a535402f17
Accepted submit request 59064 from user jeff_mahoney OBS-URL: https://build.opensuse.org/request/show/59064 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apparmor?expand=0&rev=5
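--- a/.bzrignore
+++ b/.bzrignore
@@ -0,0 +1,1 @@
+parser/tst/simple_tests/generated_x/*.sd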
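--- a/libraries/libapparmor/testsuite/Makefile.am
+++ b/libraries/libapparmor/testsuite/Makefile.am
@@ -12,7 +12,7 @@
 test_multi_multi_SOURCES = test_multi.c
 test_multi_multi_CFLAGS = $(CFLAGS) -Wall
 test_multi_multi_LDFLAGS = $(LDFLAGS)
-test_multi_multi_LDADD = ../src/.libs/libapparmor.a
+test_multi_multi_LDADD = -L../src/.libs -lapparmor
 
 clean-local:
 rm -f tmp.err.* tmp.out.* site.exp site.bak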
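Review bot: With `-L../src/.libs -lapparmor` the linker will normally prefer a shared libapparmor over the static archive, so at run time test_multi may resolve the library through the loader's default search path and exercise an installed copy instead of the one just built. If the library is built with libtool (the `.libs` directory suggests it), linking against its libtool archive in `../src` keeps the test bound to the build tree. Otherwise the test harness should set the library search path explicitly before running the binary.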
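--- a/parser/Makefile
+++ b/parser/Makefile
@@ -45,11 +45,14 @@
 echo "$${warning}"; \
 fi ; \
 done)
-CFLAGS = -O2 -pipe
+ifndef CFLAGS
+CFLAGS = -g -O2 -pipe
 
 ifdef DEBUG
 CFLAGS = -g
 endif
+endif #CFLAGS
+
 EXTRA_CFLAGS = ${CFLAGS} ${WARNINGS} -D_GNU_SOURCE
 
 #LEXLIB := -lfl
@@ -125,9 +128,20 @@
 techdoc.txt: techdoc/index.html
 w3m -dump $< > $@
 
-all: $(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf
+# targets arranged this way so that people who don't want full docs can
+# pick specific targets they want.
+main: $(TOOLS)
 $(Q)make -C po all
- $(Q)make -s tests
+
+manpages: $(MANPAGES)
+
+htmlmanpages: $(HTMLMANPAGES)
+
+pdf: techdoc.pdf
+
+docs: manpages htmlmanpages pdf
+
+all: main docs tests
 
 apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
 rm -f ./libstdc++.a
@@ -191,7 +205,7 @@
 af_names.h: /usr/include/bits/socket.h
 LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/#ifndef AF_\\1\\n# define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
 LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\\([0-9]\\+\\)[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@
- cat $@
+ # cat $@
 
 cap_names.h: /usr/include/linux/capability.h
 LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9xa-f]\\+\\)\\(.*\\)\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
@@ -224,7 +238,7 @@
 .SILENT: $(AAREOBJECTS)
 .PHONY: $(AAREOBJECTS)
 $(AAREOBJECTS):
- make -C $(AAREDIR)
+ make -C $(AAREDIR) CFLAGS="$(CFLAGS)"
 
 .SILENT: $(PCREOBJECTS)
 .PHONY: $(PCREOBJECTS)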
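Review bot: The recursive call added for $(AAREOBJECTS) uses a literal `make`, as does the existing `$(Q)make -C po all`, so the sub-make does not inherit the jobserver or flags such as `-n` and `-k` from the parent; write it as `$(MAKE) -C $(AAREDIR) CFLAGS="$(CFLAGS)"`. In the same file, `all: main docs tests` gives make no ordering between the three prerequisites, so under `-j` the tests may start while the tools are still being built unless the `tests` target (not visible in these hunks) depends on them itself. A comment next to `ifndef CFLAGS` should also say that once a caller or the environment supplies CFLAGS, the nested `ifdef DEBUG` override no longer applies.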
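--- a/parser/immunix.h
+++ b/parser/immunix.h
@@ -148,12 +148,12 @@
 #include <stdio.h>
 static inline int is_merged_x_consistent(int a, int b)
 {
- if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+ if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
 ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
 { fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
 return 0;
 }
- if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+ if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
 ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
 { fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
 return 0;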
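Review bot: Nothing in is_merged_x_consistent explains why the first operand of each test is now the exec permission (`AA_USER_EXEC`, `AA_OTHER_EXEC`) while the comparison still uses the `_TYPE` masks, and that distinction decides whether two conflicting transition types are rejected or merged silently. A comment above each `if` would record it, for example `/* compare exec types only when both rules actually grant exec */`, assuming that is the intent; the macro definitions are outside this hunk. The function body also continues past the last visible line.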
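--- a/parser/libapparmor_re/regexp.y
+++ b/parser/libapparmor_re/regexp.y
@@ -720,17 +720,19 @@
 Node *i = t->child[!dir];
 for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
 if (t->child[dir]->eq(i->child[dir])) {
+ Node *old = t;
 t->child[!dir]->dup();
- t->release();
 t = t->child[!dir];
+ old->release();
 continue;
 }
 }
 // last altnode of chain check other dir as well
 if (t->child[dir]->eq(p->child[!dir])) {
+ Node *old = t;
 t->child[!dir]->dup();
- t->release();
 t = t->child[!dir];
+ old->release();
 continue;
 }
 
@@ -2581,9 +2583,9 @@
 #define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
 MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
 DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2) /* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE]; /* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
 
 extern "C" void aare_reset_matchflags(void)
 {
@@ -2644,8 +2646,8 @@
 flip_tree(tree);
 
 
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
 
 //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 // fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);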
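Review bot: The new `EXTRACT_X_INDEX` can return any value from 0 to 0x7f, but nothing in the hunk ties that mask to `EXEC_MATCH_FLAGS_SIZE`, which is defined separately as `(AA_EXEC_COUNT *2 * 2 * 2)`; if the index is used on `exec_match_flags` or `exact_match_flags` (the use is outside the hunk) and the two ever disagree, the lookup runs past the end of the array. A compile-time check that `0x7f < EXEC_MATCH_FLAGS_SIZE` placed next to the macro would catch that. The macro should also parenthesize its argument: `#define EXTRACT_X_INDEX(perm, shift) (((perm) >> ((shift) + 7)) & 0x7f)`. In the first hunk the dup/advance/release sequence appears twice without a comment; one line such as `/* release the old node only after t has moved to its child */` would keep the ordering from being undone later.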
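--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -11,8 +11,11 @@
 
 all: tests
 
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity caching
+
+gen_xtrans:
+ perl ./gen-xtrans.pl
 
 error_output: $(PARSER)
 $(PARSER) -S -I errors >/dev/null errors/okay.sd
@@ -34,3 +37,6 @@
 
 $(PARSER):
 make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+ rm -f simple_tests/generated_x/*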
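Review bot: The new `clean` recipe `rm -f simple_tests/generated_x/*` also deletes the `readme` that this same commit adds to that directory, so every `make clean` leaves the working tree modified. Restricting the pattern to the generated profiles matches the `.bzrignore` entry: `rm -f simple_tests/generated_x/*.sd`. `clean` is also missing from the `.PHONY` line.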
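--- a/parser/tst/gen-xtrans.pl
+++ b/parser/tst/gen-xtrans.pl
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+ "p" => \@modifiers,
+ "P" => \@modifiers,
+ "c" => \@modifiers,
+ "C" => \@modifiers,
+ );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+ "p" => \@targets,
+ "P" => \@targets,
+ "c" => \@targets,
+ "C" => \@targets,
+ "u" => \@null_target,
+ "i" => \@null_target,
+ );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+ my @output;
+ foreach my $trans (@trans_types) {
+ if ($trans_modifiers{$trans}) {
+ foreach my $mod (@{$trans_modifiers{$trans}}) {
+ push @output, "${trans}${mod}x";
+ }
+ }
+ push @output, "${trans}x";
+ }
+ return @output;
+}
+
+sub print_rule($$$$) {
+ my ($file, $name, $perm, $target) = @_;
+ print $file "\t${name} ${perm}";
+ if ($target ne "") {
+ print $file " -> $target";
+ }
+ print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+ my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+# print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+ my $file;
+ unless (open $file, ">$name") {
+ print("couldn't open $name\n");
+ exit 1;
+ }
+
+ print $file "#\n";
+ print $file "#=DESCRIPTION ${name}\n";
+ print $file "#=EXRESULT ${xres}\n";
+ print $file "#\n";
+ print $file "/usr/bin/foo {\n";
+ print_rule($file, $rule1, $perm1, $target1);
+ print_rule($file, $rule2, $perm2, $target2);
+ print $file "}";
+ close($file);
+
+ $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+# so
+# /foo {
+# /* px -> /foo//bar,
+# /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+# It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+ my ($name, $rule1, $rule2, $default) = @_;
+
+ my @perms = gen_list();
+
+# print "@perms\n";
+
+ foreach my $i (@perms) {
+ foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+ foreach my $q (@qualifiers) {
+ foreach my $j (@perms) {
+ foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+ foreach my $r (@qualifiers) {
+ my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+# print "$file\n";
+
+ #override failures when transitions are the same
+ my $xres = ${default};
+ if ($i eq $j && $t eq $u) {
+ $xres = "PASS";
+ }
+
+
+# print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+ gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+ }
+ }
+ }
+ }
+ }
+ }
+
+}
+
+sub gen_conflicting_x {
+ gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+ gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+ gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+ gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}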
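Review bot: gen_file opens its output with the two-argument form, `open $file, ">$name"`, which lets the file name itself influence the open mode, and the failure message omits the reason and goes to stdout. The names are built from fixed lists here, so this is about robustness rather than an exposed input, but the three-argument form costs nothing: `open($file, '>', $name) or die "couldn't open $name: $!\n";`. The return value of `close($file)` is ignored, so a short write on a full disk would still count the test as generated. `Locale::gettext` and `setlocale` are loaded although nothing in the script appears to use them, which adds a module dependency to the test run.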
=== added directory 'parser/tst/simple_tests/generated_x'
|
|
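--- a/parser/tst/simple_tests/generated_x/readme
+++ b/parser/tst/simple_tests/generated_x/readme
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+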
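--- a/profiles/apparmor.d/abstractions/ubuntu-browsers
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers
@@ -18,7 +18,7 @@
 /usr/bin/prism PUx,
 /usr/bin/rekonq PUx,
 /usr/bin/seamonkey PUx,
- /usr/bin/sensible-browser PUxr,
+ /usr/bin/sensible-browser Pixr,
 
 /usr/bin/chromium-browser PUx,
 /usr/lib/chromium-browser/chromium-browser PUx,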
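Review bot: The reason `/usr/bin/sensible-browser` alone moves from `PUxr` to `Pixr` is not recorded in the abstraction, and the difference matters for confinement: with the `i` fallback the program keeps running under the including profile when it has no profile of its own, instead of dropping to unconfined. A comment above the rule would tell the next editor not to "normalize" it back to match its neighbours, for example `# wrapper script: inherit the current profile rather than falling back to unconfined`, if that is the intent.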
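--- a/profiles/apparmor.d/abstractions/ubuntu-email
+++ b/profiles/apparmor.d/abstractions/ubuntu-email
@@ -15,5 +15,5 @@
 /usr/bin/tkrat PUx,
 
 /usr/lib/thunderbird/thunderbird PUx,
- /usr/lib/thunderbird-3*/thunderbird PUx,
+ /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx,
 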
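--- a/tests/regression/subdomain/changehat_misc.sh
+++ b/tests/regression/subdomain/changehat_misc.sh
@@ -64,7 +64,7 @@
 echo "*** A 'Killed' message from bash is expected for the following test"
 runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
 
-# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
+# 1. ATTEMPT TO CHANGEHAT TO AN INVALID PROFILE, SHOULD PUT US INTO A NULL
 # PROFILE
 # 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
 settest changehat_fail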
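--- a/tests/regression/subdomain/deleted.c
+++ b/tests/regression/subdomain/deleted.c
@@ -90,7 +90,7 @@
 }
 
 /* test that we can create the file. Not necessarily a (deleted)
- * case but lets use flush out other combinations
+ * case but lets us flush out other combinations.
 */
 fd2=creat(argv[2], S_IRUSR | S_IWUSR);
 if (fd2 == -1){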
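--- a/tests/regression/subdomain/deleted.sh
+++ b/tests/regression/subdomain/deleted.sh
@@ -1,7 +1,7 @@
 #! /bin/bash
-# $Id$
-
+#
 # Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010 Canonical, Ltd
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
@@ -10,7 +10,7 @@
 
 #=NAME deleted
 #=DESCRIPTION
-# Test subdomain is properly working around a kernel in which the kernel
+# Test AppArmor is properly working around a kernel in which the kernel
 # appends (deleted) to deleted files verifies that the d_path appending
 # (deleted) fix is working
 #=END
@@ -24,6 +24,7 @@
 
 file=$tmpdir/file
 file2="$tmpdir/file (deleted)"
+file3="$tmpdir/unavailable"
 okperm=rwl
 
 subtest=sub
@@ -40,8 +41,8 @@
 # NO CHANGEHAT TEST - doesn't force revalidation
 
 genprofile $file:$okperm
-
 runchecktest "NO CHANGEHAT (access file)" pass nochange $file
+runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3
 
 genprofile "$file2":$okperm
 runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2"
@@ -49,6 +50,7 @@
 # CHANGEHAT TEST - force revalidation using changehat
 genprofile $file:$okperm hat:$subtest $file:$okperm
 runchecktest "CHANGEHAT (access file)" pass $subtest $file
+runchecktest "CHANGEHAT (cannot access unavailable)" fail $subtest $file3
 
 genprofile "$file2":$okperm hat:$subtest "$file2":$okperm
 runchecktest "CHANGEHAT (access file (deleted))" pass $subtest "$file2"
@@ -115,7 +117,7 @@
 # FAIL - confined client, w access to the file
 
 genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
-runchecktest "fd passing; confined client w/ w only" pass $file $socket $fd_client "delete_file"
+runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client "delete_file"
 
 sleep 1
 rm -f ${socket}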
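Review bot: The two new negative tests pass `$file3` (`$tmpdir/unavailable`), which none of the visible lines create, so the expected `fail` may come from the file simply not existing rather than from the profile denying access; the test would then still succeed if confinement were not being enforced. Creating the file before the checks, for example `touch $file3` right after its definition, makes the policy denial the only possible reason for the failure. This assumes the file is not created in a part of the script outside these hunks.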
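--- a/tests/regression/subdomain/mkprofile.pl
+++ b/tests/regression/subdomain/mkprofile.pl
@@ -5,7 +5,7 @@
 #
 # Gawd, I hate writing perl. It shows, too.
 #
-my $__VERSION__='$Id$';
+my $__VERSION__=$0;
 
 use strict;
 use Getopt::Long;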
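--- a/tests/regression/subdomain/prologue.inc
+++ b/tests/regression/subdomain/prologue.inc
@@ -93,8 +93,10 @@
 
 while [ -h ${link} ]
 do
- if [ -x /usr/bin/readlink ] ; then
- target=$(/usr/bin/readlink ${link})
+ if [ -x /usr/bin/readlink ] ; then
+ target=$(/usr/bin/readlink -f ${link})
+ elif [ -x /bin/readlink ] ; then
+ target=$(/bin/readlink -f ${link})
 else
 # I'm sure there's a more perlish way to do this
 target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));")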
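Review bot: The added `readlink -f` calls leave `${link}` unquoted, so a path containing whitespace or glob characters is split before readlink sees it; use `target=$(/usr/bin/readlink -f "${link}")` and the same for `/bin/readlink`. The three branches now also disagree with each other: `-f` returns a fully canonicalized path while the perl fallback returns the raw link target, so the enclosing `while [ -h ${link} ]` loop behaves differently depending on which tool is installed. The loop body continues outside the hunk.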
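--- a/tests/regression/subdomain/pwrite.sh
+++ b/tests/regression/subdomain/pwrite.sh
@@ -27,7 +27,7 @@
 
 genprofile $file:$okperm
 
-runtestbg "PWRITE with w" pass $file
+runtestbg "PREAD/PWRITE with rw" pass $file
 
 sleep 2
 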
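--- a/tests/regression/subdomain/swap.sh
+++ b/tests/regression/subdomain/swap.sh
@@ -32,7 +32,7 @@
 swap_file=$tmpdir/swapfile
 
 dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null
-/sbin/mkswap ${swap_file} > /dev/null
+/sbin/mkswap -f ${swap_file} > /dev/null
 
 # TEST 1. Make sure can enable and disable swap unconfined
 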
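--- a/tests/regression/subdomain/syscall.sh
+++ b/tests/regression/subdomain/syscall.sh
@@ -1,7 +1,7 @@
 #! /bin/bash
-# $Id$
-
+#
 # Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010 Canonical, Ltd.
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
@@ -114,9 +114,9 @@
 runchecktest "MKNOD sock (permissions)" fail s $mknod_file
 
 ##
-## D. SETHOSTNAME
+## C. SYSCTL
 ##
-sh syscall_sysctl.sh
+bash syscall_sysctl.sh
 
 ##
 ## D. SETHOSTNAME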
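--- a/tests/regression/subdomain/unix_fd_server.c
+++ b/tests/regression/subdomain/unix_fd_server.c
@@ -2,6 +2,7 @@
 
 /*
 * Copyright (C) 2002-2005 Novell/SUSE
+ * Copyright (C) 2010 Canonical, Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
@@ -134,6 +135,7 @@
 }
 
 /* Check for info re: reading the file */
+ memset(inbound_buffer, 0, sizeof(inbound_buffer));
 if (recv(in_sock, inbound_buffer, 16,0) == -1 ) {
 fprintf(stderr, "FAIL - recv %s\n",
 strerror(errno));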
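Review bot: The added `memset` only guarantees a terminating NUL if `recv` writes fewer bytes than the buffer holds, and the length on the next line is still the literal `16`; if `inbound_buffer` is declared with 16 bytes (its declaration is outside the hunk), a full-length message leaves it unterminated for any later string use. Deriving the length from the buffer closes that gap: `recv(in_sock, inbound_buffer, sizeof(inbound_buffer) - 1, 0)`. The return value is only compared with -1, so a 0-byte read from a closed peer is treated the same as received data.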
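--- a/tests/regression/subdomain/xattrs.sh
+++ b/tests/regression/subdomain/xattrs.sh
@@ -38,41 +38,59 @@
 
 . $bin/prologue.inc
 
-file=$tmpdir/testfile
-link=$tmpdir/testlink
-dir=$tmpdir/testdir/
+tmpmount=$tmpdir/mountpoint
+diskimg=$tmpdir/disk.img
+file=$tmpmount/testfile
+link=$tmpmount/testlink
+dir=$tmpmount/testdir/
 okperm=rw
 badperm=r
 
+# guarantee fs supports user_xattrs
+dd if=/dev/zero of=${diskimg} bs=4096 count=4096 2> /dev/null
+mkfs.ext3 -q -F ${diskimg}
+mkdir ${tmpmount}
+mount -o loop,user_xattr ${diskimg} ${tmpmount}
+
 touch $file
 ln -s $file $link
 mkdir $dir
 
+add_attrs()
+{
+ #set the xattr for thos that passed above again so we can test removing it
+ setfattr -h -n security.sdtest -v hello "$1"
+ setfattr -h -n trusted.sdtest -v hello "$1"
+ if [ "$1" != $link ] ; then
+ setfattr -h -n user.sdtest -v hello "$1"
+ fi
+}
+
 for var in $file $link $dir ; do
 #write xattr
 genprofile $var:$badperm
 xattrtest $var $badperm write security fail
 #xattrtest $var $badperm write system fail
 xattrtest $var $badperm write trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm write user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm write user xfail ; fi
 
 genprofile $var:$badperm capability:sys_admin
 xattrtest $var "$badperm+cap SYS_ADMIN" write security xfail
 #xattrtest $var "$badperm+cap SYS_ADMIN" write system fail
 xattrtest $var "$badperm+cap SYS_ADMIN" write trusted xfail
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user xfail ; fi
 
 genprofile $var:$okperm
 xattrtest $var $okperm write security xpass
 #xattrtest $var $okperm write system fail
 xattrtest $var $okperm write trusted fail
- if [ $var != $link ] ; then xattrtest $var $okperm write user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $okperm write user pass ; fi
 
 genprofile $var:$okperm capability:sys_admin
 xattrtest $var "$okperm+cap SYS_ADMIN" write security pass
 #xattrtest $var "$okperm+cap SYS_ADMIN" write system pass
 xattrtest $var "$okperm+cap SYS_ADMIN" write trusted pass
- if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user pass ; fi
 
 
 #read xattr
@@ -80,13 +98,13 @@
 xattrtest $var $badperm read security pass
 #xattrtest $var $badperm read system fail
 xattrtest $var $badperm read trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm read user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm read user pass ; fi
 
 genprofile $var:$badperm capability:sys_admin
 xattrtest $var "$badperm+cap SYS_ADMIN" read security pass
 #xattrtest $var "$badperm+cap SYS_ADMIN" read system pass
 xattrtest $var "$badperm+cap SYS_ADMIN" read trusted pass
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user pass ; fi
 
 
 #remove xattr
@@ -94,23 +112,25 @@
 xattrtest $var $badperm remove security fail
 #xattrtest $var $badperm remove system fail
 xattrtest $var $badperm remove trusted fail
- if [ $var != $link ] ; then xattrtest $var $badperm remove user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var $badperm remove user xfail ; fi
+
+ add_attrs $var
 
 genprofile $var:$badperm capability:sys_admin
 xattrtest $var "$badperm+cap SYS_ADMIN" remove security xfail
 #xattrtest $var "$badperm+cap SYS_ADMIN" remove system fail
 xattrtest $var "$badperm+cap SYS_ADMIN" remove trusted xfail
- if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user fail ; fi
+ if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user xfail ; fi
+
+ add_attrs $var
 
 genprofile $var:$okperm
 xattrtest $var $okperm remove security xpass
 #xattrtest $var $okperm remove system fail
 xattrtest $var $okperm remove trusted fail
- if [ $var != $link ] ; then xattrtest $var $okperm remove user xpass ; fi
+ if [ $var != $link ] ; then xattrtest $var $okperm remove user pass ; fi
 
- #set the xattr for thos that passed above again so we can test removing it
- setfattr -h -n security.sdtest -v hello $var
- if [ $var != $link ] ; then setfattr -h -n user.sdtest -v hello $var ; fi
+ add_attrs $var
 
 genprofile $var:$okperm capability:sys_admin
 xattrtest $var "$okperm+cap SYS_ADMIN" remove security pass
@@ -120,3 +140,4 @@
 
 done
 
+umount ${tmpmount}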
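Review bot: None of the new setup commands (`dd`, `mkfs.ext3`, `mkdir`, `mount -o loop,user_xattr`) is checked, so when the mount fails the following `touch`/`ln`/`mkdir` and every xattr test run against a plain directory under `$tmpdir`, and the results no longer say anything about a user_xattr filesystem. The mount line should stop the script on failure, e.g. `mount -o loop,user_xattr ${diskimg} ${tmpmount} || exit 1`. The single `umount ${tmpmount}` at the end is skipped if the script exits early, leaving a loop mount behind, so a cleanup hook is needed unless prologue.inc already provides one. In `add_attrs` the comparison `[ "$1" != $link ]` quotes only one side; `"$link"` should be quoted as well.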
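--- a/utils/SubDomain.pm
+++ b/utils/SubDomain.pm
@@ -2420,7 +2420,7 @@
 my $RE_LOG_v2_1_audit =
 qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
 my $RE_LOG_v2_6_audit =
- qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
+ qr/type=AVC\s+(msg=)?audit\([\d\.\:]+\):\s+apparmor=/;
 
 sub prefetch_next_log_entry {
 # if we already have an existing cache entry, something's broken
@@ -6622,10 +6622,14 @@
 LibAppArmor::free_record($event);
 
 #map new c and d to w as logprof doesn't support them yet
- $rmask =~ s/c/w/g;
- $rmask =~ s/d/w/g;
- $dmask =~ s/c/w/g;
- $dmask =~ s/d/w/g;
+ if ($rmask) {
+ $rmask =~ s/c/w/g;
+ $rmask =~ s/d/w/g;
+ }
+ if ($dmask) {
+ $dmask =~ s/c/w/g;
+ $dmask =~ s/d/w/g;
+ }
 
 if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
 fatal_error(sprintf(gettext('Log contains unknown mode %s.'),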
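Review bot: The optional prefix in `$RE_LOG_v2_6_audit` is written as a capturing group, `(msg=)?`, which adds a capture nobody reads and would shift `$1` for any caller that later adds its own groups; `(?:msg=)?` expresses the intent. In the second hunk the guards `if ($rmask)` and `if ($dmask)` test truthiness where the goal appears to be avoiding a substitution on an undefined value; `if (defined $rmask)` says that directly. The enclosing subroutine starts and ends outside the hunk.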