diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index 95b7e9691..d13a46371 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -115,7 +115,7 @@ B = [ 'flags=' ] '(' comma or white space separated list of B = I | I | 'mediate_deleted' | 'attach_disconnected' | 'attach_disconneced.path='I | 'chroot_relative' -| 'debug' +| 'debug' | 'interruptible' | 'kill.signal='I B = 'enforce' | 'complain' | 'kill' | 'unconfined' | 'prompt' @@ -506,6 +506,11 @@ flags to control what messages will be output. Its effect is kernel dependent, and it should never appear in policy except when trying to debug kernel or policy problems. +=item B Enables interrupts for prompt upcall to userspace. + +=item B=I This changes the signal that will be +sent by AppArmor when in kill mode or a kill rule has been violated. + =back =head2 Access Modes diff --git a/parser/parser.h b/parser/parser.h index 95b177060..7cb89a139 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -353,6 +353,8 @@ extern int features_supports_userns; extern int features_supports_posix_mqueue; extern int features_supports_sysv_mqueue; extern int features_supports_io_uring; +extern int features_supports_flag_interruptible; +extern int features_supports_flag_signal; extern int kernel_supports_oob; extern int conf_verbose; extern int conf_quiet; diff --git a/parser/parser_common.c b/parser/parser_common.c index f117d2ffa..ff245d057 100644 --- a/parser/parser_common.c +++ b/parser/parser_common.c @@ -82,6 +82,8 @@ int features_supports_userns = 0; /* kernel supports user namespace */ int features_supports_posix_mqueue = 0; /* kernel supports mqueue rules */ int features_supports_sysv_mqueue = 0; /* kernel supports mqueue rules */ int features_supports_io_uring = 0; /* kernel supports io_uring rules */ +int features_supports_flag_interruptible = 0; +int features_supports_flag_signal = 0; int kernel_supports_oob = 0; /* out of band transitions */ int conf_verbose = 0; int conf_quiet = 0; 
diff --git a/parser/parser_interface.c b/parser/parser_interface.c index c7e478f92..8dc65923a 100644 --- a/parser/parser_interface.c +++ b/parser/parser_interface.c @@ -426,6 +426,10 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile, "disconnected"); } + if (profile->flags.signal && features_supports_flag_signal) { + sd_write_name(buf, "kill"); + sd_write_uint32(buf, profile->flags.signal); + } sd_write_struct(buf, "flags"); /* used to be flags.debug, but that's no longer supported */ sd_write_uint32(buf, profile->flags.flags); diff --git a/parser/parser_main.c b/parser/parser_main.c index d46eb8ef2..936017c12 100644 --- a/parser/parser_main.c +++ b/parser/parser_main.c @@ -951,6 +951,12 @@ void set_supported_features() features_supports_io_uring = features_intersect(kernel_features, policy_features, "io_uring"); + features_supports_flag_interruptible = features_intersect(kernel_features, + policy_features, + "policy/profile/interruptible"); + features_supports_flag_signal = features_intersect(kernel_features, + policy_features, + "policy/profile/kill.signal"); } static bool do_print_cache_dir(aa_features *features, int dirfd, const char *path) diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index 688edd5c9..aef59e731 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -575,8 +575,9 @@ valuelist: valuelist TOK_VALUE } flags: { /* nothing */ - flagvals fv = { 0, MODE_UNSPECIFIED, 0, 0, NULL }; + flagvals fv; + fv.init(); $$ = fv; }; 
@@ -596,27 +597,7 @@ flags: opt_flags TOK_OPENPAREN flagvals TOK_CLOSEPAREN flagvals: flagvals flagval { - if (merge_profile_mode($1.mode, $2.mode) == MODE_CONFLICT) - yyerror(_("Profile flag '%s' conflicts with '%s'"), - profile_mode_table[$1.mode], - profile_mode_table[$2.mode]); - $1.mode = merge_profile_mode($1.mode, $2.mode); - $1.audit = $1.audit || $2.audit; - $1.path = $1.path | $2.path; - if (($1.path & (PATH_CHROOT_REL | PATH_NS_REL)) == - (PATH_CHROOT_REL | PATH_NS_REL)) - yyerror(_("Profile flag chroot_relative conflicts with namespace_relative")); - - if (($1.path & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) == - (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) - yyerror(_("Profile flag mediate_deleted conflicts with delegate_deleted")); - if (($1.path & (PATH_ATTACH | PATH_NO_ATTACH)) == - (PATH_ATTACH | PATH_NO_ATTACH)) - yyerror(_("Profile flag attach_disconnected conflicts with no_attach_disconnected")); - if (($1.path & (PATH_CHROOT_NSATTACH | PATH_CHROOT_NO_ATTACH)) == - (PATH_CHROOT_NSATTACH | PATH_CHROOT_NO_ATTACH)) - yyerror(_("Profile flag chroot_attach conflicts with chroot_no_attach")); - + $1.merge($2); $$ = $1; }; 
@@ -627,39 +608,9 @@ flagvals: flagval flagval: TOK_VALUE { - flagvals fv = { 0, MODE_UNSPECIFIED, 0, 0, NULL }; - enum profile_mode mode; + flagvals fv; - if (strcmp($1, "debug") == 0) { - /* DEBUG2 is left for internal compiler use atm */ - fv.flags |= FLAG_DEBUG1; - } else if ((mode = str_to_mode($1))) { - fv.mode = mode; - } else if (strcmp($1, "audit") == 0) { - fv.audit = 1; - } else if (strcmp($1, "chroot_relative") == 0) { - fv.path |= PATH_CHROOT_REL; - } else if (strcmp($1, "namespace_relative") == 0) { - fv.path |= PATH_NS_REL; - } else if (strcmp($1, "mediate_deleted") == 0) { - fv.path |= PATH_MEDIATE_DELETED; - } else if (strcmp($1, "delegate_deleted") == 0) { - fv.path |= PATH_DELEGATE_DELETED; - } else if (strcmp($1, "attach_disconnected") == 0) { - fv.path |= PATH_ATTACH; - } else if (strcmp($1, "no_attach_disconnected") == 0) { - fv.path |= PATH_NO_ATTACH; - } else if (strcmp($1, "chroot_attach") == 0) { - fv.path |= PATH_CHROOT_NSATTACH; - } else if (strcmp($1, "chroot_no_attach") == 0) { - fv.path |= PATH_CHROOT_NO_ATTACH; - } else if (strncmp($1, "attach_disconnected.path=", 25) == 0) { - /* TODO: make this a proper parse */ - fv.path |= PATH_ATTACH; - fv.disconnected_path = strdup($1 + 25); - } else { - yyerror(_("Invalid profile flag: %s."), $1); - } + fv.init($1); free($1); $$ = fv; }; diff --git a/parser/profile.cc b/parser/profile.cc index 394099a0e..d82330f15 100644 --- a/parser/profile.cc +++ b/parser/profile.cc 
@@ -347,6 +347,19 @@ static int profile_add_hat_rules(Profile *prof) void Profile::post_parse_profile(void) { + /* semantic check stuff that can't be done in parse, like flags */ + if (flags.flags & FLAG_INTERRUPTIBLE) { + if (!features_supports_flag_interruptible) { + warn_once(name, "flag interruptible not supported. Ignoring"); + /* TODO: don't clear in parse data, only at encode */ + flags.flags &= ~FLAG_INTERRUPTIBLE; + } + } + if (flags.signal) { + if (!features_supports_flag_signal) { + warn_once(name, "kill.signal not supported. Ignoring"); + } + } post_process_file_entries(this); post_process_rule_entries(this); } @@ -363,3 +376,9 @@ void Profile::add_implied_rules(void) } } + +/* do we want to warn once/profile or just once per compile?? */ +void Profile::warn_once(const char *name, const char *msg) +{ + common_warn_once(name, msg, &warned_name); +} diff --git a/parser/profile.h b/parser/profile.h index a81b41eba..3c8f2c1e3 100644 --- a/parser/profile.h +++ b/parser/profile.h @@ -23,6 +23,7 @@ #include "rule.h" #include "libapparmor_re/aare_rules.h" #include "network.h" +#include "signal.h" class Profile; @@ -114,7 +115,9 @@ static inline enum profile_mode str_to_mode(const char *str) #define FLAG_HAT 1 #define FLAG_DEBUG1 2 #define FLAG_DEBUG2 4 +#define FLAG_INTERRUPTIBLE 8 +/* sigh, used in parse union so needs trivial constructors. */ class flagvals { public: int flags; 
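Review bot: In post_parse_profile() both new warnings go through `warn_once(name, ...)`, and the warn_once() added further down in this file passes one shared `&warned_name` to common_warn_once(). The body of common_warn_once() is not in this diff, but if it de-duplicates on that name, a profile using both `interruptible` and `kill.signal` on an unsupporting kernel would report only the first, and the operator would not learn that the configured kill signal was dropped. The handling is also asymmetric: FLAG_INTERRUPTIBLE is cleared here, while `flags.signal` stays set and is filtered only in sd_serialize_profile(), so dump() still prints a value that is never loaded. Either clear it here as well with `flags.signal = 0;`, or add a comment such as `/* left set on purpose; sd_serialize_profile() skips it when unsupported */`.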
@@ -122,6 +125,61 @@ public: int audit; int path; char *disconnected_path; + int signal; + + // stupid not constructor constructors + void init(void) + { + flags = 0; + mode = MODE_UNSPECIFIED; + audit = 0; + path = 0; + disconnected_path = NULL; + signal = 0; + } + void init(const char *str) + { + init(); + enum profile_mode pmode = str_to_mode(str); + + if (strcmp(str, "debug") == 0) { + /* DEBUG2 is left for internal compiler use atm */ + flags |= FLAG_DEBUG1; + } else if (pmode) { + mode = pmode; + } else if (strcmp(str, "audit") == 0) { + audit = 1; + } else if (strcmp(str, "chroot_relative") == 0) { + path |= PATH_CHROOT_REL; + } else if (strcmp(str, "namespace_relative") == 0) { + path |= PATH_NS_REL; + } else if (strcmp(str, "mediate_deleted") == 0) { + path |= PATH_MEDIATE_DELETED; + } else if (strcmp(str, "delegate_deleted") == 0) { + path |= PATH_DELEGATE_DELETED; + } else if (strcmp(str, "attach_disconnected") == 0) { + path |= PATH_ATTACH; + } else if (strcmp(str, "no_attach_disconnected") == 0) { + path |= PATH_NO_ATTACH; + } else if (strcmp(str, "chroot_attach") == 0) { + path |= PATH_CHROOT_NSATTACH; + } else if (strcmp(str, "chroot_no_attach") == 0) { + path |= PATH_CHROOT_NO_ATTACH; + } else if (strncmp(str, "attach_disconnected.path=", 25) == 0) { + /* TODO: make this a proper parse */ + path |= PATH_ATTACH; + disconnected_path = strdup(str + 25); + } else if (strncmp(str, "kill.signal=", 12) == 0) { + /* TODO: make this a proper parse */ + signal = find_signal_mapping(str + 12); + if (signal == -1) + yyerror("unknown signal specified for kill.signal=\'%s\'\n", str + 12); + } else if (strcmp(str, "interruptible") == 0) { + flags |= FLAG_INTERRUPTIBLE; + } else { + yyerror(_("Invalid profile flag: %s."), str); + } + } ostream &dump(ostream &os) { @@ -135,6 +193,8 @@ public: if (disconnected_path) os << ", attach_disconnected.path=" << disconnected_path; + if (signal) + os << ", kill.signal=" << signal; os << "\n"; return os; 
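Review bot: The `kill.signal=` branch of init(const char *) accepts whatever find_signal_mapping() resolves and rejects only -1, so policy can select signals that a task can catch or that merely stop it; the tests added in this commit use `hup`, `usr1` and `stop`. Whether kill mode still ends the task with such a signal is decided in the kernel and cannot be seen here, so the branch should carry a comment saying so, e.g. `/* any mapped signal is accepted, including ones a task can catch or that only stop it */`, and the new man page entry would benefit from the same caveat. The error string in this branch is also the only one not wrapped in `_()`, and it carries a trailing `\n` and needless `\'` escapes, unlike `yyerror(_("Invalid profile flag: %s."), str);` a few lines below.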
@@ -148,6 +208,58 @@ public: #endif } + /* warning for now disconnected_path is just passed on (not copied), + * or leaked on error. It is not freed here, It is freed when the + * profile destroys it self. + */ + void merge(const flagvals &rhs) + { + if (merge_profile_mode(mode, rhs.mode) == MODE_CONFLICT) + yyerror(_("Profile flag '%s' conflicts with '%s'"), + profile_mode_table[mode], + profile_mode_table[rhs.mode]); + mode = merge_profile_mode(mode, rhs.mode); + audit = audit || rhs.audit; + path = path | rhs.path; + if ((path & (PATH_CHROOT_REL | PATH_NS_REL)) == + (PATH_CHROOT_REL | PATH_NS_REL)) + yyerror(_("Profile flag chroot_relative conflicts with namespace_relative")); + + if ((path & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) == + (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)) + yyerror(_("Profile flag mediate_deleted conflicts with delegate_deleted")); + if ((path & (PATH_ATTACH | PATH_NO_ATTACH)) == + (PATH_ATTACH | PATH_NO_ATTACH)) + yyerror(_("Profile flag attach_disconnected conflicts with no_attach_disconnected")); + if ((path & (PATH_CHROOT_NSATTACH | PATH_CHROOT_NO_ATTACH)) == + (PATH_CHROOT_NSATTACH | PATH_CHROOT_NO_ATTACH)) + yyerror(_("Profile flag chroot_attach conflicts with chroot_no_attach")); + + if (rhs.disconnected_path) { + if (disconnected_path) { + if (strcmp(disconnected_path, rhs.disconnected_path) != 0) { + yyerror(_("Profile flag attach_disconnected set to conflicting values: '%s' and '%s'"), disconnected_path, rhs.disconnected_path); + } + // same ignore rhs.disconnect_path + } else { + disconnected_path = rhs.disconnected_path; + } + } + if (rhs.signal) { + if (signal) { + if (signal != rhs.signal) { + yyerror(_("Profile flag kill.signal set to conflicting values: '%d' and '%d'"), signal, rhs.signal); + } + // same so do nothing + } else { + signal = rhs.signal; + } + } + + /* if we move to dupping disconnected_path will need to have + * an assignment and copy constructor and a destructor + */ + } }; struct capabilities 
{ @@ -225,7 +337,7 @@ public: parent = NULL; - flags = { 0, MODE_UNSPECIFIED, 0, 0, NULL }; + flags.init(); rlimits = {0, {}}; std::fill(exec_table, exec_table + AA_EXEC_COUNT, (char *)NULL); @@ -319,6 +431,10 @@ public: void post_parse_profile(void); void add_implied_rules(void); + +protected: + const char *warned_name = NULL; + virtual void warn_once(const char *name, const char *msg); }; diff --git a/parser/signal.cc b/parser/signal.cc index 09e144ba0..15fc5a17a 100644 --- a/parser/signal.cc +++ b/parser/signal.cc @@ -121,7 +121,7 @@ int parse_signal_perms(const char *str_perms, perms_t *perms, int fail) return parse_X_perms("signal", AA_VALID_SIGNAL_PERMS, str_perms, perms, fail); } -static int find_signal_mapping(const char *sig) +int find_signal_mapping(const char *sig) { if (strncmp("rtmin+", sig, 6) == 0) { char *end; diff --git a/parser/signal.h b/parser/signal.h index e5df3d2a7..4cb4411f9 100644 --- a/parser/signal.h +++ b/parser/signal.h @@ -31,6 +31,7 @@ typedef set Signals; +int find_signal_mapping(const char *sig); int parse_signal_perms(const char *str_perms, perms_t *perms, int fail); class signal_rule: public perms_rule_t { diff --git a/parser/tst/simple_tests/profile/flags/flags_bad64.sd b/parser/tst/simple_tests/profile/flags/flags_bad64.sd new file mode 100644 index 000000000..b92cabef8 --- /dev/null +++ b/parser/tst/simple_tests/profile/flags/flags_bad64.sd @@ -0,0 +1,10 @@ +# +#=DESCRIPTION Ensure conflicting mode flags cause an error +#=EXRESULT FAIL +# vim:syntax=subdomain +# Last Modified: Sun Apr 17 19:44:44 2005 +# +/does/not/exist flags=(enforce, kill, interruptible) { + /usr/X11R6/lib/lib*so* r, + /does/not/exist r, +} diff --git a/parser/tst/simple_tests/profile/flags/flags_bad65.sd b/parser/tst/simple_tests/profile/flags/flags_bad65.sd new file mode 100644 index 000000000..63d6b9d3c --- /dev/null +++ b/parser/tst/simple_tests/profile/flags/flags_bad65.sd 
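Review bot: flagvals::merge(), added in the hunk at -148,6 +208,58 and complete within it, never merges the `flags` member, so FLAG_INTERRUPTIBLE survives only when `interruptible` is the first entry of the list. A profile written as `flags=(enforce, interruptible)`, as in flags_ok31.sd, still parses but would lose the bit before post_parse_profile() checks it. The removed yacc code had the same gap for `debug`; the new flag makes it matter. Add `flags |= rhs.flags;` next to the `path = path | rhs.path;` line. The simple tests only check that parsing succeeds, so they cannot catch this, and none of them exercises the new conflict branch with two different `kill.signal=` values.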
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, kill, interruptible) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad66.sd b/parser/tst/simple_tests/profile/flags/flags_bad66.sd
new file mode 100644
index 000000000..4e303ed31
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad66.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, complain, kill, unconfined, interruptible) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad67.sd b/parser/tst/simple_tests/profile/flags/flags_bad67.sd
new file mode 100644
index 000000000..163f30bc1
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad67.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure bad signal value
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=0) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad68.sd b/parser/tst/simple_tests/profile/flags/flags_bad68.sd
new file mode 100644
index 000000000..03a617a1a
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad68.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure bad signal value
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=foo) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_bad69.sd b/parser/tst/simple_tests/profile/flags/flags_bad69.sd
new file mode 100644
index 000000000..cb5a8a81d
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_bad69.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure bad signal value
+#=EXRESULT FAIL
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=hup.) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok29.sd b/parser/tst/simple_tests/profile/flags/flags_ok29.sd
new file mode 100644
index 000000000..962ad131a
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok29.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok30.sd b/parser/tst/simple_tests/profile/flags/flags_ok30.sd
new file mode 100644
index 000000000..c4cd9e0cf
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok30.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION validate some uses of the profile flags.
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok31.sd b/parser/tst/simple_tests/profile/flags/flags_ok31.sd
new file mode 100644
index 000000000..8657e04b1
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok31.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, interruptible) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok32.sd b/parser/tst/simple_tests/profile/flags/flags_ok32.sd
new file mode 100644
index 000000000..1ddfdf2f5
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok32.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, interruptible) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok33.sd b/parser/tst/simple_tests/profile/flags/flags_ok33.sd
new file mode 100644
index 000000000..b8e3e8b20
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok33.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill, interruptible) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok34.sd b/parser/tst/simple_tests/profile/flags/flags_ok34.sd
new file mode 100644
index 000000000..50af6e471
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok34.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible, enforce) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok35.sd b/parser/tst/simple_tests/profile/flags/flags_ok35.sd
new file mode 100644
index 000000000..a1b7b68a5
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok35.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible, complain) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok36.sd b/parser/tst/simple_tests/profile/flags/flags_ok36.sd
new file mode 100644
index 000000000..1dc0278e8
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok36.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok37.sd b/parser/tst/simple_tests/profile/flags/flags_ok37.sd
new file mode 100644
index 000000000..25068df2d
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok37.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(interruptible, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok38.sd b/parser/tst/simple_tests/profile/flags/flags_ok38.sd
new file mode 100644
index 000000000..8657e04b1
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok38.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, interruptible) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok39.sd b/parser/tst/simple_tests/profile/flags/flags_ok39.sd
new file mode 100644
index 000000000..2980edd11
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok39.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION ensure flag does not conflict with other mdes, and flags
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, interruptible) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok40.sd b/parser/tst/simple_tests/profile/flags/flags_ok40.sd
new file mode 100644
index 000000000..6706655b2
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok40.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure conflicting mode flags cause an error
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(prompt, kill.signal=hup) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok41.sd b/parser/tst/simple_tests/profile/flags/flags_ok41.sd
new file mode 100644
index 000000000..8f1115468
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok41.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure signal.kill works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, kill.signal=kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok42.sd b/parser/tst/simple_tests/profile/flags/flags_ok42.sd
new file mode 100644
index 000000000..3631b500e
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok42.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=int, unconfined) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok43.sd b/parser/tst/simple_tests/profile/flags/flags_ok43.sd
new file mode 100644
index 000000000..daf788f4b
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok43.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=quit, kill) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok44.sd b/parser/tst/simple_tests/profile/flags/flags_ok44.sd
new file mode 100644
index 000000000..4dae342a8
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok44.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=hup, complain) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok45.sd b/parser/tst/simple_tests/profile/flags/flags_ok45.sd
new file mode 100644
index 000000000..507d612db
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok45.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=ill, enforce) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok46.sd b/parser/tst/simple_tests/profile/flags/flags_ok46.sd
new file mode 100644
index 000000000..d3bf3f40b
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok46.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill, kill.signal=trap) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok47.sd b/parser/tst/simple_tests/profile/flags/flags_ok47.sd
new file mode 100644
index 000000000..55fc7341f
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok47.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different modes and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(complain, kill.signal=bus) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok48.sd b/parser/tst/simple_tests/profile/flags/flags_ok48.sd
new file mode 100644
index 000000000..f54c492eb
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok48.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(enforce, kill.signal=usr1) {
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok49.sd b/parser/tst/simple_tests/profile/flags/flags_ok49.sd
new file mode 100644
index 000000000..dec0314b3
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok49.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION Ensure kill.signals works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=stop audit) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/parser/tst/simple_tests/profile/flags/flags_ok50.sd b/parser/tst/simple_tests/profile/flags/flags_ok50.sd
new file mode 100644
index 000000000..aa5629823
--- /dev/null
+++ b/parser/tst/simple_tests/profile/flags/flags_ok50.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION Ensure kill.signal works with different flags and signals
+#=EXRESULT PASS
+# vim:syntax=subdomain
+# Last Modified: Sun Apr 17 19:44:44 2005
+#
+/does/not/exist flags=(kill.signal=emt) {
+ #include
+
+ /usr/X11R6/lib/lib*so* r,
+ /does/not/exist r,
+}
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index 3df48bb24..33eec798c 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -164,6 +164,12 @@ exception_not_raised = (
 'profile/flags/flags_bad54.sd',
 'profile/flags/flags_bad55.sd',
 'profile/flags/flags_bad56.sd',
+ 'profile/flags/flags_bad64.sd',
+ 'profile/flags/flags_bad65.sd',
+ 'profile/flags/flags_bad66.sd',
+ 'profile/flags/flags_bad67.sd',
+ 'profile/flags/flags_bad68.sd',
+ 'profile/flags/flags_bad69.sd',
 'profile/flags/flags_bad_disconnected_path1.sd',
 'profile/flags/flags_bad_disconnected_path2.sd',
 'profile/flags/flags_bad_disconnected_path3.sd',