mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 16:35:02 +01:00
17f0565afc
From: John Johansen <john.johansen@canonical.com>
let allow be used as a prefix in place of deny. Allow is the default
and is implicit so it is not needed but some user keep tripping over
it, and it makes the language more symmetric
eg.
/foo rw,
allow /foo rw,
deny /foo rw,
Patch history:
v1: - initial revision
v2: - rename yacc target rule from opt_deny to opt_perm_mode to
reflect
that it can be either an allow or deny modifier
- break apart tests into more digestible chunks and to clarify
their purpose
- fix some tests to exercise 'audit allow'
- add negative tests for 'allow' and 'deny' in the same rule
- add support for 'allow' keyword to apparmor.vim
- fix a bug in apparmor.vim to let it recognize multiple
capability entries in a single line.
v3: - add support for optional keywords on capability rules in
regression tests, as well as the bare capability keyword (via
'cap:ALL')
- add allow, deny, and conflicting capability behavioral
regression tests
- fix vim syntax modeline to refer to apparmor in parser tests
- adjust FILE regex in vim syntax file creator script
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
101 lines
1.7 KiB
Text
101 lines
1.7 KiB
Text
#
|
|
#=DESCRIPTION validate uses of allow/capabilities in hats
|
|
#=EXRESULT PASS
|
|
# vim:syntax=apparmor
|
|
# Last Modified: Sun Apr 17 19:44:44 2005
|
|
#
|
|
/does/not/exist2 {
|
|
^chown {
|
|
allow capability chown,
|
|
}
|
|
^dac_override {
|
|
allow capability dac_override,
|
|
}
|
|
^dac_read_search {
|
|
allow capability dac_read_search,
|
|
}
|
|
^fowner {
|
|
allow capability fowner,
|
|
}
|
|
^fsetid {
|
|
allow capability fsetid,
|
|
}
|
|
^kill {
|
|
allow capability kill,
|
|
}
|
|
^setgid {
|
|
allow capability setgid,
|
|
}
|
|
^setuid {
|
|
allow capability setuid,
|
|
}
|
|
^setpcap {
|
|
allow capability setpcap,
|
|
}
|
|
^linux_immutable {
|
|
allow capability linux_immutable,
|
|
}
|
|
^net_bind_service {
|
|
allow capability net_bind_service,
|
|
}
|
|
^net_broadcast {
|
|
allow capability net_broadcast,
|
|
}
|
|
^net_admin {
|
|
allow capability net_admin,
|
|
}
|
|
^net_raw {
|
|
allow capability net_raw,
|
|
}
|
|
^ipc_lock {
|
|
allow capability ipc_lock,
|
|
}
|
|
^ipc_owner {
|
|
allow capability ipc_owner,
|
|
}
|
|
^sys_module {
|
|
allow capability sys_module,
|
|
}
|
|
^sys_rawio {
|
|
allow capability sys_rawio,
|
|
}
|
|
^sys_chroot {
|
|
allow capability sys_chroot,
|
|
}
|
|
^sys_ptrace {
|
|
allow capability sys_ptrace,
|
|
}
|
|
^sys_pacct {
|
|
allow capability sys_pacct,
|
|
}
|
|
^sys_admin {
|
|
allow capability sys_admin,
|
|
}
|
|
^sys_boot {
|
|
allow capability sys_boot,
|
|
}
|
|
^sys_nice {
|
|
allow capability sys_nice,
|
|
}
|
|
^sys_resource {
|
|
allow capability sys_resource,
|
|
}
|
|
^sys_time {
|
|
allow capability sys_time,
|
|
}
|
|
^sys_tty_config {
|
|
allow capability sys_tty_config,
|
|
}
|
|
^mknod {
|
|
allow capability mknod,
|
|
}
|
|
^lease {
|
|
allow capability lease,
|
|
}
|
|
^audit_write {
|
|
allow capability audit_write,
|
|
}
|
|
^audit_control {
|
|
allow capability audit_control,
|
|
}
|
|
}
|