[apparmor] [PATCH 11/20] Fix: variable expansion for link target
John Johansen
john.johansen at canonical.com
Fri May 29 08:39:17 UTC 2015
Link rules with a variable in the link target, e.g.
link /foo -> @{var},
currently do not have the variable expanded.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
parser/parser_variable.c | 5 +++++
parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var1_ok_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var1_ok_link_1.sd | 11 +++++++++++
parser/tst/simple_tests/file/var1_ok_link_2.sd | 11 +++++++++++
parser/tst/simple_tests/file/var1_ok_link_3.sd | 11 +++++++++++
parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var1_src_ok_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var1_src_ok_link_1.sd | 11 +++++++++++
parser/tst/simple_tests/file/var1_src_ok_link_2.sd | 11 +++++++++++
parser/tst/simple_tests/file/var1_src_ok_link_3.sd | 11 +++++++++++
.../tst/simple_tests/file/var1_target_ok_audit_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var1_target_ok_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var1_target_ok_link_1.sd | 11 +++++++++++
parser/tst/simple_tests/file/var1_target_ok_link_2.sd | 11 +++++++++++
parser/tst/simple_tests/file/var1_target_ok_link_3.sd | 11 +++++++++++
parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var2_ok_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var2_ok_link_1.sd | 11 +++++++++++
parser/tst/simple_tests/file/var2_ok_link_2.sd | 11 +++++++++++
parser/tst/simple_tests/file/var2_ok_link_3.sd | 11 +++++++++++
parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var2_src_ok_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var2_src_ok_link_1.sd | 11 +++++++++++
parser/tst/simple_tests/file/var2_src_ok_link_2.sd | 11 +++++++++++
parser/tst/simple_tests/file/var2_src_ok_link_3.sd | 11 +++++++++++
.../tst/simple_tests/file/var2_target_ok_audit_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var2_target_ok_deny_link.sd | 10 ++++++++++
parser/tst/simple_tests/file/var2_target_ok_link_1.sd | 11 +++++++++++
parser/tst/simple_tests/file/var2_target_ok_link_2.sd | 11 +++++++++++
parser/tst/simple_tests/file/var2_target_ok_link_3.sd | 11 +++++++++++
31 files changed, 323 insertions(+)
create mode 100644 parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var1_ok_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var1_ok_link_1.sd
create mode 100644 parser/tst/simple_tests/file/var1_ok_link_2.sd
create mode 100644 parser/tst/simple_tests/file/var1_ok_link_3.sd
create mode 100644 parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var1_src_ok_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var1_src_ok_link_1.sd
create mode 100644 parser/tst/simple_tests/file/var1_src_ok_link_2.sd
create mode 100644 parser/tst/simple_tests/file/var1_src_ok_link_3.sd
create mode 100644 parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var1_target_ok_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var1_target_ok_link_1.sd
create mode 100644 parser/tst/simple_tests/file/var1_target_ok_link_2.sd
create mode 100644 parser/tst/simple_tests/file/var1_target_ok_link_3.sd
create mode 100644 parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var2_ok_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var2_ok_link_1.sd
create mode 100644 parser/tst/simple_tests/file/var2_ok_link_2.sd
create mode 100644 parser/tst/simple_tests/file/var2_ok_link_3.sd
create mode 100644 parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var2_src_ok_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var2_src_ok_link_1.sd
create mode 100644 parser/tst/simple_tests/file/var2_src_ok_link_2.sd
create mode 100644 parser/tst/simple_tests/file/var2_src_ok_link_3.sd
create mode 100644 parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var2_target_ok_deny_link.sd
create mode 100644 parser/tst/simple_tests/file/var2_target_ok_link_1.sd
create mode 100644 parser/tst/simple_tests/file/var2_target_ok_link_2.sd
create mode 100644 parser/tst/simple_tests/file/var2_target_ok_link_3.sd
diff --git a/parser/parser_variable.c b/parser/parser_variable.c
index e1f6543..ac334dc 100644
--- a/parser/parser_variable.c
+++ b/parser/parser_variable.c
@@ -254,6 +254,11 @@ static int process_variables_in_entries(struct cod_entry *entry_list)
error = expand_entry_variables(&entry->name);
if (error)
return error;
+ if (entry->link_name) {
+ error = expand_entry_variables(&entry->link_name);
+ if (error)
+ return error;
+ }
}
return 0;
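Review bot: Nothing added in this patch would fail if the new `if (entry->link_name)` block were removed again. Every profile it adds is marked `#=EXRESULT PASS`, which as far as this page shows only asserts that the parser accepts the profile, and the commit message describes the old behaviour as the variable not being expanded rather than as a parse error. Because an unexpanded target in a `deny link` rule would leave the rule matching a literal `@{var}` path instead of the intended one, the fix deserves a check on the compiled result, for example that `link /alpha/beta -> @{var},` with `@{var}=/test` produces the same policy as `link /alpha/beta -> /test,`. A one-line comment above the block would also help, such as `/* link rules carry a target path that needs the same variable expansion as the name */`. The enclosing loop and the start of `process_variables_in_entries` lie outside the hunk.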
diff --git a/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd
new file mode 100644
index 0000000..e806a20
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ audit deny link @{var} -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_deny_link.sd b/parser/tst/simple_tests/file/var1_ok_deny_link.sd
new file mode 100644
index 0000000..8074a4e
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ deny link @{var} -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_1.sd b/parser/tst/simple_tests/file/var1_ok_link_1.sd
new file mode 100644
index 0000000..9ea1db0
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ @{var} rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_2.sd b/parser/tst/simple_tests/file/var1_ok_link_2.sd
new file mode 100644
index 0000000..fae61f6
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link @{var} -> @{var},
+ @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_ok_link_3.sd b/parser/tst/simple_tests/file/var1_ok_link_3.sd
new file mode 100644
index 0000000..3dccf98
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link subset @{var} -> @{var},
+ @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd
new file mode 100644
index 0000000..03f2600
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ audit deny link @{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd b/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd
new file mode 100644
index 0000000..063c6ed
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ deny link @{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_1.sd b/parser/tst/simple_tests/file/var1_src_ok_link_1.sd
new file mode 100644
index 0000000..9ea1db0
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ @{var} rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_2.sd b/parser/tst/simple_tests/file/var1_src_ok_link_2.sd
new file mode 100644
index 0000000..d02822c
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link @{var} -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_src_ok_link_3.sd b/parser/tst/simple_tests/file/var1_src_ok_link_3.sd
new file mode 100644
index 0000000..c48af60
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_src_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link subset @{var} -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd
new file mode 100644
index 0000000..9c5a08c
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ audit deny link /alpha/beta -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd b/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd
new file mode 100644
index 0000000..03c4bb6
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ deny link /alpha/beta -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_1.sd b/parser/tst/simple_tests/file/var1_target_ok_link_1.sd
new file mode 100644
index 0000000..7841cb3
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ /alpha/beta rl,
+ /gamma/* rwl,
+}
+
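Review bot: This profile declares `@{var}=/test` but never references it, so it does not exercise target expansion despite its `var1_target_` name; its rules are the plain `/alpha/beta rl,` and `/gamma/* rwl,`. `var2_target_ok_link_1.sd` has the same blob id (`7841cb3`) and is therefore the same file. Likewise `var1_src_ok_link_1.sd` duplicates `var1_ok_link_1.sd` (`9ea1db0`) and `var2_src_ok_link_1.sd` duplicates `var2_ok_link_1.sd` (`fe1b2dc`). Either drop the duplicates or give each one a rule that uses the variable in the position its name advertises. All added profiles also define `@{var}` with a single value, so a target variable holding several values is not covered.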
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_2.sd b/parser/tst/simple_tests/file/var1_target_ok_link_2.sd
new file mode 100644
index 0000000..219a56e
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link /alpha/beta -> @{var},
+ @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var1_target_ok_link_3.sd b/parser/tst/simple_tests/file/var1_target_ok_link_3.sd
new file mode 100644
index 0000000..aecf731
--- /dev/null
+++ b/parser/tst/simple_tests/file/var1_target_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link subset /alpha/beta -> @{var},
+ @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd
new file mode 100644
index 0000000..3f7211b
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ audit deny link /foo@{var} -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_deny_link.sd b/parser/tst/simple_tests/file/var2_ok_deny_link.sd
new file mode 100644
index 0000000..eed94b9
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ deny link /foo@{var} -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_1.sd b/parser/tst/simple_tests/file/var2_ok_link_1.sd
new file mode 100644
index 0000000..fe1b2dc
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ /foo@{var} rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_2.sd b/parser/tst/simple_tests/file/var2_ok_link_2.sd
new file mode 100644
index 0000000..7d496b9
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link /foo@{var} -> /foo@{var},
+ /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_ok_link_3.sd b/parser/tst/simple_tests/file/var2_ok_link_3.sd
new file mode 100644
index 0000000..026b8aa
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link subset /foo@{var} -> /foo@{var},
+ /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd
new file mode 100644
index 0000000..2d880b1
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ audit deny link /foo@{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd b/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd
new file mode 100644
index 0000000..a6c4bac
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ deny link /foo@{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_1.sd b/parser/tst/simple_tests/file/var2_src_ok_link_1.sd
new file mode 100644
index 0000000..fe1b2dc
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ /foo@{var} rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_2.sd b/parser/tst/simple_tests/file/var2_src_ok_link_2.sd
new file mode 100644
index 0000000..5bc6ef8
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link /foo@{var} -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_src_ok_link_3.sd b/parser/tst/simple_tests/file/var2_src_ok_link_3.sd
new file mode 100644
index 0000000..0bdd95f
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_src_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link subset /foo@{var} -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd
new file mode 100644
index 0000000..675c3e8
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ audit deny link /alpha/beta -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd b/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd
new file mode 100644
index 0000000..8332124
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ deny link /alpha/beta -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_1.sd b/parser/tst/simple_tests/file/var2_target_ok_link_1.sd
new file mode 100644
index 0000000..7841cb3
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ /alpha/beta rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_2.sd b/parser/tst/simple_tests/file/var2_target_ok_link_2.sd
new file mode 100644
index 0000000..5ca93a7
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link /alpha/beta -> /foo@{var},
+ /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/var2_target_ok_link_3.sd b/parser/tst/simple_tests/file/var2_target_ok_link_3.sd
new file mode 100644
index 0000000..db36600
--- /dev/null
+++ b/parser/tst/simple_tests/file/var2_target_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link subset /alpha/beta -> /foo@{var},
+ /foo@{var} r,
+}
+
--
2.1.4