
This value is True if we are in a child profile (not: hat), but that's information we get "for free", so there's no need to hand it around. Besides that, it was wrongly set to False for main profiles (which are not hats). Remove the pps_set_profile return value from parse_profile_start(), and always assume True unless we were parsing a hat. For completeness, explicitly set it to False when parsing a hat. To make sure child profiles and hats don't get mixed up, add a child profile to cleanprof_test.{in,out}. test-libapparmor-test_multi.py always interpreted foo//bar as being a hat, therefore explicitly mark them as such. (Technically not really needed since this is the default, but it helps to make things clear.)
# A simple test comment which will persist
|
|
#include <tunables/global>
|
|
|
|
#include if exists <tunables/nothing>
|
|
|
|
#include if exists <tunables/global>
|
|
include if exists <tunables/global>
|
|
|
|
alias /foo -> /bar ,
|
|
|
|
@{xy} = y x
|
|
|
|
abi <abi/4.19> ,
|
|
|
|
@{asdf} = foo ""
|
|
|
|
$foo = false
|
|
|
|
$bar = true
|
|
|
|
/usr/bin/a/simple/cleanprof/test/profile {
|
|
# Just for the heck of it, this comment won't see the day of light
|
|
#include <abstractions/base>
|
|
|
|
#include if exists <foo>
|
|
#include if exists <abstractions/base>
|
|
include <abstractions/base>
|
|
|
|
capability sys_admin,
|
|
audit capability,
|
|
|
|
change_profile -> /bin/foo,
|
|
change_profile,
|
|
|
|
network inet stream,
|
|
abi "abi/4.20" ,
|
|
network stream,
|
|
|
|
#Below rule comes from abstractions/base
|
|
allow /usr/share/X11/locale/** r,
|
|
allow /home/*/** r,
|
|
|
|
ptrace tracedby peer=/bin/strace,
|
|
ptrace tracedby,
|
|
unix (receive) type=dgram,
|
|
|
|
dbus send bus=session,
|
|
dbus send bus=session peer=(label=foo),
|
|
|
|
profile test_child /foobar {
|
|
/etc/child rw,
|
|
}
|
|
|
|
set rlimit nofile <= 256,
|
|
set rlimit nofile <= 64,
|
|
|
|
signal set=(hup int quit ill trap abrt)
|
|
set=(bus,fpe,,,kill,usr1)
|
|
set=segv set=usr2 set=pipe set=alrm set=term set=stkflt set=chld,
|
|
signal set=(hup int quit),
|
|
|
|
^foo {
|
|
/etc/fstab r,
|
|
capability dac_override,
|
|
}
|
|
|
|
^foo, # hat declarations are obsolete and will be removed when aa-cleanprof or aa-logprof writes the profile
|
|
|
|
mount options=(rw,suid) /c -> /3,
|
|
|
|
pivot_root oldroot=/mnt/root/old/,
|
|
|
|
deny owner link /some/thing -> /foo/bar ,
|
|
unix shutdown addr=@HypotheticalServiceDaemon,
|
|
|
|
link subset /alpha/beta -> /tmp/**,
|
|
|
|
allow /home/foo/bar r,
|
|
allow /home/foo/** w,
|
|
}
|
|
|
|
/usr/bin/other/cleanprof/test/profile {
|
|
# This one shouldn't be affected by the processing
|
|
# However this comment will be wiped, need to change that
|
|
allow /home/*/** rw,
|
|
allow /home/foo/bar r,
|
|
}
|
|
|
|
/what/ever/xattr xattrs=( foo=bar )
|
|
flags=( complain
|
|
) {
|
|
/what/ever r,
|
|
}
|
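Review bot: The new child profile `profile test_child /foobar {` carries only `/etc/child rw,`, so the fixture exercises the child-vs-hat distinction solely at the level of the main profile, where the `^foo {` hat and `^foo,` declaration already live; the case the description singles out — the flag being forced to False when a hat is parsed — is never hit beneath a child profile. Consider nesting a hat inside the child, e.g. `^child_hat { /etc/child_hat r, }`, with the matching expected output added to cleanprof_test.out, so that a regression that treats a nested hat as a child profile (or vice versa) would show up in the cleaned result. This is a test-coverage observation inferred from the fixture alone; the parser change itself is not visible on this page.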