[apparmor] [PATCH 07/13] Make expressing all capabilities easier

John Johansen john.johansen at canonical.com
Tue Feb 14 20:59:11 UTC 2012 

On 02/14/2012 11:21 AM, Kees Cook wrote:
> On Tue, Feb 14, 2012 at 09:32:29AM -0800, John Johansen wrote:
>> Allow the capability rule to be bare to represent all capabilities similar
>> to how network, and other rule types work.
>>
>>   capability,
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>>  parser/parser_yacc.y                        |   18 +++++++-----------
>>  parser/tst/simple_tests/capability/bad_3.sd |    9 +++++++++
>>  parser/tst/simple_tests/capability/bad_4.sd |    9 +++++++++
>>  parser/tst/simple_tests/capability/ok3.sd   |    9 +++++++++
>>  4 files changed, 34 insertions(+), 11 deletions(-)
>>  create mode 100644 parser/tst/simple_tests/capability/bad_3.sd
>>  create mode 100644 parser/tst/simple_tests/capability/bad_4.sd
>>  create mode 100644 parser/tst/simple_tests/capability/ok3.sd
>>
>> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
>> index 2a4fa5d..fff7e23 100644
>> --- a/parser/parser_yacc.y
>> +++ b/parser/parser_yacc.y
>> @@ -1057,10 +1057,15 @@ set_caps:	TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE
>>  
>>  capability:	TOK_CAPABILITY caps TOK_END_OF_RULE
>>  	{
>> -		$$ = $2;
>> +		if ($2 == 0) {
>> +			/* bare capability keyword - set all caps */
>> +			$$ = 0xffffffffffffffff;
> 
> Should this be something more dynamic, using _LINUX_CAPABILITY_U32S_3 or
> something similar to detect size, or is it sufficient to assume unsigned
> long now?
> 
safe for now in that if 64 bit isn't enough we need to patch the rest of
the capability code as well, but yeah it should be more dynamic.  Its
on the low priority todo list.

> If it's safe, then:
> 
> Acked-by: Kees Cook <kees at ubuntu.com>
> 
> :)
> 
>> +		} else
>> +			$$ = $2;
>>  	};
>>  
>> -caps: caps TOK_ID
>> +caps: { /* nothing */ $$ = 0; }
>> +	| caps TOK_ID
>>  	{
>>  		int cap = name_to_capability($2);
>>  		if (cap == -1)
>> @@ -1069,15 +1074,6 @@ caps: caps TOK_ID
>>  		$$ = $1 | CAP_TO_MASK(cap);
>>  	}
>>  
>> -caps: TOK_ID
>> -	{
>> -		int cap = name_to_capability($1);
>> -		if (cap == -1)
>> -			yyerror(_("Invalid capability %s."), $1);
>> -		free($1);
>> -		$$ = CAP_TO_MASK(cap);
>> -	};
>> -
>>  %%
>>  #define MAXBUFSIZE 4096
>>  
>> diff --git a/parser/tst/simple_tests/capability/bad_3.sd b/parser/tst/simple_tests/capability/bad_3.sd
>> new file mode 100644
>> index 0000000..00e4f4b
>> --- /dev/null
>> +++ b/parser/tst/simple_tests/capability/bad_3.sd
>> @@ -0,0 +1,9 @@
>> +#
>> +#=DESCRIPTION fail CAP_XXX syntax.
>> +#=EXRESULT FAIL
>> +# vim:syntax=subdomain
>> +# Last Modified: Sun Apr 17 19:44:44 2005
>> +#
>> +/does/not/exist {
>> +  capability chown CAP_CHOWN,
>> +}
>> diff --git a/parser/tst/simple_tests/capability/bad_4.sd b/parser/tst/simple_tests/capability/bad_4.sd
>> new file mode 100644
>> index 0000000..502c74a
>> --- /dev/null
>> +++ b/parser/tst/simple_tests/capability/bad_4.sd
>> @@ -0,0 +1,9 @@
>> +#
>> +#=DESCRIPTION fail unknown keyword
>> +#=EXRESULT FAIL
>> +# vim:syntax=subdomain
>> +# Last Modified: Sun Apr 17 19:44:44 2005
>> +#
>> +/does/not/exist {
>> +  capability chown foobar,
>> +}
>> diff --git a/parser/tst/simple_tests/capability/ok3.sd b/parser/tst/simple_tests/capability/ok3.sd
>> new file mode 100644
>> index 0000000..454b96c
>> --- /dev/null
>> +++ b/parser/tst/simple_tests/capability/ok3.sd
>> @@ -0,0 +1,9 @@
>> +#
>> +#=DESCRIPTION validate some uses of capabilties.
>> +#=EXRESULT PASS
>> +# vim:syntax=subdomain
>> +# Last Modified: Sun Apr 17 19:44:44 2005
>> +#
>> +/does/not/exist {
>> +	capability,
>> +}
>> -- 
>> 1.7.9
>>
>>
>> -- 
>> AppArmor mailing list
>> AppArmor at lists.ubuntu.com
>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

More information about the AppArmor mailing list