apparmor/parser/tst/simple_tests/capability/ok_allow5.sd

#
#=DESCRIPTION validate audit allow w/capabilities in hats.
#=EXRESULT PASS
# vim:syntax=apparmor
# Last Modified: Sun Apr 17 19:44:44 2005
#

/does/not/exist2 {
  ^chown {
    audit allow capability chown,
  }
  ^dac_override {
    audit allow capability dac_override,
  }
  ^dac_read_search {
    audit allow capability dac_read_search,
  }
  ^fowner {
    audit allow capability fowner,
  }
  ^fsetid {
    audit allow capability fsetid,
  }
  ^kill {
    audit allow capability kill,
  }
  ^setgid {
    audit allow capability setgid,
  }
  ^setuid {
    audit allow capability setuid,
  }
  ^setpcap {
    audit allow capability setpcap,
  }
  ^linux_immutable {
    audit allow capability linux_immutable,
  }
  ^net_bind_service {
    audit allow capability net_bind_service,
  }
  ^net_broadcast {
    audit allow capability net_broadcast,
  }
  ^net_admin {
    audit allow capability net_admin,
  }
  ^net_raw {
    audit allow capability net_raw,
  }
  ^ipc_lock {
    audit allow capability ipc_lock,
  }
  ^ipc_owner {
    audit allow capability ipc_owner,
  }
  ^sys_module {
    audit allow capability sys_module,
  }
  ^sys_rawio {
    audit allow capability sys_rawio,
  }
  ^sys_chroot {
    audit allow capability sys_chroot,
  }
  ^sys_ptrace {
    audit allow capability sys_ptrace,
  }
  ^sys_pacct {
    audit allow capability sys_pacct,
  }
  ^sys_admin {
    audit allow capability sys_admin,
  }
  ^sys_boot {
    audit allow capability sys_boot,
  }
  ^sys_nice {
    audit allow capability sys_nice,
  }
  ^sys_resource {
    audit allow capability sys_resource,
  }
  ^sys_time {
    audit allow capability sys_time,
  }
  ^sys_tty_config {
    audit allow capability sys_tty_config,
  }
  ^mknod {
    audit allow capability mknod,
  }
  ^lease {
    audit allow capability lease,
  }
  ^audit_write {
    audit allow capability audit_write,
  }
  ^audit_control {
    audit allow capability audit_control,
  }
}
add optional allow prefix to the language From: John Johansen <john.johansen@canonical.com> let allow be used as a prefix in place of deny. Allow is the default and is implicit so it is not needed but some user keep tripping over it, and it makes the language more symmetric eg. /foo rw, allow /foo rw, deny /foo rw, Patch history: v1: - initial revision v2: - rename yacc target rule from opt_deny to opt_perm_mode to reflect that it can be either an allow or deny modifier - break apart tests into more digestible chunks and to clarify their purpose - fix some tests to exercise 'audit allow' - add negative tests for 'allow' and 'deny' in the same rule - add support for 'allow' keyword to apparmor.vim - fix a bug in apparmor.vim to let it recognize multiple capability entries in a single line. v3: - add support for optional keywords on capability rules in regression tests, as well as the bare capability keyword (via 'cap:ALL') - add allow, deny, and conflicting capability behavioral regression tests - fix vim syntax modeline to refer to apparmor in parser tests - adjust FILE regex in vim syntax file creator script Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2013-09-20 06:48:56 -07:00			`#`
			`#=DESCRIPTION validate audit allow w/capabilities in hats.`
			`#=EXRESULT PASS`
			`# vim:syntax=apparmor`
			`# Last Modified: Sun Apr 17 19:44:44 2005`
			`#`

			`/does/not/exist2 {`
			`^chown {`
			`audit allow capability chown,`
			`}`
			`^dac_override {`
			`audit allow capability dac_override,`
			`}`
			`^dac_read_search {`
			`audit allow capability dac_read_search,`
			`}`
			`^fowner {`
			`audit allow capability fowner,`
			`}`
			`^fsetid {`
			`audit allow capability fsetid,`
			`}`
			`^kill {`
			`audit allow capability kill,`
			`}`
			`^setgid {`
			`audit allow capability setgid,`
			`}`
			`^setuid {`
			`audit allow capability setuid,`
			`}`
			`^setpcap {`
			`audit allow capability setpcap,`
			`}`
			`^linux_immutable {`
			`audit allow capability linux_immutable,`
			`}`
			`^net_bind_service {`
			`audit allow capability net_bind_service,`
			`}`
			`^net_broadcast {`
			`audit allow capability net_broadcast,`
			`}`
			`^net_admin {`
			`audit allow capability net_admin,`
			`}`
			`^net_raw {`
			`audit allow capability net_raw,`
			`}`
			`^ipc_lock {`
			`audit allow capability ipc_lock,`
			`}`
			`^ipc_owner {`
			`audit allow capability ipc_owner,`
			`}`
			`^sys_module {`
			`audit allow capability sys_module,`
			`}`
			`^sys_rawio {`
			`audit allow capability sys_rawio,`
			`}`
			`^sys_chroot {`
			`audit allow capability sys_chroot,`
			`}`
			`^sys_ptrace {`
			`audit allow capability sys_ptrace,`
			`}`
			`^sys_pacct {`
			`audit allow capability sys_pacct,`
			`}`
			`^sys_admin {`
			`audit allow capability sys_admin,`
			`}`
			`^sys_boot {`
			`audit allow capability sys_boot,`
			`}`
			`^sys_nice {`
			`audit allow capability sys_nice,`
			`}`
			`^sys_resource {`
			`audit allow capability sys_resource,`
			`}`
			`^sys_time {`
			`audit allow capability sys_time,`
			`}`
			`^sys_tty_config {`
			`audit allow capability sys_tty_config,`
			`}`
			`^mknod {`
			`audit allow capability mknod,`
			`}`
			`^lease {`
			`audit allow capability lease,`
			`}`
			`^audit_write {`
			`audit allow capability audit_write,`
			`}`
			`^audit_control {`
			`audit allow capability audit_control,`
			`}`
			`}`