[apparmor] [PATCH 1/3] Add support for variable expansion in profile names, and attachments

Steve Beattie steve at nxnw.org
Fri Jul 10 23:26:23 UTC 2015


On Wed, Jun 17, 2015 at 04:21:11AM -0700, John Johansen wrote:
> allow
>   @{FOO}=bar
>   /foo@{FOO} { }
> 
> to be expanded into
>   /foobar { }
> 
> and
>   @{FOO}=bar baz
>   /foo@{FOO} { }
> 
> to be expanded into
>   /foo{bar,baz} { }
> which is used as a regular expression for attachment purposes
> 
> Further allow variable expansion in attachment specifications
>   profile foo /foo@{FOO} { }
> 
> profile name (if begun with profile keyword) and attachments to begin
> with a variable
>   profile @{FOO} { }
>   profile /foo @{FOO} { }
>   profile @{FOO} @{BAR} {}

Ugh, this points out one of the failings of always using the {,} alternation
replacement when expanding variables. Consider:

  @{FOO}=bar baz

  profile @{FOO} /usr/bin/biff { }

With the current setup, it expands to:

  profile {bar,baz} /usr/bin/biff { }

which I'm not really sure is what we want for the profile name. But
expanding it out into separate 'foo' and 'bar' profiles is also
problematic because both profiles will have the same match pattern.
(One way to solve it kernel side would be to allow multiple names for
a given profile, but I haven't fully thought through the consequences
of that.)

It also gets wonky when trying to use that variable in a peer label
reference:

  profile OTHER_THING /bin/other_thing {
    signal peer=@{FOO},
  }

as, like you're trying to solve with quoting in the @{profile_name}
case, the above won't work for the exact same reason.

> hats
>   ^@{FOO}
>   hat @{FOO}
> 
> and for subprofiles as well
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

In the end, though, I think this is an improvement, so with Christian's
changes, Acked-by: Steve Beattie <steve at nxnw.org>.

> ---
>  parser/parser_variable.c                              | 19 ++++++++++++++++++-
>  parser/parser_yacc.y                                  | 13 +++++++------
>  parser/tst/simple_tests/vars/vars_profile_name_01.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_02.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_03.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_04.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_05.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_06.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_07.sd  | 10 ++++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_08.sd  | 10 ++++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_09.sd  |  9 +++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_10.sd  |  9 +++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_11.sd  |  9 +++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_12.sd  | 11 +++++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_13.sd  | 11 +++++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_14.sd  | 11 +++++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_15.sd  | 11 +++++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_16.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_17.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_18.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_19.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_20.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_21.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_22.sd  | 10 ++++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_23.sd  |  7 +++++++
>  parser/tst/simple_tests/vars/vars_profile_name_24.sd  |  8 ++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_25.sd  | 10 ++++++++++
>  parser/tst/simple_tests/vars/vars_profile_name_26.sd  | 10 ++++++++++
>  .../tst/simple_tests/vars/vars_profile_name_bad_1.sd  |  8 ++++++++
>  .../tst/simple_tests/vars/vars_profile_name_bad_2.sd  |  6 ++++++
>  30 files changed, 271 insertions(+), 7 deletions(-)
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_01.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_02.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_03.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_04.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_05.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_06.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_07.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_08.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_09.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_10.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_11.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_12.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_13.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_14.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_15.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_16.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_17.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_18.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_19.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_20.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_21.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_22.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_23.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_24.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_25.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_26.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_bad_1.sd
>  create mode 100644 parser/tst/simple_tests/vars/vars_profile_name_bad_2.sd
> 
> diff --git a/parser/parser_variable.c b/parser/parser_variable.c
> index ac334dc..7250c0b 100644
> --- a/parser/parser_variable.c
> +++ b/parser/parser_variable.c
> @@ -275,12 +275,29 @@ static int process_variables_in_rules(Profile &prof)
>  	return 0;
>  }
>  
> +static int process_variables_in_name(Profile &prof)
> +{
> +	/* this needs to be done before alias expansion, ie. altnames are
> +	 * setup
> +	 */
> +	int error = expand_entry_variables(&prof.name);
> +	if (!error && prof.attachment)
> +		error = expand_entry_variables(&prof.attachment);
> +
> +	return error;
> +}
>  
>  int process_profile_variables(Profile *prof)
>  {
>  	int error = 0, rc;
>  
> -	error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(true).c_str());
> +	/* needs to be before PROFILE_NAME_VARIABLE so that variable will
> +	 * have the correct name
> +	 */
> +	error = process_variables_in_name(*prof);
> +
> +	if (!error)
> +		error = new_set_var(PROFILE_NAME_VARIABLE, prof->get_name(true).c_str());
>  
>  	if (!error)
>  		error = process_variables_in_entries(prof->entries);
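
Review bot: process_variables_in_name() returns straight after expand_entry_variables(&prof.attachment) without validating the expanded result, so an attachment written as a bare variable is never checked for a leading '/' once the relaxed parse-time test in parser_yacc.y lets the "@{" prefix through. Add that check here, after expansion and before PROFILE_NAME_VARIABLE is set, and reject an empty expansion of prof.name as well; the tests marked #=TODO (07, 08, 12, 13, 15, 22, 25, 26) are waiting on it. The comment "ie. altnames are setup" would also read better as a full sentence naming the later step that depends on this ordering.
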
> diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
> index b3083d5..d529e97 100644
> --- a/parser/parser_yacc.y
> +++ b/parser/parser_yacc.y
> @@ -252,6 +252,7 @@ void add_local_entry(Profile *prof);
>  %type <val_list> valuelist
>  %type <boolean> expr
>  %type <id>	id_or_var
> +%type <id>	opt_id_or_var
>  %type <boolean> opt_subset_flag
>  %type <boolean> opt_audit_flag
>  %type <boolean> opt_owner_flag
> @@ -307,7 +308,10 @@ opt_ns: { /* nothing */ $$ = NULL; }
>  opt_id: { /* nothing */ $$ = NULL; }
>  	| TOK_ID { $$ = $1; }
>  
> -profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
> +opt_id_or_var: { /* nothing */ $$ = NULL; }
> +	| id_or_var { $$ = $1; }
> +
> +profile_base: TOK_ID opt_id_or_var flags TOK_OPEN rules TOK_CLOSE
>  	{
>  		Profile *prof = $5;
>  
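
Review bot: profile_base now takes opt_id_or_var, which leaves the opt_id rule directly above it without this user. If no other rule in the grammar references opt_id, remove it in the same patch so the parser does not carry an unused nonterminal; if something still uses it, a one-line comment on why the two differ would help the next reader.
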
> @@ -317,11 +321,8 @@ profile_base: TOK_ID opt_id flags TOK_OPEN rules TOK_CLOSE
>  
>  		prof->name = $1;
>  		prof->attachment = $2;
> -		if ($2 && $2[0] != '/')
> -			/* we don't support variables as part of the profile
> -			 * name or attachment atm
> -			 */
> -			yyerror(_("Profile attachment must begin with a '/'."));
> +		if ($2 && !($2[0] == '/' || strncmp($2, "@{", 2) == 0))
> +			yyerror(_("Profile attachment must begin with a '/' or variable."));
>  		prof->flags = $3;
>  		if (force_complain && kernel_abi_version == 5)
>  			/* newer abis encode force complain as part of the
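
Review bot: the relaxed test strncmp($2, "@{", 2) == 0 accepts any attachment that merely starts with a variable reference, so the leading '/' rule is no longer enforced at parse time for those, and the removed comment was the only text explaining the limitation. Add a short comment here saying the '/' requirement for variable attachments has to be verified after expansion, and consider rewording the error to say the attachment must begin with '/' or with a variable that expands to one.
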
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_01.sd b/parser/tst/simple_tests/vars/vars_profile_name_01.sd
> new file mode 100644
> index 0000000..a83c2e7
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_01.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION reference variables in rules that also have alternations
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +/does/not/exist@{FOO} {
> +  /does/not/exist r,
> +}
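
Review bot: the #=DESCRIPTION line says "reference variables in rules that also have alternations", but the variable here is in the profile name and the rule body contains none. Describe what is under test, for example "variable in bare profile name, single value"; the same copied description recurs in 02, 05, 06, 09, 10, 13 and 14.
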
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_02.sd b/parser/tst/simple_tests/vars/vars_profile_name_02.sd
> new file mode 100644
> index 0000000..672af43
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_02.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION reference variables in rules that also have alternations
> +#=EXRESULT PASS
> +
> +@{FOO}=bar baz
> +
> +/does/not/exist@{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_03.sd b/parser/tst/simple_tests/vars/vars_profile_name_03.sd
> new file mode 100644
> index 0000000..23037c8
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_03.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION profiles declared with the profile keyword can begin with var
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +profile @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_04.sd b/parser/tst/simple_tests/vars/vars_profile_name_04.sd
> new file mode 100644
> index 0000000..3224759
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_04.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION profiles declared with the profile keyword can begin with var
> +#=EXRESULT PASS
> +
> +@{FOO}=bar baz
> +
> +profile @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_05.sd b/parser/tst/simple_tests/vars/vars_profile_name_05.sd
> new file mode 100644
> index 0000000..1fc0758
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_05.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION reference variables in rules that also have alternations
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +profile /does/not /exist{@{FOO},} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_06.sd b/parser/tst/simple_tests/vars/vars_profile_name_06.sd
> new file mode 100644
> index 0000000..b051c24
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_06.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION reference variables in rules that also have alternations
> +#=EXRESULT PASS
> +
> +@{FOO}=bar baz
> +
> +profile /does/not /exist@{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_07.sd b/parser/tst/simple_tests/vars/vars_profile_name_07.sd
> new file mode 100644
> index 0000000..6ec43e5
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_07.sd
> @@ -0,0 +1,10 @@
> +#=DESCRIPTION profiles declared with the profile keyword can begin with var
> +#=EXRESULT FAIL
> +#=TODO
> +# This test needs check on @{FOO} attachment having leading / post var expansion
> +
> +@{FOO}=bar
> +
> +profile /does/not/exist @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_08.sd b/parser/tst/simple_tests/vars/vars_profile_name_08.sd
> new file mode 100644
> index 0000000..99dfd56
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_08.sd
> @@ -0,0 +1,10 @@
> +#=DESCRIPTION profiles declared with the profile keyword can begin with var
> +#=EXRESULT FAIL
> +#=TODO
> +# This test needs check on @{FOO} attachment having leading / post var expansion
> +
> +@{FOO}=bar baz
> +
> +profile /does/not/exist @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_09.sd b/parser/tst/simple_tests/vars/vars_profile_name_09.sd
> new file mode 100644
> index 0000000..48c11bf
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_09.sd
> @@ -0,0 +1,9 @@
> +#=DESCRIPTION reference variables in rules that also have alternations
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +@{BAR}=baz
> +
> +profile /does/not@{BAR} /exist@{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_10.sd b/parser/tst/simple_tests/vars/vars_profile_name_10.sd
> new file mode 100644
> index 0000000..e6a574f
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_10.sd
> @@ -0,0 +1,9 @@
> +#=DESCRIPTION reference variables in rules that also have alternations
> +#=EXRESULT PASS
> +
> +@{FOO}=bar baz
> +@{BAR}=baz
> +
> +profile /does/not@{BAR} /exist@{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_11.sd b/parser/tst/simple_tests/vars/vars_profile_name_11.sd
> new file mode 100644
> index 0000000..ed007f5
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_11.sd
> @@ -0,0 +1,9 @@
> +#=DESCRIPTION profiles declared with the profile keyword have var and var attachment
> +#=EXRESULT PASS
> +
> +@{FOO}=/bar /baz
> +@{BAR}=baz foo
> +
> +profile /does/not/exist@{BAR} @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_12.sd b/parser/tst/simple_tests/vars/vars_profile_name_12.sd
> new file mode 100644
> index 0000000..8e3a405
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_12.sd
> @@ -0,0 +1,11 @@
> +#=DESCRIPTION profiles declared with the profile keyword can expand var and have var attachment
> +#=EXRESULT FAIL
> +#=TODO
> +# This test needs check on @{FOO} attachment having leading / post var expansion
> +
> +@{FOO}=bar baz
> +@{BAR}=baz foo
> +
> +profile /does/not/exist@{BAR} @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_13.sd b/parser/tst/simple_tests/vars/vars_profile_name_13.sd
> new file mode 100644
> index 0000000..9c91f6e
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_13.sd
> @@ -0,0 +1,11 @@
> +#=DESCRIPTION reference variables in rules that also have alternations
> +#=EXRESULT FAIL
> +#=TODO
> +# This test needs check on @{FOO} attachment having leading / post var expansion
> +
> +@{FOO}=bar
> +@{BAR}=baz
> +
> +profile @{BAR} @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_14.sd b/parser/tst/simple_tests/vars/vars_profile_name_14.sd
> new file mode 100644
> index 0000000..feffe81
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_14.sd
> @@ -0,0 +1,11 @@
> +#=DESCRIPTION reference variables in rules that also have alternations
> +#=EXRESULT PASS
> +#=TODO
> +# This test needs check on @{FOO} attachment having leading / post var expansion
> +
> +@{FOO}=/bar /baz
> +@{BAR}=baz
> +
> +profile @{BAR} @{FOO} {
> +  /does/not/exist r,
> +}
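
Review bot: this test is #=EXRESULT PASS yet still carries #=TODO and the comment about the missing leading-'/' check, which belong to the failing variants; here every value of @{FOO} (/bar /baz) already begins with '/'. Drop the #=TODO line and the comment so the marker does not suggest pending work on a case that should pass today, and fix the description, which again refers to rules with alternations.
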
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_15.sd b/parser/tst/simple_tests/vars/vars_profile_name_15.sd
> new file mode 100644
> index 0000000..37aa388
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_15.sd
> @@ -0,0 +1,11 @@
> +#=DESCRIPTION profiles declared with the profile keyword can begin with var
> +#=EXRESULT FAIL
> +#=TODO
> +# This test needs check on @{FOO} attachment having leading / post var expansion
> +
> +@{FOO}=bar baz
> +@{BAR}=baz foo
> +
> +profile @{BAR} @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_16.sd b/parser/tst/simple_tests/vars/vars_profile_name_16.sd
> new file mode 100644
> index 0000000..f2d66f2
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_16.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION var in sub profile name
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +profile /does/not/exist {
> +  profile foo@{FOO} { }
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_17.sd b/parser/tst/simple_tests/vars/vars_profile_name_17.sd
> new file mode 100644
> index 0000000..1c44b85
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_17.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION var in sub profile name
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +profile /does/not/exist {
> +  profile @{FOO} { }
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_18.sd b/parser/tst/simple_tests/vars/vars_profile_name_18.sd
> new file mode 100644
> index 0000000..fd5b54f
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_18.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION var in hat name
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +profile /does/not/exist {
> +  ^foo@{FOO} { }
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_19.sd b/parser/tst/simple_tests/vars/vars_profile_name_19.sd
> new file mode 100644
> index 0000000..1c44b85
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_19.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION var in sub profile name
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +profile /does/not/exist {
> +  profile @{FOO} { }
> +}
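
Review bot: this file is identical to vars_profile_name_17.sd (same blob index 1c44b85, same "profile @{FOO} { }" body), so it adds no coverage. The commit message lists the "hat @{FOO}" keyword form, which none of the new tests exercise; using "hat @{FOO} { }" here would cover it.
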
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_20.sd b/parser/tst/simple_tests/vars/vars_profile_name_20.sd
> new file mode 100644
> index 0000000..f2d66f2
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_20.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION var in sub profile name
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +profile /does/not/exist {
> +  profile foo@{FOO} { }
> +}
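
Review bot: this file duplicates vars_profile_name_16.sd (blob index f2d66f2, body "profile foo@{FOO} { }"). Either remove it or turn it into the "hat foo@{FOO} { }" variant so the hat keyword with an embedded variable is tested.
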
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_21.sd b/parser/tst/simple_tests/vars/vars_profile_name_21.sd
> new file mode 100644
> index 0000000..a27b94c
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_21.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION var in hat name
> +#=EXRESULT PASS
> +
> +@{FOO}=bar
> +
> +profile /does/not/exist {
> +  ^@{FOO} { }
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_22.sd b/parser/tst/simple_tests/vars/vars_profile_name_22.sd
> new file mode 100644
> index 0000000..a42afba
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_22.sd
> @@ -0,0 +1,10 @@
> +#=DESCRIPTION all attachment expansions must start with /
> +#=EXRESULT FAIL
> +#=TODO
> +# This test needs check on @{FOO} attachment having leading / post var expansion
> +
> +@{FOO}=/bar baz
> +
> +profile /does/not/exist @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_23.sd b/parser/tst/simple_tests/vars/vars_profile_name_23.sd
> new file mode 100644
> index 0000000..5bb2122
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_23.sd
> @@ -0,0 +1,7 @@
> +#=DESCRIPTION reference variables in profile name is undefined
> +#=EXRESULT FAIL
> +
> +
> +/does/not/exist@{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_24.sd b/parser/tst/simple_tests/vars/vars_profile_name_24.sd
> new file mode 100644
> index 0000000..ebfb403
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_24.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION reference variables is null
> +#=EXRESULT FAIL
> +
> +@{FOO}=
> +
> +/does/not/exist@{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_25.sd b/parser/tst/simple_tests/vars/vars_profile_name_25.sd
> new file mode 100644
> index 0000000..56ce8ba
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_25.sd
> @@ -0,0 +1,10 @@
> +#=DESCRIPTION reference variables is null
> +#=EXRESULT FAIL
> +#=TODO
> +#needs post var expansion check that variable contained a value
> +
> +@{FOO}=
> +
> +@{FOO} {
> +  /does/not/exist r,
> +}
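
Review bot: "@{FOO} {" is a bare profile name starting with a variable, which vars_profile_name_bad_1.sd already expects to FAIL because bare names must start with '/'. This test therefore fails for that reason whether or not @{FOO} is empty, and would not notice the missing null-value check its #=TODO describes. Use the "profile @{FOO} {" form so the empty expansion is the only thing wrong with the input.
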
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_26.sd b/parser/tst/simple_tests/vars/vars_profile_name_26.sd
> new file mode 100644
> index 0000000..e81acb9
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_26.sd
> @@ -0,0 +1,10 @@
> +#=DESCRIPTION reference variables is null
> +#=EXRESULT FAIL
> +#=TODO
> +#needs post var expansion check that variable contained a value
> +
> +@{FOO}=
> +
> +profile bar @{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_bad_1.sd b/parser/tst/simple_tests/vars/vars_profile_name_bad_1.sd
> new file mode 100644
> index 0000000..0b308c8
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_bad_1.sd
> @@ -0,0 +1,8 @@
> +#=DESCRIPTION bare profile names must start with /
> +#=EXRESULT FAIL
> +
> +@{FOO}=bar
> +
> +@{FOO} {
> +  /does/not/exist r,
> +}
> diff --git a/parser/tst/simple_tests/vars/vars_profile_name_bad_2.sd b/parser/tst/simple_tests/vars/vars_profile_name_bad_2.sd
> new file mode 100644
> index 0000000..009d0b8
> --- /dev/null
> +++ b/parser/tst/simple_tests/vars/vars_profile_name_bad_2.sd
> @@ -0,0 +1,6 @@
> +#=DESCRIPTION special @{profile_name} not defined for profile name declaration
> +#=EXRESULT FAIL
> +
> +profile @{profile_name} {
> +  /does/not/exist r,
> +}

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
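
The expansion behaviour discussed in this message, as an added example that is not part of the original post and is not the parser's own code: set variables expand to a `{,}` alternation, and the post-expansion check the #=TODO tests ask for rejects any attachment alternative without a leading `/`. The function names and the variable map are assumptions made for the illustration; `{}` alternations already present in the input are passed through untouched.

```cpp
// Added illustration, not apparmor_parser code; variable values are constructed.
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

using VarMap = std::map<std::string, std::vector<std::string>>;

// Resolve the "@{NAME}" reference starting at s[pos]; end is set past the '}'.
static const std::vector<std::string> &lookup(const std::string &s, size_t pos,
                                              const VarMap &vars, size_t &end) {
    size_t close = s.find('}', pos);
    if (close == std::string::npos)
        throw std::runtime_error("unterminated variable reference");
    auto it = vars.find(s.substr(pos + 2, close - pos - 2));
    if (it == vars.end() || it->second.empty())
        throw std::runtime_error("undefined or empty variable");
    end = close + 1;
    return it->second;
}

// Alternation form: a single value is substituted, several become {a,b}.
std::string expand_alternation(const std::string &s, const VarMap &vars) {
    std::string out;
    for (size_t i = 0, end = 0; i < s.size(); i = end) {
        if (s.compare(i, 2, "@{") != 0) { out += s[i]; end = i + 1; continue; }
        const auto &vals = lookup(s, i, vars, end);
        std::string alt = vals[0];
        for (size_t v = 1; v < vals.size(); v++) alt += "," + vals[v];
        out += vals.size() == 1 ? alt : "{" + alt + "}";
    }
    return out;
}

// Every concrete string the expression stands for (cross product of values).
std::vector<std::string> expand_all(const std::string &s, const VarMap &vars) {
    std::vector<std::string> out{""};
    for (size_t i = 0, end = 0; i < s.size(); i = end) {
        std::vector<std::string> next;
        if (s.compare(i, 2, "@{") != 0) {
            end = i + 1;
            for (const auto &o : out) next.push_back(o + s[i]);
        } else {
            for (const auto &v : lookup(s, i, vars, end))
                for (const auto &o : out) next.push_back(o + v);
        }
        out = next;
    }
    return out;
}

// Post-expansion check: every alternative of an attachment must begin with '/'.
bool attachment_ok(const std::string &att, const VarMap &vars) {
    for (const auto &a : expand_all(att, vars))
        if (a.empty() || a[0] != '/')
            return false;
    return true;
}

int main() {
    VarMap vars{{"FOO", {"bar", "baz"}}, {"ABS", {"/bar", "/baz"}}};
    std::cout << expand_alternation("/foo@{FOO}", vars) << " " << attachment_ok("@{FOO}", vars) << "\n";
}
```

`expand_all("@{FOO}", vars)` returns the two separate names that the single label `{bar,baz}` stands for, which is the difference between a profile name and an attachment pattern raised in the reply.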