parser: Add support for automatic @{attach_path} variable
Have the parser extract the attachment path from the profile declaration and make it available as a variable within the profile. This allows profile rules to use the executable attachment path in rules. eg. ``` profile ex /bin/** { @{attach_path} r, # ... } profile /path/to/bin { @{attach_path} r, # ... } ``` if a profile does not define an attachment like ``` profile noattach { @{attach_path} r, } ``` the apparmor_parser will fail the compile with the error. ``` Found reference to variable attach_path, but is never declared ``` The attachment xattr/label conditionals are not made available at this time as regular file path rules can not use them. Similarly a @{exec_path} variable is made available. It is different than @{attach_path} in that it is intended to be a kernel variable that represents the specific executable that was matched at run time. However to support policy on kernels that don't define the kernel variable it has a fallback value that is the same as @{attach_path}. This patch is a follow on to MR:1637 (https://gitlab.com/apparmor/apparmor/-/merge_requests/1637) and is similar to how the apparmor.d project uses the manually setup @{exec_path} variable. We can bike shed over the variable name. @{attach_path} was chosen here because this is the attachment conditional path for the executable, not the executable's actual path. While @{exec_path} is intended to be the applications actual executable path. support the @{exec_path} kernel variable (all of them atm). Notes: The minimize.sh tests are changed because this patch causes path based profile names to create an attachment. This could be done by doing the attach_variable expansion in the alternate location marked by the patch, but since the kernel is going to start doing this for all profiles that don't have an attachment it is better for the parser to do it, as it can optimize better. 
This patch may cause breakage if policy already declares either @{attach_path} or @{exec_path}. That is not dealt with here but in a subsequent patch that allows variables to have a local scope, so that the compiler-defined vars will simply be declared locally. Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
parent
b7ce9b81fa
commit
699507f90a
@ -1802,8 +1802,29 @@ site-specific customization of B<@{HOMEDIRS}>,
|
||||
F</etc/apparmor.d/tunables/multiarch.d> for B<@{multiarch}> and
|
||||
F</etc/apparmor.d/tunables/xdg-user-dirs.d> for B<@{XDG_*}>.
|
||||
|
||||
The special B<@{profile_name}> variable is set to the profile name and may be
|
||||
used in all policy.
|
||||
=head3 Special builtin variables
|
||||
|
||||
AppArmor has some builtin variables that are not declared in policy
|
||||
but are available to be used in policy.
|
||||
|
||||
@{profile_name} - the profile name
|
||||
@{attach_path} - the profile exec attachment path - if one has been defined
|
||||
@{exec_path} - the executables path
|
||||
|
||||
|
||||
The B<@{profile_name}> variable is set to the profile name and may be
|
||||
used in all policy. It is only defined when used inside of a profile.
|
||||
|
||||
The B<@{attach_path}> variable is only defined if the profile will attach
|
||||
to an executable. It will be the path attachment specification or
|
||||
if that is not defined it may be the profile's name if the profile name
|
||||
is a path.
|
||||
|
||||
The B<@{exec_path}> variable like B<@{attach_path}> is only defined if
|
||||
the profile attaches to an executable. If the kernel supports it as a
|
||||
kernel variable, it will be set to the specific path that matches the
|
||||
executable at run time. If the kernel does not support kernel variables
|
||||
it will have the same value as B<@{attach_path}>.
|
||||
|
||||
=head3 Notes on variable expansion and the / character
|
||||
|
||||
|
@ -294,9 +294,10 @@ do { \
|
||||
version; \
|
||||
})
|
||||
|
||||
/* The parser fills this variable in automatically */
|
||||
/* The parser fills these variable in automatically */
|
||||
#define PROFILE_NAME_VARIABLE "profile_name"
|
||||
|
||||
#define PROFILE_ATTACH_VAR "attach_path"
|
||||
#define PROFILE_EXEC_VAR "exec_path"
|
||||
|
||||
/* from parser_common.c */
|
||||
extern uint32_t policy_version;
|
||||
@ -395,6 +396,7 @@ extern const char *basedir;
|
||||
|
||||
#define glob_default 0
|
||||
#define glob_null 1
|
||||
const char *local_name(const char *name);
|
||||
extern pattern_t convert_aaregex_to_pcre(const char *aare, int anchor, int glob,
|
||||
std::string& pcre, int *first_re_pos);
|
||||
extern bool build_list_val_expr(std::string& buffer, struct value_list *list);
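Review bot: The new comment in the first hunk reads `/* The parser fills these variable in automatically */`; it should be `/* The parser fills these variables in automatically */`. The two new macros use the `_VAR` suffix while the existing one is `PROFILE_NAME_VARIABLE`, so either `PROFILE_ATTACH_VARIABLE`/`PROFILE_EXEC_VARIABLE` or a short note that the abbreviated form is intentional would keep the three consistent for anyone grepping for the compiler-defined variables. In the second hunk `const char *local_name(const char *name);` is the only prototype in that run written without the `extern` its neighbours use; harmless, but worth matching the surrounding style.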
|
||||
|
@ -295,8 +295,22 @@ static int process_variables_in_name(Profile &prof)
|
||||
* setup
|
||||
*/
|
||||
int error = expand_entry_variables(&prof.name);
|
||||
if (!error && prof.attachment)
|
||||
error = expand_entry_variables(&prof.attachment);
|
||||
if (!error) {
|
||||
if (prof.attachment)
|
||||
error = expand_entry_variables(&prof.attachment);
|
||||
else if (prof.name[0] == '/') {
|
||||
/* had to wait to do this until after processing the
|
||||
* variables in the profile name
|
||||
*/
|
||||
prof.attachment = strdup(local_name(prof.name));
|
||||
if (!prof.attachment) {
|
||||
errno = ENOMEM;
|
||||
return -1;
|
||||
}
|
||||
filter_slashes(prof.attachment);
|
||||
}
|
||||
}
|
||||
|
||||
if (!error && prof.flags.disconnected_path)
|
||||
error = process_variable_in_attach_disconnected(&prof.flags.disconnected_path);
|
||||
if (!error && prof.flags.disconnected_ipc)
|
||||
@ -331,23 +345,59 @@ int process_profile_variables(Profile *prof)
|
||||
*/
|
||||
error = process_variables_in_name(*prof);
|
||||
|
||||
if (!error) {
|
||||
/* escape profile name elements that could be interpreted
|
||||
* as regular expressions.
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
/* escape profile name elements that could be interpreted as
|
||||
* regular expressions.
|
||||
*/
|
||||
error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
|
||||
if (error)
|
||||
goto out;
|
||||
|
||||
if (prof->attachment) {
|
||||
/* IF we didn't want a path based profile name to generate
|
||||
* an attachment. The code could be moved here. Add the
|
||||
* output fed into the vars directly instead of setting
|
||||
* the attachment.
|
||||
*/
|
||||
error = new_set_var(PROFILE_NAME_VARIABLE, escape_re(prof->get_name(false)).c_str());
|
||||
/* need to take into account alias, but not yet */
|
||||
error = new_set_var(PROFILE_ATTACH_VAR, prof->attachment);
|
||||
if (error)
|
||||
goto cleanup_name;
|
||||
/* update to use kernel vars if available */
|
||||
error = new_set_var(PROFILE_EXEC_VAR, prof->attachment);
|
||||
if (error)
|
||||
goto cleanup_attach;
|
||||
}
|
||||
|
||||
if (!error)
|
||||
error = process_variables_in_entries(prof->entries);
|
||||
|
||||
if (!error)
|
||||
error = process_variables_in_rules(*prof);
|
||||
error = process_variables_in_entries(prof->entries);
|
||||
if (error)
|
||||
goto cleanup;
|
||||
error = process_variables_in_rules(*prof);
|
||||
|
||||
cleanup:
|
||||
/* ideally these variables would be local scoped and we would not
|
||||
* have to clean them up here, but unfortunately variables
|
||||
* don't support that yet.
|
||||
*/
|
||||
if (prof->attachment) {
|
||||
rc = delete_set_var(PROFILE_EXEC_VAR);
|
||||
if (!error)
|
||||
error = rc;
|
||||
}
|
||||
cleanup_attach:
|
||||
if (prof->attachment) {
|
||||
rc = delete_set_var(PROFILE_ATTACH_VAR);
|
||||
if (!error)
|
||||
error = rc;
|
||||
}
|
||||
cleanup_name:
|
||||
rc = delete_set_var(PROFILE_NAME_VARIABLE);
|
||||
if (!error)
|
||||
error = rc;
|
||||
|
||||
out:
|
||||
return error;
|
||||
}
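Review bot: `new_set_var(PROFILE_ATTACH_VAR, prof->attachment)` stores the attachment verbatim while the line just above runs the profile name through `escape_re()`, and nothing in the code says the asymmetry is deliberate. The equality tests in this commit pin `/t/* { @{attach_path} r, }` to `/t/* { /t/* r, }`, so the attachment is meant to stay a glob, which means a rule such as `@{attach_path} rwk,` grants access to every path the attachment pattern matches rather than to one executable; a maintainer who later "fixes" this by adding `escape_re()` would silently change policy semantics and break those tests. I would add above that call: `/* Deliberately NOT escape_re()'d: the attachment is a glob and @{attach_path} must expand to the same pattern, so rules using it cover everything the attachment covers. */`. The `rc` used by the cleanup labels must be declared at the top of process_profile_variables, which lies outside this hunk; if it is not already there, it needs an `int rc;`.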
|
||||
|
||||
|
@ -971,6 +971,144 @@ verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \
|
||||
#### end of wrapper fn
|
||||
}
|
||||
|
||||
test_parser_variables()
|
||||
{
|
||||
######## @{profile_name} #######
|
||||
verify_binary_equality "@{profile_name} expands correctly" \
|
||||
"/t { @{profile_name} r, }" \
|
||||
"/t { /t r, }"
|
||||
|
||||
verify_binary_equality "@{profile_name} expands correcly - filter /" \
|
||||
"/t { /r/@{profile_name} r, }" \
|
||||
"/t { /r/t r, }"
|
||||
|
||||
verify_binary_equality "@{profile_name} expands correcly - add globbing" \
|
||||
"/t { @{profile_name}/** r, }" \
|
||||
"/t { /t/** r, }"
|
||||
|
||||
#re expression are escaped in profile names so /t/* becomes /t/\*
|
||||
verify_binary_inequality "@{profile_name} w/pat expands correctly" \
|
||||
"/t/* { @{profile_name} r, }" \
|
||||
"/t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{profile_name} w/pat expands correctly" \
|
||||
"/t/* { @{profile_name} r, }" \
|
||||
"/t/* { /t/\* r, }"
|
||||
|
||||
verify_binary_inequality "@{profile_name} w/pat expands correcly - filter /" \
|
||||
"/t/* { @{profile_name} r, }" \
|
||||
"/t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{profile_name} w/pat expands correcly - filter /" \
|
||||
"/t/* { @{profile_name}/a r, }" \
|
||||
"/t/* { /t/\*/a r, }"
|
||||
|
||||
verify_binary_inequality "@{profile_name} w/pat expands correcly - add globbing" \
|
||||
"/t/* { @{profile_name}/** r, }" \
|
||||
"/t/* { /t/*/** r, }"
|
||||
|
||||
verify_binary_equality "@{profile_name} w/pat expands correcly - add globbing" \
|
||||
"/t/** { @{profile_name}/** r, }" \
|
||||
"/t/** { /t/\*\*/** r, }"
|
||||
|
||||
######## @{attach_path} #######
|
||||
verify_binary_equality "@{attach_path} expands correctly" \
|
||||
"/t { @{attach_path} r, }" \
|
||||
"/t { /t r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} expands correcly - filter /" \
|
||||
"/t { /r/@{attach_path} r, }" \
|
||||
"/t { /r/t r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} expands correcly - add globbing" \
|
||||
"/t { @{attach_path}/** r, }" \
|
||||
"/t { /t/** r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/pat expands correctly" \
|
||||
"/t/* { @{attach_path} r, }" \
|
||||
"/t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/pat expands correcly - filter /" \
|
||||
"/t/* { @{attach_path} r, }" \
|
||||
"/t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/pat expands correcly - add globbing" \
|
||||
"/t/* { @{attach_path}/** r, }" \
|
||||
"/t/* { /t/*/** r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/attachment expands correctly" \
|
||||
"profile a /t { @{attach_path} r, }" \
|
||||
"profile a /t { /t r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/attachment expands correcly - filter /" \
|
||||
"profile a /t { /r/@{attach_path} r, }" \
|
||||
"profile a /t { /r/t r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/attachment expands correcly - add globbing" \
|
||||
"profile a /t { @{attach_path}/** r, }" \
|
||||
"profile a /t { /t/** r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/attachment w/pat expands correctly" \
|
||||
"profile a /t/* { @{attach_path} r, }" \
|
||||
"profile a /t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - filter /" \
|
||||
"profile a /t/* { @{attach_path} r, }" \
|
||||
"profile a /t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{attach_path} w/attachment w/pat expands correcly - add globbing" \
|
||||
"profile a /t/* { @{attach_path}/** r, }" \
|
||||
"profile a /t/* { /t/*/** r, }"
|
||||
|
||||
######## @{exec_path} #######
|
||||
verify_binary_equality "@{exec_path} expands correctly" \
|
||||
"/t { @{exec_path} r, }" \
|
||||
"/t { /t r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} expands correcly - filter /" \
|
||||
"/t { /r/@{exec_path} r, }" \
|
||||
"/t { /r/t r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} expands correcly - add globbing" \
|
||||
"/t { @{exec_path}/** r, }" \
|
||||
"/t { /t/** r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/pat expands correctly" \
|
||||
"/t/* { @{exec_path} r, }" \
|
||||
"/t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/pat expands correcly - filter /" \
|
||||
"/t/* { @{exec_path} r, }" \
|
||||
"/t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/pat expands correcly - add globbing" \
|
||||
"/t/* { @{exec_path}/** r, }" \
|
||||
"/t/* { /t/*/** r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/attachment expands correctly" \
|
||||
"profile a /t { @{exec_path} r, }" \
|
||||
"profile a /t { /t r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/attachment expands correcly - filter /" \
|
||||
"profile a /t { /r/@{exec_path} r, }" \
|
||||
"profile a /t { /r/t r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/attachment expands correcly - add globbing" \
|
||||
"profile a /t { @{exec_path}/** r, }" \
|
||||
"profile a /t { /t/** r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/attachment w/pat expands correctly" \
|
||||
"profile a /t/* { @{exec_path} r, }" \
|
||||
"profile a /t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - filter /" \
|
||||
"profile a /t/* { @{exec_path} r, }" \
|
||||
"profile a /t/* { /t/* r, }"
|
||||
|
||||
verify_binary_equality "@{exec_path} w/attachment w/pat expands correcly - add globbing" \
|
||||
"profile a /t/* { @{exec_path}/** r, }" \
|
||||
"profile a /t/* { /t/*/** r, }"
|
||||
}
|
||||
|
||||
run_tests()
|
||||
{
|
||||
@ -1082,6 +1220,8 @@ run_tests()
|
||||
"@{BAR}=bin/ \#value
|
||||
/t { /@{BAR} r, }"
|
||||
|
||||
test_parser_variables
|
||||
|
||||
# verify combinations of different priority levels
|
||||
# for single rule comparisons, rules should keep same expected result
|
||||
# even when the priorities are different.
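Review bot: The `w/pat ... - filter /` cases for @{attach_path} and @{exec_path} (for example `"/t/* { @{attach_path} r, }"` vs `"/t/* { /t/* r, }"`) are byte-identical to the `w/pat expands correctly` cases directly above them, so no slash filtering is exercised for a globbed attachment, whereas the non-pattern variants do prefix the variable with `/r/`. Changing them to `"/t/* { /r/@{attach_path} r, }"` vs `"/t/* { /r/t/* r, }"` (and likewise for the `profile a /t/*` and @{exec_path} variants) would test the intended behaviour, assuming the doubled slash is filtered the same way the `/t` case shows. The `@{profile_name} w/pat expands correcly - filter /` inequality test has the same duplication. Several descriptions also misspell "correctly" as "correcly".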
|
||||
|
@ -78,7 +78,7 @@ APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
|
||||
# {a} (0x 40030/0/0/0)
|
||||
|
||||
echo -n "Minimize profiles basic perms "
|
||||
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
|
||||
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -93,7 +93,7 @@ echo "ok"
|
||||
# {9} (0x 12804a/0/2800a/0)
|
||||
# {c} (0x 40030/0/0/0)
|
||||
echo -n "Minimize profiles audit perms "
|
||||
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
|
||||
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -112,7 +112,7 @@ echo "ok"
|
||||
# {c} (0x 40030/0/0/0)
|
||||
|
||||
echo -n "Minimize profiles deny perms "
|
||||
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
|
||||
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -130,7 +130,7 @@ echo "ok"
|
||||
# {c} (0x 40030/0/0/0)
|
||||
|
||||
echo -n "Minimize profiles audit deny perms "
|
||||
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
|
||||
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 5 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -155,7 +155,7 @@ echo "ok"
|
||||
## NOTE: change count from 6 to 7 when extend perms is not dependent on
|
||||
## prompt rules being present
|
||||
echo -n "Minimize profiles extended no-filter audit deny perms "
|
||||
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
|
||||
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 7 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -173,7 +173,7 @@ echo "ok"
|
||||
# {2} (0x 4/0//0/0/0) <- from policydb still showing up bug
|
||||
|
||||
echo -n "Minimize profiles extended filter audit deny perms "
|
||||
if [ "$(echo "/t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
|
||||
if [ "$(echo "profile t { /a r, /b w, /c a, /d l, /e k, /f m, audit deny /** w, }" | ${APPARMOR_PARSER} -M features_files/features.extended-perms-no-policydb -QT -O minimize -O filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 6 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -208,7 +208,7 @@ echo "ok"
|
||||
#
|
||||
|
||||
echo -n "Minimize profiles xtrans "
|
||||
if [ "$(echo "/t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
|
||||
if [ "$(echo "profile t { /b px, /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -216,7 +216,7 @@ echo "ok"
|
||||
|
||||
# same test as above + audit
|
||||
echo -n "Minimize profiles audit xtrans "
|
||||
if [ "$(echo "/t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
|
||||
if [ "$(echo "profile t { /b px, audit /* Pixr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 3 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -229,7 +229,7 @@ echo "ok"
|
||||
# {3} (0x 0/fe17f85/0/14005)
|
||||
|
||||
echo -n "Minimize profiles deny xtrans "
|
||||
if [ "$(echo "/t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
|
||||
if [ "$(echo "profile t { /b px, deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 1 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
|
||||
@ -241,7 +241,7 @@ echo "ok"
|
||||
# {3} (0x 0/fe17f85/0/0)
|
||||
|
||||
echo -n "Minimize profiles audit deny xtrans "
|
||||
if [ "$(echo "/t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
|
||||
if [ "$(echo "profile t { /b px, audit deny /* xr, /a Cx -> foo, }" | ${APPARMOR_PARSER} -M features_files/features.nopolicydb -QT -O minimize -O no-filter-deny -D dfa-states 2>&1 | grep -v '<==' | grep -c '^{.*}(.*)$')" -ne 0 ] ; then
|
||||
echo "failed"
|
||||
exit 1;
|
||||
fi
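Review bot: Every test here switches from `/t { ... }` to `profile t { ... }` without a comment saying why, so the next person to touch the file is likely to revert it or add a new path-named case that breaks the asserted state counts. Per the commit description, a path-named profile now gets an automatic exec attachment compiled into the DFA, which alters the minimized state counts this file checks. I would add near the top of the test block: `# Use named profiles (profile t), not path names (/t): a path name now creates an exec attachment that adds DFA states and would change the counts below.`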
|
||||
|
9
parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd
Normal file
9
parser/tst/simple_tests/vars/vars_auto_attach_path_01.sd
Normal file
@ -0,0 +1,9 @@
|
||||
#=DESCRIPTION reference auto attach_path variable in rules
|
||||
#=EXRESULT PASS
|
||||
|
||||
profile /a/test/profile {
|
||||
/a/test/profile rix,
|
||||
|
||||
@{attach_path} rwk,
|
||||
|
||||
}
|
9
parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd
Normal file
9
parser/tst/simple_tests/vars/vars_auto_attach_path_02.sd
Normal file
@ -0,0 +1,9 @@
|
||||
#=DESCRIPTION reference auto atach_path variable in rules
|
||||
#=EXRESULT PASS
|
||||
|
||||
profile this_is_a_test /a/test/profile {
|
||||
/a/test/profile rix,
|
||||
|
||||
/run/@{attach_path}/tmp rwk,
|
||||
|
||||
}
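Review bot: The description line misspells the variable under test: `#=DESCRIPTION reference auto atach_path variable in rules` should read `#=DESCRIPTION reference auto attach_path variable in rules`, so that grepping the test tree for the variable name finds this case.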
|
9
parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd
Normal file
9
parser/tst/simple_tests/vars/vars_auto_attach_path_03.sd
Normal file
@ -0,0 +1,9 @@
|
||||
#=DESCRIPTION reference auto attach_path from profile
|
||||
#=EXRESULT PASS
|
||||
|
||||
/test/profile {
|
||||
/test/profile rix,
|
||||
|
||||
/run/@{attach_path}/tmp rwk,
|
||||
|
||||
}
|
10
parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd
Normal file
10
parser/tst/simple_tests/vars/vars_auto_attach_path_05.sd
Normal file
@ -0,0 +1,10 @@
|
||||
#=DESCRIPTION reference auto attach_path variable in child
|
||||
#=EXRESULT PASS
|
||||
|
||||
# no attachment in parent
|
||||
profile top_profile {
|
||||
|
||||
profile spork /a/*/c {
|
||||
@{attach_path}/** rw,
|
||||
}
|
||||
}
|
10
parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd
Normal file
10
parser/tst/simple_tests/vars/vars_auto_attach_path_06.sd
Normal file
@ -0,0 +1,10 @@
|
||||
#=DESCRIPTION reference auto attach_path variable in child
|
||||
#=EXRESULT PASS
|
||||
|
||||
# no attachment in parent
|
||||
profile top_profile {
|
||||
|
||||
profile /a/b/c {
|
||||
@{attach_path}/** rw,
|
||||
}
|
||||
}
|
10
parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd
Normal file
10
parser/tst/simple_tests/vars/vars_auto_attach_path_07.sd
Normal file
@ -0,0 +1,10 @@
|
||||
#=DESCRIPTION reference auto attach_path variable in child
|
||||
#=EXRESULT PASS
|
||||
|
||||
# no attachment in parent
|
||||
profile top_profile {
|
||||
|
||||
profile /a/*/c {
|
||||
@{attach_path}/** rw,
|
||||
}
|
||||
}
|
20
parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd
Normal file
20
parser/tst/simple_tests/vars/vars_auto_attach_path_08.sd
Normal file
@ -0,0 +1,20 @@
|
||||
#=DESCRIPTION ensure attach_path expansion after subprofiles works
|
||||
#=EXRESULT PASS
|
||||
|
||||
profile top_profile /test/profile {
|
||||
|
||||
/first/path/@{attach_path}/tmp rwk,
|
||||
|
||||
profile spork {
|
||||
owner /tmp/* r,
|
||||
/run/@{profile_name}/** rw,
|
||||
}
|
||||
|
||||
hat spelunkk {
|
||||
owner /tmp/* r,
|
||||
/run/@{profile_name}/** rw,
|
||||
}
|
||||
|
||||
# Does this expand properly?
|
||||
/second/path/@{attach_path}/tmp rk,
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
#=DESCRIPTION reference auto @{attach_path} variable in rules when not created
|
||||
#=EXRESULT FAIL
|
||||
|
||||
test/profile {
|
||||
/a/test/profile rix,
|
||||
|
||||
mr @{attach_path},
|
||||
|
||||
}
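Review bot: This test likely fails for the wrong reason: `test/profile {` is neither a path (no leading `/`) nor introduced by the `profile` keyword, and as far as I recall the parser rejects such a profile head outright, so the expected FAIL is satisfied before `@{attach_path}` is ever looked at. To actually cover the "Found reference to variable attach_path, but is never declared" error quoted in the commit message, use a legal unattached profile, `profile test {`, matching the `profile noattach { @{attach_path} r, }` example there. It would also be worth a sibling test with two top-level profiles, the first attached and the second not, to show that the cleanup in process_profile_variables really prevents `@{attach_path}` leaking into the second profile.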
|
12
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd
Normal file
12
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_2.sd
Normal file
@ -0,0 +1,12 @@
|
||||
#=DESCRIPTION reference auto attach_path from profile
|
||||
#=EXRESULT FAIL
|
||||
|
||||
/test/profile {
|
||||
/test/profile rix,
|
||||
|
||||
# hat does not have an attachment and profile's attachment doesn't apply
|
||||
^spork {
|
||||
owner /tmp/* r,
|
||||
/spork/@{attach_path}/** rw,
|
||||
}
|
||||
}
|
16
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd
Normal file
16
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_3.sd
Normal file
@ -0,0 +1,16 @@
|
||||
#=DESCRIPTION ensure attach_path expansion after subprofiles works
|
||||
#=EXRESULT FAIL
|
||||
|
||||
profile top_profile /test/profile {
|
||||
|
||||
/first/path/@{attach_path}/tmp rwk,
|
||||
|
||||
# subprofile doesn't have attach_pathes
|
||||
hat spelunkk {
|
||||
owner /tmp/* r,
|
||||
/run/@{attach_path}/** rw,
|
||||
}
|
||||
|
||||
# Does this expand properly?
|
||||
/second/path/@{attach_path}/tmp rk,
|
||||
}
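Review bot: The description is copied from the passing _08 test and no longer matches this file: it expects FAIL because the hat `spelunkk` references `@{attach_path}` while hats get no attachment, not because expansion after subprofiles is broken. Suggest `#=DESCRIPTION @{attach_path} referenced from a hat without an attachment must fail`, and replace `# subprofile doesn't have attach_pathes` with `# hats have no attachment, so @{attach_path} is undefined here`. The trailing `# Does this expand properly?` also reads as a leftover from the PASS variant.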
|
10
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd
Normal file
10
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_4.sd
Normal file
@ -0,0 +1,10 @@
|
||||
#=DESCRIPTION reference auto attach_path variable collides with user defined
|
||||
#=EXRESULT FAIL
|
||||
|
||||
@{attach_path}=/BAD
|
||||
profile /a/test/profile {
|
||||
/a/test/profile rix,
|
||||
|
||||
@{attach_path} rwk,
|
||||
|
||||
}
|
11
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd
Normal file
11
parser/tst/simple_tests/vars/vars_auto_attach_path_bad_5.sd
Normal file
@ -0,0 +1,11 @@
|
||||
#=DESCRIPTION reference auto attach_path variable in rules w/hats
|
||||
#=EXRESULT FAIL
|
||||
|
||||
profile idf3s2A6GX8vrk /simple/profile {
|
||||
/test/profile rix,
|
||||
|
||||
^test {
|
||||
/run/@{attach_path}/tmp rwk,
|
||||
}
|
||||
}
|
||||
|
9
parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd
Normal file
9
parser/tst/simple_tests/vars/vars_auto_exec_path_01.sd
Normal file
@ -0,0 +1,9 @@
|
||||
#=DESCRIPTION reference auto exec_path variable in rules
|
||||
#=EXRESULT PASS
|
||||
|
||||
profile /a/test/profile {
|
||||
/a/test/profile rix,
|
||||
|
||||
@{exec_path} rwk,
|
||||
|
||||
}
|
9
parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd
Normal file
9
parser/tst/simple_tests/vars/vars_auto_exec_path_02.sd
Normal file
@ -0,0 +1,9 @@
|
||||
#=DESCRIPTION reference auto exec_path variable in rules
|
||||
#=EXRESULT PASS
|
||||
|
||||
profile this_is_a_test /a/test/profile {
|
||||
/a/test/profile rix,
|
||||
|
||||
/run/@{exec_path}/tmp rwk,
|
||||
|
||||
}
|
9
parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd
Normal file
9
parser/tst/simple_tests/vars/vars_auto_exec_path_03.sd
Normal file
@ -0,0 +1,9 @@
|
||||
#=DESCRIPTION reference auto exec_path from profile
|
||||
#=EXRESULT PASS
|
||||
|
||||
/test/profile {
|
||||
/test/profile rix,
|
||||
|
||||
/run/@{exec_path}/tmp rwk,
|
||||
|
||||
}
|
10
parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd
Normal file
10
parser/tst/simple_tests/vars/vars_auto_exec_path_05.sd
Normal file
@ -0,0 +1,10 @@
|
||||
#=DESCRIPTION reference auto exec_path variable in child
|
||||
#=EXRESULT PASS
|
||||
|
||||
# no attachment in parent
|
||||
profile top_profile {
|
||||
|
||||
profile spork /a/*/c {
|
||||
@{exec_path}/** rw,
|
||||
}
|
||||
}
|
10
parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd
Normal file
10
parser/tst/simple_tests/vars/vars_auto_exec_path_06.sd
Normal file
@ -0,0 +1,10 @@
|
||||
#=DESCRIPTION reference auto exec_path variable in child
|
||||
#=EXRESULT PASS
|
||||
|
||||
# no attachment in parent
|
||||
profile top_profile {
|
||||
|
||||
profile /a/b/c {
|
||||
@{exec_path}/** rw,
|
||||
}
|
||||
}
|
10
parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd
Normal file
10
parser/tst/simple_tests/vars/vars_auto_exec_path_07.sd
Normal file
@ -0,0 +1,10 @@
|
||||
#=DESCRIPTION reference auto exec_path variable in child
|
||||
#=EXRESULT PASS
|
||||
|
||||
# no attachment in parent
|
||||
profile top_profile {
|
||||
|
||||
profile /a/*/c {
|
||||
@{exec_path}/** rw,
|
||||
}
|
||||
}
|
20
parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd
Normal file
20
parser/tst/simple_tests/vars/vars_auto_exec_path_08.sd
Normal file
@ -0,0 +1,20 @@
|
||||
#=DESCRIPTION ensure exec_path expansion after subprofiles works
|
||||
#=EXRESULT PASS
|
||||
|
||||
profile top_profile /test/profile {
|
||||
|
||||
/first/path/@{exec_path}/tmp rwk,
|
||||
|
||||
profile spork {
|
||||
owner /tmp/* r,
|
||||
/run/@{profile_name}/** rw,
|
||||
}
|
||||
|
||||
hat spelunkk {
|
||||
owner /tmp/* r,
|
||||
/run/@{profile_name}/** rw,
|
||||
}
|
||||
|
||||
# Does this expand properly?
|
||||
/second/path/@{exec_path}/tmp rk,
|
||||
}
|
@ -0,0 +1,9 @@
|
||||
#=DESCRIPTION reference auto @{exec_path} variable in rules when not created
|
||||
#=EXRESULT FAIL
|
||||
|
||||
test/profile {
|
||||
/a/test/profile rix,
|
||||
|
||||
mr @{exec_path},
|
||||
|
||||
}
|
12
parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd
Normal file
12
parser/tst/simple_tests/vars/vars_auto_exec_path_bad_2.sd
Normal file
@ -0,0 +1,12 @@
|
||||
#=DESCRIPTION reference auto exec_path from profile
|
||||
#=EXRESULT FAIL
|
||||
|
||||
/test/profile {
|
||||
/test/profile rix,
|
||||
|
||||
# hat does not have an attachment and profile's attachment doesn't apply
|
||||
^spork {
|
||||
owner /tmp/* r,
|
||||
/spork/@{exec_path}/** rw,
|
||||
}
|
||||
}
|
16
parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd
Normal file
16
parser/tst/simple_tests/vars/vars_auto_exec_path_bad_3.sd
Normal file
@ -0,0 +1,16 @@
|
||||
#=DESCRIPTION ensure exec_path expansion after subprofiles works
|
||||
#=EXRESULT FAIL
|
||||
|
||||
profile top_profile /test/profile {
|
||||
|
||||
/first/path/@{exec_path}/tmp rwk,
|
||||
|
||||
# subprofile doesn't have exec_pathes
|
||||
hat spelunkk {
|
||||
owner /tmp/* r,
|
||||
/run/@{exec_path}/** rw,
|
||||
}
|
||||
|
||||
# Does this expand properly?
|
||||
/second/path/@{exec_path}/tmp rk,
|
||||
}
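Review bot: The description is copied from the passing _08 test and no longer matches this file: it expects FAIL because the hat `spelunkk` references `@{exec_path}` while hats get no attachment, not because expansion after subprofiles is broken. Suggest `#=DESCRIPTION @{exec_path} referenced from a hat without an attachment must fail`, and replace `# subprofile doesn't have exec_pathes` with `# hats have no attachment, so @{exec_path} is undefined here`. The trailing `# Does this expand properly?` also reads as a leftover from the PASS variant.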
|
10
parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd
Normal file
10
parser/tst/simple_tests/vars/vars_auto_exec_path_bad_4.sd
Normal file
@ -0,0 +1,10 @@
|
||||
#=DESCRIPTION reference auto exec_path variable collides with user defined
|
||||
#=EXRESULT FAIL
|
||||
|
||||
@{exec_path}=/BAD
|
||||
profile /a/test/profile {
|
||||
/a/test/profile rix,
|
||||
|
||||
@{exec_path} rwk,
|
||||
|
||||
}
|
11
parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd
Normal file
11
parser/tst/simple_tests/vars/vars_auto_exec_path_bad_5.sd
Normal file
@ -0,0 +1,11 @@
|
||||
#=DESCRIPTION reference auto exec_path variable in rules w/hats
|
||||
#=EXRESULT FAIL
|
||||
|
||||
profile idf3s2A6GX8vrk /simple/profile {
|
||||
/test/profile rix,
|
||||
|
||||
^test {
|
||||
/run/@{exec_path}/tmp rwk,
|
||||
}
|
||||
}
|
||||
|