[apparmor] [PATCH 07/13] Make expressing all capabilities easier

Kees Cook kees at ubuntu.com
Tue Feb 14 19:21:21 UTC 2012 

On Tue, Feb 14, 2012 at 09:32:29AM -0800, John Johansen wrote:
> Allow the capability rule to be bare to represent all capabilities similar
> to how network, and other rule types work.
> 
>   capability,
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/parser_yacc.y                        |   18 +++++++-----------
>  parser/tst/simple_tests/capability/bad_3.sd |    9 +++++++++
>  parser/tst/simple_tests/capability/bad_4.sd |    9 +++++++++
>  parser/tst/simple_tests/capability/ok3.sd   |    9 +++++++++
>  4 files changed, 34 insertions(+), 11 deletions(-)
>  create mode 100644 parser/tst/simple_tests/capability/bad_3.sd
>  create mode 100644 parser/tst/simple_tests/capability/bad_4.sd
>  create mode 100644 parser/tst/simple_tests/capability/ok3.sd
> 
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index 2a4fa5d..fff7e23 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -1057,10 +1057,15 @@ set_caps:	TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
>  
>  capability:	TOK_CAPABILITY caps TOK_END_OF_RULE
>  	{
> -		$$ = $2;
> +		if ($2 == 0) {
> +			/* bare capability keyword - set all caps */
> +			$$ = 0xffffffffffffffff;

Should this be something more dynamic, using _LINUX_CAPABILITY_U32S_3 or
something similar to detect size, or is it sufficient to assume unsigned
long now?

If it's safe, then:

Acked-by: Kees Cook <kees at ubuntu.com>

:)

> +		} else
> +			$$ = $2;
>  	};
>  
> -caps: caps TOK_ID
> +caps: { /* nothing */ $$ = 0; }
> +	| caps TOK_ID
>  	{
>  		int cap = name_to_capability($2);
>  		if (cap == -1)
> @@ -1069,15 +1074,6 @@ caps: caps TOK_ID
>  		$$ = $1 | CAP_TO_MASK(cap);
>  	}
>  
> -caps: TOK_ID
> -	{
> -		int cap = name_to_capability($1);
> -		if (cap == -1)
> -			yyerror(_("Invalid capability %s."), $1);
> -		free($1);
> -		$$ = CAP_TO_MASK(cap);
> -	};
> -
>  %%
>  #define MAXBUFSIZE 4096
>  
> diff --git a/parser/tst/simple_tests/capability/bad_3.sd b/parser/tst/simple_tests/capability/bad_3.sd
> new file mode 100644
> index 0000000..00e4f4b
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/bad_3.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION fail CAP_XXX syntax.
> +#=EXRESULT FAIL
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> +  capability chown CAP_CHOWN,
> +}
> diff --git a/parser/tst/simple_tests/capability/bad_4.sd b/parser/tst/simple_tests/capability/bad_4.sd
> new file mode 100644
> index 0000000..502c74a
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/bad_4.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION fail unknown keyword
> +#=EXRESULT FAIL
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> +  capability chown foobar,
> +}
> diff --git a/parser/tst/simple_tests/capability/ok3.sd b/parser/tst/simple_tests/capability/ok3.sd
> new file mode 100644
> index 0000000..454b96c
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok3.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION validate some uses of capabilties.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> +	capability,
> +}
> -- 
> 1.7.9
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
-- 
Kees Cook

More information about the AppArmor mailing list