1. 05 Sep, 2014 1 commit
  2. 19 Jun, 2014 1 commit
    • Steve Beattie's avatar
      regression tests: adjust for parser escape fixes · 7c14d01d
      Steve Beattie authored
      Earlier fixes to the parser's handling of escape sequences involving '\'
      caused a behavioral change that profiles no longer needed to contain
      '\\' before an octal escape sequence. However, the regression tests were
      never modified to take this change into account, and thus the i18n.sh
      octal tests would fail. This patch fixes that.
      
      Also, with the changes, the parser no longer accepts _\_ as a valid
      sequence, so we skip this character.
      Signed-off-by: Steve Beattie's avatarSteve Beattie <steve@nxnw.org>
      Acked-by: John Johansen <john.johansen@canonical.com> (on IRC)
      7c14d01d
  3. 27 May, 2014 1 commit
  4. 23 Apr, 2014 2 commits
  5. 15 Apr, 2014 1 commit
    • Tyler Hicks's avatar
      tests: Add pivot_root tests · 1f01ade1
      Tyler Hicks authored
      This test attempts to clone itself in a new mount namespace, pivot root
      into a new filesystem (ext2 disk image mounted over loopback), and then
      verify that a profile transition, if one was specified in the pivot_root
      rule, has properly occurred.
      Signed-off-by: Tyler Hicks's avatarTyler Hicks <tyhicks@canonical.com>
      1f01ade1
  6. 27 Mar, 2014 1 commit
  7. 20 Sep, 2013 1 commit
    • Steve Beattie's avatar
      add optional allow prefix to the language · 17f0565a
      Steve Beattie authored
      From: John Johansen <john.johansen@canonical.com>
      
      let allow be used as a prefix in place of deny.  Allow is the default
      and is implicit so it is not needed but some user keep tripping over
      it, and it makes the language more symmetric
      
         eg.
            /foo rw,
            allow /foo rw,
            deny /foo rw,
      
      Patch history:
        v1: - initial revision
      
        v2: - rename yacc target rule from opt_deny to opt_perm_mode to
      reflect
              that it can be either an allow or deny modifier
            - break apart tests into more digestible chunks and to clarify
              their purpose
            - fix some tests to exercise 'audit allow'
            - add negative tests for 'allow' and 'deny' in the same rule
            - add support for 'allow' keyword to apparmor.vim
            - fix a bug in apparmor.vim to let it recognize multiple
              capability entries in a single line.
      
        v3: - add support for optional keywords on capability rules in
              regression tests, as well as the bare capability keyword (via
              'cap:ALL')
            - add allow, deny, and conflicting capability behavioral
              regression tests
            - fix vim syntax modeline to refer to apparmor in parser tests
            - adjust FILE regex in vim syntax file creator script
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: Steve Beattie's avatarSteve Beattie <steve@nxnw.org>
      Acked-by: default avatarSeth Arnold <seth.arnold@canonical.com>
      17f0565a
  8. 11 Apr, 2012 1 commit
    • John Johansen's avatar
      expand automated profile generation to to allow profile generation from stdin · 562eb639
      John Johansen authored
      This extends the auto-profile generation so that it can take profiles formated
      in standard profile language augemented by a few special variables for
      the automatically generated rules.  This will all extended the regression
      tests in ways that are not currently supported, because mkprofile format
      does not match of the profile language.
      
      the special apparmorish variables are
      @{gen_elf name} - generate rules for elf binaries
      @{gen_bin name} - generate rules for a binary
      @{gen_def} - generate default rules
      @{gen name} - do @{gen_def} @{gen_bin name}
      
      To generate a profile you do
      
      genprofile --stdin <<EOF
      /profile/name {
      @{gen /profile/name}
      }
      EOF
      
      eg. to generate the equivalent of
        genprofile
      you would do
        genprofile --stdin <<EOF
        $test {
        @{gen $test}
        }
      EOF
      
      and the equiv of
        genprofile $file:rw
      would be
        genprofile --stdin <<EOF
        $test {
        @{gen $test}
        $file rw,
        }
      
      
      while it takes a little more to generate a base profile than the old syntax, it
      use the actual profile language (augmented with the special variables), it is a
      lot more flexible, and a lot easier to expand when new rule types are added.
      
      eg. of something not possible with the current auto generation
          Generate a profile with a child profile and hat and a trailing profile
      
      genprofile --stdin <<EOF
      $test {
      @{gen $test}
      
        profile $bin/open {
      @{gen $bin/open}
        }
      
        ^hatfoo {
           $file rw,
        }
      }
      profile $bin/exec {
      @{gen $bin/exec}
      }
      EOF
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Acked-By: default avatarSteve Beattie <sbeattie@ubuntu.com>
      562eb639
  9. 09 Mar, 2012 1 commit
  10. 12 Jan, 2012 5 commits
  11. 26 Jul, 2010 2 commits
  12. 11 Nov, 2009 1 commit
  13. 23 Dec, 2007 1 commit
  14. 11 Apr, 2006 1 commit