[apparmor] [PATCH 4/2] parser: Test the 'allow' modifier

John Johansen john.johansen at canonical.com
Sat Mar 14 01:05:37 UTC 2015


On 03/13/2015 04:46 PM, Steve Beattie wrote:
> On Fri, Mar 13, 2015 at 04:27:46PM -0700, John Johansen wrote:
>> On 03/13/2015 03:52 PM, Steve Beattie wrote:
>>> Do audit deny and deny result in different DFAs or the same? Should we
>>> have (in)equality tests for those as well?
>>>
>> well technically, the same dfa but different permission tables. So the
>> binary is different, and yes it would be a good idea to make sure they
>> differ as well.
>>
>> And while we are at it we could probably come up with some dfa tests
>> where deny is used to carve a perm out of a rule. And check that that
>> is different, and then do one where said deny based dfa is equiv to
>> a set of allow rules.
>>
>> This of course will be more involved than doing the prefix tests here,
>> I will have to think about a good set of rules to use.
> 
> Something like ensuring
> 
>   allow /foo/[abc] r,
>   deny /foo/b r,
> 
> generates a different permission table than
> 
>   allow /foo/[abc] r,
> 
> but generates the same permission tables as
> 
>   allow /foo/[ac] r,
> 
yeah, that is a nice simple one
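
The carve-out comparison proposed in the thread, as an added example that is not part of the original message and not the parser's own test code. It is a simplified Python model of effective file permissions (allow bits minus deny bits), not `apparmor_parser` or its DFA. It ignores audit and quiet flags, and the names `permission_table`, `same_table` and the probe paths are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Simplified file-rule grammar (assumption): [allow|deny] PATH PERMS,
RULE = re.compile(r"^\s*(?:(allow|deny)\s+)?(/\S*)\s+([rwx]+)\s*,\s*$")

def parse(profile):
    """Return a list of (qualifier, glob, perms), one per rule line."""
    rules = []
    for line in profile.strip().splitlines():
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append((m.group(1) or "allow", m.group(2), set(m.group(3))))
    return rules

def permission_table(profile, paths):
    """Map each path to its effective permissions: allow bits minus deny bits.

    Deny bits are accumulated separately and subtracted at the end, so a deny
    rule wins regardless of where it appears in the profile.
    """
    rules = parse(profile)
    table = {}
    for path in paths:
        allow, deny = set(), set()
        for qualifier, glob, perms in rules:
            # fnmatch character classes stand in for AppArmor globbing here.
            if fnmatchcase(path, glob):
                (deny if qualifier == "deny" else allow).update(perms)
        table[path] = frozenset(allow - deny)
    return table

# Constructed probe paths: every member of the class plus one outsider.
PATHS = ["/foo/a", "/foo/b", "/foo/c", "/foo/d"]

CARVED = "allow /foo/[abc] r,\ndeny /foo/b r,"
WIDE = "allow /foo/[abc] r,"
NARROW = "allow /foo/[ac] r,"

def same_table(p1, p2, paths=PATHS):
    """True when both profiles grant identical permissions on every probe path."""
    return permission_table(p1, paths) == permission_table(p2, paths)

if __name__ == "__main__":
    print("carved vs wide  :", same_table(CARVED, WIDE))
    print("carved vs narrow:", same_table(CARVED, NARROW))
```
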




