diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod
index b6bb3ef39..96f794695 100644
--- a/parser/apparmor.d.pod
+++ b/parser/apparmor.d.pod
@@ -117,7 +117,7 @@ B = I | I | 'mediate_deleted' | 'attach_disconnected' | 'attach_disconneced.path='I | 'chroot_relative' | 'debug' | 'interruptible' | 'kill.signal='I
-B = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'
+B = 'enforce' | 'complain' | 'kill' | 'default_allow' | 'unconfined' | 'prompt'
 B = 'audit'
@@ -466,12 +466,36 @@ a signal to kill it. permission the action will be allowed, but the violation will be logged with a tag of the access being B.
+=item B This mode changes the default behavior of
+apparmor from default deny to default allow. When default_allow is
+specified the resulting profile will allow operations that the profile
+does not have a rule for. This mode is similar to I but
+allows for allow and deny rules, specifying audit, and domain
+transitions. Profiles in this mode may be be reported as being in
+I mode or I mode when introspected from the kernel.
+
+Note: default_allow is similar and for many profiles will be equivalent
+to specifying an I rule in the profile. The default_allow
+flag does not provide all the same option that the I rule
+provides.
+
 =item B This mode allows a task confined by the profile to
-behave as though they are I. This mode allow for an
-unconfined behavior that can be later changed to confinement by using
-profile replacement. This mode is should not be used under regular
-deployment but can be useful during debugging and some system
-initialization scenarios.
+behave as though it is I. The unconfined behavior can be
+later changed to confinement by using profile replacement. This mode
+should not be used under regular deployment but can be useful during
+debugging and some system initialization scenarios.
+
+This mode is similar to default_allow and may be emulated by
+default_allow in kernels that no longer support a true unconfined
+mode. It does not generally allow for specifying deny rules, or allow
+rules that override the default behavior, except in a few custom
+kernels where unconfined restricts a few operations. It relies on
+special customized behavior of the unconfined profile in the kernel
+and as such should only be used for debugging.
+
+Note: true unconfined is being phased out, with unconfined becoming a
+replaceable profile. As such unconfined mode will be emulated by a
+special profile compiled with the default_allow flag in newer kernels.
 =item B This mode allows task mediation to send an up call to userspace to ask for a decision when there isn't a rule covering the
diff --git a/parser/profile.cc b/parser/profile.cc
index 95c4e0756..3d60c7052 100644
--- a/parser/profile.cc
+++ b/parser/profile.cc
@@ -28,6 +28,7 @@ const char *profile_mode_table[] = {
 "kill",
 "unconfined",
 "prompt",
+ "default_allow",
 "conflict" /* should not ever be displayed */
 };
diff --git a/parser/profile.h b/parser/profile.h
index 154ec492a..a0d2ad268 100644
--- a/parser/profile.h
+++ b/parser/profile.h
@@ -64,9 +64,10 @@ enum profile_mode {
 MODE_KILL = 3,
 MODE_UNCONFINED = 4,
 MODE_PROMPT = 5,
- MODE_CONFLICT = 6 /* greater than MODE_LAST */
+ MODE_DEFAULT_ALLOW = 6,
+ MODE_CONFLICT = 7 /* greater than MODE_LAST */
 };
-#define MODE_LAST MODE_PROMPT
+#define MODE_LAST MODE_DEFAULT_ALLOW
 static inline enum profile_mode operator++(enum profile_mode &mode)
 {
@@ -85,6 +86,9 @@ static inline enum profile_mode merge_profile_mode(enum profile_mode l, enum pro
 static inline uint32_t profile_mode_packed(enum profile_mode mode)
 {
+ /* until dominance is fixed use unconfined mode for default_allow */
+ if (mode == MODE_DEFAULT_ALLOW)
+ mode = MODE_UNCONFINED;
 /* kernel doesn't have an unspecified mode everything
 * shifts down by 1 */
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad70.sd b/parser/tst/simple_tests/profile/flags/flags_bad70.sd
new file mode 100644
index 000000000..e25add6e4
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad70.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, complain) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
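Review bot: The new "default_allow" entry in profile_mode_table is placed by hand so that its index matches MODE_DEFAULT_ALLOW = 6 from profile.h, and nothing checks that the table and the enum stay the same length. If the table is indexed by the mode value, as its "conflict" sentinel suggests, a future mode added to one side only would print the wrong name or read past the end. Assuming profile.h is visible in this translation unit, a compile-time check right after the table pins the pairing: `static_assert(sizeof(profile_mode_table) / sizeof(profile_mode_table[0]) == MODE_CONFLICT + 1, "profile_mode_table out of sync with enum profile_mode");`.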
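Review bot: profile_mode_packed now rewrites MODE_DEFAULT_ALLOW to MODE_UNCONFINED before packing, so the kernel receives a default_allow profile flagged as unconfined and the policy author gets no warning that this happened. The pod text in this same commit says unconfined "does not generally allow for specifying deny rules, or allow rules that override the default behavior", while default_allow is documented as honoring allow and deny rules and audit; if a loaded kernel treats the unconfined flag as true unconfined, those rules would presumably not be applied, which is a fail-open outcome that should at least be visible in the code. I would extend the comment to `/* until dominance is fixed pack default_allow as unconfined; on kernels with true unconfined this profile's deny/audit rules may not be applied */` and consider emitting a parser warning, or gating the remap on a kernel feature check, rather than remapping unconditionally. merge_profile_mode, named in the hunk header, is not touched by the commit; whether it needs a MODE_DEFAULT_ALLOW case cannot be told from here. profile_mode_packed's body continues past the end of the hunk.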
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad71.sd b/parser/tst/simple_tests/profile/flags/flags_bad71.sd
new file mode 100644
index 000000000..97db286bf
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad71.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad72.sd b/parser/tst/simple_tests/profile/flags/flags_bad72.sd
new file mode 100644
index 000000000..7088458ce
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad72.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad73.sd b/parser/tst/simple_tests/profile/flags/flags_bad73.sd
new file mode 100644
index 000000000..f9d578112
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad73.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad74.sd b/parser/tst/simple_tests/profile/flags/flags_bad74.sd
new file mode 100644
index 000000000..8fbc9643f
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad74.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad75.sd b/parser/tst/simple_tests/profile/flags/flags_bad75.sd
new file mode 100644
index 000000000..d8fc5d3d7
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad75.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, complain) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad76.sd b/parser/tst/simple_tests/profile/flags/flags_bad76.sd
new file mode 100644
index 000000000..93f5a7ec7
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad76.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad77.sd b/parser/tst/simple_tests/profile/flags/flags_bad77.sd
new file mode 100644
index 000000000..3e1665db7
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad77.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad78.sd b/parser/tst/simple_tests/profile/flags/flags_bad78.sd
new file mode 100644
index 000000000..7c2170113
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad78.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad79.sd b/parser/tst/simple_tests/profile/flags/flags_bad79.sd
new file mode 100644
index 000000000..d2fc86e0c
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad79.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, complain, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad80.sd b/parser/tst/simple_tests/profile/flags/flags_bad80.sd
new file mode 100644
index 000000000..a708be110
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad80.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, complain, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad81.sd b/parser/tst/simple_tests/profile/flags/flags_bad81.sd
new file mode 100644
index 000000000..aaf99e787
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad81.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, complain, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad82.sd b/parser/tst/simple_tests/profile/flags/flags_bad82.sd
new file mode 100644
index 000000000..9dda584ca
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad82.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, kill, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad83.sd b/parser/tst/simple_tests/profile/flags/flags_bad83.sd
new file mode 100644
index 000000000..584628efc
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad83.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, unconfined, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad84.sd b/parser/tst/simple_tests/profile/flags/flags_bad84.sd
new file mode 100644
index 000000000..8cd732681
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad84.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, complain, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad85.sd b/parser/tst/simple_tests/profile/flags/flags_bad85.sd
new file mode 100644
index 000000000..c25575331
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad85.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, complain, kill, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad86.sd b/parser/tst/simple_tests/profile/flags/flags_bad86.sd
new file mode 100644
index 000000000..4744c4666
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad86.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow, enforce, complain, kill, unconfined, prompt) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok51.sd b/parser/tst/simple_tests/profile/flags/flags_ok51.sd
new file mode 100644
index 000000000..f1ed8f9d7
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok51.sd
@@ -0,0 +1,74 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist2 r,
+}
+
+/does/not/exist3 flags=(default_allow,audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist5 r,
+}
+
+/does/not/exist4 flags=(audit,default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist7 r,
+}
+
+/does/not/exist5 flags=(audit,default_allow,audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist8 r,
+}
+
+/does/not/exist6 (default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist7 (audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist2 r,
+}
+
+/does/not/exist8 (default_allow,audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist5 r,
+}
+
+/does/not/exist9 (audit,default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist7 r,
+}
+
+/does/not/exist10 (audit,default_allow,audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist8 r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok52.sd b/parser/tst/simple_tests/profile/flags/flags_ok52.sd
new file mode 100644
index 000000000..bf6078d9a
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok52.sd
@@ -0,0 +1,39 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist flags=(default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist1 flags=(audit, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(default_allow, audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist3 flags=(default_allow, chroot_relative) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist4 flags=(chroot_relative, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok53.sd b/parser/tst/simple_tests/profile/flags/flags_ok53.sd
new file mode 100644
index 000000000..66acd4c72
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok53.sd
@@ -0,0 +1,19 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, namespace_relative) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(namespace_relative, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok54.sd b/parser/tst/simple_tests/profile/flags/flags_ok54.sd
new file mode 100644
index 000000000..fd86697b3
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok54.sd
@@ -0,0 +1,19 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+
+/does/not/exist1 flags=(default_allow, mediate_deleted) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(mediate_deleted, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok55.sd b/parser/tst/simple_tests/profile/flags/flags_ok55.sd
new file mode 100644
index 000000000..a7a460f64
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok55.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, delegate_deleted) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(delegate_deleted, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok56.sd b/parser/tst/simple_tests/profile/flags/flags_ok56.sd
new file mode 100644
index 000000000..6bc5abf89
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok56.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, attach_disconnected) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(attach_disconnected, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok57.sd b/parser/tst/simple_tests/profile/flags/flags_ok57.sd
new file mode 100644
index 000000000..d0f9f3967
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok57.sd
@@ -0,0 +1,19 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, no_attach_disconnected) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(no_attach_disconnected, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok58.sd b/parser/tst/simple_tests/profile/flags/flags_ok58.sd
new file mode 100644
index 000000000..317d41b65
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok58.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, chroot_attach) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(chroot_attach, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok59.sd b/parser/tst/simple_tests/profile/flags/flags_ok59.sd
new file mode 100644
index 000000000..87cb6872d
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok59.sd
@@ -0,0 +1,18 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist1 flags=(default_allow, chroot_no_attach) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(chroot_no_attach, default_allow) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok60.sd b/parser/tst/simple_tests/profile/flags/flags_ok60.sd
new file mode 100644
index 000000000..a2f48f177
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok60.sd
@@ -0,0 +1,110 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+
+#==============================
+
+/does/not/exist1 flags=(default_allow, chroot_relative, mediate_deleted) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist2 flags=(chroot_relative, mediate_deleted, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+
+/does/not/exist12 flags=(default_allow, chroot_relative, delegate_deleted) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist13 flags=(chroot_relative, delegate_deleted, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+
+/does/not/exist22 flags=(default_allow, chroot_relative, attach_disconnected) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist23 flags=(chroot_relative, attach_disconnected, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+/does/not/exist32 flags=(default_allow, chroot_relative, no_attach_disconnected) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist33 flags=(chroot_relative, no_attach_disconnected, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+
+/does/not/exist42 flags=(default_allow, chroot_relative, chroot_attach) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist43 flags=(chroot_relative, chroot_attach, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+
+#-------
+
+
+/does/not/exist52 flags=(default_allow, chroot_relative, chroot_no_attach) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
+
+/does/not/exist53 flags=(chroot_relative, chroot_no_attach, default_allow) {
+
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok61.sd b/parser/tst/simple_tests/profile/flags/flags_ok61.sd
new file mode 100644
index 000000000..7a12b81e1
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok61.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION verify whitespace is allowed in profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+#
+/does/not/exist3 flags=(default_allow, audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist5 r,
+}
+
+/does/not/exist4 flags = (audit , default_allow){
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist7 r,
+}
+
+/does/not/exist5 flags = ( audit , default_allow , audit ) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist8 r,
+}
diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py
index 6c37c6f67..3d949b479 100644
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@@ -281,7 +281,7 @@ def set_complain(filename, program):
 # a force-complain symlink is more packaging-friendly, but breaks caching
 # create_symlink('force-complain', filename)
 delete_symlink('disable', filename)
- change_profile_flags(filename, program, ['enforce', 'kill', 'unconfined', 'prompt'], False) # remove conflicting mode flags
+ change_profile_flags(filename, program, ['enforce', 'kill', 'unconfined', 'prompt', 'default_allow'], False) # remove conflicting mode flags
 change_profile_flags(filename, program, 'complain', True)
@@ -290,7 +290,7 @@ def set_enforce(filename, program):
 aaui.UI_Info(_('Setting %s to enforce mode.') % (filename if program is None else program))
 delete_symlink('force-complain', filename)
 delete_symlink('disable', filename)
- change_profile_flags(filename, program, ['complain', 'kill', 'unconfined', 'prompt'], False) # remove conflicting and complain mode flags
+ change_profile_flags(filename, program, ['complain', 'kill', 'unconfined', 'prompt','default_allow'], False) # remove conflicting and complain mode flags
 def delete_symlink(subdir, filename):
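Review bot: In the set_enforce hunk the new list element is written `'prompt','default_allow'` without the space that every other element in the list, and the parallel set_complain hunk above, uses; make it `['complain', 'kill', 'unconfined', 'prompt', 'default_allow']`. The larger maintenance point is that the set of mode flags is now hand-copied into both functions, and each new mode (prompt before, default_allow now) has to be added in two places where it can drift; a module-level tuple such as `MODE_FLAGS = ('enforce', 'complain', 'kill', 'unconfined', 'prompt', 'default_allow')`, with each caller passing the tuple minus the mode it is about to set, would keep the two in step. Both set_complain and set_enforce continue beyond their hunks.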
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 33eec798c..343fce2ba 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -170,6 +170,23 @@ exception_not_raised = (
 'profile/flags/flags_bad67.sd',
 'profile/flags/flags_bad68.sd',
 'profile/flags/flags_bad69.sd',
+ 'profile/flags/flags_bad70.sd',
+ 'profile/flags/flags_bad71.sd',
+ 'profile/flags/flags_bad72.sd',
+ 'profile/flags/flags_bad73.sd',
+ 'profile/flags/flags_bad74.sd',
+ 'profile/flags/flags_bad75.sd',
+ 'profile/flags/flags_bad76.sd',
+ 'profile/flags/flags_bad77.sd',
+ 'profile/flags/flags_bad78.sd',
+ 'profile/flags/flags_bad79.sd',
+ 'profile/flags/flags_bad80.sd',
+ 'profile/flags/flags_bad81.sd',
+ 'profile/flags/flags_bad82.sd',
+ 'profile/flags/flags_bad83.sd',
+ 'profile/flags/flags_bad84.sd',
+ 'profile/flags/flags_bad85.sd',
+ 'profile/flags/flags_bad86.sd',
 'profile/flags/flags_bad_disconnected_path1.sd',
 'profile/flags/flags_bad_disconnected_path2.sd',
 'profile/flags/flags_bad_disconnected_path3.sd',
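Review bot: Listing flags_bad70.sd through flags_bad86.sd under exception_not_raised records that the utils profile parser accepts `default_allow` combined with another mode flag, while apparmor_parser rejects those same files (their #=EXRESULT is FAIL), so tooling built on the utils parser will load a profile whose mode is ambiguous rather than refuse it. That follows how flags_bad67-69 are already handled, but since default_allow is a permissive mode the gap is worth a comment at the first new entry, `# default_allow mixed with another mode flag: rejected by apparmor_parser only`, and ideally a follow-up that makes the utils parser, or change_profile_flags, detect the conflict so the entries can be removed. The exception_not_raised tuple begins before the hunk.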