[apparmor] [PATCH 03/10] From a3f0ccf618c2016ce5fbaa0fe35d4f194fbefd2b Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen at canonical.com> Date: Sat, 27 Oct 2012 04:49:23 -0700 Subject: [PATCH 03/10] add optional allow prefix to the language
Seth Arnold
seth.arnold at canonical.com
Thu Jul 25 01:34:34 UTC 2013
On Sun, Jul 21, 2013 at 10:32:46PM -0700, John Johansen wrote:
> let allow be used as a prefix in place of deny. Allow is the default
> and is implicit so it is not needed but some users keep tripping over
> it, and it makes the language more symmetric
>
> eg.
> /foo rw,
> allow /foo rw,
> deny /foo rw,
>
Makes sense. Even if it doesn't feel too useful, I do like symmetry. :)
I didn't see any EXRESULT FAIL tests for:
allow deny capability,
allow deny file,
allow deny network,
...
deny allow capability,
deny allow file,
deny allow network,
...
And one small comment in the tests...
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
> parser/parser_misc.c | 1 +
> parser/parser_yacc.y | 2 +
> parser/tst/simple_tests/capability/ok_allow1.sd | 156 ++++++++++++++++++++
> parser/tst/simple_tests/capability/ok_allow2.sd | 160 +++++++++++++++++++++
> parser/tst/simple_tests/capability/ok_allow3.sd | 9 ++
> parser/tst/simple_tests/file/allow/ok_1.sd | 7 +
> parser/tst/simple_tests/file/allow/ok_3.sd | 9 ++
> parser/tst/simple_tests/file/allow/ok_append_1.sd | 13 ++
> parser/tst/simple_tests/file/allow/ok_carat_1.sd | 7 +
> parser/tst/simple_tests/file/allow/ok_carat_2.sd | 7 +
> parser/tst/simple_tests/file/allow/ok_comma_1.sd | 7 +
> parser/tst/simple_tests/file/allow/ok_comma_2.sd | 7 +
> .../file/allow/ok_embedded_spaces_1.sd | 6 +
> .../file/allow/ok_embedded_spaces_2.sd | 6 +
> .../file/allow/ok_embedded_spaces_3.sd | 6 +
> .../simple_tests/file/allow/ok_inv_char_class.sd | 7 +
> parser/tst/simple_tests/file/allow/ok_lock_1.sd | 17 +++
> parser/tst/simple_tests/file/allow/ok_mmap_1.sd | 12 ++
> parser/tst/simple_tests/file/allow/ok_mmap_2.sd | 14 ++
> 19 files changed, 453 insertions(+)
> create mode 100644 parser/tst/simple_tests/capability/ok_allow1.sd
> create mode 100644 parser/tst/simple_tests/capability/ok_allow2.sd
> create mode 100644 parser/tst/simple_tests/capability/ok_allow3.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_1.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_3.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_append_1.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_1.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_2.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_1.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_2.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_lock_1.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_1.sd
> create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_2.sd
>
> diff --git a/parser/parser_misc.c b/parser/parser_misc.c
> index 5f211b9..8f52e6c 100644
> --- a/parser/parser_misc.c
> +++ b/parser/parser_misc.c
> @@ -73,6 +73,7 @@ static struct keyword_table keyword_table[] = {
> {"subset", TOK_SUBSET},
> {"audit", TOK_AUDIT},
> {"deny", TOK_DENY},
> + {"allow", TOK_ALLOW},
> {"set", TOK_SET},
> {"rlimit", TOK_RLIMIT},
> {"alias", TOK_ALIAS},
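Review bot: The new `allow` keyword is added to the lexer's keyword table here, but the diffstat lists no change to the language documentation (the apparmor.d man page), so users will only learn the prefix exists by reading the grammar. A one-line entry next to `deny` stating that `allow` is the implicit default and is accepted purely for symmetry would close that gap. It is also worth stating in the commit message whether any existing profile that uses the bare word `allow` as an identifier (a hat or profile name, say) now tokenizes differently — presumably this table is only consulted for bare words, so confirm the lexer cannot reach it from a path or name context.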
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index 27e6c58..c249b01 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -110,6 +110,7 @@ void add_local_entry(struct codomain *cod);
> %token TOK_SUBSET
> %token TOK_AUDIT
> %token TOK_DENY
> +%token TOK_ALLOW
> %token TOK_PROFILE
> %token TOK_SET
> %token TOK_ALIAS
> @@ -502,6 +503,7 @@ opt_owner_flag: { /* nothing */ $$ = 0; }
> | TOK_OTHER { $$ = 2; };
>
> opt_deny: { /* nothing */ $$ = 0; }
> + | TOK_ALLOW { $$ = 0; }
> | TOK_DENY { $$ = 1; }
>
> opt_prefix: opt_audit_flag opt_deny opt_owner_flag
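Review bot: `TOK_ALLOW` yields the same value (0) as the empty alternative of `opt_deny`, so `allow` is purely cosmetic and cannot do anything omitting the keyword does not; in particular, if deny rules override allow rules elsewhere in the language (not visible in this hunk), an explicit `allow /foo rw,` will not override an earlier `deny /foo rw,`, which a user reading the new symmetric syntax may expect it to. A grammar comment would prevent that misreading, e.g. `| TOK_ALLOW { $$ = 0; } /* explicit form of the default; does not override deny */`. Since `opt_deny` admits at most one of the two tokens, `allow deny ...` and `deny allow ...` are rejected by the grammar itself, though the remainder of `opt_prefix` continues outside the hunk so the combined-flag handling is not visible here.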
> diff --git a/parser/tst/simple_tests/capability/ok_allow1.sd b/parser/tst/simple_tests/capability/ok_allow1.sd
> new file mode 100644
> index 0000000..57eeb3e
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow1.sd
> @@ -0,0 +1,156 @@
> +#
> +#=DESCRIPTION validate some uses of capabilties.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> + allow capability chown,
> + allow capability dac_override,
> + allow capability dac_read_search,
> + allow capability fowner,
> + allow capability fsetid,
> + allow capability kill,
> + allow capability setgid,
> + allow capability setuid,
> + allow capability setpcap,
> + allow capability linux_immutable,
> + allow capability net_bind_service,
> + allow capability net_broadcast,
> + allow capability net_admin,
> + allow capability net_raw,
> + allow capability ipc_lock,
> + allow capability ipc_owner,
> + allow capability sys_module,
> + allow capability sys_rawio,
> + allow capability sys_chroot,
> + allow capability sys_ptrace,
> + allow capability sys_pacct,
> + allow capability sys_admin,
> + allow capability sys_boot,
> + allow capability sys_nice,
> + allow capability sys_resource,
> + allow capability sys_time,
> + allow capability sys_tty_config,
> + allow capability mknod,
> + allow capability lease,
> + allow capability audit_write,
> + allow capability audit_control,
> + allow capability setfcap,
> + allow capability mac_override,
> +}
> +
> +/does/not/exist2 {
> + ^chown {
> + allow capability chown,
> + }
> + ^dac_override {
> + allow capability dac_override,
> + }
> + ^dac_read_search {
> + allow capability dac_read_search,
> + }
> + ^fowner {
> + allow capability fowner,
> + }
> + ^fsetid {
> + allow capability fsetid,
> + }
> + ^kill {
> + allow capability kill,
> + }
> + ^setgid {
> + allow capability setgid,
> + }
> + ^setuid {
> + allow capability setuid,
> + }
> + ^setpcap {
> + allow capability setpcap,
> + }
> + ^linux_immutable {
> + allow capability linux_immutable,
> + }
> + ^net_bind_service {
> + allow capability net_bind_service,
> + }
> + ^net_broadcast {
> + allow capability net_broadcast,
> + }
> + ^net_admin {
> + allow capability net_admin,
> + }
> + ^net_raw {
> + allow capability net_raw,
> + }
> + ^ipc_lock {
> + allow capability ipc_lock,
> + }
> + ^ipc_owner {
> + allow capability ipc_owner,
> + }
> + ^sys_module {
> + allow capability sys_module,
> + }
> + ^sys_rawio {
> + allow capability sys_rawio,
> + }
> + ^sys_chroot {
> + allow capability sys_chroot,
> + }
> + ^sys_ptrace {
> + allow capability sys_ptrace,
> + }
> + ^sys_pacct {
> + allow capability sys_pacct,
> + }
> + ^sys_admin {
> + allow capability sys_admin,
> + }
> + ^sys_boot {
> + allow capability sys_boot,
> + }
> + ^sys_nice {
> + allow capability sys_nice,
> + }
> + ^sys_resource {
> + allow capability sys_resource,
> + }
> + ^sys_time {
> + allow capability sys_time,
> + }
> + ^sys_tty_config {
> + allow capability sys_tty_config,
> + }
> + ^mknod {
> + allow capability mknod,
> + }
> + ^lease {
> + allow capability lease,
> + }
> + ^audit_write {
> + allow capability audit_write,
> + }
> + ^audit_control {
> + allow capability audit_control,
> + }
> +}
> +
> +# Test for duplicates?
> +/does/not/exist3 {
> + allow capability mknod,
> + allow capability mknod,
> +}
> +
> +/does/not/exit101 {
> + allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +}
> +
> +/does/not/exit102 {
> + allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> + allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +}
> +
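Review bot: The first profile exercises `allow capability setfcap` and `allow capability mac_override`, but the per-hat profile and both multi-capability lists stop at `audit_control`, so those two capabilities are covered only once while every other one is covered four times; either the later lists were cloned from an older test or the omission is unintended, and adding the two names to the hat section and to both long lists would make the coverage uniform. The header was also copied verbatim from the file this one was cloned from: the `#=DESCRIPTION` line says nothing about the feature under test and carries the typo "capabilties", and the 2005 `Last Modified` stamp is stale; suggest `#=DESCRIPTION validate the optional 'allow' prefix on capability rules.` The copied `/does/not/exit101` and `/does/not/exit102` names (for "exist") are harmless but worth fixing while the file is new.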
> diff --git a/parser/tst/simple_tests/capability/ok_allow2.sd b/parser/tst/simple_tests/capability/ok_allow2.sd
> new file mode 100644
> index 0000000..e3ad26e
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow2.sd
> @@ -0,0 +1,160 @@
> +#
> +#=DESCRIPTION validate some uses of capabilties.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> + audit allow capability chown,
> + audit allow capability dac_override,
> + audit allow capability dac_read_search,
> + audit allow capability fowner,
> + audit allow capability fsetid,
> + audit allow capability kill,
> + audit allow capability setgid,
> + audit allow capability setuid,
> + audit allow capability setpcap,
> + audit allow capability linux_immutable,
> + audit allow capability net_bind_service,
> + audit allow capability net_broadcast,
> + audit allow capability net_admin,
> + audit allow capability net_raw,
> + audit allow capability ipc_lock,
> + audit allow capability ipc_owner,
> + audit allow capability sys_module,
> + audit allow capability sys_rawio,
> + audit allow capability sys_chroot,
> + audit allow capability sys_ptrace,
> + audit allow capability sys_pacct,
> + audit allow capability sys_admin,
> + audit allow capability sys_boot,
> + audit allow capability sys_nice,
> + audit allow capability sys_resource,
> + audit allow capability sys_time,
> + audit allow capability sys_tty_config,
> + audit allow capability mknod,
> + audit allow capability lease,
> + audit allow capability audit_write,
> + audit allow capability audit_control,
> + audit allow capability setfcap,
> + audit allow capability mac_override,
> +}
> +
> +/does/not/exist2 {
> + ^chown {
> + deny capability chown,
> + }
> + ^dac_override {
> + deny capability dac_override,
> + }
> + ^dac_read_search {
> + deny capability dac_read_search,
> + }
> + ^fowner {
> + deny capability fowner,
> + }
> + ^fsetid {
> + deny capability fsetid,
> + }
> + ^kill {
> + deny capability kill,
> + }
> + ^setgid {
> + deny capability setgid,
> + }
> + ^setuid {
> + deny capability setuid,
> + }
> + ^setpcap {
> + deny capability setpcap,
> + }
> + ^linux_immutable {
> + deny capability linux_immutable,
> + }
> + ^net_bind_service {
> + deny capability net_bind_service,
> + }
> + ^net_broadcast {
> + deny capability net_broadcast,
> + }
> + ^net_admin {
> + deny capability net_admin,
> + }
> + ^net_raw {
> + deny capability net_raw,
> + }
> + ^ipc_lock {
> + deny capability ipc_lock,
> + }
> + ^ipc_owner {
> + deny capability ipc_owner,
> + }
> + ^sys_module {
> + deny capability sys_module,
> + }
> + ^sys_rawio {
> + deny capability sys_rawio,
> + }
> + ^sys_chroot {
> + deny capability sys_chroot,
> + }
> + ^sys_ptrace {
> + deny capability sys_ptrace,
> + }
> + ^sys_pacct {
> + deny capability sys_pacct,
> + }
> + ^sys_admin {
> + deny capability sys_admin,
> + }
> + ^sys_boot {
> + deny capability sys_boot,
> + }
> + ^sys_nice {
> + deny capability sys_nice,
> + }
> + ^sys_resource {
> + deny capability sys_resource,
> + }
> + ^sys_time {
> + deny capability sys_time,
> + }
> + ^sys_tty_config {
> + deny capability sys_tty_config,
> + }
> + ^mknod {
> + deny capability mknod,
> + }
> + ^lease {
> + deny capability lease,
> + }
> + ^audit_write {
> + deny capability audit_write,
> + }
> + ^audit_control {
> + deny capability audit_control,
Should all these tests really be 'deny'?
Thanks