
From: John Johansen <john.johansen@canonical.com> let allow be used as a prefix in place of deny. Allow is the default and is implicit, so it is not needed, but some users keep tripping over it, and it makes the language more symmetric, e.g. /foo rw, allow /foo rw, deny /foo rw, Patch history: v1: - initial revision v2: - rename yacc target rule from opt_deny to opt_perm_mode to reflect that it can be either an allow or deny modifier - break apart tests into more digestible chunks and to clarify their purpose - fix some tests to exercise 'audit allow' - add negative tests for 'allow' and 'deny' in the same rule - add support for 'allow' keyword to apparmor.vim - fix a bug in apparmor.vim to let it recognize multiple capability entries in a single line. v3: - add support for optional keywords on capability rules in regression tests, as well as the bare capability keyword (via 'cap:ALL') - add allow, deny, and conflicting capability behavioral regression tests - fix vim syntax modeline to refer to apparmor in parser tests - adjust FILE regex in vim syntax file creator script Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
#
#=DESCRIPTION validate 'audit allow' with capabilities in hats.
#=EXRESULT PASS
# vim:syntax=apparmor
# Last Modified: Sun Apr 17 19:44:44 2005
#
/does/not/exist2 {
^chown {
audit allow capability chown,
}
^dac_override {
audit allow capability dac_override,
}
^dac_read_search {
audit allow capability dac_read_search,
}
^fowner {
audit allow capability fowner,
}
^fsetid {
audit allow capability fsetid,
}
^kill {
audit allow capability kill,
}
^setgid {
audit allow capability setgid,
}
^setuid {
audit allow capability setuid,
}
^setpcap {
audit allow capability setpcap,
}
^linux_immutable {
audit allow capability linux_immutable,
}
^net_bind_service {
audit allow capability net_bind_service,
}
^net_broadcast {
audit allow capability net_broadcast,
}
^net_admin {
audit allow capability net_admin,
}
^net_raw {
audit allow capability net_raw,
}
^ipc_lock {
audit allow capability ipc_lock,
}
^ipc_owner {
audit allow capability ipc_owner,
}
^sys_module {
audit allow capability sys_module,
}
^sys_rawio {
audit allow capability sys_rawio,
}
^sys_chroot {
audit allow capability sys_chroot,
}
^sys_ptrace {
audit allow capability sys_ptrace,
}
^sys_pacct {
audit allow capability sys_pacct,
}
^sys_admin {
audit allow capability sys_admin,
}
^sys_boot {
audit allow capability sys_boot,
}
^sys_nice {
audit allow capability sys_nice,
}
^sys_resource {
audit allow capability sys_resource,
}
^sys_time {
audit allow capability sys_time,
}
^sys_tty_config {
audit allow capability sys_tty_config,
}
^mknod {
audit allow capability mknod,
}
^lease {
audit allow capability lease,
}
^audit_write {
audit allow capability audit_write,
}
^audit_control {
audit allow capability audit_control,
}
}