diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index 1ed85194..016aa272 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -6,11 +6,15 @@ package aa var ( // Include - includeLocal1 = &Include{ - IfExists: true, - IsMagic: true, - Path: "local/foo", - } + include1 = &Include{IsMagic: true, Path: "abstraction/base"} + include2 = &Include{IsMagic: false, Path: "abstraction/base"} + include3 = &Include{IfExists: true, IsMagic: true, Path: "abstraction/base"} + includeLocal1 = &Include{IfExists: true, IsMagic: true, Path: "local/foo"} + + // Rlimit + rlimit1 = &Rlimit{Key: "nproc", Op: "<=", Value: "200"} + rlimit2 = &Rlimit{Key: "cpu", Op: "<=", Value: "2"} + rlimit3 = &Rlimit{Key: "nproc", Op: "<", Value: "2"} // Capability capability1Log = map[string]string{ @@ -38,15 +42,8 @@ var ( "denied_mask": "create", "comm": "sddm-greeter", } - network1 = &Network{ - Domain: "netlink", - Type: "raw", - Protocol: "15", - } - network2 = &Network{ - Domain: "inet", - Type: "dgram", - } + network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} + network2 = &Network{Domain: "inet", Type: "dgram"} // Mount mount1Log = map[string]string{ @@ -84,6 +81,11 @@ var ( MountPoint: "/var/lib/docker/overlay2/metacopy-check906831159/merged/", } + // Change Profile + changeprofile1 = &ChangeProfile{ExecMode: "Px", Exec: "/bin/bash", ProfileName: "brwap//default"} + changeprofile2 = &ChangeProfile{ExecMode: "Px", Exec: "/bin/bash", ProfileName: "brwap"} + changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/foo", ProfileName: "brwap//default"} + // Signal signal1Log = map[string]string{ "apparmor": "ALLOWED", 
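Review bot: The new fixtures `include1`, `include2` and `include3` in the `@@ -6,11 +6,15 @@` hunk use `Path: "abstraction/base"`, while the profile fixture in profile_test.go (`@@ -76,29 +59,13 @@`, same commit) and the real AppArmor layout use `abstractions/base`; unless the singular form is deliberate, `Path: "abstractions/base"` keeps the two test files describing the same include. `include2` spells out `IsMagic: false`, which is the zero value the rest of the commit drops elsewhere (e.g. `Target: ""` in the file1 hunk), so `include2 = &Include{Path: "abstractions/base"}` would match that style. `rlimit3` carries `Op: "<"`, which AppArmor's `set rlimit` grammar does not accept (only `<=`); if it exists only to give the equality/ordering tests a differing value, a short comment such as `// rlimit3 differs from rlimit1 only in Op; used for comparison tests` would stop it being read as valid rule syntax. The `var (` block starts before this hunk and continues past it.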
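Review bot: In the `@@ -84,6 +81,11 @@` hunk, all three `changeprofile` fixtures use `ProfileName: "brwap"` / `"brwap//default"`, which looks like a transposition of `bwrap` (bubblewrap); since the profile name only has to be self-consistent within the tests this is cosmetic, but it will be copied into expected strings later, so fixing it now is cheap. More substantively, `changeprofile1` and `changeprofile2` set `ExecMode: "Px"`: in apparmor.d(5) the exec mode of a `change_profile` rule is `safe` or `unsafe` (as `changeprofile3` uses), while `Px` is a file-rule exec transition mode, so if `ExecMode` is serialized into the `change_profile` line these fixtures would encode policy the AppArmor parser rejects — I cannot see the `ChangeProfile` type here, so please confirm which field it maps to. If `Px` is intentional as an arbitrary comparison value, a one-line comment saying so on the `// Change Profile` group would avoid the question. The enclosing `var (` block starts and ends outside this hunk.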
@@ -127,16 +129,8 @@ var ( "denied_mask": "readby", "peer": "systemd-journald", } - ptrace1 = &Ptrace{ - Qualifier: Qualifier{}, - Access: "read", - Peer: "nautilus", - } - ptrace2 = &Ptrace{ - Qualifier: Qualifier{}, - Access: "readby", - Peer: "systemd-journald", - } + ptrace1 = &Ptrace{Access: "read", Peer: "nautilus"} + ptrace2 = &Ptrace{Access: "readby", Peer: "systemd-journald"} // Unix unix1Log = map[string]string{ @@ -205,6 +199,11 @@ var ( Bus: "session", Name: "org.gnome.evolution.dataserver.Sources5", } + dbus3 = &Dbus{ + Access: "bind", + Bus: "session", + Name: "org.gnome.evolution.dataserver", + } // File file1Log = map[string]string{ @@ -236,15 +235,10 @@ var ( "OUID": "user", "error": "-1", } - file1 = &File{ - Path: "/usr/share/poppler/cMap/Identity-H", - Access: "r", - Target: "", - } + file1 = &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: "r"} file2 = &File{ Qualifier: Qualifier{Owner: true, NoNewPrivs: true}, Path: "@{PROC}/4163/cgroup", Access: "r", - Target: "", } ) diff --git a/pkg/aa/profile_test.go b/pkg/aa/profile_test.go index d2cebd40..4817ef81 100644 --- a/pkg/aa/profile_test.go +++ b/pkg/aa/profile_test.go @@ -45,30 +45,13 @@ func TestAppArmorProfile_String(t *testing.T) { name: "foo", p: &AppArmorProfile{ Preamble: Preamble{ - Abi: []Abi{ - { - IsMagic: true, - Path: "abi/4.0", - }, - }, - Includes: []Include{ - { - IsMagic: true, - Path: "tunables/global", - }, - }, - Aliases: []Alias{ - { - Path: "/mnt/usr", - RewrittenPath: "/usr", - }, - }, - Variables: []Variable{ - { - Name: "exec_path", - Values: []string{"@{bin}/foo", "@{lib}/foo"}, - }, - }, + Abi: []Abi{{IsMagic: true, Path: "abi/4.0"}}, + Includes: []Include{{IsMagic: true, Path: "tunables/global"}}, + Aliases: []Alias{{Path: "/mnt/usr", RewrittenPath: "/usr"}}, + Variables: []Variable{{ + Name: "exec_path", + Values: []string{"@{bin}/foo", "@{lib}/foo"}, + }}, }, Profile: Profile{ Name: "foo", 
@@ -76,29 +59,13 @@ func TestAppArmorProfile_String(t *testing.T) { Attributes: map[string]string{"security.tagged": "allowed"}, Flags: []string{"complain", "attach_disconnected"}, Rules: []ApparmorRule{ - &Include{ - IsMagic: true, - Path: "abstractions/base", - }, - &Include{ - IsMagic: true, - Path: "abstractions/nameservice-strict", - }, - &Rlimit{ - Key: "nproc", - Op: "<=", - Value: "200", - }, + &Include{IsMagic: true, Path: "abstractions/base"}, + &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, + rlimit1, &Capability{Name: "dac_read_search"}, &Capability{Name: "dac_override"}, - &Network{ - Domain: "inet", - Type: "stream", - }, - &Network{ - Domain: "inet6", - Type: "stream", - }, + &Network{Domain: "inet", Type: "stream"}, + &Network{Domain: "inet6", Type: "stream"}, &Mount{ MountConditions: MountConditions{ FsType: "fuse.portal", @@ -116,11 +83,7 @@ func TestAppArmorProfile_String(t *testing.T) { Set: "term", Peer: "at-spi-bus-launcher", }, - - &Ptrace{ - Access: "read", - Peer: "nautilus", - }, + &Ptrace{Access: "read", Peer: "nautilus"}, &Unix{ Access: "send receive", Type: "stream", @@ -142,19 +105,9 @@ func TestAppArmorProfile_String(t *testing.T) { Member: "AddMatch", Label: "power-profiles-daemon", }, - &File{ - Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", - Access: "rm", - }, - - &File{ - Path: "@{PROC}/@{pid}/task/@{tid}/comm", - Access: "rw", - }, - &File{ - Path: "@{sys}/devices/pci[0-9]*/**/class", - Access: "r", - }, + &File{Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", Access: "rm"}, + &File{Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: "rw"}, + &File{Path: "@{sys}/devices/pci[0-9]*/**/class", Access: "r"}, includeLocal1, }, },
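Review bot: Replacing the inline `&Rlimit{...}` with the package-level `rlimit1` in the `@@ -76,29 +59,13 @@` hunk puts the same `*Rlimit` pointer into this profile's `Rules` slice and into whatever other test uses the data_test.go fixtures; if any test exercises a method that mutates rules in place (sorting or merging `Rules`, filling defaulted fields), state would leak between tests and make failures order-dependent. `includeLocal1` was already shared this way before the commit, so this extends an existing pattern rather than introducing it, but the isolation risk grows with each shared pointer. Keeping the literal `&Rlimit{Key: "nproc", Op: "<=", Value: "200"}` (or inserting a copy, `&Rlimit{Key: rlimit1.Key, Op: rlimit1.Op, Value: rlimit1.Value}`) keeps this table entry hermetic; if the rules are never mutated, a comment on the fixture block noting that the pointers are shared read-only would document the assumption. TestAppArmorProfile_String starts before this hunk and its body continues past it.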