[apparmor] [PATCH 2/2] parser: Verify policies change with the audit and deny modifiers

John Johansen john.johansen at canonical.com
Fri Mar 13 21:55:40 UTC 2015 

On 03/13/2015 02:40 PM, Tyler Hicks wrote:
> On 2015-03-13 14:32:47, John Johansen wrote:
>> On 03/13/2015 01:48 PM, Tyler Hicks wrote:
>>> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
>>
>> Another patch we should consider is adding tests for
>>   allow and audit allow
> 
> Good idea! Patches sent.
> 
>>
>> Acked-by: John Johansen <john.johansen at canonical.com>
> 
> Thanks! Although, I just realized that I can't commit this like it is.
> I'll have to comment out the failing tests and mark them with a FIXME
> and the bug numbers, otherwise builds will fail and QA teams will have
> nightmares. :)
> 
> Is that alright with you?
> 
uh you should be able to commit to upstream just fine, with out the
changes. Committing to ubuntu will require those changes, but I think
that could wait for the parser patch that fixes the failures


> Tyler
> 
>>
>>> ---
>>>  parser/tst/equality.sh | 36 ++++++++++++++++++++++++++++++++++++
>>>  1 file changed, 36 insertions(+)
>>>
>>> diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
>>> index 1a5d9e5..170ef26 100755
>>> --- a/parser/tst/equality.sh
>>> +++ b/parser/tst/equality.sh
>>> @@ -252,6 +252,42 @@ verify_binary_equality "dbus minimization found in dbus abstractions" \
>>>                     peer=(name=org.freedesktop.DBus),
>>>  	      dbus send bus=session, }"
>>>  
>>> +# Rules compatible with audit, deny, and audit deny
>>> +for rule in "capability" "capability mac_admin" \
>>> +	"network" "network tcp" "network inet6 tcp"\
>>> +	"mount" "mount /a" "mount /a -> /b" "mount options in (ro) /a -> b" \
>>> +	"remount" "remount /a" \
>>> +	"umount" "umount /a" \
>>> +	"pivot_root" "pivot_root /a" "pivot_root oldroot=/" \
>>> +	 "pivot_root oldroot=/ /a" "pivot_root oldroot=/ /a -> foo" \
>>> +	"ptrace" "ptrace trace" "ptrace (readby,tracedby) peer=unconfined" \
>>> +	"signal" "signal (send,receive)" "signal peer=unconfined" \
>>> +	 "signal receive set=(kill)" \
>>> +	"dbus" "dbus send" "dbus bus=system" "dbus bind name=foo" \
>>> +	 "dbus peer=(label=foo)" "dbus eavesdrop" \
>>> +	"unix" "unix (create, listen, accept)" "unix addr=@*" "unix addr=none" \
>>> +	 "unix peer=(label=foo)" \
>>> +	"/f r" "/f w" "/f rwmlk" "/** r" "/**/ w" \
>>> +	"file /f r" "file /f w" "file /f rwmlk"
>>> +do
>>> +	verify_binary_inequality "audit, deny, and audit deny modifiers for \"${rule}\"" \
>>> +		"/t { ${rule}, }" \
>>> +		"/t { audit ${rule}, }" \
>>> +		"/t { deny ${rule}, }" \
>>> +		"/t { audit deny ${rule}, }"
>>> +done
>>> +
>>> +# Rules that need special treatment for the deny modifier
>>> +for rule in "/f ux" "/f Ux" "/f px" "/f Px" "/f ix" \
>>> +	"file /f ux" "file /f UX" "file /f px" "file /f Px" "file /f ix"
>>> +do
>>> +	verify_binary_inequality "deny, audit deny modifier for \"${rule}\"" \
>>> +		"/t { ${rule}, }" \
>>> +		"/t { audit ${rule}, }" \
>>> +		"/t { deny /f x, }" \
>>> +		"/t { audit deny /f x, }"
>>> +done
>>> +
>>>  if [ $fails -ne 0 -o $errors -ne 0 ]
>>>  then
>>>  	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
>>>
>>

More information about the AppArmor mailing list