
2.13: Add basic support for abi rules to the tools Add basic "understand and keep" support for abi rules, where "understand" means to not error out when seeing an abi rule, and "keep" simply means to keep the original abi rule when serializing a profile. In the long term, abi rules should be parsed (similar to include rules), but for now this patch is the smallest possible changeset and easy to backport. Note that the only added test is via cleanprof_test.*, which is used by minitools_test.py and does not run if you do a 'make check'. Oh, and of course the simple_tests/abi/ files also get parsed by test-parser-simple-tests.py. BTW: Even serialize_profile_from_old_profile() can handle abi rules :-) This is a backport of 072d3e04
/ !202 (merged) to 2.13 (with some adjustments because that commit didn't apply cleanly). I propose this patch for 2.10..2.13 PR: https://gitlab.com/apparmor/apparmor/merge_requests/216 Acked-by: John Johansen <john.johansen@canonical.com> (cherry picked from commit ab91f7bfa3
)420aea62
Add basic support for abi rules to the tools
# A simple test comment which will persist
#include <tunables/global>
alias /foo -> /bar ,
abi <abi/4.19> ,
/usr/bin/a/simple/cleanprof/test/profile {
# Just for the heck of it, this comment wont see the day of light
#include <abstractions/base>
capability sys_admin,
audit capability,
change_profile -> /bin/foo,
change_profile,
network inet stream,
abi "abi/4.20" ,
network stream,
#Below rule comes from abstractions/base
allow /usr/share/X11/locale/** r,
allow /home/*/** r,
ptrace tracedby peer=/bin/strace,
ptrace tracedby,
unix (receive) type=dgram,
dbus send bus=session,
dbus send bus=session peer=(label=foo),
set rlimit nofile <= 256,
set rlimit nofile <= 64,
signal set=(hup int quit ill trap abrt)
set=(bus,fpe,,,kill,usr1)
set=segv set=usr2 set=pipe set=alrm set=term set=stkflt set=chld,
signal set=(hup int quit),
^foo {
/etc/fstab r,
capability dac_override,
}
^foo, # hat declarations are obsolete and will be removed when aa-cleanprof or aa-logprof writes the profile
link subset /alpha/beta -> /tmp/**,
allow /home/foo/bar r,
allow /home/foo/** w,
}
/usr/bin/other/cleanprof/test/profile {
# This one shouldn't be affected by the processing
# However this comment will be wiped, need to change that
allow /home/*/** rw,
allow /home/foo/bar r,
}
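Review bot: The fixture carries two abi rules with different versions — `abi <abi/4.19> ,` at file scope and `abi "abi/4.20" ,` inside the first profile — but nothing in the file states that both are intentional or what the tools are expected to do with them. Because this change only keeps abi rules verbatim rather than parsing them, a mismatched or misspelled abi name would round-trip silently through aa-cleanprof; if that is the intended limitation for now, it is worth recording in the persistent header comment, e.g. `# abi rules are kept verbatim by the tools, not parsed or validated`, with the matching expected-output fixture updated to carry the same line. Whether a profile-scope abi rule is meant to override the file-scope one is not visible from this file, so the test should at least document which form the tools must preserve on output.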