages www,
+ /tmp/sd*.foo rwrwwrll,
+ /bin/cat pxpxpxpxpx,
+ /bin/ls ixixixix,
+ /bin/echo uxuxuxuxux,
+}
+
diff --git a/parser/tst/simple_tests/profile/simple_named_ok_no_rules.sd b/parser/tst/simple_tests/profile/simple_named_ok_no_rules.sd
new file mode 100644
index 0000000..f963507
--- /dev/null
+++ b/parser/tst/simple_tests/profile/simple_named_ok_no_rules.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION simple syntax test -- no actual rules.
+#=EXRESULT PASS
+#
+profile noexist /does/not/exist {
+}
+
+profile noexist2 /does/not/exist2 {
+ ^hat1 {
+ }
+
+ ^hat2 {
+ }
+}
+
+profile noexist3 /does/not/exist {
+}
+
+profile noexist4 /does/not/exist2 {
+ ^hat1 {
+ }
+
+ ^hat2 {
+ }
+}
--
1.7.1