[apparmor] [patch] parser: tests: exercise local and peer addr perms

Seth Arnold seth.arnold at canonical.com
Fri Sep 19 00:03:46 UTC 2014


On Thu, Sep 18, 2014 at 04:53:47PM -0700, Steve Beattie wrote:
> On Thu, Sep 18, 2014 at 10:15:26AM -0500, Tyler Hicks wrote:
> > This patch updates the parser code to reject rules that contain local
> > socket permissions and peer conditional elements. The error message for
> > that condition is also corrected to resolve a copy and paste mistake
> > from the D-Bus rule parsing code.
> > 
> > The patch also updates the man page to correctly describe the two sets
> > of socket permissions and fixes an example rule that resulted in a
> > parser error after the change described above.
> > 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Acked-by: Steve Beattie <steve at nxnw.org>
> 
> Some test cases to go along with that patch (bind was already covered).
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

Excellent.

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  parser/tst/simple_tests/unix/bad_attr_1.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/bad_attr_2.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/bad_attr_3.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/bad_attr_4.sd     |    7 +++++++
>  parser/tst/simple_tests/unix/bad_create_1.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/bad_create_2.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/bad_listen_1.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/bad_listen_2.sd   |    7 +++++++
>  parser/tst/simple_tests/unix/bad_opt_1.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/bad_opt_2.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/bad_opt_3.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/bad_opt_4.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/bad_shutdown_1.sd |    7 +++++++
>  parser/tst/simple_tests/unix/bad_shutdown_2.sd |    7 +++++++
>  parser/tst/simple_tests/unix/ok_attr_5.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/ok_attr_6.sd      |    7 +++++++
>  parser/tst/simple_tests/unix/ok_create_3.sd    |    7 +++++++
>  parser/tst/simple_tests/unix/ok_listen_3.sd    |    7 +++++++
>  parser/tst/simple_tests/unix/ok_opt_5.sd       |    7 +++++++
>  parser/tst/simple_tests/unix/ok_opt_6.sd       |    7 +++++++
>  parser/tst/simple_tests/unix/ok_shutdown_3.sd  |    7 +++++++
>  21 files changed, 147 insertions(+)
> 
> Index: b/parser/tst/simple_tests/unix/bad_attr_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_attr_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getattr w/peer modifier
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix getattr peer=(addr=none),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_attr_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_attr_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getattr acceptance test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix (getattr) peer=(label=unconfined),
> +}
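Review bot: the #=DESCRIPTION in this hunk says "simple unix getattr acceptance test" while #=EXRESULT is FAIL and the rule under test is a getattr with a peer label, so a failing run would print a misleading name; suggest matching the sibling bad_attr_1 wording, e.g. `#=DESCRIPTION simple unix getattr w/peer label test`.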
> Index: b/parser/tst/simple_tests/unix/ok_attr_5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_attr_5.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getattr w/addr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix getattr addr=none,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_attr_6.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_attr_6.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setattr w/addr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix setattr addr=none,
> +}
> Index: b/parser/tst/simple_tests/unix/bad_create_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_create_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix create w/peer acceptance test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix create peer=(label=/usr/sbin/apache2),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_create_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_create_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix create acceptance test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix (create) peer=(addr=@somesuch),
> +}
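Review bot: same description/expectation mismatch here as in bad_attr_2: "simple unix create acceptance test" heads a file whose #=EXRESULT is FAIL and whose rule pairs create with a peer addr; suggest `#=DESCRIPTION simple unix create w/peer addr test` so the bad_ and ok_ create cases are distinguishable in test output.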
> Index: b/parser/tst/simple_tests/unix/bad_shutdown_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_shutdown_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix shutdown w/peer test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix shutdown peer=(addr=none),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_shutdown_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_shutdown_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix shutdown acceptance test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix (shutdown) peer=(label=@{profile_name}),
> +}
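Review bot: "simple unix shutdown acceptance test" describes a file expected to FAIL; the rule being exercised is shutdown with a peer label (via the @{profile_name} variable), so `#=DESCRIPTION simple unix shutdown w/peer label test` would describe it accurately and line up with bad_shutdown_1.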
> Index: b/parser/tst/simple_tests/unix/ok_shutdown_3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_shutdown_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix shutdown w/addr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix shutdown addr=@HypotheticalServiceDaemon,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_create_3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_create_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix create w/addr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix create addr=none,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_listen_3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_listen_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix listen w/addr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix listen addr=@foo**,
> +}
> Index: b/parser/tst/simple_tests/unix/bad_listen_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_listen_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix listen w/peer test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix listen peer=(label=you_cannot_label_me),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_listen_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_listen_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix listen w/peer test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix (listen) peer=(addr=@unknown),
> +}
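Review bot: this hunk reuses bad_listen_1's description verbatim ("simple unix listen w/peer test") even though that file tests a peer label and this one tests a peer addr; giving this one `w/peer addr test` (as bad_attr_4 and bad_opt_1 do) keeps the two distinguishable when one of them regresses.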
> Index: b/parser/tst/simple_tests/unix/bad_attr_3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_attr_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setattr w/peer test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix setattr peer=(label=orange),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_attr_4.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_attr_4.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setattr w/peer addr test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix (setattr) peer=(addr=@spork),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_opt_1.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_opt_1.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getopt w/peer addr test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix getopt peer=(addr=none),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_opt_2.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_opt_2.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getopt w/peer label test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix (getopt) peer=(label=strongbad),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_opt_3.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_opt_3.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setopt w/peer addr test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix setopt peer=(addr=@/dbus-vfs-daemon/socket-*),
> +}
> Index: b/parser/tst/simple_tests/unix/bad_opt_4.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/bad_opt_4.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setopt w/peer label test
> +#=EXRESULT FAIL
> +
> +profile a_profile {
> +  unix (setopt) peer=(label=unconfined),
> +}
> Index: b/parser/tst/simple_tests/unix/ok_opt_5.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_opt_5.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix getopt w/addr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix getopt addr=@private/defer,
> +}
> Index: b/parser/tst/simple_tests/unix/ok_opt_6.sd
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/simple_tests/unix/ok_opt_6.sd
> @@ -0,0 +1,7 @@
> +#
> +#=DESCRIPTION simple unix setopt w/addr acceptance test
> +#=EXRESULT PASS
> +
> +profile a_profile {
> +  unix setopt addr=none,
> +}
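Review bot: across the 21 files every bad_ case pairs a single local permission with peer=, and nothing exercises a permission list that mixes a local and a peer permission, e.g. `unix (create, connect) peer=(label=foo),`; one such bad_ case would pin down that the new rejection keys on any local permission being present rather than on the whole list being local, which is the distinction the description "rules that contain local socket permissions and peer conditional elements" implies.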
> 
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/



> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
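The rule these test files pin down, a unix rule carrying local socket permissions must not take a peer=(...) conditional, written out as a small Python checker. This is an added illustration, not the AppArmor parser or its simple_tests harness. It assumes the local permission set is create, bind, listen, shutdown, getattr, setattr, getopt and setopt (the eight covered by this series plus the existing bind tests), reads the #=EXRESULT header the same way the files above do, and treats a mixed list such as (create, connect) as rejected, following the wording of the parser change; the real parser's handling of that case is not shown on this page. Four of the embedded sample files are copied from the hunks above; the mixed-permission one is constructed.

```python
"""Toy checker for the parser rule exercised by the simple_tests above:
a ``unix`` rule that carries local socket permissions must not also carry
a ``peer=(...)`` conditional.  Added illustration, not the AppArmor
parser; the permission set and the mixed-list behaviour are assumptions."""
import re
from dataclasses import dataclass

# Assumption: the local (peerless) unix socket permissions, i.e. the ones
# these tests cover plus bind, which the series notes was covered already.
LOCAL_PERMS = frozenset({"create", "bind", "listen", "shutdown",
                         "getattr", "setattr", "getopt", "setopt"})

# "unix <perms> <conditionals>," with optional audit/deny/allow qualifiers.
_RULE_RE = re.compile(
    r"^\s*(?:(?:audit|deny|allow)\s+)*unix\b\s*(?P<body>.*?)\s*,\s*$")
_PAREN_PERMS_RE = re.compile(r"^\((?P<list>[^)]*)\)")
# A bare permission word; the lookahead stops "peer=(...)" from being read
# as a permission when the rule has no explicit permission list.
_BARE_PERM_RE = re.compile(r"^(?P<perm>[a-z]+)(?![a-z=])")
_PEER_RE = re.compile(r"\bpeer\s*=\s*\(")
_EXRESULT_RE = re.compile(r"^#=EXRESULT\s+(PASS|FAIL)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class UnixRule:
    perms: frozenset      # explicit permissions; empty means "all"
    has_peer: bool        # a peer=(...) conditional is present
    text: str


def parse_unix_rule(line):
    """Parse one profile line; return a UnixRule, or None if not a unix rule."""
    m = _RULE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    perms = set()
    pm = _PAREN_PERMS_RE.match(body)
    if pm:
        perms = {p.strip() for p in pm.group("list").split(",") if p.strip()}
        body = body[pm.end():]
    else:
        bm = _BARE_PERM_RE.match(body)
        if bm:
            perms = {bm.group("perm")}
            body = body[bm.end():]
    return UnixRule(frozenset(perms), bool(_PEER_RE.search(body)), line.strip())


def classify(rule):
    """Return "FAIL" if the rule should be rejected, else "PASS".

    Rejects any rule whose explicit permission list contains a local
    permission and that also has peer=(...).  Assumptions: a mixed list such
    as (create, connect) is rejected too; a rule with no explicit permission
    list is not rejected here, since the tests above do not show that case.
    """
    if rule.has_peer and rule.perms & LOCAL_PERMS:
        return "FAIL"
    return "PASS"


def check_test_file(text):
    """Return (expected, actual) for a simple_tests file with an #=EXRESULT header."""
    m = _EXRESULT_RE.search(text)
    if m is None:
        raise ValueError("no #=EXRESULT header")
    rules = [r for r in map(parse_unix_rule, text.splitlines()) if r is not None]
    actual = "FAIL" if any(classify(r) == "FAIL" for r in rules) else "PASS"
    return m.group(1), actual


def _sd(desc, result, rule):
    """Build a test file in the seven-line layout the hunks above use."""
    return (f"#\n#=DESCRIPTION {desc}\n#=EXRESULT {result}\n\n"
            f"profile a_profile {{\n  {rule}\n}}\n")


# Four files copied from the patch plus one constructed mixed-permission case
# (not from the patch) whose expectation follows the classify() assumption.
SAMPLE_TESTS = {
    "bad_attr_1.sd": _sd("simple unix getattr w/peer modifier", "FAIL",
                         "unix getattr peer=(addr=none),"),
    "ok_attr_5.sd": _sd("simple unix getattr w/addr acceptance test", "PASS",
                        "unix getattr addr=none,"),
    "bad_opt_3.sd": _sd("simple unix setopt w/peer addr test", "FAIL",
                        "unix setopt peer=(addr=@/dbus-vfs-daemon/socket-*),"),
    "ok_listen_3.sd": _sd("simple unix listen w/addr acceptance test", "PASS",
                          "unix listen addr=@foo**,"),
    "constructed_mixed.sd": _sd("constructed: local + peer perm w/peer", "FAIL",
                                "unix (create, connect) peer=(label=foo),"),
}


def run_samples():
    """Map each sample file name to its (expected, actual) pair."""
    return {name: check_test_file(text) for name, text in SAMPLE_TESTS.items()}


if __name__ == "__main__":
    for name, (expected, actual) in run_samples().items():
        print(f"{name}: expected {expected}, checker says {actual}")
```

Running it prints one line per sample with the header's expectation beside the checker's verdict; pointing check_test_file() at the real parser/tst/simple_tests/unix/ files would flag any header whose expectation disagrees with the rule as this checker understands it, which is a useful sanity pass before the parser itself is run over them.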
