[apparmor] [PATCH 3/8] add optional allow prefix to the language v2

Christian Boltz apparmor at cboltz.de
Tue Sep 17 12:01:44 UTC 2013


Hello,

On Monday, 16 September 2013, Steve Beattie wrote:
>       - fix a bug in apparmor.vim to let it recognize multiple
> 	capability entries in a single line.

I didn't know this was possible ;-)

@Kshitij: you'll also need to allow this in the py tools.

> Index: b/parser/tst/simple_tests/capability/ok_allow1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow1.sd
> @@ -0,0 +1,41 @@
> +#
> +#=DESCRIPTION validate uses of allow/capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

new files should use
    # vim:syntax=apparmor
(and when you are bored, you should also change all existing profiles ;-)

> Index: b/parser/tst/simple_tests/capability/ok_allow2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow2.sd
> @@ -0,0 +1,101 @@
> +#
> +#=DESCRIPTION validate uses of allow/capabilities in hats
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

same here...

> Index: b/parser/tst/simple_tests/capability/ok_allow3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow3.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION validate allow w/multiple capabilities in a line.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... and here

> +++ b/parser/tst/simple_tests/file/allow/ok_1.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_3.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_append_1.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_carat_1.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_carat_2.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_comma_1.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_comma_2.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_lock_1.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_mmap_1.sd

> +++ b/parser/tst/simple_tests/file/allow/ok_mmap_2.sd

All those files don't have a vim: header. Maybe you can add it?


> Index: b/utils/vim/create-apparmor.vim.py
> ===================================================================
> --- a/utils/vim/create-apparmor.vim.py
> +++ b/utils/vim/create-apparmor.vim.py

> -    'FILE':             r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
> +    'FILE':             r'\v^\s*(audit\s+)?((deny|allow)\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
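Review bot: the new `((deny|allow)\s+)?` spends two capturing groups where the old `(deny\s+)?` used one, and Vim refuses a pattern with more than nine `\(` groups; either keep the single-group form `(deny\s+|allow\s+)?`, or, since these patterns are in `\v` mode, make the inner alternation non-capturing with `%(deny|allow)\s+`.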

vi has a restriction on how many (...) you use per line (IIRC 9 - I hit 
the limit in the past), so we shouldn't add (...) if not really needed.

Please use   (deny\s+|allow\s+)   instead of   ((deny|allow)\s+)
(like you did for 'auditdenyowner' and 'auditdeny')


> Index: b/parser/tst/simple_tests/capability/ok_allow4.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow4.sd
> @@ -0,0 +1,41 @@
> +#
> +#=DESCRIPTION validate audit allow w/capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

..=apparmor

> Index: b/parser/tst/simple_tests/capability/ok_allow5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow5.sd
> @@ -0,0 +1,102 @@
> +#
> +#=DESCRIPTION validate audit allow w/capabilities in hats.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

same here...

> Index: b/parser/tst/simple_tests/capability/ok_allow6.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow6.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION validate audit allow w/multiple capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... and here ...

> Index: b/parser/tst/simple_tests/capability/ok_allow7.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow7.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION validate allow with bare capability keyword.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... and here ...

> Index: b/parser/tst/simple_tests/capability/ok_allow9.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow9.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION validate audit allow with bare capability keyword.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... and here ...

> Index: b/parser/tst/simple_tests/capability/ok_dup_allow1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow1.sd
> @@ -0,0 +1,12 @@
> +#
> +#=DESCRIPTION validate allow of duplicate capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... and here ...

> Index: b/parser/tst/simple_tests/capability/ok_dup_allow2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow2.sd
> @@ -0,0 +1,12 @@
> +#
> +#=DESCRIPTION validate audit allow of duplicate capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... and here ...

> Index: b/parser/tst/simple_tests/capability/ok_dup_allow3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow3.sd
> @@ -0,0 +1,14 @@
> +#
> +#=DESCRIPTION  validate allow of duplicate multiple capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... and here ...

> Index: b/parser/tst/simple_tests/capability/ok_dup_allow4.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow4.sd
> @@ -0,0 +1,14 @@
> +#
> +#=DESCRIPTION  validate audit allow of duplicate multiple
> capabilities. +#=EXRESULT PASS
> +# vim:syntax=subdomain
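Review bot: in the quoted hunk the `#=DESCRIPTION` line runs into `+#=EXRESULT PASS` on the same line (`capabilities. +#=EXRESULT PASS`); if that is only the mail client wrapping, fine, but if the committed file really has both on one line the test harness will not find an `#=EXRESULT` marker, so it is worth checking the file before applying.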

... and here ...

> Index: b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
> @@ -0,0 +1,17 @@
> +#
> +#=DESCRIPTION  validate duplicate multiple capabilities w/differing
> perm mods. +#=EXRESULT PASS
> +# vim:syntax=subdomain
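Review bot: same wrapping problem as in ok_dup_allow4.sd: `perm mods. +#=EXRESULT PASS` sits on one line in the quoted hunk, so confirm the `#=EXRESULT PASS` marker is on its own line in the actual file.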

... and here

> Index: b/utils/vim/apparmor.vim.in
> ===================================================================
> --- a/utils/vim/apparmor.vim.in
> +++ b/utils/vim/apparmor.vim.in
> @@ -132,7 +132,7 @@ syn keyword  sdCapKey          @@sdKapKe

> -syn match  sdCap /\v^\s*@@auditdeny@@capability\s+(@@sdKapKeyRegex@@)                         @@EOL@@ ...
> +syn match  sdCap /\v^\s*@@auditdeny@@capability\s+((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)@@EOL@@ ...
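Review bot: neither `(@@sdKapKeyRegex@@)` in the new `((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)` is referred back to, so in this `\v` pattern all three parentheses can be non-capturing `%(...)` groups; that keeps the match within Vim's nine-group limit as more modifiers (allow, audit, owner) are added to the prefix.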
(lines shortened for readability)

Looks good, even if it adds two more (...) ;-)

The more interesting question is: how do we color the line if it contains
"dangerous" and "normal" capabilities?

> Index: b/parser/tst/simple_tests/capability/ok_allow10.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow10.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION validate audit allow with bare capability in hat.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... =apparmor

> Index: b/parser/tst/simple_tests/capability/ok_allow8.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow8.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION validate allow with bare capability in hat.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

same here...

> Index: b/parser/tst/simple_tests/capability/ok_dup_allow6.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow6.sd
> @@ -0,0 +1,16 @@
> +#
> +#=DESCRIPTION validate duplicate capability entries.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain

... and here ...

> Index: b/parser/tst/simple_tests/capability/bad_5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/bad_5.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION fail conflicting perm mod same line
> +#=EXRESULT FAIL
> +# vim:syntax=subdomain

... and here ...

> Index: b/parser/tst/simple_tests/capability/bad_6.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/bad_6.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION fail conflicting perm mod same line
> +#=EXRESULT FAIL
> +# vim:syntax=subdomain
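Review bot: bad_5.sd and bad_6.sd carry the identical description `fail conflicting perm mod same line`; give each a description that names the specific conflict it exercises, so that a failure in one of them is meaningful on its own without opening the file.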

... and here ;-)

In other words: please s/syntax=subdomain/syntax=apparmor/ in the patch ;-)


Regards,

Christian Boltz
-- 
Anyone else I would now ask for the corresponding bug report, but you
presumably co-invented Bugzilla and are mentioned somewhere in the
OpenSUSE acknowledgements - NOT. [Martin Schröder in opensuse-de]
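As an added example (not code from the patch, the AppArmor tools or the vim syntax file), the two points above in runnable form: a counter for capturing groups in a very-magic Vim pattern, to show that `(deny\s+|allow\s+)?` costs one group where `((deny|allow)\s+)?` costs two against Vim's nine-group limit, and a Python translation of the patched multi-capability `sdCap` match that returns every capability name on the line, which is the information a highlighter would need to colour "dangerous" and "normal" capabilities differently. The capability name list, the dangerous/normal split and the expansions of the `@@auditdeny@@` and `@@EOL@@` template tokens are assumptions made for the example.

```python
import re

# Constructed samples of the two 'FILE' rule patterns discussed in the review
# (very-magic Vim syntax, \v; the `filename` fragment appended in
# create-apparmor.vim.py is left out because it does not change the count).
PATTERN_NESTED = r'\v^\s*(audit\s+)?((deny|allow)\s+)?(owner\s+)?'
PATTERN_FLAT = r'\v^\s*(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?'

# Vim refuses a pattern with more than nine capturing groups ("E51: Too many \(").
VIM_GROUP_LIMIT = 9


def count_vim_groups(pattern):
    """Count capturing groups in a very-magic (\\v) Vim pattern.

    In \\v mode a bare '(' opens a capturing group, '%(' opens a
    non-capturing one, '\\(' is a literal parenthesis and anything inside
    a [...] collection is literal.  Escapes such as \\s are skipped whole.
    """
    groups = 0
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':            # \v, \s, \(, ... : skip the escaped char
            i += 2
        elif c == '[':           # collection: skip to its closing bracket
            end = pattern.find(']', i + 2)
            i = len(pattern) if end == -1 else end + 1
        elif c == '%' and pattern.startswith('(', i + 1):
            i += 2               # %( is non-capturing
        else:
            if c == '(':
                groups += 1
            i += 1
    return groups


def exceeds_vim_limit(pattern):
    return count_vim_groups(pattern) > VIM_GROUP_LIMIT


# Constructed subset of capability names standing in for @@sdKapKeyRegex@@.
CAP_NAMES = ['chown', 'dac_override', 'net_admin', 'setuid', 'sys_admin', 'sys_module']
# Constructed split into "dangerous" and "normal" capabilities, the
# distinction the review asks how to colour when both appear on one line.
DANGEROUS_CAPS = {'dac_override', 'sys_admin', 'sys_module'}

_NAME = '|'.join(CAP_NAMES)
# Python translation of the patched sdCap match: optional audit/deny/allow
# prefix (assumed expansion of @@auditdeny@@), the keyword, one or more
# whitespace-separated names, then the rule-ending comma and an optional
# trailing comment (assumed expansion of @@EOL@@).
CAP_RULE = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<mode>deny\s+|allow\s+)?capability\s+'
    r'(?P<caps>(?:(?:' + _NAME + r')\s+)*(?:' + _NAME + r'))'
    r'\s*,\s*(?:#.*)?$'
)


def parse_capability_rule(line):
    """Return modifiers, capability names and which of them are dangerous,
    or None if the line is not a capability rule with at least one name
    (the quoted pattern requires a name, so bare `capability,` is not matched)."""
    m = CAP_RULE.match(line)
    if m is None:
        return None
    mods = []
    if m.group('audit'):
        mods.append('audit')
    if m.group('mode'):
        mods.append(m.group('mode').strip())
    caps = m.group('caps').split()
    return {
        'mods': mods,
        'caps': caps,
        'dangerous': [c for c in caps if c in DANGEROUS_CAPS],
    }


if __name__ == '__main__':
    for p in (PATTERN_NESTED, PATTERN_FLAT):
        print(count_vim_groups(p), 'groups in', p)
    for rule in ('  audit deny capability net_admin sys_admin,',
                 'capability chown, # one name',
                 'capability,'):
        print(repr(rule), '->', parse_capability_rule(rule))
```

Because a single `syn match` yields one region, the per-name list returned here is the piece a syntax file cannot get from the whole-line match alone; colouring dangerous names differently would need a separate per-keyword match (or a contained match) rather than one colour for the whole rule.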
