=== added file '.bzrignore' --- a/.bzrignore 1970-01-01 00:00:00 +0000 +++ b/.bzrignore 2011-01-10 18:12:33 +0000 @@ -0,0 +1,1 @@ +parser/tst/simple_tests/generated_x/*.sd === modified file 'libraries/libapparmor/testsuite/Makefile.am' --- a/libraries/libapparmor/testsuite/Makefile.am 2008-05-19 22:48:31 +0000 +++ b/libraries/libapparmor/testsuite/Makefile.am 2011-01-10 18:12:33 +0000 @@ -12,7 +12,7 @@ test_multi_multi_SOURCES = test_multi.c test_multi_multi_CFLAGS = $(CFLAGS) -Wall test_multi_multi_LDFLAGS = $(LDFLAGS) -test_multi_multi_LDADD = ../src/.libs/libapparmor.a +test_multi_multi_LDADD = -L../src/.libs -lapparmor clean-local: rm -f tmp.err.* tmp.out.* site.exp site.bak === modified file 'parser/Makefile' --- a/parser/Makefile 2009-11-11 18:58:57 +0000 +++ b/parser/Makefile 2011-01-10 18:12:33 +0000 @@ -45,11 +45,14 @@ echo "$${warning}"; \ fi ; \ done) -CFLAGS = -O2 -pipe +ifndef CFLAGS +CFLAGS = -g -O2 -pipe ifdef DEBUG CFLAGS = -g endif +endif #CFLAGS + EXTRA_CFLAGS = ${CFLAGS} ${WARNINGS} -D_GNU_SOURCE #LEXLIB := -lfl @@ -125,9 +128,20 @@ techdoc.txt: techdoc/index.html w3m -dump $< > $@ -all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf +# targets arranged this way so that people who don't want full docs can +# pick specific targets they want. +main: $(TOOLS) $(Q)make -C po all - $(Q)make -s tests + +manpages: $(MANPAGES) + +htmlmanpages: $(HTMLMANPAGES) + +pdf: techdoc.pdf + +docs: manpages htmlmanpages pdf + +all: main docs tests apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS) rm -f ./libstdc++.a 
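Review bot: Linking the testsuite with `-L../src/.libs -lapparmor` instead of the static archive picks up the shared `libapparmor.so` from `.libs` when both exist, so a `test_multi` run outside a libtool wrapper either needs that directory on the loader path or silently resolves to an installed copy rather than the freshly built one. Under automake the conventional form is `test_multi_multi_LDADD = ../src/libapparmor.la`, which lets libtool generate the wrapper and the uninstalled-library rpath. The `tests` target that runs the binary is not in this hunk, so how it is invoked is inferred.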
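Review bot: `ifndef CFLAGS` tests whether the variable is defined at all, not whether it has a value, so an empty `CFLAGS` exported from the environment (or `make CFLAGS=`) skips both the default and the `DEBUG` branch and the parser is built with no optimisation or debug flags. Nesting `ifdef DEBUG` inside the guard also means `DEBUG=1` is silently ignored whenever the caller supplies CFLAGS. Consider `ifeq ($(strip $(CFLAGS)),)` for the guard and keeping the DEBUG knob outside it, e.g. `ifdef DEBUG` / `CFLAGS += -g`, so it keeps working with caller-supplied flags.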
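Review bot: The new `main`, `manpages`, `htmlmanpages`, `pdf` and `docs` targets build no file of that name but are not declared `.PHONY`, so a stray `docs` or `pdf` file in the parser directory turns the target into a silent no-op; add `.PHONY: all main manpages htmlmanpages pdf docs`. The retained recipe also invokes the sub-build as `$(Q)make -C po all` rather than `$(MAKE)`, which drops the jobserver and command-line variables in recursive builds. With `all: main docs tests` under parallel make nothing orders `tests` after `main` unless the tests target itself depends on the parser, which is outside this hunk.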
@@ -191,7 +205,7 @@ af_names.h: /usr/include/bits/socket.h LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@ LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@ - cat $@ + # cat $@ cap_names.h: /usr/include/linux/capability.h LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@ @@ -224,7 +238,7 @@ .SILENT: $(AAREOBJECTS) .PHONY: $(AAREOBJECTS) $(AAREOBJECTS): - make -C $(AAREDIR) + make -C $(AAREDIR) CFLAGS="$(CFLAGS)" .SILENT: $(PCREOBJECTS) .PHONY: $(PCREOBJECTS) === modified file 'parser/immunix.h' --- a/parser/immunix.h 2009-08-20 15:41:10 +0000 +++ b/parser/immunix.h 2011-01-10 18:12:33 +0000 @@ -148,12 +148,12 @@ #include static inline int is_merged_x_consistent(int a, int b) { - if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) && + if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) && ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE))) { fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b); return 0; } - if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) && + if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) && ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE))) { fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b); return 0; === modified file 'parser/libapparmor_re/regexp.y' --- a/parser/libapparmor_re/regexp.y 2010-07-24 14:16:14 +0000 +++ b/parser/libapparmor_re/regexp.y 2011-01-10 18:12:33 +0000 
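Review bot: Passing `CFLAGS="$(CFLAGS)"` on the sub-make command line makes it a command-line variable in `$(AAREDIR)`'s Makefile, which overrides any `CFLAGS =` or `CFLAGS +=` that Makefile sets for itself (only `override` can change it), so the regex library can no longer add its own flags; `export CFLAGS` or passing `EXTRA_CFLAGS` would be less intrusive. The recipe still uses bare `make` instead of `$(MAKE)`, so the parent's jobserver and flags are not propagated. The `$(PCREOBJECTS)` rule that follows is outside this hunk, so I cannot tell whether it receives the same CFLAGS.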
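Review bot: The merged-exec consistency check now only compares transition types when both rules actually carry the exec bit (`AA_USER_EXEC` / `AA_OTHER_EXEC`), but nothing in the header records why the old `AA_USER_EXEC_TYPE` test was wrong, and this function decides whether two exec rules with different x-transition types are rejected at policy compile time. A comment above `is_merged_x_consistent` would help: `/* Two rules that both grant exec must agree on the x-transition type (ix/px/cx/ux); type bits on a rule without the x bit are ignored. */`. The `fprintf(stderr, ...)` diagnostic reports only the raw permission words, so a policy author cannot tell which rules conflicted; the caller, which would know the paths, is not in this hunk.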
@@ -720,17 +720,19 @@
 Node *i = t->child[!dir];
 for (;dynamic_cast(i); p = i, i = i->child[!dir]) {
 if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
 t->child[!dir]->dup();
- t->release();
 t = t->child[!dir];
+ old->release();
 continue;
 }
 }
 // last altnode of chain check other dir as well
 if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
 t->child[!dir]->dup();
- t->release();
 t = t->child[!dir];
+ old->release();
 continue;
 }
@@ -2581,9 +2583,9 @@
 #define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
 MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
 DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
 extern "C" void aare_reset_matchflags(void)
 {
@@ -2644,8 +2646,8 @@
 flip_tree(tree);
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
 //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 // fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
=== modified file 'parser/tst/Makefile'
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
+++ b/parser/tst/Makefile 2011-01-10 18:12:33 +0000
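Review bot: The reordering fixes what looks like a use-after-free — `t->release()` used to run before `t = t->child[!dir]` read from the node just released — and that is subtle enough to deserve a comment on the `Node *old = t;` line in both places, e.g. `/* keep t alive until its child has been dup'd and re-parented; release() presumably frees it */`. Without it the next refactor can easily fold the two statements back together. The enclosing loop and function start before this hunk, so I cannot confirm what the `continue` inside the inner `for` is meant to continue.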
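Review bot: `EXTRACT_X_INDEX` now yields up to 128 distinct values (`& 0x7f`) while `EXEC_MATCH_FLAGS_SIZE` is `AA_EXEC_COUNT * 8`; the two are written independently, and if `AA_EXEC_COUNT` is below 16 an index from a rule with the high bits set reads or writes past `exec_match_flags[..][EXEC_MATCH_FLAGS_SIZE]`. I cannot see `AA_EXEC_COUNT` or the use site from here, so pin the relationship next to the macro with a compile-time check, e.g. `typedef char x_index_fits[(0x7f < EXEC_MATCH_FLAGS_SIZE) ? 1 : -1];` (this is pre-C++11 code), or a bounds check where the index is used. The macro comment should also spell out the bit window `shift + 7` assumes (4 mod bits, unsafe, ix, pux) so the two constants are changed together next time.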
@@ -11,8 +11,11 @@
 all: tests
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity caching
+
+gen_xtrans:
+ perl ./gen-xtrans.pl
 error_output: $(PARSER)
 $(PARSER) -S -I errors >/dev/null errors/okay.sd
@@ -34,3 +37,6 @@
 $(PARSER):
 make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+ rm -f simple_tests/generated_x/*
=== added file 'parser/tst/gen-xtrans.pl'
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
+++ b/parser/tst/gen-xtrans.pl 2011-01-10 18:12:33 +0000
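Review bot: `gen_xtrans` is listed before `parser_sanity` in `tests:` but is not a prerequisite of it, so under `make -j` the simple_tests run can start before `gen-xtrans.pl` has written the generated `.sd` files; add `parser_sanity: gen_xtrans`. The new `clean` rule removes `simple_tests/generated_x/*`, which also deletes the `readme` this same commit adds to that directory; `rm -f simple_tests/generated_x/*.sd` matches the `.bzrignore` pattern and leaves it alone. `gen_xtrans` does not create the output directory either, so it presumably relies on that checked-in readme keeping the directory in the tree.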
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+ "p" => \@modifiers,
+ "P" => \@modifiers,
+ "c" => \@modifiers,
+ "C" => \@modifiers,
+ );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+ "p" => \@targets,
+ "P" => \@targets,
+ "c" => \@targets,
+ "C" => \@targets,
+ "u" => \@null_target,
+ "i" => \@null_target,
+ );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+ my @output;
+ foreach my $trans (@trans_types) {
+ if ($trans_modifiers{$trans}) {
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
+ push @output, "${trans}${mod}x";
+ }
+ }
+ push @output, "${trans}x";
+ }
+ return @output;
+}
+
+sub print_rule($$$$) {
+ my ($file, $name, $perm, $target) = @_;
+ print $file "\t${name} ${perm}";
+ if ($target ne "") {
+ print $file " -> $target";
+ }
+ print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+ my $file;
+ unless (open $file, ">$name") {
+ print("couldn't open $name\n");
+ exit 1;
+ }
+
+ print $file "#\n";
+ print $file "#=DESCRIPTION ${name}\n";
+ print $file "#=EXRESULT ${xres}\n";
+ print $file "#\n";
+ print $file "/usr/bin/foo {\n";
+ print_rule($file, $rule1, $perm1, $target1);
+ print_rule($file, $rule2, $perm2, $target2);
+ print $file "}";
+ close($file);
+
+ $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+# /* px -> /foo//bar,
+# /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+ my ($name, $rule1, $rule2, $default) = @_;
+
+ my @perms = gen_list();
+
+# print "@perms\n";
+
+ foreach my $i (@perms) {
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+ foreach my $q (@qualifiers) {
+ foreach my $j (@perms) {
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+ foreach my $r (@qualifiers) {
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+# print "$file\n";
+
+ #override failures when transitions are the same
+ my $xres = ${default};
+ if ($i eq $j && $t eq $u) {
+ $xres = "PASS";
+ }
+
+
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+ }
+ }
+ }
+ }
+ }
+ }
+
+}
+
+sub gen_conflicting_x {
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
=== added directory 'parser/tst/simple_tests/generated_x'
=== added file 'parser/tst/simple_tests/generated_x/readme'
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-10 18:12:33 +0000
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers'
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers 2011-01-10 18:12:33 +0000
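Review bot: `open $file, ">$name"` in `gen_file` is the two-argument form, with the mode taken from the string, and the failure path prints no reason; use the three-argument form and include `$!`: `open my $file, '>', $name or die "couldn't open $name: $!";`. The `($$$$)` / `($$$$$$$$)` prototypes on `print_rule`, `gen_file` and `gen_files` do not validate arguments — they only alter parsing — and should be dropped, and `use warnings` is missing while `Locale::gettext` is loaded but nothing in the file calls it. Because these files are what the parser sanity tests consume, a short write silently becomes a missing test case rather than a failure, so `close($file) or die "write $name: $!"` is worth having too.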
@@ -18,7 +18,7 @@
 /usr/bin/prism PUx,
 /usr/bin/rekonq PUx,
 /usr/bin/seamonkey PUx,
- /usr/bin/sensible-browser PUxr,
+ /usr/bin/sensible-browser Pixr,
 /usr/bin/chromium-browser PUx,
 /usr/lib/chromium-browser/chromium-browser PUx,
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-email'
--- a/profiles/apparmor.d/abstractions/ubuntu-email 2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-email 2011-01-10 18:12:33 +0000
@@ -15,5 +15,5 @@
 /usr/bin/tkrat PUx,
 /usr/lib/thunderbird/thunderbird PUx,
- /usr/lib/thunderbird-3*/thunderbird PUx,
+ /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx,
=== modified file 'tests/regression/subdomain/changehat_misc.sh'
--- a/tests/regression/subdomain/changehat_misc.sh 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/changehat_misc.sh 2011-01-10 18:12:33 +0000
@@ -64,7 +64,7 @@
 echo "*** A 'Killed' message from bash is expected for the following test"
 runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
-# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
+# 1. ATTEMPT TO CHANGEHAT TO AN INVALID PROFILE, SHOULD PUT US INTO A NULL
 # PROFILE
 # 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
 settest changehat_fail
=== modified file 'tests/regression/subdomain/deleted.c'
--- a/tests/regression/subdomain/deleted.c 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/deleted.c 2011-01-10 18:12:33 +0000
@@ -90,7 +90,7 @@
 }
 /* test that we can create the file. Not necessarily a (deleted)
- * case but lets use flush out other combinations
+ * case but lets us flush out other combinations.
 */
 fd2=creat(argv[2], S_IRUSR | S_IWUSR);
 if (fd2 == -1){
=== modified file 'tests/regression/subdomain/deleted.sh'
--- a/tests/regression/subdomain/deleted.sh 2007-12-23 01:00:19 +0000
+++ b/tests/regression/subdomain/deleted.sh 2011-01-10 18:12:33 +0000
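Review bot: Moving `sensible-browser` from `PUx` to `Pix` tightens the abstraction — the fallback when no profile exists is now to inherit the caller's confinement instead of running unconfined, so the wrapper can no longer be used as an escape hatch — but it is now the only entry in this list that differs and nothing says why, which invites a future "consistency" revert. Add a comment above the rule: `# sensible-browser is a wrapper script; inherit rather than fall back to unconfined`. Under inherit, which real browser the wrapper may then exec is governed by the caller's own exec rules (the `PUx` entries here), which is presumably the intent.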
@@ -1,7 +1,7 @@ #! /bin/bash -# $Id$ - +# # Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2010 Canonical, Ltd # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as @@ -10,7 +10,7 @@ #=NAME deleted #=DESCRIPTION -# Test subdomain is properly working around a kernel in which the kernel +# Test AppArmor is properly working around a kernel in which the kernel # appends (deleted) to deleted files verifies that the d_path appending # (deleted) fix is working #=END @@ -24,6 +24,7 @@ file=$tmpdir/file file2="$tmpdir/file (deleted)" +file3="$tmpdir/unavailable" okperm=rwl subtest=sub @@ -40,8 +41,8 @@ # NO CHANGEHAT TEST - doesn't force revalidation genprofile $file:$okperm - runchecktest "NO CHANGEHAT (access file)" pass nochange $file +runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3 genprofile "$file2":$okperm runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2" @@ -49,6 +50,7 @@ # CHANGEHAT TEST - force revalidation using changehat genprofile $file:$okperm hat:$subtest $file:$okperm runchecktest "CHANGEHAT (access file)" pass $subtest $file +runchecktest "CHANGEHAT (cannot access unavailable)" fail $subtest $file3 genprofile "$file2":$okperm hat:$subtest "$file2":$okperm runchecktest "CHANGEHAT (access file (deleted))" pass $subtest "$file2" @@ -115,7 +117,7 @@ # FAIL - confined client, w access to the file genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw -runchecktest "fd passing; confined client w/ w only" pass $file $socket $fd_client "delete_file" +runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client "delete_file" sleep 1 rm -f ${socket} === modified file 'tests/regression/subdomain/mkprofile.pl' --- a/tests/regression/subdomain/mkprofile.pl 2009-11-11 18:44:26 +0000 +++ b/tests/regression/subdomain/mkprofile.pl 2011-01-10 18:12:33 +0000 
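Review bot: The new negative check `runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3` never creates `$file3`, so the open fails with ENOENT regardless of confinement and the test would still report `fail` if profile enforcement were broken; a `touch $file3` alongside the other fixtures (and the same for the `CHANGEHAT` variant in the following hunk) makes the result actually depend on the profile. `runchecktest` and the fixture setup are outside this hunk, so this is inferred from what is visible. `$file3` is also expanded unquoted where the neighbouring `"$file2"` is quoted; harmless for this path, but `"$file3"` keeps them consistent.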
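Review bot: The expected result of the fd-passing case with the client limited to `$badperm` flips from `pass` to `fail` with nothing on the line recording why the old expectation was wrong, even though the heading `# FAIL - confined client, w access to the file` already asked for a failure. A one-line note keeps the intent reviewable, e.g. `# client holds only $badperm on $file, so the fd it is handed must not grant more`. The `runchecktest` helper and the definitions of `$badperm` are outside this hunk.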
@@ -5,7 +5,7 @@ # # Gawd, I hate writing perl. It shows, too. # -my $__VERSION__='$Id$'; +my $__VERSION__=$0; use strict; use Getopt::Long; === modified file 'tests/regression/subdomain/prologue.inc' --- a/tests/regression/subdomain/prologue.inc 2010-08-26 18:24:41 +0000 +++ b/tests/regression/subdomain/prologue.inc 2011-01-10 18:12:33 +0000 @@ -93,8 +93,10 @@ while [ -h ${link} ] do - if [ -x /usr/bin/readlink ] ; then - target=$(/usr/bin/readlink ${link}) + if [ -x /usr/bin/readlink ] ; then + target=$(/usr/bin/readlink -f ${link}) + elif [ -x /bin/readlink ] ; then + target=$(/bin/readlink -f ${link}) else # I'm sure there's a more perlish way to do this target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));") === modified file 'tests/regression/subdomain/pwrite.sh' --- a/tests/regression/subdomain/pwrite.sh 2007-12-23 00:58:47 +0000 +++ b/tests/regression/subdomain/pwrite.sh 2011-01-10 18:12:33 +0000 @@ -27,7 +27,7 @@ genprofile $file:$okperm -runtestbg "PWRITE with w" pass $file +runtestbg "PREAD/PWRITE with rw" pass $file sleep 2 === modified file 'tests/regression/subdomain/swap.sh' --- a/tests/regression/subdomain/swap.sh 2006-05-19 17:32:14 +0000 +++ b/tests/regression/subdomain/swap.sh 2011-01-10 18:12:33 +0000 @@ -32,7 +32,7 @@ swap_file=$tmpdir/swapfile dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null -/sbin/mkswap ${swap_file} > /dev/null +/sbin/mkswap -f ${swap_file} > /dev/null # TEST 1. Make sure can enable and disable swap unconfined === modified file 'tests/regression/subdomain/syscall.sh' --- a/tests/regression/subdomain/syscall.sh 2007-12-23 01:02:50 +0000 +++ b/tests/regression/subdomain/syscall.sh 2011-01-10 18:12:33 +0000 @@ -1,7 +1,7 @@ #! /bin/bash -# $Id$ - +# # Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2010 Canonical, Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as 
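Review bot: `readlink -f` returns the fully canonicalised path, so one iteration now resolves the whole chain, but the `perl readlink` fallback in the `else` branch still resolves a single level, so the loop behaves differently depending on which binary is present; `perl -e 'use Cwd qw(realpath); print realpath(shift), "\n"' "${link}"` would match. `${link}` is unquoted in all three branches — `target=$(/usr/bin/readlink -f "${link}")` — which breaks on paths with spaces, and this suite does use such paths (`"$tmpdir/file (deleted)"` in deleted.sh). The `while [ -h ${link} ]` loop begins before this hunk.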
@@ -114,9 +114,9 @@ runchecktest "MKNOD sock (permissions)" fail s $mknod_file ## -## D. SETHOSTNAME +## C. SYSCTL ## -sh syscall_sysctl.sh +bash syscall_sysctl.sh ## ## D. SETHOSTNAME === modified file 'tests/regression/subdomain/unix_fd_server.c' --- a/tests/regression/subdomain/unix_fd_server.c 2006-05-19 17:32:14 +0000 +++ b/tests/regression/subdomain/unix_fd_server.c 2011-01-10 18:12:33 +0000 @@ -2,6 +2,7 @@ /* * Copyright (C) 2002-2005 Novell/SUSE + * Copyright (C) 2010 Canonical, Ltd. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as @@ -134,6 +135,7 @@ } /* Check for info re: reading the file */ + memset(inbound_buffer, 0, sizeof(inbound_buffer)); if (recv(in_sock, inbound_buffer, 16,0) == -1 ) { fprintf(stderr, "FAIL - recv %s\n", strerror(errno)); === modified file 'tests/regression/subdomain/xattrs.sh' --- a/tests/regression/subdomain/xattrs.sh 2010-02-07 07:04:57 +0000 +++ b/tests/regression/subdomain/xattrs.sh 2011-01-10 18:12:33 +0000 
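Review bot: Zeroing `inbound_buffer` before `recv()` only guarantees NUL termination if the buffer is larger than the 16 bytes requested, and its declaration is outside this hunk, so that should be verified; reading `sizeof(inbound_buffer) - 1` instead of a literal 16 ties the two together. The call also checks only for `-1`: a return of 0 (peer closed) leaves an all-zero buffer that whatever compares it next, outside the hunk, would treat as a message. Suggest `ssize_t n = recv(in_sock, inbound_buffer, sizeof(inbound_buffer) - 1, 0);` followed by `if (n <= 0) {` for the FAIL path.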
@@ -38,41 +38,59 @@ . $bin/prologue.inc -file=$tmpdir/testfile -link=$tmpdir/testlink -dir=$tmpdir/testdir/ +tmpmount=$tmpdir/mountpoint +diskimg=$tmpdir/disk.img +file=$tmpmount/testfile +link=$tmpmount/testlink +dir=$tmpmount/testdir/ okperm=rw badperm=r +# guarantee fs supports user_xattrs +dd if=/dev/zero of=${diskimg} bs=4096 count=4096 2> /dev/null +mkfs.ext3 -q -F ${diskimg} +mkdir ${tmpmount} +mount -o loop,user_xattr ${diskimg} ${tmpmount} + touch $file ln -s $file $link mkdir $dir +add_attrs() +{ + #set the xattr for thos that passed above again so we can test removing it + setfattr -h -n security.sdtest -v hello "$1" + setfattr -h -n trusted.sdtest -v hello "$1" + if [ "$1" != $link ] ; then + setfattr -h -n user.sdtest -v hello "$1" + fi +} + for var in $file $link $dir ; do #write xattr genprofile $var:$badperm xattrtest $var $badperm write security fail #xattrtest $var $badperm write system fail xattrtest $var $badperm write trusted fail - if [ $var != $link ] ; then xattrtest $var $badperm write user fail ; fi + if [ $var != $link ] ; then xattrtest $var $badperm write user xfail ; fi genprofile $var:$badperm capability:sys_admin xattrtest $var "$badperm+cap SYS_ADMIN" write security xfail #xattrtest $var "$badperm+cap SYS_ADMIN" write system fail xattrtest $var "$badperm+cap SYS_ADMIN" write trusted xfail - if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user fail ; fi + if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user xfail ; fi genprofile $var:$okperm xattrtest $var $okperm write security xpass #xattrtest $var $okperm write system fail xattrtest $var $okperm write trusted fail - if [ $var != $link ] ; then xattrtest $var $okperm write user xpass ; fi + if [ $var != $link ] ; then xattrtest $var $okperm write user pass ; fi genprofile $var:$okperm capability:sys_admin xattrtest $var "$okperm+cap SYS_ADMIN" write security pass #xattrtest $var "$okperm+cap SYS_ADMIN" write system pass xattrtest 
$var "$okperm+cap SYS_ADMIN" write trusted pass - if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user xpass ; fi + if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user pass ; fi #read xattr @@ -80,13 +98,13 @@ xattrtest $var $badperm read security pass #xattrtest $var $badperm read system fail xattrtest $var $badperm read trusted fail - if [ $var != $link ] ; then xattrtest $var $badperm read user xpass ; fi + if [ $var != $link ] ; then xattrtest $var $badperm read user pass ; fi genprofile $var:$badperm capability:sys_admin xattrtest $var "$badperm+cap SYS_ADMIN" read security pass #xattrtest $var "$badperm+cap SYS_ADMIN" read system pass xattrtest $var "$badperm+cap SYS_ADMIN" read trusted pass - if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user xpass ; fi + if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user pass ; fi #remove xattr 
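Review bot: The test now mounts a loop-backed ext3 image but only unmounts it at the very end of the script, so if any `genprofile`/`xattrtest` step aborts or the run is interrupted the loop device stays mounted under `$tmpdir`, the next run's `mkdir ${tmpmount}` fails, and the prologue's tmpdir cleanup presumably cannot remove it. Register the cleanup right after the `mount` — `trap 'umount ${tmpmount}' EXIT` — unless prologue.inc already installs an EXIT trap, which I cannot see from here, in which case hook into that. Also check the `mount` exit status, otherwise an unavailable `user_xattr`/loop setup silently runs the loop against the bare tmpdir and the `xfail` expectations no longer mean what they say. `add_attrs` compares `"$1" != $link` with `$link` unquoted; quote it like the other operand.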
@@ -94,23 +112,25 @@ xattrtest $var $badperm remove security fail #xattrtest $var $badperm remove system fail xattrtest $var $badperm remove trusted fail - if [ $var != $link ] ; then xattrtest $var $badperm remove user fail ; fi + if [ $var != $link ] ; then xattrtest $var $badperm remove user xfail ; fi + + add_attrs $var genprofile $var:$badperm capability:sys_admin xattrtest $var "$badperm+cap SYS_ADMIN" remove security xfail #xattrtest $var "$badperm+cap SYS_ADMIN" remove system fail xattrtest $var "$badperm+cap SYS_ADMIN" remove trusted xfail - if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user fail ; fi + if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user xfail ; fi + + add_attrs $var genprofile $var:$okperm xattrtest $var $okperm remove security xpass #xattrtest $var $okperm remove system fail xattrtest $var $okperm remove trusted fail - if [ $var != $link ] ; then xattrtest $var $okperm remove user xpass ; fi + if [ $var != $link ] ; then xattrtest $var $okperm remove user pass ; fi - #set the xattr for thos that passed above again so we can test removing it - setfattr -h -n security.sdtest -v hello $var - if [ $var != $link ] ; then setfattr -h -n user.sdtest -v hello $var ; fi + add_attrs $var genprofile $var:$okperm capability:sys_admin xattrtest $var "$okperm+cap SYS_ADMIN" remove security pass @@ -120,3 +140,4 @@ done +umount ${tmpmount} === modified file 'utils/SubDomain.pm' --- a/utils/SubDomain.pm 2010-09-21 07:40:50 +0000 +++ b/utils/SubDomain.pm 2011-01-10 18:12:33 +0000 @@ -2420,7 +2420,7 @@ my $RE_LOG_v2_1_audit = qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/; my $RE_LOG_v2_6_audit = - qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/; + qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/; sub prefetch_next_log_entry { # if we already have an existing cache entry, something's broken 
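Review bot: `(msg=)?` in `$RE_LOG_v2_6_audit` is a capturing group, so any code that reads `$1` after matching this pattern now sees `msg=`/undef instead of whatever it captured before; the group exists only to allow the optional prefix, so make it non-capturing: `qr/type=AVC\s+(?:msg=)?audit\([\d\.\:]+\):\s+apparmor=/`. The match sites for this regex are not in the hunk, so whether `$1` is read is inferred.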
@@ -6622,10 +6622,14 @@
 LibAppArmor::free_record($event);
 #map new c and d to w as logprof doesn't support them yet
- $rmask =~ s/c/w/g;
- $rmask =~ s/d/w/g;
- $dmask =~ s/c/w/g;
- $dmask =~ s/d/w/g;
+ if ($rmask) {
+ $rmask =~ s/c/w/g;
+ $rmask =~ s/d/w/g;
+ }
+ if ($dmask) {
+ $dmask =~ s/c/w/g;
+ $dmask =~ s/d/w/g;
+ }
 if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
 fatal_error(sprintf(gettext('Log contains unknown mode %s.'),
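Review bot: `if ($rmask)` guards the substitutions on truthiness, so a mask whose value is the string `"0"` is skipped along with undef and the empty string; if the purpose is only to avoid the uninitialized-value warning when the record carries no mask, `if (defined $rmask)` (and `if (defined $dmask)`) states that precisely. The existing `if ($rmask && !validate_log_mode(...))` below uses the same truthiness test, so the new block is at least consistent with its surroundings. Whether a mask can ever be `0` is not something this hunk shows.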