diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index d034788d..629010f2 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -5,17 +5,41 @@ package aa var ( + // Comment + comment1 = &Comment{RuleBase: RuleBase{Comment: "comment", IsLineRule: true}} + comment2 = &Comment{RuleBase: RuleBase{Comment: "another comment", IsLineRule: true}} + + // Abi + abi1 = &Abi{IsMagic: true, Path: "abi/4.0"} + abi2 = &Abi{IsMagic: true, Path: "abi/3.0"} + + // Alias + alias1 = &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"} + alias2 = &Alias{Path: "/mnt/var", RewrittenPath: "/var"} + // Include include1 = &Include{IsMagic: true, Path: "abstraction/base"} include2 = &Include{IsMagic: false, Path: "abstraction/base"} include3 = &Include{IfExists: true, IsMagic: true, Path: "abstraction/base"} includeLocal1 = &Include{IfExists: true, IsMagic: true, Path: "local/foo"} + // Variable + variable1 = &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true} + variable2 = &Variable{Name: "exec_path", Values: []string{"@{bin}/foo", "@{lib}/foo"}, Define: true} + + // All + all1 = &All{} + all2 = &All{RuleBase: RuleBase{Comment: "comment"}} + // Rlimit rlimit1 = &Rlimit{Key: "nproc", Op: "<=", Value: "200"} rlimit2 = &Rlimit{Key: "cpu", Op: "<=", Value: "2"} rlimit3 = &Rlimit{Key: "nproc", Op: "<", Value: "2"} + // Userns + userns1 = &Userns{Create: true} + userns2 = &Userns{} + // Capability capability1Log = map[string]string{ "apparmor": "ALLOWED", @@ -83,8 +107,12 @@ var ( MountPoint: "/newroot/dev/tty", } + // Remount + remount1 = &Remount{MountPoint: "/"} + remount2 = &Remount{MountPoint: "/{,**}/"} + // Umount - umount1Log = map[string]string{ + umount1Log = map[string]string{ "apparmor": "ALLOWED", "class": "mount", "operation": "umount", 
@@ -96,7 +124,6 @@ var ( umount2 = &Umount{MountPoint: "/oldroot/"} // PivotRoot - // pivotroot1LogStr = `apparmor="ALLOWED" operation="pivotroot" class="mount" profile="systemd" name="@{run}/systemd/mount-rootfs/" comm="(ostnamed)" srcname="@{run}/systemd/mount-rootfs/"` pivotroot1Log = map[string]string{ "apparmor": "ALLOWED", "class": "mount", @@ -120,7 +147,6 @@ var ( } // Change Profile - // changeprofile1LogStr = `apparmor="ALLOWED" operation="change_onexec" class="file" profile="systemd" name="systemd-user" comm="(systemd)" target="systemd-user"` changeprofile1Log = map[string]string{ "apparmor": "ALLOWED", "class": "file", @@ -134,6 +160,14 @@ var ( changeprofile2 = &ChangeProfile{ProfileName: "brwap"} changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/bash", ProfileName: "brwap//default"} + // Mqueue + mqueue1 = &Mqueue{Access: []string{"r"}, Type: "posix", Name: "/"} + mqueue2 = &Mqueue{Access: []string{"r"}, Type: "sysv", Name: "/"} + + // IO Uring + iouring1 = &IOUring{Access: []string{"sqpoll"}, Label: "foo"} + iouring2 = &IOUring{Access: []string{"override_creds"}} + // Signal signal1Log = map[string]string{ "apparmor": "ALLOWED", @@ -335,4 +369,26 @@ var ( Path: "@{user_config_dirs}/kiorc", Target: "@{user_config_dirs}/#3954", } + + // Profile + profile1 = &Profile{ + Header: Header{ + Name: "sudo", + Attachments: []string{}, + Attributes: map[string]string{}, + Flags: []string{}, + }, + } + profile2 = &Profile{ + Header: Header{ + Name: "systemctl", + Attachments: []string{}, + Attributes: map[string]string{}, + Flags: []string{}, + }, + } + + // Hat + hat1 = &Hat{Name: "user"} + hat2 = &Hat{Name: "root"} ) diff --git a/pkg/aa/rules_test.go b/pkg/aa/rules_test.go index 67c8397e..4278da8f 100644 --- a/pkg/aa/rules_test.go +++ b/pkg/aa/rules_test.go 
@@ -117,6 +117,18 @@ func TestRules_Less(t *testing.T) {
 other Rule
 want bool
 }{
+ {
+ name: "comment",
+ rule: comment1,
+ other: comment2,
+ want: false,
+ },
+ {
+ name: "abi",
+ rule: abi1,
+ other: abi2,
+ want: false,
+ },
 {
 name: "include1",
 rule: include1,
@@ -135,6 +147,18 @@ func TestRules_Less(t *testing.T) {
 other: include3,
 want: false,
 },
+ {
+ name: "variable",
+ rule: variable2,
+ other: variable1,
+ want: false,
+ },
+ {
+ name: "all",
+ rule: all1,
+ other: all2,
+ want: false,
+ },
 {
 name: "rlimit",
 rule: rlimit1,
@@ -153,6 +177,12 @@ func TestRules_Less(t *testing.T) {
 other: rlimit3,
 want: false,
 },
+ {
+ name: "userns",
+ rule: userns1,
+ other: userns2,
+ want: true,
+ },
 {
 name: "capability",
 rule: capability1,
@@ -171,6 +201,12 @@ func TestRules_Less(t *testing.T) {
 other: mount2,
 want: false,
 },
+ {
+ name: "remount",
+ rule: remount1,
+ other: remount2,
+ want: true,
+ },
 {
 name: "umount",
 rule: umount1,
@@ -201,6 +237,18 @@ func TestRules_Less(t *testing.T) {
 other: changeprofile3,
 want: true,
 },
+ {
+ name: "mqueue",
+ rule: mqueue1,
+ other: mqueue2,
+ want: true,
+ },
+ {
+ name: "iouring",
+ rule: iouring1,
+ other: iouring2,
+ want: false,
+ },
 {
 name: "signal",
 rule: signal1,
@@ -279,6 +327,18 @@ func TestRules_Less(t *testing.T) {
 other: link2,
 want: true,
 },
+ {
+ name: "profile",
+ rule: profile1,
+ other: profile2,
+ want: true,
+ },
+ {
+ name: "hat",
+ rule: hat1,
+ other: hat2,
+ want: false,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
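Review bot: Every row added to TestRules_Less checks a single argument order, so the table cannot distinguish a strict ordering from a comparator that answers the same way for both orders; the `comment`, `abi`, `all`, `iouring` and `hat` rows all expect `false` and would also pass if Less never ordered those rule kinds at all. Add the mirrored call for each new pair, e.g. `{name: "hat/reverse", rule: hat2, other: hat1, want: true}` and `{name: "abi/reverse", rule: abi2, other: abi1, want: true}`, so antisymmetry is pinned for each type. If Less is what sorts rules when a profile is emitted (not visible in this hunk), a comparator that is not antisymmetric makes that output order depend on the input order, which is exactly the kind of nondeterminism a rule-comparison test should catch. The body of TestRules_Less starts before and ends after this hunk.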
@@ -298,17 +358,53 @@ func TestRules_Equals(t *testing.T) {
 want bool
 }{
 {
- name: "include1",
+ name: "comment",
+ rule: comment1,
+ other: comment2,
+ want: false,
+ },
+ {
+ name: "abi",
+ rule: abi1,
+ other: abi1,
+ want: true,
+ },
+ {
+ name: "alias",
+ rule: alias1,
+ other: alias2,
+ want: false,
+ },
+ {
+ name: "include",
 rule: include1,
 other: includeLocal1,
 want: false,
 },
+ {
+ name: "variable",
+ rule: variable1,
+ other: variable2,
+ want: false,
+ },
+ {
+ name: "all",
+ rule: all1,
+ other: all2,
+ want: false,
+ },
 {
 name: "rlimit",
 rule: rlimit1,
 other: rlimit1,
 want: true,
 },
+ {
+ name: "userns",
+ rule: userns1,
+ other: userns1,
+ want: true,
+ },
 {
 name: "capability/equal",
 rule: capability1,
@@ -324,7 +420,19 @@ func TestRules_Equals(t *testing.T) {
 {
 name: "mount",
 rule: mount1,
- other: mount1,
+ other: mount2,
+ want: false,
+ },
+ {
+ name: "remount",
+ rule: remount2,
+ other: remount2,
+ want: true,
+ },
+ {
+ name: "umount",
+ rule: umount1,
+ other: umount1,
 want: true,
 },
 {
@@ -339,6 +447,18 @@ func TestRules_Equals(t *testing.T) {
 other: changeprofile2,
 want: false,
 },
+ {
+ name: "mqueue",
+ rule: mqueue1,
+ other: mqueue1,
+ want: true,
+ },
+ {
+ name: "iouring",
+ rule: iouring1,
+ other: iouring2,
+ want: false,
+ },
 {
 name: "signal1/equal",
 rule: signal1,
@@ -381,6 +501,18 @@ func TestRules_Equals(t *testing.T) {
 other: link3,
 want: false,
 },
+ {
+ name: "profile",
+ rule: profile1,
+ other: profile1,
+ want: true,
+ },
+ {
+ name: "hat",
+ rule: hat1,
+ other: hat1,
+ want: true,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -399,7 +531,22 @@ func TestRules_String(t *testing.T) {
 want string
 }{
 {
- name: "include1",
+ name: "comment",
+ rule: comment1,
+ want: "#comment",
+ },
+ {
+ name: "abi",
+ rule: abi1,
+ want: "abi ,",
+ },
+ {
+ name: "alias",
+ rule: alias1,
+ want: "alias /mnt/usr -> /usr,",
+ },
+ {
+ name: "include",
 rule: include1,
 want: "include ",
 },
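Review bot: The positive rows added to TestRules_Equals all compare a fixture with itself (`abi1`/`abi1`, `userns1`/`userns1`, `remount2`/`remount2`, `umount1`/`umount1`, `mqueue1`/`mqueue1`, `profile1`/`profile1`, `hat1`/`hat1`), which an Equals that short-circuits on pointer identity would satisfy without reading a single field. Build the second operand as a fresh literal instead, e.g. `other: &Abi{IsMagic: true, Path: "abi/4.0"}` and `other: &Umount{MountPoint: "/"}`, so structural equality is what gets tested. Changing the `mount` row from `mount1`/`mount1` to `mount1`/`mount2` also removes the only positive mount case; keep a `mount/equal` row next to the new `mount/notequal` one. If Equals is used to deduplicate rules before a profile is written (outside this hunk), an over-broad Equals would silently drop a distinct mount or io_uring rule, which is the failure these tables should be able to catch.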
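Review bot: In the TestRules_String hunk the expected strings read `want: "abi ,",` and `want: "include ",` with nothing between the keyword and the comma, which is not a rule form the AppArmor parser accepts; an `abi` or `include` line needs its magic path, i.e. `abi <abi/4.0>,` for `abi1` and `include <abstraction/base>` for `include1`. The same gap appears in the unchanged `include` context line, so this is more likely the angle-bracketed path being stripped when the page was rendered than a defect in the commit; verify the literal in the actual file before touching it, and if the brackets really are missing, the test currently pins invalid output.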
@@ -413,11 +560,26 @@ func TestRules_String(t *testing.T) {
 rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false},
 want: `include "/usr/share/apparmor.d/"`,
 },
+ {
+ name: "variable",
+ rule: variable1,
+ want: "@{bin} = /{,usr/}{,s}bin",
+ },
+ {
+ name: "all",
+ rule: all1,
+ want: "all,",
+ },
 {
 name: "rlimit",
 rule: rlimit1,
 want: "set rlimit nproc <= 200,",
 },
+ {
+ name: "userns",
+ rule: userns1,
+ want: "userns,",
+ },
 {
 name: "capability",
 rule: capability1,
@@ -443,6 +605,16 @@ func TestRules_String(t *testing.T) {
 rule: mount1,
 want: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check",
 },
+ {
+ name: "remount",
+ rule: remount1,
+ want: "remount /,",
+ },
+ {
+ name: "umount",
+ rule: umount1,
+ want: "umount /,",
+ },
 {
 name: "pivot_root",
 rule: pivotroot1,
@@ -453,6 +625,16 @@ func TestRules_String(t *testing.T) {
 rule: changeprofile1,
 want: "change_profile -> systemd-user,",
 },
+ {
+ name: "mqeue",
+ rule: mqueue1,
+ want: "mqueue r type=posix /,",
+ },
+ {
+ name: "iouring",
+ rule: iouring1,
+ want: "io_uring sqpoll label=foo,",
+ },
 {
 name: "signal",
 rule: signal1,
@@ -496,6 +678,11 @@ func TestRules_String(t *testing.T) {
 rule: link3,
 want: "owner link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#3954,",
 },
+ {
+ name: "hat",
+ rule: hat1,
+ want: "hat user {\n}",
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
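Review bot: The row added at `name: "mqeue",` misspells the rule keyword; every other row is named after the rule type it exercises, and the typo means `go test -run TestRules_String/mqueue` silently skips this case. Rename it to `name: "mqueue",`. The hunk also adds no String row for `profile1`/`profile2` although the data_test.go hunk above defines them and they gained Less and Equals rows; a `{name: "profile", rule: profile1, want: ...}` entry with the real header rendering (which I cannot see from here) would keep the three tables in step, as the `hat` row at the end of this hunk already does for Hat.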