tests: add 'make check' for common issues in Apparmor profiles.

2025-01-24 20:08:11 +01:00 · 2024-10-06 15:39:21 +01:00 · 2024-10-06 15:39:21 +01:00 · 36f620dab1
commit 36f620dab1
parent 7757038a4f
3 changed files with 90 additions and 9 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -23,7 +23,7 @@ bash:
  image: koalaman/shellcheck-alpine
  script:
    - shellcheck --shell=bash
-        PKGBUILD dists/build.sh dists/docker.sh
+        PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
        tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh

 golangci-lint:
--- a/19
+++ b/19
@ -4,12 +4,12 @@
 # SPDX-License-Identifier: GPL-2.0-only

 DESTDIR ?= /
-BUILD := .build
-PKGDEST := /tmp/pkg
+BUILD ?= .build
+PKGDEST ?= /tmp/pkg
 PKGNAME := apparmor.d
 P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))

-.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint man docs serve clean
+.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint check manual docs serve clean

 all: build
 	@./${BUILD}/prebuild --complain
@ -101,18 +101,21 @@ lint:
 	@golangci-lint run
 	@make --directory=tests lint
 	@shellcheck --shell=bash \
-		PKGBUILD dists/build.sh dists/docker.sh \
+		PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
 		tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
 		debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm

-man:
-	pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md
+check:
+	@bash tests/check.sh
+
+manual:
+	@pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md

 docs:
-	ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
+	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict

 serve:
-	ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
+	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve

 clean:
 	@rm -rf \
--- a/tests/check.sh
+++ b/tests/check.sh
@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Usage: make check
+# shellcheck disable=SC2044
+
+set -eu -o pipefail
+
+readonly APPARMORD="apparmor.d"
+
+check_profiles() {
+    echo "⋅ Checking if all profiles contain:"
+    echo "    - 'abi <abi/4.0>,'"
+    echo "    - 'profile *profile_name* {'"
+    echo "    - 'include if exists <local/*>'"
+    echo "    - include if exists local for subprofiles"
+    directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*")
+    # shellcheck disable=SC2068
+    for dir in ${directories[@]}; do
+        for file in $(find "$dir" -maxdepth 1 -type f); do
+            case "$file" in */README.md) continue ;; esac
+            name="$(basename "$file")"
+            name="${name/.apparmor.d/}"
+            include="include if exists <local/$name>"
+            if ! grep -q "^  *${include}$" "$file"; then
+                echo "$name does not contain '$include'"
+                exit 1
+            fi
+            if ! grep -q "^ *abi <abi/4.0>," "$file"; then
+                echo "$name does not contain 'abi <abi/4.0>,'"
+                exit 1
+            fi
+            if ! grep -q "^profile $name" "$file"; then
+                echo "$name does not contain 'profile $name'"
+                exit 1
+            fi
+            mapfile -t subrofiles < <(grep "^  *profile*" "$file" | awk '{print $2}')
+            for subprofile in "${subrofiles[@]}"; do
+                include="include if exists <local/${name}_${subprofile}>"
+                if ! grep -q "^  *${include}$" "$file"; then
+                    echo "$name: $name//$subprofile does not contain '$include'"
+                    exit 1
+                fi
+            done
+        done
+    done
+}
+
+check_abstractions() {
+    echo "⋅ Checking if all abstractions contain:"
+    echo "    - 'abi <abi/4.0>,'"
+    echo "    - 'include if exists <abstractions/*.d>'"
+    directories=(
+        "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/"
+        "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/"
+    )
+    for dir in "${directories[@]}"; do
+        for file in $(find "$dir" -maxdepth 1 -type f); do
+            name="$(basename "$file")"
+            root="${dir/${APPARMORD}\/abstractions\//}"
+            include="include if exists <abstractions/${root}${name}.d>"
+            if ! grep -q "^  *${include}$" "$file"; then
+                echo "$file does not contain '$include'"
+                exit 1
+            fi
+            # if ! grep -q "^ *abi <abi/4.0>," "$file"; then
+            # 	echo "$file does not contain 'abi <abi/4.0>,'"
+            # 	exit 1
+            # fi
+        done
+    done
+
+}
+
+check_profiles
+check_abstractions