tests: enforce abstractions test.
This commit is contained in:
Alexandre Pujol
parent
f29041576e
commit
3ffff07f3f
2 changed files with 10 additions and 14 deletions
|
|
@ -7,15 +7,10 @@ abi <abi/4.0>,
|
||||||
|
|
||||||
include <tunables/global>
|
include <tunables/global>
|
||||||
|
|
||||||
# Debugging the syslogger can be difficult if it can't write to the file
|
|
||||||
# that the kernel is logging denials to. In these cases, you can do the
|
|
||||||
# following:
|
|
||||||
# watch -n 1 'dmesg | tail -5'
|
|
||||||
|
|
||||||
@{exec_path} = @{sbin}/rsyslogd
|
@{exec_path} = @{sbin}/rsyslogd
|
||||||
profile rsyslogd @{exec_path} {
|
profile rsyslogd @{exec_path} {
|
||||||
include <abstractions/base>
|
include <abstractions/base>
|
||||||
include <abstractions/nameservice>
|
include <abstractions/nameservice-strict>
|
||||||
|
|
||||||
capability chown, # For creating new log files and changing their owner/group
|
capability chown, # For creating new log files and changing their owner/group
|
||||||
capability net_admin, # For remote logs
|
capability net_admin, # For remote logs
|
||||||
|
|
@ -24,18 +19,19 @@ profile rsyslogd @{exec_path} {
|
||||||
capability sys_nice,
|
capability sys_nice,
|
||||||
capability syslog,
|
capability syslog,
|
||||||
|
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 dgram,
|
||||||
|
|
||||||
signal receive set=hup peer=@{p_systemd},
|
signal receive set=hup peer=@{p_systemd},
|
||||||
|
|
||||||
@{exec_path} mr,
|
@{exec_path} mr,
|
||||||
|
@{sh_path} mr,
|
||||||
|
|
||||||
@{lib}/@{multiarch}/rsyslog/*.so mr,
|
@{lib}/@{multiarch}/rsyslog/*.so mr,
|
||||||
|
|
||||||
/etc/rsyslog.conf r,
|
/etc/rsyslog.conf r,
|
||||||
/etc/rsyslog.d/{,**} r,
|
/etc/rsyslog.d/{,**} r,
|
||||||
|
|
||||||
/etc/CA/*.crt r,
|
|
||||||
/etc/CA/*.key r,
|
|
||||||
|
|
||||||
/var/log/** rw,
|
/var/log/** rw,
|
||||||
/var/spool/rsyslog/ r,
|
/var/spool/rsyslog/ r,
|
||||||
/var/spool/rsyslog/** rw,
|
/var/spool/rsyslog/** rw,
|
||||||
|
|
|
||||||
|
|
@ -93,7 +93,7 @@ _check() {
|
||||||
# Rules checks: security, compatibility and rule issues
|
# Rules checks: security, compatibility and rule issues
|
||||||
|
|
||||||
readonly ABS="abstractions"
|
readonly ABS="abstractions"
|
||||||
readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp)
|
readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp)
|
||||||
declare -A ABS_DEPRECATED=(
|
declare -A ABS_DEPRECATED=(
|
||||||
["nameservice"]="nameservice-strict"
|
["nameservice"]="nameservice-strict"
|
||||||
["bash"]="shell"
|
["bash"]="shell"
|
||||||
|
|
@ -373,7 +373,7 @@ check_profiles() {
|
||||||
)
|
)
|
||||||
jobs=0
|
jobs=0
|
||||||
WITH_CHECK=(
|
WITH_CHECK=(
|
||||||
equivalent
|
abstractions equivalent
|
||||||
abi include profile header tabs trailing indentation subprofiles vim
|
abi include profile header tabs trailing indentation subprofiles vim
|
||||||
)
|
)
|
||||||
for file in "${files[@]}"; do
|
for file in "${files[@]}"; do
|
||||||
|
|
@ -393,7 +393,7 @@ check_abstractions() {
|
||||||
mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*")
|
mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*")
|
||||||
jobs=0
|
jobs=0
|
||||||
WITH_CHECK=(
|
WITH_CHECK=(
|
||||||
equivalent
|
abstractions equivalent
|
||||||
abi include header tabs trailing indentation vim
|
abi include header tabs trailing indentation vim
|
||||||
)
|
)
|
||||||
for file in "${files[@]}"; do
|
for file in "${files[@]}"; do
|
||||||
|
|
@ -414,7 +414,7 @@ check_abstractions() {
|
||||||
# shellcheck disable=SC2034
|
# shellcheck disable=SC2034
|
||||||
jobs=0
|
jobs=0
|
||||||
WITH_CHECK=(
|
WITH_CHECK=(
|
||||||
equivalent
|
abstractions equivalent
|
||||||
header tabs trailing indentation vim
|
header tabs trailing indentation vim
|
||||||
)
|
)
|
||||||
for file in "${files[@]}"; do
|
for file in "${files[@]}"; do
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue