[apparmor] [PATCH 0/2] Test the compilation of audit and deny modifiers

Tyler Hicks tyhicks at canonical.com
Fri Mar 13 21:15:07 UTC 2015


On 2015-03-13 15:47:59, Tyler Hicks wrote:
> After seeing the bug[1] about the audit modifier not having an effect on exec
> rules, I decided to write up a quick set of tests to test other rule types.
> 
> It turned out to be worthwhile because it uncovered a similar bug[2] in a
> certain type of pivot_root rule.
> 
> Tyler
> 
> [1] https://launchpad.net/bugs/1431717
> [2] https://launchpad.net/bugs/1432045

Here's the new output of the equality.sh script with the two patches in
this series applied:

$ ./equality.sh
Binary equality dbus send ok
Binary equality dbus receive ok
Binary equality dbus send + receive ok
Binary equality dbus all accesses ok
Binary equality dbus implied accesses with a bus conditional ok
Binary equality dbus implied accesses for services ok
Binary equality dbus implied accesses for messages ok
Binary equality dbus implied accesses for messages with peer names ok
Binary equality dbus implied accesses for messages with peer labels ok
Binary equality dbus element parsing ok
Binary equality dbus access parsing ok
Binary equality dbus variable expansion ok
Binary equality dbus variable expansion, multiple values/rules ok
Binary equality dbus variable expansion, ensure rule de-duping occurs ok
Binary equality dbus minimization with all perms ok
Binary equality dbus minimization with bind ok
Binary equality dbus minimization with send and a bus conditional ok
Binary equality dbus minimization with an audit modifier ok
Binary equality dbus minimization with a deny modifier ok
Binary equality dbus minimization found in dbus abstractions ok
Binary inequality audit, deny, and audit deny modifiers for "capability" ok
Binary inequality audit, deny, and audit deny modifiers for "capability mac_admin" ok
Binary inequality audit, deny, and audit deny modifiers for "network" ok
Binary inequality audit, deny, and audit deny modifiers for "network tcp" ok
Binary inequality audit, deny, and audit deny modifiers for "network inet6 tcp" ok
Binary inequality audit, deny, and audit deny modifiers for "mount" ok
Binary inequality audit, deny, and audit deny modifiers for "mount /a" ok
Binary inequality audit, deny, and audit deny modifiers for "mount /a -> /b" ok
Binary inequality audit, deny, and audit deny modifiers for "mount options in (ro) /a -> b" ok
Binary inequality audit, deny, and audit deny modifiers for "remount" ok
Binary inequality audit, deny, and audit deny modifiers for "remount /a" ok
Binary inequality audit, deny, and audit deny modifiers for "umount" ok
Binary inequality audit, deny, and audit deny modifiers for "umount /a" ok
Binary inequality audit, deny, and audit deny modifiers for "pivot_root" ok
Binary inequality audit, deny, and audit deny modifiers for "pivot_root /a" ok
Binary inequality audit, deny, and audit deny modifiers for "pivot_root oldroot=/" ok
Binary inequality audit, deny, and audit deny modifiers for "pivot_root oldroot=/ /a"
FAIL: Hash values match
known-good (422b222b6608dff7aca3420062aad3db) == profile-under-test (422b222b6608dff7aca3420062aad3db) for the following profile:
/t { audit pivot_root oldroot=/ /a, }

Binary inequality audit, deny, and audit deny modifiers for "pivot_root oldroot=/ /a -> foo"
FAIL: Hash values match
known-good (6383026319d787039d36ff7ffe4e3f6d) == profile-under-test (6383026319d787039d36ff7ffe4e3f6d) for the following profile:
/t { audit pivot_root oldroot=/ /a -> foo, }

Binary inequality audit, deny, and audit deny modifiers for "ptrace" ok
Binary inequality audit, deny, and audit deny modifiers for "ptrace trace" ok
Binary inequality audit, deny, and audit deny modifiers for "ptrace (readby,tracedby) peer=unconfined" ok
Binary inequality audit, deny, and audit deny modifiers for "signal" ok
Binary inequality audit, deny, and audit deny modifiers for "signal (send,receive)" ok
Binary inequality audit, deny, and audit deny modifiers for "signal peer=unconfined" ok
Binary inequality audit, deny, and audit deny modifiers for "signal receive set=(kill)" ok
Binary inequality audit, deny, and audit deny modifiers for "dbus" ok
Binary inequality audit, deny, and audit deny modifiers for "dbus send" ok
Binary inequality audit, deny, and audit deny modifiers for "dbus bus=system" ok
Binary inequality audit, deny, and audit deny modifiers for "dbus bind name=foo" ok
Binary inequality audit, deny, and audit deny modifiers for "dbus peer=(label=foo)" ok
Binary inequality audit, deny, and audit deny modifiers for "dbus eavesdrop" ok
Binary inequality audit, deny, and audit deny modifiers for "unix" ok
Binary inequality audit, deny, and audit deny modifiers for "unix (create, listen, accept)" ok
Binary inequality audit, deny, and audit deny modifiers for "unix addr=@*" ok
Binary inequality audit, deny, and audit deny modifiers for "unix addr=none" ok
Binary inequality audit, deny, and audit deny modifiers for "unix peer=(label=foo)" ok
Binary inequality audit, deny, and audit deny modifiers for "/f r" ok
Binary inequality audit, deny, and audit deny modifiers for "/f w" ok
Binary inequality audit, deny, and audit deny modifiers for "/f rwmlk" ok
Binary inequality audit, deny, and audit deny modifiers for "/** r" ok
Binary inequality audit, deny, and audit deny modifiers for "/**/ w" ok
Binary inequality audit, deny, and audit deny modifiers for "file /f r" ok
Binary inequality audit, deny, and audit deny modifiers for "file /f w" ok
Binary inequality audit, deny, and audit deny modifiers for "file /f rwmlk" ok
Binary inequality deny, audit deny modifier for "/f ux"
FAIL: Hash values match
known-good (9396a69f971e4ef586f3d3da7f6dd0a6) == profile-under-test (9396a69f971e4ef586f3d3da7f6dd0a6) for the following profile:
/t { audit /f ux, }

Binary inequality deny, audit deny modifier for "/f Ux"
FAIL: Hash values match
known-good (5c34761b1d519dcb569569f3e228b2b9) == profile-under-test (5c34761b1d519dcb569569f3e228b2b9) for the following profile:
/t { audit /f Ux, }

Binary inequality deny, audit deny modifier for "/f px"
FAIL: Hash values match
known-good (8f61d68abbebfe8096fe9fe5bd4b8c1c) == profile-under-test (8f61d68abbebfe8096fe9fe5bd4b8c1c) for the following profile:
/t { audit /f px, }

Binary inequality deny, audit deny modifier for "/f Px"
FAIL: Hash values match
known-good (f6126c7364d17c89f0febca6d01e1e6e) == profile-under-test (f6126c7364d17c89f0febca6d01e1e6e) for the following profile:
/t { audit /f Px, }

Binary inequality deny, audit deny modifier for "/f ix"
FAIL: Hash values match
known-good (e66d0f388a8bf756182994c856cae022) == profile-under-test (e66d0f388a8bf756182994c856cae022) for the following profile:
/t { audit /f ix, }

Binary inequality deny, audit deny modifier for "file /f ux"
FAIL: Hash values match
known-good (9396a69f971e4ef586f3d3da7f6dd0a6) == profile-under-test (9396a69f971e4ef586f3d3da7f6dd0a6) for the following profile:
/t { audit file /f ux, }

Binary inequality deny, audit deny modifier for "file /f UX"
FAIL: Hash values match
known-good (5c34761b1d519dcb569569f3e228b2b9) == profile-under-test (5c34761b1d519dcb569569f3e228b2b9) for the following profile:
/t { audit file /f UX, }

Binary inequality deny, audit deny modifier for "file /f px"
FAIL: Hash values match
known-good (8f61d68abbebfe8096fe9fe5bd4b8c1c) == profile-under-test (8f61d68abbebfe8096fe9fe5bd4b8c1c) for the following profile:
/t { audit file /f px, }

Binary inequality deny, audit deny modifier for "file /f Px"
FAIL: Hash values match
known-good (f6126c7364d17c89f0febca6d01e1e6e) == profile-under-test (f6126c7364d17c89f0febca6d01e1e6e) for the following profile:
/t { audit file /f Px, }

Binary inequality deny, audit deny modifier for "file /f ix"
FAIL: Hash values match
known-good (e66d0f388a8bf756182994c856cae022) == profile-under-test (e66d0f388a8bf756182994c856cae022) for the following profile:
/t { audit file /f ix, }

ERRORS: 0
FAILS: 12