[apparmor] [PATCH 3/8] add optional allow prefix to the language

Steve Beattie steve at nxnw.org
Thu Sep 12 22:48:18 UTC 2013


On Wed, Sep 11, 2013 at 01:47:42AM -0700, Tyler Hicks wrote:
> From: John Johansen <john.johansen at canonical.com>
> 
> let allow be used as a prefix in place of deny.  Allow is the default
> and is implicit so it is not needed but some user keep tripping over
> it, and it makes the language more symmetric
> 
>    eg.
>       /foo rw,
>       allow /foo rw,
>       deny /foo rw,
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

A couple of comments:

> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index d259f50..7b7556c 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -519,6 +520,7 @@ opt_owner_flag: { /* nothing */ $$ = 0; }
>  	| TOK_OTHER { $$ = 2; };
>  
>  opt_deny: { /* nothing */ $$ = 0; }
> +	| TOK_ALLOW { $$ = 0; }
>  	| TOK_DENY { $$ = 1; }

It's a little odd to keep the rule as 'opt_deny' when it now accepts
the 'allow' keyword. I'm at a little loss as to what to call it,
perhaps 'opt_perm_type'?

>  opt_prefix: opt_audit_flag opt_deny opt_owner_flag
> diff --git a/parser/tst/simple_tests/capability/ok_allow1.sd b/parser/tst/simple_tests/capability/ok_allow1.sd

I know the ok_allow{1,2}.sd tests are mimicking the layout of existing
tests, but as an organizational point, I'd prefer to see these broken up
a bit to help keep test cases smaller on better focused. So for example,
breaking up ok_allow1.sd into 3 or more tests:

 - one with the does_not_exist profile
 - one with the does_not_exist2 profile and hats
 - the trailing profiles into one test or separate tests

Editing the DESCRIPTION to clarify the specific language element they're
focused on helps, too, for later trying to figure out what's going on
when a test starts failing (and for reviewing to see if the tests
implement their intent).

> new file mode 100644
> index 0000000..57eeb3e
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow1.sd
> @@ -0,0 +1,156 @@
> +#
> +#=DESCRIPTION validate some uses of capabilties.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> +  allow capability chown,
> +  allow capability dac_override,
> +  allow capability dac_read_search,
> +  allow capability fowner,
> +  allow capability fsetid,
> +  allow capability kill,
> +  allow capability setgid,
> +  allow capability setuid,
> +  allow capability setpcap,
> +  allow capability linux_immutable,
> +  allow capability net_bind_service,
> +  allow capability net_broadcast,
> +  allow capability net_admin,
> +  allow capability net_raw,
> +  allow capability ipc_lock,
> +  allow capability ipc_owner,
> +  allow capability sys_module,
> +  allow capability sys_rawio,
> +  allow capability sys_chroot,
> +  allow capability sys_ptrace,
> +  allow capability sys_pacct,
> +  allow capability sys_admin,
> +  allow capability sys_boot,
> +  allow capability sys_nice,
> +  allow capability sys_resource,
> +  allow capability sys_time,
> +  allow capability sys_tty_config,
> +  allow capability mknod,
> +  allow capability lease,
> +  allow capability audit_write,
> +  allow capability audit_control,
> +  allow capability setfcap,
> +  allow capability mac_override,
> +}
> +
> +/does/not/exist2 {
> +  ^chown { 
> +    allow capability chown,
> +  }
> +  ^dac_override { 
> +    allow capability dac_override,
> +  }
> +  ^dac_read_search { 
> +    allow capability dac_read_search,
> +  }
> +  ^fowner { 
> +    allow capability fowner,
> +  }
> +  ^fsetid { 
> +    allow capability fsetid,
> +  }
> +  ^kill { 
> +    allow capability kill,
> +  }
> +  ^setgid { 
> +    allow capability setgid,
> +  }
> +  ^setuid { 
> +    allow capability setuid,
> +  }
> +  ^setpcap { 
> +    allow capability setpcap,
> +  }
> +  ^linux_immutable { 
> +    allow capability linux_immutable,
> +  }
> +  ^net_bind_service { 
> +    allow capability net_bind_service,
> +  }
> +  ^net_broadcast { 
> +    allow capability net_broadcast,
> +  }
> +  ^net_admin { 
> +    allow capability net_admin,
> +  }
> +  ^net_raw { 
> +    allow capability net_raw,
> +  }
> +  ^ipc_lock { 
> +    allow capability ipc_lock,
> +  }
> +  ^ipc_owner { 
> +    allow capability ipc_owner,
> +  }
> +  ^sys_module { 
> +    allow capability sys_module,
> +  }
> +  ^sys_rawio { 
> +    allow capability sys_rawio,
> +  }
> +  ^sys_chroot { 
> +    allow capability sys_chroot,
> +  }
> +  ^sys_ptrace { 
> +    allow capability sys_ptrace,
> +  }
> +  ^sys_pacct { 
> +    allow capability sys_pacct,
> +  }
> +  ^sys_admin { 
> +    allow capability sys_admin,
> +  }
> +  ^sys_boot { 
> +    allow capability sys_boot,
> +  }
> +  ^sys_nice { 
> +    allow capability sys_nice,
> +  }
> +  ^sys_resource { 
> +    allow capability sys_resource,
> +  }
> +  ^sys_time { 
> +    allow capability sys_time,
> +  }
> +  ^sys_tty_config { 
> +    allow capability sys_tty_config,
> +  }
> +  ^mknod { 
> +    allow capability mknod,
> +  }
> +  ^lease { 
> +    allow capability lease,
> +  }
> +  ^audit_write {
> +    allow capability audit_write,
> +  }
> +  ^audit_control {
> +    allow capability audit_control,
> +  }
> +}
> +
> +# Test for duplicates?
> +/does/not/exist3 {
> +  allow capability mknod,
> +  allow capability mknod,
> +}
> +
> +/does/not/exit101 {
> +  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +}
> +
> +/does/not/exit102 {
> +  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +}
> +
> diff --git a/parser/tst/simple_tests/capability/ok_allow2.sd b/parser/tst/simple_tests/capability/ok_allow2.sd

Is the following test case supposed to be testing

  audit allow capability CAPNAME,

syntax? Because the hat tests in /does/not/exist2 don't do that.

> new file mode 100644
> index 0000000..e3ad26e
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow2.sd
> @@ -0,0 +1,160 @@
> +#
> +#=DESCRIPTION validate some uses of capabilties.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> +  audit allow capability chown,
> +  audit allow capability dac_override,
> +  audit allow capability dac_read_search,
> +  audit allow capability fowner,
> +  audit allow capability fsetid,
> +  audit allow capability kill,
> +  audit allow capability setgid,
> +  audit allow capability setuid,
> +  audit allow capability setpcap,
> +  audit allow capability linux_immutable,
> +  audit allow capability net_bind_service,
> +  audit allow capability net_broadcast,
> +  audit allow capability net_admin,
> +  audit allow capability net_raw,
> +  audit allow capability ipc_lock,
> +  audit allow capability ipc_owner,
> +  audit allow capability sys_module,
> +  audit allow capability sys_rawio,
> +  audit allow capability sys_chroot,
> +  audit allow capability sys_ptrace,
> +  audit allow capability sys_pacct,
> +  audit allow capability sys_admin,
> +  audit allow capability sys_boot,
> +  audit allow capability sys_nice,
> +  audit allow capability sys_resource,
> +  audit allow capability sys_time,
> +  audit allow capability sys_tty_config,
> +  audit allow capability mknod,
> +  audit allow capability lease,
> +  audit allow capability audit_write,
> +  audit allow capability audit_control,
> +  audit allow capability setfcap,
> +  audit allow capability mac_override,
> +}
> +
> +/does/not/exist2 {
> +  ^chown {
> +    deny capability chown,
> +  }
> +  ^dac_override {
> +    deny capability dac_override,
> +  }
> +  ^dac_read_search {
> +    deny capability dac_read_search,
> +  }
> +  ^fowner {
> +    deny capability fowner,
> +  }
> +  ^fsetid {
> +    deny capability fsetid,
> +  }
> +  ^kill {
> +    deny capability kill,
> +  }
> +  ^setgid {
> +    deny capability setgid,
> +  }
> +  ^setuid {
> +    deny capability setuid,
> +  }
> +  ^setpcap {
> +    deny capability setpcap,
> +  }
> +  ^linux_immutable {
> +    deny capability linux_immutable,
> +  }
> +  ^net_bind_service {
> +    deny capability net_bind_service,
> +  }
> +  ^net_broadcast {
> +    deny capability net_broadcast,
> +  }
> +  ^net_admin {
> +    deny capability net_admin,
> +  }
> +  ^net_raw {
> +    deny capability net_raw,
> +  }
> +  ^ipc_lock {
> +    deny capability ipc_lock,
> +  }
> +  ^ipc_owner {
> +    deny capability ipc_owner,
> +  }
> +  ^sys_module {
> +    deny capability sys_module,
> +  }
> +  ^sys_rawio {
> +    deny capability sys_rawio,
> +  }
> +  ^sys_chroot {
> +    deny capability sys_chroot,
> +  }
> +  ^sys_ptrace {
> +    deny capability sys_ptrace,
> +  }
> +  ^sys_pacct {
> +    deny capability sys_pacct,
> +  }
> +  ^sys_admin {
> +    deny capability sys_admin,
> +  }
> +  ^sys_boot {
> +    deny capability sys_boot,
> +  }
> +  ^sys_nice {
> +    deny capability sys_nice,
> +  }
> +  ^sys_resource {
> +    deny capability sys_resource,
> +  }
> +  ^sys_time {
> +    deny capability sys_time,
> +  }
> +  ^sys_tty_config {
> +    deny capability sys_tty_config,
> +  }
> +  ^mknod {
> +    deny capability mknod,
> +  }
> +  ^lease {
> +    deny capability lease,
> +  }
> +  ^audit_write {
> +    deny capability audit_write,
> +  }
> +  ^audit_control {
> +    deny capability audit_control,
> +  }
> +}
> +
> +# Test for duplicates?
> +/does/not/exist3 {
> +  capability mknod,
> +  audit allow capability mknod,
> +  deny capability mknod,
> +  audit allow capability mknod,
> +  deny capability mknod,
> +  allow capability mknod,
> +}
> +

What's the testing intent with the following 2 test profiles?

> +/does/not/exit101 {
> +  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +}
> +
> +/does/not/exit102 {
> +  audit deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +  deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +}
> +
> diff --git a/parser/tst/simple_tests/capability/ok_allow3.sd b/parser/tst/simple_tests/capability/ok_allow3.sd
> new file mode 100644
> index 0000000..6dc21a3
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow3.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION validate some uses of capabilties.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +/does/not/exist {
> +	allow capability,
> +}

Do you also want a test profile like

  /does/not/exist2 {
    ^capability {
	allow capability,
    }
  }

as well? And 'audit allow' cases as well?

Some negative cases like e.g. 'allow deny STUFF' would probably be
useful, too.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130912/f0ac22e9/attachment-0001.pgp>


More information about the AppArmor mailing list