[apparmor] [PATCH 3/8] add optional allow prefix to the language v3

Steve Beattie steve at nxnw.org
Thu Sep 19 05:46:26 UTC 2013


On Mon, Sep 16, 2013 at 11:37:28PM -0700, Steve Beattie wrote:
> On Mon, Sep 16, 2013 at 05:06:51PM -0700, Seth Arnold wrote:
> > On Mon, Sep 16, 2013 at 04:49:49PM -0700, Steve Beattie wrote:
> > 
> > I think I'd expect the above to FAIL instead of PASS -- 'allow capability
> > chown' followed by 'deny capability chown' doesn't make much sense. I know
> > we've decided that 'deny' rules should subtract from the profile, but
> > having two conflicting lines in one profile hurts my head.
> > 
> > This feels complicated.
> 
> I started typing up an email prepared to state that this patch was
> extending behavior in the same direction as before, that 'deny'
> rules always override 'allow' rules, and that this patch just adds
> the ability to make explicit the implicit 'allow' in our regular
> rules.

[Alright, here's the email I had started before.]

In this case, the behavior with capabilities is mimicking the already
accepted behavior for file rules, which is that deny rules override
allow rules (even ones without the 'allow' keyword).

This allows you to write something like:

    /usr/bin/** r,
    deny /usr/bin/foo r,

which grants read access to everything under /usr/bin except
/usr/bin/foo. For capabilities, it's less useful, but you could
use it to express something like the following:

  allow capability,  # grants all capabilities...
  deny capability sys_rawio sys_admin,  # ... except these that have
                                        # been denied.

for a pretty loose profile.

All the 'allow' keyword is doing is making explicit the implicit
'allow' preceding every non-denial statement.

> What should happen in these cases? (Using without loss of generality
> 'chown'...)

My understanding:

> profile a {
>   allow capability chown,
>   deny capability chown,
> }

no access to chown capability,

> profile b {
>   allow capability chown,
>   deny capability,
> }

no access to chown capability (or any other).

> profile c {
>   allow capability,
>   deny capability chown,
> }

access to every capability except chown.

> profile aa {
>   capability chown,
>   deny capability chown,
> }

no access to chown capability,

> profile bb {
>   capability chown,
>   deny capability,
> }

no access to chown capability (or any other).

> profile cc {
>   capability,
>   deny capability chown,
> }

access to every capability except chown.
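To make the allow/deny combination rules concrete, here is an added Python model, written for this edit and not taken from AppArmor's parser or test suite, that evaluates the six profiles above under the semantics described: an explicit allow is the same as the implicit one, deny subtracts, and a bare `capability` means every capability. ALL_CAPS is a deliberately small constructed universe, and parse_rule, effective_caps, evaluate_all and is_valid_rule are the example's own names; the prefix order in RULE_RE follows the opt_prefix grammar in the patch (audit, then at most one of allow/deny).

```python
import re

# Constructed, abbreviated capability universe for the model; the real
# kernel/AppArmor capability list is much longer.
ALL_CAPS = frozenset({"chown", "dac_override", "net_admin",
                      "sys_admin", "sys_rawio", "mknod"})

# Prefix order follows the grammar in the patch (opt_audit_flag, then at
# most one of allow/deny, then the rule); a trailing "# comment" is allowed.
RULE_RE = re.compile(
    r"^\s*(?:(?P<audit>audit)\s+)?"
    r"(?:(?P<mode>allow|deny)\s+)?"
    r"capability(?P<caps>(?:\s+\w+)*)\s*,\s*(?:#.*)?$"
)


def parse_rule(line):
    """Parse one capability rule into (audit, deny, caps).

    An explicit 'allow' and the bare default both give deny=False, so the
    keyword changes nothing about the permission.  A rule carrying both
    'allow' and 'deny' (the bad_5.sd case) does not match and is rejected.
    """
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError(f"syntax error in capability rule: {line.strip()!r}")
    names = m.group("caps").split()
    unknown = set(names) - ALL_CAPS
    if unknown:
        raise ValueError(f"unknown capability name(s): {sorted(unknown)}")
    caps = ALL_CAPS if not names else frozenset(names)  # bare keyword = all
    return m.group("audit") is not None, m.group("mode") == "deny", caps


def effective_caps(profile_text):
    """Capabilities a profile grants: union of allows minus union of denies.

    Rule order is irrelevant, which is why profiles a/aa, b/bb and c/cc in
    the message collapse to the same three answers.
    """
    allowed, denied = set(), set()
    for raw in profile_text.splitlines():
        line = raw.strip()
        # Skip blanks, comment lines and the profile's own braces.
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        _audit, deny, caps = parse_rule(line)
        (denied if deny else allowed).update(caps)
    return frozenset(allowed - denied)


# The six profiles from the discussion, transcribed as constructed input.
PROFILES = {
    "a":  "profile a {\n  allow capability chown,\n  deny capability chown,\n}",
    "b":  "profile b {\n  allow capability chown,\n  deny capability,\n}",
    "c":  "profile c {\n  allow capability,\n  deny capability chown,\n}",
    "aa": "profile aa {\n  capability chown,\n  deny capability chown,\n}",
    "bb": "profile bb {\n  capability chown,\n  deny capability,\n}",
    "cc": "profile cc {\n  capability,\n  deny capability chown,\n}",
}


def evaluate_all():
    """Map each profile name to the capability set it ends up granting."""
    return {name: effective_caps(body) for name, body in PROFILES.items()}


def is_valid_rule(line):
    """True when the rule parses; False for the conflicting-prefix forms."""
    try:
        parse_rule(line)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, caps in sorted(evaluate_all().items()):
        print(f"profile {name}: {sorted(caps) or 'no capabilities'}")
    for bad in ("allow deny capability chown,", "deny allow capability chown,"):
        print(f"{bad!r}: {'parses' if is_valid_rule(bad) else 'rejected'}")
```

Running it prints an empty set for a, b, aa and bb, everything except chown for c and cc, and reports the `allow deny` and `deny allow` forms as rejected, which is the bad_5.sd expectation. The model only checks the subtraction semantics; it does not reproduce the parser's compile step or the kernel's enforcement.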

> I'll try to write some behavioral regression tests around this
> tomorrow, rather than just the 'does it parse okay?' tests that are
> included in this patch, to help us determine what correct behavior
> should be and whether this patch achieves that (I have my opinions,
> but would like to hear others', including John's as the original
> author of the patch).

Here's v3 of the patch. I've added some behavioral tests around
overlapping the allow and deny keywords to the capabilities.sh tests.

Subject: add optional allow prefix to the language
From: John Johansen <john.johansen at canonical.com>

Let allow be used as a prefix in place of deny.  Allow is the default
and is implicit, so it is not needed, but some users keep tripping over
it, and it makes the language more symmetric.

   eg.
      /foo rw,
      allow /foo rw,
      deny /foo rw,

Patch history:
  v1: - initial revision

  v2: - rename yacc target rule from opt_deny to opt_perm_mode to reflect
        that it can be either an allow or deny modifier
      - break apart tests into more digestible chunks and to clarify
        their purpose
      - fix some tests to exercise 'audit allow'
      - add negative tests for 'allow' and 'deny' in the same rule
      - add support for 'allow' keyword to apparmor.vim
      - fix a bug in apparmor.vim to let it recognize multiple
        capability entries in a single line.

  v3: - add support for optional keywords on capability rules in
        regression tests, as well as the bare capability keyword (via
        'cap:ALL')
      - add allow, deny, and conflicting capability behavioral
        regression tests
      - fix vim syntax modeline to refer to apparmor in parser tests
      - adjust FILE regex in vim syntax file creator script

Signed-off-by: John Johansen <john.johansen at canonical.com>
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 parser/parser_misc.c                                       |    1 
 parser/parser_yacc.y                                       |    8 -
 parser/tst/simple_tests/capability/bad_5.sd                |    9 +
 parser/tst/simple_tests/capability/bad_6.sd                |    9 +
 parser/tst/simple_tests/capability/ok_allow1.sd            |   41 +++++
 parser/tst/simple_tests/capability/ok_allow10.sd           |   11 +
 parser/tst/simple_tests/capability/ok_allow2.sd            |  101 ++++++++++++
 parser/tst/simple_tests/capability/ok_allow3.sd            |   11 +
 parser/tst/simple_tests/capability/ok_allow4.sd            |   41 +++++
 parser/tst/simple_tests/capability/ok_allow5.sd            |  102 +++++++++++++
 parser/tst/simple_tests/capability/ok_allow6.sd            |   11 +
 parser/tst/simple_tests/capability/ok_allow7.sd            |    9 +
 parser/tst/simple_tests/capability/ok_allow8.sd            |   11 +
 parser/tst/simple_tests/capability/ok_allow9.sd            |    9 +
 parser/tst/simple_tests/capability/ok_dup_allow1.sd        |   12 +
 parser/tst/simple_tests/capability/ok_dup_allow2.sd        |   12 +
 parser/tst/simple_tests/capability/ok_dup_allow3.sd        |   14 +
 parser/tst/simple_tests/capability/ok_dup_allow4.sd        |   14 +
 parser/tst/simple_tests/capability/ok_dup_allow5.sd        |   17 ++
 parser/tst/simple_tests/capability/ok_dup_allow6.sd        |   16 ++
 parser/tst/simple_tests/file/allow/ok_1.sd                 |    8 +
 parser/tst/simple_tests/file/allow/ok_3.sd                 |   10 +
 parser/tst/simple_tests/file/allow/ok_append_1.sd          |   14 +
 parser/tst/simple_tests/file/allow/ok_carat_1.sd           |    8 +
 parser/tst/simple_tests/file/allow/ok_carat_2.sd           |    8 +
 parser/tst/simple_tests/file/allow/ok_comma_1.sd           |    8 +
 parser/tst/simple_tests/file/allow/ok_comma_2.sd           |    8 +
 parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd |    7 
 parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd |    7 
 parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd |    7 
 parser/tst/simple_tests/file/allow/ok_inv_char_class.sd    |    8 +
 parser/tst/simple_tests/file/allow/ok_lock_1.sd            |   18 ++
 parser/tst/simple_tests/file/allow/ok_mmap_1.sd            |   13 +
 parser/tst/simple_tests/file/allow/ok_mmap_2.sd            |   15 +
 tests/regression/apparmor/capabilities.sh                  |   88 +++++++++++
 tests/regression/apparmor/mkprofile.pl                     |   16 +-
 utils/vim/apparmor.vim.in                                  |    2 
 utils/vim/create-apparmor.vim.py                           |    6 
 38 files changed, 700 insertions(+), 10 deletions(-)
 create mode 100644 parser/tst/simple_tests/capability/ok_allow1.sd
 create mode 100644 parser/tst/simple_tests/capability/ok_allow2.sd
 create mode 100644 parser/tst/simple_tests/capability/ok_allow3.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_3.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_append_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_carat_2.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_comma_2.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_lock_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_1.sd
 create mode 100644 parser/tst/simple_tests/file/allow/ok_mmap_2.sd

Index: b/parser/parser_misc.c
===================================================================
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -74,6 +74,7 @@ static struct keyword_table keyword_tabl
 	{"subset",		TOK_SUBSET},
 	{"audit",		TOK_AUDIT},
 	{"deny",		TOK_DENY},
+	{"allow",		TOK_ALLOW},
 	{"set",			TOK_SET},
 	{"rlimit",		TOK_RLIMIT},
 	{"alias",		TOK_ALIAS},
Index: b/parser/parser_yacc.y
===================================================================
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -111,6 +111,7 @@ void add_local_entry(struct codomain *co
 %token TOK_SUBSET
 %token TOK_AUDIT
 %token TOK_DENY
+%token TOK_ALLOW
 %token TOK_PROFILE
 %token TOK_SET
 %token TOK_ALIAS
@@ -223,7 +224,7 @@ void add_local_entry(struct codomain *co
 %type <boolean> opt_owner_flag
 %type <boolean> opt_profile_flag
 %type <boolean> opt_flags
-%type <boolean> opt_deny
+%type <boolean> opt_perm_mode
 %type <id>	opt_namespace
 %type <id>	opt_id
 %type <prefix>  opt_prefix
@@ -518,10 +519,11 @@ opt_owner_flag: { /* nothing */ $$ = 0;
 	| TOK_OWNER { $$ = 1; };
 	| TOK_OTHER { $$ = 2; };
 
-opt_deny: { /* nothing */ $$ = 0; }
+opt_perm_mode: { /* nothing */ $$ = 0; }
+	| TOK_ALLOW { $$ = 0; }
 	| TOK_DENY { $$ = 1; }
 
-opt_prefix: opt_audit_flag opt_deny opt_owner_flag
+opt_prefix: opt_audit_flag opt_perm_mode opt_owner_flag
 	{
 		$$.audit = $1;
 		$$.deny = $2;
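Review bot: in the opt_perm_mode rule, TOK_ALLOW and the empty alternative both yield `$$ = 0`, so nothing downstream (including the `$$.deny = $2;` assignment in opt_prefix) can tell an explicit allow from the implicit one. That is the intended semantics per the cover letter, but a one-line comment on the rule saying so would stop the next reader from wondering whether allow should carry its own value, and the assignment target is still named `deny` although the rule is now a perm mode; a rename or a comment there would keep the two consistent. Because opt_perm_mode accepts at most one token, `allow deny` and `deny allow` are syntax errors by construction, which is what the bad_5.sd and bad_6.sd tests depend on. The diffstat lists no documentation change, so the new prefix should also be described wherever `deny` is documented.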
Index: b/parser/tst/simple_tests/capability/ok_allow1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow1.sd
@@ -0,0 +1,41 @@
+#
+#=DESCRIPTION validate uses of allow/capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  allow capability chown,
+  allow capability dac_override,
+  allow capability dac_read_search,
+  allow capability fowner,
+  allow capability fsetid,
+  allow capability kill,
+  allow capability setgid,
+  allow capability setuid,
+  allow capability setpcap,
+  allow capability linux_immutable,
+  allow capability net_bind_service,
+  allow capability net_broadcast,
+  allow capability net_admin,
+  allow capability net_raw,
+  allow capability ipc_lock,
+  allow capability ipc_owner,
+  allow capability sys_module,
+  allow capability sys_rawio,
+  allow capability sys_chroot,
+  allow capability sys_ptrace,
+  allow capability sys_pacct,
+  allow capability sys_admin,
+  allow capability sys_boot,
+  allow capability sys_nice,
+  allow capability sys_resource,
+  allow capability sys_time,
+  allow capability sys_tty_config,
+  allow capability mknod,
+  allow capability lease,
+  allow capability audit_write,
+  allow capability audit_control,
+  allow capability setfcap,
+  allow capability mac_override,
+}
Index: b/parser/tst/simple_tests/capability/ok_allow2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow2.sd
@@ -0,0 +1,101 @@
+#
+#=DESCRIPTION validate uses of allow/capabilities in hats
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist2 {
+  ^chown {
+    allow capability chown,
+  }
+  ^dac_override {
+    allow capability dac_override,
+  }
+  ^dac_read_search {
+    allow capability dac_read_search,
+  }
+  ^fowner {
+    allow capability fowner,
+  }
+  ^fsetid {
+    allow capability fsetid,
+  }
+  ^kill {
+    allow capability kill,
+  }
+  ^setgid {
+    allow capability setgid,
+  }
+  ^setuid {
+    allow capability setuid,
+  }
+  ^setpcap {
+    allow capability setpcap,
+  }
+  ^linux_immutable {
+    allow capability linux_immutable,
+  }
+  ^net_bind_service {
+    allow capability net_bind_service,
+  }
+  ^net_broadcast {
+    allow capability net_broadcast,
+  }
+  ^net_admin {
+    allow capability net_admin,
+  }
+  ^net_raw {
+    allow capability net_raw,
+  }
+  ^ipc_lock {
+    allow capability ipc_lock,
+  }
+  ^ipc_owner {
+    allow capability ipc_owner,
+  }
+  ^sys_module {
+    allow capability sys_module,
+  }
+  ^sys_rawio {
+    allow capability sys_rawio,
+  }
+  ^sys_chroot {
+    allow capability sys_chroot,
+  }
+  ^sys_ptrace {
+    allow capability sys_ptrace,
+  }
+  ^sys_pacct {
+    allow capability sys_pacct,
+  }
+  ^sys_admin {
+    allow capability sys_admin,
+  }
+  ^sys_boot {
+    allow capability sys_boot,
+  }
+  ^sys_nice {
+    allow capability sys_nice,
+  }
+  ^sys_resource {
+    allow capability sys_resource,
+  }
+  ^sys_time {
+    allow capability sys_time,
+  }
+  ^sys_tty_config {
+    allow capability sys_tty_config,
+  }
+  ^mknod {
+    allow capability mknod,
+  }
+  ^lease {
+    allow capability lease,
+  }
+  ^audit_write {
+    allow capability audit_write,
+  }
+  ^audit_control {
+    allow capability audit_control,
+  }
+}
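Review bot: the per-hat list in ok_allow2.sd stops at audit_control, whereas ok_allow1.sd also exercises setfcap and mac_override; the single-line rule in ok_allow3.sd has the same gap. If this mirrors the pre-existing ok_*.sd tests it is fine, otherwise the two newer names should be added so the hat and multi-capability forms cover the same set as the per-line form.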
Index: b/parser/tst/simple_tests/capability/ok_allow3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION validate allow w/multiple capabilities in a line.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit101 {
+  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
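Review bot: the profile name `/does/not/exit101` reads like a typo for `/does/not/exist101` (the other new files use `/does/not/exist...`). The parser accepts any path so the test still passes, and the same spelling recurs in ok_allow6.sd and ok_dup_allow3.sd through ok_dup_allow5.sd, so either fix them all together or leave them alone for consistency with whatever existing test they were copied from.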
Index: b/parser/tst/simple_tests/file/allow/ok_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=Description basic file rule
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow /usr/bin/foo r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_3.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION A simple successful profile
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow /usr/bin/foo r,
+  allow /usr/bin/blah rix,
+}
+
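Review bot: trailing blank line at end of file (the final `+` line of this hunk); ok_dup_allow3.sd, ok_dup_allow4.sd and ok_dup_allow5.sd have the same. Harmless to the test runner, but worth dropping so the new files match ok_1.sd and the other capability tests.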
Index: b/parser/tst/simple_tests/file/allow/ok_append_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_append_1.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION test append
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow /bin/cat a,
+  allow /bin/true ra,
+  allow /bin/false ma,
+  allow /lib/libc.so la,
+  allow /bin/less ixa,
+  allow /bin/more pxa,
+  allow /a uxa,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_carat_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_carat_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow /foo^bar r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_carat_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_carat_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION trailing carat in pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow /foo/bar^ r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_comma_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_comma_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION comma in pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+   allow /foo,bar r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_comma_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_comma_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION comma at end of pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow "/foobar," r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
@@ -0,0 +1,7 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+# vim:syntax=apparmor
+
+/bin/foo {
+  allow "/abc\ def" r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
@@ -0,0 +1,7 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+# vim:syntax=apparmor
+
+/bin/foo {
+  allow "/abc def" r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
@@ -0,0 +1,7 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+# vim:syntax=apparmor
+
+"/bin/fo o" {
+  allow "/abc def" r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+   allow /foo[^me]bar r,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_lock_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_lock_1.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION k and other perms do not conflict
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow /bin/a k,
+  allow /bin/b rk,
+  allow /bin/c wk,
+  allow /bin/d ak,
+  allow /bin/e lk,
+  allow /bin/e mk,
+  allow /bin/f pxk,
+  allow /bin/g Pxk,
+  allow /bin/h ixk,
+  allow /bin/i uxk,
+  allow /bin/j Uxk,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_mmap_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_mmap_1.sd
@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION m and [uUpPi]x do not conflict
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow /bin/cat mix,
+  allow /bin/true mpx,
+  allow /bin/false mux,
+  allow /lib/libc.so rwlm,
+  allow /bin/less mUx,
+  allow /bin/more mPx,
+}
Index: b/parser/tst/simple_tests/file/allow/ok_mmap_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_mmap_2.sd
@@ -0,0 +1,15 @@
+#
+#=DESCRIPTION m and [upi]x do not conflict, seperate rules
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+  allow /bin/cat rm,
+  allow /bin/cat ix,
+  allow /bin/true px,
+  allow /bin/true m,
+  allow /bin/false m,
+  allow /bin/false ux,
+  allow /lib/libc.so rwl,
+  allow /lib/libc.so m,
+}
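Review bot: typo in the DESCRIPTION line, `seperate` should be `separate`.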
Index: b/utils/vim/create-apparmor.vim.py
===================================================================
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -88,12 +88,12 @@ filename=r'(\/|\@\{\S*\})\S*'
 
 aa_regex_map = {
     'FILENAME':         filename,
-    'FILE':             r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
+    'FILE':             r'\v^\s*(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
                         # (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
     'DENYFILE':         r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE
-    'auditdenyowner':   r'(audit\s+)?(deny\s+)?(owner\s+)?',
+    'auditdenyowner':   r'(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?',
     'audit_DENY_owner': r'(audit\s+)?deny\s+(owner\s+)?', # must include "deny", otherwise like auditdenyowner
-    'auditdeny':        r'(audit\s+)?(deny\s+)?',
+    'auditdeny':        r'(audit\s+)?(deny\s+|allow\s+)?',
     'EOL':              r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
     'TRANSITION':       r'(\s+-\>\s+\S+)?',
     'sdKapKey':         " ".join(benign_caps),
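Review bot: the `auditdeny` and `auditdenyowner` entries now also match the allow prefix, but their names only say deny; since those names are the `@@...@@` placeholders consumed by apparmor.vim.in, renaming would be churn, so a short comment on each entry stating that it covers both allow and deny would avoid confusion. The `(deny\s+|allow\s+)?` form keeps the capturing-group count identical to the old `(deny\s+)?`, which is the safer choice if any generated pattern relies on group numbering; a comment noting that would keep someone from later "simplifying" it to `((deny|allow)\s+)?`.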
Index: b/parser/tst/simple_tests/capability/ok_allow4.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow4.sd
@@ -0,0 +1,41 @@
+#
+#=DESCRIPTION validate audit allow w/capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  audit allow capability chown,
+  audit allow capability dac_override,
+  audit allow capability dac_read_search,
+  audit allow capability fowner,
+  audit allow capability fsetid,
+  audit allow capability kill,
+  audit allow capability setgid,
+  audit allow capability setuid,
+  audit allow capability setpcap,
+  audit allow capability linux_immutable,
+  audit allow capability net_bind_service,
+  audit allow capability net_broadcast,
+  audit allow capability net_admin,
+  audit allow capability net_raw,
+  audit allow capability ipc_lock,
+  audit allow capability ipc_owner,
+  audit allow capability sys_module,
+  audit allow capability sys_rawio,
+  audit allow capability sys_chroot,
+  audit allow capability sys_ptrace,
+  audit allow capability sys_pacct,
+  audit allow capability sys_admin,
+  audit allow capability sys_boot,
+  audit allow capability sys_nice,
+  audit allow capability sys_resource,
+  audit allow capability sys_time,
+  audit allow capability sys_tty_config,
+  audit allow capability mknod,
+  audit allow capability lease,
+  audit allow capability audit_write,
+  audit allow capability audit_control,
+  audit allow capability setfcap,
+  audit allow capability mac_override,
+}
Index: b/parser/tst/simple_tests/capability/ok_allow5.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow5.sd
@@ -0,0 +1,102 @@
+#
+#=DESCRIPTION validate audit allow w/capabilities in hats.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exist2 {
+  ^chown {
+    audit allow capability chown,
+  }
+  ^dac_override {
+    audit allow capability dac_override,
+  }
+  ^dac_read_search {
+    audit allow capability dac_read_search,
+  }
+  ^fowner {
+    audit allow capability fowner,
+  }
+  ^fsetid {
+    audit allow capability fsetid,
+  }
+  ^kill {
+    audit allow capability kill,
+  }
+  ^setgid {
+    audit allow capability setgid,
+  }
+  ^setuid {
+    audit allow capability setuid,
+  }
+  ^setpcap {
+    audit allow capability setpcap,
+  }
+  ^linux_immutable {
+    audit allow capability linux_immutable,
+  }
+  ^net_bind_service {
+    audit allow capability net_bind_service,
+  }
+  ^net_broadcast {
+    audit allow capability net_broadcast,
+  }
+  ^net_admin {
+    audit allow capability net_admin,
+  }
+  ^net_raw {
+    audit allow capability net_raw,
+  }
+  ^ipc_lock {
+    audit allow capability ipc_lock,
+  }
+  ^ipc_owner {
+    audit allow capability ipc_owner,
+  }
+  ^sys_module {
+    audit allow capability sys_module,
+  }
+  ^sys_rawio {
+    audit allow capability sys_rawio,
+  }
+  ^sys_chroot {
+    audit allow capability sys_chroot,
+  }
+  ^sys_ptrace {
+    audit allow capability sys_ptrace,
+  }
+  ^sys_pacct {
+    audit allow capability sys_pacct,
+  }
+  ^sys_admin {
+    audit allow capability sys_admin,
+  }
+  ^sys_boot {
+    audit allow capability sys_boot,
+  }
+  ^sys_nice {
+    audit allow capability sys_nice,
+  }
+  ^sys_resource {
+    audit allow capability sys_resource,
+  }
+  ^sys_time {
+    audit allow capability sys_time,
+  }
+  ^sys_tty_config {
+    audit allow capability sys_tty_config,
+  }
+  ^mknod {
+    audit allow capability mknod,
+  }
+  ^lease {
+    audit allow capability lease,
+  }
+  ^audit_write {
+    audit allow capability audit_write,
+  }
+  ^audit_control {
+    audit allow capability audit_control,
+  }
+}
Index: b/parser/tst/simple_tests/capability/ok_allow6.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION validate audit allow w/multiple capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit101 {
+  audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
Index: b/parser/tst/simple_tests/capability/ok_allow7.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION validate allow with bare capability keyword.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+	allow capability,
+}
Index: b/parser/tst/simple_tests/capability/ok_allow9.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow9.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION validate audit allow with bare capability keyword.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+	audit allow capability,
+}
Index: b/parser/tst/simple_tests/capability/ok_dup_allow1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow1.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate allow of duplicate capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+# Test for duplicates?
+/does/not/exist3 {
+  allow capability mknod,
+  allow capability mknod,
+}
Index: b/parser/tst/simple_tests/capability/ok_dup_allow2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow2.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate audit allow of duplicate capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+# Test for duplicates?
+/does/not/exist3 {
+  audit allow capability mknod,
+  audit allow capability mknod,
+}
Index: b/parser/tst/simple_tests/capability/ok_dup_allow3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow3.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION  validate allow of duplicate multiple capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit102 {
+  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
+
Index: b/parser/tst/simple_tests/capability/ok_dup_allow4.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow4.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION  validate audit allow of duplicate multiple capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit102 {
+  audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+  audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
+
Index: b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
@@ -0,0 +1,17 @@
+#
+#=DESCRIPTION  validate duplicate multiple capabilities w/differing perm mods.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit102 {
+  allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+  audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+  audit deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+  deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+}
+
Index: b/utils/vim/apparmor.vim.in
===================================================================
--- a/utils/vim/apparmor.vim.in
+++ b/utils/vim/apparmor.vim.in
@@ -132,7 +132,7 @@ syn keyword  sdCapKey          @@sdKapKe
 syn keyword sdCapDanger	       @@sdKapKeyDanger@@
 
 " full line. Keywords are from sdCapKey + sdCapDanger
-syn match  sdCap /\v^\s*@@auditdeny@@capability\s+(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
+syn match  sdCap /\v^\s*@@auditdeny@@capability\s+((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " all capabilities ('capability' without any keyword)
 syn match  sdCapDanger /\v^\s*@@auditdeny@@capability@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
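Review bot: the sdCap change is a standalone highlighting fix (the v2 history item about recognizing multiple capability entries on one line) rather than part of the allow keyword support, and would be easier to review and bisect as its own patch. The new `((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)@@EOL@@` form matches any number of space-separated names, and the bare `capability@@EOL@@` match on the following line stays with sdCapDanger; since both go through `@@auditdeny@@`, `allow capability,` is now highlighted as well, which is what the ok_allow7.sd form needs.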
 
Index: b/parser/tst/simple_tests/capability/ok_allow10.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow10.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION validate audit allow with bare capability in hat.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  ^capability {
+     audit allow capability,
+  }
+}
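Review bot: the `# Last Modified: Sun Apr 17 19:44:44 2005` header is a copy-paste from an older test file and is wrong for a file this patch creates; the same stale line appears in ok_allow8.sd, ok_dup_allow6.sd, bad_5.sd and bad_6.sd below. Either update it or drop it from the new files, since a misleading timestamp is worse than none.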
Index: b/parser/tst/simple_tests/capability/ok_allow8.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION validate allow with bare capability in hat.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  ^capability {
+     allow capability,
+  }
+}
Index: b/parser/tst/simple_tests/capability/ok_dup_allow6.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow6.sd
@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate duplicate capability entries.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+# Test for duplicates?
+/does/not/exist3 {
+  capability mknod,
+  audit allow capability mknod,
+  deny capability mknod,
+  audit allow capability mknod,
+  deny capability mknod,
+  allow capability mknod,
+}
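Review bot: the `# Test for duplicates?` comment reads like a leftover question rather than documentation, and the DESCRIPTION `validate duplicate capability entries` undersells the file, which mixes `capability mknod,`, `audit allow capability mknod,`, `deny capability mknod,` and `allow capability mknod,` for one capability. State that the expected outcome is a successful parse with deny winning (and audit flags differing between duplicates), since that is the behaviour the regression tests in capabilities.sh pin down, and drop the question mark.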
Index: b/parser/tst/simple_tests/capability/bad_5.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION fail conflicting perm mod same line
+#=EXRESULT FAIL
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  allow deny capability chown,
+}
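Review bot: `allow deny capability chown,` covers only one ordering of the conflicting modifiers; the reverse, `deny allow capability chown,`, is a separate grammar path and deserves its own bad_*.sd case so a parser that accepts `deny` as a leading keyword and then tolerates a stray `allow` is not let through.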
Index: b/parser/tst/simple_tests/capability/bad_6.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/capability/bad_6.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION fail conflicting perm mod same line
+#=EXRESULT FAIL
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+  audit allow deny capability chown,
+}
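Review bot: the DESCRIPTION `fail conflicting perm mod same line` is identical to bad_5.sd's, which makes the two failures indistinguishable in test output. Make it say what is different here, e.g. `fail conflicting perm mod same line, with audit`, since the only change is the leading `audit` in `audit allow deny capability chown,`.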
Index: b/tests/regression/apparmor/capabilities.sh
===================================================================
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@@ -91,10 +91,17 @@ for TEST in ${TESTS} ; do
 	my_entries=$(eval echo \${${TEST}_extra_entries})
 
 	settest ${TEST}
+	# base case, unconfined
 	runchecktest "${TEST} -- unconfined" pass ${my_arg}
+
+	# no capabilities allowed
 	genprofile ${my_entries}
 	runchecktest "${TEST} -- no caps" fail ${my_arg}
 
+	# all capabilities allowed
+	genprofile cap:ALL ${my_entries}
+	runchecktest "${TEST} -- all caps" pass ${my_arg}
+
 	# iterate through each of the capabilities
 	for cap in ${CAPABILITIES} ; do
 		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
@@ -111,6 +118,11 @@ for TEST in ${TESTS} ; do
 	settest ${testwrapper}
 	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
 	runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
+
+	# all capabilities allowed
+	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
+	runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
+
 	for cap in ${CAPABILITIES} ; do
 		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
 			expected_result=pass
@@ -123,3 +135,79 @@ for TEST in ${TESTS} ; do
 
 done
 
+cap=sys_chroot
+settest syscall_chroot
+
+# test deny keyword works
+genprofile cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, deny keyword" fail ${syscall_chroot_args}
+
+# test allow keyword works
+genprofile cap:${cap}:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow keyword" pass ${syscall_chroot_args}
+
+### allow/deny overlap tests ###
+
+# test allow & deny keyword behavior, allow first
+genprofile cap:${cap}:allow cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny keyword, allow first" fail ${syscall_chroot_args}
+
+# test implicit allow & deny keyword behavior, allow first
+genprofile cap:${cap} cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny keyword, allow first" fail ${syscall_chroot_args}
+
+# test allow & deny keyword behavior, deny first
+genprofile cap:${cap}:deny cap:${cap}:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny keyword, deny first" fail ${syscall_chroot_args}
+
+# test implicit allow & deny keyword behavior, deny first
+genprofile cap:${cap}:deny cap:${cap} ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny keyword, deny first" fail ${syscall_chroot_args}
+
+# test allow all & deny all capability keyword behavior, allow first
+genprofile cap:ALL:allow cap:ALL:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny all caps keyword, allow first" fail ${syscall_chroot_args}
+
+# test implicit allow all & deny all capability keyword behavior, allow first
+genprofile cap:ALL cap:ALL:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny all caps keyword, allow first" fail ${syscall_chroot_args}
+
+# test allow all & deny all capability keyword behavior, deny first
+genprofile cap:ALL:deny cap:ALL:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny all caps keyword, deny first" fail ${syscall_chroot_args}
+
+# test implicit allow all & deny all capability keyword behavior, deny first
+genprofile cap:ALL:deny cap:ALL ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all caps keyword, deny first" fail ${syscall_chroot_args}
+
+# test allow all & deny keywords behavior, allow first
+genprofile cap:ALL:allow cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow all & deny keyword, allow first" fail ${syscall_chroot_args}
+
+# test implicit allow all & deny keywords behavior, allow first
+genprofile cap:ALL cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny keyword, allow first" fail ${syscall_chroot_args}
+
+# test allow all & deny keywords behavior, deny first
+genprofile cap:${cap}:deny cap:ALL:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow all & deny keyword, deny first" fail ${syscall_chroot_args}
+
+# test implicit allow all & deny keywords behavior, deny first
+genprofile cap:${cap}:deny cap:ALL ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny keyword, deny first" fail ${syscall_chroot_args}
+
+# test allow & deny all keywords behavior, allow first
+genprofile cap:${cap}:allow cap:ALL:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny all keyword, allow first" fail ${syscall_chroot_args}
+
+# test implicit allow & deny all keywords behavior, allow first
+genprofile cap:${cap} cap:ALL:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all keyword, allow first" fail ${syscall_chroot_args}
+
+# test allow & deny all keywords behavior, deny first
+genprofile cap:ALL:deny cap:${cap}:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny all keyword, deny first" fail ${syscall_chroot_args}
+
+# test implicit allow & deny all keywords behavior, deny first
+genprofile cap:ALL:deny cap:${cap} ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all keyword, deny first" fail ${syscall_chroot_args}
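Review bot: every one of the sixteen overlap cases in this block expects `fail`, so a parser or kernel that simply refused any capability once both an allow and a deny rule were present would pass the whole block. Add at least one positive control, e.g. `genprofile cap:ALL cap:chown:deny ...` (or `cap:${cap}:allow cap:chown:deny`) expecting `pass` for syscall_chroot, to show that a deny of an unrelated capability leaves `sys_chroot` granted. Also the label `"implicit allow & deny all caps keyword, deny first"` does not match its own comment `# test implicit allow all & deny all capability keyword behavior, deny first` (and the sibling label two cases above); it should read `implicit allow all & deny all caps keyword, deny first`.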
Index: b/tests/regression/apparmor/mkprofile.pl
===================================================================
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -157,10 +157,20 @@ sub gen_network($) {
 sub gen_cap($) {
   my $rule = shift;
   my @rules = split (/:/, $rule);
-  if (@rules != 2) {
-    (!$nowarn) && print STDERR "Warning: invalid capability description '$rule', ignored\n";
+  if (@rules == 2) {
+    if ($rules[1] =~ /^ALL$/) {
+      push (@{$output_rules{$hat}}, "  capability,\n");
+    } else {
+      push (@{$output_rules{$hat}}, "  capability $rules[1],\n");
+    }
+  } elsif (@rules == 3) {
+    if ($rules[1] =~ /^ALL$/) {
+      push (@{$output_rules{$hat}}, "  $rules[2] capability,\n");
+    } else {
+      push (@{$output_rules{$hat}}, "  $rules[2] capability $rules[1],\n");
+    }
   } else {
-    push (@{$output_rules{$hat}}, "  capability $rules[1],\n");
+    (!$nowarn) && print STDERR "Warning: invalid capability description '$rule', ignored\n";
   }
 }
 
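Review bot: in the new three-field branch `$rules[2]` is interpolated into the profile unchecked, so a typo such as `cap:chown:alow` silently emits `alow capability chown,` and the failure surfaces only later as a parser error on the generated profile rather than at generation time. Validate the modifier against the accepted prefixes (allow, deny, and the audit variants the tests use) and fall into the existing `Warning: invalid capability description` branch otherwise; it would also be worth a brief comment above gen_cap documenting the `cap:NAME[:MODIFIER]` and `cap:ALL[:MODIFIER]` forms, since `ALL` is a new token for callers.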

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/