apparmor.d/pkg/integration/scenario.go

129 lines
3.4 KiB
Go
Raw Normal View History

// apparmor.d - Full set of apparmor profiles
// Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
// SPDX-License-Identifier: GPL-2.0-only
// TODO:
// - Finish templating
// - Provide a large selection of resources: files, disks, http server... for automatic test on them
// - Expand support for interactive program (stdin and Control-D)
// - Properlly log the test result
// - Dbus integration
package integration
import (
"os"
"os/exec"
"strings"
"github.com/arduino/go-paths-helper"
"github.com/roddhjav/apparmor.d/pkg/logging"
"golang.org/x/exp/slices"
)
2023-09-10 13:21:55 +02:00
// Test represents of a list of tests for a given program
type Test struct {
Name string `yaml:"name"`
Profiled bool `yaml:"profiled"` // The program is profiled in apparmor.d
Root bool `yaml:"root"` // Run the test as user or as root
Dependencies []string `yaml:"require"` // Packages required for the tests to run "$(pacman -Qqo Scenario.Name)"
Arguments map[string]string `yaml:"arguments"` // Arguments to pass to the program, specific to this scenario
Commands []Command `yaml:"tests"`
}
// Command is a command line to run as part of a test
type Command struct {
Description string `yaml:"dsc"`
Cmd string `yaml:"cmd"`
Stdin []string `yaml:"stdin"`
}
2023-09-10 13:21:55 +02:00
func NewTest() *Test {
return &Test{
Name: "",
Profiled: false,
Root: false,
Dependencies: []string{},
Arguments: map[string]string{},
2023-09-10 13:21:55 +02:00
Commands: []Command{},
}
}
// HasProfile returns true if the program in the scenario is profiled in apparmor.d
2023-09-10 13:21:55 +02:00
func (t *Test) hasProfile(profiles paths.PathList) bool {
for _, path := range profiles {
2023-09-10 13:21:55 +02:00
if t.Name == path.Base() {
return true
}
}
return false
}
2023-09-10 13:21:55 +02:00
func (t *Test) installed() bool {
if _, err := exec.LookPath(t.Name); err != nil {
return false
}
return true
}
2023-09-10 13:21:55 +02:00
func (t *Test) resolve(in string) string {
res := in
2023-09-10 13:21:55 +02:00
for key, value := range t.Arguments {
res = strings.ReplaceAll(res, "{{ "+key+" }}", value)
}
return res
}
// mergeArguments merge the arguments of the scenario with the global arguments
2023-09-10 13:21:55 +02:00
// Test arguments have priority over global arguments
func (t *Test) mergeArguments(args map[string]string) {
for key, value := range args {
2023-09-10 13:21:55 +02:00
t.Arguments[key] = value
}
}
// Run the scenarios tests
2023-09-10 13:21:55 +02:00
func (t *Test) Run(dryRun bool) (ran int, nb int, err error) {
nb = 0
2023-09-10 13:21:55 +02:00
if t.Profiled && t.installed() {
if slices.Contains(Ignore, t.Name) {
return 0, nb, err
}
2023-09-10 13:21:55 +02:00
logging.Step("%s", t.Name)
t.mergeArguments(Arguments)
for _, test := range t.Commands {
cmd := t.resolve(test.Cmd)
if !strings.Contains(cmd, "{{") {
nb++
if dryRun {
logging.Bullet(cmd)
} else {
2023-09-10 13:21:55 +02:00
cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n"))
if cmdErr != nil {
// TODO: log the error
logging.Error("%v", cmdErr)
} else {
logging.Success(cmd)
}
}
}
}
return 1, nb, err
}
return 0, nb, err
}
2023-09-10 13:21:55 +02:00
func (t *Test) run(cmdline string, in string) error {
// Running the command in a shell ensure it does not run confined under the sudo profile.
// The shell is run unconfined and therefore the cmdline can be confined without no-new-privs issue.
sufix := " &" // TODO: we need a goroutine here
cmd := exec.Command("sh", "-c", cmdline+sufix)
2023-09-10 13:21:55 +02:00
if t.Root {
cmd = exec.Command("sudo", "sh", "-c", cmdline+sufix)
}
cmd.Stdin = strings.NewReader(in)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
return cmd.Run()
}