[apparmor] [PATCH 3/8] add optional allow prefix to the language

Tyler Hicks tyhicks at canonical.com
Wed Sep 11 08:47:42 UTC 2013


From: John Johansen <john.johansen at canonical.com>

Let allow be used as a prefix in place of deny.  Allow is the default
and is implicit, so it is not needed, but some users keep tripping over
its absence, and accepting it makes the language more symmetric

   eg.
      /foo rw,
      allow /foo rw,
      deny /foo rw,

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/parser_misc.c                               |   1 +
 parser/parser_yacc.y                               |   2 +
 parser/tst/simple_tests/capability/ok_allow1.sd    | 156 ++++++++++++++++++++
 parser/tst/simple_tests/capability/ok_allow2.sd    | 160 +++++++++++++++++++++
 parser/tst/simple_tests/capability/ok_allow3.sd    |   9 ++
 parser/tst/simple_tests/file/allow/ok_1.sd         |   7 +
 parser/tst/simple_tests/file/allow/ok_3.sd         |   9 ++
 parser/tst/simple_tests/file/allow/ok_append_1.sd  |  13 ++
 parser/tst/simple_tests/file/allow/ok_carat_1.sd   |   7 +
 parser/tst/simple_tests/file/allow/ok_carat_2.sd   |   7 +
 parser/tst/simple_tests/file/allow/ok_comma_1.sd   |   7 +
 parser/tst/simple_tests/file/allow/ok_comma_2.sd   |   7 +
 .../file/allow/ok_embedded_spaces_1.sd             |   6 +
 .../file/allow/ok_embedded_spaces_2.sd             |   6 +
 .../file/allow/ok_embedded_spaces_3.sd             |   6 +
 .../simple_tests/file/allow/ok_inv_char_class.sd   |   7 +
 parser/tst/simple_tests/file/allow/ok_lock_1.sd    |  17 +++
 parser/tst/simple_tests/file/allow/ok_mmap_1.sd    |  12 ++
 parser/tst/simple_tests/file/allow/ok_mmap_2.sd    |  14 ++
 19 files changed, 453 insertions(+)
 create mode 100644 parser/tst/simple_tests/capability/ok_allow1.sd
 create mode 100644 parser/tst/simple_tests/capability/ok_allow2.sd
 create mode 100644 parser/tst/simple_tests/capability/ok_allow3.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_3.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_append_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_2.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_2.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_lock_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_2.sd

diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index d864737..24dd53d 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -74,6 +74,7 @@ static struct keyword_table keyword_table[] = {
 	{"subset",		TOK_SUBSET},
 	{"audit",		TOK_AUDIT},
 	{"deny",		TOK_DENY},
+	{"allow",		TOK_ALLOW},
 	{"set",			TOK_SET},
 	{"rlimit",		TOK_RLIMIT},
 	{"alias",		TOK_ALIAS},
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index d259f50..7b7556c 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -111,6 +111,7 @@ void add_local_entry(struct codomain *cod);
 %token TOK_SUBSET
 %token TOK_AUDIT
 %token TOK_DENY
+%token TOK_ALLOW
 %token TOK_PROFILE
 %token TOK_SET
 %token TOK_ALIAS
@@ -519,6 +520,7 @@ opt_owner_flag: { /* nothing */ $$ = 0; }
 	| TOK_OTHER { $$ = 2; };
 
 opt_deny: { /* nothing */ $$ = 0; }
+	| TOK_ALLOW { $$ = 0; }
 	| TOK_DENY { $$ = 1; }
 
 opt_prefix: opt_audit_flag opt_deny opt_owner_flag
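Review bot: The new `TOK_ALLOW` alternative in `opt_deny` yields the same value as the empty alternative (`$$ = 0`), so `allow` is purely cosmetic and, assuming the parser's existing handling of the deny flag is unchanged, an `allow` rule cannot re-grant what an earlier `deny` on the same object removed; the diffstat shows no change to the apparmor.d(5) manual page, so that is worth stating where users will see it. A one-line comment on the rule would help maintainers as well, e.g. `/* allow is the implicit default and never overrides deny */`. The series also adds no fail_*.sd cases, so the rejection of `allow deny /foo rw,`, `deny allow /foo rw,` and `allow allow /foo rw,` by the single-token `opt_deny` is not pinned by a test.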
diff --git a/parser/tst/simple_tests/capability/ok_allow1.sd b/parser/tst/simple_tests/capability/ok_allow1.sd
new file mode 100644
index 0000000..57eeb3e
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow1.sd
@@ -0,0 +1,156 @@
+#
+#=DESCRIPTION validate some uses of capabilties.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  allow capability chown,
+  allow capability dac_override,
+  allow capability dac_read_search,
+  allow capability fowner,
+  allow capability fsetid,
+  allow capability kill,
+  allow capability setgid,
+  allow capability setuid,
+  allow capability setpcap,
+  allow capability linux_immutable,
+  allow capability net_bind_service,
+  allow capability net_broadcast,
+  allow capability net_admin,
+  allow capability net_raw,
+  allow capability ipc_lock,
+  allow capability ipc_owner,
+  allow capability sys_module,
+  allow capability sys_rawio,
+  allow capability sys_chroot,
+  allow capability sys_ptrace,
+  allow capability sys_pacct,
+  allow capability sys_admin,
+  allow capability sys_boot,
+  allow capability sys_nice,
+  allow capability sys_resource,
+  allow capability sys_time,
+  allow capability sys_tty_config,
+  allow capability mknod,
+  allow capability lease,
+  allow capability audit_write,
+  allow capability audit_control,
+  allow capability setfcap,
+  allow capability mac_override,
+}
+
+/does/not/exist2 {
+  ^chown { 
+    allow capability chown,
+  }
+  ^dac_override { 
+    allow capability dac_override,
+  }
+  ^dac_read_search { 
+    allow capability dac_read_search,
+  }
+  ^fowner { 
+    allow capability fowner,
+  }
+  ^fsetid { 
+    allow capability fsetid,
+  }
+  ^kill { 
+    allow capability kill,
+  }
+  ^setgid { 
+    allow capability setgid,
+  }
+  ^setuid { 
+    allow capability setuid,
+  }
+  ^setpcap { 
+    allow capability setpcap,
+  }
+  ^linux_immutable { 
+    allow capability linux_immutable,
+  }
+  ^net_bind_service { 
+    allow capability net_bind_service,
+  }
+  ^net_broadcast { 
+    allow capability net_broadcast,
+  }
+  ^net_admin { 
+    allow capability net_admin,
+  }
+  ^net_raw { 
+    allow capability net_raw,
+  }
+  ^ipc_lock { 
+    allow capability ipc_lock,
+  }
+  ^ipc_owner { 
+    allow capability ipc_owner,
+  }
+  ^sys_module { 
+    allow capability sys_module,
+  }
+  ^sys_rawio { 
+    allow capability sys_rawio,
+  }
+  ^sys_chroot { 
+    allow capability sys_chroot,
+  }
+  ^sys_ptrace { 
+    allow capability sys_ptrace,
+  }
+  ^sys_pacct { 
+    allow capability sys_pacct,
+  }
+  ^sys_admin { 
+    allow capability sys_admin,
+  }
+  ^sys_boot { 
+    allow capability sys_boot,
+  }
+  ^sys_nice { 
+    allow capability sys_nice,
+  }
+  ^sys_resource { 
+    allow capability sys_resource,
+  }
+  ^sys_time { 
+    allow capability sys_time,
+  }
+  ^sys_tty_config { 
+    allow capability sys_tty_config,
+  }
+  ^mknod { 
+    allow capability mknod,
+  }
+  ^lease { 
+    allow capability lease,
+  }
+  ^audit_write {
+    allow capability audit_write,
+  }
+  ^audit_control {
+    allow capability audit_control,
+  }
+}
+
+# Test for duplicates?
+/does/not/exist3 {
+  allow capability mknod,
+  allow capability mknod,
+}
+
+/does/not/exit101 {
+  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
+
+/does/not/exit102 {
+  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
+
diff --git a/parser/tst/simple_tests/capability/ok_allow2.sd b/parser/tst/simple_tests/capability/ok_allow2.sd
new file mode 100644
index 0000000..e3ad26e
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow2.sd
@@ -0,0 +1,160 @@
+#
+#=DESCRIPTION validate some uses of capabilties.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  audit allow capability chown,
+  audit allow capability dac_override,
+  audit allow capability dac_read_search,
+  audit allow capability fowner,
+  audit allow capability fsetid,
+  audit allow capability kill,
+  audit allow capability setgid,
+  audit allow capability setuid,
+  audit allow capability setpcap,
+  audit allow capability linux_immutable,
+  audit allow capability net_bind_service,
+  audit allow capability net_broadcast,
+  audit allow capability net_admin,
+  audit allow capability net_raw,
+  audit allow capability ipc_lock,
+  audit allow capability ipc_owner,
+  audit allow capability sys_module,
+  audit allow capability sys_rawio,
+  audit allow capability sys_chroot,
+  audit allow capability sys_ptrace,
+  audit allow capability sys_pacct,
+  audit allow capability sys_admin,
+  audit allow capability sys_boot,
+  audit allow capability sys_nice,
+  audit allow capability sys_resource,
+  audit allow capability sys_time,
+  audit allow capability sys_tty_config,
+  audit allow capability mknod,
+  audit allow capability lease,
+  audit allow capability audit_write,
+  audit allow capability audit_control,
+  audit allow capability setfcap,
+  audit allow capability mac_override,
+}
+
+/does/not/exist2 {
+  ^chown {
+    deny capability chown,
+  }
+  ^dac_override {
+    deny capability dac_override,
+  }
+  ^dac_read_search {
+    deny capability dac_read_search,
+  }
+  ^fowner {
+    deny capability fowner,
+  }
+  ^fsetid {
+    deny capability fsetid,
+  }
+  ^kill {
+    deny capability kill,
+  }
+  ^setgid {
+    deny capability setgid,
+  }
+  ^setuid {
+    deny capability setuid,
+  }
+  ^setpcap {
+    deny capability setpcap,
+  }
+  ^linux_immutable {
+    deny capability linux_immutable,
+  }
+  ^net_bind_service {
+    deny capability net_bind_service,
+  }
+  ^net_broadcast {
+    deny capability net_broadcast,
+  }
+  ^net_admin {
+    deny capability net_admin,
+  }
+  ^net_raw {
+    deny capability net_raw,
+  }
+  ^ipc_lock {
+    deny capability ipc_lock,
+  }
+  ^ipc_owner {
+    deny capability ipc_owner,
+  }
+  ^sys_module {
+    deny capability sys_module,
+  }
+  ^sys_rawio {
+    deny capability sys_rawio,
+  }
+  ^sys_chroot {
+    deny capability sys_chroot,
+  }
+  ^sys_ptrace {
+    deny capability sys_ptrace,
+  }
+  ^sys_pacct {
+    deny capability sys_pacct,
+  }
+  ^sys_admin {
+    deny capability sys_admin,
+  }
+  ^sys_boot {
+    deny capability sys_boot,
+  }
+  ^sys_nice {
+    deny capability sys_nice,
+  }
+  ^sys_resource {
+    deny capability sys_resource,
+  }
+  ^sys_time {
+    deny capability sys_time,
+  }
+  ^sys_tty_config {
+    deny capability sys_tty_config,
+  }
+  ^mknod {
+    deny capability mknod,
+  }
+  ^lease {
+    deny capability lease,
+  }
+  ^audit_write {
+    deny capability audit_write,
+  }
+  ^audit_control {
+    deny capability audit_control,
+  }
+}
+
+# Test for duplicates?
+/does/not/exist3 {
+  capability mknod,
+  audit allow capability mknod,
+  deny capability mknod,
+  audit allow capability mknod,
+  deny capability mknod,
+  allow capability mknod,
+}
+
+/does/not/exit101 {
+  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
+
+/does/not/exit102 {
+  audit deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+  deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
+
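Review bot: The `/does/not/exist3` profile near the end of this file mixes `capability mknod`, `audit allow capability mknod`, `deny capability mknod` and `allow capability mknod` under a comment that is itself a question, `# Test for duplicates?`, so a reader cannot tell whether the PASS result is meant to assert that conflicting allow/deny prefixes on one capability are accepted. State the intent, e.g. `# conflicting allow/deny prefixes on one capability must still parse; allow is only the implicit default`. Note that simple_tests only checks that the profile parses (`#=EXRESULT PASS`), so whether `deny` still wins over a later `allow` at policy level is not covered here and would need a separate test.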
diff --git a/parser/tst/simple_tests/capability/ok_allow3.sd b/parser/tst/simple_tests/capability/ok_allow3.sd
new file mode 100644
index 0000000..6dc21a3
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION validate some uses of capabilties.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+	allow capability,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_1.sd b/parser/tst/simple_tests/file/allow/ok_1.sd
new file mode 100644
index 0000000..2d20f86
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic file rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow /usr/bin/foo r,
+}
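Review bot: The new file/allow tests exercise only the bare `allow` prefix, while the grammar hunk composes prefixes as `opt_audit_flag opt_deny opt_owner_flag`, so `audit allow owner /usr/bin/foo r,` should pass and `owner allow /usr/bin/foo r,` should fail, and neither ordering is covered by this file or the other new file/allow fixtures. Adding an ok_ case for the former and a fail_ case for the latter would pin the prefix ordering that the grammar change relies on.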
diff --git a/parser/tst/simple_tests/file/allow/ok_3.sd b/parser/tst/simple_tests/file/allow/ok_3.sd
new file mode 100644
index 0000000..0c7da93
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION A simple successful profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow /usr/bin/foo r,
+  allow /usr/bin/blah rix,
+}
+
diff --git a/parser/tst/simple_tests/file/allow/ok_append_1.sd b/parser/tst/simple_tests/file/allow/ok_append_1.sd
new file mode 100644
index 0000000..01792f3
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_append_1.sd
@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION test append
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow /bin/cat a,
+  allow /bin/true ra,
+  allow /bin/false ma,
+  allow /lib/libc.so la,
+  allow /bin/less ixa,
+  allow /bin/more pxa,
+  allow /a uxa,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_carat_1.sd b/parser/tst/simple_tests/file/allow/ok_carat_1.sd
new file mode 100644
index 0000000..6199607
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_carat_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow /foo^bar r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_carat_2.sd b/parser/tst/simple_tests/file/allow/ok_carat_2.sd
new file mode 100644
index 0000000..7521a8e
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_carat_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION trailing carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow /foo/bar^ r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_comma_1.sd b/parser/tst/simple_tests/file/allow/ok_comma_1.sd
new file mode 100644
index 0000000..1b12577
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_comma_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION comma in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow /foo,bar r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_comma_2.sd b/parser/tst/simple_tests/file/allow/ok_comma_2.sd
new file mode 100644
index 0000000..4979da8
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_comma_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION comma at end of pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow "/foobar," r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
new file mode 100644
index 0000000..52b373f
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+/bin/foo {
+  allow "/abc\ def" r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
new file mode 100644
index 0000000..f22ea3a
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+/bin/foo {
+  allow "/abc def" r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
new file mode 100644
index 0000000..7c72166
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+"/bin/fo o" {
+  allow "/abc def" r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd b/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
new file mode 100644
index 0000000..c35e528
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+   allow /foo[^me]bar r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_lock_1.sd b/parser/tst/simple_tests/file/allow/ok_lock_1.sd
new file mode 100644
index 0000000..e67e635
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_lock_1.sd
@@ -0,0 +1,17 @@
+#
+#=DESCRIPTION k and other perms do not conflict
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow /bin/a k,
+  allow /bin/b rk,
+  allow /bin/c wk,
+  allow /bin/d ak,
+  allow /bin/e lk,
+  allow /bin/e mk,
+  allow /bin/f pxk,
+  allow /bin/g Pxk,
+  allow /bin/h ixk,
+  allow /bin/i uxk,
+  allow /bin/j Uxk,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_mmap_1.sd b/parser/tst/simple_tests/file/allow/ok_mmap_1.sd
new file mode 100644
index 0000000..4d62d54
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_mmap_1.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION m and [uUpPi]x do not conflict
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow /bin/cat mix,
+  allow /bin/true mpx,
+  allow /bin/false mux,
+  allow /lib/libc.so rwlm,
+  allow /bin/less mUx,
+  allow /bin/more mPx,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_mmap_2.sd b/parser/tst/simple_tests/file/allow/ok_mmap_2.sd
new file mode 100644
index 0000000..487be5a
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_mmap_2.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION m and [upi]x do not conflict, seperate rules
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+  allow /bin/cat rm,
+  allow /bin/cat ix,
+  allow /bin/true px,
+  allow /bin/true m,
+  allow /bin/false m,
+  allow /bin/false ux,
+  allow /lib/libc.so rwl,
+  allow /lib/libc.so m,
+}
-- 
1.8.3.2



