mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00

parser: Add support for automatic @{attach_path} variable

Have the parser extract the attachment path from the profile declaration
and make it available as a variable within the profile. This allows
profile rules to use the executable attachment path in rules.

e.g.
```
  profile ex /bin/** {
     @{attach_path} r,
     # ...
  }

  profile /path/to/bin {
     @{attach_path} r,
     # ...
}
```

If a profile does not define an attachment, like

```
  profile noattach {
     @{attach_path} r,
  }
```

the apparmor_parser will fail the compile with the error:

```
  Found reference to variable attach_path, but is never declared
```

The attachment xattr/label conditionals are not made available at
this time as regular file path rules can not use them.

Similarly, a @{exec_path} variable is made available. It is different
from @{attach_path} in that it is intended to be a kernel variable
that represents the specific executable that was matched at run
time. However, to support policy on kernels that don't define the
kernel variable, it has a fallback value that is the same as
@{attach_path}.

This patch is a follow-on to MR:1637 (https://gitlab.com/apparmor/apparmor/-/merge_requests/1637)
and is similar to how the apparmor.d project uses the manually set up
@{exec_path} variable.

We can bikeshed over the variable name. @{attach_path} was chosen
here because this is the attachment conditional path for the
executable, not the executable's actual path, while @{exec_path} is
intended to be the application's actual executable path.
support the @{exec_path} kernel variable (all of them atm).

Notes:

The minimize.sh tests are changed because this patch causes path-based
profile names to create an attachment. This could be done by doing the
attach_variable expansion in the alternate location marked by the
patch, but since the kernel is going to start doing this for all
profiles that don't have an attachment, it is better for the parser to
do it, as it can optimize better.

This patch may cause breakage if policy declares either @{attach_path}
or @{exec_path}. This will not be dealt with here, but in a subsequent
patch that allows variables to have a local scope, so that the compiler-
defined vars will just get declared locally.

Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2025-04-20 16:34:51 -07:00
parent b7ce9b81fa
commit 699507f90a
29 changed files with 508 additions and 25 deletions


@ -1802,8 +1802,29 @@ site-specific customization of B<@{HOMEDIRS}>,
F</etc/apparmor.d/tunables/multiarch.d> for B<@{multiarch}> and
F</etc/apparmor.d/tunables/xdg-user-dirs.d> for B<@{XDG_*}>.
The special B<@{profile_name}> variable is set to the profile name and may be
used in all policy.
=head3 Special builtin variables
AppArmor has some builtin variables that are not declared in policy
but are available to be used in policy.
@{profile_name} - the profile name
@{attach_path} - the profile exec attachment path - if one has been defined
@{exec_path} - the executables path
The B<@{profile_name}> variable is set to the profile name and may be
used in all policy. It is only defined when used inside of a profile.
The B<@{attach_path}> variable is only defined if the profile will attach
to an executable. It will be the path attachment specification or
if that is not defined it may be the profile's name if the profile name
is a path.
The B<@{exec_path}> variable like B<@{attach_path}> is only defined if
the profile attaches to an executable. If the kernel supports it as a
kernel variable, it will be set to the specific path that matches the
executable at run time. If the kernel does not support kernel variables
it will have the same value as B<@{attach_path}>.
=head3 Notes on variable expansion and the / character
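Review bot: the list entry `@{exec_path} - the executables path` is missing the possessive (`executable's path`), and the older two-line sentence `The special B<@{profile_name}> variable is set to the profile name and may be used in all policy.` says the same thing as the first paragraph of the new `=head3 Special builtin variables` section; if that sentence survives this change, drop it so the variable is documented once. The B<@{exec_path}> paragraph would also benefit from one sentence saying that no kernel currently supplies the variable, since the commit message states the fallback is the only behaviour today; as written, a policy author may expect run-time resolution.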


@ -294,9 +294,10 @@ do { \
version; \
})
/* The parser fills this variable in automatically */
/* The parser fills these variable in automatically */
#define PROFILE_NAME_VARIABLE "profile_name"
#define PROFILE_ATTACH_VAR "attach_path"
#define PROFILE_EXEC_VAR "exec_path"
/* from parser_common.c */
extern uint32_t policy_version;
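Review bot: the updated comment `/* The parser fills these variable in automatically */` should read `these variables`. The three defines also mix two naming patterns (`PROFILE_NAME_VARIABLE` versus `PROFILE_ATTACH_VAR` and `PROFILE_EXEC_VAR`); settling on one makes it easier to grep for every builtin variable the parser injects.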
@ -395,6 +396,7 @@ extern const char *basedir;
#define glob_default 0
#define glob_null 1
const char *local_name(const char *name);
extern pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
std::string& pcre, int *first_re_pos);
extern bool build_list_val_expr(std::string& buffer, struct value_list *list);
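Review bot: `const char *local_name(const char *name);` is the only declaration in this block without the `extern` its neighbours use; add it for consistency, and a one-line comment stating that it returns the unqualified component after the last `//` would help readers of process_variables_in_name() see why it is applied to a profile name.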


@ -295,8 +295,22 @@ static int process_variables_in_name(Profile &prof)
* setup
*/
int error = expand_entry_variables(&prof.name);
if (!error && prof.attachment)
error = expand_entry_variables(&prof.attachment);
if (!error) {
if (prof.attachment)
error = expand_entry_variables(&prof.attachment);
else if (prof.name[0] == '/') {
/* had to wait to do this until after processing the
* variables in the profile name
*/
prof.attachment = strdup(local_name(prof.name));
if (!prof.attachment) {
errno = ENOMEM;
return -1;
}
filter_slashes(prof.attachment);
}
}
if (!error && prof.flags.disconnected_path)
error = process_variable_in_attach_disconnected(&prof.flags.disconnected_path);
if (!error && prof.flags.disconnected_ipc)
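Review bot: the new branch checks `prof.name[0] == '/'` on the full name but stores `local_name(prof.name)`; if `prof.name` can carry a `parent//` prefix at this point, a child whose local component is a path is skipped by the check, and if it cannot, the `local_name()` call is redundant. Clarify which holds, either by testing `local_name(prof.name)[0] == '/'` or by dropping the call and saying so in the comment. The ENOMEM path returns -1 directly instead of setting `error`, which is fine but differs from the rest of the function; a short comment would save the next reader from wondering whether the `disconnected_path` processing below was meant to be skipped.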
@ -331,23 +345,59 @@ int process_profile_variables(Profile *prof)
*/
error = process_variables_in_name(*prof);
if (!error) {
/* escape profile name elements that could be interpreted
* as regular expressions.
if (error)
goto out;
/* escape profile name elements that could be interpreted as
* regular expressions.
*/
error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
if (error)
goto out;
if (prof->attachment) {
/* IF we didn't want a path based profile name to generate
* an attachment. The code could be moved here. Add the
* output fed into the vars directly instead of setting
* the attachment.
*/
error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
/* need to take into account alias, but not yet */
error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment);
if (error)
goto cleanup_name;
/* update to use kernel vars if available */
error = new_set_var(PROFILE_EXEC_VAR, prof->attachment);
if (error)
goto cleanup_attach;
}
if (!error)
error = process_variables_in_entries(prof->entries);
if (!error)
error = process_variables_in_rules(*prof);
error = process_variables_in_entries(prof->entries);
if (error)
goto cleanup;
error = process_variables_in_rules(*prof);
cleanup:
/* ideally these variables would be local scoped and we would not
* have to clean them up here, but unfortunately variables
* don't support that yet.
*/
if (prof->attachment) {
rc = delete_set_var(PROFILE_EXEC_VAR);
if (!error)
error = rc;
}
cleanup_attach:
if (prof->attachment) {
rc = delete_set_var(PROFILE_ATTACH_VAR);
if (!error)
error = rc;
}
cleanup_name:
rc = delete_set_var(PROFILE_NAME_VARIABLE);
if (!error)
error = rc;
out:
return error;
}
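Review bot: the unwinding relies on `cleanup:` falling through into `cleanup_attach:` and then `cleanup_name:`; state that cascade in the comment above `cleanup:` so a later edit cannot slip a return between the labels and leave `@{attach_path}` or `@{exec_path}` defined for the next profile. `rc` is assigned in the cleanup path but not declared in the hunk; confirm it exists at function scope. `/* update to use kernel vars if available */` and `/* need to take into account alias, but not yet */` are TODOs and would be easier to find if marked as such.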


@ -971,6 +971,144 @@ verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \
#### end of wrapper fn
}
test_parser_variables()
{
######## @{profile_name} #######
verify_binary_equality "@{profile_name} expands correctly" \
"/t { @{profile_name} r, }" \
"/t { /t r, }"
verify_binary_equality "@{profile_name} expands correcly - filter /" \
"/t { /r/@{profile_name} r, }" \
"/t { /r/t r, }"
verify_binary_equality "@{profile_name} expands correcly - add globbing" \
"/t { @{profile_name}/** r, }" \
"/t { /t/** r, }"
#re expression are escaped in profile names so /t/* becomes /t/\*
verify_binary_inequality "@{profile_name} w/pat expands correctly" \
"/t/* { @{profile_name} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{profile_name} w/pat expands correctly" \
"/t/* { @{profile_name} r, }" \
"/t/* { /t/\* r, }"
verify_binary_inequality "@{profile_name} w/pat expands correcly - filter /" \
"/t/* { @{profile_name} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{profile_name} w/pat expands correcly - filter /" \
"/t/* { @{profile_name}/a r, }" \
"/t/* { /t/\*/a r, }"
verify_binary_inequality "@{profile_name} w/pat expands correcly - add globbing" \
"/t/* { @{profile_name}/** r, }" \
"/t/* { /t/*/** r, }"
verify_binary_equality "@{profile_name} w/pat expands correcly - add globbing" \
"/t/** { @{profile_name}/** r, }" \
"/t/** { /t/\*\*/** r, }"
######## @{attach_path} #######
verify_binary_equality "@{attach_path} expands correctly" \
"/t { @{attach_path} r, }" \
"/t { /t r, }"
verify_binary_equality "@{attach_path} expands correcly - filter /" \
"/t { /r/@{attach_path} r, }" \
"/t { /r/t r, }"
verify_binary_equality "@{attach_path} expands correcly - add globbing" \
"/t { @{attach_path}/** r, }" \
"/t { /t/** r, }"
verify_binary_equality "@{attach_path} w/pat expands correctly" \
"/t/* { @{attach_path} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{attach_path} w/pat expands correcly - filter /" \
"/t/* { @{attach_path} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{attach_path} w/pat expands correcly - add globbing" \
"/t/* { @{attach_path}/** r, }" \
"/t/* { /t/*/** r, }"
verify_binary_equality "@{attach_path} w/attachment expands correctly" \
"profile a /t { @{attach_path} r, }" \
"profile a /t { /t r, }"
verify_binary_equality "@{attach_path} w/attachment expands correcly - filter /" \
"profile a /t { /r/@{attach_path} r, }" \
"profile a /t { /r/t r, }"
verify_binary_equality "@{attach_path} w/attachment expands correcly - add globbing" \
"profile a /t { @{attach_path}/** r, }" \
"profile a /t { /t/** r, }"
verify_binary_equality "@{attach_path} w/attachment w/pat expands correctly" \
"profile a /t/* { @{attach_path} r, }" \
"profile a /t/* { /t/* r, }"
verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - filter /" \
"profile a /t/* { @{attach_path} r, }" \
"profile a /t/* { /t/* r, }"
verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - add globbing" \
"profile a /t/* { @{attach_path}/** r, }" \
"profile a /t/* { /t/*/** r, }"
######## @{exec_path} #######
verify_binary_equality "@{exec_path} expands correctly" \
"/t { @{exec_path} r, }" \
"/t { /t r, }"
verify_binary_equality "@{exec_path} expands correcly - filter /" \
"/t { /r/@{exec_path} r, }" \
"/t { /r/t r, }"
verify_binary_equality "@{exec_path} expands correcly - add globbing" \
"/t { @{exec_path}/** r, }" \
"/t { /t/** r, }"
verify_binary_equality "@{exec_path} w/pat expands correctly" \
"/t/* { @{exec_path} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{exec_path} w/pat expands correcly - filter /" \
"/t/* { @{exec_path} r, }" \
"/t/* { /t/* r, }"
verify_binary_equality "@{exec_path} w/pat expands correcly - add globbing" \
"/t/* { @{exec_path}/** r, }" \
"/t/* { /t/*/** r, }"
verify_binary_equality "@{exec_path} w/attachment expands correctly" \
"profile a /t { @{exec_path} r, }" \
"profile a /t { /t r, }"
verify_binary_equality "@{exec_path} w/attachment expands correcly - filter /" \
"profile a /t { /r/@{exec_path} r, }" \
"profile a /t { /r/t r, }"
verify_binary_equality "@{exec_path} w/attachment expands correcly - add globbing" \
"profile a /t { @{exec_path}/** r, }" \
"profile a /t { /t/** r, }"
verify_binary_equality "@{exec_path} w/attachment w/pat expands correctly" \
"profile a /t/* { @{exec_path} r, }" \
"profile a /t/* { /t/* r, }"
verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - filter /" \
"profile a /t/* { @{exec_path} r, }" \
"profile a /t/* { /t/* r, }"
verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - add globbing" \
"profile a /t/* { @{exec_path}/** r, }" \
"profile a /t/* { /t/*/** r, }"
}
run_tests()
{
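Review bot: many descriptions spell `correctly` as `correcly`, which hurts grepping for failures; also the `@{profile_name} w/pat expands correcly - filter /` inequality case is a verbatim repeat of the preceding `w/pat expands correctly` inequality (`/t/* { @{profile_name} r, }` against `/t/* { /t/* r, }`) and does not exercise a `/r/` prefix the way the non-pattern `filter /` case does, so it adds no coverage as written. The `@{attach_path}` and `@{exec_path}` sections are identical apart from the variable name; a loop over those two names would keep them in sync, with the escaping-specific `@{profile_name}` inequality cases left as they are.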
@ -1082,6 +1220,8 @@ run_tests()
"@{BAR}=bin/ \#value
/t { /@{BAR} r, }"
test_parser_variables
# verify combinations of different priority levels
# for single rule comparisons, rules should keep same expected result
# even when the priorities are different.


@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
# {a} (0x 40030/0/0/0)
echo -n "Minimize profiles basic perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed"
exit 1;
fi
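Review bot: switching `/t {` to `profile t {` keeps the expected state count at 6 by avoiding the attachment that a path-based profile name now generates; record that reason in the comment block above the test, because anyone restoring `/t` later will see the count change with no obvious cause. The same substitution repeats in every hunk of this file, so one comment near the top of the script covers all of them.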
@ -93,7 +93,7 @@ echo "ok"
# {9} (0x 12804a/0/2800a/0)
# {c} (0x 40030/0/0/0)
echo -n "Minimize profiles audit perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed"
exit 1;
fi
@ -112,7 +112,7 @@ echo "ok"
# {c} (0x 40030/0/0/0)
echo -n "Minimize profiles deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed"
exit 1;
fi
@ -130,7 +130,7 @@ echo "ok"
# {c} (0x 40030/0/0/0)
echo -n "Minimize profiles audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
echo "failed"
exit 1;
fi
@ -155,7 +155,7 @@ echo "ok"
## NOTE: change count from 6 to 7 when extend perms is not dependent on
## prompt rules being present
echo -n "Minimize profiles extended no-filter audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
echo "failed"
exit 1;
fi
@ -173,7 +173,7 @@ echo "ok"
# {2} (0x 4/0//0/0/0) <- from policydb still showing up bug
echo -n "Minimize profiles extended filter audit deny perms "
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
echo "failed"
exit 1;
fi
@ -208,7 +208,7 @@ echo "ok"
#
echo -n "Minimize profiles xtrans "
if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
if [ "$(echo "profile t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
echo "failed"
exit 1;
fi
@ -216,7 +216,7 @@ echo "ok"
# same test as above + audit
echo -n "Minimize profiles audit xtrans "
if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
if [ "$(echo "profile t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
echo "failed"
exit 1;
fi
@ -229,7 +229,7 @@ echo "ok"
# {3} (0x 0/fe17f85/0/14005)
echo -n "Minimize profiles deny xtrans "
if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
if [ "$(echo "profile t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
echo "failed"
exit 1;
fi
@ -241,7 +241,7 @@ echo "ok"
# {3} (0x 0/fe17f85/0/0)
echo -n "Minimize profiles audit deny xtrans "
if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
if [ "$(echo "profile t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
echo "failed"
exit 1;
fi


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto attach_path variable in rules
#=EXRESULT PASS
profile /a/test/profile {
/a/test/profile rix,
@{attach_path} rwk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto atach_path variable in rules
#=EXRESULT PASS
profile this_is_a_test /a/test/profile {
/a/test/profile rix,
/run/@{attach_path}/tmp rwk,
}
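Review bot: `#=DESCRIPTION reference auto atach_path variable in rules` misspells `attach_path`; the description is what appears in test output, so keep it searchable.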


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto attach_path from profile
#=EXRESULT PASS
/test/profile {
/test/profile rix,
/run/@{attach_path}/tmp rwk,
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto attach_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile spork /a/*/c {
@{attach_path}/** rw,
}
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto attach_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile /a/b/c {
@{attach_path}/** rw,
}
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto attach_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile /a/*/c {
@{attach_path}/** rw,
}
}


@ -0,0 +1,20 @@
#=DESCRIPTION ensure attach_path expansion after subprofiles works
#=EXRESULT PASS
profile top_profile /test/profile {
/first/path/@{attach_path}/tmp rwk,
profile spork {
owner /tmp/* r,
/run/@{profile_name}/** rw,
}
hat spelunkk {
owner /tmp/* r,
/run/@{profile_name}/** rw,
}
# Does this expand properly?
/second/path/@{attach_path}/tmp rk,
}
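Review bot: `# Does this expand properly?` leaves the expectation as a question; since `#=EXRESULT PASS` already asserts it, reword the comment to state what is being checked, namely that the parent's `@{attach_path}` is still defined for the rule that follows the `profile spork` and `hat spelunkk` bodies.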


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto @{attach_path} variable in rules when not created
#=EXRESULT FAIL
test/profile {
/a/test/profile rix,
mr @{attach_path},
}
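Review bot: `test/profile {` names the profile with neither a leading `/` nor the `profile` keyword, so this file may fail to parse before the undeclared-variable check is reached, and the expected FAIL would then be for the wrong reason. The commit message's own example uses `profile noattach { @{attach_path} r, }`; use that form here so the failure is attributable to the missing attachment.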


@ -0,0 +1,12 @@
#=DESCRIPTION reference auto attach_path from profile
#=EXRESULT FAIL
/test/profile {
/test/profile rix,
# hat does not have an attachment and profile's attachment doesn't apply
^spork {
owner /tmp/* r,
/spork/@{attach_path}/** rw,
}
}


@ -0,0 +1,16 @@
#=DESCRIPTION ensure attach_path expansion after subprofiles works
#=EXRESULT FAIL
profile top_profile /test/profile {
/first/path/@{attach_path}/tmp rwk,
# subprofile doesn't have attach_pathes
hat spelunkk {
owner /tmp/* r,
/run/@{attach_path}/** rw,
}
# Does this expand properly?
/second/path/@{attach_path}/tmp rk,
}
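Review bot: `# subprofile doesn't have attach_pathes` should read `attach_path`, and the block it describes is `hat spelunkk`, not a subprofile; saying "hat" there matches the sibling PASS test, where only the `profile spork` child is a subprofile.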


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto attach_path variable collides with user defined
#=EXRESULT FAIL
@{attach_path}=/BAD
profile /a/test/profile {
/a/test/profile rix,
@{attach_path} rwk,
}
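Review bot: this pins the current behaviour that a user-declared `@{attach_path}=/BAD` collides with the builtin; the commit message says a follow-up will give the builtins local scope, at which point the expected result presumably flips to PASS. Say so in the DESCRIPTION so the follow-up remembers to update `#=EXRESULT` rather than being surprised by a regression.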


@ -0,0 +1,11 @@
#=DESCRIPTION reference auto attach_path variable in rules w/hats
#=EXRESULT FAIL
profile idf3s2A6GX8vrk /simple/profile {
/test/profile rix,
^test {
/run/@{attach_path}/tmp rwk,
}
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto exec_path variable in rules
#=EXRESULT PASS
profile /a/test/profile {
/a/test/profile rix,
@{exec_path} rwk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto exec_path variable in rules
#=EXRESULT PASS
profile this_is_a_test /a/test/profile {
/a/test/profile rix,
/run/@{exec_path}/tmp rwk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto exec_path from profile
#=EXRESULT PASS
/test/profile {
/test/profile rix,
/run/@{exec_path}/tmp rwk,
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto exec_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile spork /a/*/c {
@{exec_path}/** rw,
}
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto exec_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile /a/b/c {
@{exec_path}/** rw,
}
}


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto exec_path variable in child
#=EXRESULT PASS
# no attachment in parent
profile top_profile {
profile /a/*/c {
@{exec_path}/** rw,
}
}


@ -0,0 +1,20 @@
#=DESCRIPTION ensure exec_path expansion after subprofiles works
#=EXRESULT PASS
profile top_profile /test/profile {
/first/path/@{exec_path}/tmp rwk,
profile spork {
owner /tmp/* r,
/run/@{profile_name}/** rw,
}
hat spelunkk {
owner /tmp/* r,
/run/@{profile_name}/** rw,
}
# Does this expand properly?
/second/path/@{exec_path}/tmp rk,
}


@ -0,0 +1,9 @@
#=DESCRIPTION reference auto @{exec_path} variable in rules when not created
#=EXRESULT FAIL
test/profile {
/a/test/profile rix,
mr @{exec_path},
}
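Review bot: as with the `@{attach_path}` counterpart, `test/profile {` lacks both a leading `/` and the `profile` keyword, so the FAIL may come from the name rather than from the undeclared `@{exec_path}`; use `profile test { ... }` so the test isolates the missing attachment.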


@ -0,0 +1,12 @@
#=DESCRIPTION reference auto exec_path from profile
#=EXRESULT FAIL
/test/profile {
/test/profile rix,
# hat does not have an attachment and profile's attachment doesn't apply
^spork {
owner /tmp/* r,
/spork/@{exec_path}/** rw,
}
}


@ -0,0 +1,16 @@
#=DESCRIPTION ensure exec_path expansion after subprofiles works
#=EXRESULT FAIL
profile top_profile /test/profile {
/first/path/@{exec_path}/tmp rwk,
# subprofile doesn't have exec_pathes
hat spelunkk {
owner /tmp/* r,
/run/@{exec_path}/** rw,
}
# Does this expand properly?
/second/path/@{exec_path}/tmp rk,
}
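Review bot: `# subprofile doesn't have exec_pathes` should read `exec_path`, and the block is a `hat`, not a subprofile.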


@ -0,0 +1,10 @@
#=DESCRIPTION reference auto exec_path variable collides with user defined
#=EXRESULT FAIL
@{exec_path}=/BAD
profile /a/test/profile {
/a/test/profile rix,
@{exec_path} rwk,
}
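Review bot: same remark as for the `@{attach_path}` collision test: note in the DESCRIPTION that this FAIL reflects the pre-local-scope behaviour the commit message describes, so the expected result is revisited when variables gain local scope.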


@ -0,0 +1,11 @@
#=DESCRIPTION reference auto exec_path variable in rules w/hats
#=EXRESULT FAIL
profile idf3s2A6GX8vrk /simple/profile {
/test/profile rix,
^test {
/run/@{exec_path}/tmp rwk,
}
}