Compare commits
44 Commits
v4.0.0-alp
...
v4.0.0-bet
Author | SHA1 | Date | |
---|---|---|---|
|
b264bb62c9 | ||
|
35287c8e1c | ||
|
119e3f38f9 | ||
|
dd0d145a19 | ||
|
f6ad1cbe1e | ||
|
8a5e7227db | ||
|
79ee3eb180 | ||
|
052dd987b3 | ||
|
7e25be7b0b | ||
|
ddefe11a40 | ||
|
b83cf90b82 | ||
|
e3cb9e1669 | ||
|
924b335dfc | ||
|
a2da64304f | ||
|
bb53886211 | ||
|
746f76d3e1 | ||
|
35f25a251b | ||
|
c09f58a364 | ||
|
909e330fd0 | ||
|
88907253e4 | ||
|
124e73ec93 | ||
|
4b1bc85022 | ||
|
c4f649da92 | ||
|
108f489f2b | ||
|
4d2172e82e | ||
|
95d9ba8d8b | ||
|
420d3395fc | ||
|
4608d32628 | ||
|
2394ca82c5 | ||
|
105b50502b | ||
|
105bdfdeb9 | ||
|
f9d38c9b2c | ||
|
3ea050eb30 | ||
|
b49822a48d | ||
|
32bba24468 | ||
|
fd25954c56 | ||
|
ca3afe1691 | ||
|
2577fbf077 | ||
|
2b8cf1be80 | ||
|
89a9f76733 | ||
|
4621af8ead | ||
|
668f5af436 | ||
|
48d475036a | ||
|
0e378f52a8 |
2
.gitignore
vendored
2
.gitignore
vendored
@@ -266,6 +266,8 @@ tests/regression/apparmor/mmap
|
||||
tests/regression/apparmor/mount
|
||||
tests/regression/apparmor/move_mount
|
||||
tests/regression/apparmor/named_pipe
|
||||
tests/regression/apparmor/net_finegrained_rcv
|
||||
tests/regression/apparmor/net_finegrained_snd
|
||||
tests/regression/apparmor/net_raw
|
||||
tests/regression/apparmor/open
|
||||
tests/regression/apparmor/openat
|
||||
|
@@ -17,7 +17,7 @@ stages:
|
||||
- uname -a
|
||||
|
||||
.install-c-build-deps: &install-c-build-deps
|
||||
- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
|
||||
- apt-get install --no-install-recommends -y build-essential apache2-dev autoconf autoconf-archive automake bison dejagnu flex libpam-dev libtool pkg-config python3-all-dev python3-setuptools ruby-dev swig zlib1g-dev
|
||||
|
||||
build-all:
|
||||
stage: build
|
||||
|
@@ -773,8 +773,8 @@ static int print_usage(const char *command, bool error)
|
||||
" --pretty-json same data as --json, formatted for human consumption as well\n"
|
||||
" --verbose (default) displays data points about loaded policy set\n"
|
||||
" --quiet don't output error messages\n"
|
||||
" -h [(legacy|filter)] this message, or info on the specified option\n"
|
||||
" --help[=(legacy|filter)] this message, or info on the specified option\n",
|
||||
" -h[(legacy|filters)] this message, or info on the specified option\n"
|
||||
" --help[=(legacy|filters)] this message, or info on the specified option\n",
|
||||
command);
|
||||
|
||||
exit(status);
|
||||
@@ -830,7 +830,7 @@ static int parse_args(int argc, char **argv)
|
||||
};
|
||||
|
||||
// Using exit here is temporary
|
||||
while ((opt = getopt_long(argc, argv, "+vh", long_opts, NULL)) != -1) {
|
||||
while ((opt = getopt_long(argc, argv, "+vh::", long_opts, NULL)) != -1) {
|
||||
switch (opt) {
|
||||
case ARG_ENABLED:
|
||||
exit(aa_is_enabled() == 1 ? 0 : AA_EXIT_DISABLED);
|
||||
|
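Review bot: The new optstring `"+vh::"` makes the argument of `-h` optional, but with the `::` form the value has to be attached (`-hlegacy`), which is why the help text drops the space; a comment above the loop, `/* "h::": optional argument, must be attached (-hlegacy); GNU extension */`, saves the next reader a trip to the getopt man page. The double colon is a GNU extension rather than POSIX, so a non-glibc getopt may not honour it. The `case 'h'` that consumes `optarg` lies outside the hunk, so I cannot confirm it handles a NULL `optarg` for a bare `-h`; parse_args continues past the hunk.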
@@ -1 +1 @@
|
||||
4.0.0~alpha4
|
||||
4.0.0~beta1
|
||||
|
@@ -92,6 +92,13 @@ if test "$ac_cv_prog_cc_c99" = "no"; then
|
||||
AC_MSG_ERROR([C99 mode is required to build libapparmor])
|
||||
fi
|
||||
|
||||
EXTRA_CFLAGS="-Wall $(EXTRA_WARNINGS) -fPIC"
|
||||
AX_CHECK_COMPILE_FLAG([-flto-partition=none], , , [-Werror])
|
||||
AS_VAR_IF([ax_cv_check_cflags__Werror__flto_partition_none], [yes],
|
||||
[EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"]
|
||||
,)
|
||||
AC_SUBST([AM_CFLAGS], ["$EXTRA_CFLAGS"])
|
||||
|
||||
AC_OUTPUT(
|
||||
Makefile
|
||||
doc/Makefile
|
||||
|
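Review bot: `AX_CHECK_COMPILE_FLAG` comes from autoconf-archive (the CI hunk adds that package for this reason), and when the archive is missing autoreconf leaves the macro unexpanded, so configure fails at that line with a shell syntax error instead of a clear message; a line before it, `dnl AX_CHECK_COMPILE_FLAG requires autoconf-archive`, documents the new build dependency where it bites. The `AS_VAR_IF` on `ax_cv_check_cflags__Werror__flto_partition_none` relies on the macro's internal cache-variable mangling of the flag and the `-Werror` extra flag; the macro's own action-if-found argument avoids that coupling: `AX_CHECK_COMPILE_FLAG([-flto-partition=none], [EXTRA_CFLAGS="$EXTRA_CFLAGS -flto-partition=none"], [], [-Werror])`.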
@@ -33,9 +33,9 @@ INCLUDES = $(all_includes)
|
||||
# After changing the AA_LIB_* variables, also update EXPECTED_SO_NAME.
|
||||
|
||||
AA_LIB_CURRENT = 18
|
||||
AA_LIB_REVISION = 0
|
||||
AA_LIB_REVISION = 1
|
||||
AA_LIB_AGE = 17
|
||||
EXPECTED_SO_NAME = libapparmor.so.1.17.0
|
||||
EXPECTED_SO_NAME = libapparmor.so.1.17.1
|
||||
|
||||
SUFFIXES = .pc.in .pc
|
||||
|
||||
@@ -45,7 +45,6 @@ include $(COMMONDIR)/Make.rules
|
||||
BUILT_SOURCES = grammar.h scanner.h af_protos.h
|
||||
AM_LFLAGS = -v
|
||||
AM_YFLAGS = -d -p aalogparse_
|
||||
AM_CFLAGS = -Wall $(EXTRA_WARNINGS) -fPIC -flto-partition=none
|
||||
AM_CPPFLAGS = -D_GNU_SOURCE -I$(top_srcdir)/include/
|
||||
scanner.h: scanner.l
|
||||
$(LEX) -v $<
|
||||
|
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1709108389.303:12383): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="/home/user/test/testmount" name="/tmp/foo/" pid=14155 comm="testmount" flags="ro, remount"
|
@@ -0,0 +1,15 @@
|
||||
START
|
||||
File: testcase_remount_01.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1709108389.303:12383
|
||||
Operation: mount
|
||||
Profile: /home/user/test/testmount
|
||||
Name: /tmp/foo/
|
||||
Command: testmount
|
||||
Info: failed mntpnt match
|
||||
ErrorCode: 13
|
||||
PID: 14155
|
||||
Flags: ro, remount
|
||||
Class: mount
|
||||
Epoch: 1709108389
|
||||
Audit subid: 12383
|
@@ -0,0 +1,4 @@
|
||||
/home/user/test/testmount {
|
||||
mount options=(remount, ro) -> /tmp/foo/,
|
||||
|
||||
}
|
@@ -0,0 +1 @@
|
||||
type=AVC msg=audit(1709025786.045:43147): apparmor="DENIED" operation="umount" class="mount" profile="/home/user/test/testmount" name="/mnt/a/" pid=26697 comm="testmount"
|
@@ -0,0 +1,12 @@
|
||||
START
|
||||
File: testcase_umount_01.in
|
||||
Event type: AA_RECORD_DENIED
|
||||
Audit ID: 1709025786.045:43147
|
||||
Operation: umount
|
||||
Profile: /home/user/test/testmount
|
||||
Name: /mnt/a/
|
||||
Command: testmount
|
||||
PID: 26697
|
||||
Class: mount
|
||||
Epoch: 1709025786
|
||||
Audit subid: 43147
|
@@ -0,0 +1,4 @@
|
||||
/home/user/test/testmount {
|
||||
umount /mnt/a/,
|
||||
|
||||
}
|
@@ -70,7 +70,10 @@ CFLAGS = -g -pg -fprofile-arcs -ftest-coverage
|
||||
endif
|
||||
endif #CFLAGS
|
||||
|
||||
CFLAGS += -flto-partition=none
|
||||
HAVE_FLTO_PARTITION_NONE:=$(shell ${CC} -E -flto-partition=none /dev/null 1>/dev/null 2>&1 && echo true)
|
||||
ifeq ($(HAVE_FLTO_PARTITION_NONE),true)
|
||||
CFLAGS += -flto-partition=none
|
||||
endif
|
||||
|
||||
EXTRA_CXXFLAGS = ${CFLAGS} ${CPPFLAGS} ${CXX_WARNINGS} -std=gnu++0x
|
||||
EXTRA_CFLAGS = ${EXTRA_CXXFLAGS} ${CPP_WARNINGS}
|
||||
|
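Review bot: The probe on the `HAVE_FLTO_PARTITION_NONE` line runs the compiler with `-E` only, so it shows that the driver accepts the flag, not that the flag is honoured when objects are compiled or linked; a compiler that merely warns about an unused argument still exits 0, the variable becomes true, and every object build then carries that warning. Compiling an empty translation unit is closer to the real use, and `-Werror` on the probe turns such a warning into a negative result: `HAVE_FLTO_PARTITION_NONE:=$(shell ${CC} -Werror -c -x c -flto-partition=none /dev/null -o /dev/null 1>/dev/null 2>&1 && echo true)`. How each supported compiler treats this flag I did not verify, so the exact probe command is a suggestion to test against the toolchains in CI.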
@@ -202,7 +202,7 @@ void unix_rule::downgrade_rule(Profile &prof) {
|
||||
if (audit == AUDIT_FORCE)
|
||||
prof.net.audit[AF_UNIX] |= mask;
|
||||
const char *error;
|
||||
network_rule *netv8 = new network_rule(AF_UNIX, sock_type_n);
|
||||
network_rule *netv8 = new network_rule(perms, AF_UNIX, sock_type_n);
|
||||
if(!netv8->add_prefix({audit, rule_mode, owner}, error))
|
||||
yyerror(error);
|
||||
prof.rule_ents.push_back(netv8);
|
||||
|
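Review bot: The `new network_rule(perms, AF_UNIX, sock_type_n)` line forwards the unix rule's `perms` unmasked, and the constructor it reaches (shown later on this page) calls `yyerror` when `perms & ~AA_VALID_NET_PERMS` is non-zero. Whether every unix perms bit is inside `AA_VALID_NET_PERMS` is not visible here; if it is not, downgrading a unix rule would abort the parse rather than degrade gracefully. If the sets differ, masking at the call site, `new network_rule(perms & AA_VALID_NET_PERMS, AF_UNIX, sock_type_n)`, or a comment stating the subset relationship settles it. downgrade_rule starts before the hunk.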
@@ -83,7 +83,7 @@ void all_rule::add_implied_rules(Profile &prof)
|
||||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
rule = new network_rule(NULL);
|
||||
rule = new network_rule(0, (struct cond_entry *)NULL, (struct cond_entry *)NULL);
|
||||
(void) rule->add_prefix(*prefix);
|
||||
prof.rule_ents.push_back(rule);
|
||||
|
||||
|
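Review bot: The two `(struct cond_entry *)NULL` casts on the new line exist only to pick the `(perms_t, struct cond_entry *, struct cond_entry *)` constructor over `(perms_t, unsigned int, unsigned int)`, because a bare `NULL` converts either way; the parser Makefile hunk shows `-std=gnu++0x`, so `nullptr` gives the same disambiguation without casts: `rule = new network_rule(0, nullptr, nullptr);`. A short comment that perms `0` selects the default `AA_VALID_NET_PERMS` (the constructor's `else` branch) would also help, since `0` reads as "no permissions" at this call site. add_implied_rules starts before and ends after the hunk.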
@@ -12,8 +12,7 @@
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, contact Novell, Inc. or Canonical
|
||||
* Ltd.
|
||||
* along with this program; if not, contact Canonical Ltd.
|
||||
*/
|
||||
|
||||
#ifndef __AA_BIGNUM_H
|
||||
@@ -29,10 +28,9 @@ class bignum
|
||||
{
|
||||
public:
|
||||
std::vector<uint8_t> data;
|
||||
uint64_t sad = 543;
|
||||
uint8_t base;
|
||||
bool negative = false;
|
||||
bignum () {}
|
||||
bignum () : base(0) {}
|
||||
|
||||
bignum (unsigned long val) {
|
||||
if (val == 0)
|
||||
|
@@ -20,6 +20,7 @@
|
||||
#include <string>
|
||||
#include <sstream>
|
||||
#include <map>
|
||||
#include <arpa/inet.h>
|
||||
|
||||
#include "lib.h"
|
||||
#include "parser.h"
|
||||
@@ -298,7 +299,59 @@ const struct network_tuple *net_find_mapping(const struct network_tuple *map,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void network_rule::move_conditionals(struct cond_entry *conds)
|
||||
bool parse_ipv4_address(const char *input, struct ip_address *result)
|
||||
{
|
||||
struct in_addr addr;
|
||||
if (inet_pton(AF_INET, input, &addr) == 1) {
|
||||
result->family = AF_INET;
|
||||
result->address.address_v4 = addr.s_addr;
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
bool parse_ipv6_address(const char *input, struct ip_address *result)
|
||||
{
|
||||
struct in6_addr addr;
|
||||
if (inet_pton(AF_INET6, input, &addr) == 1) {
|
||||
result->family = AF_INET6;
|
||||
memcpy(result->address.address_v6, addr.s6_addr, 16);
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
bool parse_ip(const char *ip, struct ip_address *result)
|
||||
{
|
||||
return parse_ipv6_address(ip, result) ||
|
||||
parse_ipv4_address(ip, result);
|
||||
}
|
||||
|
||||
bool parse_port_number(const char *port_entry, uint16_t *port) {
|
||||
char *eptr;
|
||||
unsigned long port_tmp = strtoul(port_entry, &eptr, 10);
|
||||
|
||||
if (port_tmp >= 0 && port_entry != eptr &&
|
||||
*eptr == '\0' && port_tmp <= UINT16_MAX) {
|
||||
*port = port_tmp;
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
bool network_rule::parse_port(ip_conds &entry)
|
||||
{
|
||||
entry.is_port = true;
|
||||
return parse_port_number(entry.sport, &entry.port);
|
||||
}
|
||||
|
||||
bool network_rule::parse_address(ip_conds &entry)
|
||||
{
|
||||
entry.is_ip = true;
|
||||
return parse_ip(entry.sip, &entry.ip);
|
||||
}
|
||||
|
||||
void network_rule::move_conditionals(struct cond_entry *conds, ip_conds &ip_cond)
|
||||
{
|
||||
struct cond_entry *cond_ent;
|
||||
|
||||
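Review bot: In `parse_port_number` the test `port_tmp >= 0` is always true for an `unsigned long`, while the real gaps are that `strtoul` skips leading whitespace and accepts a sign, so `port= 80`, `port=+80` and `port=-0` pass the check (a plain `-1` is rejected only because it wraps above `UINT16_MAX`). Replacing the dead comparison with `isdigit((unsigned char)*port_entry) &&` (`<cctype>` if not already included) rejects all of those up front. Separately, `parse_port` and `parse_address` set `entry.is_port`/`entry.is_ip` before the parse has succeeded, which is only harmless because the callers hand a failure to `yyerror`; deriving the flag from the result, `entry.is_port = parse_port_number(entry.sport, &entry.port); return entry.is_port;`, keeps the object consistent regardless. The `move_conditionals` body that begins at the end of the hunk continues past it.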
@@ -306,10 +359,18 @@ void network_rule::move_conditionals(struct cond_entry *conds)
|
||||
/* for now disallow keyword 'in' (list) */
|
||||
if (!cond_ent->eq)
|
||||
yyerror("keyword \"in\" is not allowed in network rules\n");
|
||||
|
||||
/* no valid conditionals atm */
|
||||
yyerror("invalid network rule conditional \"%s\"\n",
|
||||
cond_ent->name);
|
||||
if (strcmp(cond_ent->name, "ip") == 0) {
|
||||
move_conditional_value("network", &ip_cond.sip, cond_ent);
|
||||
if (!parse_address(ip_cond))
|
||||
yyerror("network invalid ip='%s'\n", ip_cond.sip);
|
||||
} else if (strcmp(cond_ent->name, "port") == 0) {
|
||||
move_conditional_value("network", &ip_cond.sport, cond_ent);
|
||||
if (!parse_port(ip_cond))
|
||||
yyerror("network invalid port='%s'\n", ip_cond.sport);
|
||||
} else {
|
||||
yyerror("invalid network rule conditional \"%s\"\n",
|
||||
cond_ent->name);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
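Review bot: A repeated conditional such as `ip=... ip=...` reaches `move_conditional_value("network", &ip_cond.sip, cond_ent)` twice; if that helper does not free the previous value (its body is not visible here) the first string leaks, and either way the later value silently wins. Rejecting the repeat before the move keeps the rule unambiguous: `if (ip_cond.sip) yyerror("network duplicate ip conditional\n");`, and the same guard on `sport` in the `port` branch. None of the network_bad_*.sd cases visible further down exercise a duplicated conditional. move_conditionals starts before the hunk.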
@@ -322,7 +383,8 @@ void network_rule::set_netperm(unsigned int family, unsigned int type)
|
||||
network_perms[family] |= 1 << type;
|
||||
}
|
||||
|
||||
network_rule::network_rule(struct cond_entry *conds):
|
||||
network_rule::network_rule(perms_t perms_p, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds):
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8)
|
||||
{
|
||||
size_t family_index;
|
||||
@@ -331,12 +393,25 @@ network_rule::network_rule(struct cond_entry *conds):
|
||||
set_netperm(family_index, 0xFFFFFFFF);
|
||||
}
|
||||
|
||||
move_conditionals(conds);
|
||||
move_conditionals(conds, local);
|
||||
move_conditionals(peer_conds, peer);
|
||||
free_cond_list(conds);
|
||||
free_cond_list(peer_conds);
|
||||
|
||||
if (perms_p) {
|
||||
perms = perms_p;
|
||||
if (perms & ~AA_VALID_NET_PERMS)
|
||||
yyerror("perms contains invalid permissions for network rules\n");
|
||||
else if ((perms & ~AA_PEER_NET_PERMS) && has_peer_conds())
|
||||
yyerror("network 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
|
||||
} else {
|
||||
perms = AA_VALID_NET_PERMS;
|
||||
}
|
||||
}
|
||||
|
||||
network_rule::network_rule(const char *family, const char *type,
|
||||
const char *protocol, struct cond_entry *conds):
|
||||
network_rule::network_rule(perms_t perms_p, const char *family, const char *type,
|
||||
const char *protocol, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds):
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8)
|
||||
{
|
||||
const struct network_tuple *mapping = NULL;
|
||||
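Review bot: The perms validation block, `if (perms_p) { perms = perms_p; if (perms & ~AA_VALID_NET_PERMS) ... } else { perms = AA_VALID_NET_PERMS; }`, is repeated verbatim in this constructor and in both constructors of the next hunk (the family/type/protocol one and the `(perms_t, unsigned int, unsigned int)` one). A private `void set_perms(perms_t perms_p)` holding that block, called once from each constructor, keeps the three error paths from drifting apart; the call has to stay after `move_conditionals(peer_conds, peer)` because the check reads `has_peer_conds()`. In the third constructor no peer conditionals are ever moved, so `has_peer_conds()` is always false there and its second `yyerror` is unreachable — fine under a shared helper, but worth a one-line comment if the copies are kept. This constructor starts before the hunk.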
@@ -355,15 +430,37 @@ network_rule::network_rule(const char *family, const char *type,
|
||||
if (network_map.empty())
|
||||
yyerror(_("Invalid network entry."));
|
||||
|
||||
move_conditionals(conds);
|
||||
move_conditionals(conds, local);
|
||||
move_conditionals(peer_conds, peer);
|
||||
free_cond_list(conds);
|
||||
free_cond_list(peer_conds);
|
||||
|
||||
if (perms_p) {
|
||||
perms = perms_p;
|
||||
if (perms & ~AA_VALID_NET_PERMS)
|
||||
yyerror("perms contains invalid permissions for network rules\n");
|
||||
else if ((perms & ~AA_PEER_NET_PERMS) && has_peer_conds())
|
||||
yyerror("network 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
|
||||
} else {
|
||||
perms = AA_VALID_NET_PERMS;
|
||||
}
|
||||
}
|
||||
|
||||
network_rule::network_rule(unsigned int family, unsigned int type):
|
||||
network_rule::network_rule(perms_t perms_p, unsigned int family, unsigned int type):
|
||||
dedup_perms_rule_t(AA_CLASS_NETV8)
|
||||
{
|
||||
network_map[family].push_back({ family, type, 0xFFFFFFFF });
|
||||
set_netperm(family, type);
|
||||
|
||||
if (perms_p) {
|
||||
perms = perms_p;
|
||||
if (perms & ~AA_VALID_NET_PERMS)
|
||||
yyerror("perms contains invalid permissions for network rules\n");
|
||||
else if ((perms & ~AA_PEER_NET_PERMS) && has_peer_conds())
|
||||
yyerror("network 'create', 'shutdown', 'setattr', 'getattr', 'bind', 'listen', 'setopt', and/or 'getopt' accesses cannot be used with peer socket conditionals\n");
|
||||
} else {
|
||||
perms = AA_VALID_NET_PERMS;
|
||||
}
|
||||
}
|
||||
|
||||
ostream &network_rule::dump(ostream &os)
|
||||
@@ -428,6 +525,79 @@ void network_rule::warn_once(const char *name)
|
||||
rule_t::warn_once(name, "network rules not enforced");
|
||||
}
|
||||
|
||||
std::string gen_ip_cond(const struct ip_address ip)
|
||||
{
|
||||
std::ostringstream oss;
|
||||
int i;
|
||||
if (ip.family == AF_INET) {
|
||||
/* add a byte containing the size of the following ip */
|
||||
oss << "\\x04";
|
||||
|
||||
u8 *byte = (u8 *) &ip.address.address_v4; /* in network byte order */
|
||||
for (i = 0; i < 4; i++)
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(byte[i]);
|
||||
} else {
|
||||
/* add a byte containing the size of the following ip */
|
||||
oss << "\\x10";
|
||||
for (i = 0; i < 16; ++i)
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(ip.address.address_v6[i]);
|
||||
}
|
||||
return oss.str();
|
||||
}
|
||||
|
||||
std::string gen_port_cond(uint16_t port)
|
||||
{
|
||||
std::ostringstream oss;
|
||||
if (port > 0) {
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((port & 0xff00) >> 8);
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (port & 0xff);
|
||||
} else {
|
||||
oss << "..";
|
||||
}
|
||||
return oss.str();
|
||||
}
|
||||
|
||||
void network_rule::gen_ip_conds(std::ostringstream &oss, ip_conds entry, bool is_peer, bool is_cmd)
|
||||
{
|
||||
/* encode protocol */
|
||||
if (!is_cmd) {
|
||||
if (entry.is_ip) {
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((entry.ip.family & 0xff00) >> 8);
|
||||
oss << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (entry.ip.family & 0xff);
|
||||
} else {
|
||||
oss << "..";
|
||||
}
|
||||
}
|
||||
|
||||
if (entry.is_port) {
|
||||
/* encode port type (privileged - 1, remote - 2, unprivileged - 0) */
|
||||
if (!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED)
|
||||
oss << "\\x01";
|
||||
else if (is_peer)
|
||||
oss << "\\x02";
|
||||
else
|
||||
oss << "\\x00";
|
||||
|
||||
oss << gen_port_cond(entry.port);
|
||||
} else {
|
||||
/* port type + port number */
|
||||
if (!is_cmd)
|
||||
oss << ".";
|
||||
oss << "..";
|
||||
}
|
||||
|
||||
if (entry.is_ip) {
|
||||
oss << gen_ip_cond(entry.ip);
|
||||
} else {
|
||||
/* encode 0 to indicate there's no ip (ip size) */
|
||||
oss << "\\x00";
|
||||
}
|
||||
|
||||
oss << "\\-x01"; /* oob separator */
|
||||
oss << default_match_pattern; /* label - not used for now */
|
||||
oss << "\\x00"; /* null transition */
|
||||
}
|
||||
|
||||
bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mask) {
|
||||
std::ostringstream buffer;
|
||||
std::string buf;
|
||||
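Review bot: `gen_port_cond` turns `port == 0` into the wildcard `..`, but its only caller `gen_ip_conds` reaches it inside `if (entry.is_port)`, where the unspecified case is already the `else` branch; an explicit `port=0` in a profile therefore compiles to "any port", which a policy author would not expect. Either emit the two bytes unconditionally in `gen_port_cond`, or have `parse_port_number` reject 0 if port 0 has no meaning for these rules. The condition `!is_peer && perms & AA_NET_BIND && entry.port < IPPORT_RESERVED` is right by precedence but easy to misread; `!is_peer && (perms & AA_NET_BIND) && entry.port < IPPORT_RESERVED` states the intent. In `gen_ip_cond`, `u8 *byte = (u8 *) &ip.address.address_v4;` casts away the const of the by-value parameter although the bytes are only read; `const u8 *byte = (const u8 *) &ip.address.address_v4;` is enough.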
@@ -441,13 +611,59 @@ bool network_rule::gen_net_rule(Profile &prof, u16 family, unsigned int type_mas
|
||||
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << ((type_mask & 0xff00) >> 8);
|
||||
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << (type_mask & 0xff);
|
||||
}
|
||||
buf = buffer.str();
|
||||
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(AA_VALID_NET_PERMS),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
if (!features_supports_inet) {
|
||||
buf = buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(AA_VALID_NET_PERMS),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(AA_VALID_NET_PERMS) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
if (perms & AA_PEER_NET_PERMS) {
|
||||
gen_ip_conds(buffer, peer, true, false);
|
||||
|
||||
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
|
||||
|
||||
gen_ip_conds(buffer, local, false, true);
|
||||
|
||||
buf = buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
}
|
||||
if ((perms & AA_NET_LISTEN) || (perms & AA_NET_OPT)) {
|
||||
gen_ip_conds(buffer, local, false, false);
|
||||
|
||||
if (perms & AA_NET_LISTEN) {
|
||||
std::ostringstream cmd_buffer;
|
||||
cmd_buffer << buffer.str();
|
||||
cmd_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
|
||||
/* length of queue allowed - not used for now */
|
||||
cmd_buffer << "..";
|
||||
buf = cmd_buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
}
|
||||
if (perms & AA_NET_OPT) {
|
||||
std::ostringstream cmd_buffer;
|
||||
cmd_buffer << buffer.str();
|
||||
cmd_buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
|
||||
/* level - not used for now */
|
||||
cmd_buffer << "..";
|
||||
/* socket mapping - not used for now */
|
||||
cmd_buffer << "..";
|
||||
buf = cmd_buffer.str();
|
||||
if (!prof.policy.rules->add_rule(buf.c_str(), rule_mode == RULE_DENY, map_perms(perms),
|
||||
dedup_perms_rule_t::audit == AUDIT_FORCE ? map_perms(perms) : 0,
|
||||
parseopts))
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
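Review bot: In the `!features_supports_inet` fallback the rule is added with `map_perms(AA_VALID_NET_PERMS)` rather than `map_perms(perms)`, so on a kernel without af_inet support a rule that asked for a subset of perms, or carried ip/port conditionals, is loaded as an unconditional full-permission rule. That matches what the removed lines did before perms existed, but it is now a silent widening of policy; a `warn_once` in the style of the existing `warn_once(const char *name)` (for example "network perms and conditionals not enforced on this kernel") plus a comment above the block would make the downgrade visible to policy authors. The four `add_rule` calls differ only in buffer and perms, so a small lambda taking `(const std::string &, perms_t)` would remove the repeated audit/parseopts arguments. I also do not see an `add_rule` for the bare `buffer` once inet is supported, so perms outside `AA_PEER_NET_PERMS`, `AA_NET_LISTEN` and `AA_NET_OPT` (create, bind, ...) appear to produce no rule in this function — if that is handled elsewhere, a comment saying where would help. gen_net_rule starts before the hunk.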
@@ -75,6 +75,10 @@
|
||||
#define AA_PEER_NET_PERMS (AA_VALID_NET_PERMS & (~AA_LOCAL_NET_PERMS | \
|
||||
AA_NET_ACCEPT))
|
||||
|
||||
#define CMD_ADDR 1
|
||||
#define CMD_LISTEN 2
|
||||
#define CMD_OPT 4
|
||||
|
||||
struct network_tuple {
|
||||
const char *family_name;
|
||||
unsigned int family;
|
||||
@@ -104,22 +108,58 @@ int net_find_type_val(const char *type);
|
||||
const char *net_find_type_name(int type);
|
||||
const char *net_find_af_name(unsigned int af);
|
||||
|
||||
struct ip_address {
|
||||
union {
|
||||
uint8_t address_v6[16];
|
||||
uint32_t address_v4;
|
||||
} address;
|
||||
uint16_t family;
|
||||
};
|
||||
|
||||
class ip_conds {
|
||||
public:
|
||||
char *sip = NULL;
|
||||
char *sport = NULL;
|
||||
|
||||
bool is_ip = false;
|
||||
bool is_port = false;
|
||||
|
||||
uint16_t port;
|
||||
struct ip_address ip;
|
||||
|
||||
void free_conds() {
|
||||
if (sip)
|
||||
free(sip);
|
||||
if (sport)
|
||||
free(sport);
|
||||
}
|
||||
};
|
||||
|
||||
class network_rule: public dedup_perms_rule_t {
|
||||
void move_conditionals(struct cond_entry *conds);
|
||||
void move_conditionals(struct cond_entry *conds, ip_conds &ip_cond);
|
||||
public:
|
||||
std::unordered_map<unsigned int, std::vector<struct aa_network_entry>> network_map;
|
||||
std::unordered_map<unsigned int, perms_t> network_perms;
|
||||
|
||||
ip_conds peer;
|
||||
ip_conds local;
|
||||
|
||||
bool has_local_conds(void) { return local.sip || local.sport; }
|
||||
bool has_peer_conds(void) { return peer.sip || peer.sport; }
|
||||
/* empty constructor used only for the profile to access
|
||||
* static elements to maintain compatibility with
|
||||
* AA_CLASS_NET */
|
||||
network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8) { }
|
||||
network_rule(struct cond_entry *conds);
|
||||
network_rule(const char *family, const char *type,
|
||||
const char *protocol, struct cond_entry *conds);
|
||||
network_rule(unsigned int family, unsigned int type);
|
||||
network_rule(perms_t perms_p, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds);
|
||||
network_rule(perms_t perms_p, const char *family, const char *type,
|
||||
const char *protocol, struct cond_entry *conds,
|
||||
struct cond_entry *peer_conds);
|
||||
network_rule(perms_t perms_p, unsigned int family, unsigned int type);
|
||||
virtual ~network_rule()
|
||||
{
|
||||
peer.free_conds();
|
||||
local.free_conds();
|
||||
if (allow) {
|
||||
free(allow);
|
||||
allow = NULL;
|
||||
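Review bot: `ip_conds::free_conds()` frees `sip` and `sport` but leaves the pointers dangling, so a second call, or any later `has_peer_conds()` check (which tests `peer.sip || peer.sport`), sees stale non-NULL values; `free(NULL)` is a no-op, so the guards can go as well: `free(sip); sip = NULL;` and `free(sport); sport = NULL;`. `port` and `ip` have no initializer while `sip`, `sport`, `is_ip` and `is_port` do; `uint16_t port = 0;` costs nothing and keeps the object fully defined if a caller reads `port` without checking `is_port`. `ip_conds` is also passed by value to `gen_ip_conds`, which copies the raw pointers; that is safe only because the class has no destructor, and a comment on the class noting that ownership stays with the enclosing `network_rule` (whose destructor calls `free_conds()`) would record that contract. The `network_rule` class body continues past the hunk.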
@@ -138,9 +178,12 @@ public:
|
||||
}
|
||||
};
|
||||
|
||||
void gen_ip_conds(std::ostringstream &oss, ip_conds entry, bool is_peer, bool is_cmd);
|
||||
bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask);
|
||||
void set_netperm(unsigned int family, unsigned int type);
|
||||
void update_compat_net(void);
|
||||
bool parse_address(ip_conds &entry);
|
||||
bool parse_port(ip_conds &entry);
|
||||
|
||||
virtual bool valid_prefix(const prefixes &p, const char *&error) {
|
||||
if (p.owner) {
|
||||
|
@@ -341,6 +341,7 @@ extern int kernel_load;
|
||||
extern int kernel_supports_setload;
|
||||
extern int features_supports_network;
|
||||
extern int features_supports_networkv8;
|
||||
extern int features_supports_inet;
|
||||
extern int kernel_supports_policydb;
|
||||
extern int kernel_supports_diff_encode;
|
||||
extern int features_supports_mount;
|
||||
|
@@ -69,6 +69,7 @@ int kernel_load = 1;
|
||||
int kernel_supports_setload = 0; /* kernel supports atomic set loads */
|
||||
int features_supports_network = 0; /* kernel supports network rules */
|
||||
int features_supports_networkv8 = 0; /* kernel supports 4.17 network rules */
|
||||
int features_supports_inet = 0; /* kernel supports inet network rules */
|
||||
int features_supports_unix = 0; /* kernel supports unix socket rules */
|
||||
int kernel_supports_policydb = 0; /* kernel supports new policydb */
|
||||
int features_supports_mount = 0; /* kernel supports mount rules */
|
||||
|
@@ -517,12 +517,6 @@ GT >
|
||||
}
|
||||
}
|
||||
|
||||
<NETWORK_MODE>{
|
||||
{IDS} {
|
||||
yylval.id = strdup(yytext);
|
||||
RETURN_TOKEN(TOK_ID);
|
||||
}
|
||||
}
|
||||
|
||||
<CHANGE_PROFILE_MODE>{
|
||||
safe { RETURN_TOKEN(TOK_SAFE); }
|
||||
@@ -558,7 +552,7 @@ GT >
|
||||
{LT_EQUAL} { RETURN_TOKEN(TOK_LE); }
|
||||
}
|
||||
|
||||
<UNIX_MODE>{
|
||||
<UNIX_MODE,NETWORK_MODE>{
|
||||
listen { RETURN_TOKEN(TOK_LISTEN); }
|
||||
accept { RETURN_TOKEN(TOK_ACCEPT); }
|
||||
connect { RETURN_TOKEN(TOK_CONNECT); }
|
||||
@@ -567,7 +561,7 @@ GT >
|
||||
shutdown { RETURN_TOKEN(TOK_SHUTDOWN); }
|
||||
}
|
||||
|
||||
<UNIX_MODE,USERNS_MODE,MQUEUE_MODE>{
|
||||
<UNIX_MODE,USERNS_MODE,MQUEUE_MODE,NETWORK_MODE>{
|
||||
create { RETURN_TOKEN(TOK_CREATE); }
|
||||
}
|
||||
|
||||
@@ -576,12 +570,12 @@ GT >
|
||||
delete { RETURN_TOKEN(TOK_DELETE); }
|
||||
}
|
||||
|
||||
<UNIX_MODE,MQUEUE_MODE>{
|
||||
<UNIX_MODE,MQUEUE_MODE,NETWORK_MODE>{
|
||||
getattr { RETURN_TOKEN(TOK_GETATTR); }
|
||||
setattr { RETURN_TOKEN(TOK_SETATTR); }
|
||||
}
|
||||
|
||||
<DBUS_MODE,UNIX_MODE>{
|
||||
<DBUS_MODE,UNIX_MODE,NETWORK_MODE>{
|
||||
bind { RETURN_TOKEN(TOK_BIND); }
|
||||
}
|
||||
|
||||
@@ -589,7 +583,7 @@ GT >
|
||||
eavesdrop { RETURN_TOKEN(TOK_EAVESDROP); }
|
||||
}
|
||||
|
||||
<DBUS_MODE,SIGNAL_MODE,UNIX_MODE>{
|
||||
<DBUS_MODE,SIGNAL_MODE,UNIX_MODE,NETWORK_MODE>{
|
||||
send { RETURN_TOKEN(TOK_SEND); }
|
||||
receive { RETURN_TOKEN(TOK_RECEIVE); }
|
||||
}
|
||||
@@ -600,7 +594,7 @@ GT >
|
||||
tracedby { RETURN_TOKEN(TOK_TRACEDBY); }
|
||||
}
|
||||
|
||||
<DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,MQUEUE_MODE>{
|
||||
<DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,MQUEUE_MODE,NETWORK_MODE>{
|
||||
read { RETURN_TOKEN(TOK_READ); }
|
||||
write { RETURN_TOKEN(TOK_WRITE); }
|
||||
{OPEN_PAREN} {
|
||||
@@ -621,7 +615,7 @@ GT >
|
||||
sqpoll { RETURN_TOKEN(TOK_SQPOLL); }
|
||||
}
|
||||
|
||||
<MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,MQUEUE_MODE,IOURING_MODE>{
|
||||
<MOUNT_MODE,DBUS_MODE,SIGNAL_MODE,PTRACE_MODE,UNIX_MODE,MQUEUE_MODE,IOURING_MODE,NETWORK_MODE>{
|
||||
({IDS_NOEQ}|{LABEL}|{QUOTED_ID}) {
|
||||
yylval.id = processid(yytext, yyleng);
|
||||
RETURN_TOKEN(TOK_ID);
|
||||
|
@@ -919,6 +919,9 @@ void set_supported_features()
|
||||
features_supports_networkv8 = features_intersect(kernel_features,
|
||||
policy_features,
|
||||
"network_v8");
|
||||
features_supports_inet = features_intersect(kernel_features,
|
||||
policy_features,
|
||||
"network/af_inet");
|
||||
features_supports_unix = features_intersect(kernel_features,
|
||||
policy_features,
|
||||
"network/af_unix");
|
||||
|
@@ -882,7 +882,7 @@ static std::string generate_regex_range(bignum start, bignum end)
|
||||
std::ostringstream result;
|
||||
std::vector<std::pair<bignum, bignum>> regex_range;
|
||||
int j;
|
||||
regex_range = regex_range_generator(start, end);
|
||||
regex_range = regex_range_generator(std::move(start), std::move(end));
|
||||
for (auto &i: regex_range) {
|
||||
bignum sstart = i.first;
|
||||
bignum send = i.second;
|
||||
@@ -942,7 +942,7 @@ int convert_range(std::string& buffer, bignum start, bignum end)
|
||||
pattern_t ptype;
|
||||
int pos;
|
||||
|
||||
std::string regex_range = generate_regex_range(start, end);
|
||||
std::string regex_range = generate_regex_range(std::move(start), std::move(end));
|
||||
|
||||
if (!regex_range.empty()) {
|
||||
ptype = convert_aaregex_to_pcre(regex_range.c_str(), 0, glob_default, buffer, &pos);
|
||||
|
@@ -1083,27 +1083,48 @@ link_rule: TOK_LINK opt_subset_flag id_or_var TOK_ARROW id_or_var TOK_END_OF_RUL
|
||||
$$ = entry;
|
||||
};
|
||||
|
||||
network_rule: TOK_NETWORK opt_conds TOK_END_OF_RULE
|
||||
network_rule: TOK_NETWORK opt_net_perm opt_conds opt_cond_list TOK_END_OF_RULE
|
||||
{
|
||||
network_rule *entry = new network_rule($2);
|
||||
network_rule *entry;
|
||||
|
||||
if ($4.name) {
|
||||
if (strcmp($4.name, "peer") != 0)
|
||||
yyerror(_("network rule: invalid conditional group %s=()"), $4.name);
|
||||
free($4.name);
|
||||
}
|
||||
entry = new network_rule($2, $3, $4.list);
|
||||
$$ = entry;
|
||||
}
|
||||
|
||||
network_rule: TOK_NETWORK TOK_ID opt_conds TOK_END_OF_RULE
|
||||
network_rule: TOK_NETWORK opt_net_perm TOK_ID opt_conds opt_cond_list TOK_END_OF_RULE
|
||||
{
|
||||
network_rule *entry = new network_rule($2, NULL, NULL, $3);
|
||||
free($2);
|
||||
$$ = entry;
|
||||
}
|
||||
network_rule *entry;
|
||||
|
||||
network_rule: TOK_NETWORK TOK_ID TOK_ID opt_conds TOK_END_OF_RULE
|
||||
{
|
||||
network_rule *entry = new network_rule($2, $3, NULL, $4);
|
||||
free($2);
|
||||
if ($5.name) {
|
||||
if (strcmp($5.name, "peer") != 0)
|
||||
yyerror(_("network rule: invalid conditional group %s=()"), $5.name);
|
||||
free($5.name);
|
||||
}
|
||||
entry = new network_rule($2, $3, NULL, NULL, $4, $5.list);
|
||||
free($3);
|
||||
$$ = entry;
|
||||
}
|
||||
|
||||
network_rule: TOK_NETWORK opt_net_perm TOK_ID TOK_ID opt_conds opt_cond_list TOK_END_OF_RULE
|
||||
{
|
||||
network_rule *entry;
|
||||
|
||||
if ($6.name) {
|
||||
if (strcmp($6.name, "peer") != 0)
|
||||
yyerror(_("network rule: invalid conditional group %s=()"), $6.name);
|
||||
free($6.name);
|
||||
}
|
||||
entry = new network_rule($2, $3, $4, NULL, $5, $6.list);
|
||||
free($3);
|
||||
free($4);
|
||||
$$ = entry;
|
||||
}
|
||||
|
||||
cond: TOK_CONDID
|
||||
{
|
||||
struct cond_entry *ent;
|
||||
|
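Review bot: The `if ($N.name) { if (strcmp($N.name, "peer") != 0) yyerror(...); free($N.name); }` block is copied into all three `network_rule` productions with only the `$` index changing; a static helper in the prologue that performs the compare and the free, say `check_peer_cond_group(...)` taking the semantic value of `opt_cond_list`, keeps the copies identical and leaves one place to extend when other groups are accepted. The value type of `opt_cond_list` is not visible in this hunk, so the parameter type has to be taken from the `%union`/`%type` declarations. In the second and third productions `$3`/`$4` are freed right after being passed to the constructor, which is correct only if `network_rule(perms_t, const char *family, ...)` copies the strings it receives; the part of that constructor body shown on this page does not include the copy, so it is worth confirming. The production list continues past the hunk.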
8
parser/tst/simple_tests/network/network_bad_10.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_10.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network ip - port conditional test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(ip=127.0.0.1 port=test),
|
||||
|
||||
}
|
8
parser/tst/simple_tests/network/network_bad_11.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_11.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network port range test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(ip=127.0.0.1 port=65536),
|
||||
|
||||
}
|
8
parser/tst/simple_tests/network/network_bad_12.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_12.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network ip - port conditional test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(ip=[invalid] port=80),
|
||||
|
||||
}
|
8
parser/tst/simple_tests/network/network_bad_13.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_13.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network ip - port conditional test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(ip=::1 port=-1),
|
||||
|
||||
}
|
8
parser/tst/simple_tests/network/network_bad_14.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_14.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network ip - port conditional test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(ip=::1 port=test),
|
||||
|
||||
}
|
8
parser/tst/simple_tests/network/network_bad_15.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_15.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network port range test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(ip=::1 port=65536),
|
||||
|
||||
}
|
8
parser/tst/simple_tests/network/network_bad_16.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_16.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network port range test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(port=65536),
|
||||
|
||||
}
|
8
parser/tst/simple_tests/network/network_bad_17.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_17.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network port range test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(port=-1),
|
||||
|
||||
}
|
8
parser/tst/simple_tests/network/network_bad_18.sd
Normal file
8
parser/tst/simple_tests/network/network_bad_18.sd
Normal file
@@ -0,0 +1,8 @@
|
||||
#
|
||||
#=DESCRIPTION invalid network port range test
|
||||
#=EXRESULT FAIL
|
||||
#
|
||||
/usr/bin/foo {
|
||||
network peer=(port=test),
|
||||
|
||||
}
|
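--- a/parser/tst/simple_tests/network/network_bad_19.sd
+++ b/parser/tst/simple_tests/network/network_bad_19.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=192.168.0.39-192.168.0.4),
+
+}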
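Review bot: The reversed-range rejection is exercised only for IPv4 here (`ip=192.168.0.39-192.168.0.4`, repeated in network_bad_51/52) and for ports in network_bad_25; I do not see a reversed IPv6 range in this view, so an ordering bug specific to the 128-bit comparison would pass unnoticed. A companion fixture with `network peer=(ip=::2-::1),` (a constructed example) under `#=EXRESULT FAIL` would cover that path, and since both endpoints are well-formed addresses the file would be rejected for exactly one reason, which is what makes these FAIL fixtures meaningful. The mixed-family cases (network_bad_21/22) are already covered and need no change.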
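--- a/parser/tst/simple_tests/network/network_bad_20.sd
+++ b/parser/tst/simple_tests/network/network_bad_20.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=192.168.0.39-invalid),
+
+}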
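--- a/parser/tst/simple_tests/network/network_bad_21.sd
+++ b/parser/tst/simple_tests/network/network_bad_21.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=192.168.0.39-::58c2),
+
+}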
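--- a/parser/tst/simple_tests/network/network_bad_22.sd
+++ b/parser/tst/simple_tests/network/network_bad_22.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f-192.168.0.39),
+
+}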
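--- a/parser/tst/simple_tests/network/network_bad_23.sd
+++ b/parser/tst/simple_tests/network/network_bad_23.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=80-192.168.0.39),
+
+}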
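--- a/parser/tst/simple_tests/network/network_bad_24.sd
+++ b/parser/tst/simple_tests/network/network_bad_24.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(port=80-65536),
+
+}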
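--- a/parser/tst/simple_tests/network/network_bad_25.sd
+++ b/parser/tst/simple_tests/network/network_bad_25.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(port=443-80),
+
+}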
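--- a/parser/tst/simple_tests/network/network_bad_26.sd
+++ b/parser/tst/simple_tests/network/network_bad_26.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=invalid/80),
+
+}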
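--- a/parser/tst/simple_tests/network/network_bad_27.sd
+++ b/parser/tst/simple_tests/network/network_bad_27.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=192.168.0.1/-1),
+
+}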
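--- a/parser/tst/simple_tests/network/network_bad_28.sd
+++ b/parser/tst/simple_tests/network/network_bad_28.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=192.168.0.1/invalid),
+
+}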
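--- a/parser/tst/simple_tests/network/network_bad_29.sd
+++ b/parser/tst/simple_tests/network/network_bad_29.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=192.168.0.1/33),
+
+}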
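--- a/parser/tst/simple_tests/network/network_bad_30.sd
+++ b/parser/tst/simple_tests/network/network_bad_30.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/-1),
+
+}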
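--- a/parser/tst/simple_tests/network/network_bad_31.sd
+++ b/parser/tst/simple_tests/network/network_bad_31.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/invalid),
+
+}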
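--- a/parser/tst/simple_tests/network/network_bad_32.sd
+++ b/parser/tst/simple_tests/network/network_bad_32.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/129),
+
+}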
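--- a/parser/tst/simple_tests/network/network_bad_33.sd
+++ b/parser/tst/simple_tests/network/network_bad_33.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=127.0.0.1 port=test,
+
+}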
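--- a/parser/tst/simple_tests/network/network_bad_34.sd
+++ b/parser/tst/simple_tests/network/network_bad_34.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=127.0.0.1 port=test peer=(ip=127.0.0.1 port=test),
+
+}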
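--- a/parser/tst/simple_tests/network/network_bad_35.sd
+++ b/parser/tst/simple_tests/network/network_bad_35.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=127.0.0.1 port=65536,
+
+}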
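--- a/parser/tst/simple_tests/network/network_bad_36.sd
+++ b/parser/tst/simple_tests/network/network_bad_36.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=127.0.0.1 port=65536 peer=(ip=127.0.0.1 port=65536),
+
+}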
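--- a/parser/tst/simple_tests/network/network_bad_37.sd
+++ b/parser/tst/simple_tests/network/network_bad_37.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=[invalid] port=80,
+
+}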
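--- a/parser/tst/simple_tests/network/network_bad_38.sd
+++ b/parser/tst/simple_tests/network/network_bad_38.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=[invalid] port=80 peer=(ip=[invalid] port=80),
+
+}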
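--- a/parser/tst/simple_tests/network/network_bad_39.sd
+++ b/parser/tst/simple_tests/network/network_bad_39.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=::1 port=-1,
+
+}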
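--- a/parser/tst/simple_tests/network/network_bad_40.sd
+++ b/parser/tst/simple_tests/network/network_bad_40.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=::1 port=-1 peer=(ip=::1 port=-1),
+
+}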
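--- a/parser/tst/simple_tests/network/network_bad_41.sd
+++ b/parser/tst/simple_tests/network/network_bad_41.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=::1 port=test,
+
+}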
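--- a/parser/tst/simple_tests/network/network_bad_42.sd
+++ b/parser/tst/simple_tests/network/network_bad_42.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip - port conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=::1 port=test peer=(ip=::1 port=test),
+
+}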
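--- a/parser/tst/simple_tests/network/network_bad_43.sd
+++ b/parser/tst/simple_tests/network/network_bad_43.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=::1 port=65536,
+
+}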
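--- a/parser/tst/simple_tests/network/network_bad_44.sd
+++ b/parser/tst/simple_tests/network/network_bad_44.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=::1 port=65536 peer=(ip=::1 port=65536),
+
+}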
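--- a/parser/tst/simple_tests/network/network_bad_45.sd
+++ b/parser/tst/simple_tests/network/network_bad_45.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=65536,
+
+}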
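--- a/parser/tst/simple_tests/network/network_bad_46.sd
+++ b/parser/tst/simple_tests/network/network_bad_46.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=65536 peer=(port=65536),
+
+}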
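--- a/parser/tst/simple_tests/network/network_bad_47.sd
+++ b/parser/tst/simple_tests/network/network_bad_47.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=-1,
+
+}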
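--- a/parser/tst/simple_tests/network/network_bad_48.sd
+++ b/parser/tst/simple_tests/network/network_bad_48.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=-1 peer=(port=-1),
+
+}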
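--- a/parser/tst/simple_tests/network/network_bad_49.sd
+++ b/parser/tst/simple_tests/network/network_bad_49.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=test,
+
+}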
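--- a/parser/tst/simple_tests/network/network_bad_5.sd
+++ b/parser/tst/simple_tests/network/network_bad_5.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=10,
+
+}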
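--- a/parser/tst/simple_tests/network/network_bad_50.sd
+++ b/parser/tst/simple_tests/network/network_bad_50.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network port range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=test peer=(port=test),
+
+}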
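--- a/parser/tst/simple_tests/network/network_bad_51.sd
+++ b/parser/tst/simple_tests/network/network_bad_51.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.39-192.168.0.4,
+
+}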
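--- a/parser/tst/simple_tests/network/network_bad_52.sd
+++ b/parser/tst/simple_tests/network/network_bad_52.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.39-192.168.0.4 peer=(ip=192.168.0.39-192.168.0.4),
+
+}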
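--- a/parser/tst/simple_tests/network/network_bad_53.sd
+++ b/parser/tst/simple_tests/network/network_bad_53.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.39-invalid,
+
+}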
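--- a/parser/tst/simple_tests/network/network_bad_54.sd
+++ b/parser/tst/simple_tests/network/network_bad_54.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.39-invalid peer=(ip=192.168.0.39-invalid),
+
+}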
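--- a/parser/tst/simple_tests/network/network_bad_55.sd
+++ b/parser/tst/simple_tests/network/network_bad_55.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.39-::58c2,
+
+}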
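--- a/parser/tst/simple_tests/network/network_bad_56.sd
+++ b/parser/tst/simple_tests/network/network_bad_56.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.39-::58c2 peer=(ip=192.168.0.39-::58c2),
+
+}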
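--- a/parser/tst/simple_tests/network/network_bad_57.sd
+++ b/parser/tst/simple_tests/network/network_bad_57.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=2001:1884:d02e:2759:d30:f166:71c9:288f-192.168.0.39,
+
+}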
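--- a/parser/tst/simple_tests/network/network_bad_58.sd
+++ b/parser/tst/simple_tests/network/network_bad_58.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=2001:1884:d02e:2759:d30:f166:71c9:288f-192.168.0.39 peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f-192.168.0.39),
+
+}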
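--- a/parser/tst/simple_tests/network/network_bad_59.sd
+++ b/parser/tst/simple_tests/network/network_bad_59.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=80-192.168.0.39,
+
+}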
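--- a/parser/tst/simple_tests/network/network_bad_6.sd
+++ b/parser/tst/simple_tests/network/network_bad_6.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=10.2,
+
+}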
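--- a/parser/tst/simple_tests/network/network_bad_60.sd
+++ b/parser/tst/simple_tests/network/network_bad_60.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=80-192.168.0.39 peer=(ip=80-192.168.0.39),
+
+}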
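--- a/parser/tst/simple_tests/network/network_bad_61.sd
+++ b/parser/tst/simple_tests/network/network_bad_61.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=80-65536,
+
+}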
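--- a/parser/tst/simple_tests/network/network_bad_62.sd
+++ b/parser/tst/simple_tests/network/network_bad_62.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=80-65536 peer=(port=80-65536),
+
+}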
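--- a/parser/tst/simple_tests/network/network_bad_63.sd
+++ b/parser/tst/simple_tests/network/network_bad_63.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=443-80,
+
+}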
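--- a/parser/tst/simple_tests/network/network_bad_64.sd
+++ b/parser/tst/simple_tests/network/network_bad_64.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network range test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network port=443-80 peer=(port=443-80),
+
+}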
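--- a/parser/tst/simple_tests/network/network_bad_65.sd
+++ b/parser/tst/simple_tests/network/network_bad_65.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=invalid/80,
+
+}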
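--- a/parser/tst/simple_tests/network/network_bad_66.sd
+++ b/parser/tst/simple_tests/network/network_bad_66.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=invalid/80 peer=(ip=invalid/80),
+
+}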
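--- a/parser/tst/simple_tests/network/network_bad_67.sd
+++ b/parser/tst/simple_tests/network/network_bad_67.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.1/-1,
+
+}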
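--- a/parser/tst/simple_tests/network/network_bad_68.sd
+++ b/parser/tst/simple_tests/network/network_bad_68.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.1/-1 peer=(ip=192.168.0.1/-1),
+
+}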
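--- a/parser/tst/simple_tests/network/network_bad_69.sd
+++ b/parser/tst/simple_tests/network/network_bad_69.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.1/invalid,
+
+}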
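--- a/parser/tst/simple_tests/network/network_bad_7.sd
+++ b/parser/tst/simple_tests/network/network_bad_7.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=test,
+
+}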
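--- a/parser/tst/simple_tests/network/network_bad_70.sd
+++ b/parser/tst/simple_tests/network/network_bad_70.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.1/invalid peer=(ip=192.168.0.1/invalid),
+
+}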
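--- a/parser/tst/simple_tests/network/network_bad_71.sd
+++ b/parser/tst/simple_tests/network/network_bad_71.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.1/33,
+
+}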
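--- a/parser/tst/simple_tests/network/network_bad_72.sd
+++ b/parser/tst/simple_tests/network/network_bad_72.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=192.168.0.1/33 peer=(ip=192.168.0.1/33),
+
+}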
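--- a/parser/tst/simple_tests/network/network_bad_73.sd
+++ b/parser/tst/simple_tests/network/network_bad_73.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=2001:1884:d02e:2759:d30:f166:71c9:288f/-1,
+
+}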
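--- a/parser/tst/simple_tests/network/network_bad_74.sd
+++ b/parser/tst/simple_tests/network/network_bad_74.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=2001:1884:d02e:2759:d30:f166:71c9:288f/-1 peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/-1),
+
+}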
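--- a/parser/tst/simple_tests/network/network_bad_75.sd
+++ b/parser/tst/simple_tests/network/network_bad_75.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=2001:1884:d02e:2759:d30:f166:71c9:288f/invalid,
+
+}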
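--- a/parser/tst/simple_tests/network/network_bad_76.sd
+++ b/parser/tst/simple_tests/network/network_bad_76.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=2001:1884:d02e:2759:d30:f166:71c9:288f/invalid peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/invalid),
+
+}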
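--- a/parser/tst/simple_tests/network/network_bad_77.sd
+++ b/parser/tst/simple_tests/network/network_bad_77.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=2001:1884:d02e:2759:d30:f166:71c9:288f/129,
+
+}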
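--- a/parser/tst/simple_tests/network/network_bad_78.sd
+++ b/parser/tst/simple_tests/network/network_bad_78.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network subnet test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=2001:1884:d02e:2759:d30:f166:71c9:288f/129 peer=(ip=2001:1884:d02e:2759:d30:f166:71c9:288f/129),
+
+}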
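--- a/parser/tst/simple_tests/network/network_bad_79.sd
+++ b/parser/tst/simple_tests/network/network_bad_79.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network ip=-1,
+
+}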
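--- a/parser/tst/simple_tests/network/network_bad_8.sd
+++ b/parser/tst/simple_tests/network/network_bad_8.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION invalid network ip conditional test
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+network peer=(ip=-1),
+
+}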