[apparmor] [PATCH 04/11] Fix the x intersection consistency test
Steve Beattie
steve at nxnw.org
Wed Mar 7 18:27:33 UTC 2012
On Wed, Mar 07, 2012 at 06:17:23AM -0800, John Johansen wrote:
> The x intersection consistency test for minimization was failing because
> it was screening off the AA_MAY_EXEC permission before passing the exec
> information to the consistency test fn. This resulted in the consistency
> test fn not testing the consistency because it treated the permission set
> as not having x permissions.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
It *looks* sensible, but applying this patch plus the first 2 (but
not the third, which doesn't apply for some reason) results in the
parser testsuite having 11 new failures; without this patch, there are
no failures. I have yet to look into why.
> ---
> parser/immunix.h | 3 +++
> parser/libapparmor_re/hfa.h | 8 ++++----
> parser/tst/simple_tests/xtrans/x-conflict.sd | 11 +++++++++++
> 3 files changed, 18 insertions(+), 4 deletions(-)
> create mode 100644 parser/tst/simple_tests/xtrans/x-conflict.sd
>
> diff --git a/parser/immunix.h b/parser/immunix.h
> index 72446fc..8dc157a 100644
> --- a/parser/immunix.h
> +++ b/parser/immunix.h
> @@ -96,6 +96,9 @@
>
> #define ALL_AA_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
>
> +#define ALL_USER_EXEC (AA_USER_EXEC | AA_USER_EXEC_TYPE)
> +#define ALL_OTHER_EXEC (AA_OTHER_EXEC | AA_OTHER_EXEC_TYPE)
> +
> #define AA_LINK_BITS ((AA_MAY_LINK << AA_USER_SHIFT) | \
> (AA_MAY_LINK << AA_OTHER_SHIFT))
>
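Review bot: the new ALL_USER_EXEC and ALL_OTHER_EXEC defines have no comment and drop the AA_ prefix used by ALL_AA_EXEC_TYPE on the line just above them. A short comment saying that each one combines the exec permission bit with the matching exec type bits, and why a caller would want both together, would make the difference from the *_EXEC_TYPE masks obvious. Consider naming them to match the existing ALL_AA_ pattern.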
> diff --git a/parser/libapparmor_re/hfa.h b/parser/libapparmor_re/hfa.h
> index c77905d..a35becb 100644
> --- a/parser/libapparmor_re/hfa.h
> +++ b/parser/libapparmor_re/hfa.h
> @@ -50,8 +50,8 @@ public:
> {
> deny |= rhs.deny;
>
> - if (!is_merged_x_consistent(allow & AA_USER_EXEC_TYPE,
> - rhs.allow & AA_USER_EXEC_TYPE)) {
> + if (!is_merged_x_consistent(allow & ALL_USER_EXEC,
> + rhs.allow & ALL_USER_EXEC)) {
> if ((exact & AA_USER_EXEC_TYPE) &&
> !(rhs.exact & AA_USER_EXEC_TYPE)) {
> /* do nothing */
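Review bot: at the is_merged_x_consistent() call for the user bits, the mask is widened to ALL_USER_EXEC but nothing in the code records why the AA_USER_EXEC bit has to reach the callee. The commit message explains that the callee otherwise treats the set as having no x permission, and a one-line comment at the call saying so would stop someone narrowing the mask back to AA_USER_EXEC_TYPE later. The `exact` checks directly below still mask with AA_USER_EXEC_TYPE only, so please confirm that the asymmetry is intended.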
> @@ -64,8 +64,8 @@ public:
> } else
> allow |= rhs.allow & AA_USER_EXEC_TYPE;
>
> - if (!is_merged_x_consistent(allow & AA_OTHER_EXEC_TYPE,
> - rhs.allow & AA_OTHER_EXEC_TYPE)) {
> + if (!is_merged_x_consistent(allow & ALL_OTHER_EXEC,
> + rhs.allow & ALL_OTHER_EXEC)) {
> if ((exact & AA_OTHER_EXEC_TYPE) &&
> !(rhs.exact & AA_OTHER_EXEC_TYPE)) {
> /* do nothing */
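Review bot: the else branch at the top of this hunk still merges with `allow |= rhs.allow & AA_USER_EXEC_TYPE`, so the consistency test and the merge now use different masks. If the AA_USER_EXEC bit is merged elsewhere in the function, a comment here should say so; otherwise the two masks should agree. As far as the visible lines show, the other-bits block repeats the user-bits block with only the mask names changed, so a small helper taking the mask pair would keep the two copies from drifting apart.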
> diff --git a/parser/tst/simple_tests/xtrans/x-conflict.sd b/parser/tst/simple_tests/xtrans/x-conflict.sd
> new file mode 100644
> index 0000000..92215f9
> --- /dev/null
> +++ b/parser/tst/simple_tests/xtrans/x-conflict.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION test for conflict resolution in minimization phase of dfa gen
> +#=EXRESULT FAIL
> +#=TODO
> +#
> +/usr/bin/foo {
> + /b* px,
> + /* Pixr,
> + /a* Cx -> foo,
> +}
> +
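Review bot: the new test carries `#=TODO` next to `#=EXRESULT FAIL`, although the commit message presents this patch as the fix for the consistency test. If the parser now rejects this profile, drop the `#=TODO` line; if something is still outstanding, say what in the description. The `#=DESCRIPTION` line would also be more useful if it named the conflict being exercised: `/*` overlaps both `/a*` and `/b*`, and the three rules carry different exec modes (`Pixr`, `Cx -> foo`, `px`).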
> --
> 1.7.9
>
>
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/