Add basic "understand and keep" support for abi rules, where "understand" means to not error out when seeing an abi rule, and "keep" simply means to keep the original abi rule when serializing a profile. On the long term, abi rules should be parsed (similar to include rules), but for now, this patch is the smallest possible changeset and easy to backport. Note that the only added test is via cleanprof_test.* which is used by minitools_test.py - and does _not_ run if you do a 'make check'. Oh, and of course the simple_tests/abi/ files also get parsed by test-parser-simple-tests.py. BTW: Even serialize_profile_from_old_profile() can handle abi rules :-) This is a backport of 072d3e04514b70bb3b29d4bfe400caa44dd574a2 / !202 to 2.13 (with some adjustments because that commit didn't apply cleanly)
# Preamble of an AppArmor profile file used as test data. The commit message
# on this page names cleanprof_test.* as the fixture that covers abi rules.
# NOTE(review): presumably this is one of those files - confirm before editing,
# because a fixture is compared textually and spacing matters.

# File-level abi rule in angle-bracket form. Per the commit message the tools
# only "understand and keep" it: they do not parse it, they re-emit it as
# written when serializing the profile. The space before the comma is part of
# the original rule text.
abi <abi/4.19> ,

# Alias rule mapping the path /foo to /bar.
alias /foo -> /bar,

# The next line is an include directive, not a comment, despite the leading
# '#'. It pulls in tunables/global.
#include <tunables/global>

# A simple test comment which will persist
# First test profile: one rule of each of several rule types, plus a hat.
# Several rules are written in their broadest form (bare 'capability', bare
# 'change_profile', unqualified 'network stream'). That suits test data; it is
# not a template for confining a real binary.
/usr/bin/a/simple/cleanprof/test/profile {
  # Profile-level abi rule in quoted form (the file-level one uses <...>).
  # Kept as written, like the file-level rule.
  abi "abi/4.20" ,

  # Include directive (not a comment): pulls in abstractions/base.
  #include <abstractions/base>

  # Caps the open-file rlimit the confined task may set at 256.
  set rlimit nofile <= 256,

  # A bare capability rule names no capability, so it covers all of them.
  # The 'audit' qualifier makes their use get logged.
  audit capability,

  # Stream sockets, with no restriction on address family.
  network stream,

  # Permits sending on the session bus; no peer, path or interface is named.
  dbus send bus=session,

  # Signal rule restricted to the listed signals only; it names no access
  # direction and no peer.
  signal set=(abrt alrm bus chld fpe hup ill int kill pipe quit segv stkflt term trap usr1 usr2),

  # Receive-only access on unix datagram sockets.
  unix (receive) type=dgram,

  # Link rule with the 'subset' keyword: /alpha/beta may be a link to targets
  # under /tmp/**.
  link subset /alpha/beta -> /tmp/**,

  # Explicit 'allow' file rules: read for everything under any home directory,
  # write under /home/foo/.
  allow /home/*/** r,
  allow /home/foo/** w,

  # Bare change_profile names no target profile, so no target is excluded.
  change_profile,


  # Hat 'foo': a sub-profile declared with the '^' prefix.
  ^foo {
    # dac_override lets the task bypass discretionary file permission checks.
    capability dac_override,

    # Read-only access to /etc/fstab.
    /etc/fstab r,

  }
}
# Second test profile: two file rules only.
/usr/bin/other/cleanprof/test/profile {
  # Read/write for everything under any home directory.
  allow /home/*/** rw,
  # NOTE(review): /home/foo/bar with 'r' looks already covered by the rule
  # above; presumably kept on purpose for the cleanup test - confirm.
  allow /home/foo/bar r,

}