apparmor.d/tests/check.sh

#!/usr/bin/env bash
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Usage: make check
# shellcheck disable=SC2044

set -eu -o pipefail

readonly APPARMORD="apparmor.d"

_ensure_include() {
    local file="$1"
    local include="$2"
    if ! grep -q "^  *${include}$" "$file"; then
        echo "$file does not contain '$include'"
        exit 1
    fi
}

_ensure_abi() {
    local file="$1"
    if ! grep -q "^ *abi <abi/4.0>," "$file"; then
        echo "$file does not contain 'abi <abi/4.0>,'"
        exit 1
    fi
}

_ensure_vim() {
    local file="$1"
    if ! grep -q "^# vim:syntax=apparmor" "$file"; then
        echo "$file does not contain '# vim:syntax=apparmor'"
        exit 1
    fi
}

check_profiles() {
    echo "⋅ Checking if all profiles contain:"
    echo "    - 'abi <abi/4.0>,'"
    echo "    - 'profile <profile_name>'"
    echo "    - 'include if exists <local/*>'"
    echo "    - include if exists local for subprofiles"
    echo "    - vim:syntax=apparmor"
    directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*")
    # shellcheck disable=SC2068
    for dir in ${directories[@]}; do
        for file in $(find "$dir" -maxdepth 1 -type f); do
            case "$file" in */README.md) continue ;; esac
            name="$(basename "$file")"
            name="${name/.apparmor.d/}"
            include="include if exists <local/$name>"
            _ensure_include "$file" "$include"
            _ensure_abi "$file"
            _ensure_vim "$file"
            if ! grep -q "^profile $name" "$file"; then
                echo "$name does not contain 'profile $name'"
                exit 1
            fi
            mapfile -t subrofiles < <(grep "^  *profile*" "$file" | awk '{print $2}')
            for subprofile in "${subrofiles[@]}"; do
                include="include if exists <local/${name}_${subprofile}>"
                if ! grep -q "^  *${include}$" "$file"; then
                    echo "$name: $name//$subprofile does not contain '$include'"
                    exit 1
                fi
            done
        done
    done
}

check_abstractions() {
    echo "⋅ Checking if all abstractions contain:"
    echo "    - 'abi <abi/4.0>,'"
    echo "    - 'include if exists <abstractions/*.d>'"
    echo "    - vim:syntax=apparmor"
    directories=(
        "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/"
        "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/"
    )
    for dir in "${directories[@]}"; do
        for file in $(find "$dir" -maxdepth 1 -type f); do
            name="$(basename "$file")"
            root="${dir/${APPARMORD}\/abstractions\//}"
            include="include if exists <abstractions/${root}${name}.d>"
            _ensure_include "$file" "$include"
            _ensure_abi "$file"
            _ensure_vim "$file"
        done
    done

}

check_profiles
check_abstractions
tests: add 'make check' for common issues in Apparmor profiles. 2024-10-06 16:39:21 +02:00			`#!/usr/bin/env bash`
			`# apparmor.d - Full set of apparmor profiles`
			`# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>`
			`# SPDX-License-Identifier: GPL-2.0-only`

			`# Usage: make check`
			`# shellcheck disable=SC2044`

			`set -eu -o pipefail`

			`readonly APPARMORD="apparmor.d"`

tests: ensure vim syntax and abi are set on all profile/abs. 2024-10-09 23:26:11 +02:00			`_ensure_include() {`
			`local file="$1"`
			`local include="$2"`
			`if ! grep -q "^ *${include}$" "$file"; then`
			`echo "$file does not contain '$include'"`
			`exit 1`
			`fi`
			`}`

			`_ensure_abi() {`
			`local file="$1"`
			`if ! grep -q "^ *abi <abi/4.0>," "$file"; then`
			`echo "$file does not contain 'abi <abi/4.0>,'"`
			`exit 1`
			`fi`
			`}`

			`_ensure_vim() {`
			`local file="$1"`
			`if ! grep -q "^# vim:syntax=apparmor" "$file"; then`
			`echo "$file does not contain '# vim:syntax=apparmor'"`
			`exit 1`
			`fi`
			`}`

tests: add 'make check' for common issues in Apparmor profiles. 2024-10-06 16:39:21 +02:00			`check_profiles() {`
			`echo "⋅ Checking if all profiles contain:"`
			`echo " - 'abi <abi/4.0>,'"`
tests: ensure vim syntax and abi are set on all profile/abs. 2024-10-09 23:26:11 +02:00			`echo " - 'profile <profile_name>'"`
tests: add 'make check' for common issues in Apparmor profiles. 2024-10-06 16:39:21 +02:00			`echo " - 'include if exists <local/*>'"`
			`echo " - include if exists local for subprofiles"`
tests: ensure vim syntax and abi are set on all profile/abs. 2024-10-09 23:26:11 +02:00			`echo " - vim:syntax=apparmor"`
tests: add 'make check' for common issues in Apparmor profiles. 2024-10-06 16:39:21 +02:00			`directories=("$APPARMORD/groups/" "$APPARMORD/profiles--*")`
			`# shellcheck disable=SC2068`
			`for dir in ${directories[@]}; do`
			`for file in $(find "$dir" -maxdepth 1 -type f); do`
			`case "$file" in */README.md) continue ;; esac`
			`name="$(basename "$file")"`
			`name="${name/.apparmor.d/}"`
			`include="include if exists <local/$name>"`
tests: ensure vim syntax and abi are set on all profile/abs. 2024-10-09 23:26:11 +02:00			`_ensure_include "$file" "$include"`
			`_ensure_abi "$file"`
			`_ensure_vim "$file"`
tests: add 'make check' for common issues in Apparmor profiles. 2024-10-06 16:39:21 +02:00			`if ! grep -q "^profile $name" "$file"; then`
			`echo "$name does not contain 'profile $name'"`
			`exit 1`
			`fi`
			`mapfile -t subrofiles < <(grep "^ profile" "$file" \| awk '{print $2}')`
			`for subprofile in "${subrofiles[@]}"; do`
			`include="include if exists <local/${name}_${subprofile}>"`
			`if ! grep -q "^ *${include}$" "$file"; then`
			`echo "$name: $name//$subprofile does not contain '$include'"`
			`exit 1`
			`fi`
			`done`
			`done`
			`done`
			`}`

			`check_abstractions() {`
			`echo "⋅ Checking if all abstractions contain:"`
			`echo " - 'abi <abi/4.0>,'"`
			`echo " - 'include if exists <abstractions/*.d>'"`
tests: ensure vim syntax and abi are set on all profile/abs. 2024-10-09 23:26:11 +02:00			`echo " - vim:syntax=apparmor"`
tests: add 'make check' for common issues in Apparmor profiles. 2024-10-06 16:39:21 +02:00			`directories=(`
			`"$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/"`
			`"$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/"`
			`)`
			`for dir in "${directories[@]}"; do`
			`for file in $(find "$dir" -maxdepth 1 -type f); do`
			`name="$(basename "$file")"`
			`root="${dir/${APPARMORD}\/abstractions\//}"`
			`include="include if exists <abstractions/${root}${name}.d>"`
tests: ensure vim syntax and abi are set on all profile/abs. 2024-10-09 23:26:11 +02:00			`_ensure_include "$file" "$include"`
			`_ensure_abi "$file"`
			`_ensure_vim "$file"`
tests: add 'make check' for common issues in Apparmor profiles. 2024-10-06 16:39:21 +02:00			`done`
			`done`

			`}`

			`check_profiles`
			`check_abstractions`