diff --git a/parser/parser_regex.c b/parser/parser_regex.c
index 310af2084..dc713c82c 100644
--- a/parser/parser_regex.c
+++ b/parser/parser_regex.c
@@ -492,6 +492,8 @@ static int process_profile_name_xmatch(Profile *prof)
 return TRUE;
 }
 
+static int warn_change_profile = 1;
+
 static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 {
 std::string tbuf;
@@ -565,6 +567,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 std::string lbuf;
 int index = 1;
 
+ if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
+ /* don't have profile name here, so until this code
+ * gets refactored just throw out a generic warning
+ */
+ fprintf(stderr, "Warning kernel does not support audit modifier for change_profile rule.\n");
+ warn_change_profile = 0;
+ }
+
 /* allow change_profile for all execs */
 vec[0] = "/[^\\x00]*";
 
@@ -576,12 +586,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
 vec[index++] = tbuf.c_str();
 
 /* regular change_profile rule */
- if (!dfarules->add_rule_vec(0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
+ if (!dfarules->add_rule_vec(entry->deny, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
 return FALSE;
 /* onexec rules - both rules are needed for onexec */
- if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, 1, vec, dfaflags))
+ if (!dfarules->add_rule_vec(entry->deny, AA_ONEXEC, 0, 1, vec, dfaflags))
 return FALSE;
- if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, index, vec, dfaflags))
+ if (!dfarules->add_rule_vec(entry->deny, AA_ONEXEC, 0, index, vec, dfaflags))
 return FALSE;
 }
 return TRUE;
diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y
index ce5715390..df3ce1576 100644
--- a/parser/parser_yacc.y
+++ b/parser/parser_yacc.y
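Review bot: The audit modifier that the grammar now accepts never reaches the DFA in the second and third hunks: only `entry->deny` is threaded into the three add_rule_vec calls, while `entry->audit` is read solely by the new warning, and that warning fires only when WARN_RULE_DOWNGRADED is set. Under default warning flags a policy author who writes `audit change_profile` therefore gets a rule that is silently not audited, which matters because the audit qualifier is what makes profile transitions show up in the log. Consider emitting the downgrade warning regardless of warnflags, and document the one-shot flag, e.g. `/* emitted once per parser run; reset if the parser is ever made reentrant */`. The third add_rule_vec argument, still passed as 0, looks like the audit mask — if so, that is where `entry->audit` belongs once the kernel supports it, but the signature is not on the page. process_dfa_entry starts before and continues after these hunks, and the message would read better as `"Warning: kernel does not support audit modifier for change_profile rule.\n"`.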
@@ -785,13 +785,23 @@ rules: rules opt_prefix unix_rule
 $$ = $1;
 }
 
-rules: rules change_profile
+rules: rules opt_prefix change_profile
 {
 PDEBUG("matched: rules change_profile\n");
- PDEBUG("rules change_profile: (%s)\n", $2->name);
- if (!$2)
+ PDEBUG("rules change_profile: (%s)\n", $3->name);
+ if (!$3)
 yyerror(_("Assert: `change_profile' returned NULL."));
- add_entry_to_policy($1, $2);
+ if ($2.owner)
+ yyerror(_("owner prefix not allowed on unix rules"));
+ if ($2.deny && $2.audit) {
+ $3->deny = 1;
+ } else if ($2.deny) {
+ $3->deny = 1;
+ $3->audit = $3->mode;
+ } else if ($2.audit) {
+ $3->audit = $3->mode;
+ }
+ add_entry_to_policy($1, $3);
 $$ = $1;
 };
 
diff --git a/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd
new file mode 100644
index 000000000..0763dc89c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_1.sd b/parser/tst/simple_tests/change_profile/a_ok_1.sd
new file mode 100644
index 000000000..8dcac5aef
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_2.sd b/parser/tst/simple_tests/change_profile/a_ok_2.sd
new file mode 100644
index 000000000..5967dc8db
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION audit change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/a_ok_3.sd b/parser/tst/simple_tests/change_profile/a_ok_3.sd
new file mode 100644
index 000000000..fba476884
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/a_ok_3.sd
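Review bot: The owner rejection added to the change_profile production reports the wrong rule type: `yyerror(_("owner prefix not allowed on unix rules"));` is copied from the unix_rule production and should read `yyerror(_("owner prefix not allowed on change_profile rules"));` so the failure exercised by aao_bad_6.sd points the policy author at the right rule. Separately, the rewritten PDEBUG line dereferences `$3->name` one line before the `if (!$3)` assert, so with debugging compiled in the NULL check can never trigger; moving the PDEBUG below the check keeps the assert meaningful. The deny/audit mapping gives `audit deny` a different result from plain `deny` (the mode is copied into the audit mask only in the latter case), which mirrors the other productions but is not obvious in isolation; a one-line comment stating what the audit mask means for deny rules would help the next reader.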
@@ -0,0 +1,7 @@ +# +#=DESCRIPTION audit change_profile with name space +#=EXRESULT PASS +# +/usr/bin/foo { + audit change_profile -> :foo:/bin/foo, +} diff --git a/parser/tst/simple_tests/change_profile/a_ok_4.sd b/parser/tst/simple_tests/change_profile/a_ok_4.sd new file mode 100644 index 000000000..025d9d3cf --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_ok_4.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION audit change_profile with a variable (LP: #390810) +#=EXRESULT PASS +# + +@{LIBVIRT}="libvirt" + +/usr/bin/foo { + audit change_profile -> @{LIBVIRT}-foo, +} diff --git a/parser/tst/simple_tests/change_profile/a_ok_5.sd b/parser/tst/simple_tests/change_profile/a_ok_5.sd new file mode 100644 index 000000000..9b336e567 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_ok_5.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION audit change_profile with variable+regex (LP: #390810) +#=EXRESULT PASS +# + +@{LIBVIRT}="libvirt" + +/usr/bin/foo { + audit change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +} diff --git a/parser/tst/simple_tests/change_profile/a_ok_6.sd b/parser/tst/simple_tests/change_profile/a_ok_6.sd new file mode 100644 index 000000000..57684d14b --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_ok_6.sd @@ -0,0 +1,11 @@ +# +#=DESCRIPTION audit change_profile with quotes +#=EXRESULT PASS +# +/usr/bin/foo { + audit change_profile -> "/bin/foo", +} + +/usr/bin/foo2 { + audit change_profile -> "/bin/ foo", +} diff --git a/parser/tst/simple_tests/change_profile/a_ok_7.sd b/parser/tst/simple_tests/change_profile/a_ok_7.sd new file mode 100644 index 000000000..879be48dc --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_ok_7.sd @@ -0,0 +1,11 @@ +# +#=DESCRIPTION audit change_profile to a hat with quotes +#=EXRESULT PASS +# +/usr/bin/foo { + audit change_profile -> "/bin/foo//bar", +} + +/usr/bin/foo2 { + audit change_profile -> "/bin/foo// bar", +} 
diff --git a/parser/tst/simple_tests/change_profile/a_ok_8.sd b/parser/tst/simple_tests/change_profile/a_ok_8.sd new file mode 100644 index 000000000..01e6dc78a --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_ok_8.sd @@ -0,0 +1,11 @@ +# +#=DESCRIPTION audit change_profile with name space with quotes +#=EXRESULT PASS +# +/usr/bin/foo { + audit change_profile -> ":foo:/bin/foo", +} + +/usr/bin/foo2 { + audit change_profile -> ":foo:/bin/ foo", +} diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_1.sd b/parser/tst/simple_tests/change_profile/a_re_ok_1.sd new file mode 100644 index 000000000..3ff2991fe --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_re_ok_1.sd @@ -0,0 +1,24 @@ +# +#=DESCRIPTION audit change_profile +#=EXRESULT PASS +# +/usr/bin/foo { + audit change_profile -> /bin/*, +} + +/usr/bin/foo2 { + audit change_profile -> /bin/**, +} + +/usr/bin/foo3 { + audit change_profile -> /bin/?, +} + +/usr/bin/foo4 { + audit change_profile -> /bin/[ab], +} + +/usr/bin/foo5 { + audit change_profile -> /bin/[^ab], +} + diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_2.sd b/parser/tst/simple_tests/change_profile/a_re_ok_2.sd new file mode 100644 index 000000000..a113defa4 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_re_ok_2.sd 
@@ -0,0 +1,69 @@ +# +#=DESCRIPTION audit change_profile to a hat +#=EXRESULT PASS +# +/usr/bin/foo { + audit change_profile -> /bin/foo//bar, +} + +/usr/bin/foo2 { + audit change_profile -> /bin/foo//ba*, +} + +/usr/bin/foo3 { + audit change_profile -> /bin/foo//ba**, +} + +/usr/bin/foo4 { + audit change_profile -> /bin/foo//ba?, +} + +/usr/bin/foo5 { + audit change_profile -> /bin/foo//ba[ab], +} + +/usr/bin/foo6 { + audit change_profile -> /bin/foo//ba[^ab], +} + +/usr/bin/foo7 { + audit change_profile -> /bin/fo*//bar, +} + +/usr/bin/foo8 { + audit change_profile -> /bin/fo**//bar, +} + +/usr/bin/foo9 { + audit change_profile -> /bin/fo?//bar, +} + +/usr/bin/foo10 { + audit change_profile -> /bin/fo[ab]//bar, +} + +/usr/bin/foo11 { + audit change_profile -> /bin/fo[^ab]//bar, +} + +/usr/bin/foo12 { + audit change_profile -> /bin/fo*//ba*, +} + +/usr/bin/foo13 { + audit change_profile -> /bin/fo**//ba**, +} + +/usr/bin/foo14 { + audit change_profile -> /bin/fo?//ba?, +} + +/usr/bin/foo15 { + audit change_profile -> /bin/fo[ab]//ba[ab], +} + +/usr/bin/foo16 { + audit change_profile -> /bin/fo[^ab]//ba[^ab], +} + + diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_3.sd b/parser/tst/simple_tests/change_profile/a_re_ok_3.sd new file mode 100644 index 000000000..d60133e8c --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_re_ok_3.sd 
@@ -0,0 +1,67 @@ +# +#=DESCRIPTION audit change_profile with name space +#=EXRESULT PASS +# +/usr/bin/foo { + audit change_profile -> :foo:/bin/foo, +} + +/usr/bin/foo2 { + audit change_profile -> :foo:/bin/fo*, +} + +/usr/bin/foo3 { + audit change_profile -> :foo:/bin/fo**, +} + +/usr/bin/foo4 { + audit change_profile -> :foo:/bin/fo?, +} + +/usr/bin/foo5 { + audit change_profile -> :foo:/bin/fo[ab], +} + +/usr/bin/foo6 { + audit change_profile -> :foo:/bin/fo[^ab], +} + +/usr/bin/foo7 { + audit change_profile -> :fo*:/bin/foo, +} + +/usr/bin/foo8 { + audit change_profile -> :fo**:/bin/foo, +} + +/usr/bin/foo9 { + audit change_profile -> :fo?:/bin/foo, +} + +/usr/bin/foo10 { + audit change_profile -> :fo[ab]:/bin/foo, +} + +/usr/bin/foo11 { + audit change_profile -> :fo[^ab]:/bin/foo, +} + +/usr/bin/foo12 { + audit change_profile -> :fo*:/bin/fo*, +} + +/usr/bin/foo13 { + audit change_profile -> :fo**:/bin/fo**, +} + +/usr/bin/foo14 { + audit change_profile -> :fo?:/bin/fo?, +} + +/usr/bin/foo15 { + audit change_profile -> :fo[ab]:/bin/fo[ab], +} + +/usr/bin/foo16 { + audit change_profile -> :fo[^ab]:/bin/fo[^ab], +} diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_4.sd b/parser/tst/simple_tests/change_profile/a_re_ok_4.sd new file mode 100644 index 000000000..a379127e0 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_re_ok_4.sd 
@@ -0,0 +1,51 @@ +# +#=DESCRIPTION audit change_profile with a variable (LP: #390810) +#=EXRESULT PASS +# + +@{LIBVIRT}="libvirt" +@{LIBVIRT_RE}="libvirt*" + +/usr/bin/foo { + audit change_profile -> @{LIBVIRT}-fo*, +} + +/usr/bin/foo2 { + audit change_profile -> @{LIBVIRT}-fo**, +} + +/usr/bin/foo3 { + audit change_profile -> @{LIBVIRT}-fo[ab], +} + +/usr/bin/foo4 { + audit change_profile -> @{LIBVIRT}-fo[^ab], +} + +/usr/bin/foo5 { + audit change_profile -> @{LIBVIRT}-fo?, +} + +/usr/bin/foo6 { + audit change_profile -> @{LIBVIRT_RE}-foo, +} + +/usr/bin/foo7 { + audit change_profile -> @{LIBVIRT_RE}-fo*, +} + +/usr/bin/foo8 { + audit change_profile -> @{LIBVIRT_RE}-fo**, +} + +/usr/bin/foo9 { + audit change_profile -> @{LIBVIRT_RE}-fo?, +} + +/usr/bin/foo10 { + audit change_profile -> @{LIBVIRT_RE}-fo[ab], +} + +/usr/bin/foo11 { + audit change_profile -> @{LIBVIRT_RE}-fo[^ab], +} diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_5.sd b/parser/tst/simple_tests/change_profile/a_re_ok_5.sd new file mode 100644 index 000000000..5dc20208c --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_re_ok_5.sd @@ -0,0 +1,25 @@ +# +#=DESCRIPTION audit change_profile with just res +#=EXRESULT PASS +# + +/usr/bin/foo { + audit change_profile -> *, +} + +/usr/bin/foo2 { + audit change_profile -> **, +} + +/usr/bin/foo3 { + audit change_profile -> ?, +} + +/usr/bin/foo4 { + audit change_profile -> [ab], +} + +/usr/bin/foo5 { + audit change_profile -> [^ab], +} + diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_6.sd b/parser/tst/simple_tests/change_profile/a_re_ok_6.sd new file mode 100644 index 000000000..436ee3c44 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_re_ok_6.sd 
@@ -0,0 +1,65 @@ +# +#=DESCRIPTION audit change_profile with just res, child profile +#=EXRESULT PASS +# + +/usr/bin/foo { + audit change_profile -> *//ab, +} + +/usr/bin/foo2 { + audit change_profile -> **//ab, +} + +/usr/bin/foo3 { + audit change_profile -> ?//ab, +} + +/usr/bin/foo4 { + audit change_profile -> [ab]//ab, +} + +/usr/bin/foo5 { + audit change_profile -> [^ab]//ab, +} + +/usr/bin/foo6 { + audit change_profile -> ab//*, +} + +/usr/bin/foo7 { + audit change_profile -> ab//**, +} + +/usr/bin/foo8 { + audit change_profile -> ab//?, +} + +/usr/bin/foo9 { + audit change_profile -> ab//[ab], +} + +/usr/bin/foo10 { + audit change_profile -> ab//[^ab], +} + +/usr/bin/foo11 { + audit change_profile -> *//*, +} + +/usr/bin/foo12 { + audit change_profile -> **//*, +} + +/usr/bin/foo13 { + audit change_profile -> ?//*, +} + +/usr/bin/foo14 { + audit change_profile -> [ab]//*, +} + +/usr/bin/foo15 { + audit change_profile -> [^ab]//*, +} + diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_7.sd b/parser/tst/simple_tests/change_profile/a_re_ok_7.sd new file mode 100644 index 000000000..3452d3af0 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_re_ok_7.sd 
@@ -0,0 +1,65 @@ +# +#=DESCRIPTION audit change_profile with just re, namespace +#=EXRESULT PASS +# + + +/usr/bin/foo { + audit change_profile -> :ab:*, +} + +/usr/bin/foo2 { + audit change_profile -> :ab:**, +} + +/usr/bin/foo3 { + audit change_profile -> :ab:?, +} + +/usr/bin/foo4 { + audit change_profile -> :ab:[ab], +} + +/usr/bin/foo5 { + audit change_profile -> :ab:[^ab], +} + +/usr/bin/foo6 { + audit change_profile -> :*:ab, +} + +/usr/bin/foo7 { + audit change_profile -> :**:ab, +} + +/usr/bin/foo8 { + audit change_profile -> :?:ab, +} + +/usr/bin/foo9 { + audit change_profile -> :[ab]:ab, +} + +/usr/bin/foo10 { + audit change_profile -> :[^ab]:ab, +} + +/usr/bin/foo11 { + audit change_profile -> :*:*, +} + +/usr/bin/foo12 { + audit change_profile -> :**:**, +} + +/usr/bin/foo13 { + audit change_profile -> :?:?, +} + +/usr/bin/foo14 { + audit change_profile -> :[ab]:[ab], +} + +/usr/bin/foo15 { + audit change_profile -> :[^ab]:[^ab], +} diff --git a/parser/tst/simple_tests/change_profile/a_re_ok_8.sd b/parser/tst/simple_tests/change_profile/a_re_ok_8.sd new file mode 100644 index 000000000..694892866 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/a_re_ok_8.sd @@ -0,0 +1,45 @@ +# +#=DESCRIPTION audit change_profile re with quotes +#=EXRESULT PASS +# + +/usr/bin/foo5 { + audit change_profile -> "/bin/*", +} + +/usr/bin/foo6 { + audit change_profile -> "/bin/**", +} + +/usr/bin/foo7 { + audit change_profile -> "/bin/[ab]", +} + +/usr/bin/foo8 { + audit change_profile -> "/bin/[^ab]", +} + +/usr/bin/foo10 { + audit change_profile -> "/bin/?ab", +} + +/usr/bin/foo11 { + audit change_profile -> "/bin/ *", +} + +/usr/bin/foo12 { + audit change_profile -> "/bin/ **", +} + +/usr/bin/foo13 { + audit change_profile -> "/bin/ [ab]", +} + +/usr/bin/foo14 { + audit change_profile -> "/bin/ [^ab]", +} + +/usr/bin/foo15 { + audit change_profile -> "/bin/ ?ab", +} + 
diff --git a/parser/tst/simple_tests/change_profile/aa_ok_1.sd b/parser/tst/simple_tests/change_profile/aa_ok_1.sd new file mode 100644 index 000000000..4950d9a4c --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_ok_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION audit allow change_profile +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> /bin/foo, +} diff --git a/parser/tst/simple_tests/change_profile/aa_ok_2.sd b/parser/tst/simple_tests/change_profile/aa_ok_2.sd new file mode 100644 index 000000000..1ba7e7475 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_ok_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION audit allow change_profile to a hat +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> /bin/foo//bar, +} diff --git a/parser/tst/simple_tests/change_profile/aa_ok_3.sd b/parser/tst/simple_tests/change_profile/aa_ok_3.sd new file mode 100644 index 000000000..208d8076c --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_ok_3.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION audit allow change_profile with name space +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> :foo:/bin/foo, +} diff --git a/parser/tst/simple_tests/change_profile/aa_ok_4.sd b/parser/tst/simple_tests/change_profile/aa_ok_4.sd new file mode 100644 index 000000000..9d139de4c --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_ok_4.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION audit allow change_profile with a variable (LP: #390810) +#=EXRESULT PASS +# + +@{LIBVIRT}="libvirt" + +/usr/bin/foo { + audit allow change_profile -> @{LIBVIRT}-foo, +} diff --git a/parser/tst/simple_tests/change_profile/aa_ok_5.sd b/parser/tst/simple_tests/change_profile/aa_ok_5.sd new file mode 100644 index 000000000..9ba2675d7 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_ok_5.sd 
@@ -0,0 +1,10 @@ +# +#=DESCRIPTION audit allow change_profile with variable+regex (LP: #390810) +#=EXRESULT PASS +# + +@{LIBVIRT}="libvirt" + +/usr/bin/foo { + audit allow change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +} diff --git a/parser/tst/simple_tests/change_profile/aa_ok_6.sd b/parser/tst/simple_tests/change_profile/aa_ok_6.sd new file mode 100644 index 000000000..12182890c --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_ok_6.sd @@ -0,0 +1,11 @@ +# +#=DESCRIPTION audit allow change_profile with quotes +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> "/bin/foo", +} + +/usr/bin/foo2 { + audit allow change_profile -> "/bin/ foo", +} diff --git a/parser/tst/simple_tests/change_profile/aa_ok_7.sd b/parser/tst/simple_tests/change_profile/aa_ok_7.sd new file mode 100644 index 000000000..77c7be692 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_ok_7.sd @@ -0,0 +1,11 @@ +# +#=DESCRIPTION audit allow change_profile to a hat with quotes +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> "/bin/foo//bar", +} + +/usr/bin/foo2 { + audit allow change_profile -> "/bin/foo// bar", +} diff --git a/parser/tst/simple_tests/change_profile/aa_ok_8.sd b/parser/tst/simple_tests/change_profile/aa_ok_8.sd new file mode 100644 index 000000000..786505bef --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_ok_8.sd @@ -0,0 +1,11 @@ +# +#=DESCRIPTION audit allow change_profile with name space with quotes +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> ":foo:/bin/foo", +} + +/usr/bin/foo2 { + audit allow change_profile -> ":foo:/bin/ foo", +} diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd new file mode 100644 index 000000000..7cfc02787 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_re_ok_1.sd 
@@ -0,0 +1,24 @@ +# +#=DESCRIPTION audit allow change_profile +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> /bin/*, +} + +/usr/bin/foo2 { + audit allow change_profile -> /bin/**, +} + +/usr/bin/foo3 { + audit allow change_profile -> /bin/?, +} + +/usr/bin/foo4 { + audit allow change_profile -> /bin/[ab], +} + +/usr/bin/foo5 { + audit allow change_profile -> /bin/[^ab], +} + diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd new file mode 100644 index 000000000..a8967f87d --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_re_ok_2.sd @@ -0,0 +1,69 @@ +# +#=DESCRIPTION audit allow change_profile to a hat +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> /bin/foo//bar, +} + +/usr/bin/foo2 { + audit allow change_profile -> /bin/foo//ba*, +} + +/usr/bin/foo3 { + audit allow change_profile -> /bin/foo//ba**, +} + +/usr/bin/foo4 { + audit allow change_profile -> /bin/foo//ba?, +} + +/usr/bin/foo5 { + audit allow change_profile -> /bin/foo//ba[ab], +} + +/usr/bin/foo6 { + audit allow change_profile -> /bin/foo//ba[^ab], +} + +/usr/bin/foo7 { + audit allow change_profile -> /bin/fo*//bar, +} + +/usr/bin/foo8 { + audit allow change_profile -> /bin/fo**//bar, +} + +/usr/bin/foo9 { + audit allow change_profile -> /bin/fo?//bar, +} + +/usr/bin/foo10 { + audit allow change_profile -> /bin/fo[ab]//bar, +} + +/usr/bin/foo11 { + audit allow change_profile -> /bin/fo[^ab]//bar, +} + +/usr/bin/foo12 { + audit allow change_profile -> /bin/fo*//ba*, +} + +/usr/bin/foo13 { + audit allow change_profile -> /bin/fo**//ba**, +} + +/usr/bin/foo14 { + audit allow change_profile -> /bin/fo?//ba?, +} + +/usr/bin/foo15 { + audit allow change_profile -> /bin/fo[ab]//ba[ab], +} + +/usr/bin/foo16 { + audit allow change_profile -> /bin/fo[^ab]//ba[^ab], +} + + 
diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd new file mode 100644 index 000000000..1c533aee5 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_re_ok_3.sd @@ -0,0 +1,67 @@ +# +#=DESCRIPTION audit allow change_profile with name space +#=EXRESULT PASS +# +/usr/bin/foo { + audit allow change_profile -> :foo:/bin/foo, +} + +/usr/bin/foo2 { + audit allow change_profile -> :foo:/bin/fo*, +} + +/usr/bin/foo3 { + audit allow change_profile -> :foo:/bin/fo**, +} + +/usr/bin/foo4 { + audit allow change_profile -> :foo:/bin/fo?, +} + +/usr/bin/foo5 { + audit allow change_profile -> :foo:/bin/fo[ab], +} + +/usr/bin/foo6 { + audit allow change_profile -> :foo:/bin/fo[^ab], +} + +/usr/bin/foo7 { + audit allow change_profile -> :fo*:/bin/foo, +} + +/usr/bin/foo8 { + audit allow change_profile -> :fo**:/bin/foo, +} + +/usr/bin/foo9 { + audit allow change_profile -> :fo?:/bin/foo, +} + +/usr/bin/foo10 { + audit allow change_profile -> :fo[ab]:/bin/foo, +} + +/usr/bin/foo11 { + audit allow change_profile -> :fo[^ab]:/bin/foo, +} + +/usr/bin/foo12 { + audit allow change_profile -> :fo*:/bin/fo*, +} + +/usr/bin/foo13 { + audit allow change_profile -> :fo**:/bin/fo**, +} + +/usr/bin/foo14 { + audit allow change_profile -> :fo?:/bin/fo?, +} + +/usr/bin/foo15 { + audit allow change_profile -> :fo[ab]:/bin/fo[ab], +} + +/usr/bin/foo16 { + audit allow change_profile -> :fo[^ab]:/bin/fo[^ab], +} diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd new file mode 100644 index 000000000..297915a70 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_re_ok_4.sd 
@@ -0,0 +1,51 @@ +# +#=DESCRIPTION audit allow change_profile with a variable (LP: #390810) +#=EXRESULT PASS +# + +@{LIBVIRT}="libvirt" +@{LIBVIRT_RE}="libvirt*" + +/usr/bin/foo { + audit allow change_profile -> @{LIBVIRT}-fo*, +} + +/usr/bin/foo2 { + audit allow change_profile -> @{LIBVIRT}-fo**, +} + +/usr/bin/foo3 { + audit allow change_profile -> @{LIBVIRT}-fo[ab], +} + +/usr/bin/foo4 { + audit allow change_profile -> @{LIBVIRT}-fo[^ab], +} + +/usr/bin/foo5 { + audit allow change_profile -> @{LIBVIRT}-fo?, +} + +/usr/bin/foo6 { + audit allow change_profile -> @{LIBVIRT_RE}-foo, +} + +/usr/bin/foo7 { + audit allow change_profile -> @{LIBVIRT_RE}-fo*, +} + +/usr/bin/foo8 { + audit allow change_profile -> @{LIBVIRT_RE}-fo**, +} + +/usr/bin/foo9 { + audit allow change_profile -> @{LIBVIRT_RE}-fo?, +} + +/usr/bin/foo10 { + audit allow change_profile -> @{LIBVIRT_RE}-fo[ab], +} + +/usr/bin/foo11 { + audit allow change_profile -> @{LIBVIRT_RE}-fo[^ab], +} diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd new file mode 100644 index 000000000..3e01b85f2 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_re_ok_5.sd @@ -0,0 +1,25 @@ +# +#=DESCRIPTION audit allow change_profile with just res +#=EXRESULT PASS +# + +/usr/bin/foo { + audit allow change_profile -> *, +} + +/usr/bin/foo2 { + audit allow change_profile -> **, +} + +/usr/bin/foo3 { + audit allow change_profile -> ?, +} + +/usr/bin/foo4 { + audit allow change_profile -> [ab], +} + +/usr/bin/foo5 { + audit allow change_profile -> [^ab], +} + diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd new file mode 100644 index 000000000..7558377f4 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_re_ok_6.sd 
@@ -0,0 +1,65 @@ +# +#=DESCRIPTION audit allow change_profile with just res, child profile +#=EXRESULT PASS +# + +/usr/bin/foo { + audit allow change_profile -> *//ab, +} + +/usr/bin/foo2 { + audit allow change_profile -> **//ab, +} + +/usr/bin/foo3 { + audit allow change_profile -> ?//ab, +} + +/usr/bin/foo4 { + audit allow change_profile -> [ab]//ab, +} + +/usr/bin/foo5 { + audit allow change_profile -> [^ab]//ab, +} + +/usr/bin/foo6 { + audit allow change_profile -> ab//*, +} + +/usr/bin/foo7 { + audit allow change_profile -> ab//**, +} + +/usr/bin/foo8 { + audit allow change_profile -> ab//?, +} + +/usr/bin/foo9 { + audit allow change_profile -> ab//[ab], +} + +/usr/bin/foo10 { + audit allow change_profile -> ab//[^ab], +} + +/usr/bin/foo11 { + audit allow change_profile -> *//*, +} + +/usr/bin/foo12 { + audit allow change_profile -> **//*, +} + +/usr/bin/foo13 { + audit allow change_profile -> ?//*, +} + +/usr/bin/foo14 { + audit allow change_profile -> [ab]//*, +} + +/usr/bin/foo15 { + audit allow change_profile -> [^ab]//*, +} + diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd new file mode 100644 index 000000000..b522af806 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_re_ok_7.sd 
@@ -0,0 +1,65 @@ +# +#=DESCRIPTION audit allow change_profile with just re, namespace +#=EXRESULT PASS +# + + +/usr/bin/foo { + audit allow change_profile -> :ab:*, +} + +/usr/bin/foo2 { + audit allow change_profile -> :ab:**, +} + +/usr/bin/foo3 { + audit allow change_profile -> :ab:?, +} + +/usr/bin/foo4 { + audit allow change_profile -> :ab:[ab], +} + +/usr/bin/foo5 { + audit allow change_profile -> :ab:[^ab], +} + +/usr/bin/foo6 { + audit allow change_profile -> :*:ab, +} + +/usr/bin/foo7 { + audit allow change_profile -> :**:ab, +} + +/usr/bin/foo8 { + audit allow change_profile -> :?:ab, +} + +/usr/bin/foo9 { + audit allow change_profile -> :[ab]:ab, +} + +/usr/bin/foo10 { + audit allow change_profile -> :[^ab]:ab, +} + +/usr/bin/foo11 { + audit allow change_profile -> :*:*, +} + +/usr/bin/foo12 { + audit allow change_profile -> :**:**, +} + +/usr/bin/foo13 { + audit allow change_profile -> :?:?, +} + +/usr/bin/foo14 { + audit allow change_profile -> :[ab]:[ab], +} + +/usr/bin/foo15 { + audit allow change_profile -> :[^ab]:[^ab], +} diff --git a/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd b/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd new file mode 100644 index 000000000..6a15f5a14 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aa_re_ok_8.sd 
@@ -0,0 +1,45 @@ +# +#=DESCRIPTION audit allow change_profile re with quotes +#=EXRESULT PASS +# + +/usr/bin/foo5 { + audit allow change_profile -> "/bin/*", +} + +/usr/bin/foo6 { + audit allow change_profile -> "/bin/**", +} + +/usr/bin/foo7 { + audit allow change_profile -> "/bin/[ab]", +} + +/usr/bin/foo8 { + audit allow change_profile -> "/bin/[^ab]", +} + +/usr/bin/foo10 { + audit allow change_profile -> "/bin/?ab", +} + +/usr/bin/foo11 { + audit allow change_profile -> "/bin/ *", +} + +/usr/bin/foo12 { + audit allow change_profile -> "/bin/ **", +} + +/usr/bin/foo13 { + audit allow change_profile -> "/bin/ [ab]", +} + +/usr/bin/foo14 { + audit allow change_profile -> "/bin/ [^ab]", +} + +/usr/bin/foo15 { + audit allow change_profile -> "/bin/ ?ab", +} + diff --git a/parser/tst/simple_tests/change_profile/aao_bad_6.sd b/parser/tst/simple_tests/change_profile/aao_bad_6.sd new file mode 100644 index 000000000..b4109d2b9 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/aao_bad_6.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION owner not allowed on change_profile +#=EXRESULT FAIL +# +/usr/bin/foo { + audit allow owner change_profile -> "/bin/foo", +} diff --git a/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd new file mode 100644 index 000000000..e236803e9 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/ad_bare_ok_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION audit deny change_profile +#=EXRESULT PASS +# +/usr/bin/foo { + audit deny change_profile, +} diff --git a/parser/tst/simple_tests/change_profile/ad_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_ok_1.sd new file mode 100644 index 000000000..7df874c67 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/ad_ok_1.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION audit deny change_profile +#=EXRESULT PASS +# +/usr/bin/foo { + audit deny change_profile -> /bin/foo, +} 
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_2.sd b/parser/tst/simple_tests/change_profile/ad_ok_2.sd new file mode 100644 index 000000000..9ca265ade --- /dev/null +++ b/parser/tst/simple_tests/change_profile/ad_ok_2.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION audit deny change_profile to a hat +#=EXRESULT PASS +# +/usr/bin/foo { + audit deny change_profile -> /bin/foo//bar, +} diff --git a/parser/tst/simple_tests/change_profile/ad_ok_3.sd b/parser/tst/simple_tests/change_profile/ad_ok_3.sd new file mode 100644 index 000000000..ca9537995 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/ad_ok_3.sd @@ -0,0 +1,7 @@ +# +#=DESCRIPTION audit deny change_profile with name space +#=EXRESULT PASS +# +/usr/bin/foo { + audit deny change_profile -> :foo:/bin/foo, +} diff --git a/parser/tst/simple_tests/change_profile/ad_ok_4.sd b/parser/tst/simple_tests/change_profile/ad_ok_4.sd new file mode 100644 index 000000000..368389d98 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/ad_ok_4.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION audit deny change_profile with a variable (LP: #390810) +#=EXRESULT PASS +# + +@{LIBVIRT}="libvirt" + +/usr/bin/foo { + audit deny change_profile -> @{LIBVIRT}-foo, +} diff --git a/parser/tst/simple_tests/change_profile/ad_ok_5.sd b/parser/tst/simple_tests/change_profile/ad_ok_5.sd new file mode 100644 index 000000000..40ac16795 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/ad_ok_5.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION audit deny change_profile with variable+regex (LP: #390810) +#=EXRESULT PASS +# + +@{LIBVIRT}="libvirt" + +/usr/bin/foo { + audit deny change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, +} diff --git a/parser/tst/simple_tests/change_profile/ad_ok_6.sd b/parser/tst/simple_tests/change_profile/ad_ok_6.sd new file mode 100644 index 000000000..cd0af01d8 --- /dev/null +++ b/parser/tst/simple_tests/change_profile/ad_ok_6.sd 
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit deny change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_7.sd b/parser/tst/simple_tests/change_profile/ad_ok_7.sd
new file mode 100644
index 000000000..c5c44d04f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit deny change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_ok_8.sd b/parser/tst/simple_tests/change_profile/ad_ok_8.sd
new file mode 100644
index 000000000..e2f04d782
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION audit deny change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit deny change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd
new file mode 100644
index 000000000..15268bc8e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION audit deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit deny change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+ audit deny change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+ audit deny change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+ audit deny change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd
new file mode 100644
index 000000000..936f1dec9
--- /dev/null
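Review bot: The `#=DESCRIPTION` lines in the regex fixtures are copied from the plain ones and no longer say what is tested: `ad_re_ok_1.sd` reads `#=DESCRIPTION audit deny change_profile` although every rule in it uses a glob, and `allow_re_ok_1.sd` and `d_re_ok_1.sd` later in this diff have the same wording problem. Suggest `#=DESCRIPTION audit deny change_profile with regex` here and the matching wording for the other two. `allowo_bad_1.sd` further down also has a typo in `#=DESCRIPTION owner not allow in change_profile`; the neighbouring negative fixtures say `not allowed`.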
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION audit deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit deny change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+ audit deny change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+ audit deny change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+ audit deny change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+ audit deny change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+ audit deny change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+ audit deny change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+ audit deny change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+ audit deny change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+ audit deny change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+ audit deny change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+ audit deny change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+ audit deny change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+ audit deny change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+ audit deny change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd
new file mode 100644
index 000000000..00bb7105c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION audit deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ audit deny change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+ audit deny change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+ audit deny change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+ audit deny change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+ audit deny change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+ audit deny change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+ audit deny change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+ audit deny change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+ audit deny change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+ audit deny change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+ audit deny change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+ audit deny change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+ audit deny change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+ audit deny change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+ audit deny change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd
new file mode 100644
index 000000000..3e7837018
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION audit deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+ audit deny change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+ audit deny change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+ audit deny change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+ audit deny change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+ audit deny change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+ audit deny change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+ audit deny change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+ audit deny change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+ audit deny change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+ audit deny change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd
new file mode 100644
index 000000000..960d6ca40
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION audit deny change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+ audit deny change_profile -> *,
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> **,
+}
+
+/usr/bin/foo3 {
+ audit deny change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+ audit deny change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+ audit deny change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd
new file mode 100644
index 000000000..b3ef1c633
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+ audit deny change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+ audit deny change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+ audit deny change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+ audit deny change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+ audit deny change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+ audit deny change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+ audit deny change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+ audit deny change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+ audit deny change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+ audit deny change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+ audit deny change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+ audit deny change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+ audit deny change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+ audit deny change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd
new file mode 100644
index 000000000..db58ac4a5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION audit deny change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+ audit deny change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+ audit deny change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+ audit deny change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+ audit deny change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+ audit deny change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+ audit deny change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+ audit deny change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+ audit deny change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+ audit deny change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+ audit deny change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+ audit deny change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+ audit deny change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+ audit deny change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+ audit deny change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+ audit deny change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd b/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd
new file mode 100644
index 000000000..dd8aca3d7
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ad_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION audit deny change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+ audit deny change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+ audit deny change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+ audit deny change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+ audit deny change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+ audit deny change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+ audit deny change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+ audit deny change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+ audit deny change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+ audit deny change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+ audit deny change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/ado_bad_1.sd b/parser/tst/simple_tests/change_profile/ado_bad_1.sd
new file mode 100644
index 000000000..535c15c71
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ado_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed on change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ audit deny owner change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd
new file mode 100644
index 000000000..116f3c3ab
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ado_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ audit deny owner change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_1.sd b/parser/tst/simple_tests/change_profile/allow_ok_1.sd
new file mode 100644
index 000000000..77bec70b6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_2.sd b/parser/tst/simple_tests/change_profile/allow_ok_2.sd
new file mode 100644
index 000000000..afa79e73e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_3.sd b/parser/tst/simple_tests/change_profile/allow_ok_3.sd
new file mode 100644
index 000000000..3a96d7f7c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_4.sd b/parser/tst/simple_tests/change_profile/allow_ok_4.sd
new file mode 100644
index 000000000..668d422fa
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+ allow change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_5.sd b/parser/tst/simple_tests/change_profile/allow_ok_5.sd
new file mode 100644
index 000000000..bd8aa5bdf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION allow change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+ allow change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_6.sd b/parser/tst/simple_tests/change_profile/allow_ok_6.sd
new file mode 100644
index 000000000..7ad9c5a56
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_7.sd b/parser/tst/simple_tests/change_profile/allow_ok_7.sd
new file mode 100644
index 000000000..9e233020f
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_ok_8.sd b/parser/tst/simple_tests/change_profile/allow_ok_8.sd
new file mode 100644
index 000000000..ee57c06fe
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION allow change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd
new file mode 100644
index 000000000..268cba2b3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION allow change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+ allow change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+ allow change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+ allow change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd
new file mode 100644
index 000000000..76a5adb0e
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION allow change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+ allow change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+ allow change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+ allow change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+ allow change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+ allow change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+ allow change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+ allow change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+ allow change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+ allow change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+ allow change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+ allow change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+ allow change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+ allow change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+ allow change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd
new file mode 100644
index 000000000..b1dc55799
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION allow change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ allow change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+ allow change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+ allow change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+ allow change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+ allow change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+ allow change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+ allow change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+ allow change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+ allow change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+ allow change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+ allow change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+ allow change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+ allow change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+ allow change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+ allow change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd
new file mode 100644
index 000000000..b656b2f65
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION allow change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+ allow change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+ allow change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+ allow change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+ allow change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+ allow change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+ allow change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+ allow change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+ allow change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+ allow change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+ allow change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd
new file mode 100644
index 000000000..0a4a6e5d5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION allow change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+ allow change_profile -> *,
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> **,
+}
+
+/usr/bin/foo3 {
+ allow change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+ allow change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+ allow change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd
new file mode 100644
index 000000000..1ca41341d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+ allow change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+ allow change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+ allow change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+ allow change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+ allow change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+ allow change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+ allow change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+ allow change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+ allow change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+ allow change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+ allow change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+ allow change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+ allow change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+ allow change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd
new file mode 100644
index 000000000..6c6ee92c8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION allow change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+ allow change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+ allow change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+ allow change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+ allow change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+ allow change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+ allow change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+ allow change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+ allow change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+ allow change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+ allow change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+ allow change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+ allow change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+ allow change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+ allow change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+ allow change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd b/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd
new file mode 100644
index 000000000..985e7f240
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allow_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION allow change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+ allow change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+ allow change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+ allow change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+ allow change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+ allow change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+ allow change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+ allow change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+ allow change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+ allow change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+ allow change_profile -> "/bin/ ?ab",
+}
+
diff --git a/parser/tst/simple_tests/change_profile/allowo_bad_1.sd b/parser/tst/simple_tests/change_profile/allowo_bad_1.sd
new file mode 100644
index 000000000..fde8f4987
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/allowo_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allow in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ allow owner change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/ao_badh_1.sd b/parser/tst/simple_tests/change_profile/ao_badh_1.sd
new file mode 100644
index 000000000..090ba9963
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/ao_badh_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ audit owner change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd b/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd
new file mode 100644
index 000000000..fcb0b5e75
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_bare_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_1.sd b/parser/tst/simple_tests/change_profile/d_ok_1.sd
new file mode 100644
index 000000000..be02edef8
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> /bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_2.sd b/parser/tst/simple_tests/change_profile/d_ok_2.sd
new file mode 100644
index 000000000..8004d8834
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> /bin/foo//bar,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_3.sd b/parser/tst/simple_tests/change_profile/d_ok_3.sd
new file mode 100644
index 000000000..1ce12ad85
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> :foo:/bin/foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_4.sd b/parser/tst/simple_tests/change_profile/d_ok_4.sd
new file mode 100644
index 000000000..84269dcb9
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+ deny change_profile -> @{LIBVIRT}-foo,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_5.sd b/parser/tst/simple_tests/change_profile/d_ok_5.sd
new file mode 100644
index 000000000..a443277cf
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_5.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION deny change_profile with variable+regex (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+
+/usr/bin/foo {
+ deny change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_6.sd b/parser/tst/simple_tests/change_profile/d_ok_6.sd
new file mode 100644
index 000000000..ef71d781a
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_6.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> "/bin/foo",
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> "/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_7.sd b/parser/tst/simple_tests/change_profile/d_ok_7.sd
new file mode 100644
index 000000000..4030e95c5
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_7.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile to a hat with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> "/bin/foo//bar",
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> "/bin/foo// bar",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_ok_8.sd b/parser/tst/simple_tests/change_profile/d_ok_8.sd
new file mode 100644
index 000000000..cce3b32d3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_ok_8.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION deny change_profile with name space with quotes
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> ":foo:/bin/foo",
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> ":foo:/bin/ foo",
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_1.sd b/parser/tst/simple_tests/change_profile/d_re_ok_1.sd
new file mode 100644
index 000000000..975b9b4c6
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_1.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION deny change_profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> /bin/*,
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> /bin/**,
+}
+
+/usr/bin/foo3 {
+ deny change_profile -> /bin/?,
+}
+
+/usr/bin/foo4 {
+ deny change_profile -> /bin/[ab],
+}
+
+/usr/bin/foo5 {
+ deny change_profile -> /bin/[^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_2.sd b/parser/tst/simple_tests/change_profile/d_re_ok_2.sd
new file mode 100644
index 000000000..8d7f69526
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_2.sd
@@ -0,0 +1,69 @@
+#
+#=DESCRIPTION deny change_profile to a hat
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> /bin/foo//bar,
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> /bin/foo//ba*,
+}
+
+/usr/bin/foo3 {
+ deny change_profile -> /bin/foo//ba**,
+}
+
+/usr/bin/foo4 {
+ deny change_profile -> /bin/foo//ba?,
+}
+
+/usr/bin/foo5 {
+ deny change_profile -> /bin/foo//ba[ab],
+}
+
+/usr/bin/foo6 {
+ deny change_profile -> /bin/foo//ba[^ab],
+}
+
+/usr/bin/foo7 {
+ deny change_profile -> /bin/fo*//bar,
+}
+
+/usr/bin/foo8 {
+ deny change_profile -> /bin/fo**//bar,
+}
+
+/usr/bin/foo9 {
+ deny change_profile -> /bin/fo?//bar,
+}
+
+/usr/bin/foo10 {
+ deny change_profile -> /bin/fo[ab]//bar,
+}
+
+/usr/bin/foo11 {
+ deny change_profile -> /bin/fo[^ab]//bar,
+}
+
+/usr/bin/foo12 {
+ deny change_profile -> /bin/fo*//ba*,
+}
+
+/usr/bin/foo13 {
+ deny change_profile -> /bin/fo**//ba**,
+}
+
+/usr/bin/foo14 {
+ deny change_profile -> /bin/fo?//ba?,
+}
+
+/usr/bin/foo15 {
+ deny change_profile -> /bin/fo[ab]//ba[ab],
+}
+
+/usr/bin/foo16 {
+ deny change_profile -> /bin/fo[^ab]//ba[^ab],
+}
+
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_3.sd b/parser/tst/simple_tests/change_profile/d_re_ok_3.sd
new file mode 100644
index 000000000..0cfd4b1e1
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_3.sd
@@ -0,0 +1,67 @@
+#
+#=DESCRIPTION deny change_profile with name space
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny change_profile -> :foo:/bin/foo,
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> :foo:/bin/fo*,
+}
+
+/usr/bin/foo3 {
+ deny change_profile -> :foo:/bin/fo**,
+}
+
+/usr/bin/foo4 {
+ deny change_profile -> :foo:/bin/fo?,
+}
+
+/usr/bin/foo5 {
+ deny change_profile -> :foo:/bin/fo[ab],
+}
+
+/usr/bin/foo6 {
+ deny change_profile -> :foo:/bin/fo[^ab],
+}
+
+/usr/bin/foo7 {
+ deny change_profile -> :fo*:/bin/foo,
+}
+
+/usr/bin/foo8 {
+ deny change_profile -> :fo**:/bin/foo,
+}
+
+/usr/bin/foo9 {
+ deny change_profile -> :fo?:/bin/foo,
+}
+
+/usr/bin/foo10 {
+ deny change_profile -> :fo[ab]:/bin/foo,
+}
+
+/usr/bin/foo11 {
+ deny change_profile -> :fo[^ab]:/bin/foo,
+}
+
+/usr/bin/foo12 {
+ deny change_profile -> :fo*:/bin/fo*,
+}
+
+/usr/bin/foo13 {
+ deny change_profile -> :fo**:/bin/fo**,
+}
+
+/usr/bin/foo14 {
+ deny change_profile -> :fo?:/bin/fo?,
+}
+
+/usr/bin/foo15 {
+ deny change_profile -> :fo[ab]:/bin/fo[ab],
+}
+
+/usr/bin/foo16 {
+ deny change_profile -> :fo[^ab]:/bin/fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_4.sd b/parser/tst/simple_tests/change_profile/d_re_ok_4.sd
new file mode 100644
index 000000000..5dcdd8833
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_4.sd
@@ -0,0 +1,51 @@
+#
+#=DESCRIPTION deny change_profile with a variable (LP: #390810)
+#=EXRESULT PASS
+#
+
+@{LIBVIRT}="libvirt"
+@{LIBVIRT_RE}="libvirt*"
+
+/usr/bin/foo {
+ deny change_profile -> @{LIBVIRT}-fo*,
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> @{LIBVIRT}-fo**,
+}
+
+/usr/bin/foo3 {
+ deny change_profile -> @{LIBVIRT}-fo[ab],
+}
+
+/usr/bin/foo4 {
+ deny change_profile -> @{LIBVIRT}-fo[^ab],
+}
+
+/usr/bin/foo5 {
+ deny change_profile -> @{LIBVIRT}-fo?,
+}
+
+/usr/bin/foo6 {
+ deny change_profile -> @{LIBVIRT_RE}-foo,
+}
+
+/usr/bin/foo7 {
+ deny change_profile -> @{LIBVIRT_RE}-fo*,
+}
+
+/usr/bin/foo8 {
+ deny change_profile -> @{LIBVIRT_RE}-fo**,
+}
+
+/usr/bin/foo9 {
+ deny change_profile -> @{LIBVIRT_RE}-fo?,
+}
+
+/usr/bin/foo10 {
+ deny change_profile -> @{LIBVIRT_RE}-fo[ab],
+}
+
+/usr/bin/foo11 {
+ deny change_profile -> @{LIBVIRT_RE}-fo[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_5.sd b/parser/tst/simple_tests/change_profile/d_re_ok_5.sd
new file mode 100644
index 000000000..0972013a3
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_5.sd
@@ -0,0 +1,25 @@
+#
+#=DESCRIPTION deny change_profile with just res
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+ deny change_profile -> *,
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> **,
+}
+
+/usr/bin/foo3 {
+ deny change_profile -> ?,
+}
+
+/usr/bin/foo4 {
+ deny change_profile -> [ab],
+}
+
+/usr/bin/foo5 {
+ deny change_profile -> [^ab],
+}
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_6.sd b/parser/tst/simple_tests/change_profile/d_re_ok_6.sd
new file mode 100644
index 000000000..970ea0a4c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_6.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile with just res, child profile
+#=EXRESULT PASS
+#
+
+/usr/bin/foo {
+ deny change_profile -> *//ab,
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> **//ab,
+}
+
+/usr/bin/foo3 {
+ deny change_profile -> ?//ab,
+}
+
+/usr/bin/foo4 {
+ deny change_profile -> [ab]//ab,
+}
+
+/usr/bin/foo5 {
+ deny change_profile -> [^ab]//ab,
+}
+
+/usr/bin/foo6 {
+ deny change_profile -> ab//*,
+}
+
+/usr/bin/foo7 {
+ deny change_profile -> ab//**,
+}
+
+/usr/bin/foo8 {
+ deny change_profile -> ab//?,
+}
+
+/usr/bin/foo9 {
+ deny change_profile -> ab//[ab],
+}
+
+/usr/bin/foo10 {
+ deny change_profile -> ab//[^ab],
+}
+
+/usr/bin/foo11 {
+ deny change_profile -> *//*,
+}
+
+/usr/bin/foo12 {
+ deny change_profile -> **//*,
+}
+
+/usr/bin/foo13 {
+ deny change_profile -> ?//*,
+}
+
+/usr/bin/foo14 {
+ deny change_profile -> [ab]//*,
+}
+
+/usr/bin/foo15 {
+ deny change_profile -> [^ab]//*,
+}
+
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_7.sd b/parser/tst/simple_tests/change_profile/d_re_ok_7.sd
new file mode 100644
index 000000000..5a2319ade
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_7.sd
@@ -0,0 +1,65 @@
+#
+#=DESCRIPTION deny change_profile with just re, namespace
+#=EXRESULT PASS
+#
+
+
+/usr/bin/foo {
+ deny change_profile -> :ab:*,
+}
+
+/usr/bin/foo2 {
+ deny change_profile -> :ab:**,
+}
+
+/usr/bin/foo3 {
+ deny change_profile -> :ab:?,
+}
+
+/usr/bin/foo4 {
+ deny change_profile -> :ab:[ab],
+}
+
+/usr/bin/foo5 {
+ deny change_profile -> :ab:[^ab],
+}
+
+/usr/bin/foo6 {
+ deny change_profile -> :*:ab,
+}
+
+/usr/bin/foo7 {
+ deny change_profile -> :**:ab,
+}
+
+/usr/bin/foo8 {
+ deny change_profile -> :?:ab,
+}
+
+/usr/bin/foo9 {
+ deny change_profile -> :[ab]:ab,
+}
+
+/usr/bin/foo10 {
+ deny change_profile -> :[^ab]:ab,
+}
+
+/usr/bin/foo11 {
+ deny change_profile -> :*:*,
+}
+
+/usr/bin/foo12 {
+ deny change_profile -> :**:**,
+}
+
+/usr/bin/foo13 {
+ deny change_profile -> :?:?,
+}
+
+/usr/bin/foo14 {
+ deny change_profile -> :[ab]:[ab],
+}
+
+/usr/bin/foo15 {
+ deny change_profile -> :[^ab]:[^ab],
+}
diff --git a/parser/tst/simple_tests/change_profile/d_re_ok_8.sd b/parser/tst/simple_tests/change_profile/d_re_ok_8.sd
new file mode 100644
index 000000000..cda4bedea
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/d_re_ok_8.sd
@@ -0,0 +1,45 @@
+#
+#=DESCRIPTION deny change_profile re with quotes
+#=EXRESULT PASS
+#
+
+/usr/bin/foo5 {
+ deny change_profile -> "/bin/*",
+}
+
+/usr/bin/foo6 {
+ deny change_profile -> "/bin/**",
+}
+
+/usr/bin/foo7 {
+ deny change_profile -> "/bin/[ab]",
+}
+
+/usr/bin/foo8 {
+ deny change_profile -> "/bin/[^ab]",
+}
+
+/usr/bin/foo10 {
+ deny change_profile -> "/bin/?ab",
+}
+
+/usr/bin/foo11 {
+ deny change_profile -> "/bin/ *",
+}
+
+/usr/bin/foo12 {
+ deny change_profile -> "/bin/ **",
+}
+
+/usr/bin/foo13 {
+ deny change_profile -> "/bin/ [ab]",
+}
+
+/usr/bin/foo14 {
+ deny change_profile -> "/bin/ [^ab]",
+}
+
+/usr/bin/foo15 {
+ deny change_profile -> "/bin/ ?ab",
+}
+
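Review bot: Every profile in d_re_ok_8.sd (and the sibling d_re_ok files) is only checked for `#=EXRESULT PASS`, so the suite proves the parser accepts `deny change_profile -> "/bin/*",` but not that the compiled rule actually carries the deny flag; a regression that silently compiled these as allow rules would still pass, which is the failure mode that matters for a deny rule. If the parser tests have an equality/inequality harness, add a case asserting that `deny change_profile -> /bin/foo,` does not produce the same policy as `change_profile -> /bin/foo,`, and ideally a kernel-side regression test that a transition to a denied target is refused. The numbering in this file also skips foo1–foo4 and foo9, presumably copied from a larger template; renumbering from `/usr/bin/foo` would make the list easier to scan against the other d_re_ok files.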
diff --git a/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd
new file mode 100644
index 000000000..40d77709d
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/da_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION deny audit in wrong order
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ deny audit change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd b/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd
new file mode 100644
index 000000000..e8fa9ea63
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/do_bare_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ deny owner change_profile,
+}
diff --git a/parser/tst/simple_tests/change_profile/o_bad_1.sd b/parser/tst/simple_tests/change_profile/o_bad_1.sd
new file mode 100644
index 000000000..36a7f842c
--- /dev/null
+++ b/parser/tst/simple_tests/change_profile/o_bad_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION owner not allowed in change_profile
+#=EXRESULT FAIL
+#
+/usr/bin/foo {
+ owner change_profile -> /bin/foo,
+}
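Review bot: da_bare_bad_1.sd rejects `deny audit change_profile,`, but nothing visible here covers the accepted ordering `audit deny change_profile,` (or `audit deny change_profile -> /bin/foo,`) with `#=EXRESULT PASS`; if that case is not elsewhere in the commit, add an `ad_bare_ok_1.sd` / `ad_ok_1.sd` pair, since the combined prefix is the variant most likely to be mishandled when both flags have to be carried through to the rule. The two owner tests cover `deny owner` bare and `owner` with a target; an `owner change_profile,` with no target would round out the negative set. `#=DESCRIPTION deny audit in wrong order` would be clearer as `#=DESCRIPTION 'deny audit' rejected: audit must precede deny`, so the expected grammar is stated rather than implied.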