From afc0a7cd3bbcb633189196676e57cc93744a1dae Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 19 Jun 2024 18:39:16 +0100
Subject: [PATCH] test(aa): rule interface: update unit tests to last changes.

---
 pkg/aa/rules_test.go | 480 +++++++++++++++++++------------------
 1 file changed, 211 insertions(+), 269 deletions(-)

diff --git a/pkg/aa/rules_test.go b/pkg/aa/rules_test.go
index 2b944005..48de7949 100644
--- a/pkg/aa/rules_test.go
+++ b/pkg/aa/rules_test.go
@@ -32,28 +32,11 @@ func TestRules_Validate(t *testing.T) {
 }
 }

-func TestRules_Less(t *testing.T) {
+func TestCapability_Compare(t *testing.T) {
 for _, tt := range testRule {
- if tt.oLess == nil {
- continue
- }
 t.Run(tt.name, func(t *testing.T) {
- if got := tt.rule.Less(tt.oLess); got != tt.wLessErr {
- t.Errorf("Rule.Less() = %v, want %v", got, tt.wLessErr)
- }
- })
- }
-}
-
-func TestRules_Equals(t *testing.T) {
- for _, tt := range testRule {
- if tt.oEqual == nil {
- continue
- }
- t.Run(tt.name, func(t *testing.T) {
- r := tt.rule
- if got := r.Equals(tt.oEqual); got != tt.wEqualErr {
- t.Errorf("Rule.Equals() = %v, want %v", got, tt.wEqualErr)
+ if got := tt.rule.Compare(tt.other); got != tt.wCompare {
+ t.Errorf("Rule.Compare() = %v, want %v", got, tt.wCompare)
 }
 })
 }
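Review bot: TestCapability_Compare is a misleading name for the function introduced at the top of this hunk: it ranges over the whole testRule table (comment, abi, include, file, dbus, profile …), not just capabilities, and its sibling in this file is TestRules_Validate, so `func TestRules_Compare(t *testing.T) {` would match. The assertion `got != tt.wCompare` also pins the exact integer Compare returns; the fixed magnitudes in the table hunks below (-11, 38, -33, …) look like an artefact of how Compare is implemented rather than part of its contract, so a harmless rewrite that returned only -1/0/1 would fail every case without any behavioural change. Comparing signs instead, `if got := tt.rule.Compare(tt.other); cmp.Compare(got, 0) != cmp.Compare(tt.wCompare, 0) {` (with `"cmp"` imported, Go 1.21+), keeps the ordering check without that coupling. Finally, the removed `tt.oLess == nil` guard has no replacement, so a future table entry that omits `other` would hand a nil Rule to Compare; every entry in this patch does set it, so nothing breaks today.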
@@ -77,138 +60,123 @@ var (
 log map[string]string
 rule Rule
 wValidErr bool
- oLess Rule
- wLessErr bool
- oEqual Rule
- wEqualErr bool
+ other Rule
+ wCompare int
 wString string
 }{
 {
- name: "comment",
- rule: comment1,
- oLess: comment2,
- wLessErr: false,
- oEqual: comment2,
- wEqualErr: false,
- wString: "#comment",
+ name: "comment",
+ rule: comment1,
+ other: comment2,
+ wCompare: 0,
+ wString: "#comment",
 },
 {
- name: "abi",
- rule: abi1,
- oLess: abi2,
- wLessErr: false,
- oEqual: abi1,
- wEqualErr: true,
- wString: "abi ,",
+ name: "abi",
+ rule: abi1,
+ other: abi2,
+ wCompare: 1,
+ wString: "abi ,",
 },
 {
- name: "alias",
- rule: alias1,
- oLess: alias2,
- wLessErr: true,
- oEqual: alias2,
- wEqualErr: false,
- wString: "alias /mnt/usr -> /usr,",
+ name: "alias",
+ rule: alias1,
+ other: alias2,
+ wCompare: -1,
+ wString: "alias /mnt/usr -> /usr,",
 },
 {
- name: "include1",
- rule: include1,
- oLess: includeLocal1,
- wLessErr: false,
- oEqual: includeLocal1,
- wEqualErr: false,
- wString: "include ",
+ name: "include1",
+ rule: include1,
+ other: includeLocal1,
+ wCompare: -11,
+ wString: "include ",
 },
 {
 name: "include2",
 rule: include1,
- oLess: include2,
- wLessErr: false,
+ other: include2,
+ wCompare: 1,
 wString: "include ",
 },
 {
 name: "include-local",
 rule: includeLocal1,
- oLess: include1,
- wLessErr: true,
+ other: include1,
+ wCompare: 11,
 wString: "include if exists ",
 },
 {
- name: "include/abs",
- rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false},
- wString: `include "/usr/share/apparmor.d/"`,
+ name: "include/abs",
+ rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false},
+ other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true},
+ wCompare: -1,
+ wString: `include "/usr/share/apparmor.d/"`,
 },
 {
- name: "variable",
- rule: variable1,
- oLess: variable2,
- wLessErr: true,
- oEqual: variable1,
- wEqualErr: true,
- wString: "@{bin} = /{,usr/}{,s}bin",
+ name: "variable",
+ rule: variable1,
+ other: variable2,
+ wCompare: 0,
+ wString: "@{bin} = /{,usr/}{,s}bin",
 },
 {
- name: "all",
- rule: all1,
- oLess: all2,
- wLessErr: false,
- oEqual: all2,
- wEqualErr: false,
- wString: "all,",
+ name: "all",
+ rule: all1,
+ other: all2,
+ wCompare: 0,
+ wString: "all,",
 },
 {
- name: "rlimit",
- rule: rlimit1,
- oLess: rlimit2,
- wLessErr: false,
- oEqual: rlimit1,
- wEqualErr: true,
- wString: "set rlimit nproc <= 200,",
+ name: "rlimit",
+ rule: rlimit1,
+ other: rlimit2,
+ wCompare: 11,
+ wString: "set rlimit nproc <= 200,",
 },
 {
 name: "rlimit2",
 rule: rlimit2,
- oLess: rlimit2,
- wLessErr: false,
+ other: rlimit2,
+ wCompare: 0,
 wString: "set rlimit cpu <= 2,",
 },
 {
 name: "rlimit3",
 rule: rlimit3,
- oLess: rlimit1,
- wLessErr: true,
-
- wString: "set rlimit nproc < 2,",
+ other: rlimit1,
+ wCompare: -1,
+ wString: "set rlimit nproc < 2,",
 },
 {
- name: "userns",
- rule: userns1,
- oLess: userns2,
- wLessErr: true,
- oEqual: userns1,
- wEqualErr: true,
- wString: "userns,",
+ name: "userns",
+ rule: userns1,
+ other: userns2,
+ wCompare: 1,
+ wString: "userns,",
 },
 {
- name: "capbability",
- fromLog: newCapabilityFromLog,
- log: capability1Log,
- rule: capability1,
- oLess: capability2,
- wLessErr: true,
- oEqual: capability1,
- wEqualErr: true,
- wString: "capability net_admin,",
+ name: "capbability",
+ fromLog: newCapabilityFromLog,
+ log: capability1Log,
+ rule: capability1,
+ other: capability2,
+ wCompare: -5,
+ wString: "capability net_admin,",
 },
 {
- name: "capability/multi",
- rule: &Capability{Names: []string{"dac_override", "dac_read_search"}},
- wString: "capability dac_override dac_read_search,",
+ name: "capability/multi",
+ rule: &Capability{Names: []string{"dac_override", "dac_read_search"}},
+ other: capability2,
+ wCompare: -15,
+ wString: "capability dac_override dac_read_search,",
 },
 {
- name: "capability/all",
- rule: &Capability{},
- wString: "capability,",
+ name: "capability/all",
+ rule: &Capability{},
+ other: capability2,
+ wCompare: -1,
+ wString: "capability,",
 },
 {
 name: "network",
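Review bot: The case name `"capbability"` written back on the new side of this hunk keeps an old typo; since that string is what t.Run prints and what `go test -run` matches against, `name: "capability",` is worth fixing while the line is being rewritten anyway. The new table fields `other Rule` and `wCompare int` are undocumented, whereas the removed pairs (oLess/wLessErr, oEqual/wEqualErr) spelled out their roles by name; one-line comments such as `other Rule // rule passed to rule.Compare; must be set for every case` and `wCompare int // expected result of rule.Compare(other)` would make the table self-explanatory, especially now that the loop no longer skips entries with a nil operand. The enclosing var block starts before this hunk and ends after it.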
@@ -216,57 +184,49 @@ var (
 log: network1Log,
 rule: network1,
 wValidErr: true,
- oLess: network2,
- wLessErr: false,
- oEqual: network1,
- wEqualErr: true,
+ other: network2,
+ wCompare: 5,
 wString: "network netlink raw,",
 },
 {
- name: "mount",
- fromLog: newMountFromLog,
- log: mount1Log,
- rule: mount1,
- oEqual: mount2,
- wEqualErr: false,
- wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check",
+ name: "mount",
+ fromLog: newMountFromLog,
+ log: mount1Log,
+ rule: mount1,
+ other: mount2,
+ wCompare: 38,
+ wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check",
 },
 {
- name: "remount",
- rule: remount1,
- oLess: remount2,
- wLessErr: true,
- oEqual: remount1,
- wEqualErr: true,
- wString: "remount /,",
+ name: "remount",
+ rule: remount1,
+ other: remount2,
+ wCompare: -6,
+ wString: "remount /,",
 },
 {
- name: "umount",
- fromLog: newUmountFromLog,
- log: umount1Log,
- rule: umount1,
- oLess: umount2,
- wLessErr: true,
- oEqual: umount1,
- wEqualErr: true,
- wString: "umount /,",
+ name: "umount",
+ fromLog: newUmountFromLog,
+ log: umount1Log,
+ rule: umount1,
+ other: umount2,
+ wCompare: -8,
+ wString: "umount /,",
 },
 {
- name: "pivot_root1",
- fromLog: newPivotRootFromLog,
- log: pivotroot1Log,
- rule: pivotroot1,
- oLess: pivotroot2,
- wLessErr: false,
- oEqual: pivotroot2,
- wEqualErr: false,
- wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,",
+ name: "pivot_root1",
+ fromLog: newPivotRootFromLog,
+ log: pivotroot1Log,
+ rule: pivotroot1,
+ other: pivotroot2,
+ wCompare: 7,
+ wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,",
 },
 {
 name: "pivot_root2",
 rule: pivotroot1,
- oLess: pivotroot3,
- wLessErr: false,
+ other: pivotroot3,
+ wCompare: 28,
 wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,",
 },
 {
@@ -274,190 +234,172 @@ var (
 fromLog: newChangeProfileFromLog,
 log: changeprofile1Log,
 rule: changeprofile1,
- oLess: changeprofile2,
- wLessErr: false,
+ other: changeprofile2,
+ wCompare: 17,
 wString: "change_profile -> systemd-user,",
 },
 {
- name: "change_profile2",
- rule: changeprofile2,
- oLess: changeprofile3,
- wLessErr: true,
- oEqual: changeprofile1,
- wEqualErr: false,
- wString: "change_profile -> brwap,",
+ name: "change_profile2",
+ rule: changeprofile2,
+ other: changeprofile3,
+ wCompare: -4,
+ wString: "change_profile -> brwap,",
 },
 {
- name: "mqueue",
- rule: mqueue1,
- oLess: mqueue2,
- wLessErr: true,
- oEqual: mqueue1,
- wEqualErr: true,
- wString: "mqueue r type=posix /,",
+ name: "mqueue",
+ rule: mqueue1,
+ other: mqueue2,
+ wCompare: -3,
+ wString: "mqueue r type=posix /,",
 },
 {
- name: "iouring",
- rule: iouring1,
- oLess: iouring2,
- wLessErr: false,
- oEqual: iouring2,
- wEqualErr: false,
- wString: "io_uring sqpoll label=foo,",
+ name: "iouring",
+ rule: iouring1,
+ other: iouring2,
+ wCompare: 4,
+ wString: "io_uring sqpoll label=foo,",
 },
 {
- name: "signal",
- fromLog: newSignalFromLog,
- log: signal1Log,
- rule: signal1,
- oLess: signal2,
- wLessErr: false,
- oEqual: signal1,
- wEqualErr: true,
- wString: "signal receive set=kill peer=firefox//&firejail-default,",
+ name: "signal",
+ fromLog: newSignalFromLog,
+ log: signal1Log,
+ rule: signal1,
+ other: signal2,
+ wCompare: -10,
+ wString: "signal receive set=kill peer=firefox//&firejail-default,",
 },
 {
- name: "ptrace/xdg-document-portal",
- fromLog: newPtraceFromLog,
- log: ptrace1Log,
- rule: ptrace1,
- oLess: ptrace2,
- wLessErr: false,
- oEqual: ptrace1,
- wEqualErr: true,
- wString: "ptrace read peer=nautilus,",
+ name: "ptrace/xdg-document-portal",
+ fromLog: newPtraceFromLog,
+ log: ptrace1Log,
+ rule: ptrace1,
+ other: ptrace1,
+ wCompare: 0,
+ wString: "ptrace read peer=nautilus,",
 },
 {
- name: "ptrace/snap-update-ns.firefox",
- fromLog: newPtraceFromLog,
- log: ptrace2Log,
- rule: ptrace2,
- oLess: ptrace1,
- wLessErr: false,
- oEqual: ptrace1,
- wEqualErr: false,
- wString: "ptrace readby peer=systemd-journald,",
+ name: "ptrace/snap-update-ns.firefox",
+ fromLog: newPtraceFromLog,
+ log: ptrace2Log,
+ rule: ptrace2,
+ other: ptrace1,
+ wCompare: 2,
+ wString: "ptrace readby peer=systemd-journald,",
 },
 {
- name: "unix",
- fromLog: newUnixFromLog,
- log: unix1Log,
- rule: unix1,
- oLess: unix1,
- wLessErr: false,
- oEqual: unix1,
- wEqualErr: true,
- wString: "unix (send receive) type=stream protocol=0 addr=none peer=(label=dbus-daemon, addr=@/tmp/dbus-AaKMpxzC4k),",
+ name: "unix",
+ fromLog: newUnixFromLog,
+ log: unix1Log,
+ rule: unix1,
+ other: unix1,
+ wCompare: 0,
+ wString: "unix (send receive) type=stream protocol=0 addr=none peer=(label=dbus-daemon, addr=@/tmp/dbus-AaKMpxzC4k),",
 },
 {
- name: "dbus",
- fromLog: newDbusFromLog,
- log: dbus1Log,
- rule: dbus1,
- oLess: dbus1,
- wLessErr: false,
- oEqual: dbus2,
- wEqualErr: false,
- wString: "dbus receive bus=session path=/org/gtk/vfs/metadata\n interface=org.gtk.vfs.Metadata\n member=Remove\n peer=(name=:1.15, label=tracker-extract),",
+ name: "dbus",
+ fromLog: newDbusFromLog,
+ log: dbus1Log,
+ rule: dbus1,
+ other: dbus1,
+ wCompare: 0,
+ wString: "dbus receive bus=session path=/org/gtk/vfs/metadata\n interface=org.gtk.vfs.Metadata\n member=Remove\n peer=(name=:1.15, label=tracker-extract),",
 },
 {
 name: "dbus2",
 rule: dbus2,
- oLess: dbus3,
- wLessErr: false,
+ other: dbus3,
+ wCompare: 9,
 wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,",
 },
 {
- name: "dbus/bind",
- rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"},
- wString: `dbus bind bus=session name=org.gnome.*,`,
+ name: "dbus/bind",
+ rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"},
+ other: dbus2,
+ wCompare: -33,
+ wString: `dbus bind bus=session name=org.gnome.*,`,
 },
 {
- name: "dbus/full",
- rule: &Dbus{Bus: "accessibility"},
- wString: `dbus bus=accessibility,`,
+ name: "dbus/full",
+ rule: &Dbus{Bus: "accessibility"},
+ other: dbus1,
+ wCompare: -1,
+ wString: `dbus bus=accessibility,`,
 },
 {
- name: "file",
- fromLog: newFileFromLog,
- log: file1Log,
- rule: file1,
- oLess: file2,
- wLessErr: true,
- oEqual: file2,
- wEqualErr: false,
- wString: "/usr/share/poppler/cMap/Identity-H r,",
+ name: "file",
+ fromLog: newFileFromLog,
+ log: file1Log,
+ rule: file1,
+ other: file2,
+ wCompare: -14,
+ wString: "/usr/share/poppler/cMap/Identity-H r,",
 },
 {
 name: "file/empty",
 rule: &File{},
- oLess: &File{},
- wLessErr: false,
+ other: &File{},
+ wCompare: 0,
 wString: " ,",
 },
 {
 name: "file/equal",
 rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
- oLess: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
- wLessErr: false,
+ other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
+ wCompare: 0,
 wString: "/usr/share/poppler/cMap/Identity-H ,",
 },
 {
 name: "file/owner",
 rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true},
- oLess: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
- wLessErr: true,
+ other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
+ wCompare: 1,
 wString: "owner /usr/share/poppler/cMap/Identity-H ,",
 },
 {
 name: "file/access",
 rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}},
- oLess: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}},
- wLessErr: false,
+ other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}},
+ wCompare: -5,
 wString: "/usr/share/poppler/cMap/Identity-H r,",
 },
 {
 name: "file/close",
 rule: &File{Path: "/usr/share/poppler/cMap/"},
- oLess: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
- wLessErr: true,
+ other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
+ wCompare: -10,
 wString: "/usr/share/poppler/cMap/ ,",
 },
 {
- name: "link",
- fromLog: newLinkFromLog,
- log: link1Log,
- rule: link1,
- oLess: link2,
- wLessErr: true,
- oEqual: link3,
- wEqualErr: false,
- wString: "link /tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst -> /tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst,",
+ name: "link1",
+ fromLog: newLinkFromLog,
+ log: link1Log,
+ rule: link1,
+ other: link2,
+ wCompare: -1,
+ wString: "link /tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst -> /tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst,",
 },
 {
- name: "link",
- fromLog: newFileFromLog,
- log: link3Log,
- rule: link3,
- wString: "owner link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#3954,",
+ name: "link2",
+ fromLog: newFileFromLog,
+ log: link3Log,
+ rule: link3,
+ other: link1,
+ wCompare: 1,
+ wString: "owner link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#3954,",
 },
 {
- name: "profile",
- rule: profile1,
- oLess: profile2,
- wLessErr: true,
- oEqual: profile1,
- wEqualErr: true,
- wString: "profile sudo {\n}",
+ name: "profile",
+ rule: profile1,
+ other: profile2,
+ wCompare: -4,
+ wString: "profile sudo {\n}",
 },
 {
- name: "hat",
- rule: hat1,
- oLess: hat2,
- wLessErr: false,
- oEqual: hat1,
- wEqualErr: true,
- wString: "hat user {\n}",
+ name: "hat",
+ rule: hat1,
+ other: hat2,
+ wCompare: 3,
+ wString: "hat user {\n}",
 },
 }
 )
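Review bot: The rewritten ptrace/xdg-document-portal case now sets `other: ptrace1`, i.e. it compares ptrace1 with itself, so `wCompare: 0` holds trivially and the ptrace1-versus-ptrace2 ordering the old entry exercised (oLess: ptrace2) is no longer checked from that side; only the reverse direction survives in ptrace/snap-update-ns.firefox (ptrace2 against ptrace1, expecting 2). Restoring `other: ptrace2,` with the expected value recomputed from Compare (presumably -2 if Compare is antisymmetric, but that should be verified rather than assumed) would keep both directions covered. The unix and dbus cases also compare a rule with itself, but they already did so before this change, and the link1/link2 renames fix the duplicated "link" case name. The enclosing var block starts before this hunk.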