[apparmor] [PATCH 4/2] parser: Test the 'allow' modifier

Steve Beattie steve at nxnw.org
Fri Mar 13 23:46:01 UTC 2015


On Fri, Mar 13, 2015 at 04:27:46PM -0700, John Johansen wrote:
> On 03/13/2015 03:52 PM, Steve Beattie wrote:
> > Do audit deny and deny result in different DFAs or the same? Should we
> > have (in)equality tests for those as well?
> > 
> Well, technically, the same dfa but different permission tables. So the
> binary is different, and yes it would be a good idea to make sure they
> differ as well.
> 
> And while we are at it we could probably come up with some dfa tests
> where deny is used to carve a perm out of a rule. And check that that
> is different, and then do one where said deny based dfa is equiv to
> a set of allow rules.
> 
> This of course will be more involved than doing the prefix tests here,
> I will have to think about a good set of rules to use.

Something like ensuring

  allow /foo/[abc] r,
  deny /foo/b r,

generates a different permission table than

  allow /foo/[abc] r,

but generates the same permission tables as

  allow /foo/[ac] r,

?

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
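
The comparisons proposed in this thread, worked through as an added example (not part of the message above and not AppArmor's parser or test-suite code). It is a toy model: the rule grammar, the probe paths and the `(allowed, audited)` table layout are assumptions made for illustration, and equality over a finite probe set is weaker than comparing the compiled binaries.

```python
import fnmatch
import re

# Toy rule grammar (assumption): [audit] [allow|deny] <path glob> <perms>,
RULE = re.compile(r"^\s*(audit\s+)?(allow\s+|deny\s+)?(/\S*)\s+([rwx]+),\s*$")
PROBES = ["/foo/a", "/foo/b", "/foo/c", "/foo/d"]  # constructed sample paths

def parse(profile):
    """Parse rule lines into (audit, is_deny, glob, perms) tuples."""
    rules = []
    for line in profile.strip().splitlines():
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule: {line!r}")
        audit, modifier, glob, perms = m.groups()
        is_deny = (modifier or "").strip() == "deny"
        rules.append((audit is not None, is_deny, glob, frozenset(perms)))
    return rules

def tables(profile):
    """Return {path: (allowed, audited)} for every probe path."""
    rules = parse(profile)
    out = {}
    for path in PROBES:
        allow, deny, audited = set(), set(), set()
        for audit, is_deny, glob, perms in rules:
            # fnmatchcase treats [abc] classes as AppArmor does; '*' differs.
            if not fnmatch.fnmatchcase(path, glob):
                continue
            (deny if is_deny else allow).update(perms)
            if audit:
                audited.update(perms)
        # Deny always wins: it carves permissions out of matching allows.
        out[path] = (frozenset(allow - deny), frozenset(audited))
    return out

CARVED = "allow /foo/[abc] r,\ndeny /foo/b r,"
FULL = "allow /foo/[abc] r,"
NARROW = "allow /foo/[ac] r,"
AUDIT_CARVED = "allow /foo/[abc] r,\naudit deny /foo/b r,"

def compare():
    """Equality results for the rule sets discussed in the thread."""
    return {
        "carved_vs_full": tables(CARVED) == tables(FULL),
        "carved_vs_narrow": tables(CARVED) == tables(NARROW),
        "deny_vs_audit_deny": tables(CARVED) == tables(AUDIT_CARVED),
    }
```

`compare()` reports the carved profile as unequal to the full allow rule, equal to the `[ac]` rule, and unequal to the `audit deny` variant, which matches the same paths but records a different audit entry for `/foo/b`.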