[apparmor] [PATCH 3/8] add optional allow prefix to the language v2

Seth Arnold seth.arnold at canonical.com
Tue Sep 17 00:06:51 UTC 2013


On Mon, Sep 16, 2013 at 04:49:49PM -0700, Steve Beattie wrote:
> Index: b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
> @@ -0,0 +1,17 @@
> +#
> +#=DESCRIPTION  validate duplicate multiple capabilities w/differing perm mods.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
> +# Last Modified: Sun Apr 17 19:44:44 2005
> +#
> +
> +/does/not/exit102 {
> +  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +  audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +  audit deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +
> +  deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
> +}
> +
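Review bot: the `# Last Modified: Sun Apr 17 19:44:44 2005` header in the new file is stale for a test added in this 2013 patch (it looks copied from an older template); refresh it or drop it. The `#=DESCRIPTION` line would also be clearer if it said that allow and deny of the same capabilities within one profile are expected to parse, with deny subtracting from allow, so the `#=EXRESULT PASS` expectation is documented beside the four rules that exercise it.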

I think I'd expect the above to FAIL instead of PASS -- 'allow capability
chown' followed by 'deny capability chown' doesn't make much sense. I know
we've decided that 'deny' rules should subtract from the profile, but
having two conflicting lines in one profile hurts my head.

This feels complicated.

What should happen in these cases? (Using without loss of generality
'chown'...)

profile a {
  allow capability chown,
  deny capability chown,
}

profile b {
  allow capability chown,
  deny capability,
}

profile c {
  allow capability,
  deny capability chown,
}


profile aa {
  capability chown,
  deny capability chown,
}

profile bb {
  capability chown,
  deny capability,
}

profile cc {
  capability,
  deny capability chown,
}


Thanks
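The six profiles above can be worked through mechanically. The following is an added example, not AppArmor's own parser and not code from this patch; it models only what the thread states: `allow` is an optional prefix (so `capability chown,` and `allow capability chown,` are the same rule), `deny` subtracts from the profile regardless of rule order, and a bare `capability,` means every capability. The capability list is the one spelled out in the quoted test file; the profile text is the one from the mail, embedded inline.

```python
"""Toy model of how conflicting AppArmor capability rules resolve.

Added illustration, not AppArmor's parser.  Assumes the semantics stated in
the thread: 'allow' is an optional prefix, 'deny' subtracts from the profile
whatever the rule order, and a bare 'capability,' means every capability.
"""
import re

# Capability names exactly as listed in the quoted ok_dup_allow5.sd.
ALL_CAPS = frozenset("""chown dac_override dac_read_search fowner fsetid kill
setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin
net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control""".split())

# [audit] [allow|deny] capability [name ...],
RULE_RE = re.compile(
    r"^\s*(?:(audit)\s+)?(?:(allow|deny)\s+)?capability((?:\s+\w+)*)\s*,\s*$")


def parse_rule(line):
    """Return (audit, mode, caps) for one capability rule, or None if the
    line is not a capability rule.  Unknown capability names are an error."""
    m = RULE_RE.match(line)
    if not m:
        return None
    audit, mode, caps = m.groups()
    mode = mode or "allow"                      # 'allow' is the implicit default
    names = set(caps.split()) or set(ALL_CAPS)  # bare 'capability,' = all caps
    unknown = names - ALL_CAPS
    if unknown:
        raise ValueError("unknown capability: " + ", ".join(sorted(unknown)))
    return bool(audit), mode, frozenset(names)


def parse_profiles(text):
    """Parse '[profile] NAME { rules }' blocks into {name: [rules]}."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = re.match(r"^(?:profile\s+)?(\S+)\s*\{$", line)
        if head:
            current = head.group(1)
            profiles[current] = []
            continue
        if line == "}":
            current = None
            continue
        rule = parse_rule(line)
        if rule is None or current is None:
            raise ValueError("cannot parse line: %r" % raw)
        profiles[current].append(rule)
    return profiles


def effective(rules):
    """Resolve a rule list: allowed = union(allow) - union(deny), independent
    of order.  'conflicts' is what a lint for 'allow X' + 'deny X' would flag."""
    allowed, denied = set(), set()
    for _audit, mode, caps in rules:
        (allowed if mode == "allow" else denied).update(caps)
    return {"allowed": frozenset(allowed - denied),
            "denied": frozenset(denied),
            "conflicts": frozenset(allowed & denied)}


def resolve(text):
    """Effective capability sets for every profile in 'text'."""
    return {name: effective(rules) for name, rules in parse_profiles(text).items()}


# The six profiles from the mail (constructed inline so this runs offline).
PROFILES = """
profile a {  allow capability chown,  deny capability chown, }
profile b {  allow capability chown,  deny capability, }
profile c {  allow capability,  deny capability chown, }
profile aa {  capability chown,  deny capability chown, }
profile bb {  capability chown,  deny capability, }
profile cc {  capability,  deny capability chown, }
""".replace("{  ", "{\n  ").replace(",  ", ",\n  ").replace(", }", ",\n}")

if __name__ == "__main__":
    for name, result in resolve(PROFILES).items():
        print("%-3s allowed=%-3d conflicts=%s" % (
            name, len(result["allowed"]), sorted(result["conflicts"])))
```

Under the subtract-on-deny rule, `a`, `b`, `aa` and `bb` end up with no capabilities at all, and `c` and `cc` end up with everything except `chown`; the `allow`-prefixed and prefix-less forms are indistinguishable. Every one of the six carries `chown` in both an allow and a deny rule, which is exactly the pattern a parser warning, rather than a silent PASS, would surface.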