apparmor/apparmor-2.5-r1445

706 lines
22 KiB
Plaintext

=== added file '.bzrignore'
--- a/.bzrignore 1970-01-01 00:00:00 +0000
+++ b/.bzrignore 2011-01-10 18:12:33 +0000
@@ -0,0 +1,1 @@
+parser/tst/simple_tests/generated_x/*.sd
=== modified file 'libraries/libapparmor/testsuite/Makefile.am'
--- a/libraries/libapparmor/testsuite/Makefile.am 2008-05-19 22:48:31 +0000
+++ b/libraries/libapparmor/testsuite/Makefile.am 2011-01-10 18:12:33 +0000
@@ -12,7 +12,7 @@
test_multi_multi_SOURCES = test_multi.c
test_multi_multi_CFLAGS = $(CFLAGS) -Wall
test_multi_multi_LDFLAGS = $(LDFLAGS)
-test_multi_multi_LDADD = ../src/.libs/libapparmor.a
+test_multi_multi_LDADD = -L../src/.libs -lapparmor
clean-local:
rm -f tmp.err.* tmp.out.* site.exp site.bak
=== modified file 'parser/Makefile'
--- a/parser/Makefile 2009-11-11 18:58:57 +0000
+++ b/parser/Makefile 2011-01-10 18:12:33 +0000
@@ -45,11 +45,14 @@
echo "$${warning}"; \
fi ; \
done)
-CFLAGS = -O2 -pipe
+ifndef CFLAGS
+CFLAGS = -g -O2 -pipe
ifdef DEBUG
CFLAGS = -g
endif
+endif #CFLAGS
+
EXTRA_CFLAGS = ${CFLAGS} ${WARNINGS} -D_GNU_SOURCE
#LEXLIB := -lfl
@@ -125,9 +128,20 @@
techdoc.txt: techdoc/index.html
w3m -dump $< > $@
-all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf
+# targets arranged this way so that people who don't want full docs can
+# pick specific targets they want.
+main: $(TOOLS)
$(Q)make -C po all
- $(Q)make -s tests
+
+manpages: $(MANPAGES)
+
+htmlmanpages: $(HTMLMANPAGES)
+
+pdf: techdoc.pdf
+
+docs: manpages htmlmanpages pdf
+
+all: main docs tests
apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
rm -f ./libstdc++.a
@@ -191,7 +205,7 @@
af_names.h: /usr/include/bits/socket.h
LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@
- cat $@
+ # cat $@
cap_names.h: /usr/include/linux/capability.h
LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
@@ -224,7 +238,7 @@
.SILENT: $(AAREOBJECTS)
.PHONY: $(AAREOBJECTS)
$(AAREOBJECTS):
- make -C $(AAREDIR)
+ make -C $(AAREDIR) CFLAGS="$(CFLAGS)"
.SILENT: $(PCREOBJECTS)
.PHONY: $(PCREOBJECTS)
=== modified file 'parser/immunix.h'
--- a/parser/immunix.h 2009-08-20 15:41:10 +0000
+++ b/parser/immunix.h 2011-01-10 18:12:33 +0000
@@ -148,12 +148,12 @@
#include <stdio.h>
static inline int is_merged_x_consistent(int a, int b)
{
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
{ fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
return 0;
}
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
{ fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
return 0;
=== modified file 'parser/libapparmor_re/regexp.y'
--- a/parser/libapparmor_re/regexp.y 2010-07-24 14:16:14 +0000
+++ b/parser/libapparmor_re/regexp.y 2011-01-10 18:12:33 +0000
@@ -720,17 +720,19 @@
Node *i = t->child[!dir];
for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
}
// last altnode of chain check other dir as well
if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
t->child[!dir]->dup();
- t->release();
t = t->child[!dir];
+ old->release();
continue;
}
@@ -2581,9 +2583,9 @@
#define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
extern "C" void aare_reset_matchflags(void)
{
@@ -2644,8 +2646,8 @@
flip_tree(tree);
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
//if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
// fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);
=== modified file 'parser/tst/Makefile'
--- a/parser/tst/Makefile 2010-09-15 18:34:38 +0000
+++ b/parser/tst/Makefile 2011-01-10 18:12:33 +0000
@@ -11,8 +11,11 @@
all: tests
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity caching
+
+gen_xtrans:
+ perl ./gen-xtrans.pl
error_output: $(PARSER)
$(PARSER) -S -I errors >/dev/null errors/okay.sd
@@ -34,3 +37,6 @@
$(PARSER):
make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+ rm -f simple_tests/generated_x/*
=== added file 'parser/tst/gen-xtrans.pl'
--- a/parser/tst/gen-xtrans.pl 1970-01-01 00:00:00 +0000
+++ b/parser/tst/gen-xtrans.pl 2011-01-10 18:12:33 +0000
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+ "p" => \@modifiers,
+ "P" => \@modifiers,
+ "c" => \@modifiers,
+ "C" => \@modifiers,
+ );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+ "p" => \@targets,
+ "P" => \@targets,
+ "c" => \@targets,
+ "C" => \@targets,
+ "u" => \@null_target,
+ "i" => \@null_target,
+ );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+ my @output;
+ foreach my $trans (@trans_types) {
+ if ($trans_modifiers{$trans}) {
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
+ push @output, "${trans}${mod}x";
+ }
+ }
+ push @output, "${trans}x";
+ }
+ return @output;
+}
+
+sub print_rule($$$$) {
+ my ($file, $name, $perm, $target) = @_;
+ print $file "\t${name} ${perm}";
+ if ($target ne "") {
+ print $file " -> $target";
+ }
+ print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+ my $file;
+ unless (open $file, ">$name") {
+ print("couldn't open $name\n");
+ exit 1;
+ }
+
+ print $file "#\n";
+ print $file "#=DESCRIPTION ${name}\n";
+ print $file "#=EXRESULT ${xres}\n";
+ print $file "#\n";
+ print $file "/usr/bin/foo {\n";
+ print_rule($file, $rule1, $perm1, $target1);
+ print_rule($file, $rule2, $perm2, $target2);
+ print $file "}";
+ close($file);
+
+ $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+# /* px -> /foo//bar,
+# /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+ my ($name, $rule1, $rule2, $default) = @_;
+
+ my @perms = gen_list();
+
+# print "@perms\n";
+
+ foreach my $i (@perms) {
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+ foreach my $q (@qualifiers) {
+ foreach my $j (@perms) {
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+ foreach my $r (@qualifiers) {
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+# print "$file\n";
+
+ #override failures when transitions are the same
+ my $xres = ${default};
+ if ($i eq $j && $t eq $u) {
+ $xres = "PASS";
+ }
+
+
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+ }
+ }
+ }
+ }
+ }
+ }
+
+}
+
+sub gen_conflicting_x {
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
=== added directory 'parser/tst/simple_tests/generated_x'
=== added file 'parser/tst/simple_tests/generated_x/readme'
--- a/parser/tst/simple_tests/generated_x/readme 1970-01-01 00:00:00 +0000
+++ b/parser/tst/simple_tests/generated_x/readme 2011-01-10 18:12:33 +0000
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers'
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers 2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers 2011-01-10 18:12:33 +0000
@@ -18,7 +18,7 @@
/usr/bin/prism PUx,
/usr/bin/rekonq PUx,
/usr/bin/seamonkey PUx,
- /usr/bin/sensible-browser PUxr,
+ /usr/bin/sensible-browser Pixr,
/usr/bin/chromium-browser PUx,
/usr/lib/chromium-browser/chromium-browser PUx,
=== modified file 'profiles/apparmor.d/abstractions/ubuntu-email'
--- a/profiles/apparmor.d/abstractions/ubuntu-email 2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-email 2011-01-10 18:12:33 +0000
@@ -15,5 +15,5 @@
/usr/bin/tkrat PUx,
/usr/lib/thunderbird/thunderbird PUx,
- /usr/lib/thunderbird-3*/thunderbird PUx,
+ /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx,
=== modified file 'tests/regression/subdomain/changehat_misc.sh'
--- a/tests/regression/subdomain/changehat_misc.sh 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/changehat_misc.sh 2011-01-10 18:12:33 +0000
@@ -64,7 +64,7 @@
echo "*** A 'Killed' message from bash is expected for the following test"
runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
-# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
+# 1. ATTEMPT TO CHANGEHAT TO AN INVALID PROFILE, SHOULD PUT US INTO A NULL
# PROFILE
# 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
settest changehat_fail
=== modified file 'tests/regression/subdomain/deleted.c'
--- a/tests/regression/subdomain/deleted.c 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/deleted.c 2011-01-10 18:12:33 +0000
@@ -90,7 +90,7 @@
}
/* test that we can create the file. Not necessarily a (deleted)
- * case but lets use flush out other combinations
+ * case but lets us flush out other combinations.
*/
fd2=creat(argv[2], S_IRUSR | S_IWUSR);
if (fd2 == -1){
=== modified file 'tests/regression/subdomain/deleted.sh'
--- a/tests/regression/subdomain/deleted.sh 2007-12-23 01:00:19 +0000
+++ b/tests/regression/subdomain/deleted.sh 2011-01-10 18:12:33 +0000
@@ -1,7 +1,7 @@
#! /bin/bash
-# $Id$
-
+#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010 Canonical, Ltd
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@@ -10,7 +10,7 @@
#=NAME deleted
#=DESCRIPTION
-# Test subdomain is properly working around a kernel in which the kernel
+# Test AppArmor is properly working around a kernel in which the kernel
# appends (deleted) to deleted files verifies that the d_path appending
# (deleted) fix is working
#=END
@@ -24,6 +24,7 @@
file=$tmpdir/file
file2="$tmpdir/file (deleted)"
+file3="$tmpdir/unavailable"
okperm=rwl
subtest=sub
@@ -40,8 +41,8 @@
# NO CHANGEHAT TEST - doesn't force revalidation
genprofile $file:$okperm
-
runchecktest "NO CHANGEHAT (access file)" pass nochange $file
+runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3
genprofile "$file2":$okperm
runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2"
@@ -49,6 +50,7 @@
# CHANGEHAT TEST - force revalidation using changehat
genprofile $file:$okperm hat:$subtest $file:$okperm
runchecktest "CHANGEHAT (access file)" pass $subtest $file
+runchecktest "CHANGEHAT (cannot access unavailable)" fail $subtest $file3
genprofile "$file2":$okperm hat:$subtest "$file2":$okperm
runchecktest "CHANGEHAT (access file (deleted))" pass $subtest "$file2"
@@ -115,7 +117,7 @@
# FAIL - confined client, w access to the file
genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
-runchecktest "fd passing; confined client w/ w only" pass $file $socket $fd_client "delete_file"
+runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client "delete_file"
sleep 1
rm -f ${socket}
=== modified file 'tests/regression/subdomain/mkprofile.pl'
--- a/tests/regression/subdomain/mkprofile.pl 2009-11-11 18:44:26 +0000
+++ b/tests/regression/subdomain/mkprofile.pl 2011-01-10 18:12:33 +0000
@@ -5,7 +5,7 @@
#
# Gawd, I hate writing perl. It shows, too.
#
-my $__VERSION__='$Id$';
+my $__VERSION__=$0;
use strict;
use Getopt::Long;
=== modified file 'tests/regression/subdomain/prologue.inc'
--- a/tests/regression/subdomain/prologue.inc 2010-08-26 18:24:41 +0000
+++ b/tests/regression/subdomain/prologue.inc 2011-01-10 18:12:33 +0000
@@ -93,8 +93,10 @@
while [ -h ${link} ]
do
- if [ -x /usr/bin/readlink ] ; then
- target=$(/usr/bin/readlink ${link})
+ if [ -x /usr/bin/readlink ] ; then
+ target=$(/usr/bin/readlink -f ${link})
+ elif [ -x /bin/readlink ] ; then
+ target=$(/bin/readlink -f ${link})
else
# I'm sure there's a more perlish way to do this
target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));")
=== modified file 'tests/regression/subdomain/pwrite.sh'
--- a/tests/regression/subdomain/pwrite.sh 2007-12-23 00:58:47 +0000
+++ b/tests/regression/subdomain/pwrite.sh 2011-01-10 18:12:33 +0000
@@ -27,7 +27,7 @@
genprofile $file:$okperm
-runtestbg "PWRITE with w" pass $file
+runtestbg "PREAD/PWRITE with rw" pass $file
sleep 2
=== modified file 'tests/regression/subdomain/swap.sh'
--- a/tests/regression/subdomain/swap.sh 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/swap.sh 2011-01-10 18:12:33 +0000
@@ -32,7 +32,7 @@
swap_file=$tmpdir/swapfile
dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null
-/sbin/mkswap ${swap_file} > /dev/null
+/sbin/mkswap -f ${swap_file} > /dev/null
# TEST 1. Make sure can enable and disable swap unconfined
=== modified file 'tests/regression/subdomain/syscall.sh'
--- a/tests/regression/subdomain/syscall.sh 2007-12-23 01:02:50 +0000
+++ b/tests/regression/subdomain/syscall.sh 2011-01-10 18:12:33 +0000
@@ -1,7 +1,7 @@
#! /bin/bash
-# $Id$
-
+#
# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@@ -114,9 +114,9 @@
runchecktest "MKNOD sock (permissions)" fail s $mknod_file
##
-## D. SETHOSTNAME
+## C. SYSCTL
##
-sh syscall_sysctl.sh
+bash syscall_sysctl.sh
##
## D. SETHOSTNAME
=== modified file 'tests/regression/subdomain/unix_fd_server.c'
--- a/tests/regression/subdomain/unix_fd_server.c 2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/unix_fd_server.c 2011-01-10 18:12:33 +0000
@@ -2,6 +2,7 @@
/*
* Copyright (C) 2002-2005 Novell/SUSE
+ * Copyright (C) 2010 Canonical, Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
@@ -134,6 +135,7 @@
}
/* Check for info re: reading the file */
+ memset(inbound_buffer, 0, sizeof(inbound_buffer));
if (recv(in_sock, inbound_buffer, 16,0) == -1 ) {
fprintf(stderr, "FAIL - recv %s\n",
strerror(errno));
=== modified file 'tests/regression/subdomain/xattrs.sh'
--- a/tests/regression/subdomain/xattrs.sh 2010-02-07 07:04:57 +0000
+++ b/tests/regression/subdomain/xattrs.sh 2011-01-10 18:12:33 +0000
@@ -38,41 +38,59 @@
. $bin/prologue.inc
-file=$tmpdir/testfile
-link=$tmpdir/testlink
-dir=$tmpdir/testdir/
+tmpmount=$tmpdir/mountpoint
+diskimg=$tmpdir/disk.img
+file=$tmpmount/testfile
+link=$tmpmount/testlink
+dir=$tmpmount/testdir/
okperm=rw
badperm=r
+# guarantee fs supports user_xattrs
+dd if=/dev/zero of=${diskimg} bs=4096 count=4096 2> /dev/null
+mkfs.ext3 -q -F ${diskimg}
+mkdir ${tmpmount}
+mount -o loop,user_xattr ${diskimg} ${tmpmount}
+
touch $file
ln -s $file $link
mkdir $dir
+add_attrs()
+{
+ #set the xattr for thos that passed above again so we can test removing it
+ setfattr -h -n security.sdtest -v hello "$1"
+ setfattr -h -n trusted.sdtest -v hello "$1"
+ if [ "$1" != $link ] ; then
+ setfattr -h -n user.sdtest -v hello "$1"
+ fi
+}
+
for var in $file $link $dir ; do
#write xattr
genprofile $var:$badperm
xattrtest $var $badperm write security fail
#xattrtest $var $badperm write system fail
xattrtest $var $badperm write trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm write user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm write user xfail ; fi
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" write security xfail
#xattrtest $var "$badperm+cap SYS_ADMIN" write system fail
xattrtest $var "$badperm+cap SYS_ADMIN" write trusted xfail
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user xfail ; fi
genprofile $var:$okperm
xattrtest $var $okperm write security xpass
#xattrtest $var $okperm write system fail
xattrtest $var $okperm write trusted fail
- if [ $var != $link ] ; then xattrtest $var $okperm write user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $okperm write user pass ; fi
genprofile $var:$okperm capability:sys_admin
xattrtest $var "$okperm+cap SYS_ADMIN" write security pass
#xattrtest $var "$okperm+cap SYS_ADMIN" write system pass
xattrtest $var "$okperm+cap SYS_ADMIN" write trusted pass
- if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user pass ; fi
#read xattr
@@ -80,13 +98,13 @@
xattrtest $var $badperm read security pass
#xattrtest $var $badperm read system fail
xattrtest $var $badperm read trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm read user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm read user pass ; fi
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" read security pass
#xattrtest $var "$badperm+cap SYS_ADMIN" read system pass
xattrtest $var "$badperm+cap SYS_ADMIN" read trusted pass
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user pass ; fi
#remove xattr
@@ -94,23 +112,25 @@
xattrtest $var $badperm remove security fail
#xattrtest $var $badperm remove system fail
xattrtest $var $badperm remove trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm remove user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm remove user xfail ; fi
+
+ add_attrs $var
genprofile $var:$badperm capability:sys_admin
xattrtest $var "$badperm+cap SYS_ADMIN" remove security xfail
#xattrtest $var "$badperm+cap SYS_ADMIN" remove system fail
xattrtest $var "$badperm+cap SYS_ADMIN" remove trusted xfail
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user xfail ; fi
+
+ add_attrs $var
genprofile $var:$okperm
xattrtest $var $okperm remove security xpass
#xattrtest $var $okperm remove system fail
xattrtest $var $okperm remove trusted fail
- if [ $var != $link ] ; then xattrtest $var $okperm remove user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $okperm remove user pass ; fi
- #set the xattr for thos that passed above again so we can test removing it
- setfattr -h -n security.sdtest -v hello $var
- if [ $var != $link ] ; then setfattr -h -n user.sdtest -v hello $var ; fi
+ add_attrs $var
genprofile $var:$okperm capability:sys_admin
xattrtest $var "$okperm+cap SYS_ADMIN" remove security pass
@@ -120,3 +140,4 @@
done
+umount ${tmpmount}
=== modified file 'utils/SubDomain.pm'
--- a/utils/SubDomain.pm 2010-09-21 07:40:50 +0000
+++ b/utils/SubDomain.pm 2011-01-10 18:12:33 +0000
@@ -2420,7 +2420,7 @@
my $RE_LOG_v2_1_audit =
qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
my $RE_LOG_v2_6_audit =
- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
sub prefetch_next_log_entry {
# if we already have an existing cache entry, something's broken
@@ -6622,10 +6622,14 @@
LibAppArmor::free_record($event);
#map new c and d to w as logprof doesn't support them yet
- $rmask =~ s/c/w/g;
- $rmask =~ s/d/w/g;
- $dmask =~ s/c/w/g;
- $dmask =~ s/d/w/g;
+ if ($rmask) {
+ $rmask =~ s/c/w/g;
+ $rmask =~ s/d/w/g;
+ }
+ if ($dmask) {
+ $dmask =~ s/c/w/g;
+ $dmask =~ s/d/w/g;
+ }
if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
fatal_error(sprintf(gettext('Log contains unknown mode %s.'),