- 05 Sep, 2014 1 commit
Tyler Hicks authored
Example gen_unix() inputs and outputs:

"unix:ALL" -> " unix,\n"
"unix:(create,bind,listen,accept):addr=@foo:peer=(label=bar)" -> " unix (create,bind,listen accept) addr=@foo peer=(label=bar),\n"

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
-
- 19 Jun, 2014 1 commit
Steve Beattie authored
Earlier fixes to the parser's handling of escape sequences involving '\' caused a behavioral change that profiles no longer needed to contain '\\' before an octal escape sequence. However, the regression tests were never modified to take this change into account, and thus the i18n.sh octal tests would fail. This patch fixes that. Also, with the changes, the parser no longer accepts _\_ as a valid sequence, so we skip this character.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com> (on IRC)
-
- 27 May, 2014 1 commit
Tyler Hicks authored
Allow for the regression tests to specify arbitrary profile names without hitting fatal errors or getting warnings from mkprofile.pl. This allows for a test to have a line like this:

  genprofile change_profile->':arbitrary_name -- \
             image=arbitrary_name addimage:$test

In the example above, $test can call aa_change_onexec("arbitrary_name") and then re-exec itself to test behavior across exec transitions.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
-
- 23 Apr, 2014 2 commits
John Johansen authored
Update mkprofile.pl to generate ptrace rules and update test scripts to test ptrace mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
John Johansen authored
Update mkprofile.pl to generate signal rules and update test scripts to grant signal permissions when needed.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
- 15 Apr, 2014 1 commit
Tyler Hicks authored
This test attempts to clone itself in a new mount namespace, pivot root into a new filesystem (ext2 disk image mounted over loopback), and then verify that a profile transition, if one was specified in the pivot_root rule, has properly occurred.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
-
- 27 Mar, 2014 1 commit
John Johansen authored
The mount.sh regression test script was not testing with actual AppArmor mount rules. This patch improves mkprofile.pl by adding the ability to generate mount rules and adds tests to mount.sh that verify mount mediation is working properly.

Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Fixed a couple typos and added fstype tests]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
-
- 20 Sep, 2013 1 commit
Steve Beattie authored
From: John Johansen <john.johansen@canonical.com>

let allow be used as a prefix in place of deny. Allow is the default and is implicit so it is not needed but some users keep tripping over it, and it makes the language more symmetric

eg.
  /foo rw,
  allow /foo rw,
  deny /foo rw,

Patch history:

v1:
- initial revision

v2:
- rename yacc target rule from opt_deny to opt_perm_mode to reflect that it can be either an allow or deny modifier
- break apart tests into more digestible chunks and to clarify their purpose
- fix some tests to exercise 'audit allow'
- add negative tests for 'allow' and 'deny' in the same rule
- add support for 'allow' keyword to apparmor.vim
- fix a bug in apparmor.vim to let it recognize multiple capability entries in a single line.

v3:
- add support for optional keywords on capability rules in regression tests, as well as the bare capability keyword (via 'cap:ALL')
- add allow, deny, and conflicting capability behavioral regression tests
- fix vim syntax modeline to refer to apparmor in parser tests
- adjust FILE regex in vim syntax file creator script

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
-
- 11 Apr, 2012 1 commit
John Johansen authored
This extends the auto-profile generation so that it can take profiles formatted in standard profile language augmented by a few special variables for the automatically generated rules. This will all extended the regression tests in ways that are not currently supported, because mkprofile format does not match of the profile language.

the special apparmorish variables are
  @{gen_elf name} - generate rules for elf binaries
  @{gen_bin name} - generate rules for a binary
  @{gen_def} - generate default rules
  @{gen name} - do @{gen_def} @{gen_bin name}

To generate a profile you do
  genprofile --stdin <<EOF
  /profile/name {
    @{gen /profile/name}
  }
  EOF

eg. to generate the equivalent of genprofile you would do
  genprofile --stdin <<EOF
  $test {
    @{gen $test}
  }
  EOF

and the equiv of genprofile $file:rw would be
  genprofile --stdin <<EOF
  $test {
    @{gen $test}
    $file rw,
  }
  EOF

while it takes a little more to generate a base profile than the old syntax, it uses the actual profile language (augmented with the special variables), it is a lot more flexible, and a lot easier to expand when new rule types are added.

eg. of something not possible with the current auto generation

Generate a profile with a child profile and hat and a trailing profile
  genprofile --stdin <<EOF
  $test {
    @{gen $test}
    profile $bin/open {
      @{gen $bin/open}
    }
    ^hatfoo {
      $file rw,
    }
  }
  profile $bin/exec {
    @{gen $bin/exec}
  }
  EOF

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
-
- 09 Mar, 2012 1 commit
John Johansen authored
file, was not given the correct permissions. It was only being given the owner set of permissions. This would result in rejects when trying to look at files owned by other users.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
-
- 12 Jan, 2012 5 commits
Steve Beattie authored
add 'rix' permissions on executable images (but still auto-generate ldd dependencies), for use when specifying alternate permissions on executables. Where appropriate, it also converts a few testcases to make use of the option.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
-
Steve Beattie authored
generated profile and have the ldd auto-generation of rules occur on it. It also kills all testcase usage of $dynlibs, which had stopped being generated by prologue.inc in a prior patch.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
-
Steve Beattie authored
mkprofile.pl helper and take the convoluted code out of the bash prologue.inc. It also detects if the binary is a script and performs ldd analysis on the interpreter.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
-
Steve Beattie authored
their purpose a little more accurately; renames the dump_flags to emit_flags for the same reason, and also adds a modicum of function prototype information to the function declarations.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
-
Steve Beattie authored
write access to /proc/*/attr/current to mkprofile.pl from prologue.inc.

Signed-Off-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
-
- 26 Jul, 2010 2 commits
- 11 Nov, 2009 1 commit
Kees Cook authored
-
- 23 Dec, 2007 1 commit
John Johansen authored
-
- 11 Apr, 2006 1 commit
Steve Beattie authored
development tree (trunk branch). From svn repo version 6381.
-