[apparmor] [PATCH 02/10] Expand Equality tests
Seth Arnold
seth.arnold at canonical.com
Mon Mar 23 18:52:38 UTC 2015
On Fri, Mar 20, 2015 at 11:43:25AM -0700, Steve Beattie wrote:
> On Fri, Mar 20, 2015 at 05:02:26AM -0700, John Johansen wrote:
> > This adds several new equality tests and turned up a couple more
> > bugs
> > https://launchpad.net/bugs/1433829
> > https://launchpad.net/bugs/1434018
> >
> > - add link/link subset tests
> > - add pix, Pix, cix, Cix, pux, Pux, cux, Cux and specified profile
> > transitions (/f px -> b ...)
> > - test equality of leading and trailing permission file rules
> > i.e. /foo rw, == rw /foo,
> > - test that specific x match overrides generic x rule, i.e.
> > /** ix, /foo px, is different than /** ix, /foo ix,
> > - test that deny removes permission
> > /f[abc] r, deny /fb r, is different than /f[abc] r,
> >
> > In addition to adding the new tests, it changes the output of the
> > equality tests, so that if the $verbose variable is not set successful
> > tests only output a period, with failed tests outputting the full
> > info. If verbose is set the full test info is output as before.
> >
> > Signed-off-by: John Johansen <john.johansen at canonical.com>
>
> Acked-by: Steve Beattie <steve at nxnw.org> with the following changes
> added:
>
> - verify audit and audit allow is equal
> - verify audit differs from deny and audit deny
> - verify deny differs from audit deny
> - make the verbose text a little more useful for some cases
> - correct overlap exec tests to substitute in looped perms
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Acked for both trunk and 2.9.
Thanks
> ---
> parser/tst/equality.sh | 54 +++++++++++++++++++++++++++++++++++++++----------
> 1 file changed, 44 insertions(+), 10 deletions(-)
>
> Index: b/parser/tst/equality.sh
> ===================================================================
> --- a/parser/tst/equality.sh
> +++ b/parser/tst/equality.sh
> @@ -291,12 +291,25 @@ do
> "/t { ${rule}, }" \
> "/t { allow ${rule}, }"
>
> + verify_binary_equality "audit allow modifier for \"${rule}\"" \
> + "/t { audit ${rule}, }" \
> + "/t { audit allow ${rule}, }"
> +
> verify_binary_inequality "audit, deny, and audit deny modifiers for \"${rule}\"" \
> "/t { ${rule}, }" \
> "/t { audit ${rule}, }" \
> "/t { audit allow ${rule}, }" \
> "/t { deny ${rule}, }" \
> "/t { audit deny ${rule}, }"
> +
> + verify_binary_inequality "audit vs deny and audit deny modifiers for \"${rule}\"" \
> + "/t { audit ${rule}, }" \
> + "/t { deny ${rule}, }" \
> + "/t { audit deny ${rule}, }"
> +
> + verify_binary_inequality "deny and audit deny modifiers for \"${rule}\"" \
> + "/t { deny ${rule}, }" \
> + "/t { audit deny ${rule}, }"
> done
>
> # Rules that need special treatment for the deny modifier
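Review bot: the new `verify_binary_equality` for `audit ${rule}` vs `audit allow ${rule}` only agrees with the existing five-profile `verify_binary_inequality` directly below it (which lists both `audit ${rule}` and `audit allow ${rule}`) if that helper compares the first profile against each of the others rather than every pair; the two added `verify_binary_inequality` calls (`audit` vs `deny`/`audit deny`, and `deny` vs `audit deny`) confirm that first-versus-rest reading, so a one-line comment stating it next to these calls would stop the next reader from assuming an all-pairs check and treating the new calls as redundant.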
> @@ -332,6 +345,10 @@ do
> "/t { ${rule}, }" \
> "/t { allow ${rule}, }"
>
> + verify_binary_equality "audit allow modifier for \"${rule}\"" \
> + "/t { audit ${rule}, }" \
> + "/t { audit allow ${rule}, }"
> +
> # skip rules that don't end with x perm
> if [ -n "${rule##*x}" ] ; then continue ; fi
>
> @@ -341,6 +358,19 @@ do
> "/t { audit allow ${rule}, }" \
> "/t { deny ${rule% *} x, }" \
> "/t { audit deny ${rule% *} x, }"
> +
> + verify_binary_inequality "audit vs deny and audit deny modifiers for \"${rule}\"" \
> + "/t { audit ${rule}, }" \
> + "/t { deny ${rule% *} x, }" \
> + "/t { audit deny ${rule% *} x, }"
> +
> +done
> +
> +# verify deny and audit deny differ for x perms
> +for prefix in "/f" "/*" "file /f" "file /*" ; do
> + verify_binary_inequality "deny and audit deny x modifiers for \"${prefix}\"" \
> + "/t { deny ${prefix} x, }" \
> + "/t { audit deny ${prefix} x, }"
> done
>
> #Test equality of leading and trailing file permissions
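Review bot: the `deny` vs `audit deny` check for x permissions is pulled out into a separate `for prefix in "/f" "/*" "file /f" "file /*"` loop instead of being added inside the rule loop as in the first hunk; the `${rule% *} x` rewrite explains why (every x rule with the same path collapses to the same `deny ... x` form, so the in-loop version would repeat one comparison per transition type), but the `# verify deny and audit deny differ for x perms` comment does not say so, and the hard-coded prefix list will have to be kept in step by hand with whatever paths the rule loop above covers. Expand the comment with that reasoning, and consider deriving the prefixes from the same list the rules come from so the two cannot drift apart.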
> @@ -357,7 +387,7 @@ for audit in "" "audit" ; do
> "lkm" "rwlk" "rwlm" "rwkm" \
> "ralk" "ralm" "wlkm" "alkm" \
> "rwlkm" "ralkm" ; do
> - verify_binary_equality "leading and trailing perms" \
> + verify_binary_equality "leading and trailing perms for \"${perm}\"" \
> "/t { ${prefix} /f ${perm}, }" \
> "/t { ${prefix} ${perm} /f, }"
> done
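Review bot: the description now names the permission under test, but the two profiles also vary by `${prefix}` (and by the `audit` loop variable visible in the hunk header, `for audit in "" "audit"`), so a failure still does not say which prefix/audit combination broke; include at least the prefix as well, e.g. `"leading and trailing perms for \"${prefix} ${perm}\""`, and the same applies to the two following hunks.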
> @@ -366,7 +396,7 @@ for audit in "" "audit" ; do
> "ix" "pux" "Pux" "pix" "Pix" \
> "cux" "Cux" "cix" "Cix"
> do
> - verify_binary_equality "leading and trailing perms" \
> + verify_binary_equality "leading and trailing perms for \"${perm}\"" \
> "/t { ${prefix} /f ${perm}, }" \
> "/t { ${prefix} ${perm} /f, }"
> done
> @@ -374,7 +404,7 @@ for audit in "" "audit" ; do
> "pux" "Pux" "pix" "Pix" \
> "cux" "Cux" "cix" "Cix"
> do
> - verify_binary_equality "leading and trailing perms" \
> + verify_binary_equality "leading and trailing perms for x-transition \"${perm}\"" \
> "/t { ${prefix} /f ${perm} -> b, }" \
> "/t { ${prefix} ${perm} /f -> b, }"
> done
> @@ -396,16 +426,20 @@ do
> "pix -> b" "Pix -> b" "cux -> b" "Cux -> b" \
> "cix -> b" "Cix -> b"
> do
> - if [ "$perm1" == "$perm2" ] ; then
> - verify_binary_equality "Exec - most specific match: same as glob" \
> - "/t { /* px, /f px, }" \
> - "/t { /* px, }"
> + if [ "$perm1" == "$perm2" ] ; then
> + verify_binary_equality "Exec perm \"${perm1}\" - most specific match: same as glob" \
> + "/t { /* ${perm1}, /f ${perm2}, }" \
> + "/t { /* ${perm1}, }"
> else
> - verify_binary_inequality "Exec - most specific match: different from glob" \
> - "/t { /* px, /f cx, }" \
> - "/t { /* px, }"
> + verify_binary_inequality "Exec \"${perm1}\" vs \"${perm2}\" - most specific match: different from glob" \
> + "/t { /* ${perm1}, /f ${perm2}, }" \
> + "/t { /* ${perm1}, }"
> fi
> done
> + verify_binary_inequality "Exec \"${perm1}\" vs deny x - most specific match: different from glob" \
> + "/t { /* ${perm1}, audit deny /f x, }" \
> + "/t { /* ${perm1}, }"
> +
> done
>
> #Test deny carves out permission
>
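Review bot: the test added after the inner `done` is named `vs deny x`, but the profile it builds is `"/t { /* ${perm1}, audit deny /f x, }"`, so plain `deny /f x` is not exercised against the glob here; either add `"/t { /* ${perm1}, deny /f x, }"` as a further profile in that call or rename the test to say `audit deny`. Substituting `${perm1}`/`${perm2}` for the hard-coded `px`/`cx` is the right fix, since the old bodies never used the values the two loops iterate over.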
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/