[apparmor] [PATCH 04/11] Fix the x intersection consistency test

John Johansen john.johansen at canonical.com
Wed Mar 7 14:17:23 UTC 2012


The x intersection consistency test for minimization was failing because
it was screening off the AA_MAY_EXEC permission before passing the exec
information to the consistency test fn.  This resulted in the consistency
test fn not testing the consistency because it treated the permission set
as not having x permissions.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/immunix.h                             |    3 +++
 parser/libapparmor_re/hfa.h                  |    8 ++++----
 parser/tst/simple_tests/xtrans/x-conflict.sd |   11 +++++++++++
 3 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 parser/tst/simple_tests/xtrans/x-conflict.sd

diff --git a/parser/immunix.h b/parser/immunix.h
index 72446fc..8dc157a 100644
--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -96,6 +96,9 @@
 
 #define ALL_AA_EXEC_TYPE		(AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
 
+#define ALL_USER_EXEC			(AA_USER_EXEC | AA_USER_EXEC_TYPE)
+#define ALL_OTHER_EXEC			(AA_OTHER_EXEC | AA_OTHER_EXEC_TYPE)
+
 #define AA_LINK_BITS			((AA_MAY_LINK << AA_USER_SHIFT) | \
 					 (AA_MAY_LINK << AA_OTHER_SHIFT))
 
diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h
index c77905d..a35becb 100644
--- a/parser/libapparmor_re/hfa.h
+++ b/parser/libapparmor_re/hfa.h
@@ -50,8 +50,8 @@ public:
 	{
 		deny |= rhs.deny;
 
-		if (!is_merged_x_consistent(allow & AA_USER_EXEC_TYPE,
-					    rhs.allow & AA_USER_EXEC_TYPE)) {
+		if (!is_merged_x_consistent(allow & ALL_USER_EXEC,
+					    rhs.allow & ALL_USER_EXEC)) {
 			if ((exact & AA_USER_EXEC_TYPE) &&
 			    !(rhs.exact & AA_USER_EXEC_TYPE)) {
 				/* do nothing */
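Review bot: The consistency check in this hunk now masks with `ALL_USER_EXEC`, while the `exact` tests just below it and the merge `allow |= rhs.allow & AA_USER_EXEC_TYPE` in the next hunk still mask with `AA_USER_EXEC_TYPE`, and nothing in the code says the difference is deliberate. A later cleanup that makes the masks uniform could reintroduce the bug from the commit message, where conflicting x transitions pass minimization unchecked and an exec rule may end up with a different transition than the profile author wrote. I would add a comment above the call such as `/* keep the exec bit in the mask: without it is_merged_x_consistent() sees no x permission and skips the check */`, and the same above the `ALL_OTHER_EXEC` call in the second hunk. The enclosing operator starts and ends outside both hunks, so how the exec bit itself is merged into `allow` is not visible here.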
@@ -64,8 +64,8 @@ public:
 		} else
 			allow |= rhs.allow & AA_USER_EXEC_TYPE;
 
-		if (!is_merged_x_consistent(allow & AA_OTHER_EXEC_TYPE,
-					    rhs.allow & AA_OTHER_EXEC_TYPE)) {
+		if (!is_merged_x_consistent(allow & ALL_OTHER_EXEC,
+					    rhs.allow & ALL_OTHER_EXEC)) {
 			if ((exact & AA_OTHER_EXEC_TYPE) &&
 			    !(rhs.exact & AA_OTHER_EXEC_TYPE)) {
 				/* do nothing */
diff --git a/parser/tst/simple_tests/xtrans/x-conflict.sd b/parser/tst/simple_tests/xtrans/x-conflict.sd
new file mode 100644
index 0000000..92215f9
--- /dev/null
+++ b/parser/tst/simple_tests/xtrans/x-conflict.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION test for conflict resolution in minimization phase of dfa gen
+#=EXRESULT FAIL
+#=TODO
+#
+/usr/bin/foo {
+  /b* px,
+  /* Pixr,
+  /a* Cx -> foo,
+}
+
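Review bot: The `#=TODO` marker on this new test looks like it leaves the fix unguarded: if the harness treats TODO tests as known-unfinished, the `#=EXRESULT FAIL` expectation is reported but not enforced, so a regression in the x-conflict check would not fail the suite. If the parser rejects this profile with the patch applied, drop `#=TODO`; if it does not yet, add a comment saying what is still outstanding. The description would also help more if it named the overlap that appears to be under test, for example `#=DESCRIPTION overlapping globs with conflicting x transitions (/b* px, /a* Cx vs /* Pixr) must be rejected during dfa minimization`.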
-- 
1.7.9



