add support for rule prefixes to change_profile rules

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
John Johansen 2015-06-06 01:28:43 -07:00
parent df568c979a
commit 4ed04c8ada
93 changed files with 2529 additions and 7 deletions


@ -492,6 +492,8 @@ static int process_profile_name_xmatch(Profile *prof)
return TRUE; return TRUE;
} }
static int warn_change_profile = 1;
static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry) static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
{ {
std::string tbuf; std::string tbuf;
@ -565,6 +567,14 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
std::string lbuf; std::string lbuf;
int index = 1; int index = 1;
if ((warnflags & WARN_RULE_DOWNGRADED) && entry->audit && warn_change_profile) {
/* don't have profile name here, so until this code
* gets refactored just throw out a generic warning
*/
fprintf(stderr, "Warning kernel does not support audit modifier for change_profile rule.\n");
warn_change_profile = 0;
}
/* allow change_profile for all execs */ /* allow change_profile for all execs */
vec[0] = "/[^\\x00]*"; vec[0] = "/[^\\x00]*";
@ -576,12 +586,12 @@ static int process_dfa_entry(aare_rules *dfarules, struct cod_entry *entry)
vec[index++] = tbuf.c_str(); vec[index++] = tbuf.c_str();
/* regular change_profile rule */ /* regular change_profile rule */
if (!dfarules->add_rule_vec(0, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags)) if (!dfarules->add_rule_vec(entry->deny, AA_CHANGE_PROFILE | AA_ONEXEC, 0, index - 1, &vec[1], dfaflags))
return FALSE; return FALSE;
/* onexec rules - both rules are needed for onexec */ /* onexec rules - both rules are needed for onexec */
if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, 1, vec, dfaflags)) if (!dfarules->add_rule_vec(entry->deny, AA_ONEXEC, 0, 1, vec, dfaflags))
return FALSE; return FALSE;
if (!dfarules->add_rule_vec(0, AA_ONEXEC, 0, index, vec, dfaflags)) if (!dfarules->add_rule_vec(entry->deny, AA_ONEXEC, 0, index, vec, dfaflags))
return FALSE; return FALSE;
} }
return TRUE; return TRUE;
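Review bot: The new warning at the top of the second hunk keys on `entry->audit`, but the parser_yacc.y hunk on this page also stores `$3->mode` into `$3->audit` for a bare `deny` prefix, so a `deny change_profile` rule written with no audit keyword would presumably hit this "does not support audit modifier" message as well (assuming `mode` is non-zero for change_profile entries — worth confirming). If that is not intended, either narrow the condition or reword the message so it covers both cases, e.g. `"Warning: kernel does not support audit/quiet modifiers for change_profile rules.\n"`; as written the text also lacks the colon after `Warning`. The three `add_rule_vec` calls now pass `entry->deny` but still pass 0 for the audit argument, which is consistent with the warning, though a one-line comment there saying the audit bits are deliberately dropped would make that intent explicit. process_dfa_entry's body continues outside the hunks shown.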


@ -785,13 +785,23 @@ rules: rules opt_prefix unix_rule
$$ = $1; $$ = $1;
} }
rules: rules change_profile rules: rules opt_prefix change_profile
{ {
PDEBUG("matched: rules change_profile\n"); PDEBUG("matched: rules change_profile\n");
PDEBUG("rules change_profile: (%s)\n", $2->name); PDEBUG("rules change_profile: (%s)\n", $3->name);
if (!$2) if (!$3)
yyerror(_("Assert: `change_profile' returned NULL.")); yyerror(_("Assert: `change_profile' returned NULL."));
add_entry_to_policy($1, $2); if ($2.owner)
yyerror(_("owner prefix not allowed on unix rules"));
if ($2.deny && $2.audit) {
$3->deny = 1;
} else if ($2.deny) {
$3->deny = 1;
$3->audit = $3->mode;
} else if ($2.audit) {
$3->audit = $3->mode;
}
add_entry_to_policy($1, $3);
$$ = $1; $$ = $1;
}; };
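Review bot: The owner check added to the `rules opt_prefix change_profile` action reports `owner prefix not allowed on unix rules`, which looks copied from the unix_rule action and will mislead anyone reading the parse error for a change_profile rule; it should read `yyerror(_("owner prefix not allowed on change_profile rules"));`. The deny/audit mapping that follows is consistent with the other prefixed rule actions, but a short comment explaining why a bare `deny` stores `$3->mode` into `$3->audit` would help, since that meaning is not obvious from this rule alone. The new negative tests on this page with `#=EXRESULT FAIL` exercise the owner path, so the message text is the only part not covered.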


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> /bin/foo,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> /bin/foo//bar,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> :foo:/bin/foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION audit change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
audit change_profile -> @{LIBVIRT}-foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION audit change_profile with variable+regex (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
audit change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit change_profile with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> "/bin/foo",
}
/usr/bin/foo2 {
audit change_profile -> "/bin/ foo",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit change_profile to a hat with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> "/bin/foo//bar",
}
/usr/bin/foo2 {
audit change_profile -> "/bin/foo// bar",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit change_profile with name space with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> ":foo:/bin/foo",
}
/usr/bin/foo2 {
audit change_profile -> ":foo:/bin/ foo",
}


@ -0,0 +1,24 @@
#
#=DESCRIPTION audit change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> /bin/*,
}
/usr/bin/foo2 {
audit change_profile -> /bin/**,
}
/usr/bin/foo3 {
audit change_profile -> /bin/?,
}
/usr/bin/foo4 {
audit change_profile -> /bin/[ab],
}
/usr/bin/foo5 {
audit change_profile -> /bin/[^ab],
}


@ -0,0 +1,69 @@
#
#=DESCRIPTION audit change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> /bin/foo//bar,
}
/usr/bin/foo2 {
audit change_profile -> /bin/foo//ba*,
}
/usr/bin/foo3 {
audit change_profile -> /bin/foo//ba**,
}
/usr/bin/foo4 {
audit change_profile -> /bin/foo//ba?,
}
/usr/bin/foo5 {
audit change_profile -> /bin/foo//ba[ab],
}
/usr/bin/foo6 {
audit change_profile -> /bin/foo//ba[^ab],
}
/usr/bin/foo7 {
audit change_profile -> /bin/fo*//bar,
}
/usr/bin/foo8 {
audit change_profile -> /bin/fo**//bar,
}
/usr/bin/foo9 {
audit change_profile -> /bin/fo?//bar,
}
/usr/bin/foo10 {
audit change_profile -> /bin/fo[ab]//bar,
}
/usr/bin/foo11 {
audit change_profile -> /bin/fo[^ab]//bar,
}
/usr/bin/foo12 {
audit change_profile -> /bin/fo*//ba*,
}
/usr/bin/foo13 {
audit change_profile -> /bin/fo**//ba**,
}
/usr/bin/foo14 {
audit change_profile -> /bin/fo?//ba?,
}
/usr/bin/foo15 {
audit change_profile -> /bin/fo[ab]//ba[ab],
}
/usr/bin/foo16 {
audit change_profile -> /bin/fo[^ab]//ba[^ab],
}


@ -0,0 +1,67 @@
#
#=DESCRIPTION audit change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> :foo:/bin/foo,
}
/usr/bin/foo2 {
audit change_profile -> :foo:/bin/fo*,
}
/usr/bin/foo3 {
audit change_profile -> :foo:/bin/fo**,
}
/usr/bin/foo4 {
audit change_profile -> :foo:/bin/fo?,
}
/usr/bin/foo5 {
audit change_profile -> :foo:/bin/fo[ab],
}
/usr/bin/foo6 {
audit change_profile -> :foo:/bin/fo[^ab],
}
/usr/bin/foo7 {
audit change_profile -> :fo*:/bin/foo,
}
/usr/bin/foo8 {
audit change_profile -> :fo**:/bin/foo,
}
/usr/bin/foo9 {
audit change_profile -> :fo?:/bin/foo,
}
/usr/bin/foo10 {
audit change_profile -> :fo[ab]:/bin/foo,
}
/usr/bin/foo11 {
audit change_profile -> :fo[^ab]:/bin/foo,
}
/usr/bin/foo12 {
audit change_profile -> :fo*:/bin/fo*,
}
/usr/bin/foo13 {
audit change_profile -> :fo**:/bin/fo**,
}
/usr/bin/foo14 {
audit change_profile -> :fo?:/bin/fo?,
}
/usr/bin/foo15 {
audit change_profile -> :fo[ab]:/bin/fo[ab],
}
/usr/bin/foo16 {
audit change_profile -> :fo[^ab]:/bin/fo[^ab],
}


@ -0,0 +1,51 @@
#
#=DESCRIPTION audit change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
@{LIBVIRT_RE}="libvirt*"
/usr/bin/foo {
audit change_profile -> @{LIBVIRT}-fo*,
}
/usr/bin/foo2 {
audit change_profile -> @{LIBVIRT}-fo**,
}
/usr/bin/foo3 {
audit change_profile -> @{LIBVIRT}-fo[ab],
}
/usr/bin/foo4 {
audit change_profile -> @{LIBVIRT}-fo[^ab],
}
/usr/bin/foo5 {
audit change_profile -> @{LIBVIRT}-fo?,
}
/usr/bin/foo6 {
audit change_profile -> @{LIBVIRT_RE}-foo,
}
/usr/bin/foo7 {
audit change_profile -> @{LIBVIRT_RE}-fo*,
}
/usr/bin/foo8 {
audit change_profile -> @{LIBVIRT_RE}-fo**,
}
/usr/bin/foo9 {
audit change_profile -> @{LIBVIRT_RE}-fo?,
}
/usr/bin/foo10 {
audit change_profile -> @{LIBVIRT_RE}-fo[ab],
}
/usr/bin/foo11 {
audit change_profile -> @{LIBVIRT_RE}-fo[^ab],
}


@ -0,0 +1,25 @@
#
#=DESCRIPTION audit change_profile with just res
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> *,
}
/usr/bin/foo2 {
audit change_profile -> **,
}
/usr/bin/foo3 {
audit change_profile -> ?,
}
/usr/bin/foo4 {
audit change_profile -> [ab],
}
/usr/bin/foo5 {
audit change_profile -> [^ab],
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION audit change_profile with just res, child profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> *//ab,
}
/usr/bin/foo2 {
audit change_profile -> **//ab,
}
/usr/bin/foo3 {
audit change_profile -> ?//ab,
}
/usr/bin/foo4 {
audit change_profile -> [ab]//ab,
}
/usr/bin/foo5 {
audit change_profile -> [^ab]//ab,
}
/usr/bin/foo6 {
audit change_profile -> ab//*,
}
/usr/bin/foo7 {
audit change_profile -> ab//**,
}
/usr/bin/foo8 {
audit change_profile -> ab//?,
}
/usr/bin/foo9 {
audit change_profile -> ab//[ab],
}
/usr/bin/foo10 {
audit change_profile -> ab//[^ab],
}
/usr/bin/foo11 {
audit change_profile -> *//*,
}
/usr/bin/foo12 {
audit change_profile -> **//*,
}
/usr/bin/foo13 {
audit change_profile -> ?//*,
}
/usr/bin/foo14 {
audit change_profile -> [ab]//*,
}
/usr/bin/foo15 {
audit change_profile -> [^ab]//*,
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION audit change_profile with just re, namespace
#=EXRESULT PASS
#
/usr/bin/foo {
audit change_profile -> :ab:*,
}
/usr/bin/foo2 {
audit change_profile -> :ab:**,
}
/usr/bin/foo3 {
audit change_profile -> :ab:?,
}
/usr/bin/foo4 {
audit change_profile -> :ab:[ab],
}
/usr/bin/foo5 {
audit change_profile -> :ab:[^ab],
}
/usr/bin/foo6 {
audit change_profile -> :*:ab,
}
/usr/bin/foo7 {
audit change_profile -> :**:ab,
}
/usr/bin/foo8 {
audit change_profile -> :?:ab,
}
/usr/bin/foo9 {
audit change_profile -> :[ab]:ab,
}
/usr/bin/foo10 {
audit change_profile -> :[^ab]:ab,
}
/usr/bin/foo11 {
audit change_profile -> :*:*,
}
/usr/bin/foo12 {
audit change_profile -> :**:**,
}
/usr/bin/foo13 {
audit change_profile -> :?:?,
}
/usr/bin/foo14 {
audit change_profile -> :[ab]:[ab],
}
/usr/bin/foo15 {
audit change_profile -> :[^ab]:[^ab],
}


@ -0,0 +1,45 @@
#
#=DESCRIPTION audit change_profile re with quotes
#=EXRESULT PASS
#
/usr/bin/foo5 {
audit change_profile -> "/bin/*",
}
/usr/bin/foo6 {
audit change_profile -> "/bin/**",
}
/usr/bin/foo7 {
audit change_profile -> "/bin/[ab]",
}
/usr/bin/foo8 {
audit change_profile -> "/bin/[^ab]",
}
/usr/bin/foo10 {
audit change_profile -> "/bin/?ab",
}
/usr/bin/foo11 {
audit change_profile -> "/bin/ *",
}
/usr/bin/foo12 {
audit change_profile -> "/bin/ **",
}
/usr/bin/foo13 {
audit change_profile -> "/bin/ [ab]",
}
/usr/bin/foo14 {
audit change_profile -> "/bin/ [^ab]",
}
/usr/bin/foo15 {
audit change_profile -> "/bin/ ?ab",
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit allow change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> /bin/foo,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit allow change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> /bin/foo//bar,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit allow change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> :foo:/bin/foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION audit allow change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
audit allow change_profile -> @{LIBVIRT}-foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION audit allow change_profile with variable+regex (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
audit allow change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit allow change_profile with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> "/bin/foo",
}
/usr/bin/foo2 {
audit allow change_profile -> "/bin/ foo",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit allow change_profile to a hat with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> "/bin/foo//bar",
}
/usr/bin/foo2 {
audit allow change_profile -> "/bin/foo// bar",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit allow change_profile with name space with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> ":foo:/bin/foo",
}
/usr/bin/foo2 {
audit allow change_profile -> ":foo:/bin/ foo",
}


@ -0,0 +1,24 @@
#
#=DESCRIPTION audit allow change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> /bin/*,
}
/usr/bin/foo2 {
audit allow change_profile -> /bin/**,
}
/usr/bin/foo3 {
audit allow change_profile -> /bin/?,
}
/usr/bin/foo4 {
audit allow change_profile -> /bin/[ab],
}
/usr/bin/foo5 {
audit allow change_profile -> /bin/[^ab],
}


@ -0,0 +1,69 @@
#
#=DESCRIPTION audit allow change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> /bin/foo//bar,
}
/usr/bin/foo2 {
audit allow change_profile -> /bin/foo//ba*,
}
/usr/bin/foo3 {
audit allow change_profile -> /bin/foo//ba**,
}
/usr/bin/foo4 {
audit allow change_profile -> /bin/foo//ba?,
}
/usr/bin/foo5 {
audit allow change_profile -> /bin/foo//ba[ab],
}
/usr/bin/foo6 {
audit allow change_profile -> /bin/foo//ba[^ab],
}
/usr/bin/foo7 {
audit allow change_profile -> /bin/fo*//bar,
}
/usr/bin/foo8 {
audit allow change_profile -> /bin/fo**//bar,
}
/usr/bin/foo9 {
audit allow change_profile -> /bin/fo?//bar,
}
/usr/bin/foo10 {
audit allow change_profile -> /bin/fo[ab]//bar,
}
/usr/bin/foo11 {
audit allow change_profile -> /bin/fo[^ab]//bar,
}
/usr/bin/foo12 {
audit allow change_profile -> /bin/fo*//ba*,
}
/usr/bin/foo13 {
audit allow change_profile -> /bin/fo**//ba**,
}
/usr/bin/foo14 {
audit allow change_profile -> /bin/fo?//ba?,
}
/usr/bin/foo15 {
audit allow change_profile -> /bin/fo[ab]//ba[ab],
}
/usr/bin/foo16 {
audit allow change_profile -> /bin/fo[^ab]//ba[^ab],
}


@ -0,0 +1,67 @@
#
#=DESCRIPTION audit allow change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> :foo:/bin/foo,
}
/usr/bin/foo2 {
audit allow change_profile -> :foo:/bin/fo*,
}
/usr/bin/foo3 {
audit allow change_profile -> :foo:/bin/fo**,
}
/usr/bin/foo4 {
audit allow change_profile -> :foo:/bin/fo?,
}
/usr/bin/foo5 {
audit allow change_profile -> :foo:/bin/fo[ab],
}
/usr/bin/foo6 {
audit allow change_profile -> :foo:/bin/fo[^ab],
}
/usr/bin/foo7 {
audit allow change_profile -> :fo*:/bin/foo,
}
/usr/bin/foo8 {
audit allow change_profile -> :fo**:/bin/foo,
}
/usr/bin/foo9 {
audit allow change_profile -> :fo?:/bin/foo,
}
/usr/bin/foo10 {
audit allow change_profile -> :fo[ab]:/bin/foo,
}
/usr/bin/foo11 {
audit allow change_profile -> :fo[^ab]:/bin/foo,
}
/usr/bin/foo12 {
audit allow change_profile -> :fo*:/bin/fo*,
}
/usr/bin/foo13 {
audit allow change_profile -> :fo**:/bin/fo**,
}
/usr/bin/foo14 {
audit allow change_profile -> :fo?:/bin/fo?,
}
/usr/bin/foo15 {
audit allow change_profile -> :fo[ab]:/bin/fo[ab],
}
/usr/bin/foo16 {
audit allow change_profile -> :fo[^ab]:/bin/fo[^ab],
}


@ -0,0 +1,51 @@
#
#=DESCRIPTION audit allow change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
@{LIBVIRT_RE}="libvirt*"
/usr/bin/foo {
audit allow change_profile -> @{LIBVIRT}-fo*,
}
/usr/bin/foo2 {
audit allow change_profile -> @{LIBVIRT}-fo**,
}
/usr/bin/foo3 {
audit allow change_profile -> @{LIBVIRT}-fo[ab],
}
/usr/bin/foo4 {
audit allow change_profile -> @{LIBVIRT}-fo[^ab],
}
/usr/bin/foo5 {
audit allow change_profile -> @{LIBVIRT}-fo?,
}
/usr/bin/foo6 {
audit allow change_profile -> @{LIBVIRT_RE}-foo,
}
/usr/bin/foo7 {
audit allow change_profile -> @{LIBVIRT_RE}-fo*,
}
/usr/bin/foo8 {
audit allow change_profile -> @{LIBVIRT_RE}-fo**,
}
/usr/bin/foo9 {
audit allow change_profile -> @{LIBVIRT_RE}-fo?,
}
/usr/bin/foo10 {
audit allow change_profile -> @{LIBVIRT_RE}-fo[ab],
}
/usr/bin/foo11 {
audit allow change_profile -> @{LIBVIRT_RE}-fo[^ab],
}


@ -0,0 +1,25 @@
#
#=DESCRIPTION audit allow change_profile with just res
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> *,
}
/usr/bin/foo2 {
audit allow change_profile -> **,
}
/usr/bin/foo3 {
audit allow change_profile -> ?,
}
/usr/bin/foo4 {
audit allow change_profile -> [ab],
}
/usr/bin/foo5 {
audit allow change_profile -> [^ab],
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION audit allow change_profile with just res, child profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> *//ab,
}
/usr/bin/foo2 {
audit allow change_profile -> **//ab,
}
/usr/bin/foo3 {
audit allow change_profile -> ?//ab,
}
/usr/bin/foo4 {
audit allow change_profile -> [ab]//ab,
}
/usr/bin/foo5 {
audit allow change_profile -> [^ab]//ab,
}
/usr/bin/foo6 {
audit allow change_profile -> ab//*,
}
/usr/bin/foo7 {
audit allow change_profile -> ab//**,
}
/usr/bin/foo8 {
audit allow change_profile -> ab//?,
}
/usr/bin/foo9 {
audit allow change_profile -> ab//[ab],
}
/usr/bin/foo10 {
audit allow change_profile -> ab//[^ab],
}
/usr/bin/foo11 {
audit allow change_profile -> *//*,
}
/usr/bin/foo12 {
audit allow change_profile -> **//*,
}
/usr/bin/foo13 {
audit allow change_profile -> ?//*,
}
/usr/bin/foo14 {
audit allow change_profile -> [ab]//*,
}
/usr/bin/foo15 {
audit allow change_profile -> [^ab]//*,
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION audit allow change_profile with just re, namespace
#=EXRESULT PASS
#
/usr/bin/foo {
audit allow change_profile -> :ab:*,
}
/usr/bin/foo2 {
audit allow change_profile -> :ab:**,
}
/usr/bin/foo3 {
audit allow change_profile -> :ab:?,
}
/usr/bin/foo4 {
audit allow change_profile -> :ab:[ab],
}
/usr/bin/foo5 {
audit allow change_profile -> :ab:[^ab],
}
/usr/bin/foo6 {
audit allow change_profile -> :*:ab,
}
/usr/bin/foo7 {
audit allow change_profile -> :**:ab,
}
/usr/bin/foo8 {
audit allow change_profile -> :?:ab,
}
/usr/bin/foo9 {
audit allow change_profile -> :[ab]:ab,
}
/usr/bin/foo10 {
audit allow change_profile -> :[^ab]:ab,
}
/usr/bin/foo11 {
audit allow change_profile -> :*:*,
}
/usr/bin/foo12 {
audit allow change_profile -> :**:**,
}
/usr/bin/foo13 {
audit allow change_profile -> :?:?,
}
/usr/bin/foo14 {
audit allow change_profile -> :[ab]:[ab],
}
/usr/bin/foo15 {
audit allow change_profile -> :[^ab]:[^ab],
}


@ -0,0 +1,45 @@
#
#=DESCRIPTION audit allow change_profile re with quotes
#=EXRESULT PASS
#
/usr/bin/foo5 {
audit allow change_profile -> "/bin/*",
}
/usr/bin/foo6 {
audit allow change_profile -> "/bin/**",
}
/usr/bin/foo7 {
audit allow change_profile -> "/bin/[ab]",
}
/usr/bin/foo8 {
audit allow change_profile -> "/bin/[^ab]",
}
/usr/bin/foo10 {
audit allow change_profile -> "/bin/?ab",
}
/usr/bin/foo11 {
audit allow change_profile -> "/bin/ *",
}
/usr/bin/foo12 {
audit allow change_profile -> "/bin/ **",
}
/usr/bin/foo13 {
audit allow change_profile -> "/bin/ [ab]",
}
/usr/bin/foo14 {
audit allow change_profile -> "/bin/ [^ab]",
}
/usr/bin/foo15 {
audit allow change_profile -> "/bin/ ?ab",
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION owner not allowed on change_profile
#=EXRESULT FAIL
#
/usr/bin/foo {
audit allow owner change_profile -> "/bin/foo",
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit deny change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit deny change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> /bin/foo,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit deny change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> /bin/foo//bar,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION audit deny change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> :foo:/bin/foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION audit deny change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
audit deny change_profile -> @{LIBVIRT}-foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION audit deny change_profile with variable+regex (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
audit deny change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit deny change_profile with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> "/bin/foo",
}
/usr/bin/foo2 {
audit deny change_profile -> "/bin/ foo",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit deny change_profile to a hat with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> "/bin/foo//bar",
}
/usr/bin/foo2 {
audit deny change_profile -> "/bin/foo// bar",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION audit deny change_profile with name space with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> ":foo:/bin/foo",
}
/usr/bin/foo2 {
audit deny change_profile -> ":foo:/bin/ foo",
}


@ -0,0 +1,24 @@
#
#=DESCRIPTION audit deny change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> /bin/*,
}
/usr/bin/foo2 {
audit deny change_profile -> /bin/**,
}
/usr/bin/foo3 {
audit deny change_profile -> /bin/?,
}
/usr/bin/foo4 {
audit deny change_profile -> /bin/[ab],
}
/usr/bin/foo5 {
audit deny change_profile -> /bin/[^ab],
}


@ -0,0 +1,69 @@
#
#=DESCRIPTION audit deny change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> /bin/foo//bar,
}
/usr/bin/foo2 {
audit deny change_profile -> /bin/foo//ba*,
}
/usr/bin/foo3 {
audit deny change_profile -> /bin/foo//ba**,
}
/usr/bin/foo4 {
audit deny change_profile -> /bin/foo//ba?,
}
/usr/bin/foo5 {
audit deny change_profile -> /bin/foo//ba[ab],
}
/usr/bin/foo6 {
audit deny change_profile -> /bin/foo//ba[^ab],
}
/usr/bin/foo7 {
audit deny change_profile -> /bin/fo*//bar,
}
/usr/bin/foo8 {
audit deny change_profile -> /bin/fo**//bar,
}
/usr/bin/foo9 {
audit deny change_profile -> /bin/fo?//bar,
}
/usr/bin/foo10 {
audit deny change_profile -> /bin/fo[ab]//bar,
}
/usr/bin/foo11 {
audit deny change_profile -> /bin/fo[^ab]//bar,
}
/usr/bin/foo12 {
audit deny change_profile -> /bin/fo*//ba*,
}
/usr/bin/foo13 {
audit deny change_profile -> /bin/fo**//ba**,
}
/usr/bin/foo14 {
audit deny change_profile -> /bin/fo?//ba?,
}
/usr/bin/foo15 {
audit deny change_profile -> /bin/fo[ab]//ba[ab],
}
/usr/bin/foo16 {
audit deny change_profile -> /bin/fo[^ab]//ba[^ab],
}


@ -0,0 +1,67 @@
#
#=DESCRIPTION audit deny change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> :foo:/bin/foo,
}
/usr/bin/foo2 {
audit deny change_profile -> :foo:/bin/fo*,
}
/usr/bin/foo3 {
audit deny change_profile -> :foo:/bin/fo**,
}
/usr/bin/foo4 {
audit deny change_profile -> :foo:/bin/fo?,
}
/usr/bin/foo5 {
audit deny change_profile -> :foo:/bin/fo[ab],
}
/usr/bin/foo6 {
audit deny change_profile -> :foo:/bin/fo[^ab],
}
/usr/bin/foo7 {
audit deny change_profile -> :fo*:/bin/foo,
}
/usr/bin/foo8 {
audit deny change_profile -> :fo**:/bin/foo,
}
/usr/bin/foo9 {
audit deny change_profile -> :fo?:/bin/foo,
}
/usr/bin/foo10 {
audit deny change_profile -> :fo[ab]:/bin/foo,
}
/usr/bin/foo11 {
audit deny change_profile -> :fo[^ab]:/bin/foo,
}
/usr/bin/foo12 {
audit deny change_profile -> :fo*:/bin/fo*,
}
/usr/bin/foo13 {
audit deny change_profile -> :fo**:/bin/fo**,
}
/usr/bin/foo14 {
audit deny change_profile -> :fo?:/bin/fo?,
}
/usr/bin/foo15 {
audit deny change_profile -> :fo[ab]:/bin/fo[ab],
}
/usr/bin/foo16 {
audit deny change_profile -> :fo[^ab]:/bin/fo[^ab],
}


@ -0,0 +1,51 @@
#
#=DESCRIPTION audit deny change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
@{LIBVIRT_RE}="libvirt*"
/usr/bin/foo {
audit deny change_profile -> @{LIBVIRT}-fo*,
}
/usr/bin/foo2 {
audit deny change_profile -> @{LIBVIRT}-fo**,
}
/usr/bin/foo3 {
audit deny change_profile -> @{LIBVIRT}-fo[ab],
}
/usr/bin/foo4 {
audit deny change_profile -> @{LIBVIRT}-fo[^ab],
}
/usr/bin/foo5 {
audit deny change_profile -> @{LIBVIRT}-fo?,
}
/usr/bin/foo6 {
audit deny change_profile -> @{LIBVIRT_RE}-foo,
}
/usr/bin/foo7 {
audit deny change_profile -> @{LIBVIRT_RE}-fo*,
}
/usr/bin/foo8 {
audit deny change_profile -> @{LIBVIRT_RE}-fo**,
}
/usr/bin/foo9 {
audit deny change_profile -> @{LIBVIRT_RE}-fo?,
}
/usr/bin/foo10 {
audit deny change_profile -> @{LIBVIRT_RE}-fo[ab],
}
/usr/bin/foo11 {
audit deny change_profile -> @{LIBVIRT_RE}-fo[^ab],
}


@ -0,0 +1,25 @@
#
#=DESCRIPTION audit deny change_profile with just res
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> *,
}
/usr/bin/foo2 {
audit deny change_profile -> **,
}
/usr/bin/foo3 {
audit deny change_profile -> ?,
}
/usr/bin/foo4 {
audit deny change_profile -> [ab],
}
/usr/bin/foo5 {
audit deny change_profile -> [^ab],
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION audit deny change_profile with just res, child profile
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> *//ab,
}
/usr/bin/foo2 {
audit deny change_profile -> **//ab,
}
/usr/bin/foo3 {
audit deny change_profile -> ?//ab,
}
/usr/bin/foo4 {
audit deny change_profile -> [ab]//ab,
}
/usr/bin/foo5 {
audit deny change_profile -> [^ab]//ab,
}
/usr/bin/foo6 {
audit deny change_profile -> ab//*,
}
/usr/bin/foo7 {
audit deny change_profile -> ab//**,
}
/usr/bin/foo8 {
audit deny change_profile -> ab//?,
}
/usr/bin/foo9 {
audit deny change_profile -> ab//[ab],
}
/usr/bin/foo10 {
audit deny change_profile -> ab//[^ab],
}
/usr/bin/foo11 {
audit deny change_profile -> *//*,
}
/usr/bin/foo12 {
audit deny change_profile -> **//*,
}
/usr/bin/foo13 {
audit deny change_profile -> ?//*,
}
/usr/bin/foo14 {
audit deny change_profile -> [ab]//*,
}
/usr/bin/foo15 {
audit deny change_profile -> [^ab]//*,
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION audit deny change_profile with just re, namespace
#=EXRESULT PASS
#
/usr/bin/foo {
audit deny change_profile -> :ab:*,
}
/usr/bin/foo2 {
audit deny change_profile -> :ab:**,
}
/usr/bin/foo3 {
audit deny change_profile -> :ab:?,
}
/usr/bin/foo4 {
audit deny change_profile -> :ab:[ab],
}
/usr/bin/foo5 {
audit deny change_profile -> :ab:[^ab],
}
/usr/bin/foo6 {
audit deny change_profile -> :*:ab,
}
/usr/bin/foo7 {
audit deny change_profile -> :**:ab,
}
/usr/bin/foo8 {
audit deny change_profile -> :?:ab,
}
/usr/bin/foo9 {
audit deny change_profile -> :[ab]:ab,
}
/usr/bin/foo10 {
audit deny change_profile -> :[^ab]:ab,
}
/usr/bin/foo11 {
audit deny change_profile -> :*:*,
}
/usr/bin/foo12 {
audit deny change_profile -> :**:**,
}
/usr/bin/foo13 {
audit deny change_profile -> :?:?,
}
/usr/bin/foo14 {
audit deny change_profile -> :[ab]:[ab],
}
/usr/bin/foo15 {
audit deny change_profile -> :[^ab]:[^ab],
}


@ -0,0 +1,45 @@
#
#=DESCRIPTION audit deny change_profile re with quotes
#=EXRESULT PASS
#
/usr/bin/foo5 {
audit deny change_profile -> "/bin/*",
}
/usr/bin/foo6 {
audit deny change_profile -> "/bin/**",
}
/usr/bin/foo7 {
audit deny change_profile -> "/bin/[ab]",
}
/usr/bin/foo8 {
audit deny change_profile -> "/bin/[^ab]",
}
/usr/bin/foo10 {
audit deny change_profile -> "/bin/?ab",
}
/usr/bin/foo11 {
audit deny change_profile -> "/bin/ *",
}
/usr/bin/foo12 {
audit deny change_profile -> "/bin/ **",
}
/usr/bin/foo13 {
audit deny change_profile -> "/bin/ [ab]",
}
/usr/bin/foo14 {
audit deny change_profile -> "/bin/ [^ab]",
}
/usr/bin/foo15 {
audit deny change_profile -> "/bin/ ?ab",
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION owner not allowed on change_profile
#=EXRESULT FAIL
#
/usr/bin/foo {
audit deny owner change_profile -> /bin/foo,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION owner not allowed in change_profile
#=EXRESULT FAIL
#
/usr/bin/foo {
audit deny owner change_profile,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION allow change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> /bin/foo,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION allow change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> /bin/foo//bar,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION allow change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> :foo:/bin/foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION allow change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
allow change_profile -> @{LIBVIRT}-foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION allow change_profile with variable+regex (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
allow change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION allow change_profile with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> "/bin/foo",
}
/usr/bin/foo2 {
allow change_profile -> "/bin/ foo",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION allow change_profile to a hat with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> "/bin/foo//bar",
}
/usr/bin/foo2 {
allow change_profile -> "/bin/foo// bar",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION allow change_profile with name space with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> ":foo:/bin/foo",
}
/usr/bin/foo2 {
allow change_profile -> ":foo:/bin/ foo",
}


@ -0,0 +1,24 @@
#
#=DESCRIPTION allow change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> /bin/*,
}
/usr/bin/foo2 {
allow change_profile -> /bin/**,
}
/usr/bin/foo3 {
allow change_profile -> /bin/?,
}
/usr/bin/foo4 {
allow change_profile -> /bin/[ab],
}
/usr/bin/foo5 {
allow change_profile -> /bin/[^ab],
}


@ -0,0 +1,69 @@
#
#=DESCRIPTION allow change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> /bin/foo//bar,
}
/usr/bin/foo2 {
allow change_profile -> /bin/foo//ba*,
}
/usr/bin/foo3 {
allow change_profile -> /bin/foo//ba**,
}
/usr/bin/foo4 {
allow change_profile -> /bin/foo//ba?,
}
/usr/bin/foo5 {
allow change_profile -> /bin/foo//ba[ab],
}
/usr/bin/foo6 {
allow change_profile -> /bin/foo//ba[^ab],
}
/usr/bin/foo7 {
allow change_profile -> /bin/fo*//bar,
}
/usr/bin/foo8 {
allow change_profile -> /bin/fo**//bar,
}
/usr/bin/foo9 {
allow change_profile -> /bin/fo?//bar,
}
/usr/bin/foo10 {
allow change_profile -> /bin/fo[ab]//bar,
}
/usr/bin/foo11 {
allow change_profile -> /bin/fo[^ab]//bar,
}
/usr/bin/foo12 {
allow change_profile -> /bin/fo*//ba*,
}
/usr/bin/foo13 {
allow change_profile -> /bin/fo**//ba**,
}
/usr/bin/foo14 {
allow change_profile -> /bin/fo?//ba?,
}
/usr/bin/foo15 {
allow change_profile -> /bin/fo[ab]//ba[ab],
}
/usr/bin/foo16 {
allow change_profile -> /bin/fo[^ab]//ba[^ab],
}


@ -0,0 +1,67 @@
#
#=DESCRIPTION allow change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> :foo:/bin/foo,
}
/usr/bin/foo2 {
allow change_profile -> :foo:/bin/fo*,
}
/usr/bin/foo3 {
allow change_profile -> :foo:/bin/fo**,
}
/usr/bin/foo4 {
allow change_profile -> :foo:/bin/fo?,
}
/usr/bin/foo5 {
allow change_profile -> :foo:/bin/fo[ab],
}
/usr/bin/foo6 {
allow change_profile -> :foo:/bin/fo[^ab],
}
/usr/bin/foo7 {
allow change_profile -> :fo*:/bin/foo,
}
/usr/bin/foo8 {
allow change_profile -> :fo**:/bin/foo,
}
/usr/bin/foo9 {
allow change_profile -> :fo?:/bin/foo,
}
/usr/bin/foo10 {
allow change_profile -> :fo[ab]:/bin/foo,
}
/usr/bin/foo11 {
allow change_profile -> :fo[^ab]:/bin/foo,
}
/usr/bin/foo12 {
allow change_profile -> :fo*:/bin/fo*,
}
/usr/bin/foo13 {
allow change_profile -> :fo**:/bin/fo**,
}
/usr/bin/foo14 {
allow change_profile -> :fo?:/bin/fo?,
}
/usr/bin/foo15 {
allow change_profile -> :fo[ab]:/bin/fo[ab],
}
/usr/bin/foo16 {
allow change_profile -> :fo[^ab]:/bin/fo[^ab],
}


@ -0,0 +1,51 @@
#
#=DESCRIPTION allow change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
@{LIBVIRT_RE}="libvirt*"
/usr/bin/foo {
allow change_profile -> @{LIBVIRT}-fo*,
}
/usr/bin/foo2 {
allow change_profile -> @{LIBVIRT}-fo**,
}
/usr/bin/foo3 {
allow change_profile -> @{LIBVIRT}-fo[ab],
}
/usr/bin/foo4 {
allow change_profile -> @{LIBVIRT}-fo[^ab],
}
/usr/bin/foo5 {
allow change_profile -> @{LIBVIRT}-fo?,
}
/usr/bin/foo6 {
allow change_profile -> @{LIBVIRT_RE}-foo,
}
/usr/bin/foo7 {
allow change_profile -> @{LIBVIRT_RE}-fo*,
}
/usr/bin/foo8 {
allow change_profile -> @{LIBVIRT_RE}-fo**,
}
/usr/bin/foo9 {
allow change_profile -> @{LIBVIRT_RE}-fo?,
}
/usr/bin/foo10 {
allow change_profile -> @{LIBVIRT_RE}-fo[ab],
}
/usr/bin/foo11 {
allow change_profile -> @{LIBVIRT_RE}-fo[^ab],
}


@ -0,0 +1,25 @@
#
#=DESCRIPTION allow change_profile with just res
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> *,
}
/usr/bin/foo2 {
allow change_profile -> **,
}
/usr/bin/foo3 {
allow change_profile -> ?,
}
/usr/bin/foo4 {
allow change_profile -> [ab],
}
/usr/bin/foo5 {
allow change_profile -> [^ab],
}
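Review bot: The description on the first line of this file reads `#=DESCRIPTION allow change_profile with just res`, where "res" looks like a typo for "re" — the namespace sibling below describes itself as "with just re, namespace", and every rule here is a bare regex target. Suggest `#=DESCRIPTION allow change_profile with just re`, with the same spelling fix applied to the child-profile and deny counterparts that carry identical wording. These description lines are what a test report shows for a failing case, so consistent wording makes the failing variant easier to locate.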


@ -0,0 +1,65 @@
#
#=DESCRIPTION allow change_profile with just res, child profile
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> *//ab,
}
/usr/bin/foo2 {
allow change_profile -> **//ab,
}
/usr/bin/foo3 {
allow change_profile -> ?//ab,
}
/usr/bin/foo4 {
allow change_profile -> [ab]//ab,
}
/usr/bin/foo5 {
allow change_profile -> [^ab]//ab,
}
/usr/bin/foo6 {
allow change_profile -> ab//*,
}
/usr/bin/foo7 {
allow change_profile -> ab//**,
}
/usr/bin/foo8 {
allow change_profile -> ab//?,
}
/usr/bin/foo9 {
allow change_profile -> ab//[ab],
}
/usr/bin/foo10 {
allow change_profile -> ab//[^ab],
}
/usr/bin/foo11 {
allow change_profile -> *//*,
}
/usr/bin/foo12 {
allow change_profile -> **//*,
}
/usr/bin/foo13 {
allow change_profile -> ?//*,
}
/usr/bin/foo14 {
allow change_profile -> [ab]//*,
}
/usr/bin/foo15 {
allow change_profile -> [^ab]//*,
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION allow change_profile with just re, namespace
#=EXRESULT PASS
#
/usr/bin/foo {
allow change_profile -> :ab:*,
}
/usr/bin/foo2 {
allow change_profile -> :ab:**,
}
/usr/bin/foo3 {
allow change_profile -> :ab:?,
}
/usr/bin/foo4 {
allow change_profile -> :ab:[ab],
}
/usr/bin/foo5 {
allow change_profile -> :ab:[^ab],
}
/usr/bin/foo6 {
allow change_profile -> :*:ab,
}
/usr/bin/foo7 {
allow change_profile -> :**:ab,
}
/usr/bin/foo8 {
allow change_profile -> :?:ab,
}
/usr/bin/foo9 {
allow change_profile -> :[ab]:ab,
}
/usr/bin/foo10 {
allow change_profile -> :[^ab]:ab,
}
/usr/bin/foo11 {
allow change_profile -> :*:*,
}
/usr/bin/foo12 {
allow change_profile -> :**:**,
}
/usr/bin/foo13 {
allow change_profile -> :?:?,
}
/usr/bin/foo14 {
allow change_profile -> :[ab]:[ab],
}
/usr/bin/foo15 {
allow change_profile -> :[^ab]:[^ab],
}


@ -0,0 +1,45 @@
#
#=DESCRIPTION allow change_profile re with quotes
#=EXRESULT PASS
#
/usr/bin/foo5 {
allow change_profile -> "/bin/*",
}
/usr/bin/foo6 {
allow change_profile -> "/bin/**",
}
/usr/bin/foo7 {
allow change_profile -> "/bin/[ab]",
}
/usr/bin/foo8 {
allow change_profile -> "/bin/[^ab]",
}
/usr/bin/foo10 {
allow change_profile -> "/bin/?ab",
}
/usr/bin/foo11 {
allow change_profile -> "/bin/ *",
}
/usr/bin/foo12 {
allow change_profile -> "/bin/ **",
}
/usr/bin/foo13 {
allow change_profile -> "/bin/ [ab]",
}
/usr/bin/foo14 {
allow change_profile -> "/bin/ [^ab]",
}
/usr/bin/foo15 {
allow change_profile -> "/bin/ ?ab",
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION owner not allow in change_profile
#=EXRESULT FAIL
#
/usr/bin/foo {
allow owner change_profile -> /bin/foo,
}
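Review bot: The description line `#=DESCRIPTION owner not allow in change_profile` is ungrammatical and differs from the wording used by the other owner-rejection cases in this series (`owner not allowed in change_profile`); suggest `#=DESCRIPTION owner not allowed in change_profile`. This file and the `audit owner change_profile` case that follows are expected to FAIL for the same reason, so keeping their descriptions identical makes it obvious they are variants of one check rather than two different expectations.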


@ -0,0 +1,7 @@
#
#=DESCRIPTION owner not allowed in change_profile
#=EXRESULT FAIL
#
/usr/bin/foo {
audit owner change_profile -> /bin/foo,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION deny change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION deny change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> /bin/foo,
}
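Review bot: This file only asserts that `deny change_profile -> /bin/foo,` parses (`#=EXRESULT PASS`); it cannot tell whether the deny actually reaches the compiled policy or is silently emitted as an allow, which is the security-relevant property of a deny rule. A parse-only check would pass in either case, so these deny files would be stronger paired with a compiled-output comparison: the policy generated for `deny change_profile -> /bin/foo,` must differ from the one generated for `allow change_profile -> /bin/foo,`. I cannot see from this page whether the commit adds such an equality check elsewhere, so this may already be covered.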


@ -0,0 +1,7 @@
#
#=DESCRIPTION deny change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> /bin/foo//bar,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION deny change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> :foo:/bin/foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION deny change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
deny change_profile -> @{LIBVIRT}-foo,
}


@ -0,0 +1,10 @@
#
#=DESCRIPTION deny change_profile with variable+regex (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
/usr/bin/foo {
deny change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION deny change_profile with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> "/bin/foo",
}
/usr/bin/foo2 {
deny change_profile -> "/bin/ foo",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION deny change_profile to a hat with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> "/bin/foo//bar",
}
/usr/bin/foo2 {
deny change_profile -> "/bin/foo// bar",
}


@ -0,0 +1,11 @@
#
#=DESCRIPTION deny change_profile with name space with quotes
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> ":foo:/bin/foo",
}
/usr/bin/foo2 {
deny change_profile -> ":foo:/bin/ foo",
}


@ -0,0 +1,24 @@
#
#=DESCRIPTION deny change_profile
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> /bin/*,
}
/usr/bin/foo2 {
deny change_profile -> /bin/**,
}
/usr/bin/foo3 {
deny change_profile -> /bin/?,
}
/usr/bin/foo4 {
deny change_profile -> /bin/[ab],
}
/usr/bin/foo5 {
deny change_profile -> /bin/[^ab],
}


@ -0,0 +1,69 @@
#
#=DESCRIPTION deny change_profile to a hat
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> /bin/foo//bar,
}
/usr/bin/foo2 {
deny change_profile -> /bin/foo//ba*,
}
/usr/bin/foo3 {
deny change_profile -> /bin/foo//ba**,
}
/usr/bin/foo4 {
deny change_profile -> /bin/foo//ba?,
}
/usr/bin/foo5 {
deny change_profile -> /bin/foo//ba[ab],
}
/usr/bin/foo6 {
deny change_profile -> /bin/foo//ba[^ab],
}
/usr/bin/foo7 {
deny change_profile -> /bin/fo*//bar,
}
/usr/bin/foo8 {
deny change_profile -> /bin/fo**//bar,
}
/usr/bin/foo9 {
deny change_profile -> /bin/fo?//bar,
}
/usr/bin/foo10 {
deny change_profile -> /bin/fo[ab]//bar,
}
/usr/bin/foo11 {
deny change_profile -> /bin/fo[^ab]//bar,
}
/usr/bin/foo12 {
deny change_profile -> /bin/fo*//ba*,
}
/usr/bin/foo13 {
deny change_profile -> /bin/fo**//ba**,
}
/usr/bin/foo14 {
deny change_profile -> /bin/fo?//ba?,
}
/usr/bin/foo15 {
deny change_profile -> /bin/fo[ab]//ba[ab],
}
/usr/bin/foo16 {
deny change_profile -> /bin/fo[^ab]//ba[^ab],
}


@ -0,0 +1,67 @@
#
#=DESCRIPTION deny change_profile with name space
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> :foo:/bin/foo,
}
/usr/bin/foo2 {
deny change_profile -> :foo:/bin/fo*,
}
/usr/bin/foo3 {
deny change_profile -> :foo:/bin/fo**,
}
/usr/bin/foo4 {
deny change_profile -> :foo:/bin/fo?,
}
/usr/bin/foo5 {
deny change_profile -> :foo:/bin/fo[ab],
}
/usr/bin/foo6 {
deny change_profile -> :foo:/bin/fo[^ab],
}
/usr/bin/foo7 {
deny change_profile -> :fo*:/bin/foo,
}
/usr/bin/foo8 {
deny change_profile -> :fo**:/bin/foo,
}
/usr/bin/foo9 {
deny change_profile -> :fo?:/bin/foo,
}
/usr/bin/foo10 {
deny change_profile -> :fo[ab]:/bin/foo,
}
/usr/bin/foo11 {
deny change_profile -> :fo[^ab]:/bin/foo,
}
/usr/bin/foo12 {
deny change_profile -> :fo*:/bin/fo*,
}
/usr/bin/foo13 {
deny change_profile -> :fo**:/bin/fo**,
}
/usr/bin/foo14 {
deny change_profile -> :fo?:/bin/fo?,
}
/usr/bin/foo15 {
deny change_profile -> :fo[ab]:/bin/fo[ab],
}
/usr/bin/foo16 {
deny change_profile -> :fo[^ab]:/bin/fo[^ab],
}


@ -0,0 +1,51 @@
#
#=DESCRIPTION deny change_profile with a variable (LP: #390810)
#=EXRESULT PASS
#
@{LIBVIRT}="libvirt"
@{LIBVIRT_RE}="libvirt*"
/usr/bin/foo {
deny change_profile -> @{LIBVIRT}-fo*,
}
/usr/bin/foo2 {
deny change_profile -> @{LIBVIRT}-fo**,
}
/usr/bin/foo3 {
deny change_profile -> @{LIBVIRT}-fo[ab],
}
/usr/bin/foo4 {
deny change_profile -> @{LIBVIRT}-fo[^ab],
}
/usr/bin/foo5 {
deny change_profile -> @{LIBVIRT}-fo?,
}
/usr/bin/foo6 {
deny change_profile -> @{LIBVIRT_RE}-foo,
}
/usr/bin/foo7 {
deny change_profile -> @{LIBVIRT_RE}-fo*,
}
/usr/bin/foo8 {
deny change_profile -> @{LIBVIRT_RE}-fo**,
}
/usr/bin/foo9 {
deny change_profile -> @{LIBVIRT_RE}-fo?,
}
/usr/bin/foo10 {
deny change_profile -> @{LIBVIRT_RE}-fo[ab],
}
/usr/bin/foo11 {
deny change_profile -> @{LIBVIRT_RE}-fo[^ab],
}


@ -0,0 +1,25 @@
#
#=DESCRIPTION deny change_profile with just res
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> *,
}
/usr/bin/foo2 {
deny change_profile -> **,
}
/usr/bin/foo3 {
deny change_profile -> ?,
}
/usr/bin/foo4 {
deny change_profile -> [ab],
}
/usr/bin/foo5 {
deny change_profile -> [^ab],
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION deny change_profile with just res, child profile
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> *//ab,
}
/usr/bin/foo2 {
deny change_profile -> **//ab,
}
/usr/bin/foo3 {
deny change_profile -> ?//ab,
}
/usr/bin/foo4 {
deny change_profile -> [ab]//ab,
}
/usr/bin/foo5 {
deny change_profile -> [^ab]//ab,
}
/usr/bin/foo6 {
deny change_profile -> ab//*,
}
/usr/bin/foo7 {
deny change_profile -> ab//**,
}
/usr/bin/foo8 {
deny change_profile -> ab//?,
}
/usr/bin/foo9 {
deny change_profile -> ab//[ab],
}
/usr/bin/foo10 {
deny change_profile -> ab//[^ab],
}
/usr/bin/foo11 {
deny change_profile -> *//*,
}
/usr/bin/foo12 {
deny change_profile -> **//*,
}
/usr/bin/foo13 {
deny change_profile -> ?//*,
}
/usr/bin/foo14 {
deny change_profile -> [ab]//*,
}
/usr/bin/foo15 {
deny change_profile -> [^ab]//*,
}


@ -0,0 +1,65 @@
#
#=DESCRIPTION deny change_profile with just re, namespace
#=EXRESULT PASS
#
/usr/bin/foo {
deny change_profile -> :ab:*,
}
/usr/bin/foo2 {
deny change_profile -> :ab:**,
}
/usr/bin/foo3 {
deny change_profile -> :ab:?,
}
/usr/bin/foo4 {
deny change_profile -> :ab:[ab],
}
/usr/bin/foo5 {
deny change_profile -> :ab:[^ab],
}
/usr/bin/foo6 {
deny change_profile -> :*:ab,
}
/usr/bin/foo7 {
deny change_profile -> :**:ab,
}
/usr/bin/foo8 {
deny change_profile -> :?:ab,
}
/usr/bin/foo9 {
deny change_profile -> :[ab]:ab,
}
/usr/bin/foo10 {
deny change_profile -> :[^ab]:ab,
}
/usr/bin/foo11 {
deny change_profile -> :*:*,
}
/usr/bin/foo12 {
deny change_profile -> :**:**,
}
/usr/bin/foo13 {
deny change_profile -> :?:?,
}
/usr/bin/foo14 {
deny change_profile -> :[ab]:[ab],
}
/usr/bin/foo15 {
deny change_profile -> :[^ab]:[^ab],
}


@ -0,0 +1,45 @@
#
#=DESCRIPTION deny change_profile re with quotes
#=EXRESULT PASS
#
/usr/bin/foo5 {
deny change_profile -> "/bin/*",
}
/usr/bin/foo6 {
deny change_profile -> "/bin/**",
}
/usr/bin/foo7 {
deny change_profile -> "/bin/[ab]",
}
/usr/bin/foo8 {
deny change_profile -> "/bin/[^ab]",
}
/usr/bin/foo10 {
deny change_profile -> "/bin/?ab",
}
/usr/bin/foo11 {
deny change_profile -> "/bin/ *",
}
/usr/bin/foo12 {
deny change_profile -> "/bin/ **",
}
/usr/bin/foo13 {
deny change_profile -> "/bin/ [ab]",
}
/usr/bin/foo14 {
deny change_profile -> "/bin/ [^ab]",
}
/usr/bin/foo15 {
deny change_profile -> "/bin/ ?ab",
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION deny audit in wrong order
#=EXRESULT FAIL
#
/usr/bin/foo {
deny audit change_profile,
}
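Review bot: This negative case shows `deny audit change_profile,` is rejected for prefix ordering, but among the files visible here there is no positive counterpart for the accepted order, so a regression that rejects both orderings would still pass this test. Suggest a companion file with `audit deny change_profile,` and `#=EXRESULT PASS` (and one with a target, `audit deny change_profile -> /bin/foo,`), unless that case already exists in the part of this commit not shown on this page. The description `deny audit in wrong order` could also name the rule type, e.g. `#=DESCRIPTION change_profile: deny audit in wrong order`, matching how the surrounding files reference change_profile in their descriptions.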


@ -0,0 +1,7 @@
#
#=DESCRIPTION owner not allowed in change_profile
#=EXRESULT FAIL
#
/usr/bin/foo {
deny owner change_profile,
}


@ -0,0 +1,7 @@
#
#=DESCRIPTION owner not allowed in change_profile
#=EXRESULT FAIL
#
/usr/bin/foo {
owner change_profile -> /bin/foo,
}