[apparmor] [patch] Add more ruletypes to the cleanprof test profiles

Kshitij Gupta kgupta8592 at gmail.com
Sun Feb 21 19:30:33 UTC 2016 

Hello,

On Sat, Dec 26, 2015 at 10:13 PM, Christian Boltz <apparmor at cboltz.de>
wrote:

> Hello,
>
> to ensure aa-cleanprof works as expected (and writing the rules works
> as expected), add some rules for every rule class to the cleanprof.in
> and cleanprof.out test profiles.
>
>
> [ 48-add-more-ruletypes-to-cleanprof-test.diff ]
>
> === modified file ./utils/test/cleanprof_test.in
> --- utils/test/cleanprof_test.in        2015-12-12 13:34:40.549997194
> +0100
> +++ utils/test/cleanprof_test.in        2015-12-26 17:11:27.034328693
> +0100
> @@ -4,12 +4,32 @@
>  /usr/bin/a/simple/cleanprof/test/profile {
>         # Just for the heck of it, this comment wont see the day of light
>         #include <abstractions/base>
> +
> +    capability sys_admin,
> +    audit capability,
> +
> +    change_profile -> /bin/foo,
> +    change_profile,
> +
> +    network inet stream,
> +    network stream,
> +
>         #Below rule comes from abstractions/base
>         allow /usr/share/X11/locale/**  r,
>         allow /home/*/** r,
>
> +    ptrace tracedby peer=/bin/strace,
> +    ptrace tracedby,
>      unix (receive) type=dgram,
>
> +    set rlimit nofile <= 256,
> +    set rlimit nofile <= 64,
> +
> +    signal set=(hup int quit ill trap abrt)
> +             set=(bus,fpe,,,kill,usr1)
> +                      set=segv set=usr2 set=pipe set=alrm set=term
> set=stkflt set=chld,
> +    signal set=(hup int quit),
> +
>      ^foo {
>              /etc/fstab r,
>          capability dac_override,
> === modified file ./utils/test/cleanprof_test.out
> --- utils/test/cleanprof_test.out       2015-12-12 13:34:40.549997194 +0100
> +++ utils/test/cleanprof_test.out       2015-12-26 17:14:06.105337830 +0100
> @@ -6,11 +6,23 @@
>  /usr/bin/a/simple/cleanprof/test/profile {
>    #include <abstractions/base>
>
> +  set rlimit nofile <= 256,
> +
> +  audit capability,
> +
> +  network stream,
> +
> +  signal set=(abrt alrm bus chld fpe hup ill int kill pipe quit segv
> stkflt term trap usr1 usr2),
> +
> +  ptrace tracedby,
> +
>    unix (receive) type=dgram,
>
>    /home/*/** r,
>    /home/foo/** w,
>
> +  change_profile,
> +
>
>    ^foo {
>      capability dac_override,
>
>
While the two profiles and the test looks good to me, it wouldn't hurt to
have a set of more experienced eyes take a look.

Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>

>
> Regards,
>
> Christian Boltz
> --
> > > of course, now everybody will claim how bad it is to fix bugs which
> > > people rely on;
> > No, I wont claim that, in fact I would argue against keeping any bug
> > on which people relies on (known as "backwards compatibility")
> I should have excluded you from the list of everybody...
> [> Cristian Rodríguez and (>>) Dominique Leuenberger in opensuse-factory]
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
>


-- 
Regards,

Kshitij Gupta
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160222/84dc2009/attachment-0001.html>

More information about the AppArmor mailing list