File apparmor-2.5-r1445 of Package apparmor

Overview Repositories Revisions Requests Users Attributes Meta

File apparmor-2.5-r1445 of Package apparmor

=== added file '.bzrignore'
--- a/.bzrignore	1970-01-01 00:00:00 +0000
+++ b/.bzrignore	2011-01-10 18:12:33 +0000
@@ -0,0 +1,1 @@
+parser/tst/simple_tests/generated_x/*.sd

=== modified file 'libraries/libapparmor/testsuite/Makefile.am'
--- a/libraries/libapparmor/testsuite/Makefile.am	2008-05-19 22:48:31 +0000
+++ b/libraries/libapparmor/testsuite/Makefile.am	2011-01-10 18:12:33 +0000
@@ -12,7 +12,7 @@
 test_multi_multi_SOURCES	= test_multi.c
 test_multi_multi_CFLAGS		= $(CFLAGS) -Wall
 test_multi_multi_LDFLAGS	= $(LDFLAGS)
-test_multi_multi_LDADD		= ../src/.libs/libapparmor.a
+test_multi_multi_LDADD		= -L../src/.libs -lapparmor
 
 clean-local:
 	rm -f tmp.err.* tmp.out.* site.exp site.bak

=== modified file 'parser/Makefile'
--- a/parser/Makefile	2009-11-11 18:58:57 +0000
+++ b/parser/Makefile	2011-01-10 18:12:33 +0000
@@ -45,11 +45,14 @@
 				echo "$${warning}"; \
 			fi ; \
 		done)
-CFLAGS	= -O2 -pipe
+ifndef CFLAGS
+CFLAGS	= -g -O2 -pipe
 
 ifdef DEBUG
 CFLAGS = -g
 endif
+endif #CFLAGS
+
 EXTRA_CFLAGS = ${CFLAGS} ${WARNINGS} -D_GNU_SOURCE
 
 #LEXLIB	:= -lfl
@@ -125,9 +128,20 @@
 techdoc.txt: techdoc/index.html
 	w3m -dump $< > $@
 
-all: 	$(TOOLS) $(MANPAGES) ${HTMLMANPAGES} techdoc.pdf
+# targets arranged this way so that people who don't want full docs can
+# pick specific targets they want.
+main: 	$(TOOLS)
 	$(Q)make -C po all
-	$(Q)make -s tests
+
+manpages:	$(MANPAGES)
+
+htmlmanpages:	$(HTMLMANPAGES)
+
+pdf:	techdoc.pdf
+
+docs:	manpages htmlmanpages pdf
+
+all:	main docs tests
 
 apparmor_parser: $(OBJECTS) $(PCREOBJECTS) $(AAREOBJECTS)
 	rm -f ./libstdc++.a
@@ -191,7 +205,7 @@
 af_names.h: /usr/include/bits/socket.h
 	LC_ALL=C sed -n -e '/$(__FILTER)/d' -e "s/^\#define[ \\t]\\+PF_\$[A-Z0-9_]\\+\$[ \\t]\\+\$[0-9]\\+\$\$.*\$\$$/#ifndef AF_\\1\\n#  define AF_\\1 \\2\\n#endif\\nAA_GEN_NET_ENT(\"\\L\\1\", \\UAF_\\1)\\n/p" $< > $@
 	LC_ALL=C sed -n -e "s/^\#define[ \\t]\\+PF_MAX[ \\t]\\+\$[0-9]\\+\$[ \\t]\\+.*/#define AA_AF_MAX \\1\n/p" $< >> $@
-	cat $@
+	# cat $@
 
 cap_names.h: /usr/include/linux/capability.h
 	LC_ALL=C sed -n -e "/CAP_EMPTY_SET/d" -e "s/^\#define[ \\t]\\+CAP_\$[A-Z0-9_]\\+\$[ \\t]\\+\$[0-9xa-f]\\+\$\$.*\$\$$/\{\"\\L\\1\", \\UCAP_\\1\},/p" $< > $@
@@ -224,7 +238,7 @@
 .SILENT: $(AAREOBJECTS)
 .PHONY: $(AAREOBJECTS)
 $(AAREOBJECTS):
-	make -C $(AAREDIR)
+	make -C $(AAREDIR) CFLAGS="$(CFLAGS)"
 
 .SILENT: $(PCREOBJECTS)
 .PHONY: $(PCREOBJECTS)

=== modified file 'parser/immunix.h'
--- a/parser/immunix.h	2009-08-20 15:41:10 +0000
+++ b/parser/immunix.h	2011-01-10 18:12:33 +0000
@@ -148,12 +148,12 @@
 #include <stdio.h>
 static inline int is_merged_x_consistent(int a, int b)
 {
-	if ((a & AA_USER_EXEC_TYPE) && (b & AA_USER_EXEC_TYPE) &&
+	if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
 	    ((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
 { fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
 		return 0;
 }
-	if ((a & AA_OTHER_EXEC_TYPE) && (b & AA_OTHER_EXEC_TYPE) &&
+	if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
 	    ((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
 { fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
 		return 0;

=== modified file 'parser/libapparmor_re/regexp.y'
--- a/parser/libapparmor_re/regexp.y	2010-07-24 14:16:14 +0000
+++ b/parser/libapparmor_re/regexp.y	2011-01-10 18:12:33 +0000
@@ -720,17 +720,19 @@
 		Node *i = t->child[!dir];
 		for (;dynamic_cast<AltNode *>(i); p = i, i = i->child[!dir]) {
 			if (t->child[dir]->eq(i->child[dir])) {
+				Node *old = t;
 				t->child[!dir]->dup();
-				t->release();
 				t = t->child[!dir];
+				old->release();
 				continue;
 			}
 		}
 		// last altnode of chain check other dir as well
 		if (t->child[dir]->eq(p->child[!dir])) {
+			Node *old = t;
 			t->child[!dir]->dup();
-			t->release();
 			t = t->child[!dir];
+			old->release();
 			continue;
 		}
 
@@ -2581,9 +2583,9 @@
 #define MATCH_FLAGS_SIZE (sizeof(uint32_t) * 8 - 1)
 MatchFlag *match_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
 DenyMatchFlag *deny_flags[FLAGS_WIDTH][MATCH_FLAGS_SIZE];
-#define EXEC_MATCH_FLAGS_SIZE ((AA_EXEC_COUNT << 2) * 2)
-MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix *u::o*/
-ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe +ix *u::o*/
+#define EXEC_MATCH_FLAGS_SIZE (AA_EXEC_COUNT *2 * 2 * 2)	/* double for each of ix pux, unsafe x bits * u::o */
+MatchFlag *exec_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];	/* mods + unsafe + ix + pux * u::o*/
+ExactMatchFlag *exact_match_flags[FLAGS_WIDTH][EXEC_MATCH_FLAGS_SIZE];/* mods + unsafe + ix + pux *u::o*/
 
 extern "C" void aare_reset_matchflags(void)
 {
@@ -2644,8 +2646,8 @@
 	flip_tree(tree);
 
 
-/* 0x3f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, after shift */
-#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 8)) & 0x3f)
+/* 0x7f == 4 bits x mods + 1 bit unsafe mask + 1 bit ix, + 1 pux after shift */
+#define EXTRACT_X_INDEX(perm, shift) (((perm) >> (shift + 7)) & 0x7f)
 
 //if (perms & ALL_AA_EXEC_TYPE && (!perms & AA_EXEC_BITS))
 //	fprintf(stderr, "adding X rule without MAY_EXEC: 0x%x %s\n", perms, rulev[0]);

=== modified file 'parser/tst/Makefile'
--- a/parser/tst/Makefile	2010-09-15 18:34:38 +0000
+++ b/parser/tst/Makefile	2011-01-10 18:12:33 +0000
@@ -11,8 +11,11 @@
 
 all: tests
 
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity caching
+
+gen_xtrans:
+	perl ./gen-xtrans.pl
 
 error_output: $(PARSER)
 	$(PARSER) -S -I errors >/dev/null errors/okay.sd
@@ -34,3 +37,6 @@
 
 $(PARSER):
 	make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+	rm -f simple_tests/generated_x/*

=== added file 'parser/tst/gen-xtrans.pl'
--- a/parser/tst/gen-xtrans.pl	1970-01-01 00:00:00 +0000
+++ b/parser/tst/gen-xtrans.pl	2011-01-10 18:12:33 +0000
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+    "p" => \@modifiers,
+    "P" => \@modifiers,
+    "c" => \@modifiers,
+    "C" => \@modifiers,
+    );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+    "p" => \@targets,
+    "P" => \@targets,
+    "c" => \@targets,
+    "C" => \@targets,
+    "u" => \@null_target,
+    "i" => \@null_target,
+    );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+    my @output;
+    foreach my $trans (@trans_types) {
+	if ($trans_modifiers{$trans}) {
+	    foreach my $mod (@{$trans_modifiers{$trans}}) {
+		push @output, "${trans}${mod}x";
+	    }
+	}
+	push @output, "${trans}x";
+    }
+    return @output;
+}
+
+sub print_rule($$$$) {
+    my ($file, $name, $perm, $target) = @_;
+    print $file "\t${name} ${perm}";
+    if ($target ne "") {
+	print $file " -> $target";
+    }
+    print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+    my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+#    print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+    my $file;
+    unless (open $file, ">$name") {
+	print("couldn't open $name\n");
+	exit 1;
+    }
+
+    print $file "#\n";
+    print $file "#=DESCRIPTION ${name}\n";
+    print $file "#=EXRESULT ${xres}\n";
+    print $file "#\n";
+    print $file "/usr/bin/foo {\n";
+    print_rule($file, $rule1, $perm1, $target1);
+    print_rule($file, $rule2, $perm2, $target2);
+    print $file "}";
+    close($file);
+
+    $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+#      so
+# /foo {
+#    /* px -> /foo//bar,
+#    /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+#      It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+    my ($name, $rule1, $rule2, $default) = @_;
+
+    my @perms = gen_list();
+
+#    print "@perms\n";
+
+    foreach my $i (@perms) {
+	foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+	    foreach my $q (@qualifiers) {
+		foreach my $j (@perms) {
+		    foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+			foreach my $r (@qualifiers) {
+			    my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+#		    print "$file\n";
+
+		    #override failures when transitions are the same
+			    my $xres = ${default};
+			    if ($i eq $j && $t eq $u) {
+				$xres = "PASS";
+			    }
+
+
+#		    print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+			    gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+			}
+		    }
+		}
+	    }
+	}
+    }
+
+}
+
+sub gen_conflicting_x {
+    gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+    gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+    gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+    gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}

=== added directory 'parser/tst/simple_tests/generated_x'
=== added file 'parser/tst/simple_tests/generated_x/readme'
--- a/parser/tst/simple_tests/generated_x/readme	1970-01-01 00:00:00 +0000
+++ b/parser/tst/simple_tests/generated_x/readme	2011-01-10 18:12:33 +0000
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+

=== modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers'
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers	2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers	2011-01-10 18:12:33 +0000
@@ -18,7 +18,7 @@
   /usr/bin/prism PUx,
   /usr/bin/rekonq PUx,
   /usr/bin/seamonkey PUx,
-  /usr/bin/sensible-browser PUxr,
+  /usr/bin/sensible-browser Pixr,
 
   /usr/bin/chromium-browser PUx,
   /usr/lib/chromium-browser/chromium-browser PUx,

=== modified file 'profiles/apparmor.d/abstractions/ubuntu-email'
--- a/profiles/apparmor.d/abstractions/ubuntu-email	2010-09-10 15:28:28 +0000
+++ b/profiles/apparmor.d/abstractions/ubuntu-email	2011-01-10 18:12:33 +0000
@@ -15,5 +15,5 @@
   /usr/bin/tkrat PUx,
 
   /usr/lib/thunderbird/thunderbird PUx,
-  /usr/lib/thunderbird-3*/thunderbird PUx,
+  /usr/lib/thunderbird-3*/thunderbird{,.sh} PUx,

=== modified file 'tests/regression/subdomain/changehat_misc.sh'
--- a/tests/regression/subdomain/changehat_misc.sh	2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/changehat_misc.sh	2011-01-10 18:12:33 +0000
@@ -64,7 +64,7 @@
 echo "*** A 'Killed' message from bash is expected for the following test"
 runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
 
-# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
+# 1. ATTEMPT TO CHANGEHAT TO AN INVALID PROFILE, SHOULD PUT US INTO A NULL
 #    PROFILE
 # 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
 settest changehat_fail

=== modified file 'tests/regression/subdomain/deleted.c'
--- a/tests/regression/subdomain/deleted.c	2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/deleted.c	2011-01-10 18:12:33 +0000
@@ -90,7 +90,7 @@
         }
 
 	/* test that we can create the file.  Not necessarily a (deleted)
-	 * case but lets use flush out other combinations
+	 * case but lets us flush out other combinations.
 	 */
 	fd2=creat(argv[2], S_IRUSR | S_IWUSR);
 	if (fd2 == -1){

=== modified file 'tests/regression/subdomain/deleted.sh'
--- a/tests/regression/subdomain/deleted.sh	2007-12-23 01:00:19 +0000
+++ b/tests/regression/subdomain/deleted.sh	2011-01-10 18:12:33 +0000
@@ -1,7 +1,7 @@
 #! /bin/bash
-# $Id$
-
+#
 #	Copyright (C) 2002-2005 Novell/SUSE
+#	Copyright (C) 2010 Canonical, Ltd
 #
 #	This program is free software; you can redistribute it and/or
 #	modify it under the terms of the GNU General Public License as
@@ -10,7 +10,7 @@
 
 #=NAME deleted
 #=DESCRIPTION 
-# Test subdomain is properly working around a kernel in which the kernel 
+# Test AppArmor is properly working around a kernel in which the kernel 
 # appends (deleted) to deleted files verifies that the d_path appending 
 # (deleted) fix is working
 #=END
@@ -24,6 +24,7 @@
 
 file=$tmpdir/file
 file2="$tmpdir/file (deleted)"
+file3="$tmpdir/unavailable"
 okperm=rwl
 
 subtest=sub
@@ -40,8 +41,8 @@
 # NO CHANGEHAT TEST - doesn't force revalidation
 
 genprofile $file:$okperm
-
 runchecktest "NO CHANGEHAT (access file)" pass nochange $file
+runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange $file3
 
 genprofile "$file2":$okperm
 runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2"
@@ -49,6 +50,7 @@
 # CHANGEHAT TEST - force revalidation using changehat
 genprofile $file:$okperm hat:$subtest $file:$okperm
 runchecktest "CHANGEHAT (access file)" pass $subtest $file
+runchecktest "CHANGEHAT (cannot access unavailable)" fail $subtest $file3
 
 genprofile "$file2":$okperm hat:$subtest "$file2":$okperm
 runchecktest "CHANGEHAT (access file (deleted))" pass $subtest "$file2"
@@ -115,7 +117,7 @@
 # FAIL - confined client, w access to the file
 
 genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
-runchecktest "fd passing; confined client w/ w only" pass $file $socket $fd_client "delete_file"
+runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client "delete_file"
 
 sleep 1
 rm -f ${socket}

=== modified file 'tests/regression/subdomain/mkprofile.pl'
--- a/tests/regression/subdomain/mkprofile.pl	2009-11-11 18:44:26 +0000
+++ b/tests/regression/subdomain/mkprofile.pl	2011-01-10 18:12:33 +0000
@@ -5,7 +5,7 @@
 #
 # Gawd, I hate writing perl. It shows, too.
 #
-my $__VERSION__='$Id$';
+my $__VERSION__=$0;
 
 use strict;
 use Getopt::Long;

=== modified file 'tests/regression/subdomain/prologue.inc'
--- a/tests/regression/subdomain/prologue.inc	2010-08-26 18:24:41 +0000
+++ b/tests/regression/subdomain/prologue.inc	2011-01-10 18:12:33 +0000
@@ -93,8 +93,10 @@
 
 	while [ -h ${link} ]
 	do
-		if [ -x /usr/bin/readlink ] ; then 
-			target=$(/usr/bin/readlink ${link})
+		if [ -x /usr/bin/readlink ] ; then
+			target=$(/usr/bin/readlink -f ${link})
+		elif [ -x /bin/readlink ] ; then
+			target=$(/bin/readlink -f ${link})
 		else 
 			# I'm sure there's a more perlish way to do this
 			target=$( perl -e "printf (\"%s\n\", readlink(\"${link}\"));")

=== modified file 'tests/regression/subdomain/pwrite.sh'
--- a/tests/regression/subdomain/pwrite.sh	2007-12-23 00:58:47 +0000
+++ b/tests/regression/subdomain/pwrite.sh	2011-01-10 18:12:33 +0000
@@ -27,7 +27,7 @@
 
 genprofile $file:$okperm
 
-runtestbg "PWRITE with w" pass $file
+runtestbg "PREAD/PWRITE with rw" pass $file
 
 sleep 2

=== modified file 'tests/regression/subdomain/swap.sh'
--- a/tests/regression/subdomain/swap.sh	2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/swap.sh	2011-01-10 18:12:33 +0000
@@ -32,7 +32,7 @@
 swap_file=$tmpdir/swapfile
 
 dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null
-/sbin/mkswap ${swap_file} > /dev/null
+/sbin/mkswap -f ${swap_file} > /dev/null
 
 # TEST 1.  Make sure can enable and disable swap unconfined

=== modified file 'tests/regression/subdomain/syscall.sh'
--- a/tests/regression/subdomain/syscall.sh	2007-12-23 01:02:50 +0000
+++ b/tests/regression/subdomain/syscall.sh	2011-01-10 18:12:33 +0000
@@ -1,7 +1,7 @@
 #! /bin/bash
-# $Id$
-
+#
 #	Copyright (C) 2002-2005 Novell/SUSE
+#	Copyright (C) 2010 Canonical, Ltd.
 #
 #	This program is free software; you can redistribute it and/or
 #	modify it under the terms of the GNU General Public License as
@@ -114,9 +114,9 @@
 runchecktest "MKNOD sock (permissions)" fail s $mknod_file
 
 ##
-## D. SETHOSTNAME
+## C. SYSCTL
 ##
-sh syscall_sysctl.sh
+bash syscall_sysctl.sh
 
 ##
 ## D. SETHOSTNAME

=== modified file 'tests/regression/subdomain/unix_fd_server.c'
--- a/tests/regression/subdomain/unix_fd_server.c	2006-05-19 17:32:14 +0000
+++ b/tests/regression/subdomain/unix_fd_server.c	2011-01-10 18:12:33 +0000
@@ -2,6 +2,7 @@
 
 /*
  *	Copyright (C) 2002-2005 Novell/SUSE
+ *	Copyright (C) 2010 Canonical, Ltd.
  *
  *	This program is free software; you can redistribute it and/or
  *	modify it under the terms of the GNU General Public License as
@@ -134,6 +135,7 @@
 	}
 
 	/* Check for info re: reading the file */
+	memset(inbound_buffer, 0, sizeof(inbound_buffer));
 	if (recv(in_sock, inbound_buffer, 16,0) == -1 ) {
 		fprintf(stderr, "FAIL - recv %s\n",
 			strerror(errno));

=== modified file 'tests/regression/subdomain/xattrs.sh'
--- a/tests/regression/subdomain/xattrs.sh	2010-02-07 07:04:57 +0000
+++ b/tests/regression/subdomain/xattrs.sh	2011-01-10 18:12:33 +0000
@@ -38,41 +38,59 @@
 
 . $bin/prologue.inc
 
-file=$tmpdir/testfile
-link=$tmpdir/testlink
-dir=$tmpdir/testdir/
+tmpmount=$tmpdir/mountpoint
+diskimg=$tmpdir/disk.img
+file=$tmpmount/testfile
+link=$tmpmount/testlink
+dir=$tmpmount/testdir/
 okperm=rw
 badperm=r
 
+# guarantee fs supports user_xattrs
+dd if=/dev/zero of=${diskimg} bs=4096 count=4096 2> /dev/null
+mkfs.ext3 -q -F ${diskimg}
+mkdir ${tmpmount}
+mount -o loop,user_xattr ${diskimg} ${tmpmount}
+
 touch $file
 ln -s $file $link
 mkdir $dir
 
+add_attrs()
+{
+    #set the xattr for thos that passed above again so we can test removing it
+    setfattr -h -n security.sdtest -v hello "$1"
+    setfattr -h -n trusted.sdtest -v hello "$1"
+    if [ "$1" != $link ] ; then
+        setfattr -h -n user.sdtest -v hello "$1"
+    fi
+}
+
 for var in $file $link $dir ; do
 #write xattr
     genprofile $var:$badperm
     xattrtest $var $badperm write security fail
     #xattrtest $var $badperm write system fail
     xattrtest $var $badperm write trusted fail
-    if [ $var != $link ] ; then xattrtest $var $badperm write user fail ; fi
+    if [ $var != $link ] ; then xattrtest $var $badperm write user xfail ; fi
 
     genprofile $var:$badperm capability:sys_admin
     xattrtest $var "$badperm+cap SYS_ADMIN" write security xfail
     #xattrtest $var "$badperm+cap SYS_ADMIN" write system fail
     xattrtest $var "$badperm+cap SYS_ADMIN" write trusted xfail
-    if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user fail ; fi
+    if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" write user xfail ; fi
 
     genprofile $var:$okperm
     xattrtest $var $okperm write security xpass
     #xattrtest $var $okperm write system fail
     xattrtest $var $okperm write trusted fail
-    if [ $var != $link ] ; then xattrtest $var $okperm write user xpass ; fi
+    if [ $var != $link ] ; then xattrtest $var $okperm write user pass ; fi
 
     genprofile $var:$okperm capability:sys_admin
     xattrtest $var "$okperm+cap SYS_ADMIN" write security pass
     #xattrtest $var "$okperm+cap SYS_ADMIN" write system pass
     xattrtest $var "$okperm+cap SYS_ADMIN" write trusted pass
-    if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user xpass ; fi
+    if [ $var != $link ] ; then xattrtest $var "$okperm+cap SYS_ADMIN" write user pass ; fi
 
 
 #read xattr
@@ -80,13 +98,13 @@
     xattrtest $var $badperm read security pass
     #xattrtest $var $badperm read system fail
     xattrtest $var $badperm read trusted fail
-    if [ $var != $link ] ; then xattrtest $var $badperm read user xpass ; fi
+    if [ $var != $link ] ; then xattrtest $var $badperm read user pass ; fi
 
     genprofile $var:$badperm capability:sys_admin
     xattrtest $var "$badperm+cap SYS_ADMIN" read security pass
     #xattrtest $var "$badperm+cap SYS_ADMIN" read system pass
     xattrtest $var "$badperm+cap SYS_ADMIN" read trusted pass
-    if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user xpass ; fi
+    if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" read user pass ; fi
 
 
 #remove xattr
@@ -94,23 +112,25 @@
     xattrtest $var $badperm remove security fail
     #xattrtest $var $badperm remove system fail
     xattrtest $var $badperm remove trusted fail
-    if [ $var != $link ] ; then xattrtest $var $badperm remove user fail ; fi
+    if [ $var != $link ] ; then xattrtest $var $badperm remove user xfail ; fi
+
+    add_attrs $var
 
     genprofile $var:$badperm capability:sys_admin
     xattrtest $var "$badperm+cap SYS_ADMIN" remove security xfail
     #xattrtest $var "$badperm+cap SYS_ADMIN" remove system fail
     xattrtest $var "$badperm+cap SYS_ADMIN" remove trusted xfail
-    if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user fail ; fi
+    if [ $var != $link ] ; then xattrtest $var "$badperm+cap SYS_ADMIN" remove user xfail ; fi
+
+    add_attrs $var
 
     genprofile $var:$okperm
     xattrtest $var $okperm remove security xpass
     #xattrtest $var $okperm remove system fail
     xattrtest $var $okperm remove trusted fail
-    if [ $var != $link ] ; then xattrtest $var $okperm remove user xpass ; fi
+    if [ $var != $link ] ; then xattrtest $var $okperm remove user pass ; fi
 
-    #set the xattr for thos that passed above again so we can test removing it
-    setfattr -h -n security.sdtest -v hello $var
-    if [ $var != $link ] ; then setfattr -h -n user.sdtest -v hello $var ; fi
+    add_attrs $var
 
     genprofile $var:$okperm capability:sys_admin
     xattrtest $var "$okperm+cap SYS_ADMIN" remove security pass
@@ -120,3 +140,4 @@
 
 done
 
+umount ${tmpmount}

=== modified file 'utils/SubDomain.pm'
--- a/utils/SubDomain.pm	2010-09-21 07:40:50 +0000
+++ b/utils/SubDomain.pm	2011-01-10 18:12:33 +0000
@@ -2420,7 +2420,7 @@
 my $RE_LOG_v2_1_audit  =
     qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
 my $RE_LOG_v2_6_audit =
-    qr/type=AVC\s+audit$[\d\.\:]+$:\s+apparmor=/;
+    qr/type=AVC\s+(msg=)?audit$[\d\.\:]+$:\s+apparmor=/;
 
 sub prefetch_next_log_entry {
     # if we already have an existing cache entry, something's broken
@@ -6622,10 +6622,14 @@
     LibAppArmor::free_record($event);
 
     #map new c and d to w as logprof doesn't support them yet
-    $rmask =~ s/c/w/g;
-    $rmask =~ s/d/w/g;
-    $dmask =~ s/c/w/g;
-    $dmask =~ s/d/w/g;
+    if ($rmask) {
+        $rmask =~ s/c/w/g;
+        $rmask =~ s/d/w/g;
+    }
+    if ($dmask) {
+        $dmask =~ s/c/w/g;
+        $dmask =~ s/d/w/g;
+    }
 
     if ($rmask && !validate_log_mode(hide_log_mode($rmask))) {
         fatal_error(sprintf(gettext('Log contains unknown mode %s.'),

Places

File apparmor-2.5-r1445 of Package apparmor

Places