test(aa-log): update tests to the last changes.

Alexandre Pujol 2024-09-27 12:20:48 +01:00
parent e1f665aec1
commit a8c18f9b94
No known key found for this signature in database
GPG Key ID: C5469996F0DF68EC
4 changed files with 50 additions and 41 deletions


@ -118,14 +118,20 @@ func (r *File) String() string {
} }
func (r *File) Validate() error { func (r *File) Validate() error {
if r.Path == "" && r.Target == "" && len(r.Access) == 0 {
return nil // rule: `file` or `owner file`
}
if !isAARE(r.Path) { if !isAARE(r.Path) {
return fmt.Errorf("'%s' is not a valid AARE", r.Path) return fmt.Errorf("'%s' is not a valid AARE", r.Path)
} }
if len(r.Access) == 0 {
return fmt.Errorf("missing file access")
}
for _, v := range r.Access { for _, v := range r.Access {
if v == "" { if v == "" {
continue continue
} }
if !slices.Contains(requirements[r.Kind()]["access"], v) || if !slices.Contains(requirements[r.Kind()]["access"], v) &&
!slices.Contains(requirements[r.Kind()]["transition"], v) { !slices.Contains(requirements[r.Kind()]["transition"], v) {
return fmt.Errorf("invalid mode '%s'", v) return fmt.Errorf("invalid mode '%s'", v)
} }
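Review bot: The new `len(r.Access) == 0` guard before the loop can be bypassed by a slice of empty strings, because the loop that follows `continue`s on `v == ""`, so a rule such as `&File{Path: p, Access: []string{""}}` passes Validate with no effective mode; counting only non-empty entries, or returning the "missing file access" error when an entry is empty instead of skipping it, closes the gap. `fmt.Errorf("missing file access")` has no format verbs, so `errors.New("missing file access")` is the idiomatic form and avoids the vet warning (it needs the errors import if the file lacks one). `r.Target` is not passed through `isAARE` the way `r.Path` is; if Target is also an AARE the same check presumably applies, though the File struct is outside this hunk. The end of Validate (the loop's closing brace and the success return) lies outside the hunk.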


@ -187,11 +187,11 @@ func parseParagraph(input string) (Rules, error) {
} }
res = append(res, rrr...) res = append(res, rrr...)
for _, r := range res { // for _, r := range res {
if r.Constraint() == PreambleRule { // if r.Constraint() == PreambleRule {
return nil, fmt.Errorf("Rule not allowed in block: %s", r) // return nil, fmt.Errorf("Rule not allowed in block: %s", r)
} // }
} // }
return res, nil return res, nil
} }
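Review bot: The PreambleRule rejection in parseParagraph is left as commented-out code rather than removed, and the commit message ("update tests to the last changes") does not say why the check was disabled. If it is meant to return, a short comment above the block such as `// TODO: re-enable the preamble-rule check once <reason> is resolved` would record that; otherwise delete the five lines and let history keep them. With the check gone, parseParagraph now returns a block's rules even when they include preamble-only rules, so any caller that relied on that error path should be revisited; those callers are not visible here.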


@ -843,7 +843,7 @@ var (
raw string raw string
apparmor *AppArmorProfileFile apparmor *AppArmorProfileFile
wParseErr bool wParseErr bool
wRules []Rules wRules ParaRules
wParseRulesErr bool wParseRulesErr bool
}{ }{
{ {
@ -851,7 +851,7 @@ var (
raw: "", raw: "",
apparmor: &AppArmorProfileFile{}, apparmor: &AppArmorProfileFile{},
wParseErr: false, wParseErr: false,
wRules: []Rules{}, wRules: ParaRules{},
wParseRulesErr: false, wParseRulesErr: false,
}, },
{ {
@ -875,7 +875,7 @@ var (
}, },
}, },
wParseErr: false, wParseErr: false,
wRules: []Rules{}, wRules: ParaRules{},
wParseRulesErr: false, wParseRulesErr: false,
}, },
{ {
@ -914,7 +914,7 @@ var (
}, },
}, },
wParseErr: false, wParseErr: false,
wRules: []Rules{}, wRules: ParaRules{},
wParseRulesErr: false, wParseRulesErr: false,
}, },
{ {
@ -943,7 +943,7 @@ var (
}, },
}, },
wParseErr: false, wParseErr: false,
wRules: []Rules{ wRules: ParaRules{
{ {
&Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/base"},
&Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"},
@ -1050,7 +1050,7 @@ var (
}, },
}, },
wParseErr: false, wParseErr: false,
wRules: []Rules{ wRules: ParaRules{
{ {
&Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/base"},
&Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"},


@ -124,7 +124,7 @@ var (
wString: "include if exists <local/foo>", wString: "include if exists <local/foo>",
}, },
{ {
name: "include/abs", name: "include-abs",
rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false}, rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false},
other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true}, other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true},
wCompare: -1, wCompare: -1,
@ -190,7 +190,7 @@ var (
wString: "capability net_admin,", wString: "capability net_admin,",
}, },
{ {
name: "capability/multi", name: "capability-multi",
rule: &Capability{Names: []string{"dac_override", "dac_read_search"}}, rule: &Capability{Names: []string{"dac_override", "dac_read_search"}},
other: capability2, other: capability2,
wCompare: -15, wCompare: -15,
@ -198,7 +198,7 @@ var (
wString: "capability dac_override dac_read_search,", wString: "capability dac_override dac_read_search,",
}, },
{ {
name: "capability/all", name: "capability-all",
rule: &Capability{}, rule: &Capability{},
other: capability2, other: capability2,
wCompare: -1, wCompare: -1,
@ -222,7 +222,7 @@ var (
log: mount1Log, log: mount1Log,
rule: mount1, rule: mount1,
other: mount2, other: mount2,
wCompare: 38, wCompare: 37,
wMerge: false, wMerge: false,
wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check", wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check",
}, },
@ -250,7 +250,7 @@ var (
log: pivotroot1Log, log: pivotroot1Log,
rule: pivotroot1, rule: pivotroot1,
other: pivotroot2, other: pivotroot2,
wCompare: 7, wCompare: -5,
wMerge: false, wMerge: false,
wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,", wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,",
}, },
@ -307,7 +307,7 @@ var (
wString: "signal receive set=kill peer=firefox//&firejail-default,", wString: "signal receive set=kill peer=firefox//&firejail-default,",
}, },
{ {
name: "ptrace/xdg-document-portal", name: "ptrace-xdg-document-portal",
fromLog: newPtraceFromLog, fromLog: newPtraceFromLog,
log: ptrace1Log, log: ptrace1Log,
rule: ptrace1, rule: ptrace1,
@ -317,7 +317,7 @@ var (
wString: "ptrace read peer=nautilus,", wString: "ptrace read peer=nautilus,",
}, },
{ {
name: "ptrace/snap-update-ns.firefox", name: "ptrace-snap-update-ns.firefox",
fromLog: newPtraceFromLog, fromLog: newPtraceFromLog,
log: ptrace2Log, log: ptrace2Log,
rule: ptrace2, rule: ptrace2,
@ -355,7 +355,7 @@ var (
wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,", wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,",
}, },
{ {
name: "dbus/bind", name: "dbus-bind",
rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"},
other: dbus2, other: dbus2,
wCompare: -39, wCompare: -39,
@ -381,31 +381,33 @@ var (
wString: "/usr/share/poppler/cMap/Identity-H r,", wString: "/usr/share/poppler/cMap/Identity-H r,",
}, },
{ {
name: "file/empty", name: "file-all",
rule: &File{}, rule: &File{},
other: &File{}, other: &File{},
wCompare: 0, wCompare: 0,
wMerge: true, wMerge: true,
wString: " ,", wString: " ,", // FIXME:
}, },
{ {
name: "file/equal", name: "file-equal",
rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
wCompare: 0, wValidErr: true,
wMerge: true, wCompare: 0,
wString: "/usr/share/poppler/cMap/Identity-H ,", wMerge: true,
wString: "/usr/share/poppler/cMap/Identity-H ,",
}, },
{ {
name: "file/owner", name: "file-owner",
rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true},
other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
wCompare: 1, wCompare: 1,
wMerge: false, wValidErr: true,
wString: "owner /usr/share/poppler/cMap/Identity-H ,", wMerge: false,
wString: "owner /usr/share/poppler/cMap/Identity-H ,",
}, },
{ {
name: "file/access", name: "file-access",
rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}}, rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}},
other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}},
wCompare: -5, wCompare: -5,
@ -413,12 +415,13 @@ var (
wString: "/usr/share/poppler/cMap/Identity-H r,", wString: "/usr/share/poppler/cMap/Identity-H r,",
}, },
{ {
name: "file/close", name: "file-close",
rule: &File{Path: "/usr/share/poppler/cMap/"}, rule: &File{Path: "/usr/share/poppler/cMap/"},
other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
wCompare: -10, wCompare: -10,
wMerge: false, wValidErr: true,
wString: "/usr/share/poppler/cMap/ ,", wMerge: false,
wString: "/usr/share/poppler/cMap/ ,",
}, },
{ {
name: "link1", name: "link1",
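Review bot: The `// FIXME:` added on the `file-all` case's `wString: " ,"` line carries no text, so the test now pins an output the author evidently considers wrong without saying what the correct rendering is or why it is accepted for now. State the intent on the line, for example `// FIXME: String() of an empty File renders as " ,"; update once the expected form is settled`, so the next maintainer knows whether to fix String() or the expectation. The same section adds `wValidErr: true` to file-equal, file-owner and file-close; a one-line comment on the first of them noting that a path without access modes is now rejected by Validate would make the table change self-explanatory, since the reason only becomes apparent from a different file in this commit.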