apparmor/tests/regression/subdomain/AppArmor.rtf

{\rtf1\ansi\deff1\adeflang1025
{\fonttbl{\f0\froman\fprq2\fcharset0 Nimbus Roman No9 L{\*\falt Times New Roman};}{\f1\froman\fprq2\fcharset0 Nimbus Roman No9 L{\*\falt Times New Roman};}{\f2\froman\fprq2\fcharset0 Times New Roman;}{\f3\froman\fprq2\fcharset0 Nimbus Roman No9 L{\*\falt Times New Roman};}{\f4\fswiss\fprq2\fcharset0 Nimbus Sans L{\*\falt Arial};}{\f5\fswiss\fprq2\fcharset0 Arial;}{\f6\fmodern\fprq0\fcharset0 Courier New;}{\f7\fnil\fprq0\fcharset2 StarSymbol;}{\f8\froman\fprq2\fcharset2 Symbol;}{\f9\fnil\fprq2\fcharset2 Wingdings;}{\f10\fmodern\fprq0\fcharset0 Courier;}{\f11\fnil\fprq2\fcharset0 Andale Sans UI{\*\falt Arial Unicode MS};}{\f12\froman\fprq0\fcharset0 MS Mincho{\*\falt \u65325 ?\u65331 ? \u26126 ?\u26397 ?};}{\f13\fnil\fprq2\fcharset0 Lucidasans;}{\f14\fnil\fprq0\fcharset0 Lucidasans;}}
{\colortbl;\red0\green0\blue0;\red128\green128\blue128;}
{\stylesheet{\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033\snext1 Default;}
{\s2\sa120\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033\sbasedon1\snext2 Text body;}
{\s3{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\rtlch\af14\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033\sbasedon2\snext3 List;}
{\s4\sb120\sa120\rtlch\af14\afs20\lang255\ai\ltrch\dbch\af11\afs20\langfe255\ai\loch\fs20\lang1033\i\sbasedon1\snext4 Caption;}
{\s5\rtlch\af14\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033\sbasedon1\snext5 Index;}
{\s6\sb240\sa120\keepn\rtlch\afs28\lang255\ltrch\dbch\afs28\langfe255\loch\f4\fs28\lang1033\sbasedon1\snext2 Heading;}
{\s7\sb240\sa60\keepn\rtlch\af5\afs32\lang255\ab\ltrch\dbch\af11\afs32\langfe255\ab\loch\f5\fs32\lang1033\b\sbasedon1\snext1{\*\soutlvl0} Heading 1;}
{\s8\sb240\sa60\keepn\rtlch\af5\afs28\lang255\ai\ab\ltrch\dbch\af11\afs28\langfe255\ai\ab\loch\f5\fs28\lang1033\i\b\sbasedon1\snext1{\*\soutlvl1} Heading 2;}
{\s9\rtlch\af6\afs20\lang255\ltrch\dbch\af11\afs20\langfe255\loch\f6\fs20\lang1033\sbasedon1\snext9 WW-Plain Text;}
{\*\cs11\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 1;}
{\*\cs12\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 2;}
{\*\cs13\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 3;}
{\*\cs14\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 4;}
{\*\cs15\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 5;}
{\*\cs16\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 6;}
{\*\cs17\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 7;}
{\*\cs18\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 8;}
{\*\cs19\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 9;}
{\*\cs20\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 2 10;}
{\*\cs21\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 1;}
{\*\cs22\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 2;}
{\*\cs23\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 3;}
{\*\cs24\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 4;}
{\*\cs25\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 5;}
{\*\cs26\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 6;}
{\*\cs27\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 7;}
{\*\cs28\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 8;}
{\*\cs29\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 9;}
{\*\cs30\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 10;}
{\*\cs31\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 1;}
{\*\cs32\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 2;}
{\*\cs33\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 3;}
{\*\cs34\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 4;}
{\*\cs35\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 5;}
{\*\cs36\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 6;}
{\*\cs37\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 7;}
{\*\cs38\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 8;}
{\*\cs39\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 9;}
{\*\cs40\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 3 10;}
{\*\cs41\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 1;}
{\*\cs42\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 2;}
{\*\cs43\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 3;}
{\*\cs44\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 4;}
{\*\cs45\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 5;}
{\*\cs46\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 6;}
{\*\cs47\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 7;}
{\*\cs48\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 8;}
{\*\cs49\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 9;}
{\*\cs50\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 RTF_Num 3 10;}
{\*\cs51\rtlch\af8\afs24\lang255\ltrch\dbch\af8\afs24\langfe255\loch\f8\fs24\lang1033 RTF_Num 5 1;}
{\*\cs52\rtlch\af6\afs24\lang255\ltrch\dbch\af6\afs24\langfe255\loch\f6\fs24\lang1033 RTF_Num 5 2;}
{\*\cs53\rtlch\af9\afs24\lang255\ltrch\dbch\af9\afs24\langfe255\loch\f9\fs24\lang1033 RTF_Num 5 3;}
{\*\cs54\rtlch\af8\afs24\lang255\ltrch\dbch\af8\afs24\langfe255\loch\f8\fs24\lang1033 RTF_Num 5 4;}
{\*\cs55\rtlch\af6\afs24\lang255\ltrch\dbch\af6\afs24\langfe255\loch\f6\fs24\lang1033 RTF_Num 5 5;}
{\*\cs56\rtlch\af9\afs24\lang255\ltrch\dbch\af9\afs24\langfe255\loch\f9\fs24\lang1033 RTF_Num 5 6;}
{\*\cs57\rtlch\af8\afs24\lang255\ltrch\dbch\af8\afs24\langfe255\loch\f8\fs24\lang1033 RTF_Num 5 7;}
{\*\cs58\rtlch\af6\afs24\lang255\ltrch\dbch\af6\afs24\langfe255\loch\f6\fs24\lang1033 RTF_Num 5 8;}
{\*\cs59\rtlch\af9\afs24\lang255\ltrch\dbch\af9\afs24\langfe255\loch\f9\fs24\lang1033 RTF_Num 5 9;}
{\*\cs60\cf0\rtlch\af1\afs24\lang255\ltrch\dbch\af1\afs24\langfe255\loch\f1\fs24\lang1033 RTF_Num 5 10;}
{\*\cs61\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 1;}
{\*\cs62\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 2;}
{\*\cs63\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 3;}
{\*\cs64\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 4;}
{\*\cs65\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 5;}
{\*\cs66\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 6;}
{\*\cs67\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 7;}
{\*\cs68\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 8;}
{\*\cs69\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 9;}
{\*\cs70\rtlch\afs24\lang255\ltrch\dbch\afs24\langfe255\loch\fs24\lang1033 RTF_Num 4 10;}
{\*\cs71\cf0\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\f1\fs24\lang1033 Numbering Symbols;}
{\*\cs72\cf0\rtlch\af7\afs18\lang255\ltrch\dbch\af7\afs18\langfe255\loch\f7\fs18\lang1033 Bullets;}
{\*\cs73\cf0\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\f8\fs24\lang1033 WW8Num1z0;}
{\*\cs74\cf0\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\f6\fs24\lang1033 WW8Num1z1;}
{\*\cs75\cf0\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\f9\fs24\lang1033 WW8Num1z2;}
{\*\cs76\cf0\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\f1\fs24\lang1033 WW-Default Paragraph Font;}
}{\*\listtable{\list\listtemplateid1
{\listlevel\levelnfc0\leveljc0\levelstartat3\levelfollow2{\leveltext \'02\'00.;}{\levelnumbers\'01;}\f8\f8\f8\fi-283\li283}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'01.;}{\levelnumbers\'01;}\f6\f6\f6\fi-283\li567}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'02.;}{\levelnumbers\'01;}\f9\f9\f9\fi-283\li850}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'03.;}{\levelnumbers\'01;}\f8\f8\f8\fi-283\li1134}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'04.;}{\levelnumbers\'01;}\f6\f6\f6\fi-283\li1417}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'05.;}{\levelnumbers\'01;}\f9\f9\f9\fi-283\li1701}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'06.;}{\levelnumbers\'01;}\f8\f8\f8\fi-283\li1984}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'07.;}{\levelnumbers\'01;}\f6\f6\f6\fi-283\li2268}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'08.;}{\levelnumbers\'01;}\f9\f9\f9\fi-283\li2551}
{\*\soutlvl{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'09.;}{\levelnumbers\'01;}\fi-283\li2835}}{\listname RTF_Num 5;}\listid1}
{\list\listtemplateid2
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li283}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li567}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li850}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li1134}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li1417}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li1701}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li1984}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li2268}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li2551}
{\*\soutlvl{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u9679 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f7\fi-283\li2835}}{\listname RTF_Num 3;}\listid2}
{\list\listtemplateid3
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'00.;}{\levelnumbers\'01;}\fi-283\li283}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'01.;}{\levelnumbers\'01;}\fi-283\li567}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'02.;}{\levelnumbers\'01;}\fi-283\li850}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'03.;}{\levelnumbers\'01;}\fi-283\li1134}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'04.;}{\levelnumbers\'01;}\fi-283\li1417}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'05.;}{\levelnumbers\'01;}\fi-283\li1701}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'06.;}{\levelnumbers\'01;}\fi-283\li1984}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'07.;}{\levelnumbers\'01;}\fi-283\li2268}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'08.;}{\levelnumbers\'01;}\fi-283\li2551}
{\*\soutlvl{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'09.;}{\levelnumbers\'01;}\fi-283\li2835}}{\listname RTF_Num 4;}\listid3}
{\list\listtemplateid4\listsimple
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u61623 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f8\fi-360\li720}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u111 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f6\fi-360\li1440}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u61607 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f9\fi-360\li2160}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u61623 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f8\fi-360\li2880}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u111 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f6\fi-360\li3600}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u61607 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f9\fi-360\li4320}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u61623 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f8\fi-360\li5040}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u111 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f6\fi-360\li5760}
{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u61607 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f9\fi-360\li6480}
{\*\soutlvl{\listlevel\levelnfc23\leveljc0\levelstartat1\levelfollow2{\leveltext \'01\u61623 ?;}{\levelnumbers;}\f7\fs18\f7\fs18\f7\fs18\f8\fi-360\li7200}}{\listname WW8Num1;}\listid4}
{\list\listtemplateid5
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'00.;}{\levelnumbers\'01;}\fi-283\li283}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'01.;}{\levelnumbers\'01;}\fi-283\li567}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'02.;}{\levelnumbers\'01;}\fi-283\li850}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'03.;}{\levelnumbers\'01;}\fi-283\li1134}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'04.;}{\levelnumbers\'01;}\fi-283\li1417}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'05.;}{\levelnumbers\'01;}\fi-283\li1701}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'06.;}{\levelnumbers\'01;}\fi-283\li1984}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'07.;}{\levelnumbers\'01;}\fi-283\li2268}
{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'08.;}{\levelnumbers\'01;}\fi-283\li2551}
{\*\soutlvl{\listlevel\levelnfc0\leveljc0\levelstartat1\levelfollow2{\leveltext \'02\'09.;}{\levelnumbers\'01;}\fi-283\li2835}}{\listname RTF_Num 2;}\listid5}
}{\listoverridetable{\listoverride\listid1\listoverridecount0\ls0}{\listoverride\listid2\listoverridecount0\ls1}{\listoverride\listid3\listoverridecount0\ls2}{\listoverride\listid4\listoverridecount0\ls3}{\listoverride\listid5\listoverridecount0\ls4}}

{\info{\comment StarWriter}{\vern6450}}\deftab720
{\*\pgdsctbl
{\pgdsc0\pgdscuse195\pgwsxn12240\pghsxn15840\marglsxn1800\margrsxn1800\margtsxn1440\margbsxn1440\pgdscnxt0 Default;}}
{\*\pgdscno0}\paperh15840\paperw12240\margl1800\margr1800\margt1440\margb1440\sectd\sbknone\pgwsxn12240\pghsxn15840\marglsxn1800\margrsxn1800\margtsxn1440\margbsxn1440\ftnbj\ftnstart1\ftnrstcont\ftnnar\aenddoc\aftnrstcont\aftnstart1\aftnnrlc
\pard\plain \sb240\sa60\keepn\f2\fs32\b\f12\fs32\b\f2\fs32\b\qc\aspalpha \ltrpar\s7\qc\aspalpha\sb240\sa60\keepn\rtlch\af2\afs32\lang255\ab\ltrch\dbch\af12\afs32\langfe255\ab\loch\f2\fs32\lang1033\b {\loch\f2\fs32\lang1033\i0\b AppArmor regression test suite}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \sb240\sa60\keepn\f2\fs28\i\b\f12\fs28\i\b\f2\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af2\afs28\lang255\ai\ab\ltrch\dbch\af12\afs28\langfe255\ai\ab\loch\f2\fs28\lang1033\i\b {\loch\f2\fs28\lang1033\i\b Overview}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 The AppArmor regression test suite is designed to be an easily extensible family of tests where the individual tests are highly decomposed.  Tests exist to check for regressions in the key areas of AppArmor functionality.}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 At the time of writing there are 26 tests that comprise the regression test suite.  A dedicated shell script implements each test. Some of these tests are very simple verifying just a few basic operations ('open' for example) whilst others are highly compl
ex involving many subtests and techniques such as iteration over features and comparison of behavior ('capabilities' and 'exec_qual' for example).   Regardless of the varying complexity each of these examples (shell scripts) utilize a common format and inf
rastructure support.}
\par \pard\plain \sb240\sa60\keepn\f2\fs28\i\b\f12\fs28\i\b\f2\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af2\afs28\lang255\ai\ab\ltrch\dbch\af12\afs28\langfe255\ai\ab\loch\f2\fs28\lang1033\i\b {\loch\f2\fs28\lang1033\i\b Running the Test Suite}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 The test suite is designed to be built and run from the main makefile using the command \lquote make tests\rquote .   The test suite may be built without running it using the command \lquote make.   Individual tests may be sun by the command \lquote sh <testname>.sh\rquote .  The set of tes
tnames is defined in the makefile as variable TESTS.}
\par \pard\plain \sb240\sa60\keepn\f2\fs28\i\b\f12\fs28\i\b\f2\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af2\afs28\lang255\ai\ab\ltrch\dbch\af12\afs28\langfe255\ai\ab\loch\f2\fs28\lang1033\i\b {\loch\f2\fs28\lang1033\i\b Parsing the Results}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 As detailed above, each test comprising the test suite is controlled by a dedicated shell script (normally called <testname>.sh).   This test will cycle through its subtests.  Most shell scripts produce no output to the tty for a successful run (although t
he controlling makefile outputs \lquote running <testname>' before running each shell script) although some tests (capabilities for example) output the name of each subtest as it is run.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 In the case of an error, the test framework will output a diagnostic to the tty.  Diagnostics are divided into two main areas, functional errors and unexpected errors.   Functional errors occur are when the test executed but it did not function as expected
. For functional failure the test suite will output \lquote Error:\rdblquote  followed by a description of the error.  Unexpected errors are when either a test did executed in a way whereby the framework could not determine it\rquote s behavior or the framework itself experienced
 an error.}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 Examples:}
\par \pard\plain {\listtext\pard\plain \li720\ri0\lin720\rin0\fi-360\f2\fs20\f12\fs20\f2\fs20\f7\fs18\f7\fs18\f7\fs18 \u61623 ?}\ilvl0 \ltrpar\s9\ls3\li720\ri0\lin720\rin0\fi-360\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 Functional error, test was expected to fail due to receipt of a signal but it passed:}
\par \pard\plain \ltrpar\s9\li1440\ri0\lin1440\rin0\fi0\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 Error: changehat_twice passed. Test 'CHANGEHAT (subprofile->subprofile w/ bad magic)' was expected to 'signal9'}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain {\listtext\pard\plain \li720\ri0\lin720\rin0\fi-360\f2\fs20\f12\fs20\f2\fs20\f7\fs18\f7\fs18\f7\fs18 \u61623 ?}\ilvl0 \ltrpar\s9\ls3\li720\ri0\lin720\rin0\fi-360\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 Functional error, test was expected to pass but it failed:}
\par \pard\plain \ltrpar\s9\li1440\ri0\lin1440\rin0\fi0\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 Error: open failed. Test 'OPEN RW' was expected to 'pass'.}
\par \pard\plain \ltrpar\s9\li1440\ri0\lin1440\rin0\fi0\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 Reason for failure 'FAIL: open /tmp/sdtest.13983-32704-z13990/file failed - Permission denied'}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain {\listtext\pard\plain \li720\ri0\lin720\rin0\fi-360\f2\fs20\f12\fs20\f2\fs20\f7\fs18\f7\fs18\f7\fs18 \u61623 ?}\ilvl0 \ltrpar\s9\ls3\li720\ri0\lin720\rin0\fi-360\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 Unexpected error, unable to execute a test:}
\par \pard\plain \ltrpar\s9\li1440\ri0\lin1440\rin0\fi0\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 Fatal Error (open): Unable to run test sub-executable}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain {\listtext\pard\plain \li720\ri0\lin720\rin0\fi-360\f2\fs20\f12\fs20\f2\fs20\f7\fs18\f7\fs18\f7\fs18 \u61623 ?}\ilvl0 \ltrpar\s9\ls3\li720\ri0\lin720\rin0\fi-360\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 Unexpected error< error in shell script (or in framework):}
\par \pard\plain \ltrpar\s9\li1440\ri0\lin1440\rin0\fi0\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 Fatal Error (open): Unexpected shell error. }
\par \pard\plain \ltrpar\s9\li1440\ri0\lin1440\rin0\fi0\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 Run with -x to debug}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 In dealing with a failure, the first step is to determine reproducibility.  As previously mentioned, if you are running all of the tests via \lquote make tests\rquote  you can rerun an individual test via \lquote sh <testname>.sh\rquote .}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 If the problem is reproducible, running the test with \lquote -r\rquote  as the first argument, i.e. \lquote sh <testname>.sh -r\rquote  will retain the files for the test that failed and the directory path to these files will be output to the tty.  In this directory a script called 
\lquote runtest\rquote  will be present which can be used to rerun the first failing component of the test script outside of the test harness where it is easier to determine the problem. }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Beyond this, knowledge of the actual test may be required to debug the problem further.  See \ldblquote Design of Test Suite\rdblquote  for technical information on how the tests are implemented.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 In the case of an unexpected error, running with the \lquote -r\rquote  option will usually not he helpful as the test script or framework may have a problem.  At this point, as indicated by the diagnostic, it is normally necessary to run the script with the -x option (
\lquote sh -x testname.sh\rquote ) and debug either the test script or the base framework.  This is not for the uninitiated.}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \sb240\sa60\keepn\f5\fs28\i\b\f12\fs28\i\b\f5\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af5\afs28\lang255\ai\ab\ltrch\dbch\af12\afs28\langfe255\ai\ab\loch\f5\fs28\lang1033\i\b {\loch\f5\fs28\lang1033\i\b Pre-Requisites for running the suite}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 In order to compile the test suite the GNU C compiler (gcc) must be installed on the system plus necessary development tools such as make.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 In order to execute the tests the AppArmor module must be loaded and the AppArmor filesystem (normally /subdomain) must be mounted.  In addition the AppArmor parser (normally /sbin/subdomain_parser but an alternate location may be specified in uservars.inc
) must be present.  The parser and module must be compatible or errors will result during the loading of profiles during test suite execution.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 You must be root to run the test suite (it is not necessary to be root to build the suite however).}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 Note:     Executing /etc/init.d/subdomain start as root will ensure that these requirements are met on a system with the SHASS software correctly installed.}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \sb240\sa60\keepn\f5\fs28\i\b\f12\fs28\i\b\f5\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af5\afs28\lang255\ai\ab\ltrch\dbch\af12\afs28\langfe255\ai\ab\loch\f5\fs28\lang1033\i\b {\loch\f5\fs28\lang1033\i\b Design of Test Suite}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Each test consists of one controlling shell script and one or more executable files.  This is a requirement of the test harness.  Practically speaking most of the test functionality is of sufficient complexity that no shell api exists and functionality mus
t be implemented in an executable.   Currently all executables are written in the C programming language.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 It is important to note that a functioning test is achieved by the correct operation of both the shell script and the executable. The framework requires certain behavior but outside of this the test author is free to design the test as they wish but the sh
ell script and executables must agree on their conventions in order to correctly implement the test.}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 The file \lquote prologue.inc\rquote  implements most of the underlying shell framework.  It must be loaded into the shell script before any other test functionality is performed. You will see it loaded via the shell \lquote .\rquote  function at the start of each test shell script.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 By default, prologue.inc assumes the test binary is the same name as the shell script, with \lquote .sh\rquote  removed.  For test scripts with only one executable this makes things simple.  You may want to have a single shell script run multiple executables (syscall.sh
 for example). In this case, the \lquote settest\rquote  function is used to select a new binary executable for this test.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 The \lquote genprofile\rquote  function generates a profile based on passed arguments.  The function automatically adds the necessary shared libraries and output files necessary to support the execution, it is not necessary to specify these manually.  Therefore a call t
o genprofile without arguments will build a profile allowing the executable to run but without any additional access (which assuming the test application attempts to access files will most likely cause AppArmor to report a REJECTION). Specifying additional
 arguments to genprofile in the form of <filename>:<perm> will allow additional access.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Genprofile also allows capabilities to be specified, it uses the same syntax as specifying file permissions except the filename component is always the literal \lquote capability\rquote . For example, specifying \lquote capability:admin\rquote  as an argument to genprofile will grant
 the profile CAP_SYS_ADMIN.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 By default genprofile assumes it is creating a profile for the test binary corresponding to the current testname (shell script name minus trailing .sh or the name specified in a subsequent \lquote settest\rquote  command).   Normally this is sufficient but certain tests
 require more complex profiles. Genprofile now supports two keywords \lquote subhat\rquote  and \lquote image\rdblquote  that allow complex profiles to be built which include subhats (necessary if the parent calls changehat) and support for more than one executable (useful if the primar
y test wants to pass control to a different executable which also must be controlled by a profile).  The \lquote \emdash \lquote  separator is used to separate each portion of the argument stream.  The separator may be used multiple times on the same argument line but after ea
ch use the only token that may follow it is \lquote subhat=\rquote  or \lquote image=\rquote .}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 The following is a simple example showing the use of the \lquote subhat\rquote  keyword:}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 settest changehat_write}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 genprofile -- subhat=hat1 /tmp/file:rw -- subhat=hat2 /tmp/file2:rw}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 runchecktest "changehat (hat1 w access sub file1)" pass hat1 /tmp/file}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 runchecktest "changehat (hat1 w access sub file2)" fail hat1 /tmp/file2}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 runchecktest "changehat (hat2 w access sub file1)" pass hat2 /tmp/file}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 runchecktest "changehat (hat2 w access sub file2)" fail hat2 /tmp/file2}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 This sequence of actions generates a profile for the executable changehat_write. You will note that \lquote \emdash \lquote  is the first argument after genprofile.  This terminates the generation of files for the parent profile. This means that the only file entries for the p
arent hat will be those shared libraries and other support files automatically generated for changehat_write to begin execution (these files are determined by the function resolve_libs).}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 It also creates two subhats for the profile called \lquote hat1\rquote  and \lquote hat2\rquote . Hat1 has rw access to file\rquote /tmp/file\rquote  and hat2 has rw access to file \lquote /tmp/file2\rquote .}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 The changehat_write test attempts to change to the specified hat (passed to changehat_write as argv[1]), open, read and write to the file passed as argv[2].}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 It should be obvious from the profile and from the 4 calls to runchecktest (see below for a description of this function) that hat1 only has the necessary access to /tmp/file and hat2 only to /tmp/file2.}
\par \pard\plain \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 The following is an example showing the use of the \lquote image\rquote  keyword:}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 settest fork_child}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 genprofile $bin/fork_child2:px -- image=$bin/fork_child2 /tmp/file1:rw}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 runchecktest "subexecutable w access" fail $bin/fork_child3 /tmp/file1}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 runchecktest "subexecutable w access" pass $bin/fork_child2 /tmp/file1}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 runchecktest "subexecutable w access" fail $bin/fork_child2 /tmp/file2}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 This generates two profiles, which are loaded in one operation.  First is a profile for \lquote fork_child\rquote  (implicitly $bin/fork_child) which in addition to containing access to the necessary library/support files also has \lquote px\rquote  (meaning the profile must exist) a
ccess to fork_child2.   A profile for the executable fork_child2 is also created again with access to the necessary libraries and support files and also with rw access to /tmp/file1. In this example, the executable fork_child forks and execs the file speci
fied as its argv[1] passing to this image argv[2] as the child\rquote s argv[1].  The child attempts to open, read and write it\rquote s argv[1].  Clearly the first test fails because the profile for fork_child does not grant execute access to fork_child3.  The third te
st also fails because although fork_test2 was successfully executed, it\rquote s profile does not allow access to /tmp/file2.}
\par \pard\plain \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Executing a test is achieved by calling the \lquote runchecktest\rquote  function which will run either the executable matching the name of the shell script, or specified by settest.  The first argument is a brief description of what the executable does in this mode, wh
ich is displayed in the event of an error.  The second argument is either \ldblquote pass\rdblquote  or \ldblquote fail\rdblquote  indicating whether the test is expected to pass or fail.  The executable is expected to output \ldblquote PASS\rdblquote  for success and \ldblquote FAIL: <error message>\rdblquote  in the event of a failu
re.  If the executable outputs something other than this, the controlling shell script will interpret this as a test failure and output \ldblquote unable to run test sub executable\rdblquote  and terminate.  Remaining arguments to runchecktest are passed to the executable as 
argv[1] .. argv[n].}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 The runchecktest command executes and checks the test serially.  If a test requires to be run in the background, so that the shell may do subsequent operations, such as sending it a signal before checking it\rquote s output, this is accomplished by separately cal
ling \lquote runtestbg\rquote  and \lquote checktestbg\rquote  instead of calling \lquote runchecktest\rquote .}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Profile loading, replacing and unloading is automatically handled by the shell script (via prologue.inc).  Also, cleanup (tempfile removal and profile unloading) on exit is automatic.}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \sb240\sa60\keepn\f5\fs28\i\b\f12\fs28\i\b\f5\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af5\afs28\lang255\ai\ab\ltrch\dbch\af12\afs28\langfe255\ai\ab\loch\f5\fs28\lang1033\i\b {\loch\f5\fs28\lang1033\i\b Implementing a new test case}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 As an example, the text shell script for exec (exec.sh) is 24 lines and}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 may be used as a template for creating new simple tests (changehat.sh is}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 a good template for subprofile tests and rw.sh is a template for tests}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 requiring signal passing)}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         #! /bin/bash}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         pwd=`dirname $0`}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         pwd=`cd $pwd ; pwd`}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 bin must be set prior to including prologue.inc. This is the only requirement placed on the shell script author by prologue.inc}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         bin=$pwd}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 prologie.inc must be included before running any tests}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         . $bin/prologue.inc}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 variable definitions used by this script}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         file=/bin/true}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         okperm=ix}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         badperm=r}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         # PASS TEST}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 generate a profile allowing ix access to /bin/true}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         genprofile $file:$okperm}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 run this test (exec) passing /bin/true as argv[1]}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 check it's output, it is expected to pass}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         runchecktest "EXEC with x" pass $file}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         # NOLINK PERMTEST}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 generate a new profile allowing only r access to /bin/true}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 subdomain_parser will automatically be invoked in -r mode}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         genprofile $file:$badperm}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 run this test (exec) passing /bin/true as argv[1]}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 check it's output, it is expected to FAIL}
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0         runchecktest "EXEC no x" fail $file}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs20\lang255\ai\ltrch\dbch\af12\afs20\langfe255\ai\loch\f2\fs20\lang1033\i {\loch\f2\fs20\lang1033\i\b0 That\rquote s it. Exit status $rc is automatically returned by epilogue.inc}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 The above shows the controlling shell script but this is only \'bd of the test.  The other half is the source code for the \lquote exec\rquote  executable.  The following is the sample code:}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab #include <stdio.h>}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab #include <unistd.h>}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab #include <errno.h>}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab #include <sys/types.h>}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab #include <sys/wait.h>}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab #include <signal.h>}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab }
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab int main(int argc, char *argv[])}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \{}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab pid_t pid;}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab }
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab extern char **environ;}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab }
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab /* basic check of arguments}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab  * runchecktest will pass the image to exec as argv[1]}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab  */}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab         if (argc < 2)\{}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 fprintf(stderr, "usage: %s program [args] \\n", argv[0]);}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 return 1;}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab         \}}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab }
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab         pid=fork();}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab }
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab         if (pid)\{       /* parent */}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 int status;}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab }
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 while (wait(&status) != pid);}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab }
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab /* runchecktest requires output of}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab  * PASS}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab  * -or-}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab  * FAILED - reason}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab  */}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 if (WIFEXITED(status))\{}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                         printf("PASS\\n");}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 \}else\{}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab \tab /* most likely because child sent us a sigkill}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab \tab  * because the exec was denied by AppArmor}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab \tab  */}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                         fprintf(stderr, "FAILED, child did not exit"}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \tab \tab \tab \tab \tab "normally\\n");}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 \}}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab         \}else\{}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 /* child */}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 (void)execve(argv[1], &argv[1], environ);}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab }
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 /* exec failed, kill outselves to flag parent */}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab                 (void)kill(getpid(), SIGKILL);}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab         \}}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab         return 0;}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 {\loch\f10\fs20\lang1033\i0\b0 \tab \}}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f10\fs20\lang1033 
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af12\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 As you can see from these two examples, the test framework has certain requirements that the executable must adhere to (outputting PASS/FAIL and argument passing conventions are examples) but there is a fair degree of latitude in how to implement the test 
to achieve the goals required (for example, the decision to fork a subprocess inside the executable, other tests pass signals back and forth between the shell script and the executable).  What is important to understand is that although you may pick a diff
erent implementation strategy for different tests,  for a given test, the functionality is achieved by both the shell script and the executable and they must operate correctly together.}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \sb240\sa60\keepn\f5\fs28\i\b\f11\fs28\i\b\f5\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af5\afs28\lang255\ai\ab\ltrch\dbch\af11\afs28\langfe255\ai\ab\loch\f5\fs28\lang1033\i\b {\loch\f5\fs28\lang1033\i\b Test Coverage}
\par \pard\plain \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 1.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 capabilities }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 The capabilities test is an attempt to determine that for a variety of syscalls,  the expected capability (especially since Immunix intercepts capability processing for confined processes) and no others allows successful access.  For every syscall in the t
est, we iterate over each capability individually (plus no capabilities) in order to verify that only the expected capability grants access to the privileged operation.  The same is repeated for capabilities within hats. }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 The goal is to eventually extend this test verifying additional syscalls and also to perhaps do combinations of capabilities rather than just each individually.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 2.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 changehat }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 verifies basic file access permission checks for a parent profile and one subprofile/hat}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 3.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 changehat_fork }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 As 'changehat' but access checks for hats are verified across a fork}
\par \pard\plain \ltrpar\s2\li283\ri0\lin283\rin0\fi0\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 4.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 changehat_misc }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Variety of tests verifying entry to subprofiles and return back to parent.   AppArmor has rigid requirements around the correct use of the magic# token passed to changehat.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 5.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 chdir }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Verify change directory functions correctly for a confined process.  Subdomain should allow 'x' access on a directory without it being explicitly listed in tasks profile.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 6.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 exec }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Currently this test verifies inherit (ix) functionality.  Ensure that 'ix' is required in order to exec an executable.    Support for 'px' and 'ux' needs to be added (see Future Work)}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 7.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 exec_qual }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 See 'matrix.doc' in the SubDomain/Documentation directory.  This test currently verifies the enforce mode handling of exec between the various confinement conditions for execer and execee. }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 It needs to be extended to include the complain mode verification.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 8.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 fork }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Verifies that profiles are duplicated correctly for fork (the subtask receives a copy of it's parents profile).  The test attempts to access the files passed as arguments for both a parent and a child.    The test is repeated for permissive and restrictive
 profiles.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 9.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 link }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Link requires 'l' permission and that permissions on the src and target must match.  This test verifies matching, non-matching and missing link permissions in a profile.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 10.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 mmap }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 This test verifies that mmap based access control is also subject to the AppArmor profiles access specification.    The test needs some attention/rethought,  It is unclear what it's purpose really is. Also why does it fail when the profile is replaced with
 just read permission as no mapped write is reattempted.   Also a test should be added which causes the initial mmap write to fail (due to lack of write permission).  }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 11.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 mount }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 This test verifies that the mount syscall is indeed restricted for confined processes.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 12.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 named_pipe }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 This test verifies that subdomain file access checks function correctly for named piped (nodes in the filesystem created with mknod).  The test creates a parent/child process relationship which attempt to rendevous via the named pipe.   The tests are attem
pted for unconfined and confined processes and also for subhats.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 13.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 open }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Verify that the open syscall is correctly managed for confined profiles.  A test should be added verifying for non-confined.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 14.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 owlsm }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 AppArmor implements a portion of the OWLSM functionality related to hard and symbolic links.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Creating a hard link (as a non root user or more accurately, without CAP_FUSER) to a file owned by another user is disallowed.  Following a symbolic link in a directory with the sticky bit set is not allowed if the link is owned by a different user than th
e directory.   Note that these restrictions are for all processes, not just confined ones.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 15.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 pipe }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 This test is structured similarly to named_pipe except it uses the pipe(2) call to create a communication channel between parent and child rather than a node in the filesystem.   AppArmor does not mediate pipe io for either confined or non confined process
es. This test verifies that io functions as expected for both an unconfined process and a confined process with an empty profile.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 16.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 ptrace}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Read permission is required for a confined process to be able to be traced using ptrace.  This test verifies this.  Currently is it not functioning correctly. It stopped functioning correctly somewhere between 2.4.18 and 2.4.20.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 17.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 regex }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 This test verifies that tail globbing and regex globbing (perl regex engine) are functioning correctly for confined processes.  Single character, multi character and character class regexes are verified.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 18.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 rename }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 The rename system call changes the name of a file in the filesystem.   The test verifies that this operation (which involves AppArmor write and link permission checks) functions correctly for a confined process.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 19.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 readdir }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 AppArmor requires 'r' permission on a directory in order for a confined task to be able to read the directory contents.  This test verifies this.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 20.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 rw }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 This test verifies read/write operation.   AppArmor caches a successful open but checks (on read/write) to see if a confined processes profile has been replaced asynchronously. If it has, access is reevaluated.   The test waits for a signal at which point 
it reattempts to write, read and verify data.  The controlling script performs a profile replacement before sending the signal for the test to reattempt the io.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 21.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 swap }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Confined processes are prohibited from executing certain system calls entirely, including swapon(2) swapoff (2).  This test verifies that unconfined processes can call these syscalls but confined processes cannot.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 22.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 setattr }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Write permission is required in a confined processes profile in order to change the mode (chmod, chgrp, chown) of a file.  This test verifies these system calls for unconfined and confined processes.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 23.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 symlink }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 As the 'link' test but for symbolic rather than hard links.}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 24.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 syscall }
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 Confined processes are prohibited from executing certain system calls entirely.  This test checks a variety of such syscalls including ptrace, mknod, sysctl (write), sethostname, setdomainname, ioperm, iopl and reboot}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\sa120\f11\f13 25.}\ilvl0 \ltrpar\s2\ls4\li283\ri0\lin283\rin0\fi-283\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 unlink}
\par \pard\plain \ltrpar\s2\sa120\ql\rtlch\af13\afs24\lang255\ltrch\dbch\af11\afs24\langfe255\loch\fs24\lang1033 {\loch\f1\fs24\lang1033\i0\b0 In order to unlink a file, a confined process must have 'l' permission in it's profile for the relevant file.  This test verifies this.}
\par \pard\plain \sb240\sa60\keepn\f5\fs28\i\b\f11\fs28\i\b\f5\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af5\afs28\lang255\ai\ab\ltrch\dbch\af11\afs28\langfe255\ai\ab\loch\f5\fs28\lang1033\i\b {\loch\f5\fs28\lang1033\i\b Future work/changes}
\par \pard\plain \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\f2\f2\f2\aspalpha 1.}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls2\aspalpha\li283\ri0\lin283\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Add metadata (comments) to each test which can be used to automatically generate test coverage data (as the above section risks getting out of date quickly).}
\par \pard\plain \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\li283\ri0\lin283\rin0\fi0\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\f2\f2\f2\aspalpha 2.}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls2\aspalpha\li283\ri0\lin283\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Test cases for the following need to be added:}
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 exec (unconstrained/ux and profile/px)}
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 add fork tests (for clone, vfork etc)}
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 add read/write tests (pread/pwrite/readv/writev)}
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 complain mode verification for exec (exec_qual). The enforce portion of the matrix has been completed.}
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 netdomain (complete tcp tests.  Create udp tests including sendmsg). Lots to do.}
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 /proc/pid/attr tests.  Verify current restrictions on who can changehat, who can setprofile etc.}
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 file descriptor passing via Unix domain sockets (normal and inside hat)}
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 reorganise structure of various changehat tests. }
\par \pard\plain {\listtext\pard\plain \li1003\ri0\lin1003\rin0\fi-283\f2\f2\f2\aspalpha\f7\fs18\f7\fs18\f7\fs18 \u9679 ?}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls1\aspalpha\li1003\ri0\lin1003\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Add more globbing (perl regex) tests}
\par \pard\plain \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\li720\ri0\lin720\rin0\fi0\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\f2\f2\f2\aspalpha\f8\f8\f8 3.}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls0\aspalpha\li283\ri0\lin283\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Resolve mediation of mkdir/rmdir}
\par \pard\plain {\listtext\pard\plain \li283\ri0\lin283\rin0\fi-283\f2\f2\f2\aspalpha\f8\f8\f8 4.}\ilvl0 \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\ls0\aspalpha\li283\ri0\lin283\rin0\fi-283\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 {\loch\f2\fs24\lang1033\i0\b0 Resolve issues with ptrace failing (see README)}
\par \pard\plain \sb240\sa60\keepn\f5\fs28\i\b\f12\fs28\i\b\f5\fs28\i\b\aspalpha \ltrpar\s8\aspalpha\sb240\sa60\keepn\ql\rtlch\af5\afs28\lang255\ai\ab\ltrch\dbch\af12\afs28\langfe255\ai\ab\loch\f5\fs28\lang1033\i\b {\loch\f5\fs28\lang1033\i\b Additional Documentation}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 {\loch\f2\fs20\lang1033\i0\b0 For additional information see the file 'README' in the test suite package.}
\par \pard\plain \ltrpar\s9\ql\rtlch\af2\afs20\lang255\ltrch\dbch\af12\afs20\langfe255\loch\f2\fs20\lang1033 
\par \pard\plain \ltrpar\s1{\*\hyphen2\hyphlead2\hyphtrail2\hyphmax0}\aspalpha\ql\rtlch\af2\afs24\lang255\ltrch\dbch\af2\afs24\langfe255\loch\f2\fs24\lang1033 
\par }