[apparmor] [PATCH 3/8] add optional allow prefix to the language v2
Christian Boltz
apparmor at cboltz.de
Tue Sep 17 12:01:44 UTC 2013
Hello,
On Monday, 16 September 2013, Steve Beattie wrote:
> - fix a bug in apparmor.vim to let it recognize multiple
> capability entries in a single line.
I didn't know this was possible ;-)
@Kshitij: you'll also need to allow this in the py tools.
> Index: b/parser/tst/simple_tests/capability/ok_allow1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow1.sd
> @@ -0,0 +1,41 @@
> +#
> +#=DESCRIPTION validate uses of allow/capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
new files should use
# vim:syntax=apparmor
(and when you are bored, you should also change all existing profiles ;-)
> Index: b/parser/tst/simple_tests/capability/ok_allow2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow2.sd
> @@ -0,0 +1,101 @@
> +#
> +#=DESCRIPTION validate uses of allow/capabilities in hats
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
same here...
> Index: b/parser/tst/simple_tests/capability/ok_allow3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow3.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION validate allow w/multiple capabilities in a line.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here
> +++ b/parser/tst/simple_tests/file/allow/ok_1.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_3.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_append_1.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_carat_1.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_carat_2.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_comma_1.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_comma_2.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_lock_1.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_mmap_1.sd
> +++ b/parser/tst/simple_tests/file/allow/ok_mmap_2.sd
All those files don't have a vim: header. Maybe you can add it?
> Index: b/utils/vim/create-apparmor.vim.py
> ===================================================================
> --- a/utils/vim/create-apparmor.vim.py
> +++ b/utils/vim/create-apparmor.vim.py
> - 'FILE': r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
> + 'FILE': r'\v^\s*(audit\s+)?((deny|allow)\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
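Review bot: `((deny|allow)\s+)?` spends two numbered groups where `(deny\s+|allow\s+)?` needs one and accepts exactly the same text; Vim refuses a pattern with more than nine `\(` groups (E51), and `FILE` already carries groups for `audit`, `owner` and the filename, so the alternation should not add a second one. The hunk also does not show whether `allow` was added to the keyword highlight group, so a rule starting with `allow` may now be recognised as a file rule while the word itself stays in the default colour.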
vi has a restriction on how many (...) you use per line (IIRC 9 - I hit
the limit in the past), so we shouldn't add (...) if not really needed.
Please use (deny\s+|allow\s+) instead of ((deny|allow)\s+)
(like you did for 'auditdenyowner' and 'auditdeny')
> Index: b/parser/tst/simple_tests/capability/ok_allow4.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow4.sd
> @@ -0,0 +1,41 @@
> +#
> +#=DESCRIPTION validate audit allow w/capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
..=apparmor
> Index: b/parser/tst/simple_tests/capability/ok_allow5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow5.sd
> @@ -0,0 +1,102 @@
> +#
> +#=DESCRIPTION validate audit allow w/capabilities in hats.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
same here...
> Index: b/parser/tst/simple_tests/capability/ok_allow6.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow6.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION validate audit allow w/multiple capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/ok_allow7.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow7.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION validate allow with bare capability keyword.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/ok_allow9.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow9.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION validate audit allow with bare capability keyword.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/ok_dup_allow1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow1.sd
> @@ -0,0 +1,12 @@
> +#
> +#=DESCRIPTION validate allow of duplicate capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/ok_dup_allow2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow2.sd
> @@ -0,0 +1,12 @@
> +#
> +#=DESCRIPTION validate audit allow of duplicate capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/ok_dup_allow3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow3.sd
> @@ -0,0 +1,14 @@
> +#
> +#=DESCRIPTION validate allow of duplicate multiple capabilities.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/ok_dup_allow4.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow4.sd
> @@ -0,0 +1,14 @@
> +#
> +#=DESCRIPTION validate audit allow of duplicate multiple
> capabilities. +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
> @@ -0,0 +1,17 @@
> +#
> +#=DESCRIPTION validate duplicate multiple capabilities w/differing
> perm mods. +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here
> Index: b/utils/vim/apparmor.vim.in
> ===================================================================
> --- a/utils/vim/apparmor.vim.in
> +++ b/utils/vim/apparmor.vim.in
> @@ -132,7 +132,7 @@ syn keyword sdCapKey @@sdKapKe
> -syn match sdCap /\v^\s*@@auditdeny@@capability\s+(@@sdKapKeyRegex@@) @@EOL@@ ...
> +syn match sdCap /\v^\s*@@auditdeny@@capability\s+((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)@@EOL@@ ...
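Review bot: the rewritten pattern drops the literal space that sat between `(@@sdKapKeyRegex@@)` and `@@EOL@@` in the old line and makes the separator between keywords a strict `\s+`; unless `@@EOL@@` itself allows optional whitespace before the terminating comma, a rule written as `capability chown ,` that matched before will lose its highlighting. Either keep `\s*` in front of `@@EOL@@` or confirm the macro already covers it.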
(lines shortened for readability)
Looks good, even if it adds two more (...) ;-)
The more interesting question is: how do we color the line if it contains
"dangerous" and "normal" capabilities?
> Index: b/parser/tst/simple_tests/capability/ok_allow10.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow10.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION validate audit allow with bare capability in hat.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... =apparmor
> Index: b/parser/tst/simple_tests/capability/ok_allow8.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_allow8.sd
> @@ -0,0 +1,11 @@
> +#
> +#=DESCRIPTION validate allow with bare capability in hat.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
same here...
> Index: b/parser/tst/simple_tests/capability/ok_dup_allow6.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/ok_dup_allow6.sd
> @@ -0,0 +1,16 @@
> +#
> +#=DESCRIPTION validate duplicate capability entries.
> +#=EXRESULT PASS
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/bad_5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/bad_5.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION fail conflicting perm mod same line
> +#=EXRESULT FAIL
> +# vim:syntax=subdomain
... and here ...
> Index: b/parser/tst/simple_tests/capability/bad_6.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/capability/bad_6.sd
> @@ -0,0 +1,9 @@
> +#
> +#=DESCRIPTION fail conflicting perm mod same line
> +#=EXRESULT FAIL
> +# vim:syntax=subdomain
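Review bot: bad_6.sd carries the same `#=DESCRIPTION fail conflicting perm mod same line` as bad_5.sd, so a failing test run cannot tell from the description which combination each file exercises; state the specific prefix pair each file covers in its description.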
... and here ;-)
In other words: please s/syntax=subdomain/syntax=apparmor/ in the patch ;-)
Regards,
Christian Boltz
--
I would now ask others for the corresponding bug report, but you presumably co-invented Bugzilla and are mentioned somewhere in the OpenSUSE acknowledgements - NOT. [Martin Schröder in opensuse-de]
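Added illustration of the two review points above (not part of the patch or of this mail): the capture-group budget of the `FILE` pattern and the behaviour of the multi-capability `sdCap` pattern, with the Vim very-magic regexes transcribed to Python. The `filename`, `@@EOL@@` and `@@sdKapKeyRegex@@` expansions are assumed stand-ins, and the sample rules are constructed.

```python
import re

# Python equivalents of the Vim "\v" (very magic) patterns quoted in the patch.
# Very-magic ( ) | + ? * and \s behave like Python's re, so group counts and
# match sets carry over. All template values below are assumed stand-ins.
FILENAME = r'(/\S+)'                              # stand-in for the script's `filename`
EOL = r'\s*,\s*(#.*)?$'                           # assumed expansion of @@EOL@@
CAPKEY = r'chown|dac_override|setuid|sys_admin'   # assumed sample of @@sdKapKeyRegex@@
VIM_MAX_GROUPS = 9                                # Vim rejects more than nine \( \) groups (E51)

FILE_PATTERNS = {
    # as submitted: one extra group for the (deny|allow) alternation
    'submitted': r'^\s*(audit\s+)?((deny|allow)\s+)?(owner\s+)?' + FILENAME + r'\s+',
    # reviewer's variant: same language, one capture group fewer
    'suggested': r'^\s*(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?' + FILENAME + r'\s+',
}
# new sdCap rule: one or more capability keywords separated by whitespace
CAP_RULE = (r'^\s*(audit\s+)?(deny\s+|allow\s+)?capability\s+'
            r'((' + CAPKEY + r')\s+)*(' + CAPKEY + r')' + EOL)

def group_count(pattern):
    """Capturing groups Vim would have to track for this pattern."""
    return re.compile(pattern).groups

def fits_vim(pattern):
    return group_count(pattern) <= VIM_MAX_GROUPS

def same_matches(p1, p2, lines):
    """True when both patterns accept exactly the same lines."""
    return all(bool(re.match(p1, l)) == bool(re.match(p2, l)) for l in lines)

def capabilities_in(line):
    """Capability keywords of a rule accepted by CAP_RULE, else []."""
    if not re.match(CAP_RULE, line):
        return []
    return re.findall(r'\b(' + CAPKEY + r')\b', line)

# constructed sample rules
FILE_SAMPLES = ['/etc/passwd r,', 'allow /etc/passwd r,',
                'audit deny owner /tmp/** w,',
                'deny allow /etc/passwd r,',   # two modes: neither pattern accepts it
                'capability chown,']           # not a file rule
CAP_SAMPLES = ['capability chown,', 'audit allow capability chown setuid sys_admin,',
               'capability chown setuid ,', 'capability network,']

if __name__ == '__main__':
    for name, pat in FILE_PATTERNS.items():
        print(name, group_count(pat), 'groups, fits vim:', fits_vim(pat))
    print('equivalent:', same_matches(*FILE_PATTERNS.values(), FILE_SAMPLES))
    for s in CAP_SAMPLES:
        print(repr(s), '->', capabilities_in(s))
```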