mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-02-03 16:55:05 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

tests: add 'make check' for common issues in Apparmor profiles.

Browse source
This commit is contained in:
Alexandre Pujol 2024-10-06 15:39:21 +01:00
parent 7757038a4f
commit 36f620dab1
Failed to generate hash of commit
3 changed files with 90 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitlab-ci.yml
View file

@ -23,7 +23,7 @@ bash:
image: koalaman/shellcheck-alpine image: koalaman/shellcheck-alpine
script: script:
- shellcheck --shell=bash - shellcheck --shell=bash
PKGBUILD dists/build.sh dists/docker.sh PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh
golangci-lint: golangci-lint:

19
Makefile
View file

@ -4,12 +4,12 @@
# SPDX-License-Identifier: GPL-2.0-only # SPDX-License-Identifier: GPL-2.0-only
DESTDIR ?= / DESTDIR ?= /
BUILD := .build BUILD ?= .build
PKGDEST := /tmp/pkg PKGDEST ?= /tmp/pkg
PKGNAME := apparmor.d PKGNAME := apparmor.d
P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint man docs serve clean .PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint check manual docs serve clean
all: build all: build
@./${BUILD}/prebuild --complain @./${BUILD}/prebuild --complain
@ -101,18 +101,21 @@ lint:
@golangci-lint run @golangci-lint run
@make --directory=tests lint @make --directory=tests lint
@shellcheck --shell=bash \ @shellcheck --shell=bash \
PKGBUILD dists/build.sh dists/docker.sh \ PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
man: check:
pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md @bash tests/check.sh
manual:
@pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md
docs: docs:
ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
serve: serve:
ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
clean: clean:
@rm -rf \ @rm -rf \

78
tests/check.sh Normal file
View file

@ -0,0 +1,78 @@
#!/usr/bin/env bash
# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Usage: make check
# shellcheck disable=SC2044
set -eu -o pipefail
readonly APPARMORD="apparmor.d"
check_profiles() {
echo "⋅ Checking if all profiles contain:"
echo " - 'abi <abi/4.0>,'"
echo " - 'profile *profile_name* {'"
echo " - 'include if exists <local/*>'"
echo " - include if exists local for subprofiles"
directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*")
# shellcheck disable=SC2068
for dir in ${directories[@]}; do
for file in $(find "$dir" -maxdepth 1 -type f); do
case "$file" in */README.md) continue ;; esac
name="$(basename "$file")"
name="${name/.apparmor.d/}"
include="include if exists <local/$name>"
if ! grep -q "^ *${include}$" "$file"; then
echo "$name does not contain '$include'"
exit 1
fi
if ! grep -q "^ *abi <abi/4.0>," "$file"; then
echo "$name does not contain 'abi <abi/4.0>,'"
exit 1
fi
if ! grep -q "^profile $name" "$file"; then
echo "$name does not contain 'profile $name'"
exit 1
fi
mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}')
for subprofile in "${subrofiles[@]}"; do
include="include if exists <local/${name}_${subprofile}>"
if ! grep -q "^ *${include}$" "$file"; then
echo "$name: $name//$subprofile does not contain '$include'"
exit 1
fi
done
done
done
}
check_abstractions() {
echo "⋅ Checking if all abstractions contain:"
echo " - 'abi <abi/4.0>,'"
echo " - 'include if exists <abstractions/*.d>'"
directories=(
"$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/"
"$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/"
)
for dir in "${directories[@]}"; do
for file in $(find "$dir" -maxdepth 1 -type f); do
name="$(basename "$file")"
root="${dir/${APPARMORD}\/abstractions\//}"
include="include if exists <abstractions/${root}${name}.d>"
if ! grep -q "^ *${include}$" "$file"; then
echo "$file does not contain '$include'"
exit 1
fi
# if ! grep -q "^ *abi <abi/4.0>," "$file"; then
# echo "$file does not contain 'abi <abi/4.0>,'"
# exit 1
# fi
done
done
}
check_profiles
check_abstractions