On Tue, Feb 14, 2012 at 09:32:29AM -0800, John Johansen wrote: > Allow the capability rule to be bare to represent all capabilities similar > to how network, and other rule types work. > > capability, > > Signed-off-by: John Johansen <[email protected]> > --- > parser/parser_yacc.y | 18 +++++++----------- > parser/tst/simple_tests/capability/bad_3.sd | 9 +++++++++ > parser/tst/simple_tests/capability/bad_4.sd | 9 +++++++++ > parser/tst/simple_tests/capability/ok3.sd | 9 +++++++++ > 4 files changed, 34 insertions(+), 11 deletions(-) > create mode 100644 parser/tst/simple_tests/capability/bad_3.sd > create mode 100644 parser/tst/simple_tests/capability/bad_4.sd > create mode 100644 parser/tst/simple_tests/capability/ok3.sd > > diff --git a/parser/parser_yacc.y b/parser/parser_yacc.y > index 2a4fa5d..fff7e23 100644 > --- a/parser/parser_yacc.y > +++ b/parser/parser_yacc.y > @@ -1057,10 +1057,15 @@ set_caps: TOK_SET TOK_CAPABILITY caps > TOK_END_OF_RULE > > capability: TOK_CAPABILITY caps TOK_END_OF_RULE > { > - $$ = $2; > + if ($2 == 0) { > + /* bare capability keyword - set all caps */ > + $$ = 0xffffffffffffffff;
Should this be something more dynamic, using _LINUX_CAPABILITY_U32S_3 or something similar to detect size, or is it sufficient to assume unsigned long now? If it's safe, then: Acked-by: Kees Cook <[email protected]> :) > + } else > + $$ = $2; > }; > > -caps: caps TOK_ID > +caps: { /* nothing */ $$ = 0; } > + | caps TOK_ID > { > int cap = name_to_capability($2); > if (cap == -1) > @@ -1069,15 +1074,6 @@ caps: caps TOK_ID > $$ = $1 | CAP_TO_MASK(cap); > } > > -caps: TOK_ID > - { > - int cap = name_to_capability($1); > - if (cap == -1) > - yyerror(_("Invalid capability %s."), $1); > - free($1); > - $$ = CAP_TO_MASK(cap); > - }; > - > %% > #define MAXBUFSIZE 4096 > > diff --git a/parser/tst/simple_tests/capability/bad_3.sd > b/parser/tst/simple_tests/capability/bad_3.sd > new file mode 100644 > index 0000000..00e4f4b > --- /dev/null > +++ b/parser/tst/simple_tests/capability/bad_3.sd > @@ -0,0 +1,9 @@ > +# > +#=DESCRIPTION fail CAP_XXX syntax. > +#=EXRESULT FAIL > +# vim:syntax=subdomain > +# Last Modified: Sun Apr 17 19:44:44 2005 > +# > +/does/not/exist { > + capability chown CAP_CHOWN, > +} > diff --git a/parser/tst/simple_tests/capability/bad_4.sd > b/parser/tst/simple_tests/capability/bad_4.sd > new file mode 100644 > index 0000000..502c74a > --- /dev/null > +++ b/parser/tst/simple_tests/capability/bad_4.sd > @@ -0,0 +1,9 @@ > +# > +#=DESCRIPTION fail unknown keyword > +#=EXRESULT FAIL > +# vim:syntax=subdomain > +# Last Modified: Sun Apr 17 19:44:44 2005 > +# > +/does/not/exist { > + capability chown foobar, > +} > diff --git a/parser/tst/simple_tests/capability/ok3.sd > b/parser/tst/simple_tests/capability/ok3.sd > new file mode 100644 > index 0000000..454b96c > --- /dev/null > +++ b/parser/tst/simple_tests/capability/ok3.sd 
> @@ -0,0 +1,9 @@ > +# > +#=DESCRIPTION validate some uses of capabilties. > +#=EXRESULT PASS > +# vim:syntax=subdomain > +# Last Modified: Sun Apr 17 19:44:44 2005 > +# > +/does/not/exist { > + capability, > +} > -- > 1.7.9 > > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor -- Kees Cook
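Review bot: in the first parser_yacc.y hunk, making `caps` nullable (`caps: { /* nothing */ $$ = 0; }`) also changes the `set_caps: TOK_SET TOK_CAPABILITY caps TOK_END_OF_RULE` rule shown in the hunk context, so `set capability,` now parses and yields a mask of 0 instead of a syntax error; either reject the empty list there or state that this is intended, and add a simple_tests case for it. The `$2 == 0` sentinel for the bare rule is only sound because every accepted name contributes a bit through `CAP_TO_MASK`, which deserves a comment next to the check. The literal `0xffffffffffffffff` carries no type suffix and is not tied to the width of the type `$$` is declared with; a named all-caps constant built as the complement of zero in that type would replace the magic number and answers the sizing question raised above.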
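Review bot: in the second parser_yacc.y hunk, removing the `caps: TOK_ID` base case is correct now that the empty production anchors the recursion, but the pattern visible in the removed lines, `if (cap == -1) yyerror(...)` followed unconditionally by `$$ = CAP_TO_MASK(cap)`, survives in the remaining rule; if `yyerror` returns rather than exiting, that shifts by a negative count. This is pre-existing, but an early return or a guarded `CAP_TO_MASK` while the rule is being touched would close it.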
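Review bot: for bad_3.sd, the `# Last Modified: Sun Apr 17 19:44:44 2005` header is copied into a brand-new file; drop it or update it. Also, under the new grammar `capability chown CAP_CHOWN,` is a syntactically valid two-entry list, so this test only fails because `name_to_capability` rejects the `CAP_` spelling; the DESCRIPTION line should say that, since accepting `CAP_XXX` aliases later would silently turn this into a PASS.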
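Review bot: bad_4.sd (`capability chown foobar,`) now exercises the same path as bad_3.sd, an unknown name rejected by `name_to_capability`, so the two tests overlap; consider making one of them hit the grammar itself, for example a stray token after the bare `capability` keyword, which is the new code path this patch adds.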
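Review bot: ok3.sd has a typo in its DESCRIPTION line, `capabilties` should be `capabilities`, and carries the same stale 2005 `Last Modified` header as the two bad files. This file only checks that `capability,` parses (EXRESULT PASS); nothing in the patch verifies that the bare rule produces the all-caps mask rather than 0, so an ok file that combines `capability,` with a named capability rule in the same profile, or a parser-level check of the resulting mask, would cover the new branch better. The naming is also inconsistent: `bad_3`/`bad_4` with an underscore, `ok3` without.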
