From 36f620dab18c82237d1b624e0525ef60b712cca7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 15:39:21 +0100 Subject: [PATCH] tests: add 'make check' for common issues in Apparmor profiles. --- .gitlab-ci.yml | 2 +- Makefile | 19 ++++++------ tests/check.sh | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 9 deletions(-) create mode 100644 tests/check.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7737e2d3..40f21276 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -23,7 +23,7 @@ bash: image: koalaman/shellcheck-alpine script: - shellcheck --shell=bash - PKGBUILD dists/build.sh dists/docker.sh + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh golangci-lint: diff --git a/Makefile b/Makefile index e8929aec..9b25bb5e 100644 --- a/Makefile +++ b/Makefile @@ -4,12 +4,12 @@ # SPDX-License-Identifier: GPL-2.0-only DESTDIR ?= / -BUILD := .build -PKGDEST := /tmp/pkg +BUILD ?= .build +PKGDEST ?= /tmp/pkg PKGNAME := apparmor.d P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) -.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint man docs serve clean +.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint check manual docs serve clean all: build @./${BUILD}/prebuild --complain @@ -101,18 +101,21 @@ lint: @golangci-lint run @make --directory=tests lint @shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh \ + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm -man: - pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md +check: + @bash tests/check.sh + +manual: + @pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md docs: - ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict serve: - ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve clean: @rm -rf \ diff --git a/tests/check.sh b/tests/check.sh new file mode 100644 index 00000000..5704ebfb --- /dev/null +++ b/tests/check.sh @@ -0,0 +1,78 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: make check +# shellcheck disable=SC2044 + +set -eu -o pipefail + +readonly APPARMORD="apparmor.d" + +check_profiles() { + echo "⋅ Checking if all profiles contain:" + echo " - 'abi ,'" + echo " - 'profile *profile_name* {'" + echo " - 'include if exists '" + echo " - include if exists local for subprofiles" + directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") + # shellcheck disable=SC2068 + for dir in ${directories[@]}; do + for file in $(find "$dir" -maxdepth 1 -type f); do + case "$file" in */README.md) continue ;; esac + name="$(basename "$file")" + name="${name/.apparmor.d/}" + include="include if exists " + if ! grep -q "^ *${include}$" "$file"; then + echo "$name does not contain '$include'" + exit 1 + fi + if ! grep -q "^ *abi ," "$file"; then + echo "$name does not contain 'abi ,'" + exit 1 + fi + if ! grep -q "^profile $name" "$file"; then + echo "$name does not contain 'profile $name'" + exit 1 + fi + mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') + for subprofile in "${subrofiles[@]}"; do + include="include if exists " + if ! grep -q "^ *${include}$" "$file"; then + echo "$name: $name//$subprofile does not contain '$include'" + exit 1 + fi + done + done + done +} + +check_abstractions() { + echo "⋅ Checking if all abstractions contain:" + echo " - 'abi ,'" + echo " - 'include if exists '" + directories=( + "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" + "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" + ) + for dir in "${directories[@]}"; do + for file in $(find "$dir" -maxdepth 1 -type f); do + name="$(basename "$file")" + root="${dir/${APPARMORD}\/abstractions\//}" + include="include if exists " + if ! grep -q "^ *${include}$" "$file"; then + echo "$file does not contain '$include'" + exit 1 + fi + # if ! grep -q "^ *abi ," "$file"; then + # echo "$file does not contain 'abi ,'" + # exit 1 + # fi + done + done + +} + +check_profiles +check_abstractions