[apparmor] [PATCH 07/13] Make expressing all capabilities easier

John Johansen john.johansen at canonical.com
Tue Feb 14 17:32:29 UTC 2012


Allow the capability rule to be bare, so that it represents all capabilities,
similar to how network and other rule types work.

  capability,

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser_yacc.y                        |   18 +++++++-----------
 parser/tst/simple_tests/capability/bad_3.sd |    9 +++++++++
 parser/tst/simple_tests/capability/bad_4.sd |    9 +++++++++
 parser/tst/simple_tests/capability/ok3.sd   |    9 +++++++++
 4 files changed, 34 insertions(+), 11 deletions(-)
 create mode 100644 parser/tst/simple_tests/capability/bad_3.sd
 create mode 100644 parser/tst/simple_tests/capability/bad_4.sd
 create mode 100644 parser/tst/simple_tests/capability/ok3.sd

diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index 2a4fa5d..fff7e23 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -1057,10 +1057,15 @@ set_caps:	TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
 
 capability:	TOK_CAPABILITY caps TOK_END_OF_RULE
 	{
-		$$ = $2;
+		if ($2 == 0) {
+			/* bare capability keyword - set all caps */
+			$$ = 0xffffffffffffffff;
+		} else
+			$$ = $2;
 	};
 
-caps: caps TOK_ID
+caps: { /* nothing */ $$ = 0; }
+	| caps TOK_ID
 	{
 		int cap = name_to_capability($2);
 		if (cap == -1)
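Review bot: The empty `caps` alternative added at L40 is also consumed by `set_caps`, whose header is visible at L27 but whose action lies outside this hunk, so `set capability,` now parses and, as far as the hunk shows, receives an all-zero mask rather than the all-caps mask the bare `capability,` form gets; either give set_caps the same treatment or reject an empty list there, otherwise a typo silently turns into a no-op. The all-ones literal at L34 deserves a name and a comment, e.g. `$$ = ($2 == 0) ? ALL_CAPS_MASK : $2; /* bare "capability," grants every capability bit, including ones the running kernel may not define */` with `#define ALL_CAPS_MASK 0xffffffffffffffffULL` placed next to CAP_TO_MASK, which would also remove the braced-if/unbraced-else mismatch at L35. A bare rule grants every capability, which is a very broad privilege for a confinement profile, yet the diffstat shows no apparmor.d man page change, so the new syntax and its meaning should be documented alongside this patch. The `caps` action that starts at L41 continues into the next hunk.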
@@ -1069,15 +1074,6 @@ caps: caps TOK_ID
 		$$ = $1 | CAP_TO_MASK(cap);
 	}
 
-caps: TOK_ID
-	{
-		int cap = name_to_capability($1);
-		if (cap == -1)
-			yyerror(_("Invalid capability %s."), $1);
-		free($1);
-		$$ = CAP_TO_MASK(cap);
-	};
-
 %%
 #define MAXBUFSIZE 4096
 
diff --git a/parser/tst/simple_tests/capability/bad_3.sd b/parser/tst/simple_tests/capability/bad_3.sd
new file mode 100644
index 0000000..00e4f4b
--- /dev/null
+++ b/parser/tst/simple_tests/capability/bad_3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION fail CAP_XXX syntax.
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  capability chown CAP_CHOWN,
+}
diff --git a/parser/tst/simple_tests/capability/bad_4.sd b/parser/tst/simple_tests/capability/bad_4.sd
new file mode 100644
index 0000000..502c74a
--- /dev/null
+++ b/parser/tst/simple_tests/capability/bad_4.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION fail unknown keyword
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  capability chown foobar,
+}
diff --git a/parser/tst/simple_tests/capability/ok3.sd b/parser/tst/simple_tests/capability/ok3.sd
new file mode 100644
index 0000000..454b96c
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION validate some uses of capabilties.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+	capability,
+}
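Review bot: This fixture only proves that `capability,` parses; if the harness judges the file by its EXRESULT header alone, as the header suggests, it would pass equally were the bare rule to produce an empty mask, so nothing here pins the all-capabilities semantics the parser change introduces. Consider pairing it with whatever output inspection the parser test tree offers, and with a `set capability,` case, since that form now also parses through the shared `caps` nonterminal. The DESCRIPTION line spells `capabilties`, and the rule is indented with a tab where the sibling fixtures use two spaces.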
-- 
1.7.9



