diff --git a/parser/parser_misc.c b/parser/parser_misc.c
index 67e6d6b85..f267f8362 100644
--- a/parser/parser_misc.c
+++ b/parser/parser_misc.c
@@ -74,6 +74,7 @@ static struct keyword_table keyword_table[] = {
 {"subset", TOK_SUBSET},
 {"audit", TOK_AUDIT},
 {"deny", TOK_DENY},
+ {"allow", TOK_ALLOW},
 {"set", TOK_SET},
 {"rlimit", TOK_RLIMIT},
 {"alias", TOK_ALIAS},
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index f1d41b9df..1c45c22bd 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
@@ -111,6 +111,7 @@ void add_local_entry(struct codomain *cod);
 %token TOK_SUBSET
 %token TOK_AUDIT
 %token TOK_DENY
+%token TOK_ALLOW
 %token TOK_PROFILE
 %token TOK_SET
 %token TOK_ALIAS
@@ -223,7 +224,7 @@ void add_local_entry(struct codomain *cod);
 %type opt_owner_flag
 %type opt_profile_flag
 %type opt_flags
-%type opt_deny
+%type opt_perm_mode
 %type opt_namespace
 %type opt_id
 %type opt_prefix
@@ -518,10 +519,11 @@ opt_owner_flag: { /* nothing */ $$ = 0; }
 | TOK_OWNER { $$ = 1; };
 | TOK_OTHER { $$ = 2; };
-opt_deny: { /* nothing */ $$ = 0; }
+opt_perm_mode: { /* nothing */ $$ = 0; }
+ | TOK_ALLOW { $$ = 0; }
 | TOK_DENY { $$ = 1; }
-opt_prefix: opt_audit_flag opt_deny opt_owner_flag
+opt_prefix: opt_audit_flag opt_perm_mode opt_owner_flag
 {
 $$.audit = $1;
 $$.deny = $2;
diff --git a/parser/tst/simple_tests/capability/bad_5.sd b/parser/tst/simple_tests/capability/bad_5.sd
new file mode 100644
index 000000000..0d15f7a1f
--- /dev/null
+++ b/parser/tst/simple_tests/capability/bad_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION fail conflicting perm mod same line
+#=EXRESULT FAIL
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ allow deny capability chown,
+}
diff --git a/parser/tst/simple_tests/capability/bad_6.sd b/parser/tst/simple_tests/capability/bad_6.sd
new file mode 100644
index 000000000..d250c0474
--- /dev/null
+++ b/parser/tst/simple_tests/capability/bad_6.sd
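Review bot: In the new `opt_perm_mode` rule `TOK_ALLOW` yields the same value (0) as the empty alternative, so the `$$.deny = $2` assignment in `opt_prefix` cannot distinguish an explicit `allow` from the implicit default; that looks intended, but nothing in the grammar says so, and because the rule admits at most one mode token, `allow deny` (the new bad_5.sd) is refused as a plain syntax error rather than with a conflicting-modifier diagnostic. A comment on the rule would save the next reader from re-deriving this, e.g. `/* allow is the default and maps to the same value as no keyword; allow and deny are mutually exclusive, so "allow deny" is a parse error */`. The action block of `opt_prefix` continues past the end of the hunk.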
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION fail conflicting perm mod same line
+#=EXRESULT FAIL
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ audit allow deny capability chown,
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow1.sd b/parser/tst/simple_tests/capability/ok_allow1.sd
new file mode 100644
index 000000000..c44c7a618
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow1.sd
@@ -0,0 +1,41 @@
+#
+#=DESCRIPTION validate uses of allow/capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ allow capability chown,
+ allow capability dac_override,
+ allow capability dac_read_search,
+ allow capability fowner,
+ allow capability fsetid,
+ allow capability kill,
+ allow capability setgid,
+ allow capability setuid,
+ allow capability setpcap,
+ allow capability linux_immutable,
+ allow capability net_bind_service,
+ allow capability net_broadcast,
+ allow capability net_admin,
+ allow capability net_raw,
+ allow capability ipc_lock,
+ allow capability ipc_owner,
+ allow capability sys_module,
+ allow capability sys_rawio,
+ allow capability sys_chroot,
+ allow capability sys_ptrace,
+ allow capability sys_pacct,
+ allow capability sys_admin,
+ allow capability sys_boot,
+ allow capability sys_nice,
+ allow capability sys_resource,
+ allow capability sys_time,
+ allow capability sys_tty_config,
+ allow capability mknod,
+ allow capability lease,
+ allow capability audit_write,
+ allow capability audit_control,
+ allow capability setfcap,
+ allow capability mac_override,
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow10.sd b/parser/tst/simple_tests/capability/ok_allow10.sd
new file mode 100644
index 000000000..ce13db05f
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow10.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION validate audit allow with bare capability in hat.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ ^capability {
+ audit allow capability,
+ }
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow2.sd b/parser/tst/simple_tests/capability/ok_allow2.sd
new file mode 100644
index 000000000..9daa1a42d
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow2.sd
@@ -0,0 +1,101 @@
+#
+#=DESCRIPTION validate uses of allow/capabilities in hats
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist2 {
+ ^chown {
+ allow capability chown,
+ }
+ ^dac_override {
+ allow capability dac_override,
+ }
+ ^dac_read_search {
+ allow capability dac_read_search,
+ }
+ ^fowner {
+ allow capability fowner,
+ }
+ ^fsetid {
+ allow capability fsetid,
+ }
+ ^kill {
+ allow capability kill,
+ }
+ ^setgid {
+ allow capability setgid,
+ }
+ ^setuid {
+ allow capability setuid,
+ }
+ ^setpcap {
+ allow capability setpcap,
+ }
+ ^linux_immutable {
+ allow capability linux_immutable,
+ }
+ ^net_bind_service {
+ allow capability net_bind_service,
+ }
+ ^net_broadcast {
+ allow capability net_broadcast,
+ }
+ ^net_admin {
+ allow capability net_admin,
+ }
+ ^net_raw {
+ allow capability net_raw,
+ }
+ ^ipc_lock {
+ allow capability ipc_lock,
+ }
+ ^ipc_owner {
+ allow capability ipc_owner,
+ }
+ ^sys_module {
+ allow capability sys_module,
+ }
+ ^sys_rawio {
+ allow capability sys_rawio,
+ }
+ ^sys_chroot {
+ allow capability sys_chroot,
+ }
+ ^sys_ptrace {
+ allow capability sys_ptrace,
+ }
+ ^sys_pacct {
+ allow capability sys_pacct,
+ }
+ ^sys_admin {
+ allow capability sys_admin,
+ }
+ ^sys_boot {
+ allow capability sys_boot,
+ }
+ ^sys_nice {
+ allow capability sys_nice,
+ }
+ ^sys_resource {
+ allow capability sys_resource,
+ }
+ ^sys_time {
+ allow capability sys_time,
+ }
+ ^sys_tty_config {
+ allow capability sys_tty_config,
+ }
+ ^mknod {
+ allow capability mknod,
+ }
+ ^lease {
+ allow capability lease,
+ }
+ ^audit_write {
+ allow capability audit_write,
+ }
+ ^audit_control {
+ allow capability audit_control,
+ }
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow3.sd b/parser/tst/simple_tests/capability/ok_allow3.sd
new file mode 100644
index 000000000..8d2c3bf8e
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION validate allow w/multiple capabilities in a line.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit101 {
+ allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow4.sd b/parser/tst/simple_tests/capability/ok_allow4.sd
new file mode 100644
index 000000000..0b5065908
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow4.sd
@@ -0,0 +1,41 @@
+#
+#=DESCRIPTION validate audit allow w/capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ audit allow capability chown,
+ audit allow capability dac_override,
+ audit allow capability dac_read_search,
+ audit allow capability fowner,
+ audit allow capability fsetid,
+ audit allow capability kill,
+ audit allow capability setgid,
+ audit allow capability setuid,
+ audit allow capability setpcap,
+ audit allow capability linux_immutable,
+ audit allow capability net_bind_service,
+ audit allow capability net_broadcast,
+ audit allow capability net_admin,
+ audit allow capability net_raw,
+ audit allow capability ipc_lock,
+ audit allow capability ipc_owner,
+ audit allow capability sys_module,
+ audit allow capability sys_rawio,
+ audit allow capability sys_chroot,
+ audit allow capability sys_ptrace,
+ audit allow capability sys_pacct,
+ audit allow capability sys_admin,
+ audit allow capability sys_boot,
+ audit allow capability sys_nice,
+ audit allow capability sys_resource,
+ audit allow capability sys_time,
+ audit allow capability sys_tty_config,
+ audit allow capability mknod,
+ audit allow capability lease,
+ audit allow capability audit_write,
+ audit allow capability audit_control,
+ audit allow capability setfcap,
+ audit allow capability mac_override,
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow5.sd b/parser/tst/simple_tests/capability/ok_allow5.sd
new file mode 100644
index 000000000..eb8c05fc6
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow5.sd
@@ -0,0 +1,102 @@
+#
+#=DESCRIPTION validate audit allow w/capabilities in hats.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exist2 {
+ ^chown {
+ audit allow capability chown,
+ }
+ ^dac_override {
+ audit allow capability dac_override,
+ }
+ ^dac_read_search {
+ audit allow capability dac_read_search,
+ }
+ ^fowner {
+ audit allow capability fowner,
+ }
+ ^fsetid {
+ audit allow capability fsetid,
+ }
+ ^kill {
+ audit allow capability kill,
+ }
+ ^setgid {
+ audit allow capability setgid,
+ }
+ ^setuid {
+ audit allow capability setuid,
+ }
+ ^setpcap {
+ audit allow capability setpcap,
+ }
+ ^linux_immutable {
+ audit allow capability linux_immutable,
+ }
+ ^net_bind_service {
+ audit allow capability net_bind_service,
+ }
+ ^net_broadcast {
+ audit allow capability net_broadcast,
+ }
+ ^net_admin {
+ audit allow capability net_admin,
+ }
+ ^net_raw {
+ audit allow capability net_raw,
+ }
+ ^ipc_lock {
+ audit allow capability ipc_lock,
+ }
+ ^ipc_owner {
+ audit allow capability ipc_owner,
+ }
+ ^sys_module {
+ audit allow capability sys_module,
+ }
+ ^sys_rawio {
+ audit allow capability sys_rawio,
+ }
+ ^sys_chroot {
+ audit allow capability sys_chroot,
+ }
+ ^sys_ptrace {
+ audit allow capability sys_ptrace,
+ }
+ ^sys_pacct {
+ audit allow capability sys_pacct,
+ }
+ ^sys_admin {
+ audit allow capability sys_admin,
+ }
+ ^sys_boot {
+ audit allow capability sys_boot,
+ }
+ ^sys_nice {
+ audit allow capability sys_nice,
+ }
+ ^sys_resource {
+ audit allow capability sys_resource,
+ }
+ ^sys_time {
+ audit allow capability sys_time,
+ }
+ ^sys_tty_config {
+ audit allow capability sys_tty_config,
+ }
+ ^mknod {
+ audit allow capability mknod,
+ }
+ ^lease {
+ audit allow capability lease,
+ }
+ ^audit_write {
+ audit allow capability audit_write,
+ }
+ ^audit_control {
+ audit allow capability audit_control,
+ }
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow6.sd b/parser/tst/simple_tests/capability/ok_allow6.sd
new file mode 100644
index 000000000..3372a4e57
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION validate audit allow w/multiple capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit101 {
+ audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow7.sd b/parser/tst/simple_tests/capability/ok_allow7.sd
new file mode 100644
index 000000000..a2b03f040
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow7.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION validate allow with bare capability keyword.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ allow capability,
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow8.sd b/parser/tst/simple_tests/capability/ok_allow8.sd
new file mode 100644
index 000000000..dcf197204
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION validate allow with bare capability in hat.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ ^capability {
+ allow capability,
+ }
+}
diff --git a/parser/tst/simple_tests/capability/ok_allow9.sd b/parser/tst/simple_tests/capability/ok_allow9.sd
new file mode 100644
index 000000000..4e16a0b93
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_allow9.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION validate audit allow with bare capability keyword.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist {
+ audit allow capability,
+}
diff --git a/parser/tst/simple_tests/capability/ok_dup_allow1.sd b/parser/tst/simple_tests/capability/ok_dup_allow1.sd
new file mode 100644
index 000000000..2052b908c
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow1.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate allow of duplicate capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+# Test for duplicates?
+/does/not/exist3 {
+ allow capability mknod,
+ allow capability mknod,
+}
diff --git a/parser/tst/simple_tests/capability/ok_dup_allow2.sd b/parser/tst/simple_tests/capability/ok_dup_allow2.sd
new file mode 100644
index 000000000..06d47bd0c
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow2.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate audit allow of duplicate capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+# Test for duplicates?
+/does/not/exist3 {
+ audit allow capability mknod,
+ audit allow capability mknod,
+}
diff --git a/parser/tst/simple_tests/capability/ok_dup_allow3.sd b/parser/tst/simple_tests/capability/ok_dup_allow3.sd
new file mode 100644
index 000000000..9eccce412
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow3.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION validate allow of duplicate multiple capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit102 {
+ allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+ allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
+
diff --git a/parser/tst/simple_tests/capability/ok_dup_allow4.sd b/parser/tst/simple_tests/capability/ok_dup_allow4.sd
new file mode 100644
index 000000000..492ecc42d
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow4.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION validate audit allow of duplicate multiple capabilities.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit102 {
+ audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+ audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+}
+
diff --git a/parser/tst/simple_tests/capability/ok_dup_allow5.sd b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
new file mode 100644
index 000000000..3bdc75b31
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow5.sd
@@ -0,0 +1,17 @@
+#
+#=DESCRIPTION validate duplicate multiple capabilities w/differing perm mods.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+/does/not/exit102 {
+ allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+ audit allow capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+ audit deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+
+ deny capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
+}
+
diff --git a/parser/tst/simple_tests/capability/ok_dup_allow6.sd b/parser/tst/simple_tests/capability/ok_dup_allow6.sd
new file mode 100644
index 000000000..63c48012e
--- /dev/null
+++ b/parser/tst/simple_tests/capability/ok_dup_allow6.sd
@@ -0,0 +1,16 @@
+#
+#=DESCRIPTION validate duplicate capability entries.
+#=EXRESULT PASS
+# vim:syntax=apparmor
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+
+# Test for duplicates?
+/does/not/exist3 {
+ capability mknod,
+ audit allow capability mknod,
+ deny capability mknod,
+ audit allow capability mknod,
+ deny capability mknod,
+ allow capability mknod,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_1.sd b/parser/tst/simple_tests/file/allow/ok_1.sd
new file mode 100644
index 000000000..a28a7c5cf
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_1.sd
@@ -0,0 +1,8 @@
+#
+#=Description basic file rule
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /usr/bin/foo r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_3.sd b/parser/tst/simple_tests/file/allow/ok_3.sd
new file mode 100644
index 000000000..252ffea30
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_3.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION A simple successful profile
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /usr/bin/foo r,
+ allow /usr/bin/blah rix,
+}
+
diff --git a/parser/tst/simple_tests/file/allow/ok_append_1.sd b/parser/tst/simple_tests/file/allow/ok_append_1.sd
new file mode 100644
index 000000000..b1085d21e
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_append_1.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION test append
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /bin/cat a,
+ allow /bin/true ra,
+ allow /bin/false ma,
+ allow /lib/libc.so la,
+ allow /bin/less ixa,
+ allow /bin/more pxa,
+ allow /a uxa,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_carat_1.sd b/parser/tst/simple_tests/file/allow/ok_carat_1.sd
new file mode 100644
index 000000000..c31ef9c3c
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_carat_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /foo^bar r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_carat_2.sd b/parser/tst/simple_tests/file/allow/ok_carat_2.sd
new file mode 100644
index 000000000..342aa2c3c
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_carat_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION trailing carat in pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /foo/bar^ r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_comma_1.sd b/parser/tst/simple_tests/file/allow/ok_comma_1.sd
new file mode 100644
index 000000000..ae58f10c6
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_comma_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION comma in pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /foo,bar r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_comma_2.sd b/parser/tst/simple_tests/file/allow/ok_comma_2.sd
new file mode 100644
index 000000000..1728dc3b3
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_comma_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION comma at end of pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow "/foobar," r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
new file mode 100644
index 000000000..345e4825c
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_1.sd
@@ -0,0 +1,7 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+# vim:syntax=apparmor
+
+/bin/foo {
+ allow "/abc\ def" r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
new file mode 100644
index 000000000..3334f8da9
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_2.sd
@@ -0,0 +1,7 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+# vim:syntax=apparmor
+
+/bin/foo {
+ allow "/abc def" r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
new file mode 100644
index 000000000..7cb68d80f
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_embedded_spaces_3.sd
@@ -0,0 +1,7 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+# vim:syntax=apparmor
+
+"/bin/fo o" {
+ allow "/abc def" r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd b/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
new file mode 100644
index 000000000..009df1194
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_inv_char_class.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /foo[^me]bar r,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_lock_1.sd b/parser/tst/simple_tests/file/allow/ok_lock_1.sd
new file mode 100644
index 000000000..defed2f75
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_lock_1.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION k and other perms do not conflict
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /bin/a k,
+ allow /bin/b rk,
+ allow /bin/c wk,
+ allow /bin/d ak,
+ allow /bin/e lk,
+ allow /bin/e mk,
+ allow /bin/f pxk,
+ allow /bin/g Pxk,
+ allow /bin/h ixk,
+ allow /bin/i uxk,
+ allow /bin/j Uxk,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_mmap_1.sd b/parser/tst/simple_tests/file/allow/ok_mmap_1.sd
new file mode 100644
index 000000000..c02d76b5b
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_mmap_1.sd
@@ -0,0 +1,13 @@
+#
+#=DESCRIPTION m and [uUpPi]x do not conflict
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /bin/cat mix,
+ allow /bin/true mpx,
+ allow /bin/false mux,
+ allow /lib/libc.so rwlm,
+ allow /bin/less mUx,
+ allow /bin/more mPx,
+}
diff --git a/parser/tst/simple_tests/file/allow/ok_mmap_2.sd b/parser/tst/simple_tests/file/allow/ok_mmap_2.sd
new file mode 100644
index 000000000..6d40c3b1f
--- /dev/null
+++ b/parser/tst/simple_tests/file/allow/ok_mmap_2.sd
@@ -0,0 +1,15 @@
+#
+#=DESCRIPTION m and [upi]x do not conflict, seperate rules
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ allow /bin/cat rm,
+ allow /bin/cat ix,
+ allow /bin/true px,
+ allow /bin/true m,
+ allow /bin/false m,
+ allow /bin/false ux,
+ allow /lib/libc.so rwl,
+ allow /lib/libc.so m,
+}
diff --git a/tests/regression/apparmor/capabilities.sh b/tests/regression/apparmor/capabilities.sh
index 50feacca8..4eb706843 100644
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@@ -91,10 +91,17 @@ for TEST in ${TESTS} ; do
 my_entries=$(eval echo \${${TEST}_extra_entries})
 settest ${TEST}
+ # base case, unconfined
 runchecktest "${TEST} -- unconfined" pass ${my_arg}
+
+ # no capabilities allowed
 genprofile ${my_entries}
 runchecktest "${TEST} -- no caps" fail ${my_arg}
+ # all capabilities allowed
+ genprofile cap:ALL ${my_entries}
+ runchecktest "${TEST} -- all caps" pass ${my_arg}
+
+ # iterate through each of the capabilities
 for cap in ${CAPABILITIES} ; do
 if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
@@ -111,6 +118,11 @@ for TEST in ${TESTS} ; do
 settest ${testwrapper}
 genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
 runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
+
+ # all capabilities allowed
+ genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
+ runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
+
 for cap in ${CAPABILITIES} ; do
 if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
 expected_result=pass
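Review bot: The changehat block only gains an all-caps `pass` case; the `deny` keyword and the allow/deny overlap behaviour added further down in this file are exercised solely through the top-level `syscall_chroot` profile, so a regression in how `deny capability` is compiled inside a hat would not be caught here. A negative case next to the new lines would close that gap, e.g. `genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL:deny ${my_entries}` followed by `runchecktest "${TEST} changehat -- all caps denied" fail $bin/${TEST} ${my_arg}`, using the three-field `cap:` form this commit adds to mkprofile.pl. The enclosing `for TEST` loop starts and ends outside the hunk.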
@@ -123,3 +135,79 @@ for TEST in ${TESTS} ; do
 done
+cap=sys_chroot
+settest syscall_chroot
+
+# test deny keyword works
+genprofile cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, deny keyword" fail ${syscall_chroot_args}
+
+# test allow keyword works
+genprofile cap:${cap}:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow keyword" pass ${syscall_chroot_args}
+
+### allow/deny overlap tests ###
+
+# test allow & deny keyword behavior, allow first
+genprofile cap:${cap}:allow cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny keyword, allow first" fail ${syscall_chroot_args}
+
+# test implicit allow & deny keyword behavior, allow first
+genprofile cap:${cap} cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny keyword, allow first" fail ${syscall_chroot_args}
+
+# test allow & deny keyword behavior, deny first
+genprofile cap:${cap}:deny cap:${cap}:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny keyword, deny first" fail ${syscall_chroot_args}
+
+# test implicit allow & deny keyword behavior, deny first
+genprofile cap:${cap}:deny cap:${cap} ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny keyword, deny first" fail ${syscall_chroot_args}
+
+# test allow all & deny all capability keyword behavior, allow first
+genprofile cap:ALL:allow cap:ALL:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny all caps keyword, allow first" fail ${syscall_chroot_args}
+
+# test implicit allow all & deny all capability keyword behavior, allow first
+genprofile cap:ALL cap:ALL:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny all caps keyword, allow first" fail ${syscall_chroot_args}
+
+# test allow all & deny all capability keyword behavior, deny first
+genprofile cap:ALL:deny cap:ALL:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny all caps keyword, deny first" fail ${syscall_chroot_args}
+
+# test implicit allow all & deny all capability keyword behavior, deny first
+genprofile cap:ALL:deny cap:ALL ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all caps keyword, deny first" fail ${syscall_chroot_args}
+
+# test allow all & deny keywords behavior, allow first
+genprofile cap:ALL:allow cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow all & deny keyword, allow first" fail ${syscall_chroot_args}
+
+# test implicit allow all & deny keywords behavior, allow first
+genprofile cap:ALL cap:${cap}:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny keyword, allow first" fail ${syscall_chroot_args}
+
+# test allow all & deny keywords behavior, deny first
+genprofile cap:${cap}:deny cap:ALL:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow all & deny keyword, deny first" fail ${syscall_chroot_args}
+
+# test implicit allow all & deny keywords behavior, deny first
+genprofile cap:${cap}:deny cap:ALL ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny keyword, deny first" fail ${syscall_chroot_args}
+
+# test allow & deny all keywords behavior, allow first
+genprofile cap:${cap}:allow cap:ALL:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny all keyword, allow first" fail ${syscall_chroot_args}
+
+# test implicit allow & deny all keywords behavior, allow first
+genprofile cap:${cap} cap:ALL:deny ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all keyword, allow first" fail ${syscall_chroot_args}
+
+# test allow & deny all keywords behavior, deny first
+genprofile cap:ALL:deny cap:${cap}:allow ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, allow & deny all keyword, deny first" fail ${syscall_chroot_args}
+
+# test implicit allow & deny all keywords behavior, deny first
+genprofile cap:ALL:deny cap:${cap} ${syscall_chroot_extra_entries}
+runchecktest "syscall_chroot -- capability ${cap}, implicit allow & deny all keyword, deny first" fail ${syscall_chroot_args}
diff --git a/tests/regression/apparmor/mkprofile.pl b/tests/regression/apparmor/mkprofile.pl
index 678acc256..1c1fc6b40 100755
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -157,10 +157,20 @@ sub gen_network($) {
 sub gen_cap($) {
 my $rule = shift;
 my @rules = split (/:/, $rule);
- if (@rules != 2) {
- (!$nowarn) && print STDERR "Warning: invalid capability description '$rule', ignored\n";
+ if (@rules == 2) {
+ if ($rules[1] =~ /^ALL$/) {
+ push (@{$output_rules{$hat}}, " capability,\n");
+ } else {
+ push (@{$output_rules{$hat}}, " capability $rules[1],\n");
+ }
+ } elsif (@rules == 3) {
+ if ($rules[1] =~ /^ALL$/) {
+ push (@{$output_rules{$hat}}, " $rules[2] capability,\n");
+ } else {
+ push (@{$output_rules{$hat}}, " $rules[2] capability $rules[1],\n");
+ }
 } else {
- push (@{$output_rules{$hat}}, " capability $rules[1],\n");
+ (!$nowarn) && print STDERR "Warning: invalid capability description '$rule', ignored\n";
 }
 }
diff --git a/utils/vim/apparmor.vim.in b/utils/vim/apparmor.vim.in
index b2504e482..39067c94f 100644
--- a/utils/vim/apparmor.vim.in
+++ b/utils/vim/apparmor.vim.in
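Review bot: One of the sixteen copied descriptions has drifted from its case: the `cap:ALL:deny cap:ALL` test reports `implicit allow & deny all caps keyword, deny first`, while its allow-first twin says `implicit allow all & deny all caps keyword`, so a failure in one of the pair reads as a different test; the line should be `runchecktest "syscall_chroot -- capability ${cap}, implicit allow all & deny all caps keyword, deny first" fail ${syscall_chroot_args}`. The block also reuses `cap` left over from the preceding loop and reads `syscall_chroot_extra_entries` and `syscall_chroot_args`, which are presumably defined earlier in the file outside this hunk; a one-line comment naming that dependency would help. All sixteen overlap cases expect `fail`, i.e. deny wins regardless of rule order and of whether the allow was explicit, which is the property worth stating in the `### allow/deny overlap tests ###` banner.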
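Review bot: The three-field form `cap:<name>:<mode>` interpolates `$rules[2]` into the generated profile unchecked, so a mistyped mode such as `cap:chown:alow` silently emits a rule the parser will reject instead of taking the existing "invalid capability description" warning path, and the mistake then surfaces as a profile-load failure in whichever test used it. Restricting the branch to the two modes the grammar accepts keeps bad specs on the warning path: `} elsif (@rules == 3 && $rules[2] =~ /^(allow|deny)$/) {`. The two `=~ /^ALL$/` tests could equally be `eq 'ALL'`, which reads as the exact match it is; a style point only.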
@@ -132,7 +132,7 @@ syn keyword sdCapKey @@sdKapKey@@
 syn keyword sdCapDanger @@sdKapKeyDanger@@
 " full line. Keywords are from sdCapKey + sdCapDanger
-syn match sdCap /\v^\s*@@auditdeny@@capability\s+(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
+syn match sdCap /\v^\s*@@auditdeny@@capability\s+((@@sdKapKeyRegex@@)\s+)*(@@sdKapKeyRegex@@)@@EOL@@/ contains=sdCapKey,sdCapDanger,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
 " all capabilities ('capability' without any keyword)
 syn match sdCapDanger /\v^\s*@@auditdeny@@capability@@EOL@@/ contains=sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py
index 819fe0614..dc10ffb2c 100644
--- a/utils/vim/create-apparmor.vim.py
+++ b/utils/vim/create-apparmor.vim.py
@@ -88,12 +88,12 @@ filename=r'(\/|\@\{\S*\})\S*'
 aa_regex_map = {
 'FILENAME': filename,
- 'FILE': r'\v^\s*(audit\s+)?(deny\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
+ 'FILE': r'\v^\s*(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?' + filename + r'\s+', # Start of a file rule
 # (whitespace_+_, owner etc. flag_?_, filename pattern, whitespace_+_)
 'DENYFILE': r'\v^\s*(audit\s+)?deny\s+(owner\s+)?' + filename + r'\s+', # deny, otherwise like FILE
- 'auditdenyowner': r'(audit\s+)?(deny\s+)?(owner\s+)?',
+ 'auditdenyowner': r'(audit\s+)?(deny\s+|allow\s+)?(owner\s+)?',
 'audit_DENY_owner': r'(audit\s+)?deny\s+(owner\s+)?', # must include "deny", otherwise like auditdenyowner
- 'auditdeny': r'(audit\s+)?(deny\s+)?',
+ 'auditdeny': r'(audit\s+)?(deny\s+|allow\s+)?',
 'EOL': r'\s*,(\s*$|(\s*#.*$)\@=)', # End of a line (whitespace_?_, comma, whitespace_?_ comment.*)
 'TRANSITION': r'(\s+-\>\s+\S+)?',
 'sdKapKey': " ".join(benign_caps),
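Review bot: The `sdCap` match now accepts a whitespace-separated list of capability names, but the comment above it still describes a single-keyword "full line", so the next reader has to decode `((@@sdKapKeyRegex@@)\s+)*` to learn that; updating it to `" full line: one or more capability names. Keywords are from sdCapKey + sdCapDanger` keeps the two in step. Because the whole line is grouped as `sdCap` and only the individual names inside it are coloured via `contains=sdCapKey,sdCapDanger`, a mixed benign/dangerous list is not flagged as dangerous as a line; as far as the hunk shows that matches the previous single-name behaviour, so it is only worth a note if line-level danger highlighting was intended.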
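Review bot: `(deny\s+|allow\s+)?` repeats the trailing whitespace in both alternatives in `FILE`, `auditdenyowner` and `auditdeny`; `((deny|allow)\s+)?` expresses the same language once and makes it obvious that the two keywords occupy the same optional slot and so cannot both appear, which is what the new bad_5.sd checks on the parser side. `DENYFILE` and `audit_DENY_owner` are correctly left deny-only, since they select the deny highlight group. A style point only; the matched language is unchanged.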