[apparmor] [PATCH 02/10] Expand Equality tests
Steve Beattie
steve at nxnw.org
Fri Mar 20 18:43:25 UTC 2015
On Fri, Mar 20, 2015 at 05:02:26AM -0700, John Johansen wrote:
> This adds several new equality tests and turned up a couple of more
> bugs
> https://launchpad.net/bugs/1433829
> https://launchpad.net/bugs/1434018
>
> - add link/link subset tests
> - add pix, Pix, cix, Cix, pux, Pux, cux, Cux and specified profile
> transitions (/f px -> b ...)
> - test equality of leading and trailing permission file rules
> ie. /foo rw, == rw /foo,
> - test that specific x match overrides generic x rule. ie.
> /** ix, /foo px, is different than /** ix, /foo ix,
> - test that deny removes permission
> /f[abc] r, deny /fb r, is different than /f[abc] r,
>
> In addition to adding the new tests, it changes the output of the
> equality tests, so that if the $verbose variable is not set successful
> tests only output a period, with failed tests outputting the full
> info. If verbose is set the full test info is output as before.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Steve Beattie <steve at nxnw.org> with the following changes
added:
- verify audit and audit allow is equal
- verify audit differs from deny and audit deny
- verify deny differs from audit deny
- make the verbose text a little more useful for some cases
- correct overlap exec tests to substitute in looped perms
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
parser/tst/equality.sh | 54 +++++++++++++++++++++++++++++++++++++++----------
1 file changed, 44 insertions(+), 10 deletions(-)
Index: b/parser/tst/equality.sh
===================================================================
--- a/parser/tst/equality.sh
+++ b/parser/tst/equality.sh
@@ -291,12 +291,25 @@ do
"/t { ${rule}, }" \
"/t { allow ${rule}, }"
+ verify_binary_equality "audit allow modifier for \"${rule}\"" \
+ "/t { audit ${rule}, }" \
+ "/t { audit allow ${rule}, }"
+
verify_binary_inequality "audit, deny, and audit deny modifiers for \"${rule}\"" \
"/t { ${rule}, }" \
"/t { audit ${rule}, }" \
"/t { audit allow ${rule}, }" \
"/t { deny ${rule}, }" \
"/t { audit deny ${rule}, }"
+
+ verify_binary_inequality "audit vs deny and audit deny modifiers for \"${rule}\"" \
+ "/t { audit ${rule}, }" \
+ "/t { deny ${rule}, }" \
+ "/t { audit deny ${rule}, }"
+
+ verify_binary_inequality "deny and audit deny modifiers for \"${rule}\"" \
+ "/t { deny ${rule}, }" \
+ "/t { audit deny ${rule}, }"
done
# Rules that need special treatment for the deny modifier
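Review bot: the new `verify_binary_equality "audit allow modifier for \"${rule}\""` asserts that `audit ${rule}` and `audit allow ${rule}` compile to the same policy, while the existing `verify_binary_inequality "audit, deny, and audit deny modifiers ..."` right below still lists both of those profiles after `/t { ${rule}, }`; the two only agree if verify_binary_inequality compares the first profile against each of the others rather than every pair, which is also why the two further `verify_binary_inequality` calls ("audit vs deny and audit deny" and "deny and audit deny") are needed to reach pairwise coverage. A one-line comment above the block stating that first-against-the-rest behaviour would keep the next reader from reading the block as self-contradictory.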
@@ -332,6 +345,10 @@ do
"/t { ${rule}, }" \
"/t { allow ${rule}, }"
+ verify_binary_equality "audit allow modifier for \"${rule}\"" \
+ "/t { audit ${rule}, }" \
+ "/t { audit allow ${rule}, }"
+
# skip rules that don't end with x perm
if [ -n "${rule##*x}" ] ; then continue ; fi
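Review bot: the added `verify_binary_equality "audit allow modifier for \"${rule}\""` reuses the exact description of the identical call in the previous loop, so a failure report does not say whether it came from the plain-rule loop or from this loop of rules that need special deny treatment; a distinguishing description such as `"audit allow modifier (deny-special rule) for \"${rule}\""` would make failures easier to localize. Placing the call before the `# skip rules that don't end with x perm` check is right, since the audit/audit-allow equivalence does not depend on an x perm.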
@@ -341,6 +358,19 @@ do
"/t { audit allow ${rule}, }" \
"/t { deny ${rule% *} x, }" \
"/t { audit deny ${rule% *} x, }"
+
+ verify_binary_inequality "audit vs deny and audit deny modifiers for \"${rule}\"" \
+ "/t { audit ${rule}, }" \
+ "/t { deny ${rule% *} x, }" \
+ "/t { audit deny ${rule% *} x, }"
+
+done
+
+# verify deny and audit deny differ for x perms
+for prefix in "/f" "/*" "file /f" "file /*" ; do
+ verify_binary_inequality "deny and audit deny x modifiers for \"${prefix}\"" \
+ "/t { deny ${prefix} x, }" \
+ "/t { audit deny ${prefix} x, }"
done
#Test equality of leading and trailing file permissions
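Review bot: the new `for prefix in "/f" "/*" "file /f" "file /*"` loop hard-codes its own list of paths, while the loop just above derives the same shape from the rule list with `${rule% *} x`; if the two are meant to cover the same rules, the hard-coded list will silently drift when the rule list changes. Consider moving the `verify_binary_inequality "deny and audit deny x modifiers ..."` call into the preceding loop after the x-perm skip, built from `"/t { deny ${rule% *} x, }"` and `"/t { audit deny ${rule% *} x, }"`, or deriving the prefix list from the same variable the loop above uses.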
@@ -357,7 +387,7 @@ for audit in "" "audit" ; do
"lkm" "rwlk" "rwlm" "rwkm" \
"ralk" "ralm" "wlkm" "alkm" \
"rwlkm" "ralkm" ; do
- verify_binary_equality "leading and trailing perms" \
+ verify_binary_equality "leading and trailing perms for \"${perm}\"" \
"/t { ${prefix} /f ${perm}, }" \
"/t { ${prefix} ${perm} /f, }"
done
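Review bot: the updated description `"leading and trailing perms for \"${perm}\""` now names the permission but not `${prefix}`, so iterations of the enclosing `for audit in "" "audit"` loop (and whatever else feeds `${prefix}`) still emit identical descriptions for the same `${perm}`; including the prefix as well, e.g. `for \"${prefix} ${perm}\"`, would make every reported case unique. The same applies to the two hunks that follow.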
@@ -366,7 +396,7 @@ for audit in "" "audit" ; do
"ix" "pux" "Pux" "pix" "Pix" \
"cux" "Cux" "cix" "Cix"
do
- verify_binary_equality "leading and trailing perms" \
+ verify_binary_equality "leading and trailing perms for \"${perm}\"" \
"/t { ${prefix} /f ${perm}, }" \
"/t { ${prefix} ${perm} /f, }"
done
@@ -374,7 +404,7 @@ for audit in "" "audit" ; do
"pux" "Pux" "pix" "Pix" \
"cux" "Cux" "cix" "Cix"
do
- verify_binary_equality "leading and trailing perms" \
+ verify_binary_equality "leading and trailing perms for x-transition \"${perm}\"" \
"/t { ${prefix} /f ${perm} -> b, }" \
"/t { ${prefix} ${perm} /f -> b, }"
done
@@ -396,16 +426,20 @@ do
"pix -> b" "Pix -> b" "cux -> b" "Cux -> b" \
"cix -> b" "Cix -> b"
do
- if [ "$perm1" == "$perm2" ] ; then
- verify_binary_equality "Exec - most specific match: same as glob" \
- "/t { /* px, /f px, }" \
- "/t { /* px, }"
+ if [ "$perm1" == "$perm2" ] ; then
+ verify_binary_equality "Exec perm \"${perm1}\" - most specific match: same as glob" \
+ "/t { /* ${perm1}, /f ${perm2}, }" \
+ "/t { /* ${perm1}, }"
else
- verify_binary_inequality "Exec - most specific match: different from glob" \
- "/t { /* px, /f cx, }" \
- "/t { /* px, }"
+ verify_binary_inequality "Exec \"${perm1}\" vs \"${perm2}\" - most specific match: different from glob" \
+ "/t { /* ${perm1}, /f ${perm2}, }" \
+ "/t { /* ${perm1}, }"
fi
done
+ verify_binary_inequality "Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
+ "/t { /* ${perm1}, audit deny /f x, }" \
+ "/t { /* ${perm1}, }"
+
done
#Test deny carves out permission
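Review bot: the added `verify_binary_inequality "Exec \"${perm1}\" vs deny x ..."` check only exercises `audit deny /f x`; the cover letter says the series tests that deny removes permission, and the earlier hunks verify that `deny` and `audit deny` compile differently, so a plain `"/t { /* ${perm1}, deny /f x, }"` profile belongs in this check too (as a further argument to the same call if verify_binary_inequality compares the first profile against each of the others, otherwise as a separate call). Also, the `if [ "$perm1" == "$perm2" ] ; then` line is removed and re-added with only its whitespace changed; dropping that whitespace-only change would keep the hunk to the substantive `${perm1}`/`${perm2}` substitution.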
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/