[apparmor] [patch] parser: tests: exercise local and peer addr perms
Steve Beattie
steve at nxnw.org
Thu Sep 18 23:53:47 UTC 2014
On Thu, Sep 18, 2014 at 10:15:26AM -0500, Tyler Hicks wrote:
> This patch updates the parser code to reject rules that contain local
> socket permissions and peer conditional elements. The error message for
> that condition is also corrected to resolve a copy and paste mistake
> from the D-Bus rule parsing code.
>
> The patch also updates the man page to correctly describe the two sets
> of socket permissions and fixes an example rule that resulted in a
> parser error after the change described above.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Steve Beattie <steve at nxnw.org>
Some test cases to go along with that patch (bind was already covered).
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
parser/tst/simple_tests/unix/bad_attr_1.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_attr_2.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_attr_3.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_attr_4.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_create_1.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_create_2.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_listen_1.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_listen_2.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_opt_1.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_opt_2.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_opt_3.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_opt_4.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_shutdown_1.sd | 7 +++++++
parser/tst/simple_tests/unix/bad_shutdown_2.sd | 7 +++++++
parser/tst/simple_tests/unix/ok_attr_5.sd | 7 +++++++
parser/tst/simple_tests/unix/ok_attr_6.sd | 7 +++++++
parser/tst/simple_tests/unix/ok_create_3.sd | 7 +++++++
parser/tst/simple_tests/unix/ok_listen_3.sd | 7 +++++++
parser/tst/simple_tests/unix/ok_opt_5.sd | 7 +++++++
parser/tst/simple_tests/unix/ok_opt_6.sd | 7 +++++++
parser/tst/simple_tests/unix/ok_shutdown_3.sd | 7 +++++++
21 files changed, 147 insertions(+)
Index: b/parser/tst/simple_tests/unix/bad_attr_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_attr_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix getattr w/peer modifier
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix getattr peer=(addr=none),
+}
Index: b/parser/tst/simple_tests/unix/bad_attr_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_attr_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix getattr acceptance test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix (getattr) peer=(label=unconfined),
+}
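Review bot: the `#=DESCRIPTION` in this hunk ("simple unix getattr acceptance test") reads like a positive case while `#=EXRESULT FAIL` expects the parser to reject it; the sibling bad_attr_1.sd says "w/peer modifier". Name it for what it exercises, e.g. `#=DESCRIPTION simple unix getattr w/peer label test`, so a failing run is self-explanatory from the header alone.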
Index: b/parser/tst/simple_tests/unix/ok_attr_5.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/ok_attr_5.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix getattr w/addr acceptance test
+#=EXRESULT PASS
+
+profile a_profile {
+ unix getattr addr=none,
+}
Index: b/parser/tst/simple_tests/unix/ok_attr_6.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/ok_attr_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix setattr w/addr acceptance test
+#=EXRESULT PASS
+
+profile a_profile {
+ unix setattr addr=none,
+}
Index: b/parser/tst/simple_tests/unix/bad_create_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_create_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix create w/peer acceptance test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix create peer=(label=/usr/sbin/apache2),
+}
Index: b/parser/tst/simple_tests/unix/bad_create_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_create_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix create acceptance test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix (create) peer=(addr=@somesuch),
+}
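Review bot: same description mismatch as bad_attr_2.sd: "simple unix create acceptance test" with `#=EXRESULT FAIL`. Since this case pairs `create` with `peer=(addr=@somesuch)`, `#=DESCRIPTION simple unix create w/peer addr test` would match the naming used by bad_create_1.sd ("w/peer") and make the expected rejection obvious.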
Index: b/parser/tst/simple_tests/unix/bad_shutdown_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_shutdown_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix shutdown w/peer test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix shutdown peer=(addr=none),
+}
Index: b/parser/tst/simple_tests/unix/bad_shutdown_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_shutdown_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix shutdown acceptance test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix (shutdown) peer=(label=@{profile_name}),
+}
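Review bot: "simple unix shutdown acceptance test" with `#=EXRESULT FAIL` is the third header in this series that describes a rejection test as an acceptance test; suggest `#=DESCRIPTION simple unix shutdown w/peer label test` to line up with bad_shutdown_1.sd ("w/peer test") and the getopt/setopt cases, which already spell out "w/peer addr" and "w/peer label".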
Index: b/parser/tst/simple_tests/unix/ok_shutdown_3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/ok_shutdown_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix shutdown w/addr acceptance test
+#=EXRESULT PASS
+
+profile a_profile {
+ unix shutdown addr=@HypotheticalServiceDaemon,
+}
Index: b/parser/tst/simple_tests/unix/ok_create_3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/ok_create_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix create w/addr acceptance test
+#=EXRESULT PASS
+
+profile a_profile {
+ unix create addr=none,
+}
Index: b/parser/tst/simple_tests/unix/ok_listen_3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/ok_listen_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix listen w/addr acceptance test
+#=EXRESULT PASS
+
+profile a_profile {
+ unix listen addr=@foo**,
+}
Index: b/parser/tst/simple_tests/unix/bad_listen_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_listen_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix listen w/peer test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix listen peer=(label=you_cannot_label_me),
+}
Index: b/parser/tst/simple_tests/unix/bad_listen_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_listen_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix listen w/peer test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix (listen) peer=(addr=@unknown),
+}
Index: b/parser/tst/simple_tests/unix/bad_attr_3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_attr_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix setattr w/peer test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix setattr peer=(label=orange),
+}
Index: b/parser/tst/simple_tests/unix/bad_attr_4.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_attr_4.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix setattr w/peer addr test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix (setattr) peer=(addr=@spork),
+}
Index: b/parser/tst/simple_tests/unix/bad_opt_1.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_opt_1.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix getopt w/peer addr test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix getopt peer=(addr=none),
+}
Index: b/parser/tst/simple_tests/unix/bad_opt_2.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_opt_2.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix getopt w/peer label test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix (getopt) peer=(label=strongbad),
+}
Index: b/parser/tst/simple_tests/unix/bad_opt_3.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_opt_3.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix setopt w/peer addr test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix setopt peer=(addr=@/dbus-vfs-daemon/socket-*),
+}
Index: b/parser/tst/simple_tests/unix/bad_opt_4.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/bad_opt_4.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix setopt w/peer label test
+#=EXRESULT FAIL
+
+profile a_profile {
+ unix (setopt) peer=(label=unconfined),
+}
Index: b/parser/tst/simple_tests/unix/ok_opt_5.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/ok_opt_5.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix getopt w/addr acceptance test
+#=EXRESULT PASS
+
+profile a_profile {
+ unix getopt addr=@private/defer,
+}
Index: b/parser/tst/simple_tests/unix/ok_opt_6.sd
===================================================================
--- /dev/null
+++ b/parser/tst/simple_tests/unix/ok_opt_6.sd
@@ -0,0 +1,7 @@
+#
+#=DESCRIPTION simple unix setopt w/addr acceptance test
+#=EXRESULT PASS
+
+profile a_profile {
+ unix setopt addr=none,
+}
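Review bot: coverage gap across the set. Each local-only permission (getattr, setattr, create, shutdown, listen, getopt, setopt) now gets one `peer=(label=...)` FAIL case, one `peer=(addr=...)` FAIL case and one bare `addr=` PASS case, but nothing exercises a rule that mixes a local permission with a peer-capable one, e.g. `unix (getattr send) peer=(label=unconfined),`. The quoted commit message says any rule containing a local permission together with a peer conditional is rejected, so a `bad_*` case with a mixed permission list would pin that down; likewise a case combining a local `addr=` with a `peer=(...)` conditional on the same rule would document which of the two the error is attributed to.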
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/