Merge Add support for new profile flags

This adds two new profile flags
* `interruptible` which can be used with prompt
* `kill.signal=XXX` which can be used to set the signal used by kill mode or the kill rule prefix

In addition it adds a few cleanups and fixes around profile flag handling

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1096
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>

parser/apparmor.d.pod

@@ -115,7 +115,7 @@ B<PROFILE FLAG CONDS> =  [ 'flags=' ] '(' comma or white space separated list of
 
 B<PROFILE FLAGS> = I<PROFILE MODE> | I<AUDIT_MODE> | 'mediate_deleted'
 | 'attach_disconnected' | 'attach_disconneced.path='I<ABS PATH> | 'chroot_relative'
-| 'debug'
+| 'debug' | 'interruptible' | 'kill.signal='I<SIGNAL>
 
 B<PROFILE MODE> = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt'
 
@@ -506,6 +506,11 @@ flags to control what messages will be output. Its effect is kernel
 dependent, and it should never appear in policy except when trying
 to debug kernel or policy problems.
 
+=item B<interruptible> Enables interrupts for prompt upcall to userspace.
+
+=item B<kill.signal>=I<SIGNALS> This changes the signal that will be
+sent by AppArmor when in kill mode or a kill rule has been violated.
+
 =back
 
 =head2 Access Modes

parser/parser.h

@@ -353,6 +353,8 @@ extern int features_supports_userns;
 extern int features_supports_posix_mqueue;
 extern int features_supports_sysv_mqueue;
 extern int features_supports_io_uring;
+extern int features_supports_flag_interruptible;
+extern int features_supports_flag_signal;
 extern int kernel_supports_oob;
 extern int conf_verbose;
 extern int conf_quiet;

parser/parser_common.c

@@ -82,6 +82,8 @@ int features_supports_userns = 0;	/* kernel supports user namespace */
 int features_supports_posix_mqueue = 0;	/* kernel supports mqueue rules */
 int features_supports_sysv_mqueue = 0;	/* kernel supports mqueue rules */
 int features_supports_io_uring = 0;	/* kernel supports io_uring rules */
+int features_supports_flag_interruptible = 0;
+int features_supports_flag_signal = 0;
 int kernel_supports_oob = 0;		/* out of band transitions */
 int conf_verbose = 0;
 int conf_quiet = 0;

parser/parser_interface.c

@@ -426,6 +426,10 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,
 				"disconnected");
 	}
 
+	if (profile->flags.signal && features_supports_flag_signal) {
+		sd_write_name(buf, "kill");
+		sd_write_uint32(buf, profile->flags.signal);
+	}
 	sd_write_struct(buf, "flags");
 	/* used to be flags.debug, but that's no longer supported */
 	sd_write_uint32(buf, profile->flags.flags);

parser/parser_main.c

@@ -951,6 +951,12 @@ void set_supported_features()
 	features_supports_io_uring = features_intersect(kernel_features,
 							policy_features,
 							"io_uring");
+	features_supports_flag_interruptible = features_intersect(kernel_features,
+						policy_features,
+						"policy/profile/interruptible");
+	features_supports_flag_signal = features_intersect(kernel_features,
+							   policy_features,
+				      "policy/profile/kill.signal");
 }
 
 static bool do_print_cache_dir(aa_features *features, int dirfd, const char *path)

parser/parser_yacc.y

@@ -575,8 +575,9 @@ valuelist:	valuelist TOK_VALUE
 	}
 
 flags:	{ /* nothing */
-	flagvals fv = { 0, MODE_UNSPECIFIED, 0, 0, NULL };
+		flagvals fv;
 
+		fv.init();
 		$$ = fv;
 	};
 
@@ -596,27 +597,7 @@ flags:	opt_flags TOK_OPENPAREN flagvals TOK_CLOSEPAREN
 
 flagvals:	flagvals flagval
 	{
-		if (merge_profile_mode($1.mode, $2.mode) == MODE_CONFLICT)
-			yyerror(_("Profile flag '%s' conflicts with '%s'"),
-				profile_mode_table[$1.mode],
-				profile_mode_table[$2.mode]);
-		$1.mode = merge_profile_mode($1.mode, $2.mode);
-		$1.audit = $1.audit || $2.audit;
-		$1.path = $1.path | $2.path;
-		if (($1.path & (PATH_CHROOT_REL | PATH_NS_REL)) ==
-		    (PATH_CHROOT_REL | PATH_NS_REL))
-			yyerror(_("Profile flag chroot_relative conflicts with namespace_relative"));
-
-		if (($1.path & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) ==
-		    (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED))
-			yyerror(_("Profile flag mediate_deleted conflicts with delegate_deleted"));
-		if (($1.path & (PATH_ATTACH | PATH_NO_ATTACH)) ==
-		    (PATH_ATTACH | PATH_NO_ATTACH))
-			yyerror(_("Profile flag attach_disconnected conflicts with no_attach_disconnected"));
-		if (($1.path & (PATH_CHROOT_NSATTACH | PATH_CHROOT_NO_ATTACH)) ==
-		    (PATH_CHROOT_NSATTACH | PATH_CHROOT_NO_ATTACH))
-			yyerror(_("Profile flag chroot_attach conflicts with chroot_no_attach"));
-
+		$1.merge($2);
 		$$ = $1;
 	};
 
@@ -627,39 +608,9 @@ flagvals:	flagval
 
 flagval:	TOK_VALUE
 	{
-		flagvals fv = { 0, MODE_UNSPECIFIED, 0, 0, NULL };
-		enum profile_mode mode;
+		flagvals fv;
 
-		if (strcmp($1, "debug") == 0) {
-			/* DEBUG2 is left for internal compiler use atm */
-			fv.flags |= FLAG_DEBUG1;
-		} else if ((mode = str_to_mode($1))) {
-			fv.mode = mode;
-		} else if (strcmp($1, "audit") == 0) {
-			fv.audit = 1;
-		} else if (strcmp($1, "chroot_relative") == 0) {
-			fv.path |= PATH_CHROOT_REL;
-		} else if (strcmp($1, "namespace_relative") == 0) {
-			fv.path |= PATH_NS_REL;
-		} else if (strcmp($1, "mediate_deleted") == 0) {
-			fv.path |= PATH_MEDIATE_DELETED;
-		} else if (strcmp($1, "delegate_deleted") == 0) {
-			fv.path |= PATH_DELEGATE_DELETED;
-		} else if (strcmp($1, "attach_disconnected") == 0) {
-			fv.path |= PATH_ATTACH;
-		} else if (strcmp($1, "no_attach_disconnected") == 0) {
-			fv.path |= PATH_NO_ATTACH;
-		} else if (strcmp($1, "chroot_attach") == 0) {
-			fv.path |= PATH_CHROOT_NSATTACH;
-		} else if (strcmp($1, "chroot_no_attach") == 0) {
-			fv.path |= PATH_CHROOT_NO_ATTACH;
-		} else if (strncmp($1, "attach_disconnected.path=", 25) == 0) {
-			/* TODO: make this a proper parse */
-			fv.path |= PATH_ATTACH;
-			fv.disconnected_path = strdup($1 + 25);
-		} else {
-			yyerror(_("Invalid profile flag: %s."), $1);
-		}
+		fv.init($1);
 		free($1);
 		$$ = fv;
 	};

parser/profile.cc

@@ -347,6 +347,19 @@ static int profile_add_hat_rules(Profile *prof)
 
 void Profile::post_parse_profile(void)
 {
+	/* semantic check stuff that can't be done in parse, like flags */
+	if (flags.flags & FLAG_INTERRUPTIBLE) {
+		if (!features_supports_flag_interruptible) {
+			warn_once(name, "flag interruptible not supported. Ignoring");
+			/* TODO: don't clear in parse data, only at encode */
+			flags.flags &= ~FLAG_INTERRUPTIBLE;
+		}
+	}
+	if (flags.signal) {
+		if (!features_supports_flag_signal) {
+			warn_once(name, "kill.signal not supported. Ignoring");
+		}
+	}
 	post_process_file_entries(this);
 	post_process_rule_entries(this);
 }
@@ -363,3 +376,9 @@ void Profile::add_implied_rules(void)
 	}
 
 }
+
+/* do we want to warn once/profile or just once per compile?? */
+void Profile::warn_once(const char *name, const char *msg)
+{
+	common_warn_once(name, msg, &warned_name);
+}

parser/profile.h

@@ -23,6 +23,7 @@
 #include "rule.h"
 #include "libapparmor_re/aare_rules.h"
 #include "network.h"
+#include "signal.h"
 
 class Profile;
 
@@ -114,7 +115,9 @@ static inline enum profile_mode str_to_mode(const char *str)
 #define FLAG_HAT 1
 #define FLAG_DEBUG1 2
 #define FLAG_DEBUG2 4
+#define FLAG_INTERRUPTIBLE 8
 
+/* sigh, used in parse union so needs trivial constructors. */
 class flagvals {
 public:
 	int flags;
@@ -122,6 +125,61 @@ public:
 	int audit;
 	int path;
 	char *disconnected_path;
+	int signal;
+
+	// stupid not constructor constructors
+	void init(void)
+	{
+		flags = 0;
+		mode = MODE_UNSPECIFIED;
+		audit = 0;
+		path = 0;
+		disconnected_path = NULL;
+		signal = 0;
+	}
+	void init(const char *str)
+	{
+		init();
+		enum profile_mode pmode = str_to_mode(str);
+
+		if (strcmp(str, "debug") == 0) {
+			/* DEBUG2 is left for internal compiler use atm */
+			flags |= FLAG_DEBUG1;
+		} else if (pmode) {
+			mode = pmode;
+		} else if (strcmp(str, "audit") == 0) {
+			audit = 1;
+		} else if (strcmp(str, "chroot_relative") == 0) {
+			path |= PATH_CHROOT_REL;
+		} else if (strcmp(str, "namespace_relative") == 0) {
+			path |= PATH_NS_REL;
+		} else if (strcmp(str, "mediate_deleted") == 0) {
+			path |= PATH_MEDIATE_DELETED;
+		} else if (strcmp(str, "delegate_deleted") == 0) {
+			path |= PATH_DELEGATE_DELETED;
+		} else if (strcmp(str, "attach_disconnected") == 0) {
+			path |= PATH_ATTACH;
+		} else if (strcmp(str, "no_attach_disconnected") == 0) {
+			path |= PATH_NO_ATTACH;
+		} else if (strcmp(str, "chroot_attach") == 0) {
+			path |= PATH_CHROOT_NSATTACH;
+		} else if (strcmp(str, "chroot_no_attach") == 0) {
+			path |= PATH_CHROOT_NO_ATTACH;
+		} else if (strncmp(str, "attach_disconnected.path=", 25) == 0) {
+			/* TODO: make this a proper parse */
+			path |= PATH_ATTACH;
+			disconnected_path = strdup(str + 25);
+		} else if (strncmp(str, "kill.signal=", 12) == 0) {
+			/* TODO: make this a proper parse */
+			signal = find_signal_mapping(str + 12);
+			if (signal == -1)
+				yyerror("unknown signal specified for kill.signal=\'%s\'\n", str + 12);
+		} else if (strcmp(str, "interruptible") == 0) {
+				flags |= FLAG_INTERRUPTIBLE;
+		} else {
+			yyerror(_("Invalid profile flag: %s."), str);
+		}
+	}
 
 	ostream &dump(ostream &os)
 	{
@@ -135,6 +193,8 @@ public:
 
 		if (disconnected_path)
 			os << ", attach_disconnected.path=" << disconnected_path;
+		if (signal)
+			os << ", kill.signal=" << signal;
 		os << "\n";
 
 		return os;
@@ -148,6 +208,58 @@ public:
 #endif
 	}
 
+	/* warning for now disconnected_path is just passed on (not copied),
+	 * or leaked on error. It is not freed here, It is freed when the
+	 * profile destroys it self.
+	 */
+	void merge(const flagvals &rhs)
+	{
+		if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT)
+			yyerror(_("Profile flag '%s' conflicts with '%s'"),
+				profile_mode_table[mode],
+				profile_mode_table[rhs.mode]);
+		mode = merge_profile_mode(mode, rhs.mode);
+		audit = audit || rhs.audit;
+		path = path | rhs.path;
+		if ((path & (PATH_CHROOT_REL | PATH_NS_REL)) ==
+		    (PATH_CHROOT_REL | PATH_NS_REL))
+			yyerror(_("Profile flag chroot_relative conflicts with namespace_relative"));
+
+		if ((path & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) ==
+		    (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED))
+			yyerror(_("Profile flag mediate_deleted conflicts with delegate_deleted"));
+		if ((path & (PATH_ATTACH | PATH_NO_ATTACH)) ==
+		    (PATH_ATTACH | PATH_NO_ATTACH))
+			yyerror(_("Profile flag attach_disconnected conflicts with no_attach_disconnected"));
+		if ((path & (PATH_CHROOT_NSATTACH | PATH_CHROOT_NO_ATTACH)) ==
+		    (PATH_CHROOT_NSATTACH | PATH_CHROOT_NO_ATTACH))
+			yyerror(_("Profile flag chroot_attach conflicts with chroot_no_attach"));
+
+		if (rhs.disconnected_path) {
+			if (disconnected_path) {
+				if (strcmp(disconnected_path, rhs.disconnected_path) != 0) {
+					yyerror(_("Profile flag attach_disconnected set to conflicting values: '%s' and '%s'"), disconnected_path, rhs.disconnected_path);
+				}
+				// same ignore rhs.disconnect_path
+			} else {
+				disconnected_path = rhs.disconnected_path;
+			}
+		}
+		if (rhs.signal) {
+			if (signal) {
+				if (signal != rhs.signal) {
+					yyerror(_("Profile flag kill.signal set to conflicting values: '%d' and '%d'"), signal, rhs.signal);
+				}
+				// same so do nothing
+			} else {
+				signal = rhs.signal;
+			}
+		}
+
+		/* if we move to dupping disconnected_path will need to have
+		 * an assignment and copy constructor and a destructor
+		 */
+	}
 };
 
 struct capabilities {
@@ -225,7 +337,7 @@ public:
 
 		parent = NULL;
 
-		flags = { 0, MODE_UNSPECIFIED, 0, 0, NULL };
+		flags.init();
 		rlimits = {0, {}};
 
 		std::fill(exec_table, exec_table + AA_EXEC_COUNT, (char *)NULL);
@@ -319,6 +431,10 @@ public:
 
 	void post_parse_profile(void);
 	void add_implied_rules(void);
+
+protected:
+	const char *warned_name = NULL;
+	virtual void warn_once(const char *name, const char *msg);
 };
 
 

parser/signal.cc

@@ -121,7 +121,7 @@ int parse_signal_perms(const char *str_perms, perms_t *perms, int fail)
 	return parse_X_perms("signal", AA_VALID_SIGNAL_PERMS, str_perms, perms, fail);
 }
 
-static int find_signal_mapping(const char *sig)
+int find_signal_mapping(const char *sig)
 {
 	if (strncmp("rtmin+", sig, 6) == 0) {
 		char *end;

parser/signal.h

@@ -31,6 +31,7 @@
 
 typedef set<int> Signals;
 
+int find_signal_mapping(const char *sig);
 int parse_signal_perms(const char *str_perms, perms_t *perms, int fail);
 
 class signal_rule: public perms_rule_t {

parser/tst/simple_tests/profile/flags/flags_bad64.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, kill, interruptible) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad65.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, kill, interruptible) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad66.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, complain, kill, unconfined, interruptible) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad67.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure bad signal value
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=0) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad68.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure bad signal value
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=foo) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_bad69.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure bad signal value
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=hup.) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok29.sd

@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok30.sd

@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible audit) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok31.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, interruptible) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok32.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, interruptible) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok33.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill, interruptible) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok34.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible, enforce) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok35.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible, complain) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok36.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible, kill) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok37.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible, unconfined) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok38.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, interruptible) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok39.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, interruptible) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok40.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, kill.signal=hup) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok41.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure signal.kill works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, kill.signal=kill) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok42.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=int, unconfined) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok43.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=quit, kill) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok44.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=hup, complain) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok45.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=ill, enforce) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok46.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill, kill.signal=trap) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok47.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, kill.signal=bus) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok48.sd

@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, kill.signal=usr1) {
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok49.sd

@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION Ensure kill.signals works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=stop audit) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

parser/tst/simple_tests/profile/flags/flags_ok50.sd

@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=emt) {
+  #include <includes/base>
+
+  /usr/X11R6/lib/lib*so* r,
+  /does/not/exist r,
+}

utils/test/test-parser-simple-tests.py

@@ -164,6 +164,12 @@ exception_not_raised = (
     'profile/flags/flags_bad54.sd',
     'profile/flags/flags_bad55.sd',
     'profile/flags/flags_bad56.sd',
+    'profile/flags/flags_bad64.sd',
+    'profile/flags/flags_bad65.sd',
+    'profile/flags/flags_bad66.sd',
+    'profile/flags/flags_bad67.sd',
+    'profile/flags/flags_bad68.sd',
+    'profile/flags/flags_bad69.sd',
     'profile/flags/flags_bad_disconnected_path1.sd',
     'profile/flags/flags_bad_disconnected_path2.sd',
     'profile/flags/flags_bad_disconnected_path3.sd',