[apparmor] [patch] Add more ruletypes to the cleanprof test profiles

Christian Boltz apparmor at cboltz.de
Sat Dec 26 16:43:38 UTC 2015


Hello,

to ensure aa-cleanprof works as expected (and writing the rules works
as expected), add some rules for every rule class to the cleanprof.in
and cleanprof.out test profiles.


[ 48-add-more-ruletypes-to-cleanprof-test.diff ]

=== modified file ./utils/test/cleanprof_test.in
--- utils/test/cleanprof_test.in        2015-12-12 13:34:40.549997194 +0100
+++ utils/test/cleanprof_test.in        2015-12-26 17:11:27.034328693 +0100
@@ -4,12 +4,32 @@
 /usr/bin/a/simple/cleanprof/test/profile {
        # Just for the heck of it, this comment wont see the day of light
        #include <abstractions/base>
+
+    capability sys_admin,
+    audit capability,
+
+    change_profile -> /bin/foo,
+    change_profile,
+
+    network inet stream,
+    network stream,
+
        #Below rule comes from abstractions/base
        allow /usr/share/X11/locale/**  r,
        allow /home/*/** r,
 
+    ptrace tracedby peer=/bin/strace,
+    ptrace tracedby,
     unix (receive) type=dgram,
 
+    set rlimit nofile <= 256,
+    set rlimit nofile <= 64,
+
+    signal set=(hup int quit ill trap abrt)
+             set=(bus,fpe,,,kill,usr1)
+                      set=segv set=usr2 set=pipe set=alrm set=term set=stkflt set=chld,
+    signal set=(hup int quit),
+
     ^foo {
             /etc/fstab r,
         capability dac_override,
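Review bot: the multi-line `signal` rule with `set=(bus,fpe,,,kill,usr1)` and the two `set rlimit nofile` lines read as deliberate parser and coverage stress cases, but nothing in the test profile says so. Since the existing comment in this profile already notes that comments do not survive cleaning, a short comment above each new pair stating which rule is expected to remain in cleanprof_test.out (for example `<= 256` kept, `<= 64` dropped) would cost nothing in the expected output. It would also keep a later tidy-up from "correcting" the repeated commas or reordering the limits.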
=== modified file ./utils/test/cleanprof_test.out
--- utils/test/cleanprof_test.out       2015-12-12 13:34:40.549997194 +0100
+++ utils/test/cleanprof_test.out       2015-12-26 17:14:06.105337830 +0100
@@ -6,11 +6,23 @@
 /usr/bin/a/simple/cleanprof/test/profile {
   #include <abstractions/base>
 
+  set rlimit nofile <= 256,
+
+  audit capability,
+
+  network stream,
+
+  signal set=(abrt alrm bus chld fpe hup ill int kill pipe quit segv stkflt term trap usr1 usr2),
+
+  ptrace tracedby,
+
   unix (receive) type=dgram,
 
   /home/*/** r,
   /home/foo/** w,
 
+  change_profile,
+
 
   ^foo {
     capability dac_override,
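Review bot: every expectation added here is the broader rule of its pair surviving (`network stream,` over `network inet stream,`, `ptrace tracedby,` over the `peer=/bin/strace` form, `audit capability,` over `capability sys_admin,`), so the test only shows that covered rules are dropped, not that uncovered ones are kept. Consider adding, per rule class, at least one rule in cleanprof_test.in that the general rule does not cover and that must appear unchanged here. Please also confirm that keeping `set rlimit nofile <= 256,` rather than `<= 64` is the intended result, since that choice decides which limit the cleaned profile carries.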


Regards,

Christian Boltz
-- 
> > of course, now everybody will claim how bad it is to fix bugs which
> > people rely on;
> No, I won't claim that, in fact I would argue against keeping any bug
> on which people rely on (known as "backwards compatibility")
I should have excluded you from the list of everybody...
[> Cristian Rodríguez and (>>) Dominique Leuenberger in opensuse-factory]