[apparmor] [PATCH 4/2] parser: Test the 'allow' modifier

John Johansen john.johansen at canonical.com
Fri Mar 13 23:27:46 UTC 2015


On 03/13/2015 03:52 PM, Steve Beattie wrote:
> On Fri, Mar 13, 2015 at 04:34:08PM -0500, Tyler Hicks wrote:
>> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Acked-by: Steve Beattie <steve at nxnw.org>
> 
> Do audit deny and deny result in different DFAs or the same? Should we
> have (in)equality tests for those as well?
> 
Well, technically, the same DFA but different permission tables. So the
binary is different, and yes, it would be a good idea to make sure they
differ as well.

And while we are at it, we could probably come up with some DFA tests
where deny is used to carve a perm out of a rule, and check that that
is different, and then do one where said deny-based DFA is equivalent
to a set of allow rules.

This of course will be more involved than doing the prefix tests here;
I will have to think about a good set of rules to use.

>> ---
>>  parser/tst/equality.sh | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
>> index ea7259f..2258758 100755
>> --- a/parser/tst/equality.sh
>> +++ b/parser/tst/equality.sh
>> @@ -270,6 +270,10 @@ for rule in "capability" "capability mac_admin" \
>>  	"/f r" "/f w" "/f rwmlk" "/** r" "/**/ w" \
>>  	"file /f r" "file /f w" "file /f rwmlk"
>>  do
>> +	verify_binary_equality "allow modifier for \"${rule}\"" \
>> +		"/t { ${rule}, }" \
>> +		"/t { allow ${rule}, }"
>> +
>>  	verify_binary_inequality "audit, deny, and audit deny modifiers for \"${rule}\"" \
>>  		"/t { ${rule}, }" \
>>  		"/t { audit ${rule}, }" \
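Review bot: the new verify_binary_equality call at the top of this hunk only covers the bare `allow` qualifier against the unqualified rule; since the inequality test right below it already exercises `audit ${rule}`, consider also asserting `"/t { audit ${rule}, }"` equal to `"/t { audit allow ${rule}, }"` (assuming the grammar accepts `audit allow`), so that `allow` is shown to be a no-op in the audited form too and not just in the plain one.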
>> @@ -282,6 +286,10 @@ done
>>  for rule in "/f ux" "/f Ux" "/f px" "/f Px" "/f ix" \
>>  	"file /f ux" "file /f UX" "file /f px" "file /f Px" "file /f ix"
>>  do
>> +	verify_binary_equality "allow modifier for \"${rule}\"" \
>> +		"/t { ${rule}, }" \
>> +		"/t { allow ${rule}, }" \
>> +
>>  	verify_binary_inequality "deny, audit deny modifier for \"${rule}\"" \
>>  		"/t { ${rule}, }" \
>>  		"/t { audit ${rule}, }" \
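Review bot: the third added line, `"/t { allow ${rule}, }" \`, carries a stray trailing backslash that continues the command onto the blank `+` line after it; the call only terminates because that line is empty, and anyone who later deletes the blank line will silently have the entire verify_binary_inequality invocation appended as extra arguments to verify_binary_equality. Drop the backslash so the line matches the corresponding line in the first hunk, which ends at the closing quote.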
> 
> 
> 
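The reply above distinguishes "same DFA, different permission tables" (deny vs audit deny) from "deny carving a perm out of a rule" that may or may not end up equivalent to a set of allow rules. The following is a constructed model added to this archive page, not code from the thread or from the apparmor parser: it folds a handful of file rules into a per-path table of allow, deny and audit bits so the relations the thread proposes can be checked on small rule sets before they are turned into equality.sh cases. The rule syntax it accepts (`[audit] [allow|deny] [file] <path> <perms>`), the permission letters, and the decision that explicit deny bits are kept in the table (AppArmor's deny rules are quiet by default, so they are not the same as an implicit denial) are assumptions of the model; whether apparmor_parser's binary output agrees for a given pair is exactly what verify_binary_equality / verify_binary_inequality would establish.

```python
"""Constructed model of how AppArmor's allow/deny/audit qualifiers combine.

Toy interpreter written for this note, not the apparmor parser. It reduces
a profile to {path: PermTable} so that 'same decisions' and 'same table'
can be checked separately, mirroring "same DFA, different permission table".
"""
from dataclasses import dataclass

# Subset of AppArmor file permission letters handled by the model (assumption).
PERM_CHARS = frozenset("rwmlkix")


@dataclass(frozen=True)
class PermTable:
    allow: frozenset        # permissions granted after deny bits are carved out
    deny: frozenset         # explicit deny bits (kept: deny is quiet, not absent)
    audit_allow: frozenset  # granted permissions that are audited
    audit_deny: frozenset   # denied permissions that are audited (audit deny)

    def decision(self, perm):
        """Return 'allow' or 'deny' for one requested permission; deny wins."""
        if perm in self.deny or perm not in self.allow:
            return "deny"
        return "allow"


EMPTY = PermTable(frozenset(), frozenset(), frozenset(), frozenset())


def parse_rule(rule):
    """Parse '[audit] [allow|deny] [file] <path> <perms>,' into fields."""
    toks = rule.strip().rstrip(",").split()
    audit = deny = False
    while toks and toks[0] in ("audit", "allow", "deny", "file"):
        tok = toks.pop(0)
        if tok == "audit":
            audit = True
        elif tok == "deny":
            deny = True
        # 'allow' and 'file' change nothing in the model: allow is the default
    if len(toks) != 2:
        raise ValueError(f"unsupported rule: {rule!r}")
    path, perms = toks
    bad = set(perms) - PERM_CHARS
    if bad:
        raise ValueError(f"unknown permission {sorted(bad)} in {rule!r}")
    return path, set(perms), audit, deny


def compile_profile(rules):
    """Fold rules into {path: PermTable}; deny bits carve out allow bits."""
    acc = {}
    for rule in rules:
        path, perms, audit, deny = parse_rule(rule)
        a, d, aa, ad = acc.setdefault(path, (set(), set(), set(), set()))
        if deny:
            d |= perms
            if audit:
                ad |= perms
        else:
            a |= perms
            if audit:
                aa |= perms
    return {
        p: PermTable(frozenset(a - d), frozenset(d), frozenset(aa - d), frozenset(ad))
        for p, (a, d, aa, ad) in acc.items()
    }


def same_decisions(p1, p2):
    """True when both profiles allow/deny identically for every path and perm."""
    for path in set(p1) | set(p2):
        t1, t2 = p1.get(path, EMPTY), p2.get(path, EMPTY)
        if any(t1.decision(x) != t2.decision(x) for x in PERM_CHARS):
            return False
    return True


def demo():
    """Candidate relations for equality.sh, evaluated in the model."""
    carved = ["/f rw,", "deny /f w,"]       # deny carves w out of rw
    return {
        "allow is a no-op": compile_profile(["/f r,"]) == compile_profile(["allow /f r,"]),
        "carving changes the table": compile_profile(["/f rw,"]) != compile_profile(carved),
        "carved decisions == allow-only": same_decisions(compile_profile(carved),
                                                         compile_profile(["/f r,"])),
        "carved table != allow-only": compile_profile(carved) != compile_profile(["/f r,"]),
        "deny vs audit deny: same decisions": same_decisions(compile_profile(["deny /f w,"]),
                                                             compile_profile(["audit deny /f w,"])),
        "deny vs audit deny: different table": compile_profile(["deny /f w,"])
                                               != compile_profile(["audit deny /f w,"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'ok ' if ok else 'FAIL'} {name}")
```

The last two entries are the model's version of the point made in the reply: `deny /f w` and `audit deny /f w` reach the same accept decision for every request but carry a different table, so a binary comparison must treat them as unequal. The middle pair shows why the deny-carving case needs thought: the carved profile decides every request exactly like `/f r`, yet its table still holds the explicit deny bit, so a pure-allow rule set is not automatically an equality partner for it.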



