From e087db57b23e73e1777e116a452f26227a7f731f Mon Sep 17 00:00:00 2001 From: John Johansen Date: Thu, 16 Feb 2012 08:06:04 -0800 Subject: [PATCH] Allow the 'file' keyword to be optionally used on file rules. Add the optional 'file' keyword to the language/grammer. The main reason for doing this is to support false token injection. Which is needed to move towards the parser being broken out into an api that can be used to parse individual rule types, separate from parsing the whole file. Since we are adding the token to the grammar expose it to userspace with the 'file' keyword. While not needed it helps bring consistency, as all the other rule types start with a keyword (capability, network, rlimit, ...). Also allow the bare keyword to be used to represent allowing all file operations, just as with network and capability. Domain transitions are defaulted to ix. Thus file, is equivalent to /** rwlkmix, Signed-off-by: John Johansen Acked-by: Kees Cook --- parser/parser_misc.c | 1 + parser/parser_yacc.y | 63 +++++++++++++------ parser/tst/simple_tests/file/file/bad_1.sd | 7 +++ .../simple_tests/file/file/bad_append_1.sd | 8 +++ .../tst/simple_tests/file/file/bad_comma_1.sd | 7 +++ .../file/file/bad_embedded_spaces_1.sd | 6 ++ .../tst/simple_tests/file/file/bad_lock_1.sd | 8 +++ .../file/file/dos_line_endings.sd | 41 ++++++++++++ .../file/file/front_perms_ok_1.sd | 24 +++++++ parser/tst/simple_tests/file/file/ok_1.sd | 7 +++ parser/tst/simple_tests/file/file/ok_2.sd | 7 +++ parser/tst/simple_tests/file/file/ok_3.sd | 9 +++ .../tst/simple_tests/file/file/ok_append_1.sd | 13 ++++ .../tst/simple_tests/file/file/ok_carat_1.sd | 7 +++ .../tst/simple_tests/file/file/ok_carat_2.sd | 7 +++ .../tst/simple_tests/file/file/ok_comma_1.sd | 7 +++ .../tst/simple_tests/file/file/ok_comma_2.sd | 7 +++ .../file/file/ok_embedded_spaces_1.sd | 6 ++ .../file/file/ok_embedded_spaces_2.sd | 6 ++ .../file/file/ok_embedded_spaces_3.sd | 6 ++ .../file/file/ok_inv_char_class.sd | 7 +++ .../tst/simple_tests/file/file/ok_lock_1.sd | 17 +++++ .../tst/simple_tests/file/file/ok_mmap_1.sd | 12 ++++ .../tst/simple_tests/file/file/ok_mmap_2.sd | 14 +++++ .../tst/simple_tests/file/file/owner/bad_3.sd | 8 +++ .../tst/simple_tests/file/file/owner/bad_4.sd | 8 +++ .../tst/simple_tests/file/file/owner/bad_5.sd | 8 +++ .../tst/simple_tests/file/file/owner/bad_6.sd | 8 +++ .../tst/simple_tests/file/file/owner/bad_7.sd | 8 +++ .../tst/simple_tests/file/file/owner/bad_8.sd | 9 +++ .../tst/simple_tests/file/file/owner/ok_1.sd | 25 ++++++++ 31 files changed, 352 insertions(+), 19 deletions(-) create mode 100644 parser/tst/simple_tests/file/file/bad_1.sd create mode 100644 parser/tst/simple_tests/file/file/bad_append_1.sd create mode 100644 parser/tst/simple_tests/file/file/bad_comma_1.sd create mode 100644 parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd create mode 100644 parser/tst/simple_tests/file/file/bad_lock_1.sd create mode 100644 parser/tst/simple_tests/file/file/dos_line_endings.sd create mode 100644 parser/tst/simple_tests/file/file/front_perms_ok_1.sd create mode 100644 parser/tst/simple_tests/file/file/ok_1.sd create mode 100644 parser/tst/simple_tests/file/file/ok_2.sd create mode 100644 parser/tst/simple_tests/file/file/ok_3.sd create mode 100644 parser/tst/simple_tests/file/file/ok_append_1.sd create mode 100644 parser/tst/simple_tests/file/file/ok_carat_1.sd create mode 100644 parser/tst/simple_tests/file/file/ok_carat_2.sd create mode 100644 parser/tst/simple_tests/file/file/ok_comma_1.sd create mode 100644 parser/tst/simple_tests/file/file/ok_comma_2.sd create mode 100644 parser/tst/simple_tests/file/file/ok_embedded_spaces_1.sd create mode 100644 parser/tst/simple_tests/file/file/ok_embedded_spaces_2.sd create mode 100644 parser/tst/simple_tests/file/file/ok_embedded_spaces_3.sd create mode 100644 parser/tst/simple_tests/file/file/ok_inv_char_class.sd create mode 100644 parser/tst/simple_tests/file/file/ok_lock_1.sd create mode 100644 parser/tst/simple_tests/file/file/ok_mmap_1.sd create mode 100644 parser/tst/simple_tests/file/file/ok_mmap_2.sd create mode 100644 parser/tst/simple_tests/file/file/owner/bad_3.sd create mode 100644 parser/tst/simple_tests/file/file/owner/bad_4.sd create mode 100644 parser/tst/simple_tests/file/file/owner/bad_5.sd create mode 100644 parser/tst/simple_tests/file/file/owner/bad_6.sd create mode 100644 parser/tst/simple_tests/file/file/owner/bad_7.sd create mode 100644 parser/tst/simple_tests/file/file/owner/bad_8.sd create mode 100644 parser/tst/simple_tests/file/file/owner/ok_1.sd diff --git a/parser/parser_misc.c b/parser/parser_misc.c index ea77da781..8aca06101 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -77,6 +77,7 @@ static struct keyword_table keyword_table[] = { {"alias", TOK_ALIAS}, {"rewrite", TOK_ALIAS}, {"ptrace", TOK_PTRACE}, + {"file", TOK_FILE}, /* terminate */ {NULL, 0} }; diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 18662ed56..45083d922 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -116,6 +116,7 @@ void add_local_entry(struct codomain *cod); %token TOK_OPENPAREN %token TOK_CLOSEPAREN %token TOK_COMMA +%token TOK_FILE /* rlimits */ %token TOK_RLIMIT @@ -175,6 +176,10 @@ void add_local_entry(struct codomain *cod); %type cond_rule %type network_rule %type rule +%type file_rule +%type file_rule_tail +%type link_rule +%type ptrace_rule %type frule %type flags %type flagvals @@ -197,6 +202,7 @@ void add_local_entry(struct codomain *cod); %type opt_id %type opt_named_transition %type opt_unsafe +%type opt_file %% @@ -891,24 +897,16 @@ opt_named_transition: $$.name = $5; }; +rule: file_rule { $$ = $1; } + | link_rule { $$ = $1; } + | ptrace_rule {$$ = $1; } + opt_unsafe: { /* nothing */ $$ = 0; } | TOK_UNSAFE { $$ = 1; }; | TOK_SAFE { $$ = 2; }; -rule: opt_unsafe frule - { - if ($1) { - if (!($2->mode & AA_EXEC_BITS)) - yyerror(_("unsafe rule missing exec permissions")); - if ($1 == 1) { - $2->mode |= (($2->mode & AA_EXEC_BITS) << 8) & - ALL_AA_EXEC_UNSAFE; - } - else if ($1 == 2) - $2->mode &= ~ALL_AA_EXEC_UNSAFE; - } - $$ = $2; - }; +opt_file: { /* nothing */ $$ = 0; } + | TOK_FILE { $$ = 1; } frule: id_or_var file_mode opt_named_transition TOK_END_OF_RULE { @@ -932,16 +930,43 @@ frule: file_mode opt_subset_flag id_or_var opt_named_transition TOK_END_OF_RULE } }; -rule: opt_unsafe id_or_var file_mode id_or_var +file_rule: TOK_FILE TOK_END_OF_RULE + { + char *path = strdup("/**"); + if (!path) + yyerror(_("Memory allocation error.")); + $$ = do_file_rule(NULL, path, ((AA_BASE_PERMS & ~AA_EXEC_TYPE) | + (AA_EXEC_INHERIT | AA_MAY_EXEC)), + NULL, NULL); + } + | opt_file file_rule_tail { $$ = $2; } + + +file_rule_tail: opt_unsafe frule + { + if ($1) { + if (!($2->mode & AA_EXEC_BITS)) + yyerror(_("unsafe rule missing exec permissions")); + if ($1 == 1) { + $2->mode |= (($2->mode & AA_EXEC_BITS) << 8) & + ALL_AA_EXEC_UNSAFE; + } + else if ($1 == 2) + $2->mode &= ~ALL_AA_EXEC_UNSAFE; + } + $$ = $2; + }; + +file_rule_tail: opt_unsafe id_or_var file_mode id_or_var { /* Oopsie, we appear to be missing an EOL marker. If we * were *smart*, we could work around it. Since we're * obviously not smart, we'll just punt with a more * sensible error. */ - yyerror(_("missing an end of line character? (entry: %s)"), $1); + yyerror(_("missing an end of line character? (entry: %s)"), $2); }; -rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE +link_rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE { struct cod_entry *entry; PDEBUG("Matched: link tok_id (%s) -> (%s)\n", $3, $5); @@ -951,7 +976,7 @@ rule: TOK_LINK opt_subset_flag TOK_ID TOK_ARROW TOK_ID TOK_END_OF_RULE $$ = entry; }; -rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE +ptrace_rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE { struct cod_entry *entry; entry = new_entry(NULL, $2, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL); @@ -960,7 +985,7 @@ rule: TOK_PTRACE TOK_ID TOK_END_OF_RULE $$ = entry; }; -rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE +ptrace_rule: TOK_PTRACE TOK_COLON TOK_ID TOK_COLON TOK_ID TOK_END_OF_RULE { struct cod_entry *entry; entry = new_entry($3, $5, AA_USER_PTRACE | AA_OTHER_PTRACE, NULL); diff --git a/parser/tst/simple_tests/file/file/bad_1.sd b/parser/tst/simple_tests/file/file/bad_1.sd new file mode 100644 index 000000000..53cc0545a --- /dev/null +++ b/parser/tst/simple_tests/file/file/bad_1.sd @@ -0,0 +1,7 @@ +# +#=Description basic file rule +#=EXRESULT FAIL +# +/usr/bin/foo { + file rw, +} diff --git a/parser/tst/simple_tests/file/file/bad_append_1.sd b/parser/tst/simple_tests/file/file/bad_append_1.sd new file mode 100644 index 000000000..677e2a309 --- /dev/null +++ b/parser/tst/simple_tests/file/file/bad_append_1.sd @@ -0,0 +1,8 @@ +# +#=DESCRIPTION w and a conflict +#=EXRESULT FAIL +# +/usr/bin/foo { + file /a wa, +} + diff --git a/parser/tst/simple_tests/file/file/bad_comma_1.sd b/parser/tst/simple_tests/file/file/bad_comma_1.sd new file mode 100644 index 000000000..c44df8cd8 --- /dev/null +++ b/parser/tst/simple_tests/file/file/bad_comma_1.sd @@ -0,0 +1,7 @@ +k# +#=DESCRIPTION comma in pathname +#=EXRESULT FAIL +# +/usr/bin/foo { + file /foobar, r, +} diff --git a/parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd b/parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd new file mode 100644 index 000000000..3bb933336 --- /dev/null +++ b/parser/tst/simple_tests/file/file/bad_embedded_spaces_1.sd @@ -0,0 +1,6 @@ +#=DESCRIPTION Simple test case for embedded spaces +#=EXRESULT FAIL + +/bin/foo { + file /abc\ def r, +} diff --git a/parser/tst/simple_tests/file/file/bad_lock_1.sd b/parser/tst/simple_tests/file/file/bad_lock_1.sd new file mode 100644 index 000000000..854f5bab4 --- /dev/null +++ b/parser/tst/simple_tests/file/file/bad_lock_1.sd @@ -0,0 +1,8 @@ +# +#=DESCRIPTION k to be lower case +#=EXRESULT FAIL +# +/usr/bin/foo { + file /bin/ls K, +} + diff --git a/parser/tst/simple_tests/file/file/dos_line_endings.sd b/parser/tst/simple_tests/file/file/dos_line_endings.sd new file mode 100644 index 000000000..1257f6350 --- /dev/null +++ b/parser/tst/simple_tests/file/file/dos_line_endings.sd @@ -0,0 +1,41 @@ +# vim:syntax=subdomain +# Last Modified: Wed Aug 31 11:14:09 2005 +#=DESCRIPTION dos line endings +#=EXRESULT PASS +/usr/lib/RealPlayer10/realplay { + #include + #include + + file /bin/bash ix, + file /bin/sed ixr, + file /bin/true ixr, + file /etc/opt/gnome/pango/pango.modules r, + file /opt/gnome/lib/gtk-2.0/2.4.0/loaders/* r, + file /opt/gnome/lib/lib*so* r, + file /opt/gnome/lib/pango/1.4.0/modules/* r, + file /opt/gnome/share/icons r, + file /opt/gnome/share/icons/** r, + file /opt/gnome/bin/nautilus rux, + file /root r, + file /root/.Xauthority r, + file /root/.fonts.cache-1 r, + file /root/.realplayerrc rw, + file /home/*/ r, + file /home/*/.Xauthority r, + file /home/*/.fonts.cache-1 r, + file /home/*/.realplayerrc rw, + file /usr/X11R6/lib/Acrobat7/Resource/Font/* r, + file /usr/X11R6/lib/Acrobat7/Resource/Font/PFM/* r, + file /usr/lib/RealPlayer10/** r, + file /usr/lib/RealPlayer10/realplay.bin ixr, + file /usr/lib/jvm/java-1.4.2-sun-1.4.2.06/jre/lib/fonts/** r, + file /usr/lib/ooo-2.0/share/fonts/** r, + file /opt/MozillaFirefox/bin/firefox.sh pxr, + file /opt/MozillaFirefox/lib/firefox-bin pxr, + file /opt/MozillaFirefox/lib/init.d r, + file /usr/bin/opera pxr, + file /usr/share/icons r, + file /usr/share/icons/** r, + file /opt/gnome/share/pixmaps r, + file /opt/gnome/share/pixmaps/** r, +} diff --git a/parser/tst/simple_tests/file/file/front_perms_ok_1.sd b/parser/tst/simple_tests/file/file/front_perms_ok_1.sd new file mode 100644 index 000000000..bdf13404e --- /dev/null +++ b/parser/tst/simple_tests/file/file/front_perms_ok_1.sd @@ -0,0 +1,24 @@ +# +#=DESCRIPTION perms before pathname +#=EXRESULT PASS +# +/usr/bin/foo { + + file r /foo1, + file w /foo1, + file a /foo1, + file k /foo1, + file m /foo1, + file l /foo1, + file px /foo1, + file Px /foo2, + file ux /foo3, + file Ux /foo4, + file ix /foo5, + file unsafe px /foo6, + file unsafe Px /foo7, + file unsafe ux /foo8, + file unsafe Ux /foo9, + file unsafe ix /foo10, + +} diff --git a/parser/tst/simple_tests/file/file/ok_1.sd b/parser/tst/simple_tests/file/file/ok_1.sd new file mode 100644 index 000000000..2b5dce970 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_1.sd @@ -0,0 +1,7 @@ +# +#=Description basic file rule +#=EXRESULT PASS +# +/usr/bin/foo { + file /usr/bin/foo r, +} diff --git a/parser/tst/simple_tests/file/file/ok_2.sd b/parser/tst/simple_tests/file/file/ok_2.sd new file mode 100644 index 000000000..6d5f26e6d --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_2.sd @@ -0,0 +1,7 @@ +# +#=Description basic file rule +#=EXRESULT PASS +# +/usr/bin/foo { + file, +} diff --git a/parser/tst/simple_tests/file/file/ok_3.sd b/parser/tst/simple_tests/file/file/ok_3.sd new file mode 100644 index 000000000..f274f1c62 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_3.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION A simple successful profile +#=EXRESULT PASS +# +/usr/bin/foo { + file /usr/bin/foo r, + file /usr/bin/blah rix, +} + diff --git a/parser/tst/simple_tests/file/file/ok_append_1.sd b/parser/tst/simple_tests/file/file/ok_append_1.sd new file mode 100644 index 000000000..de8f9df44 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_append_1.sd @@ -0,0 +1,13 @@ +# +#=DESCRIPTION test append +#=EXRESULT PASS +# +/usr/bin/foo { + file /bin/cat a, + file /bin/true ra, + file /bin/false ma, + file /lib/libc.so la, + file /bin/less ixa, + file /bin/more pxa, + file /a uxa, +} diff --git a/parser/tst/simple_tests/file/file/ok_carat_1.sd b/parser/tst/simple_tests/file/file/ok_carat_1.sd new file mode 100644 index 000000000..ed44a9562 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_carat_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION carat in pathname +#=EXRESULT PASS +# +/usr/bin/foo { + file /foo^bar r, +} diff --git a/parser/tst/simple_tests/file/file/ok_carat_2.sd b/parser/tst/simple_tests/file/file/ok_carat_2.sd new file mode 100644 index 000000000..b222b7ce2 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_carat_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION trailing carat in pathname +#=EXRESULT PASS +# +/usr/bin/foo { + file /foo/bar^ r, +} diff --git a/parser/tst/simple_tests/file/file/ok_comma_1.sd b/parser/tst/simple_tests/file/file/ok_comma_1.sd new file mode 100644 index 000000000..2be666aeb --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_comma_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION comma in pathname +#=EXRESULT PASS +# +/usr/bin/foo { + file /foo,bar r, +} diff --git a/parser/tst/simple_tests/file/file/ok_comma_2.sd b/parser/tst/simple_tests/file/file/ok_comma_2.sd new file mode 100644 index 000000000..33ac37272 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_comma_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION comma at end of pathname +#=EXRESULT PASS +# +/usr/bin/foo { + file "/foobar," r, +} diff --git a/parser/tst/simple_tests/file/file/ok_embedded_spaces_1.sd b/parser/tst/simple_tests/file/file/ok_embedded_spaces_1.sd new file mode 100644 index 000000000..10ad90c4e --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_embedded_spaces_1.sd @@ -0,0 +1,6 @@ +#=DESCRIPTION Simple test case for embedded spaces +#=EXRESULT PASS + +/bin/foo { + file "/abc\ def" r, +} diff --git a/parser/tst/simple_tests/file/file/ok_embedded_spaces_2.sd b/parser/tst/simple_tests/file/file/ok_embedded_spaces_2.sd new file mode 100644 index 000000000..caff2a1c7 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_embedded_spaces_2.sd @@ -0,0 +1,6 @@ +#=DESCRIPTION Simple test case for embedded spaces +#=EXRESULT PASS + +/bin/foo { + file "/abc def" r, +} diff --git a/parser/tst/simple_tests/file/file/ok_embedded_spaces_3.sd b/parser/tst/simple_tests/file/file/ok_embedded_spaces_3.sd new file mode 100644 index 000000000..138ae2a3e --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_embedded_spaces_3.sd @@ -0,0 +1,6 @@ +#=DESCRIPTION Simple test case for embedded spaces +#=EXRESULT PASS + +"/bin/fo o" { + file "/abc def" r, +} diff --git a/parser/tst/simple_tests/file/file/ok_inv_char_class.sd b/parser/tst/simple_tests/file/file/ok_inv_char_class.sd new file mode 100644 index 000000000..9a36c3dc9 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_inv_char_class.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION carat in pathname +#=EXRESULT PASS +# +/usr/bin/foo { + file /foo[^me]bar r, +} diff --git a/parser/tst/simple_tests/file/file/ok_lock_1.sd b/parser/tst/simple_tests/file/file/ok_lock_1.sd new file mode 100644 index 000000000..e28739c38 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_lock_1.sd @@ -0,0 +1,17 @@ +# +#=DESCRIPTION k and other perms do not conflict +#=EXRESULT PASS +# +/usr/bin/foo { + file /bin/a k, + file /bin/b rk, + file /bin/c wk, + file /bin/d ak, + file /bin/e lk, + file /bin/e mk, + file /bin/f pxk, + file /bin/g Pxk, + file /bin/h ixk, + file /bin/i uxk, + file /bin/j Uxk, +} diff --git a/parser/tst/simple_tests/file/file/ok_mmap_1.sd b/parser/tst/simple_tests/file/file/ok_mmap_1.sd new file mode 100644 index 000000000..21a8c36e8 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_mmap_1.sd @@ -0,0 +1,12 @@ +# +#=DESCRIPTION m and [uUpPi]x do not conflict +#=EXRESULT PASS +# +/usr/bin/foo { + file /bin/cat mix, + file /bin/true mpx, + file /bin/false mux, + file /lib/libc.so rwlm, + file /bin/less mUx, + file /bin/more mPx, +} diff --git a/parser/tst/simple_tests/file/file/ok_mmap_2.sd b/parser/tst/simple_tests/file/file/ok_mmap_2.sd new file mode 100644 index 000000000..eef6f5cb2 --- /dev/null +++ b/parser/tst/simple_tests/file/file/ok_mmap_2.sd @@ -0,0 +1,14 @@ +# +#=DESCRIPTION m and [upi]x do not conflict, seperate rules +#=EXRESULT PASS +# +/usr/bin/foo { + file /bin/cat rm, + file /bin/cat ix, + file /bin/true px, + file /bin/true m, + file /bin/false m, + file /bin/false ux, + file /lib/libc.so rwl, + file /lib/libc.so m, +} diff --git a/parser/tst/simple_tests/file/file/owner/bad_3.sd b/parser/tst/simple_tests/file/file/owner/bad_3.sd new file mode 100644 index 000000000..d489667a9 --- /dev/null +++ b/parser/tst/simple_tests/file/file/owner/bad_3.sd @@ -0,0 +1,8 @@ +# +#=DESCRIPTION owner can not follow path name +#=EXRESULT FAIL +# +/usr/bin/foo { + file /foo owner rw, + +} diff --git a/parser/tst/simple_tests/file/file/owner/bad_4.sd b/parser/tst/simple_tests/file/file/owner/bad_4.sd new file mode 100644 index 000000000..f826f63d3 --- /dev/null +++ b/parser/tst/simple_tests/file/file/owner/bad_4.sd @@ -0,0 +1,8 @@ +# +#=DESCRIPTION owner cannot follow permission +#=EXRESULT FAIL +# +/usr/bin/foo { + file /foo rw owner, + +} diff --git a/parser/tst/simple_tests/file/file/owner/bad_5.sd b/parser/tst/simple_tests/file/file/owner/bad_5.sd new file mode 100644 index 000000000..125f9ef9f --- /dev/null +++ b/parser/tst/simple_tests/file/file/owner/bad_5.sd @@ -0,0 +1,8 @@ +# +#=DESCRIPTION owner rules must have comma termination +#=EXRESULT FAIL +# +/usr/bin/foo { + owner file /foo rw + file /bar rw, +} diff --git a/parser/tst/simple_tests/file/file/owner/bad_6.sd b/parser/tst/simple_tests/file/file/owner/bad_6.sd new file mode 100644 index 000000000..ae3fabc3c --- /dev/null +++ b/parser/tst/simple_tests/file/file/owner/bad_6.sd @@ -0,0 +1,8 @@ +# +#=DESCRIPTION owner not allowed after forward perm +#=EXRESULT FAIL +# +/usr/bin/foo { + file rw owner /foo, + +} diff --git a/parser/tst/simple_tests/file/file/owner/bad_7.sd b/parser/tst/simple_tests/file/file/owner/bad_7.sd new file mode 100644 index 000000000..6287df16c --- /dev/null +++ b/parser/tst/simple_tests/file/file/owner/bad_7.sd @@ -0,0 +1,8 @@ +# +#=DESCRIPTION owner not allowed after pathname in forward rule +#=EXRESULT FAIL +# +/usr/bin/foo { + file rw /foo owner, + +} diff --git a/parser/tst/simple_tests/file/file/owner/bad_8.sd b/parser/tst/simple_tests/file/file/owner/bad_8.sd new file mode 100644 index 000000000..0c96d4a0b --- /dev/null +++ b/parser/tst/simple_tests/file/file/owner/bad_8.sd @@ -0,0 +1,9 @@ +# +#=DESCRIPTION owner block needs } termination +#=EXRESULT FAIL +# +/usr/bin/foo { + owner { + file rw foo, + +} diff --git a/parser/tst/simple_tests/file/file/owner/ok_1.sd b/parser/tst/simple_tests/file/file/owner/ok_1.sd new file mode 100644 index 000000000..02ea445cd --- /dev/null +++ b/parser/tst/simple_tests/file/file/owner/ok_1.sd @@ -0,0 +1,25 @@ +# +#=DESCRIPTION test owner flag for file rules +#=EXRESULT PASS +# +/usr/bin/foo { + + owner file /foo rw, + owner file /foo/** rw, + + owner file rw /bar, + owner file rw /bar/**, + + owner { + file /one rw, + file /one/** rw, + + file rw /two, + file rw /two/**, + } + + owner { + + } + +}