test(aa): rule interface: update unit tests to last changes.

Alexandre Pujol 2024-06-19 18:39:16 +01:00
parent 4cbacc186c
commit afc0a7cd3b


@ -32,28 +32,11 @@ func TestRules_Validate(t *testing.T) {
} }
} }
func TestRules_Less(t *testing.T) { func TestCapability_Compare(t *testing.T) {
for _, tt := range testRule { for _, tt := range testRule {
if tt.oLess == nil {
continue
}
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if got := tt.rule.Less(tt.oLess); got != tt.wLessErr { if got := tt.rule.Compare(tt.other); got != tt.wCompare {
t.Errorf("Rule.Less() = %v, want %v", got, tt.wLessErr) t.Errorf("Rule.Compare() = %v, want %v", got, tt.wCompare)
}
})
}
}
func TestRules_Equals(t *testing.T) {
for _, tt := range testRule {
if tt.oEqual == nil {
continue
}
t.Run(tt.name, func(t *testing.T) {
r := tt.rule
if got := r.Equals(tt.oEqual); got != tt.wEqualErr {
t.Errorf("Rule.Equals() = %v, want %v", got, tt.wEqualErr)
} }
}) })
} }
@ -77,138 +60,123 @@ var (
log map[string]string log map[string]string
rule Rule rule Rule
wValidErr bool wValidErr bool
oLess Rule other Rule
wLessErr bool wCompare int
oEqual Rule
wEqualErr bool
wString string wString string
}{ }{
{ {
name: "comment", name: "comment",
rule: comment1, rule: comment1,
oLess: comment2, other: comment2,
wLessErr: false, wCompare: 0,
oEqual: comment2, wString: "#comment",
wEqualErr: false,
wString: "#comment",
}, },
{ {
name: "abi", name: "abi",
rule: abi1, rule: abi1,
oLess: abi2, other: abi2,
wLessErr: false, wCompare: 1,
oEqual: abi1, wString: "abi <abi/4.0>,",
wEqualErr: true,
wString: "abi <abi/4.0>,",
}, },
{ {
name: "alias", name: "alias",
rule: alias1, rule: alias1,
oLess: alias2, other: alias2,
wLessErr: true, wCompare: -1,
oEqual: alias2, wString: "alias /mnt/usr -> /usr,",
wEqualErr: false,
wString: "alias /mnt/usr -> /usr,",
}, },
{ {
name: "include1", name: "include1",
rule: include1, rule: include1,
oLess: includeLocal1, other: includeLocal1,
wLessErr: false, wCompare: -11,
oEqual: includeLocal1, wString: "include <abstraction/base>",
wEqualErr: false,
wString: "include <abstraction/base>",
}, },
{ {
name: "include2", name: "include2",
rule: include1, rule: include1,
oLess: include2, other: include2,
wLessErr: false, wCompare: 1,
wString: "include <abstraction/base>", wString: "include <abstraction/base>",
}, },
{ {
name: "include-local", name: "include-local",
rule: includeLocal1, rule: includeLocal1,
oLess: include1, other: include1,
wLessErr: true, wCompare: 11,
wString: "include if exists <local/foo>", wString: "include if exists <local/foo>",
}, },
{ {
name: "include/abs", name: "include/abs",
rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false}, rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false},
wString: `include "/usr/share/apparmor.d/"`, other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true},
wCompare: -1,
wString: `include "/usr/share/apparmor.d/"`,
}, },
{ {
name: "variable", name: "variable",
rule: variable1, rule: variable1,
oLess: variable2, other: variable2,
wLessErr: true, wCompare: 0,
oEqual: variable1, wString: "@{bin} = /{,usr/}{,s}bin",
wEqualErr: true,
wString: "@{bin} = /{,usr/}{,s}bin",
}, },
{ {
name: "all", name: "all",
rule: all1, rule: all1,
oLess: all2, other: all2,
wLessErr: false, wCompare: 0,
oEqual: all2, wString: "all,",
wEqualErr: false,
wString: "all,",
}, },
{ {
name: "rlimit", name: "rlimit",
rule: rlimit1, rule: rlimit1,
oLess: rlimit2, other: rlimit2,
wLessErr: false, wCompare: 11,
oEqual: rlimit1, wString: "set rlimit nproc <= 200,",
wEqualErr: true,
wString: "set rlimit nproc <= 200,",
}, },
{ {
name: "rlimit2", name: "rlimit2",
rule: rlimit2, rule: rlimit2,
oLess: rlimit2, other: rlimit2,
wLessErr: false, wCompare: 0,
wString: "set rlimit cpu <= 2,", wString: "set rlimit cpu <= 2,",
}, },
{ {
name: "rlimit3", name: "rlimit3",
rule: rlimit3, rule: rlimit3,
oLess: rlimit1, other: rlimit1,
wLessErr: true, wCompare: -1,
wString: "set rlimit nproc < 2,",
wString: "set rlimit nproc < 2,",
}, },
{ {
name: "userns", name: "userns",
rule: userns1, rule: userns1,
oLess: userns2, other: userns2,
wLessErr: true, wCompare: 1,
oEqual: userns1, wString: "userns,",
wEqualErr: true,
wString: "userns,",
}, },
{ {
name: "capbability", name: "capbability",
fromLog: newCapabilityFromLog, fromLog: newCapabilityFromLog,
log: capability1Log, log: capability1Log,
rule: capability1, rule: capability1,
oLess: capability2, other: capability2,
wLessErr: true, wCompare: -5,
oEqual: capability1, wString: "capability net_admin,",
wEqualErr: true,
wString: "capability net_admin,",
}, },
{ {
name: "capability/multi", name: "capability/multi",
rule: &Capability{Names: []string{"dac_override", "dac_read_search"}}, rule: &Capability{Names: []string{"dac_override", "dac_read_search"}},
wString: "capability dac_override dac_read_search,", other: capability2,
wCompare: -15,
wString: "capability dac_override dac_read_search,",
}, },
{ {
name: "capability/all", name: "capability/all",
rule: &Capability{}, rule: &Capability{},
wString: "capability,", other: capability2,
wCompare: -1,
wString: "capability,",
}, },
{ {
name: "network", name: "network",
@ -216,57 +184,49 @@ var (
log: network1Log, log: network1Log,
rule: network1, rule: network1,
wValidErr: true, wValidErr: true,
oLess: network2, other: network2,
wLessErr: false, wCompare: 5,
oEqual: network1,
wEqualErr: true,
wString: "network netlink raw,", wString: "network netlink raw,",
}, },
{ {
name: "mount", name: "mount",
fromLog: newMountFromLog, fromLog: newMountFromLog,
log: mount1Log, log: mount1Log,
rule: mount1, rule: mount1,
oEqual: mount2, other: mount2,
wEqualErr: false, wCompare: 38,
wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check", wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check",
}, },
{ {
name: "remount", name: "remount",
rule: remount1, rule: remount1,
oLess: remount2, other: remount2,
wLessErr: true, wCompare: -6,
oEqual: remount1, wString: "remount /,",
wEqualErr: true,
wString: "remount /,",
}, },
{ {
name: "umount", name: "umount",
fromLog: newUmountFromLog, fromLog: newUmountFromLog,
log: umount1Log, log: umount1Log,
rule: umount1, rule: umount1,
oLess: umount2, other: umount2,
wLessErr: true, wCompare: -8,
oEqual: umount1, wString: "umount /,",
wEqualErr: true,
wString: "umount /,",
}, },
{ {
name: "pivot_root1", name: "pivot_root1",
fromLog: newPivotRootFromLog, fromLog: newPivotRootFromLog,
log: pivotroot1Log, log: pivotroot1Log,
rule: pivotroot1, rule: pivotroot1,
oLess: pivotroot2, other: pivotroot2,
wLessErr: false, wCompare: 7,
oEqual: pivotroot2, wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,",
wEqualErr: false,
wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,",
}, },
{ {
name: "pivot_root2", name: "pivot_root2",
rule: pivotroot1, rule: pivotroot1,
oLess: pivotroot3, other: pivotroot3,
wLessErr: false, wCompare: 28,
wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,", wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,",
}, },
{ {
@ -274,190 +234,172 @@ var (
fromLog: newChangeProfileFromLog, fromLog: newChangeProfileFromLog,
log: changeprofile1Log, log: changeprofile1Log,
rule: changeprofile1, rule: changeprofile1,
oLess: changeprofile2, other: changeprofile2,
wLessErr: false, wCompare: 17,
wString: "change_profile -> systemd-user,", wString: "change_profile -> systemd-user,",
}, },
{ {
name: "change_profile2", name: "change_profile2",
rule: changeprofile2, rule: changeprofile2,
oLess: changeprofile3, other: changeprofile3,
wLessErr: true, wCompare: -4,
oEqual: changeprofile1, wString: "change_profile -> brwap,",
wEqualErr: false,
wString: "change_profile -> brwap,",
}, },
{ {
name: "mqueue", name: "mqueue",
rule: mqueue1, rule: mqueue1,
oLess: mqueue2, other: mqueue2,
wLessErr: true, wCompare: -3,
oEqual: mqueue1, wString: "mqueue r type=posix /,",
wEqualErr: true,
wString: "mqueue r type=posix /,",
}, },
{ {
name: "iouring", name: "iouring",
rule: iouring1, rule: iouring1,
oLess: iouring2, other: iouring2,
wLessErr: false, wCompare: 4,
oEqual: iouring2, wString: "io_uring sqpoll label=foo,",
wEqualErr: false,
wString: "io_uring sqpoll label=foo,",
}, },
{ {
name: "signal", name: "signal",
fromLog: newSignalFromLog, fromLog: newSignalFromLog,
log: signal1Log, log: signal1Log,
rule: signal1, rule: signal1,
oLess: signal2, other: signal2,
wLessErr: false, wCompare: -10,
oEqual: signal1, wString: "signal receive set=kill peer=firefox//&firejail-default,",
wEqualErr: true,
wString: "signal receive set=kill peer=firefox//&firejail-default,",
}, },
{ {
name: "ptrace/xdg-document-portal", name: "ptrace/xdg-document-portal",
fromLog: newPtraceFromLog, fromLog: newPtraceFromLog,
log: ptrace1Log, log: ptrace1Log,
rule: ptrace1, rule: ptrace1,
oLess: ptrace2, other: ptrace1,
wLessErr: false, wCompare: 0,
oEqual: ptrace1, wString: "ptrace read peer=nautilus,",
wEqualErr: true,
wString: "ptrace read peer=nautilus,",
}, },
{ {
name: "ptrace/snap-update-ns.firefox", name: "ptrace/snap-update-ns.firefox",
fromLog: newPtraceFromLog, fromLog: newPtraceFromLog,
log: ptrace2Log, log: ptrace2Log,
rule: ptrace2, rule: ptrace2,
oLess: ptrace1, other: ptrace1,
wLessErr: false, wCompare: 2,
oEqual: ptrace1, wString: "ptrace readby peer=systemd-journald,",
wEqualErr: false,
wString: "ptrace readby peer=systemd-journald,",
}, },
{ {
name: "unix", name: "unix",
fromLog: newUnixFromLog, fromLog: newUnixFromLog,
log: unix1Log, log: unix1Log,
rule: unix1, rule: unix1,
oLess: unix1, other: unix1,
wLessErr: false, wCompare: 0,
oEqual: unix1, wString: "unix (send receive) type=stream protocol=0 addr=none peer=(label=dbus-daemon, addr=@/tmp/dbus-AaKMpxzC4k),",
wEqualErr: true,
wString: "unix (send receive) type=stream protocol=0 addr=none peer=(label=dbus-daemon, addr=@/tmp/dbus-AaKMpxzC4k),",
}, },
{ {
name: "dbus", name: "dbus",
fromLog: newDbusFromLog, fromLog: newDbusFromLog,
log: dbus1Log, log: dbus1Log,
rule: dbus1, rule: dbus1,
oLess: dbus1, other: dbus1,
wLessErr: false, wCompare: 0,
oEqual: dbus2, wString: "dbus receive bus=session path=/org/gtk/vfs/metadata\n interface=org.gtk.vfs.Metadata\n member=Remove\n peer=(name=:1.15, label=tracker-extract),",
wEqualErr: false,
wString: "dbus receive bus=session path=/org/gtk/vfs/metadata\n interface=org.gtk.vfs.Metadata\n member=Remove\n peer=(name=:1.15, label=tracker-extract),",
}, },
{ {
name: "dbus2", name: "dbus2",
rule: dbus2, rule: dbus2,
oLess: dbus3, other: dbus3,
wLessErr: false, wCompare: 9,
wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,", wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,",
}, },
{ {
name: "dbus/bind", name: "dbus/bind",
rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"},
wString: `dbus bind bus=session name=org.gnome.*,`, other: dbus2,
wCompare: -33,
wString: `dbus bind bus=session name=org.gnome.*,`,
}, },
{ {
name: "dbus/full", name: "dbus/full",
rule: &Dbus{Bus: "accessibility"}, rule: &Dbus{Bus: "accessibility"},
wString: `dbus bus=accessibility,`, other: dbus1,
wCompare: -1,
wString: `dbus bus=accessibility,`,
}, },
{ {
name: "file", name: "file",
fromLog: newFileFromLog, fromLog: newFileFromLog,
log: file1Log, log: file1Log,
rule: file1, rule: file1,
oLess: file2, other: file2,
wLessErr: true, wCompare: -14,
oEqual: file2, wString: "/usr/share/poppler/cMap/Identity-H r,",
wEqualErr: false,
wString: "/usr/share/poppler/cMap/Identity-H r,",
}, },
{ {
name: "file/empty", name: "file/empty",
rule: &File{}, rule: &File{},
oLess: &File{}, other: &File{},
wLessErr: false, wCompare: 0,
wString: " ,", wString: " ,",
}, },
{ {
name: "file/equal", name: "file/equal",
rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
oLess: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
wLessErr: false, wCompare: 0,
wString: "/usr/share/poppler/cMap/Identity-H ,", wString: "/usr/share/poppler/cMap/Identity-H ,",
}, },
{ {
name: "file/owner", name: "file/owner",
rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true},
oLess: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
wLessErr: true, wCompare: 1,
wString: "owner /usr/share/poppler/cMap/Identity-H ,", wString: "owner /usr/share/poppler/cMap/Identity-H ,",
}, },
{ {
name: "file/access", name: "file/access",
rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}}, rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}},
oLess: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}},
wLessErr: false, wCompare: -5,
wString: "/usr/share/poppler/cMap/Identity-H r,", wString: "/usr/share/poppler/cMap/Identity-H r,",
}, },
{ {
name: "file/close", name: "file/close",
rule: &File{Path: "/usr/share/poppler/cMap/"}, rule: &File{Path: "/usr/share/poppler/cMap/"},
oLess: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H"},
wLessErr: true, wCompare: -10,
wString: "/usr/share/poppler/cMap/ ,", wString: "/usr/share/poppler/cMap/ ,",
}, },
{ {
name: "link", name: "link1",
fromLog: newLinkFromLog, fromLog: newLinkFromLog,
log: link1Log, log: link1Log,
rule: link1, rule: link1,
oLess: link2, other: link2,
wLessErr: true, wCompare: -1,
oEqual: link3, wString: "link /tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst -> /tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst,",
wEqualErr: false,
wString: "link /tmp/mkinitcpio.QDWtza/early@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst -> /tmp/mkinitcpio.QDWtza/root@{lib}/firmware/i915/dg1_dmc_ver2_02.bin.zst,",
}, },
{ {
name: "link", name: "link2",
fromLog: newFileFromLog, fromLog: newFileFromLog,
log: link3Log, log: link3Log,
rule: link3, rule: link3,
wString: "owner link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#3954,", other: link1,
wCompare: 1,
wString: "owner link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#3954,",
}, },
{ {
name: "profile", name: "profile",
rule: profile1, rule: profile1,
oLess: profile2, other: profile2,
wLessErr: true, wCompare: -4,
oEqual: profile1, wString: "profile sudo {\n}",
wEqualErr: true,
wString: "profile sudo {\n}",
}, },
{ {
name: "hat", name: "hat",
rule: hat1, rule: hat1,
oLess: hat2, other: hat2,
wLessErr: false, wCompare: 3,
oEqual: hat1, wString: "hat user {\n}",
wEqualErr: true,
wString: "hat user {\n}",
}, },
} }
) )
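Review bot: The new test in the first hunk is named `TestCapability_Compare` but ranges over every entry of `testRule`, so it should follow its neighbour `TestRules_Validate`, e.g. `func TestRules_Compare(t *testing.T) {`. The same hunk drops the `if tt.oLess == nil { continue }` guard with no equivalent for `tt.other`; every entry visible here sets `other`, but entries between the hunks are not shown, and one without it would pass a nil Rule to `Compare`. Several expectations pin exact magnitudes (`wCompare: 38`, `-33`, `-15`), which ties the table to the current internals of `Compare`; if only ordering matters, asserting on the sign would be sturdier. The `comment` and `all` cases previously expected `Equals` to be false for the pair and now expect `Compare` to return 0, so if any caller treats a zero result as a duplicate when merging profile rules, it is worth confirming that distinct rules cannot be collapsed.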