From e3fca60d1121d3a081c36831b90c5830bff8b777 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Sat, 11 May 2024 23:33:42 -0700 Subject: [PATCH] parser: add the ability to specify a priority prefix to rules This enables adding a priority to rules in policy, finishing out the priority work done to plumb priority support through the internals in the previous patch. Rules have a default priority of 0. The priority prefix can be added before the other currently supported rule prefixes, ie. [priority prefix][audit qualifier][rule mode][owner] If present, a numerical priority can be assigned to the rule, where the greater the number the higher the priority. Eg. priority=1 audit file r /etc/passwd, priority=-1 deny file w /etc/**, Rule priority allows the rule with the highest priority to completely override lower priority rules where they overlap. Within a given priority level rules will accumulate in standard apparmor fashion. Eg. given priority=1 w /*c, priority=0 r /a*, priority=-1 k /*b*, /abc, /bc, /ac .. will have permissions of w /ab, /abb, /aaa, .. will have permissions of r /b, /bcb, /bab, .. will have permissions of k User specified rule priorities are currently capped at the arbitrary values of 1000, and -1000. Notes: * not all rule types support the priority prefix. Rules like - network - capability - rlimits need to be reworked to properly preserve the policy rule structure. * this patch does not support priority on rule blocks * this patch does not support using a variable in the priority value. 
Signed-off-by: John Johansen --- parser/af_unix.cc | 2 +- parser/af_unix.h | 3 + parser/all_rule.h | 4 + parser/apparmor.d.pod | 15 +- parser/network.h | 5 + parser/parser.h | 6 + parser/parser_lex.l | 20 +- parser/parser_misc.c | 2 +- parser/parser_yacc.y | 32 +- parser/rule.h | 26 +- parser/tst/equality.sh | 683 +++++++++++------- .../file/priority/front_perms_ok_1.sd | 24 + .../file/priority/front_perms_ok_2.sd | 24 + parser/tst/simple_tests/file/priority/ok_1.sd | 7 + parser/tst/simple_tests/file/priority/ok_2.sd | 7 + parser/tst/simple_tests/file/priority/ok_3.sd | 9 + parser/tst/simple_tests/file/priority/ok_4.sd | 7 + parser/tst/simple_tests/file/priority/ok_5.sd | 7 + .../file/priority/ok_alternations_1.sd | 7 + .../file/priority/ok_alternations_2.sd | 7 + .../file/priority/ok_alternations_3.sd | 8 + .../simple_tests/file/priority/ok_append_1.sd | 13 + .../file/priority/ok_audit_deny_link.sd | 9 + .../simple_tests/file/priority/ok_bare_1.sd | 8 + .../simple_tests/file/priority/ok_carat_1.sd | 7 + .../simple_tests/file/priority/ok_carat_2.sd | 7 + .../simple_tests/file/priority/ok_comma_1.sd | 7 + .../simple_tests/file/priority/ok_comma_2.sd | 7 + .../simple_tests/file/priority/ok_deny_1.sd | 9 + .../simple_tests/file/priority/ok_deny_2.sd | 9 + .../simple_tests/file/priority/ok_deny_3.sd | 10 + .../simple_tests/file/priority/ok_deny_4.sd | 10 + .../file/priority/ok_deny_link.sd | 9 + .../file/priority/ok_embedded_spaces_1.sd | 6 + .../file/priority/ok_embedded_spaces_2.sd | 6 + .../file/priority/ok_embedded_spaces_3.sd | 6 + .../file/priority/ok_embedded_spaces_4.sd | 6 + .../file/priority/ok_inv_char_class.sd | 7 + .../simple_tests/file/priority/ok_link_1.sd | 10 + .../simple_tests/file/priority/ok_link_2.sd | 10 + .../simple_tests/file/priority/ok_link_3.sd | 10 + .../ok_link_audit_deny_owner_subset.sd | 10 + .../file/priority/ok_link_owner.sd | 10 + .../simple_tests/file/priority/ok_lock_1.sd | 17 + .../simple_tests/file/priority/ok_mmap_1.sd | 12 + 
.../simple_tests/file/priority/ok_mmap_2.sd | 14 + .../simple_tests/file/priority/ok_octal_1.sd | 8 + .../simple_tests/file/priority/ok_octal_2.sd | 8 + .../simple_tests/file/priority/ok_other_1.sd | 7 + .../simple_tests/file/priority/ok_other_2.sd | 7 + .../simple_tests/file/priority/ok_other_3.sd | 7 + .../simple_tests/file/priority/ok_quoted_1.sd | 9 + .../simple_tests/file/priority/ok_quoted_2.sd | 9 + .../simple_tests/file/priority/ok_quoted_3.sd | 9 + .../simple_tests/file/priority/ok_quoted_4.sd | 9 + .../simple_tests/file/priority/ok_quoted_5.sd | 9 + .../file/priority/ok_slashquote_1.sd | 8 + .../file/priority/stacking_ok_1.sd | 7 + .../file/priority/var1_ok_audit_deny_link.sd | 10 + .../file/priority/var1_ok_deny_link.sd | 10 + .../file/priority/var1_ok_link_1.sd | 11 + .../file/priority/var1_ok_link_2.sd | 11 + .../file/priority/var1_ok_link_3.sd | 11 + .../priority/var1_src_ok_audit_deny_link.sd | 10 + .../file/priority/var1_src_ok_deny_link.sd | 10 + .../file/priority/var1_src_ok_link_1.sd | 11 + .../file/priority/var1_src_ok_link_2.sd | 11 + .../file/priority/var1_src_ok_link_3.sd | 11 + .../var1_target_ok_audit_deny_link.sd | 10 + .../file/priority/var1_target_ok_deny_link.sd | 10 + .../file/priority/var1_target_ok_link_1.sd | 11 + .../file/priority/var1_target_ok_link_2.sd | 11 + .../file/priority/var1_target_ok_link_3.sd | 11 + .../file/priority/var2_ok_audit_deny_link.sd | 10 + .../file/priority/var2_ok_deny_link.sd | 10 + .../file/priority/var2_ok_link_1.sd | 11 + .../file/priority/var2_ok_link_2.sd | 11 + .../file/priority/var2_ok_link_3.sd | 11 + .../priority/var2_src_ok_audit_deny_link.sd | 10 + .../file/priority/var2_src_ok_deny_link.sd | 10 + .../file/priority/var2_src_ok_link_1.sd | 11 + .../file/priority/var2_src_ok_link_2.sd | 11 + .../file/priority/var2_src_ok_link_3.sd | 11 + .../var2_target_ok_audit_deny_link.sd | 10 + .../file/priority/var2_target_ok_deny_link.sd | 10 + .../file/priority/var2_target_ok_link_1.sd | 11 + 
.../file/priority/var2_target_ok_link_2.sd | 11 + .../file/priority/var2_target_ok_link_3.sd | 11 + utils/test/test-parser-simple-tests.py | 3 + 89 files changed, 1267 insertions(+), 285 deletions(-) create mode 100644 parser/tst/simple_tests/file/priority/front_perms_ok_1.sd create mode 100644 parser/tst/simple_tests/file/priority/front_perms_ok_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_3.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_4.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_5.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_alternations_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_alternations_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_alternations_3.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_append_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_audit_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_bare_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_carat_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_carat_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_comma_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_comma_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_deny_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_deny_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_deny_3.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_deny_4.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_embedded_spaces_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_embedded_spaces_2.sd create mode 100644 
parser/tst/simple_tests/file/priority/ok_embedded_spaces_3.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_embedded_spaces_4.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_inv_char_class.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_link_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_link_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_link_3.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_link_audit_deny_owner_subset.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_link_owner.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_lock_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_mmap_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_mmap_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_octal_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_octal_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_other_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_other_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_other_3.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_quoted_1.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_quoted_2.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_quoted_3.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_quoted_4.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_quoted_5.sd create mode 100644 parser/tst/simple_tests/file/priority/ok_slashquote_1.sd create mode 100644 parser/tst/simple_tests/file/priority/stacking_ok_1.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_ok_audit_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_ok_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_ok_link_1.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_ok_link_2.sd create mode 
100644 parser/tst/simple_tests/file/priority/var1_ok_link_3.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_src_ok_audit_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_src_ok_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_src_ok_link_1.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_src_ok_link_2.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_src_ok_link_3.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_target_ok_audit_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_target_ok_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_target_ok_link_1.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_target_ok_link_2.sd create mode 100644 parser/tst/simple_tests/file/priority/var1_target_ok_link_3.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_ok_audit_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_ok_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_ok_link_1.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_ok_link_2.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_ok_link_3.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_src_ok_audit_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_src_ok_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_src_ok_link_1.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_src_ok_link_2.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_src_ok_link_3.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_target_ok_audit_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_target_ok_deny_link.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_target_ok_link_1.sd create mode 100644 
parser/tst/simple_tests/file/priority/var2_target_ok_link_2.sd create mode 100644 parser/tst/simple_tests/file/priority/var2_target_ok_link_3.sd diff --git a/parser/af_unix.cc b/parser/af_unix.cc index 29724cd18..f9b977a49 100644 --- a/parser/af_unix.cc +++ b/parser/af_unix.cc @@ -203,7 +203,7 @@ void unix_rule::downgrade_rule(Profile &prof) { prof.net.audit[AF_UNIX] |= mask; const char *error; network_rule *netv8 = new network_rule(perms, AF_UNIX, sock_type_n); - if(!netv8->add_prefix({audit, rule_mode, owner}, error)) + if(!netv8->add_prefix({0, audit, rule_mode, owner}, error)) yyerror(error); prof.rule_ents.push_back(netv8); } else { diff --git a/parser/af_unix.h b/parser/af_unix.h index 3441263e9..70685380c 100644 --- a/parser/af_unix.h +++ b/parser/af_unix.h @@ -48,6 +48,9 @@ public: }; virtual bool valid_prefix(const prefixes &p, const char *&error) { + // priority is partially supported for unix rules + // rules that get downgraded to just network socket + // won't support them but the fine grained do. if (p.owner) { error = "owner prefix not allowed on unix rules"; return false; diff --git a/parser/all_rule.h b/parser/all_rule.h index d72020ab4..eb936d520 100644 --- a/parser/all_rule.h +++ b/parser/all_rule.h @@ -32,6 +32,10 @@ public: all_rule(void): prefix_rule_t(RULE_TYPE_ALL) { } virtual bool valid_prefix(const prefixes &p, const char *&error) { + if (p.priority != 0) { + error = _("priority prefix not allowed on all rules"); + return false; + } if (p.owner) { error = _("owner prefix not allowed on all rules"); return false; diff --git a/parser/apparmor.d.pod b/parser/apparmor.d.pod index 4b03295f1..6624bb587 100644 --- a/parser/apparmor.d.pod +++ b/parser/apparmor.d.pod @@ -139,9 +139,11 @@ B = (must start with alphanumeric character. See aa_change_hat(2) for a B = I I +B = (+ | -)? [[:digit:]]+ + B = ( 'allow' | 'deny' ) -B = [ 'audit' ] [ I ] +B = [ 'priority' '=' ] [ 'audit' ] [ I ] B = [ I ] 'capability' [ I ] 
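Review bot: `unix_rule::downgrade_rule` now hands the downgraded network rule a literal `0` priority, so a `priority=N unix ...` rule that gets downgraded silently loses the priority the policy author wrote, and with it the override ordering over overlapping lower-priority rules (a high-priority deny becomes an ordinary one). The af_unix.h comment added in this commit acknowledges that downgraded rules do not carry priority, but nothing in the code makes that loss visible to the user. Passing the rule's own value through, `if(!netv8->add_prefix({priority, audit, rule_mode, owner}, error))`, would let `network_rule::valid_prefix` reject the non-zero case with its explicit error instead of dropping it; alternatively emit a warning on the existing WARN_RULE_DOWNGRADED path before substituting 0. This assumes `priority` is reachable from unix_rule the same way `audit`, `rule_mode` and `owner` are, i.e. through prefix_rule_t; downgrade_rule begins and ends outside the hunk.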
@@ -1878,6 +1880,17 @@ Rule qualifiers can modify the rule and/or permissions within the rule. =over 4 +=item B + +Specifies the priority of the rule. Currently the allowed range is +-1000 to 1000 with the default priority of rule is 0. Rules with +higher priority are given preferences and will completely override +permissions of lower priority rules where they overlap. When rules +partially overlap the permissions of the higher priority rule will +completely override lower priority rules within in overlap. Within a +given priority level rules that overlap will accumulate permissions in +the standard apparmor fashion. + =item B Specifies that permissions requests that match the rule are allowed. This diff --git a/parser/network.h b/parser/network.h index cb396c9f1..5298ce6a5 100644 --- a/parser/network.h +++ b/parser/network.h @@ -194,7 +194,12 @@ public: bool parse_address(ip_conds &entry); bool parse_port(ip_conds &entry); + // update TODO: in equality.sh when priority is a valid prefix virtual bool valid_prefix(const prefixes &p, const char *&error) { + if (p.priority != 0) { + error = _("priority prefix not allowed on network rules"); + return false; + } if (p.owner) { error = _("owner prefix not allowed on network rules"); return false; diff --git a/parser/parser.h b/parser/parser.h index ca7274f25..6f0425c81 100644 --- a/parser/parser.h +++ b/parser/parser.h @@ -53,6 +53,12 @@ using namespace std; */ extern int parser_token; +/* Arbitrary max and minimum priority that userspace can specify, internally + * we handle up to INT_MAX and INT_MIN. Do not ever allow INT_MAX, see + * note on mediates_priority + */ +#define MAX_PRIORITY 1000 +#define MIN_PRIORITY -1000 #define WARN_RULE_NOT_ENFORCED 0x1 #define WARN_RULE_DOWNGRADED 0x2 diff --git a/parser/parser_lex.l b/parser/parser_lex.l index 62303fa39..15f0bccd2 100644 --- a/parser/parser_lex.l +++ b/parser/parser_lex.l 
@@ -277,6 +277,7 @@ QUOTED_ID \"{ALLOWED_QUOTED_ID}*\" IP {NUMBER}\.{NUMBER}\.{NUMBER}\.{NUMBER} +INTEGER [+-]?{NUMBER} HAT hat{WS}* PROFILE profile{WS}* KEYWORD [[:alpha:]_]+ @@ -332,7 +333,7 @@ GT > %x USERNS_MODE %x MQUEUE_MODE %x IOURING_MODE - +%x INTEGER_MODE %% %{ @@ -344,7 +345,7 @@ GT > } %} -{ +{ {WS}+ { DUMP_PREPROCESS; /* Ignoring whitespace */ } } @@ -389,6 +390,11 @@ GT > yylval.id = processid(yytext, yyleng); PUSH_AND_RETURN(EXTCONDLIST_MODE, TOK_CONDLISTID); } + priority/{WS}*= { + /* has to be before {VARIABLE_NAME} matches below */ + PUSH_AND_RETURN(INTEGER_MODE, TOK_PRIORITY); + + } {VARIABLE_NAME}/{WS}*= { /* we match to the = in the lexer so that we can switch scanner * state. By the time the parser see the = it may be too late @@ -630,6 +636,15 @@ GT > } } +{ + {EQUALS} { RETURN_TOKEN(TOK_EQUALS); } + + {INTEGER} { + yylval.mode = strdup(yytext); + POP_AND_RETURN(TOK_VALUE); + } +} + #include{WS}+if{WS}+exists/{WS}.*\r?\n { /* Don't use PUSH() macro here as we don't want #include echoed out. * It needs to be handled specially @@ -814,4 +829,5 @@ unordered_map state_names = { STATE_TABLE_ENT(USERNS_MODE), STATE_TABLE_ENT(MQUEUE_MODE), STATE_TABLE_ENT(IOURING_MODE), + STATE_TABLE_ENT(INTEGER_MODE), }; diff --git a/parser/parser_misc.c b/parser/parser_misc.c index 9664c120b..bdbe4bb65 100644 --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -131,7 +131,7 @@ static struct keyword_table keyword_table[] = { {"override_creds", TOK_OVERRIDE_CREDS}, {"sqpoll", TOK_SQPOLL}, {"all", TOK_ALL}, - + {"priority", TOK_PRIORITY}, /* terminate */ {NULL, 0} }; diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y index c8fa67df5..532ddb55a 100644 --- a/parser/parser_yacc.y +++ b/parser/parser_yacc.y @@ -19,6 +19,7 @@ */ #define YYERROR_VERBOSE 1 +#include #include #include #include 
@@ -149,6 +150,7 @@ static void abi_features(char *filename, bool search); %token TOK_OVERRIDE_CREDS %token TOK_SQPOLL %token TOK_ALL +%token TOK_PRIORITY /* rlimits */ %token TOK_RLIMIT @@ -269,6 +271,7 @@ static void abi_features(char *filename, bool search); %type id_or_var %type opt_id_or_var %type opt_subset_flag +%type opt_priority %type opt_audit_flag %type opt_owner_flag %type opt_profile_flag @@ -627,6 +630,23 @@ opt_subset_flag: { /* nothing */ $$ = false; } | TOK_SUBSET { $$ = true; } | TOK_LE { $$ = true; } + +opt_priority: { $$ = 0; } + | TOK_PRIORITY TOK_EQUALS TOK_VALUE + { + char *end; + long tmp = strtol($3, &end, 10); + if (end == $3 || *end != '\0') + yyerror("invalid priority %s", $3); + free($3); + /* see note on mediates_priority */ + if (tmp > MAX_PRIORITY) + yyerror("invalid priority %l > %d", tmp, MAX_PRIORITY); + if (tmp < MIN_PRIORITY) + yyerror("invalid priority %l > %d", tmp, MIN_PRIORITY); + $$ = tmp; + } + opt_audit_flag: { /* nothing */ $$ = AUDIT_UNSPECIFIED; } | TOK_AUDIT { $$ = AUDIT_FORCE; }; @@ -639,11 +659,12 @@ opt_rule_mode: { /* nothing */ $$ = RULE_UNSPECIFIED; } | TOK_DENY { $$ = RULE_DENY; } | TOK_PROMPT { $$ = RULE_PROMPT; } -opt_prefix: opt_audit_flag opt_rule_mode opt_owner_flag +opt_prefix: opt_priority opt_audit_flag opt_rule_mode opt_owner_flag { - $$.audit = $1; - $$.rule_mode = $2; - $$.owner = $3; + $$.priority = $1; + $$.audit = $2; + $$.rule_mode = $3; + $$.owner = $4; } rules: { /* nothing */ @@ -680,6 +701,9 @@ rules: rules opt_prefix block { struct cod_entry *entry, *tmp; + if (($2).priority != 0) { + yyerror(_("priority is not allowed on rule blocks")); + } PDEBUG("matched: %s%s%sblock\n", $2.audit == AUDIT_FORCE ? "audit " : "", $2.rule_mode == RULE_DENY ? "deny " : "", diff --git a/parser/rule.h b/parser/rule.h index ec4664755..e48089d3b 100644 --- a/parser/rule.h +++ b/parser/rule.h 
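Review bot: The two range-check messages in `opt_priority` use `%l` as a conversion, which is a length modifier with no conversion character and therefore undefined behaviour for the variadic yyerror; `tmp` is a `long`, so `%ld` is required. The MIN_PRIORITY message also prints `>` where the comparison performed is `<`. The two lines would read `yyerror("invalid priority %ld > %d", tmp, MAX_PRIORITY);` and `yyerror("invalid priority %ld < %d", tmp, MIN_PRIORITY);`. A `strtol` overflow saturates to LONG_MAX/LONG_MIN, which these range checks already reject since both lie outside ±1000, so no separate ERANGE check is needed; it is worth a one-line comment saying so.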
@@ -82,11 +82,10 @@ class rule_t { public: int rule_type; rule_flags_t flags; - int priority; rule_t *removed_by; - rule_t(int t): rule_type(t), flags(RULE_FLAG_NONE), priority(0), removed_by(NULL) { } + rule_t(int t): rule_type(t), flags(RULE_FLAG_NONE), removed_by(NULL) { } virtual ~rule_t() { }; bool is_type(int type) { return rule_type == type; } @@ -114,9 +113,6 @@ public: virtual int expand_variables(void) = 0; virtual int cmp(rule_t const &rhs) const { - int tmp = priority - rhs.priority; - if (tmp != 0) - return tmp; return rule_type - rhs.rule_type; } virtual bool operator<(rule_t const &rhs) const { @@ -177,6 +173,7 @@ typedef enum { OWNER_UNSPECIFIED, OWNER_SPECIFIED, OWNER_NOT } owner_t; */ class prefixes { public: + int priority; audit_t audit; rule_mode_t rule_mode; owner_t owner; @@ -246,7 +243,10 @@ public: } int cmp(prefixes const &rhs) const { - int tmp = (int) audit - (int) rhs.audit; + int tmp = priority - rhs.priority; + if (tmp != 0) + return tmp; + tmp = (int) audit - (int) rhs.audit; if (tmp != 0) return tmp; tmp = (int) rule_mode - (int) rhs.rule_mode; @@ -271,6 +271,7 @@ public: prefix_rule_t(int t = RULE_TYPE_PREFIX) : rule_t(t) { /* Must construct prefix here see note on prefixes */ + priority = 0; audit = AUDIT_UNSPECIFIED; rule_mode = RULE_UNSPECIFIED; owner = OWNER_UNSPECIFIED; @@ -281,6 +282,19 @@ public: virtual bool add_prefix(const prefixes &p, const char *&error) { if (!valid_prefix(p, error)) return false; + + // priority does NOT conflict but allowed at the block + // level yet. priority at the block level applies to + // the entire block, but only for the level of rules + // it is at. + // priority within the block arranges order of rules + // within the block. + if (priority != 0) { + error = "priority levels not supported"; + return false; + } + priority = p.priority; + /* audit conflicts */ if (p.audit != AUDIT_UNSPECIFIED) { if (audit != AUDIT_UNSPECIFIED && 
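Review bot: The new comment in `prefix_rule_t::add_prefix` reads `priority does NOT conflict but allowed at the block level yet`, which drops a word and states the opposite of what the following check enforces; suggest `// priority does NOT conflict, but is not allowed at the block level yet.` The error text `"priority levels not supported"` is also the only new message in this commit not wrapped in `_()`, unlike the ones added to all_rule.h and network.h. As far as I can see, the `priority != 0` guard only fires if a rule already carries a non-zero priority when a prefix is added; with the grammar rejecting priority on blocks and the constructor zeroing it, that branch looks currently unreachable, which the comment should say so a later block-priority change revisits it. The enclosing class continues outside the hunk.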
diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh index 082b68f7c..8c68a2854 100755 --- a/parser/tst/equality.sh +++ b/parser/tst/equality.sh 
@@ -122,169 +122,175 @@ verify_binary_inequality() verify_binary "inequality" "$@" } -printf "Equality Tests:\n" -verify_binary_equality "dbus send" \ - "/t { dbus send, }" \ - "/t { dbus write, }" \ - "/t { dbus w, }" +########################################################################## +### wrapper fn, should be indented but isn't to reduce wrap +verify_set() +{ + local p1="$1" + local p2="$2" + echo -e "\n equality $e of '$p1' vs '$p2'\n" -verify_binary_equality "dbus receive" \ - "/t { dbus receive, }" \ - "/t { dbus read, }" \ - "/t { dbus r, }" +verify_binary_equality "'$p1'x'$p2' dbus send" \ + "/t { $p1 dbus send, }" \ + "/t { $p2 dbus write, }" \ + "/t { $p2 dbus w, }" -verify_binary_equality "dbus send + receive" \ - "/t { dbus (send, receive), }" \ - "/t { dbus (read, write), }" \ - "/t { dbus (r, w), }" \ - "/t { dbus (rw), }" \ - "/t { dbus rw, }" \ +verify_binary_equality "'$p1'x'$p2' dbus receive" \ + "/t { $p1 dbus receive, }" \ + "/t { $p2 dbus read, }" \ + "/t { $p2 dbus r, }" -verify_binary_equality "dbus all accesses" \ - "/t { dbus (send, receive, bind, eavesdrop), }" \ - "/t { dbus (read, write, bind, eavesdrop), }" \ - "/t { dbus (r, w, bind, eavesdrop), }" \ - "/t { dbus (rw, bind, eavesdrop), }" \ - "/t { dbus (), }" \ - "/t { dbus, }" \ +verify_binary_equality "'$p1'x'$p2' dbus send + receive" \ + "/t { $p1 dbus (send, receive), }" \ + "/t { $p2 dbus (read, write), }" \ + "/t { $p2 dbus (r, w), }" \ + "/t { $p2 dbus (rw), }" \ + "/t { $p2 dbus rw, }" \ -verify_binary_equality "dbus implied accesses with a bus conditional" \ - "/t { dbus (send, receive, bind, eavesdrop) bus=session, }" \ - "/t { dbus (read, write, bind, eavesdrop) bus=session, }" \ - "/t { dbus (r, w, bind, eavesdrop) bus=session, }" \ - "/t { dbus (rw, bind, eavesdrop) bus=session, }" \ - "/t { dbus () bus=session, }" \ - "/t { dbus bus=session, }" \ +verify_binary_equality "'$p1'x'$p2' dbus all accesses" \ + "/t { $p1 dbus (send, receive, bind, eavesdrop), }" \ + 
"/t { $p2 dbus (read, write, bind, eavesdrop), }" \ + "/t { $p2 dbus (r, w, bind, eavesdrop), }" \ + "/t { $p2 dbus (rw, bind, eavesdrop), }" \ + "/t { $p2 dbus (), }" \ + "/t { $p2 dbus, }" \ -verify_binary_equality "dbus implied accesses for services" \ - "/t { dbus bind name=com.foo, }" \ - "/t { dbus name=com.foo, }" +verify_binary_equality "'$p1'x'$p2' dbus implied accesses with a bus conditional" \ + "/t { $p1 dbus (send, receive, bind, eavesdrop) bus=session, }" \ + "/t { $p2 dbus (read, write, bind, eavesdrop) bus=session, }" \ + "/t { $p2 dbus (r, w, bind, eavesdrop) bus=session, }" \ + "/t { $p2 dbus (rw, bind, eavesdrop) bus=session, }" \ + "/t { $p2 dbus () bus=session, }" \ + "/t { $p2 dbus bus=session, }" \ -verify_binary_equality "dbus implied accesses for messages" \ - "/t { dbus (send, receive) path=/com/foo interface=org.foo, }" \ - "/t { dbus path=/com/foo interface=org.foo, }" +verify_binary_equality "'$p1'x'$p2' dbus implied accesses for services" \ + "/t { $p1 dbus bind name=com.foo, }" \ + "/t { $p2 dbus name=com.foo, }" -verify_binary_equality "dbus implied accesses for messages with peer names" \ - "/t { dbus (send, receive) path=/com/foo interface=org.foo peer=(name=com.foo), }" \ - "/t { dbus path=/com/foo interface=org.foo peer=(name=com.foo), }" \ - "/t { dbus (send, receive) path=/com/foo interface=org.foo peer=(name=(com.foo)), }" \ - "/t { dbus path=/com/foo interface=org.foo peer=(name=(com.foo)), }" +verify_binary_equality "'$p1'x'$p2' dbus implied accesses for messages" \ + "/t { $p1 dbus (send, receive) path=/com/foo interface=org.foo, }" \ + "/t { $p2 dbus path=/com/foo interface=org.foo, }" -verify_binary_equality "dbus implied accesses for messages with peer labels" \ - "/t { dbus (send, receive) path=/com/foo interface=org.foo peer=(label=/usr/bin/app), }" \ - "/t { dbus path=/com/foo interface=org.foo peer=(label=/usr/bin/app), }" +verify_binary_equality "'$p1'x'$p2' dbus implied accesses for messages with peer names" \ + 
"/t { $p1 dbus (send, receive) path=/com/foo interface=org.foo peer=(name=com.foo), }" \ + "/t { $p2 dbus path=/com/foo interface=org.foo peer=(name=com.foo), }" \ + "/t { $p2 dbus (send, receive) path=/com/foo interface=org.foo peer=(name=(com.foo)), }" \ + "/t { $p2 dbus path=/com/foo interface=org.foo peer=(name=(com.foo)), }" -verify_binary_equality "dbus element parsing" \ - "/t { dbus bus=b path=/ interface=i member=m peer=(name=n label=l), }" \ - "/t { dbus bus=\"b\" path=\"/\" interface=\"i\" member=\"m\" peer=(name=\"n\" label=\"l\"), }" \ - "/t { dbus bus=(b) path=(/) interface=(i) member=(m) peer=(name=(n) label=(l)), }" \ - "/t { dbus bus=(\"b\") path=(\"/\") interface=(\"i\") member=(\"m\") peer=(name=(\"n\") label=(\"l\")), }" \ - "/t { dbus bus =b path =/ interface =i member =m peer =(name =n label =l), }" \ - "/t { dbus bus= b path= / interface= i member= m peer= (name= n label= l), }" \ - "/t { dbus bus = b path = / interface = i member = m peer = ( name = n label = l ), }" +verify_binary_equality "'$p1'x'$p2' dbus implied accesses for messages with peer labels" \ + "/t { $p1 dbus (send, receive) path=/com/foo interface=org.foo peer=(label=/usr/bin/app), }" \ + "/t { $p2 dbus path=/com/foo interface=org.foo peer=(label=/usr/bin/app), }" -verify_binary_equality "dbus access parsing" \ - "/t { dbus, }" \ - "/t { dbus (), }" \ - "/t { dbus (send, receive, bind, eavesdrop), }" \ - "/t { dbus (send receive bind eavesdrop), }" \ - "/t { dbus (send, receive bind, eavesdrop), }" \ - "/t { dbus (send,receive,bind,eavesdrop), }" \ - "/t { dbus (send,receive,,,,,,,,,,,,,,,,bind,eavesdrop), }" \ - "/t { dbus (send,send,send,send send receive,bind eavesdrop), }" \ +verify_binary_equality "'$p1'x'$p2' dbus element parsing" \ + "/t { $p1 dbus bus=b path=/ interface=i member=m peer=(name=n label=l), }" \ + "/t { $p2 dbus bus=\"b\" path=\"/\" interface=\"i\" member=\"m\" peer=(name=\"n\" label=\"l\"), }" \ + "/t { $p2 dbus bus=(b) path=(/) interface=(i) member=(m) 
peer=(name=(n) label=(l)), }" \ + "/t { $p2 dbus bus=(\"b\") path=(\"/\") interface=(\"i\") member=(\"m\") peer=(name=(\"n\") label=(\"l\")), }" \ + "/t { $p2 dbus bus =b path =/ interface =i member =m peer =(name =n label =l), }" \ + "/t { $p2 dbus bus= b path= / interface= i member= m peer= (name= n label= l), }" \ + "/t { $p2 dbus bus = b path = / interface = i member = m peer = ( name = n label = l ), }" -verify_binary_equality "dbus variable expansion" \ - "/t { dbus (send, receive) path=/com/foo member=spork interface=org.foo peer=(name=com.foo label=/com/foo), }" \ +verify_binary_equality "'$p1'x'$p2' dbus access parsing" \ + "/t { $p1 dbus, }" \ + "/t { $p2 dbus (), }" \ + "/t { $p2 dbus (send, receive, bind, eavesdrop), }" \ + "/t { $p2 dbus (send receive bind eavesdrop), }" \ + "/t { $p2 dbus (send, receive bind, eavesdrop), }" \ + "/t { $p2 dbus (send,receive,bind,eavesdrop), }" \ + "/t { $p2 dbus (send,receive,,,,,,,,,,,,,,,,bind,eavesdrop), }" \ + "/t { $p2 dbus (send,send,send,send send receive,bind eavesdrop), }" \ + +verify_binary_equality "'$p1'x'$p2' dbus variable expansion" \ + "/t { $p1 dbus (send, receive) path=/com/foo member=spork interface=org.foo peer=(name=com.foo label=/com/foo), }" \ "@{FOO}=foo - /t { dbus (send, receive) path=/com/@{FOO} member=spork interface=org.@{FOO} peer=(name=com.@{FOO} label=/com/@{FOO}), }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO} member=spork interface=org.@{FOO} peer=(name=com.@{FOO} label=/com/@{FOO}), }" \ "@{FOO}=foo @{SPORK}=spork - /t { dbus (send, receive) path=/com/@{FOO} member=@{SPORK} interface=org.@{FOO} peer=(name=com.@{FOO} label=/com/@{FOO}), }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO} member=@{SPORK} interface=org.@{FOO} peer=(name=com.@{FOO} label=/com/@{FOO}), }" \ "@{FOO}=/com/foo - /t { dbus (send, receive) path=@{FOO} member=spork interface=org.foo peer=(name=com.foo label=@{FOO}), }" \ + /t { $p2 dbus (send, receive) path=@{FOO} member=spork interface=org.foo 
peer=(name=com.foo label=@{FOO}), }" \ "@{FOO}=com - /t { dbus (send, receive) path=/@{FOO}/foo member=spork interface=org.foo peer=(name=@{FOO}.foo label=/@{FOO}/foo), }" + /t { $p2 dbus (send, receive) path=/@{FOO}/foo member=spork interface=org.foo peer=(name=@{FOO}.foo label=/@{FOO}/foo), }" -verify_binary_equality "dbus variable expansion, multiple values/rules" \ - "/t { dbus (send, receive) path=/com/foo, dbus (send, receive) path=/com/bar, }" \ - "/t { dbus (send, receive) path=/com/{foo,bar}, }" \ - "/t { dbus (send, receive) path={/com/foo,/com/bar}, }" \ +verify_binary_equality "'$p1'x'$p2' dbus variable expansion, multiple values/rules" \ + "/t { $p1 dbus (send, receive) path=/com/foo, $p1 dbus (send, receive) path=/com/bar, }" \ + "/t { $p2 dbus (send, receive) path=/com/{foo,bar}, }" \ + "/t { $p2 dbus (send, receive) path={/com/foo,/com/bar}, }" \ "@{FOO}=foo - /t { dbus (send, receive) path=/com/@{FOO}, dbus (send, receive) path=/com/bar, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, $p2 dbus (send, receive) path=/com/bar, }" \ "@{FOO}=foo bar - /t { dbus (send, receive) path=/com/@{FOO}, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \ "@{FOO}=bar foo - /t { dbus (send, receive) path=/com/@{FOO}, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \ "@{FOO}={bar,foo} - /t { dbus (send, receive) path=/com/@{FOO}, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \ "@{FOO}=foo @{BAR}=bar - /t { dbus (send, receive) path=/com/{@{FOO},@{BAR}}, }" \ + /t { $p2 dbus (send, receive) path=/com/{@{FOO},@{BAR}}, }" \ -verify_binary_equality "dbus variable expansion, ensure rule de-duping occurs" \ - "/t { dbus (send, receive) path=/com/foo, dbus (send, receive) path=/com/bar, }" \ - "/t { dbus (send, receive) path=/com/foo, dbus (send, receive) path=/com/bar, dbus (send, receive) path=/com/bar, }" \ +verify_binary_equality "'$p1'x'$p2' dbus variable expansion, ensure rule de-duping occurs" \ + "/t { $p1 dbus (send, receive) 
path=/com/foo, $p1 dbus (send, receive) path=/com/bar, }" \ + "/t { $p2 dbus (send, receive) path=/com/foo, $p2 dbus (send, receive) path=/com/bar, dbus (send, receive) path=/com/bar, }" \ "@{FOO}=bar foo bar foo - /t { dbus (send, receive) path=/com/@{FOO}, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \ "@{FOO}=bar foo bar foo - /t { dbus (send, receive) path=/com/@{FOO}, dbus (send, receive) path=/com/@{FOO}, }" + /t { $p2 dbus (send, receive) path=/com/@{FOO}, $p2 dbus (send, receive) path=/com/@{FOO}, }" -verify_binary_equality "dbus minimization with all perms" \ - "/t { dbus, }" \ - "/t { dbus bus=session, dbus, }" \ - "/t { dbus (send, receive, bind, eavesdrop), dbus, }" +verify_binary_equality "'$p1'x'$p2' dbus minimization with all perms" \ + "/t { $p1 dbus, }" \ + "/t { $p2 dbus bus=session, $p2 dbus, }" \ + "/t { $p2 dbus (send, receive, bind, eavesdrop), $p2 dbus, }" -verify_binary_equality "dbus minimization with bind" \ - "/t { dbus bind, }" \ - "/t { dbus bind bus=session, dbus bind, }" \ - "/t { dbus bind bus=system name=com.foo, dbus bind, }" +verify_binary_equality "'$p1'x'$p2' dbus minimization with bind" \ + "/t { $p1 dbus bind, }" \ + "/t { $p2 dbus bind bus=session, $p2 dbus bind, }" \ + "/t { $p2 dbus bind bus=system name=com.foo, $p2 dbus bind, }" -verify_binary_equality "dbus minimization with send and a bus conditional" \ - "/t { dbus send bus=system, }" \ - "/t { dbus send bus=system path=/com/foo interface=com.foo member=bar, dbus send bus=system, }" \ - "/t { dbus send bus=system peer=(label=/usr/bin/foo), dbus send bus=system, }" +verify_binary_equality "'$p1'x'$p2' dbus minimization with send and a bus conditional" \ + "/t { $p1 dbus send bus=system, }" \ + "/t { $p2 dbus send bus=system path=/com/foo interface=com.foo member=bar, dbus send bus=system, }" \ + "/t { $p2 dbus send bus=system peer=(label=/usr/bin/foo), $p2 dbus send bus=system, }" -verify_binary_equality "dbus minimization with an audit modifier" \ - "/t { 
audit dbus eavesdrop, }" \ - "/t { audit dbus eavesdrop bus=session, audit dbus eavesdrop, }" +verify_binary_equality "'$p1'x'$p2' dbus minimization with an audit modifier" \ + "/t { $p1 audit dbus eavesdrop, }" \ + "/t { $p2 audit dbus eavesdrop bus=session, $p2 audit dbus eavesdrop, }" -verify_binary_equality "dbus minimization with a deny modifier" \ - "/t { deny dbus send bus=system peer=(name=com.foo), }" \ - "/t { deny dbus send bus=system peer=(name=com.foo label=/usr/bin/foo), deny dbus send bus=system peer=(name=com.foo), }" \ +verify_binary_equality "'$p1'x'$p2' dbus minimization with a deny modifier" \ + "/t { $p1 deny dbus send bus=system peer=(name=com.foo), }" \ + "/t { $p2 deny dbus send bus=system peer=(name=com.foo label=/usr/bin/foo), $p2 deny dbus send bus=system peer=(name=com.foo), }" \ -verify_binary_equality "dbus minimization found in dbus abstractions" \ - "/t { dbus send bus=session, }" \ - "/t { dbus send +verify_binary_equality "'$p1'x'$p2' dbus minimization found in dbus abstractions" \ + "/t { $p1 dbus send bus=session, }" \ + "/t { $p2 dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus), - dbus send bus=session, }" + $p2 dbus send bus=session, }" # verify slash filtering for dbus paths. 
-verify_binary_equality "dbus slash filtering for paths" \ - "/t { dbus (send, receive) path=/com/foo, dbus (send, receive) path=/com/bar, }" \ - "/t { dbus (send, receive) path=/com///foo, dbus (send, receive) path=///com/bar, }" \ - "/t { dbus (send, receive) path=/com//{foo,bar}, }" \ - "/t { dbus (send, receive) path={//com/foo,/com//bar}, }" \ +verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \ + "/t { $p1 dbus (send, receive) path=/com/foo, $p1 dbus (send, receive) path=/com/bar, }" \ + "/t { $p2 dbus (send, receive) path=/com///foo, $p2 dbus (send, receive) path=///com/bar, }" \ + "/t { $p2 dbus (send, receive) path=/com//{foo,bar}, }" \ + "/t { $p2 dbus (send, receive) path={//com/foo,/com//bar}, }" \ "@{FOO}=/foo - /t { dbus (send, receive) path=/com/@{FOO}, dbus (send, receive) path=/com/bar, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, $p2 dbus (send, receive) path=/com/bar, }" \ "@{FOO}=/foo /bar - /t { dbus (send, receive) path=/com/@{FOO}, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \ "@{FOO}=/bar //foo - /t { dbus (send, receive) path=/com/@{FOO}, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \ "@{FOO}=//{bar,foo} - /t { dbus (send, receive) path=/com/@{FOO}, }" \ + /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \ "@{FOO}=/foo @{BAR}=bar - /t { dbus (send, receive) path=/com/@{FOO}, dbus (send, receive) path=/com//@{BAR}, }" + /t { $p2 dbus (send, receive) path=/com/@{FOO}, $p2 dbus (send, receive) path=/com//@{BAR}, }" # Rules compatible with audit, deny, and audit deny # note: change_profile does not support audit/allow/deny atm for rule in "capability" "capability mac_admin" \ - "network" "network tcp" "network inet6 tcp"\ "mount" "mount /a" "mount /a -> /b" "mount options in (ro) /a -> b" \ "remount" "remount /a" \ "umount" "umount /a" \ 
@@ -302,6 +308,35 @@ for rule in "capability" "capability mac_admin" \
 "link /a -> /b" "link subset /a -> /b" \
 "l /a -> /b" "l subset /a -> /b" \
 "file l /a -> /b" "l subset /a -> /b"
+do
+ verify_binary_equality "'$p1'x'$p2' allow modifier for \"${rule}\"" \
+ "/t { $p1 ${rule}, }" \
+ "/t { $p2 allow ${rule}, }"
+
+ verify_binary_equality "'$p1'x'$p2' audit allow modifier for \"${rule}\"" \
+ "/t { $p1 audit ${rule}, }" \
+ "/t { $p2 audit allow ${rule}, }"
+
+ verify_binary_inequality "'$p1'x'$p2' audit, deny, and audit deny modifiers for \"${rule}\"" \
+ "/t { $p1 ${rule}, }" \
+ "/t { $p2 audit ${rule}, }" \
+ "/t { $p2 audit allow ${rule}, }" \
+ "/t { $p2 deny ${rule}, }" \
+ "/t { $p2 audit deny ${rule}, }"
+
+ verify_binary_inequality "'$p1'x'$p2' audit vs deny and audit deny modifiers for \"${rule}\"" \
+ "/t { $p1 audit ${rule}, }" \
+ "/t { $p2 deny ${rule}, }" \
+ "/t { $p2 audit deny ${rule}, }"
+
+ verify_binary_inequality "'$p1'x'$p2' deny and audit deny modifiers for \"${rule}\"" \
+ "/t { $p1 deny ${rule}, }" \
+ "/t { $p2 audit deny ${rule}, }"
+done
+
+####### special case for network TODO: for network above when network
+####### rules fixed
+for rule in "network" "network tcp" "network inet6 tcp"
 do
 verify_binary_equality "allow modifier for \"${rule}\"" \
 "/t { ${rule}, }" \
@@ -357,36 +392,36 @@ for rule in "/f ux" "/f Ux" "/f px" "/f Px" "/f cx" "/f Cx" "/f ix" \ "file /* cux -> b" "file /* Cux -> b" "file /* cix -> b" "file /* Cix -> b" do - verify_binary_equality "allow modifier for \"${rule}\"" \ - "/t { ${rule}, }" \ - "/t { allow ${rule}, }" + verify_binary_equality "'$p1'x'$p2' allow modifier for \"${rule}\"" \ + "/t { $p1 ${rule}, }" \ + "/t { $p2 allow ${rule}, }" - verify_binary_equality "audit allow modifier for \"${rule}\"" \ - "/t { audit ${rule}, }" \ - "/t { audit allow ${rule}, }" + verify_binary_equality "'$p1'x'$p2' audit allow modifier for \"${rule}\"" \ + "/t { $p1 audit ${rule}, }" \ + "/t { $p2 audit allow ${rule}, }" # skip rules that don't end with x perm if [ -n "${rule##*x}" ] ; then continue ; fi - verify_binary_inequality "deny, audit deny modifier for \"${rule}\"" \ - "/t { ${rule}, }" \ - "/t { audit ${rule}, }" \ - "/t { audit allow ${rule}, }" \ - "/t { deny ${rule% *} x, }" \ - "/t { audit deny ${rule% *} x, }" + verify_binary_inequality "'$p1'x'$p2' deny, audit deny modifier for \"${rule}\"" \ + "/t { $p1 ${rule}, }" \ + "/t { $p2 audit ${rule}, }" \ + "/t { $p2 audit allow ${rule}, }" \ + "/t { $p2 deny ${rule% *} x, }" \ + "/t { $p2 audit deny ${rule% *} x, }" - verify_binary_inequality "audit vs deny and audit deny modifiers for \"${rule}\"" \ - "/t { audit ${rule}, }" \ - "/t { deny ${rule% *} x, }" \ - "/t { audit deny ${rule% *} x, }" + verify_binary_inequality "'$p1'x'$p2' audit vs deny and audit deny modifiers for \"${rule}\"" \ + "/t { $p1 audit ${rule}, }" \ + "/t { $p2 deny ${rule% *} x, }" \ + "/t { $p2 audit deny ${rule% *} x, }" done # verify deny and audit deny differ for x perms for prefix in "/f" "/*" "file /f" "file /*" ; do - verify_binary_inequality "deny and audit deny x modifiers for \"${prefix}\"" \ - "/t { deny ${prefix} x, }" \ - "/t { audit deny ${prefix} x, }" + verify_binary_inequality "'$p1'x'$p2' deny and audit deny x modifiers for \"${prefix}\"" \ + "/t { $p1 deny 
${prefix} x, }" \ + "/t { $p2 audit deny ${prefix} x, }" done #Test equality of leading and trailing file permissions @@ -403,26 +438,26 @@ for audit in "" "audit" ; do "lkm" "rwlk" "rwlm" "rwkm" \ "ralk" "ralm" "wlkm" "alkm" \ "rwlkm" "ralkm" ; do - verify_binary_equality "leading and trailing perms for \"${perm}\"" \ - "/t { ${prefix} /f ${perm}, }" \ - "/t { ${prefix} ${perm} /f, }" + verify_binary_equality "'$p1'x'$p2' leading and trailing perms for \"${perm}\"" \ + "/t { $p1 ${prefix} /f ${perm}, }" \ + "/t { $p2 ${prefix} ${perm} /f, }" done if [ "$allow" == "deny" ] ; then continue ; fi for perm in "ux" "Ux" "px" "Px" "cx" "Cx" \ "ix" "pux" "Pux" "pix" "Pix" \ "cux" "Cux" "cix" "Cix" do - verify_binary_equality "leading and trailing perms for \"${perm}\"" \ - "/t { ${prefix} /f ${perm}, }" \ - "/t { ${prefix} ${perm} /f, }" + verify_binary_equality "'$p1'x'$p2' leading and trailing perms for \"${perm}\"" \ + "/t { $p1 ${prefix} /f ${perm}, }" \ + "/t { $p2 ${prefix} ${perm} /f, }" done for perm in "px" "Px" "cx" "Cx" \ "pux" "Pux" "pix" "Pix" \ "cux" "Cux" "cix" "Cix" do - verify_binary_equality "leading and trailing perms for x-transition \"${perm}\"" \ - "/t { ${prefix} /f ${perm} -> b, }" \ - "/t { ${prefix} ${perm} /f -> b, }" + verify_binary_equality "'$p1'x'$p2' leading and trailing perms for x-transition \"${perm}\"" \ + "/t { $p1 ${prefix} /f ${perm} -> b, }" \ + "/t { $p2 ${prefix} ${perm} /f -> b, }" done done done 
@@ -443,128 +478,103 @@ do "cix -> b" "Cix -> b" do if [ "$perm1" == "$perm2" ] ; then - verify_binary_equality "Exec perm \"${perm1}\" - most specific match: same as glob" \ - "/t { /* ${perm1}, /f ${perm2}, }" \ - "/t { /* ${perm1}, }" + verify_binary_equality "'$p1'x'$p2' Exec perm \"${perm1}\" - most specific match: same as glob" \ + "/t { $p1 /* ${perm1}, /f ${perm2}, }" \ + "/t { $p2 /* ${perm1}, }" else - verify_binary_inequality "Exec \"${perm1}\" vs \"${perm2}\" - most specific match: different from glob" \ - "/t { /* ${perm1}, /f ${perm2}, }" \ - "/t { /* ${perm1}, }" + verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs \"${perm2}\" - most specific match: different from glob" \ + "/t { $p1 /* ${perm1}, /f ${perm2}, }" \ + "/t { $p2 /* ${perm1}, }" fi done - verify_binary_inequality "Exec \"${perm1}\" vs deny x - most specific match: different from glob" \ - "/t { /* ${perm1}, audit deny /f x, }" \ - "/t { /* ${perm1}, }" + verify_binary_inequality "'$p1'x'$p2' Exec \"${perm1}\" vs deny x - most specific match: different from glob" \ + "/t { $p1 /* ${perm1}, audit deny /f x, }" \ + "/t { $p2 /* ${perm1}, }" done #Test deny carves out permission -verify_binary_inequality "Deny removes r perm" \ - "/t { /foo/[abc] r, audit deny /foo/b r, }" \ - "/t { /foo/[abc] r, }" +verify_binary_inequality "'$p1'x'$p2' Deny removes r perm" \ + "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \ + "/t { $p2 /foo/[abc] r, }" -verify_binary_equality "Deny removes r perm" \ - "/t { /foo/[abc] r, audit deny /foo/b r, }" \ - "/t { /foo/[ac] r, }" +verify_binary_equality "'$p1'x'$p2' Deny removes r perm" \ + "/t { $p1 /foo/[abc] r, audit deny /foo/b r, }" \ + "/t { $p2 /foo/[ac] r, }" #this one may not be true in the future depending on if the compiled profile #is explicitly including deny permissions for dynamic composition -verify_binary_equality "Deny of ungranted perm" \ - "/t { /foo/[abc] r, audit deny /foo/b w, }" \ - "/t { /foo/[abc] r, }" +verify_binary_equality 
"'$p1'x'$p2' Deny of ungranted perm" \ + "/t { $p1 /foo/[abc] r, audit deny /foo/b w, }" \ + "/t { $p2 /foo/[abc] r, }" -verify_binary_equality "change_profile == change_profile -> **" \ - "/t { change_profile, }" \ - "/t { change_profile -> **, }" +verify_binary_equality "'$p1'x'$p2' change_profile == change_profile -> **" \ + "/t { $p1 change_profile, }" \ + "/t { $p2 change_profile -> **, }" -verify_binary_equality "change_profile /** == change_profile /** -> **" \ - "/t { change_profile /**, }" \ - "/t { change_profile /** -> **, }" +verify_binary_equality "'$p1'x'$p2' change_profile /** == change_profile /** -> **" \ + "/t { $p1 change_profile /**, }" \ + "/t { $p2 change_profile /** -> **, }" -verify_binary_equality "change_profile /** == change_profile /** -> **" \ - "/t { change_profile unsafe /**, }" \ - "/t { change_profile unsafe /** -> **, }" +verify_binary_equality "'$p1'x'$p2' change_profile /** == change_profile /** -> **" \ + "/t { $p1 change_profile unsafe /**, }" \ + "/t { $p2 change_profile unsafe /** -> **, }" -verify_binary_equality "change_profile /** == change_profile /** -> **" \ - "/t { change_profile /**, }" \ - "/t { change_profile safe /** -> **, }" +verify_binary_equality "'$p1'x'$p2' change_profile /** == change_profile /** -> **" \ + "/t { $p1 change_profile /**, }" \ + "/t { $p2 change_profile safe /** -> **, }" -verify_binary_inequality "change_profile /** == change_profile /** -> **" \ - "/t { change_profile /**, }" \ - "/t { change_profile unsafe /**, }" +verify_binary_inequality "'$p1'x'$p2' change_profile /** == change_profile /** -> **" \ + "/t { $p1 change_profile /**, }" \ + "/t { $p2 change_profile unsafe /**, }" -verify_binary_equality "profile name is hname in rule" \ - ":ns:/hname { signal peer=/hname, }" \ - ":ns:/hname { signal peer=@{profile_name}, }" +verify_binary_equality "'$p1'x'$p2' profile name is hname in rule" \ + ":ns:/hname { $p1 signal peer=/hname, }" \ + ":ns:/hname { $p2 signal peer=@{profile_name}, }" 
-verify_binary_inequality "profile name is NOT fq name in rule" \ - ":ns:/hname { signal peer=:ns:/hname, }" \ - ":ns:/hname { signal peer=@{profile_name}, }" +verify_binary_inequality "'$p1'x'$p2' profile name is NOT fq name in rule" \ + ":ns:/hname { $p1 signal peer=:ns:/hname, }" \ + ":ns:/hname { $p2 signal peer=@{profile_name}, }" -verify_binary_equality "profile name is hname in sub pofile rule" \ - ":ns:/hname { profile child { signal peer=/hname//child, } }" \ - ":ns:/hname { profile child { signal peer=@{profile_name}, } }" +verify_binary_equality "'$p1'x'$p2' profile name is hname in sub pofile rule" \ + ":ns:/hname { profile child { $p1 signal peer=/hname//child, } }" \ + ":ns:/hname { profile child { $p2 signal peer=@{profile_name}, } }" -verify_binary_inequality "profile name is NOT fq name in sub profile rule" \ - ":ns:/hname { profile child { signal peer=:ns:/hname//child, } }" \ - ":ns:/hname { profile child { signal peer=@{profile_name}, } }" +verify_binary_inequality "'$p1'x'$p2' profile name is NOT fq name in sub profile rule" \ + ":ns:/hname { profile child { $p1 signal peer=:ns:/hname//child, } }" \ + ":ns:/hname { profile child { $p2 signal peer=@{profile_name}, } }" -verify_binary_equality "profile name is hname in hat rule" \ - ":ns:/hname { ^child { signal peer=/hname//child, } }" \ - ":ns:/hname { ^child { signal peer=@{profile_name}, } }" +verify_binary_equality "'$p1'x'$p2' profile name is hname in hat rule" \ + ":ns:/hname { ^child { $p1 signal peer=/hname//child, } }" \ + ":ns:/hname { ^child { $p2 signal peer=@{profile_name}, } }" -verify_binary_inequality "profile name is NOT fq name in hat rule" \ - ":ns:/hname { ^child { signal peer=:ns:/hname//child, } }" \ - ":ns:/hname { ^child { signal peer=@{profile_name}, } }" +verify_binary_inequality "'$p1'x'$p2' profile name is NOT fq name in hat rule" \ + ":ns:/hname { ^child { $p1 signal peer=:ns:/hname//child, } }" \ + ":ns:/hname { ^child { $p2 signal peer=@{profile_name}, } }" 
-verify_binary_equality "@{profile_name} is literal in peer" \ - "/{a,b} { signal peer=/\{a,b\}, }" \ - "/{a,b} { signal peer=@{profile_name}, }" +verify_binary_equality "'$p1'x'$p2' @{profile_name} is literal in peer" \ + "/{a,b} { $p1 signal peer=/\{a,b\}, }" \ + "/{a,b} { $p2 signal peer=@{profile_name}, }" -verify_binary_equality "@{profile_name} is literal in peer with pattern" \ - "/{a,b} { signal peer={/\{a,b\},c}, }" \ - "/{a,b} { signal peer={@{profile_name},c}, }" +verify_binary_equality "'$p1'x'$p2' @{profile_name} is literal in peer with pattern" \ + "/{a,b} { $p1 signal peer={/\{a,b\},c}, }" \ + "/{a,b} { $p2 signal peer={@{profile_name},c}, }" -verify_binary_inequality "@{profile_name} is not pattern in peer" \ - "/{a,b} { signal peer=/{a,b}, }" \ - "/{a,b} { signal peer=@{profile_name}, }" +verify_binary_inequality "'$p1'x'$p2' @{profile_name} is not pattern in peer" \ + "/{a,b} { $p1 signal peer=/{a,b}, }" \ + "/{a,b} { $p2 signal peer=@{profile_name}, }" -verify_binary_equality "@{profile_name} is literal in peer with esc sequence" \ - "/\\\\a { signal peer=/\\\\a, }" \ - "/\\\\a { signal peer=@{profile_name}, }" +verify_binary_equality "'$p1'x'$p2' @{profile_name} is literal in peer with esc sequence" \ + "/\\\\a { $p1 signal peer=/\\\\a, }" \ + "/\\\\a { $p2 signal peer=@{profile_name}, }" -verify_binary_equality "@{profile_name} is literal in peer with esc alt sequence" \ - "/\\{a,b\\},c { signal peer=/\\{a,b\\},c, }" \ - "/\\{a,b\\},c { signal peer=@{profile_name}, }" +verify_binary_equality "'$p1'x'$p2' @{profile_name} is literal in peer with esc alt sequence" \ + "/\\{a,b\\},c { $p1 signal peer=/\\{a,b\\},c, }" \ + "/\\{a,b\\},c { $p2 signal peer=@{profile_name}, }" -# verify rlimit data conversions -verify_binary_equality "set rlimit rttime <= 12 weeks" \ - "/t { set rlimit rttime <= 12 weeks, }" \ - "/t { set rlimit rttime <= $((12 * 7)) days, }" \ - "/t { set rlimit rttime <= $((12 * 7 * 24)) hours, }" \ - "/t { set rlimit rttime <= $((12 
* 7 * 24 * 60)) minutes, }" \ - "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60)) seconds, }" \ - "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60 * 1000)) ms, }" \ - "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60 * 1000 * 1000)) us, }" \ - "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60 * 1000 * 1000)), }" - -verify_binary_equality "set rlimit cpu <= 42 weeks" \ - "/t { set rlimit cpu <= 42 weeks, }" \ - "/t { set rlimit cpu <= $((42 * 7)) days, }" \ - "/t { set rlimit cpu <= $((42 * 7 * 24)) hours, }" \ - "/t { set rlimit cpu <= $((42 * 7 * 24 * 60)) minutes, }" \ - "/t { set rlimit cpu <= $((42 * 7 * 24 * 60 * 60)) seconds, }" \ - "/t { set rlimit cpu <= $((42 * 7 * 24 * 60 * 60)), }" - -verify_binary_equality "set rlimit memlock <= 2GB" \ - "/t { set rlimit memlock <= 2GB, }" \ - "/t { set rlimit memlock <= $((2 * 1024)) MB, }" \ - "/t { set rlimit memlock <= $((2 * 1024 * 1024)) KB, }" \ - "/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }" - # Unfortunately we can not just compare an empty profile and hat to a # ie. "/t { ^test { /f r, }}" # to the second profile with the equivalent rule inserted manually 
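Review bot: The two-rule profile strings in this hunk prefix only the first rule — `"/t { $p1 /* ${perm1}, /f ${perm2}, }"` and `"/t { $p1 /foo/[abc] r, audit deny /foo/b r, }"` — so once the caller iterates `priority=1` and `priority=-1` the two rules sit at different priority levels, and if a higher-priority rule overrides a lower one where they overlap, the `/f ${perm2}` rule and the `audit deny` carve-out drop out for `$p1`=`priority=1`, which would be expected to flip the `Deny removes r perm` checks and the most-specific-match inequalities. The loop comment added at the bottom of the `@@ -671` hunk concedes that mixed priorities "could affected expected results", but nothing skips or adjusts these cases. Putting the same prefix on both rules (`"/t { $p1 /foo/[abc] r, $p1 audit deny /foo/b r, }"`) keeps each test about deny/specificity semantics rather than priority; a `[ "$p1" = "$p2" ]` guard would be the alternative. The `change_hat rules automatically inserted` check in the `@@ -577` hunk has the same exposure, since the rule the parser inserts itself carries no prefix. The enclosing `for perm1` loop at the top of this hunk starts outside it.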
@@ -577,62 +587,62 @@ verify_binary_equality "set rlimit memlock <= 2GB" \ # the "write" permission in the second profile and the test will fail. # If the parser is adding the change_hat proc attr rules then the # rules should merge and be equivalent. -verify_binary_equality "change_hat rules automatically inserted"\ - "/t { owner /proc/[0-9]*/attr/{apparmor/,}current a, ^test { owner /proc/[0-9]*/attr/{apparmor/,}current a, /f r, }}" \ - "/t { owner /proc/[0-9]*/attr/{apparmor/,}current w, ^test { owner /proc/[0-9]*/attr/{apparmor/,}current w, /f r, }}" +verify_binary_equality "'$p1'x'$p2' change_hat rules automatically inserted"\ + "/t { $p1 owner /proc/[0-9]*/attr/{apparmor/,}current a, ^test { $p2 owner /proc/[0-9]*/attr/{apparmor/,}current a, /f r, }}" \ + "/t { $p2 owner /proc/[0-9]*/attr/{apparmor/,}current w, ^test { $p2 owner /proc/[0-9]*/attr/{apparmor/,}current w, /f r, }}" # verify slash filtering for unix socket address paths. # see https://bugs.launchpad.net/apparmor/+bug/1856738 -verify_binary_equality "unix rules addr conditional" \ - "/t { unix bind addr=@/a/bar, }" \ - "/t { unix bind addr=@/a//bar, }" \ - "/t { unix bind addr=@//a/bar, }" \ - "/t { unix bind addr=@/a///bar, }" \ +verify_binary_equality "'$p1'x'$p2' unix rules addr conditional" \ + "/t { $p1 unix bind addr=@/a/bar, }" \ + "/t { $p2 unix bind addr=@/a//bar, }" \ + "/t { $p2 unix bind addr=@//a/bar, }" \ + "/t { $p2 unix bind addr=@/a///bar, }" \ "@{HOME}=/a/ - /t { unix bind addr=@@{HOME}/bar, }" \ + /t { $p2 unix bind addr=@@{HOME}/bar, }" \ "@{HOME}=/a/ - /t { unix bind addr=@//@{HOME}bar, }" \ + /t { $p2 unix bind addr=@//@{HOME}bar, }" \ "@{HOME}=/a/ - /t { unix bind addr=@/@{HOME}/bar, }" + /t { $p2 unix bind addr=@/@{HOME}/bar, }" -verify_binary_equality "unix rules peer addr conditional" \ - "/t { unix peer=(addr=@/a/bar), }" \ - "/t { unix peer=(addr=@/a//bar), }" \ - "/t { unix peer=(addr=@//a/bar), }" \ - "/t { unix peer=(addr=@/a///bar), }" \ +verify_binary_equality 
"'$p1'x'$p2' unix rules peer addr conditional" \ + "/t { $p1 unix peer=(addr=@/a/bar), }" \ + "/t { $p2 unix peer=(addr=@/a//bar), }" \ + "/t { $p2 unix peer=(addr=@//a/bar), }" \ + "/t { $p2 unix peer=(addr=@/a///bar), }" \ "@{HOME}=/a/ - /t { unix peer=(addr=@@{HOME}/bar), }" \ + /t { $p2 unix peer=(addr=@@{HOME}/bar), }" \ "@{HOME}=/a/ - /t { unix peer=(addr=@//@{HOME}bar), }" \ + /t { $p2 unix peer=(addr=@//@{HOME}bar), }" \ "@{HOME}=/a/ - /t { unix peer=(addr=@/@{HOME}/bar), }" + /t { $p2 unix peer=(addr=@/@{HOME}/bar), }" # verify slash filtering for mount rules -verify_binary_equality "mount rules slash filtering" \ - "/t { mount /dev/foo -> /mnt/bar, }" \ - "/t { mount ///dev/foo -> /mnt/bar, }" \ - "/t { mount /dev/foo -> /mnt//bar, }" \ - "/t { mount /dev///foo -> ////mnt/bar, }" \ +verify_binary_equality "'$p1'x'$p2' mount rules slash filtering" \ + "/t { $p1 mount /dev/foo -> /mnt/bar, }" \ + "/t { $p2 mount ///dev/foo -> /mnt/bar, }" \ + "/t { $p2 mount /dev/foo -> /mnt//bar, }" \ + "/t { $p2 mount /dev///foo -> ////mnt/bar, }" \ "@{MNT}=/mnt/ - /t { mount /dev///foo -> @{MNT}/bar, }" \ + /t { $p2 mount /dev///foo -> @{MNT}/bar, }" \ "@{FOO}=/foo - /t { mount /dev//@{FOO} -> /mnt/bar, }" + /t { $p2 mount /dev//@{FOO} -> /mnt/bar, }" # verify slash filtering for link rules -verify_binary_equality "link rules slash filtering" \ - "/t { link /dev/foo -> /mnt/bar, }" \ - "/t { link ///dev/foo -> /mnt/bar, }" \ - "/t { link /dev/foo -> /mnt//bar, }" \ - "/t { link /dev///foo -> ////mnt/bar, }" \ +verify_binary_equality "'$p1'x'$p2' link rules slash filtering" \ + "/t { $p1 link /dev/foo -> /mnt/bar, }" \ + "/t { $p2 link ///dev/foo -> /mnt/bar, }" \ + "/t { $p2 link /dev/foo -> /mnt//bar, }" \ + "/t { $p2 link /dev///foo -> ////mnt/bar, }" \ "@{BAR}=/mnt/ - /t { link /dev///foo -> @{BAR}/bar, }" \ + /t { $p2 link /dev///foo -> @{BAR}/bar, }" \ "@{FOO}=/dev/ - /t { link @{FOO}//foo -> /mnt/bar, }" \ + /t { $p2 link @{FOO}//foo -> /mnt/bar, }" \ "@{FOO}=/dev/ 
@{BAR}=/mnt/ - /t { link @{FOO}/foo -> @{BAR}/bar, }" + /t { $p2 link @{FOO}/foo -> @{BAR}/bar, }" -verify_binary_equality "attachment slash filtering" \ +verify_binary_equality "'$p1'x'$p2' attachment slash filtering" \ "/t /bin/foo { }" \ "/t /bin//foo { }" \ "@{BAR}=/bin/ @@ -660,9 +670,9 @@ verify_binary_equality "value like comment at end of set var" \ # dfas dumped will be different, even if the binary is the same # Note: this test in the future will require -O filter-deny and # -O minimize and -O remove-unreachable. -verify_binary_equality "mount specific deny doesn't affect non-overlapping" \ - "/t { mount options=bind /e/ -> /**, }" \ - "/t { audit deny mount /s/** -> /**, +verify_binary_equality "'$p1'x'$p2' mount specific deny doesn't affect non-overlapping" \ + "/t { $p1 mount options=bind /e/ -> /**, }" \ + "/t { $p2 audit deny mount /s/** -> /**, mount options=bind /e/ -> /**, }" if [ $fails -ne 0 ] || [ $errors -ne 0 ] 
@@ -671,6 +681,139 @@ then
 exit $((fails + errors))
 fi
+
+## priority override equivalence tests
+## compare single rule, to multi-rule profile where one rule overrides
+## the other rule via priority.
+
+
+verify_binary_equality "'$p1'x'$p2' dbus variable expansion, multiple values/rules" \
+ "/t { dbus (send, receive) path=/com/foo, }" \
+ "/t { $p1 dbus (send, receive) path=/com/foo, $p2 dbus (send, receive) path=/com/foo, }" \
+ "@{FOO}=foo
+ /t { $p1 dbus (send, receive) path=/com/@{FOO}, $p2 dbus (send, receive) path=/com/foo, }" \
+
+verify_binary_equality "'$p1'x'$p2' dbus variable expansion, ensure rule de-duping occurs" \
+ "/t { $p1 dbus (send, receive) path=/com/foo, dbus (send, receive) path=/com/bar, }" \
+ "/t { $p2 dbus (send, receive) path=/com/foo, dbus (send, receive) path=/com/bar, dbus (send, receive) path=/com/bar, }" \
+ "@{FOO}=bar foo bar foo
+ /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \
+ "@{FOO}=bar foo bar foo
+ /t { $p2 dbus (send, receive) path=/com/@{FOO}, dbus (send, receive) path=/com/@{FOO}, }"
+
+verify_binary_equality "'$p1'x'$p2' dbus minimization with all perms" \
+ "/t { $p1 dbus, }" \
+ "/t { $p2 dbus bus=session, $p2 dbus, }" \
+ "/t { $p2 dbus (send, receive, bind, eavesdrop), $p2 dbus, }"
+
+verify_binary_equality "'$p1'x'$p2' dbus minimization with bind" \
+ "/t { $p1 dbus bind, }" \
+ "/t { $p2 dbus bind bus=session, $p2 dbus bind, }" \
+ "/t { $p2 dbus bind bus=system name=com.foo, $p2 dbus bind, }"
+
+verify_binary_equality "'$p1'x'$p2' dbus minimization with send and a bus conditional" \
+ "/t { $p1 dbus send bus=system, }" \
+ "/t { $p2 dbus send bus=system path=/com/foo interface=com.foo member=bar, dbus send bus=system, }" \
+ "/t { $p2 dbus send bus=system peer=(label=/usr/bin/foo), $p2 dbus send bus=system, }"
+
+verify_binary_equality "'$p1'x'$p2' dbus minimization with an audit modifier" \
+ "/t { $p1 audit dbus eavesdrop, }" \
+ "/t { $p2 audit dbus eavesdrop bus=session, $p2 audit dbus eavesdrop, }"
+
+verify_binary_equality "'$p1'x'$p2' dbus minimization with a deny modifier" \
+ "/t { $p1 deny dbus send bus=system peer=(name=com.foo), }" \
+ "/t { $p2 deny dbus send bus=system peer=(name=com.foo label=/usr/bin/foo), $p2 deny dbus send bus=system peer=(name=com.foo), }" \
+
+verify_binary_equality "'$p1'x'$p2' dbus minimization found in dbus abstractions" \
+ "/t { $p1 dbus send bus=session, }" \
+ "/t { $p2 dbus send
+ bus=session
+ path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
+ peer=(name=org.freedesktop.DBus),
+ $p2 dbus send bus=session, }"
+
+# verify slash filtering for dbus paths.
+verify_binary_equality "'$p1'x'$p2' dbus slash filtering for paths" \
+ "/t { $p1 dbus (send, receive) path=/com/foo, dbus (send, receive) path=/com/bar, }" \
+ "/t { $p2 dbus (send, receive) path=/com///foo, dbus (send, receive) path=///com/bar, }" \
+ "/t { $p2 dbus (send, receive) path=/com//{foo,bar}, }" \
+ "/t { $p2 dbus (send, receive) path={//com/foo,/com//bar}, }" \
+ "@{FOO}=/foo
+ /t { $p2 dbus (send, receive) path=/com/@{FOO}, $p2 dbus (send, receive) path=/com/bar, }" \
+ "@{FOO}=/foo /bar
+ /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \
+ "@{FOO}=/bar //foo
+ /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \
+ "@{FOO}=//{bar,foo}
+ /t { $p2 dbus (send, receive) path=/com/@{FOO}, }" \
+ "@{FOO}=/foo
+ @{BAR}=bar
+ /t { $p2 dbus (send, receive) path=/com/@{FOO}, $p2 dbus (send, receive) path=/com//@{BAR}, }"
+
+
+
+#### end of wrapper fn
+}
+
+
+printf "Equality Tests:\n"
+
+#rules that don't support priority
+
+# verify rlimit data conversions
+verify_binary_equality "set rlimit rttime <= 12 weeks" \
+ "/t { set rlimit rttime <= 12 weeks, }" \
+ "/t { set rlimit rttime <= $((12 * 7)) days, }" \
+ "/t { set rlimit rttime <= $((12 * 7 * 24)) hours, }" \
+ "/t { set rlimit rttime <= $((12 * 7 * 24 * 60)) minutes, }" \
+ "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60)) seconds, }" \
+ "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60 * 1000)) ms, }" \
+ "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60 * 1000 * 1000)) us, }" \
+ "/t { set rlimit rttime <= $((12 * 7 * 24 * 60 * 60 * 1000 * 1000)), }"
+
+verify_binary_equality "set rlimit cpu <= 42 weeks" \
+ "/t { set rlimit cpu <= 42 weeks, }" \
+ "/t { set rlimit cpu <= $((42 * 7)) days, }" \
+ "/t { set rlimit cpu <= $((42 * 7 * 24)) hours, }" \
+ "/t { set rlimit cpu <= $((42 * 7 * 24 * 60)) minutes, }" \
+ "/t { set rlimit cpu <= $((42 * 7 * 24 * 60 * 60)) seconds, }" \
+ "/t { set rlimit cpu <= $((42 * 7 * 24 * 60 * 60)), }"
+
+verify_binary_equality "set rlimit memlock <= 2GB" \
+ "/t { set rlimit memlock <= 2GB, }" \
+ "/t { set rlimit memlock <= $((2 * 1024)) MB, }" \
+ "/t { set rlimit memlock <= $((2 * 1024 * 1024)) KB, }" \
+ "/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }"
+
+
+# verify combinations of different priority levels
+# for single rule comparisons, rules should keep same expected result
+# even when the priorities are different.
+# different priorities within a profile comparison resulting in
+# different permission could affected expected results
+
+
+priorities="none 0 1 -1"
+
+for pri1 in $priorities ; do
+ if [ "$pri1" = "none" ] ; then
+ priority1=""
+ else
+ priority1="priority=$pri1"
+ fi
+ for pri2 in $priorities ; do
+ if [ "$pri2" = "none" ] ; then
+ priority2=""
+ else
+ priority2="priority=$pri2"
+ fi
+
+ verify_set "$priority1" "$priority2"
+ done
+done
+
 [ -z "${verbose}" ] && printf "\n"
 printf "PASS\n"
 exit 0
diff --git a/parser/tst/simple_tests/file/priority/front_perms_ok_1.sd b/parser/tst/simple_tests/file/priority/front_perms_ok_1.sd
new file mode 100644
index 000000000..2375fd1dc
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/front_perms_ok_1.sd
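Review bot: The `if [ $fails -ne 0 ] || [ $errors -ne 0 ] ... exit $((fails + errors))` block shown as leading context now sits inside the wrapper function that `#### end of wrapper fn` / `}` closes, so the first `verify_set` pair that records a failure terminates the whole script and the remaining priority combinations from the `for pri1`/`for pri2` loop never run; moving that check to just before `[ -z "${verbose}" ] && printf "\n"` restores the run-everything-then-report behaviour. Separately, under `## priority override equivalence tests` only the first `verify_binary_equality` actually places `$p1` and `$p2` on overlapping rules; the eight that follow it (`dbus variable expansion, ensure rule de-duping occurs` through `dbus slash filtering for paths`) reuse names and, apart from where the prefix is placed, bodies of tests already present earlier in the wrapper, so they add runtime without override coverage and their duplicate names make a failure impossible to attribute. The first override test also ends its last argument with a trailing `\` followed by an empty line, which only terminates the command because the continuation lands on nothing. The wrapper function's opening line is outside this hunk.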
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION perms before pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+
+ priority=-1 file r /foo1,
+ priority=-1 file w /foo1,
+ priority=-1 file a /foo1,
+ priority=-1 file k /foo1,
+ priority=-1 file m /foo1,
+ priority=-1 file l /foo1,
+ priority=-1 file px /foo1,
+ priority=-1 file Px /foo2,
+ priority=-1 file ux /foo3,
+ priority=-1 file Ux /foo4,
+ priority=-1 file ix /foo5,
+ priority=-1 file unsafe px /foo6,
+ priority=-1 file unsafe Px /foo7,
+ priority=-1 file unsafe ux /foo8,
+ priority=-1 file unsafe Ux /foo9,
+ priority=-1 file unsafe ix /foo10,
+
+}
diff --git a/parser/tst/simple_tests/file/priority/front_perms_ok_2.sd b/parser/tst/simple_tests/file/priority/front_perms_ok_2.sd
new file mode 100644
index 000000000..f1ee0837a
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/front_perms_ok_2.sd
@@ -0,0 +1,24 @@
+#
+#=DESCRIPTION perms before pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+
+ priority=-1 r /foo1,
+ priority=-1 w /foo1,
+ priority=-1 a /foo1,
+ priority=-1 k /foo1,
+ priority=-1 m /foo1,
+ priority=-1 l /foo1,
+ priority=-1 px /foo1,
+ priority=-1 Px /foo2,
+ priority=-1 ux /foo3,
+ priority=-1 Ux /foo4,
+ priority=-1 ix /foo5,
+ priority=-1 unsafe px /foo6,
+ priority=-1 unsafe Px /foo7,
+ priority=-1 unsafe ux /foo8,
+ priority=-1 unsafe Ux /foo9,
+ priority=-1 unsafe ix /foo10,
+
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_1.sd b/parser/tst/simple_tests/file/priority/ok_1.sd
new file mode 100644
index 000000000..a20946456
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic file rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /usr/bin/foo r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_2.sd b/parser/tst/simple_tests/file/priority/ok_2.sd
new file mode 100644
index 000000000..563202e5e
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_2.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic uppercase permission file rule (should emit warning)
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /usr/bin/foo RWM,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_3.sd b/parser/tst/simple_tests/file/priority/ok_3.sd
new file mode 100644
index 000000000..377c24834
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION A simple successful profile
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ /usr/bin/foo r,
+ priority=-1 /usr/bin/blah rix,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_4.sd b/parser/tst/simple_tests/file/priority/ok_4.sd
new file mode 100644
index 000000000..0078ba94f
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_4.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic inherit uppercase exec permission (should emit warning)
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /usr/bin/foo iX,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_5.sd b/parser/tst/simple_tests/file/priority/ok_5.sd
new file mode 100644
index 000000000..1ca876d28
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_5.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic unconfined uppercase exec permission (should emit warning)
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=+5 /usr/bin/foo UX,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_alternations_1.sd b/parser/tst/simple_tests/file/priority/ok_alternations_1.sd
new file mode 100644
index 000000000..1fc60fde5
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_alternations_1.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic file rule w/alternations
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=0 /a/b/c/**{cache,data,download,/ext,fileadmin,files,images,joomla,moodledata/sessions}/** rw,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_alternations_2.sd b/parser/tst/simple_tests/file/priority/ok_alternations_2.sd
new file mode 100644
index 000000000..8e89eb113
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_alternations_2.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic file rule w/nested alternations
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /a/b/c/**{cache,data,download,/ext,file{admin,s},images,joomla,moodledata/sessions}/** rw,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_alternations_3.sd b/parser/tst/simple_tests/file/priority/ok_alternations_3.sd
new file mode 100644
index 000000000..42043afb2
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_alternations_3.sd
@@ -0,0 +1,8 @@ +# +#=Description basic file rule w/large number of alternations +#=EXRESULT PASS +# +/usr/bin/foo { + priority=-1 /{a/a,a/b,a/c,a/d,a/e,a/f,a/g,a/h,a/i,a/j,a/k,a/l,a/m,a/n,a/o,a/p,a/q,a/r,a/s,a/t,a/u,a/v,a/w,a/x,a/y,a/z,a/A,a/B,a/C,a/D,a/E,a/F,a/G,a/H,a/I,a/J,a/K,a/L,a/M,a/N,a/O,a/P,a/Q,a/R,a/S,a/T,a/U,a/V,a/W,a/X,a/Y,a/Z,b/a,b/b,b/c,b/d,b/e,b/f,b/g,b/h,b/i,b/j,b/k,b/l,b/m,b/n,b/o,b/p,b/q,b/r,b/s,b/t,b/u,b/v,b/w,b/x,b/y,b/z,b/A,b/B,b/C,b/D,b/E,b/F,b/G,b/H,b/I,b/J,b/K,b/L,b/M,b/N,b/O,b/P,b/Q,b/R,b/S,b/T,b/U,b/V,b/W,b/X,b/Y,b/Z,c/a,c/b,c/c,c/d,c/e,c/f,c/g,c/h,c/i,c/j,c/k,c/l,c/m,c/n,c/o,c/p,c/q,c/r,c/s,c/t,c/u,c/v,c/w,c/x,c/y,c/z,c/A,c/B,c/C,c/D,c/E,c/F,c/G,c/H,c/I,c/J,c/K,c/L,c/M,c/N,c/O,c/P,c/Q,c/R,c/S,c/T,c/U,c/V,c/W,c/X,c/Y,c/Z,d/a,d/b,d/c,d/d,d/e,d/f,d/g,d/h,d/i,d/j,d/k,d/l,d/m,d/n,d/o,d/p,d/q,d/r,d/s,d/t,d/u,d/v,d/w,d/x,d/y,d/z,d/A,d/B,d/C,d/D,d/E,d/F,d/G,d/H,d/I,d/J,d/K,d/L,d/M,d/N,d/O,d/P,d/Q,d/R,d/S,d/T,d/U,d/V,d/W,d/X,d/Y,d/Z,e/a,e/b,e/c,e/d,e/e,e/f,e/g,e/h,e/i,e/j,e/k,e/l,e/m,e/n,e/o,e/p,e/q,e/r,e/s,e/t,e/u,e/v,e/w,e/x,e/y,e/z,e/A,e/B,e/C,e/D,e/E,e/F,e/G,e/H,e/I,e/J,e/K,e/L,e/M,e/N,e/O,e/P,e/Q,e/R,e/S,e/T,e/U,e/V,e/W,e/X,e/Y,e/Z,f/a,f/b,f/c,f/d,f/e,f/f,f/g,f/h,f/i,f/j,f/k,f/l,f/m,f/n,f/o,f/p,f/q,f/r,f/s,f/t,f/u,f/v,f/w,f/x,f/y,f/z,f/A,f/B,f/C,f/D,f/E,f/F,f/G,f/H,f/I,f/J,f/K,f/L,f/M,f/N,f/O,f/P,f/Q,f/R,f/S,f/T,f/U,f/V,f/W,f/X,f/Y,f/Z,g/a,g/b,g/c,g/d,g/e,g/f,g/g,g/h,g/i,g/j,g/k,g/l,g/m,g/n,g/o,g/p,g/q,g/r,g/s,g/t,g/u,g/v,g/w,g/x,g/y,g/z,g/A,g/B,g/C,g/D,g/E,g/F,g/G,g/H,g/I,g/J,g/K,g/L,g/M,g/N,g/O,g/P,g/Q,g/R,g/S,g/T,g/U,g/V,g/W,g/X,g/Y,g/Z,h/a,h/b,h/c,h/d,h/e,h/f,h/g,h/h,h/i,h/j,h/k,h/l,h/m,h/n,h/o,h/p,h/q,h/r,h/s,h/t,h/u,h/v,h/w,h/x,h/y,h/z,h/A,h/B,h/C,h/D,h/E,h/F,h/G,h/H,h/I,h/J,h/K,h/L,h/M,h/N,h/O,h/P,h/Q,h/R,h/S,h/T,h/U,h/V,h/W,h/X,h/Y,h/Z,i/a,i/b,i/c,i/d,i/e,i/f,i/g,i/h,i/i,i/j,i/k,i/l,i/m,i/n,i/o,i/p,i/q,i/r,i/s,i/t,i/u,i/v,i/w,i/x,i/y,i/z,i/A,i/B,i/C,i/D,i/E,i/F,i/G,i/H,i/I,i/J,i/K,i/L,i/M,i/N,i/O,i/P,i/Q,i/R,i/S,i/T,i/U,i/V,i/W,i/X,i/Y
,i/Z,j/a,j/b,j/c,j/d,j/e,j/f,j/g,j/h,j/i,j/j,j/k,j/l,j/m,j/n,j/o,j/p,j/q,j/r,j/s,j/t,j/u,j/v,j/w,j/x,j/y,j/z,j/A,j/B,j/C,j/D,j/E,j/F,j/G,j/H,j/I,j/J,j/K,j/L,j/M,j/N,j/O,j/P,j/Q,j/R,j/S,j/T,j/U,j/V,j/W,j/X,j/Y,j/Z,k/a,k/b,k/c,k/d,k/e,k/f,k/g,k/h,k/i,k/j,k/k,k/l,k/m,k/n,k/o,k/p,k/q,k/r,k/s,k/t,k/u,k/v,k/w,k/x,k/y,k/z,k/A,k/B,k/C,k/D,k/E,k/F,k/G,k/H,k/I,k/J,k/K,k/L,k/M,k/N,k/O,k/P,k/Q,k/R,k/S,k/T,k/U,k/V,k/W,k/X,k/Y,k/Z,l/a,l/b,l/c,l/d,l/e,l/f,l/g,l/h,l/i,l/j,l/k,l/l,l/m,l/n,l/o,l/p,l/q,l/r,l/s,l/t,l/u,l/v,l/w,l/x,l/y,l/z,l/A,l/B,l/C,l/D,l/E,l/F,l/G,l/H,l/I,l/J,l/K,l/L,l/M,l/N,l/O,l/P,l/Q,l/R,l/S,l/T,l/U,l/V,l/W,l/X,l/Y,l/Z,m/a,m/b,m/c,m/d,m/e,m/f,m/g,m/h,m/i,m/j,m/k,m/l,m/m,m/n,m/o,m/p,m/q,m/r,m/s,m/t,m/u,m/v,m/w,m/x,m/y,m/z,m/A,m/B,m/C,m/D,m/E,m/F,m/G,m/H,m/I,m/J,m/K,m/L,m/M,m/N,m/O,m/P,m/Q,m/R,m/S,m/T,m/U,m/V,m/W,m/X,m/Y,m/Z,n/a,n/b,n/c,n/d,n/e,n/f,n/g,n/h,n/i,n/j,n/k,n/l,n/m,n/n,n/o,n/p,n/q,n/r,n/s,n/t,n/u,n/v,n/w,n/x,n/y,n/z,n/A,n/B,n/C,n/D,n/E,n/F,n/G,n/H,n/I,n/J,n/K,n/L,n/M,n/N,n/O,n/P,n/Q,n/R,n/S,n/T,n/U,n/V,n/W,n/X,n/Y,n/Z,o/a,o/b,o/c,o/d,o/e,o/f,o/g,o/h,o/i,o/j,o/k,o/l,o/m,o/n,o/o,o/p,o/q,o/r,o/s,o/t,o/u,o/v,o/w,o/x,o/y,o/z,o/A,o/B,o/C,o/D,o/E,o/F,o/G,o/H,o/I,o/J,o/K,o/L,o/M,o/N,o/O,o/P,o/Q,o/R,o/S,o/T,o/U,o/V,o/W,o/X,o/Y,o/Z,p/a,p/b,p/c,p/d,p/e,p/f,p/g,p/h,p/i,p/j,p/k,p/l,p/m,p/n,p/o,p/p,p/q,p/r,p/s,p/t,p/u,p/v,p/w,p/x,p/y,p/z,p/A,p/B,p/C,p/D,p/E,p/F,p/G,p/H,p/I,p/J,p/K,p/L,p/M,p/N,p/O,p/P,p/Q,p/R,p/S,p/T,p/U,p/V,p/W,p/X,p/Y,p/Z,q/a,q/b,q/c,q/d,q/e,q/f,q/g,q/h,q/i,q/j,q/k,q/l,q/m,q/n,q/o,q/p,q/q,q/r,q/s,q/t,q/u,q/v,q/w,q/x,q/y,q/z,q/A,q/B,q/C,q/D,q/E,q/F,q/G,q/H,q/I,q/J,q/K,q/L,q/M,q/N,q/O,q/P,q/Q,q/R,q/S,q/T,q/U,q/V,q/W,q/X,q/Y,q/Z,r/a,r/b,r/c,r/d,r/e,r/f,r/g,r/h,r/i,r/j,r/k,r/l,r/m,r/n,r/o,r/p,r/q,r/r,r/s,r/t,r/u,r/v,r/w,r/x,r/y,r/z,r/A,r/B,r/C,r/D,r/E,r/F,r/G,r/H,r/I,r/J,r/K,r/L,r/M,r/N,r/O,r/P,r/Q,r/R,r/S,r/T,r/U,r/V,r/W,r/X,r/Y,r/Z,s/a,s/b,s/c,s/d,s/e,s/f,s/g,s/h,s/i,s/j,s/k,s/l,s/m,s/n,s/o,s/p,s/q,s/r,s/s,s/t,s/u,s/v,s/w,s/x,s/y,s/z,s/A,s/B,s/C,s/D,s/E
,s/F,s/G,s/H,s/I,s/J,s/K,s/L,s/M,s/N,s/O,s/P,s/Q,s/R,s/S,s/T,s/U,s/V,s/W,s/X,s/Y,s/Z,t/a,t/b,t/c,t/d,t/e,t/f,t/g,t/h,t/i,t/j,t/k,t/l,t/m,t/n,t/o,t/p,t/q,t/r,t/s,t/t,t/u,t/v,t/w,t/x,t/y,t/z,t/A,t/B,t/C,t/D,t/E,t/F,t/G,t/H,t/I,t/J,t/K,t/L,t/M,t/N,t/O,t/P,t/Q,t/R,t/S,t/T,t/U,t/V,t/W,t/X,t/Y,t/Z,u/a,u/b,u/c,u/d,u/e,u/f,u/g,u/h,u/i,u/j,u/k,u/l,u/m,u/n,u/o,u/p,u/q,u/r,u/s,u/t,u/u,u/v,u/w,u/x,u/y,u/z,u/A,u/B,u/C,u/D,u/E,u/F,u/G,u/H,u/I,u/J,u/K,u/L,u/M,u/N,u/O,u/P,u/Q,u/R,u/S,u/T,u/U,u/V,u/W,u/X,u/Y,u/Z,v/a,v/b,v/c,v/d,v/e,v/f,v/g,v/h,v/i,v/j,v/k,v/l,v/m,v/n,v/o,v/p,v/q,v/r,v/s,v/t,v/u,v/v,v/w,v/x,v/y,v/z,v/A,v/B,v/C,v/D,v/E,v/F,v/G,v/H,v/I,v/J,v/K,v/L,v/M,v/N,v/O,v/P,v/Q,v/R,v/S,v/T,v/U,v/V,v/W,v/X,v/Y,v/Z,w/a,w/b,w/c,w/d,w/e,w/f,w/g,w/h,w/i,w/j,w/k,w/l,w/m,w/n,w/o,w/p,w/q,w/r,w/s,w/t,w/u,w/v,w/w,w/x,w/y,w/z,w/A,w/B,w/C,w/D,w/E,w/F,w/G,w/H,w/I,w/J,w/K,w/L,w/M,w/N,w/O,w/P,w/Q,w/R,w/S,w/T,w/U,w/V,w/W,w/X,w/Y,w/Z,x/a,x/b,x/c,x/d,x/e,x/f,x/g,x/h,x/i,x/j,x/k,x/l,x/m,x/n,x/o,x/p,x/q,x/r,x/s,x/t,x/u,x/v,x/w,x/x,x/y,x/z,x/A,x/B,x/C,x/D,x/E,x/F,x/G,x/H,x/I,x/J,x/K,x/L,x/M,x/N,x/O,x/P,x/Q,x/R,x/S,x/T,x/U,x/V,x/W,x/X,x/Y,x/Z,y/a,y/b,y/c,y/d,y/e,y/f,y/g,y/h,y/i,y/j,y/k,y/l,y/m,y/n,y/o,y/p,y/q,y/r,y/s,y/t,y/u,y/v,y/w,y/x,y/y,y/z,y/A,y/B,y/C,y/D,y/E,y/F,y/G,y/H,y/I,y/J,y/K,y/L,y/M,y/N,y/O,y/P,y/Q,y/R,y/S,y/T,y/U,y/V,y/W,y/X,y/Y,y/Z,z/a,z/b,z/c,z/d,z/e,z/f,z/g,z/h,z/i,z/j,z/k,z/l,z/m,z/n,z/o,z/p,z/q,z/r,z/s,z/t,z/u,z/v,z/w,z/x,z/y,z/z} rw, + +} diff --git a/parser/tst/simple_tests/file/priority/ok_append_1.sd b/parser/tst/simple_tests/file/priority/ok_append_1.sd new file mode 100644 index 000000000..daa96daba --- /dev/null +++ b/parser/tst/simple_tests/file/priority/ok_append_1.sd @@ -0,0 +1,13 @@ +# +#=DESCRIPTION test append +#=EXRESULT PASS +# +/usr/bin/foo { + /bin/cat a, + /bin/true ra, + /bin/false ma, + priority=-1 /lib/libc.so la, + /bin/less ixa, + /bin/more pxa, + /a uxa, +} 
diff --git a/parser/tst/simple_tests/file/priority/ok_audit_deny_link.sd b/parser/tst/simple_tests/file/priority/ok_audit_deny_link.sd
new file mode 100644
index 000000000..2e49f3de7
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_audit_deny_link.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 audit deny link /alpha/beta -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_bare_1.sd b/parser/tst/simple_tests/file/priority/ok_bare_1.sd
new file mode 100644
index 000000000..5993127cc
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_bare_1.sd
@@ -0,0 +1,8 @@
+#
+#=Description bare file rule
+#=EXRESULT PASS
+#=TODO https://launchpad.net/bugs/1215637
+#
+/usr/bin/foo {
+ priority=19 deny file,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_carat_1.sd b/parser/tst/simple_tests/file/priority/ok_carat_1.sd
new file mode 100644
index 000000000..bc25543bc
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_carat_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /foo^bar r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_carat_2.sd b/parser/tst/simple_tests/file/priority/ok_carat_2.sd
new file mode 100644
index 000000000..6b13e0dc1
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_carat_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION trailing carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /foo/bar^ r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_comma_1.sd b/parser/tst/simple_tests/file/priority/ok_comma_1.sd
new file mode 100644
index 000000000..4fbaa0bd6
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_comma_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION comma in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /foo,bar r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_comma_2.sd b/parser/tst/simple_tests/file/priority/ok_comma_2.sd
new file mode 100644
index 000000000..4dc7b617c
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_comma_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION comma at end of pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 "/foobar," r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_deny_1.sd b/parser/tst/simple_tests/file/priority/ok_deny_1.sd
new file mode 100644
index 000000000..1fa3f802e
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_deny_1.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION A simple deny rule
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ priority=-1 deny /usr/bin/foo r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_deny_2.sd b/parser/tst/simple_tests/file/priority/ok_deny_2.sd
new file mode 100644
index 000000000..1fa3f802e
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_deny_2.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION A simple deny rule
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ priority=-1 deny /usr/bin/foo r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_deny_3.sd b/parser/tst/simple_tests/file/priority/ok_deny_3.sd
new file mode 100644
index 000000000..72fa5ddb5
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_deny_3.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION an overlapping deny rule
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ priority=-1 /usr/bin/** r,
+ priority=5 deny /usr/bin/foo r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_deny_4.sd b/parser/tst/simple_tests/file/priority/ok_deny_4.sd
new file mode 100644
index 000000000..c5bb8a8da
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_deny_4.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION an exact overlapping deny rule
+#=EXRESULT PASS
+# vim:syntax=apparmor
+#
+/usr/bin/foo {
+ priority=-1 /usr/bin/foo r,
+ priority=-1 deny /usr/bin/foo r,
+}
+
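Review bot: ok_deny_2.sd is byte-for-byte the same file as ok_deny_1.sd — both hunks carry the blob id `1fa3f802e` and the same single rule `priority=-1 deny /usr/bin/foo r,` — so the second fixture adds no coverage. The same duplication recurs later in this diff: var1_ok_link_1.sd and var1_src_ok_link_1.sd share blob `5069fd4f6`, and var1_target_ok_link_1.sd and var2_target_ok_link_1.sd share blob `6078a72c4`. Either drop the duplicates or make each copy differ in the one dimension its name implies (for instance putting the prefix on the other rule, or combining it with `audit`/`owner`), so that a regression in one variant is distinguishable from the other.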
diff --git a/parser/tst/simple_tests/file/priority/ok_deny_link.sd b/parser/tst/simple_tests/file/priority/ok_deny_link.sd
new file mode 100644
index 000000000..c9f126d26
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_deny_link.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 deny link /alpha/beta -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_embedded_spaces_1.sd b/parser/tst/simple_tests/file/priority/ok_embedded_spaces_1.sd
new file mode 100644
index 000000000..3b5d5dd3b
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_embedded_spaces_1.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+/bin/foo {
+ priority=-1 "/abc\ def" r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_embedded_spaces_2.sd b/parser/tst/simple_tests/file/priority/ok_embedded_spaces_2.sd
new file mode 100644
index 000000000..bee05bf43
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_embedded_spaces_2.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+/bin/foo {
+ priority=-1 "/abc def" r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_embedded_spaces_3.sd b/parser/tst/simple_tests/file/priority/ok_embedded_spaces_3.sd
new file mode 100644
index 000000000..eef2b736a
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_embedded_spaces_3.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+"/bin/fo o" {
+ priority=-1 "/abc def" r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_embedded_spaces_4.sd b/parser/tst/simple_tests/file/priority/ok_embedded_spaces_4.sd
new file mode 100644
index 000000000..f49fc2de5
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_embedded_spaces_4.sd
@@ -0,0 +1,6 @@
+#=DESCRIPTION Simple test case for embedded spaces
+#=EXRESULT PASS
+
+/bin/foo {
+ priority=-1 /abc\ def r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_inv_char_class.sd b/parser/tst/simple_tests/file/priority/ok_inv_char_class.sd
new file mode 100644
index 000000000..33f0bc309
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_inv_char_class.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION carat in pathname
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /foo[^me]bar r,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_link_1.sd b/parser/tst/simple_tests/file/priority/ok_link_1.sd
new file mode 100644
index 000000000..bb227d6b3
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_link_1.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 /alpha/beta rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_link_2.sd b/parser/tst/simple_tests/file/priority/ok_link_2.sd
new file mode 100644
index 000000000..d9683fe79
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_link_2.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 link /alpha/beta -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_link_3.sd b/parser/tst/simple_tests/file/priority/ok_link_3.sd
new file mode 100644
index 000000000..7bf458aa5
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_link_3.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 link subset /alpha/beta -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_link_audit_deny_owner_subset.sd b/parser/tst/simple_tests/file/priority/ok_link_audit_deny_owner_subset.sd
new file mode 100644
index 000000000..67321d3e6
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_link_audit_deny_owner_subset.sd
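Review bot: The description header of ok_inv_char_class.sd reads `#=DESCRIPTION carat in pathname`, which is the text of ok_carat_1.sd, while the rule under test is `/foo[^me]bar r,` — an inverted character class, not a literal carat. A mismatched description makes the failure message of the simple_tests runner misleading when this fixture breaks; it should read `#=DESCRIPTION inverted character class in pathname` (or similar).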
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION link access test with audit deny and owner restriction
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 audit deny owner link subset /alpha/beta -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_link_owner.sd b/parser/tst/simple_tests/file/priority/ok_link_owner.sd
new file mode 100644
index 000000000..975657a75
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_link_owner.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test with owner restriction
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 owner link subset /alpha/beta -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_lock_1.sd b/parser/tst/simple_tests/file/priority/ok_lock_1.sd
new file mode 100644
index 000000000..8909cd45c
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_lock_1.sd
@@ -0,0 +1,17 @@
+#
+#=DESCRIPTION k and other perms do not conflict
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ /bin/a k,
+ /bin/b rk,
+ /bin/c wk,
+ priority=-1 /bin/d ak,
+ /bin/e lk,
+ /bin/e mk,
+ /bin/f pxk,
+ /bin/g Pxk,
+ /bin/h ixk,
+ /bin/i uxk,
+ /bin/j Uxk,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_mmap_1.sd b/parser/tst/simple_tests/file/priority/ok_mmap_1.sd
new file mode 100644
index 000000000..e7b12da37
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_mmap_1.sd
@@ -0,0 +1,12 @@
+#
+#=DESCRIPTION m and [uUpPi]x do not conflict
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /bin/cat mix,
+ /bin/true mpx,
+ priority=-1 /bin/false mux,
+ priority=-1 /lib/libc.so rwlm,
+ /bin/less mUx,
+ priority=10 /bin/more mPx,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_mmap_2.sd b/parser/tst/simple_tests/file/priority/ok_mmap_2.sd
new file mode 100644
index 000000000..67212eacb
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_mmap_2.sd
@@ -0,0 +1,14 @@
+#
+#=DESCRIPTION m and [upi]x do not conflict, separate rules
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ /bin/cat rm,
+ /bin/cat ix,
+ priority=-1 /bin/true px,
+ /bin/true m,
+ /bin/false m,
+ /bin/false ux,
+ priority=-1 /lib/libc.so rwl,
+ /lib/libc.so m,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_octal_1.sd b/parser/tst/simple_tests/file/priority/ok_octal_1.sd
new file mode 100644
index 000000000..c09abb95a
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_octal_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION simple octal test
+#=EXRESULT PASS
+#
+
+profile ascii {
+ priority=-1 /bin/\141bcde rix,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_octal_2.sd b/parser/tst/simple_tests/file/priority/ok_octal_2.sd
new file mode 100644
index 000000000..26530126a
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_octal_2.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION simple quoted octal expansion
+#=EXRESULT PASS
+#
+
+profile octal {
+ priority=-1 "/bin/a b \143 d e" rix,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_other_1.sd b/parser/tst/simple_tests/file/priority/ok_other_1.sd
new file mode 100644
index 000000000..39d16cb83
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_other_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple other flag test
+#=EXRESULT PASS
+
+profile test {
+ priority=-1 other /tmp/** rw,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_other_2.sd b/parser/tst/simple_tests/file/priority/ok_other_2.sd
new file mode 100644
index 000000000..bbbbe43ee
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_other_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple deny other flag test
+#=EXRESULT PASS
+
+profile test {
+ priority=-1 deny other /tmp/** rw,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_other_3.sd b/parser/tst/simple_tests/file/priority/ok_other_3.sd
new file mode 100644
index 000000000..ac0e4be6b
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_other_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple other flag test
+#=EXRESULT PASS
+
+profile test {
+ priority=-1 audit other /tmp/** rw,
+}
diff --git a/parser/tst/simple_tests/file/priority/ok_quoted_1.sd b/parser/tst/simple_tests/file/priority/ok_quoted_1.sd
new file mode 100644
index 000000000..d0844ad82
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_quoted_1.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple quoted tab expansion
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 "/bin/alpha\tbeta" rix,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_quoted_2.sd b/parser/tst/simple_tests/file/priority/ok_quoted_2.sd
new file mode 100644
index 000000000..1bc317668
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_quoted_2.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple quoted newline expansion
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 "/bin/alpha\nbeta" rix,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_quoted_3.sd b/parser/tst/simple_tests/file/priority/ok_quoted_3.sd
new file mode 100644
index 000000000..459e23f1e
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_quoted_3.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple quoted carriage return expansion
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 "/bin/alpha\rbeta" rix,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_quoted_4.sd b/parser/tst/simple_tests/file/priority/ok_quoted_4.sd
new file mode 100644
index 000000000..4227a539b
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_quoted_4.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple quoted quote expansion
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 "/bin/alpha\"beta" rix,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_quoted_5.sd b/parser/tst/simple_tests/file/priority/ok_quoted_5.sd
new file mode 100644
index 000000000..fd1836f8b
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_quoted_5.sd
@@ -0,0 +1,9 @@
+#
+#=DESCRIPTION simple quoted backslash expansion
+#=EXRESULT PASS
+#
+
+profile test {
+ priority=-1 "/bin/alpha\\beta" rix,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/ok_slashquote_1.sd b/parser/tst/simple_tests/file/priority/ok_slashquote_1.sd
new file mode 100644
index 000000000..0924ceb9b
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/ok_slashquote_1.sd
@@ -0,0 +1,8 @@
+#
+#=DESCRIPTION unnecessary slash quotes are okay (should emit warning)
+#=EXRESULT PASS
+#
+
+profile blart {
+ priority=-1 /bingo/bang\o/bongo rw,
+}
diff --git a/parser/tst/simple_tests/file/priority/stacking_ok_1.sd b/parser/tst/simple_tests/file/priority/stacking_ok_1.sd
new file mode 100644
index 000000000..56b399923
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/stacking_ok_1.sd
@@ -0,0 +1,7 @@
+#
+#=Description basic file exec rule with stacking target
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ priority=-1 /bin/bar px -> &baz,
+}
diff --git a/parser/tst/simple_tests/file/priority/var1_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/priority/var1_ok_audit_deny_link.sd
new file mode 100644
index 000000000..168999ff6
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 audit deny link @{var} -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_ok_deny_link.sd b/parser/tst/simple_tests/file/priority/var1_ok_deny_link.sd
new file mode 100644
index 000000000..a4d55650a
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 deny link @{var} -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_ok_link_1.sd b/parser/tst/simple_tests/file/priority/var1_ok_link_1.sd
new file mode 100644
index 000000000..5069fd4f6
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 @{var} rl,
+ priority=-1 /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_ok_link_2.sd b/parser/tst/simple_tests/file/priority/var1_ok_link_2.sd
new file mode 100644
index 000000000..f074f9c85
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link @{var} -> @{var},
+ priority=-1 @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_ok_link_3.sd b/parser/tst/simple_tests/file/priority/var1_ok_link_3.sd
new file mode 100644
index 000000000..54b8e03e4
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link subset @{var} -> @{var},
+ priority=-1 @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_src_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/priority/var1_src_ok_audit_deny_link.sd
new file mode 100644
index 000000000..d05278fc4
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_src_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 audit deny link @{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_src_ok_deny_link.sd b/parser/tst/simple_tests/file/priority/var1_src_ok_deny_link.sd
new file mode 100644
index 000000000..9fe80b0f4
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_src_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 deny link @{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_src_ok_link_1.sd b/parser/tst/simple_tests/file/priority/var1_src_ok_link_1.sd
new file mode 100644
index 000000000..5069fd4f6
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_src_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 @{var} rl,
+ priority=-1 /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_src_ok_link_2.sd b/parser/tst/simple_tests/file/priority/var1_src_ok_link_2.sd
new file mode 100644
index 000000000..373508ec2
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_src_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link @{var} -> /tmp/**,
+ priority=-1 /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_src_ok_link_3.sd b/parser/tst/simple_tests/file/priority/var1_src_ok_link_3.sd
new file mode 100644
index 000000000..60b5b9b84
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_src_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link subset @{var} -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_target_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/priority/var1_target_ok_audit_deny_link.sd
new file mode 100644
index 000000000..e0fc27a79
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_target_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 audit deny link /alpha/beta -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_target_ok_deny_link.sd b/parser/tst/simple_tests/file/priority/var1_target_ok_deny_link.sd
new file mode 100644
index 000000000..d52a0e71d
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_target_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 deny link /alpha/beta -> @{var},
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_target_ok_link_1.sd b/parser/tst/simple_tests/file/priority/var1_target_ok_link_1.sd
new file mode 100644
index 000000000..6078a72c4
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_target_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 /alpha/beta rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_target_ok_link_2.sd b/parser/tst/simple_tests/file/priority/var1_target_ok_link_2.sd
new file mode 100644
index 000000000..d0f735798
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_target_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link /alpha/beta -> @{var},
+ priority=-1 @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var1_target_ok_link_3.sd b/parser/tst/simple_tests/file/priority/var1_target_ok_link_3.sd
new file mode 100644
index 000000000..c561351c7
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var1_target_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link subset /alpha/beta -> @{var},
+ priority=-1 @{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/priority/var2_ok_audit_deny_link.sd
new file mode 100644
index 000000000..8547060d5
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 audit deny link /foo@{var} -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_ok_deny_link.sd b/parser/tst/simple_tests/file/priority/var2_ok_deny_link.sd
new file mode 100644
index 000000000..4360476e8
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 deny link /foo@{var} -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_ok_link_1.sd b/parser/tst/simple_tests/file/priority/var2_ok_link_1.sd
new file mode 100644
index 000000000..3075c2fb6
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=11 /foo@{var} rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_ok_link_2.sd b/parser/tst/simple_tests/file/priority/var2_ok_link_2.sd
new file mode 100644
index 000000000..69d59834c
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link /foo@{var} -> /foo@{var},
+ /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_ok_link_3.sd b/parser/tst/simple_tests/file/priority/var2_ok_link_3.sd
new file mode 100644
index 000000000..81b44b024
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link subset /foo@{var} -> /foo@{var},
+ /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_src_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/priority/var2_src_ok_audit_deny_link.sd
new file mode 100644
index 000000000..2d880b19c
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_src_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ audit deny link /foo@{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_src_ok_deny_link.sd b/parser/tst/simple_tests/file/priority/var2_src_ok_deny_link.sd
new file mode 100644
index 000000000..a6c4bace6
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_src_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ deny link /foo@{var} -> /tmp/**,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_src_ok_link_1.sd b/parser/tst/simple_tests/file/priority/var2_src_ok_link_1.sd
new file mode 100644
index 000000000..fe1b2dcf8
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_src_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ /foo@{var} rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_src_ok_link_2.sd b/parser/tst/simple_tests/file/priority/var2_src_ok_link_2.sd
new file mode 100644
index 000000000..5bc6ef81c
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_src_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link /foo@{var} -> /tmp/**,
+ /tmp/** r,
+}
+
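Review bot: `var2_src_ok_audit_deny_link.sd` is added under `file/priority/` but carries no `priority=` prefix (`audit deny link /foo@{var} -> /tmp/**,`), so it does not exercise the feature this commit introduces and only duplicates the existing link test it was copied from; the same applies to `var2_src_ok_deny_link.sd`, `var2_src_ok_link_1.sd` and `var2_src_ok_link_2.sd` on this line and to `var2_src_ok_link_3.sd` and `var2_target_ok_deny_link.sd` below. Since the `test-parser-simple-tests.py` change at the end of this page appears to skip everything under `file/priority/` for the tools' run as well, these files currently add no coverage anywhere. Either add the prefix, e.g. `priority=-1 audit deny link /foo@{var} -> /tmp/**,`, or drop the prefix-less files.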
diff --git a/parser/tst/simple_tests/file/priority/var2_src_ok_link_3.sd b/parser/tst/simple_tests/file/priority/var2_src_ok_link_3.sd
new file mode 100644
index 000000000..0bdd95fc4
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_src_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ link subset /foo@{var} -> /tmp/**,
+ /tmp/** r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_target_ok_audit_deny_link.sd b/parser/tst/simple_tests/file/priority/var2_target_ok_audit_deny_link.sd
new file mode 100644
index 000000000..9c83e7ea9
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_target_ok_audit_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 audit deny link /alpha/beta -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_target_ok_deny_link.sd b/parser/tst/simple_tests/file/priority/var2_target_ok_deny_link.sd
new file mode 100644
index 000000000..83321243f
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_target_ok_deny_link.sd
@@ -0,0 +1,10 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ deny link /alpha/beta -> /foo@{var},
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_target_ok_link_1.sd b/parser/tst/simple_tests/file/priority/var2_target_ok_link_1.sd
new file mode 100644
index 000000000..6078a72c4
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_target_ok_link_1.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 /alpha/beta rl,
+ /gamma/* rwl,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_target_ok_link_2.sd b/parser/tst/simple_tests/file/priority/var2_target_ok_link_2.sd
new file mode 100644
index 000000000..0b8ab3980
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_target_ok_link_2.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link /alpha/beta -> /foo@{var},
+ /foo@{var} r,
+}
+
diff --git a/parser/tst/simple_tests/file/priority/var2_target_ok_link_3.sd b/parser/tst/simple_tests/file/priority/var2_target_ok_link_3.sd
new file mode 100644
index 000000000..e5eb73cea
--- /dev/null
+++ b/parser/tst/simple_tests/file/priority/var2_target_ok_link_3.sd
@@ -0,0 +1,11 @@
+#
+#=DESCRIPTION simple link access test
+#=EXRESULT PASS
+#
+
+@{var}=/test
+profile test {
+ priority=-1 link subset /alpha/beta -> /foo@{var},
+ /foo@{var} r,
+}
+
diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py
index c6c1a6e25..2e53ddf9b 100644
--- a/utils/test/test-parser-simple-tests.py
+++ b/utils/test/test-parser-simple-tests.py
@@ -35,6 +35,9 @@ skip_startswith = (
 # Pux and Cux (which actually mean PUx and CUx) get rejected by the tools
 'generated_x/exact-',
+
+ # don't handle rule priorities yet
+ 'file/priority/',
 )
 
 # testcases that should raise an exception, but don't