[apparmor] [PATCH 03/10] From a3f0ccf618c2016ce5fbaa0fe35d4f194fbefd2b Mon Sep 17 00:00:00 2001 From: John Johansen <john.johansen at canonical.com> Date: Sat, 27 Oct 2012 04:49:23 -0700 Subject: [PATCH 03/10] add optional allow prefix to the language

Seth Arnold seth.arnold at canonical.com
Thu Jul 25 01:34:34 UTC 2013


On Sun, Jul 21, 2013 at 10:32:46PM -0700, John Johansen wrote:
> let allow be used as a prefix in place of deny.  Allow is the default
> and is implicit so it is not needed, but some users keep tripping over
> it, and it makes the language more symmetric
> 
>    eg.
>       /foo rw,
>       allow /foo rw,
>       deny /foo rw,
> 

Makes sense. Even if it doesn't feel too useful, I do like symmetry. :)

I didn't see any EXRESULT FAIL tests for:

allow deny capability,
allow deny file,
allow deny network,
...
deny allow capability,
deny allow file,
deny allow network,
...

And one small comment in the tests...

> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  parser/parser_misc.c                               |   1 +
>  parser/parser_yacc.y                               |   2 +
>  parser/tst/simple_tests/capability/ok_allow1.sd    | 156 ++++++++++++++++++++
>  parser/tst/simple_tests/capability/ok_allow2.sd    | 160 +++++++++++++++++++++
>  parser/tst/simple_tests/capability/ok_allow3.sd    |   9 ++
>  parser/tst/simple_tests/file/allow/ok_1.sd         |   7 +
>  parser/tst/simple_tests/file/allow/ok_3.sd         |   9 ++
>  parser/tst/simple_tests/file/allow/ok_append_1.sd  |  13 ++
>  parser/tst/simple_tests/file/allow/ok_carat_1.sd   |   7 +
>  parser/tst/simple_tests/file/allow/ok_carat_2.sd   |   7 +
>  parser/tst/simple_tests/file/allow/ok_comma_1.sd   |   7 +
>  parser/tst/simple_tests/file/allow/ok_comma_2.sd   |   7 +
>  .../file/allow/ok_embedded_spaces_1.sd             |   6 +
>  .../file/allow/ok_embedded_spaces_2.sd             |   6 +
>  .../file/allow/ok_embedded_spaces_3.sd             |   6 +
>  .../simple_tests/file/allow/ok_inv_char_class.sd   |   7 +
>  parser/tst/simple_tests/file/allow/ok_lock_1.sd    |  17 +++
>  parser/tst/simple_tests/file/allow/ok_mmap_1.sd    |  12 ++
>  parser/tst/simple_tests/file/allow/ok_mmap_2.sd    |  14 ++
>  19 files changed, 453 insertions(+)
>  create mode 100644 parser/tst/simple_tests/capability/ok_allow1.sd
>  create mode 100644 parser/tst/simple_tests/capability/ok_allow2.sd
>  create mode 100644 parser/tst/simple_tests/capability/ok_allow3.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_1.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_3.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_append_1.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_1.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_2.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_1.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_2.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_lock_1.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_1.sd
>  create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_2.sd
> 
> diff --git a/parser/parser_misc.c b/parser/parser_misc.c
> index 5f211b9..8f52e6c 100644
> --- a/parser/parser_misc.c
> +++ b/parser/parser_misc.c
> @@ -73,6 +73,7 @@ static struct keyword_table keyword_table[] = {
>  	{"subset",		TOK_SUBSET},
>  	{"audit",		TOK_AUDIT},
>  	{"deny",		TOK_DENY},
> +	{"allow",		TOK_ALLOW},
>  	{"set",			TOK_SET},
>  	{"rlimit",		TOK_RLIMIT},
>  	{"alias",		TOK_ALIAS},
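Review bot: The new `{"allow", TOK_ALLOW}` entry makes a previously ordinary word reserved for every place the lexer consults keyword_table, not only the rule-prefix position, so an existing profile that uses the bare word `allow` as an identifier (a hat or profile name, say) would presumably stop parsing; parser_lex.l is not in the patch, so this is an inference worth confirming. A one-line comment at the entry, `/* explicit allow prefix: same effect as no prefix */`, and a simple_tests case that pins whether `^allow { }` is still accepted would make the intended compatibility explicit. The diffstat also shows no apparmor.d.pod change, so the new keyword is undocumented for profile authors.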
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index 27e6c58..c249b01 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -110,6 +110,7 @@ void add_local_entry(struct codomain *cod);
>  %token TOK_SUBSET
>  %token TOK_AUDIT
>  %token TOK_DENY
> +%token TOK_ALLOW
>  %token TOK_PROFILE
>  %token TOK_SET
>  %token TOK_ALIAS
> @@ -502,6 +503,7 @@ opt_owner_flag: { /* nothing */ $$ = 0; }
>  	| TOK_OTHER { $$ = 2; };
>  
>  opt_deny: { /* nothing */ $$ = 0; }
> +	| TOK_ALLOW { $$ = 0; }
>  	| TOK_DENY { $$ = 1; }
>  
>  opt_prefix: opt_audit_flag opt_deny opt_owner_flag
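Review bot: `TOK_ALLOW { $$ = 0; }` makes an explicit allow indistinguishable from the absent prefix, which is the stated intent, but the nonterminal is still called opt_deny and nothing records why a token that changes nothing is accepted; add `/* allow is the default: accepted for symmetry with deny, contributes nothing */` above the new alternative. opt_prefix still fixes the order audit, allow/deny, owner, so `allow audit /foo rw,` should be rejected while `audit allow /foo rw,` is accepted, and neither that ordering nor the keyword itself is documented, since the man page is absent from the diffstat. The rest of the grammar around opt_prefix is outside the hunk.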
> diff --git a/parser/tst/simple_tests/capability/ok_allow1.sd b/parser/tst/simple_tests/capability/ok_allow1.sd
> new file mode 100644
> index 0000000..57eeb3e
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow1.sd
> @@ -0,0 +1,156 @@
> +#
> +#=DESCRIPTION validate some uses of capabilties.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> +  allow capability chown,
> +  allow capability dac_override,
> +  allow capability dac_read_search,
> +  allow capability fowner,
> +  allow capability fsetid,
> +  allow capability kill,
> +  allow capability setgid,
> +  allow capability setuid,
> +  allow capability setpcap,
> +  allow capability linux_immutable,
> +  allow capability net_bind_service,
> +  allow capability net_broadcast,
> +  allow capability net_admin,
> +  allow capability net_raw,
> +  allow capability ipc_lock,
> +  allow capability ipc_owner,
> +  allow capability sys_module,
> +  allow capability sys_rawio,
> +  allow capability sys_chroot,
> +  allow capability sys_ptrace,
> +  allow capability sys_pacct,
> +  allow capability sys_admin,
> +  allow capability sys_boot,
> +  allow capability sys_nice,
> +  allow capability sys_resource,
> +  allow capability sys_time,
> +  allow capability sys_tty_config,
> +  allow capability mknod,
> +  allow capability lease,
> +  allow capability audit_write,
> +  allow capability audit_control,
> +  allow capability setfcap,
> +  allow capability mac_override,
> +}
> +
> +/does/not/exist2 {
> +  ^chown { 
> +    allow capability chown,
> +  }
> +  ^dac_override { 
> +    allow capability dac_override,
> +  }
> +  ^dac_read_search { 
> +    allow capability dac_read_search,
> +  }
> +  ^fowner { 
> +    allow capability fowner,
> +  }
> +  ^fsetid { 
> +    allow capability fsetid,
> +  }
> +  ^kill { 
> +    allow capability kill,
> +  }
> +  ^setgid { 
> +    allow capability setgid,
> +  }
> +  ^setuid { 
> +    allow capability setuid,
> +  }
> +  ^setpcap { 
> +    allow capability setpcap,
> +  }
> +  ^linux_immutable { 
> +    allow capability linux_immutable,
> +  }
> +  ^net_bind_service { 
> +    allow capability net_bind_service,
> +  }
> +  ^net_broadcast { 
> +    allow capability net_broadcast,
> +  }
> +  ^net_admin { 
> +    allow capability net_admin,
> +  }
> +  ^net_raw { 
> +    allow capability net_raw,
> +  }
> +  ^ipc_lock { 
> +    allow capability ipc_lock,
> +  }
> +  ^ipc_owner { 
> +    allow capability ipc_owner,
> +  }
> +  ^sys_module { 
> +    allow capability sys_module,
> +  }
> +  ^sys_rawio { 
> +    allow capability sys_rawio,
> +  }
> +  ^sys_chroot { 
> +    allow capability sys_chroot,
> +  }
> +  ^sys_ptrace { 
> +    allow capability sys_ptrace,
> +  }
> +  ^sys_pacct { 
> +    allow capability sys_pacct,
> +  }
> +  ^sys_admin { 
> +    allow capability sys_admin,
> +  }
> +  ^sys_boot { 
> +    allow capability sys_boot,
> +  }
> +  ^sys_nice { 
> +    allow capability sys_nice,
> +  }
> +  ^sys_resource { 
> +    allow capability sys_resource,
> +  }
> +  ^sys_time { 
> +    allow capability sys_time,
> +  }
> +  ^sys_tty_config { 
> +    allow capability sys_tty_config,
> +  }
> +  ^mknod { 
> +    allow capability mknod,
> +  }
> +  ^lease { 
> +    allow capability lease,
> +  }
> +  ^audit_write {
> +    allow capability audit_write,
> +  }
> +  ^audit_control {
> +    allow capability audit_control,
> +  }
> +}
> +
> +# Test for duplicates?
> +/does/not/exist3 {
> +  allow capability mknod,
> +  allow capability mknod,
> +}
> +
> +/does/not/exit101 {
> +  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +}
> +
> +/does/not/exit102 {
> +  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +}
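Review bot: Every case in this file is EXRESULT PASS, so it only proves that `allow capability ...` is accepted by the grammar, not the commit's actual claim that an allow-prefixed rule compiles to the same policy as the bare rule; if the tree's parser/tst equality harness is available, a case comparing `/does/not/exist { capability chown, }` with its `allow capability chown,` twin would pin that, and it is the test a reviewer wants for a keyword that grants permission. The header is copied verbatim from the older capability test, including the 2005 `Last Modified` line and the `capabilties` typo, and `/does/not/exit101` / `exit102` look like the same copy-paste; `#=DESCRIPTION validate the explicit allow prefix on capability rules.` would say what this file is for.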
> +
> diff --git a/parser/tst/simple_tests/capability/ok_allow2.sd b/parser/tst/simple_tests/capability/ok_allow2.sd
> new file mode 100644
> index 0000000..e3ad26e
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow2.sd
> @@ -0,0 +1,160 @@
> +#
> +#=DESCRIPTION validate some uses of capabilties.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> +  audit allow capability chown,
> +  audit allow capability dac_override,
> +  audit allow capability dac_read_search,
> +  audit allow capability fowner,
> +  audit allow capability fsetid,
> +  audit allow capability kill,
> +  audit allow capability setgid,
> +  audit allow capability setuid,
> +  audit allow capability setpcap,
> +  audit allow capability linux_immutable,
> +  audit allow capability net_bind_service,
> +  audit allow capability net_broadcast,
> +  audit allow capability net_admin,
> +  audit allow capability net_raw,
> +  audit allow capability ipc_lock,
> +  audit allow capability ipc_owner,
> +  audit allow capability sys_module,
> +  audit allow capability sys_rawio,
> +  audit allow capability sys_chroot,
> +  audit allow capability sys_ptrace,
> +  audit allow capability sys_pacct,
> +  audit allow capability sys_admin,
> +  audit allow capability sys_boot,
> +  audit allow capability sys_nice,
> +  audit allow capability sys_resource,
> +  audit allow capability sys_time,
> +  audit allow capability sys_tty_config,
> +  audit allow capability mknod,
> +  audit allow capability lease,
> +  audit allow capability audit_write,
> +  audit allow capability audit_control,
> +  audit allow capability setfcap,
> +  audit allow capability mac_override,
> +}
> +
> +/does/not/exist2 {
> +  ^chown {
> +    deny capability chown,
> +  }
> +  ^dac_override {
> +    deny capability dac_override,
> +  }
> +  ^dac_read_search {
> +    deny capability dac_read_search,
> +  }
> +  ^fowner {
> +    deny capability fowner,
> +  }
> +  ^fsetid {
> +    deny capability fsetid,
> +  }
> +  ^kill {
> +    deny capability kill,
> +  }
> +  ^setgid {
> +    deny capability setgid,
> +  }
> +  ^setuid {
> +    deny capability setuid,
> +  }
> +  ^setpcap {
> +    deny capability setpcap,
> +  }
> +  ^linux_immutable {
> +    deny capability linux_immutable,
> +  }
> +  ^net_bind_service {
> +    deny capability net_bind_service,
> +  }
> +  ^net_broadcast {
> +    deny capability net_broadcast,
> +  }
> +  ^net_admin {
> +    deny capability net_admin,
> +  }
> +  ^net_raw {
> +    deny capability net_raw,
> +  }
> +  ^ipc_lock {
> +    deny capability ipc_lock,
> +  }
> +  ^ipc_owner {
> +    deny capability ipc_owner,
> +  }
> +  ^sys_module {
> +    deny capability sys_module,
> +  }
> +  ^sys_rawio {
> +    deny capability sys_rawio,
> +  }
> +  ^sys_chroot {
> +    deny capability sys_chroot,
> +  }
> +  ^sys_ptrace {
> +    deny capability sys_ptrace,
> +  }
> +  ^sys_pacct {
> +    deny capability sys_pacct,
> +  }
> +  ^sys_admin {
> +    deny capability sys_admin,
> +  }
> +  ^sys_boot {
> +    deny capability sys_boot,
> +  }
> +  ^sys_nice {
> +    deny capability sys_nice,
> +  }
> +  ^sys_resource {
> +    deny capability sys_resource,
> +  }
> +  ^sys_time {
> +    deny capability sys_time,
> +  }
> +  ^sys_tty_config {
> +    deny capability sys_tty_config,
> +  }
> +  ^mknod {
> +    deny capability mknod,
> +  }
> +  ^lease {
> +    deny capability lease,
> +  }
> +  ^audit_write {
> +    deny capability audit_write,
> +  }
> +  ^audit_control {
> +    deny capability audit_control,

Should all these tests really be 'deny'?


Thanks

