[apparmor] [PATCH 2/2] parser: Verify policies change with the audit and deny modifiers

Tyler Hicks tyhicks at canonical.com
Fri Mar 13 21:40:08 UTC 2015


On 2015-03-13 14:32:47, John Johansen wrote:
> On 03/13/2015 01:48 PM, Tyler Hicks wrote:
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> 
> Another patch we should consider is adding tests for
>   allow and audit allow

Good idea! Patches sent.

> 
> Acked-by: John Johansen <john.johansen at canonical.com>

Thanks! Although, I just realized that I can't commit this like it is.
I'll have to comment out the failing tests and mark them with a FIXME
and the bug numbers, otherwise builds will fail and QA teams will have
nightmares. :)

Is that alright with you?

Tyler

> 
> > ---
> >  parser/tst/equality.sh | 36 ++++++++++++++++++++++++++++++++++++
> >  1 file changed, 36 insertions(+)
> > 
> > diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
> > index 1a5d9e5..170ef26 100755
> > --- a/parser/tst/equality.sh
> > +++ b/parser/tst/equality.sh
> > @@ -252,6 +252,42 @@ verify_binary_equality "dbus minimization found in dbus abstractions" \
> >                     peer=(name=org.freedesktop.DBus),
> >  	      dbus send bus=session, }"
> >  
> > +# Rules compatible with audit, deny, and audit deny
> > +for rule in "capability" "capability mac_admin" \
> > +	"network" "network tcp" "network inet6 tcp"\
> > +	"mount" "mount /a" "mount /a -> /b" "mount options in (ro) /a -> b" \
> > +	"remount" "remount /a" \
> > +	"umount" "umount /a" \
> > +	"pivot_root" "pivot_root /a" "pivot_root oldroot=/" \
> > +	 "pivot_root oldroot=/ /a" "pivot_root oldroot=/ /a -> foo" \
> > +	"ptrace" "ptrace trace" "ptrace (readby,tracedby) peer=unconfined" \
> > +	"signal" "signal (send,receive)" "signal peer=unconfined" \
> > +	 "signal receive set=(kill)" \
> > +	"dbus" "dbus send" "dbus bus=system" "dbus bind name=foo" \
> > +	 "dbus peer=(label=foo)" "dbus eavesdrop" \
> > +	"unix" "unix (create, listen, accept)" "unix addr=@*" "unix addr=none" \
> > +	 "unix peer=(label=foo)" \
> > +	"/f r" "/f w" "/f rwmlk" "/** r" "/**/ w" \
> > +	"file /f r" "file /f w" "file /f rwmlk"
> > +do
> > +	verify_binary_inequality "audit, deny, and audit deny modifiers for \"${rule}\"" \
> > +		"/t { ${rule}, }" \
> > +		"/t { audit ${rule}, }" \
> > +		"/t { deny ${rule}, }" \
> > +		"/t { audit deny ${rule}, }"
> > +done
> > +
> > +# Rules that need special treatment for the deny modifier
> > +for rule in "/f ux" "/f Ux" "/f px" "/f Px" "/f ix" \
> > +	"file /f ux" "file /f UX" "file /f px" "file /f Px" "file /f ix"
> > +do
> > +	verify_binary_inequality "deny, audit deny modifier for \"${rule}\"" \
> > +		"/t { ${rule}, }" \
> > +		"/t { audit ${rule}, }" \
> > +		"/t { deny /f x, }" \
> > +		"/t { audit deny /f x, }"
> > +done
> > +
> >  if [ $fails -ne 0 -o $errors -ne 0 ]
> >  then
> >  	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
> > 
> 
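Review bot: `"file /f UX"` in the second list does not match the `"/f Ux"` form used for the same mode in the first list; `UX` is not an AppArmor exec mode, so that entry will produce a parse failure rather than a meaningful comparison against `deny /f x`, and the case it was meant to cover stays untested. Suggest changing it to `"file /f Ux"`. Minor style: `"network inet6 tcp"\` is missing the space before the line continuation, and the continuation lines are indented inconsistently (tab versus tab plus space), which is worth normalising before commit.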