mirrors/apparmor.d
1
0
Fork 0
mirror of https://github.com/roddhjav/apparmor.d.git synced 2025-01-30 14:55:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(aa): add more unit tests.

Browse source
This commit is contained in:
Alexandre Pujol 2024-05-28 18:23:37 +01:00
parent e33c1243cc
commit fe4c86a245
Failed to generate hash of commit
2 changed files with 249 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
pkg/aa/data_test.go
View file

@ -5,17 +5,41 @@
package aa package aa
var ( var (
// Comment
comment1 = &Comment{RuleBase: RuleBase{Comment: "comment", IsLineRule: true}}
comment2 = &Comment{RuleBase: RuleBase{Comment: "another comment", IsLineRule: true}}
// Abi
abi1 = &Abi{IsMagic: true, Path: "abi/4.0"}
abi2 = &Abi{IsMagic: true, Path: "abi/3.0"}
// Alias
alias1 = &Alias{Path: "/mnt/usr", RewrittenPath: "/usr"}
alias2 = &Alias{Path: "/mnt/var", RewrittenPath: "/var"}
// Include // Include
include1 = &Include{IsMagic: true, Path: "abstraction/base"} include1 = &Include{IsMagic: true, Path: "abstraction/base"}
include2 = &Include{IsMagic: false, Path: "abstraction/base"} include2 = &Include{IsMagic: false, Path: "abstraction/base"}
include3 = &Include{IfExists: true, IsMagic: true, Path: "abstraction/base"} include3 = &Include{IfExists: true, IsMagic: true, Path: "abstraction/base"}
includeLocal1 = &Include{IfExists: true, IsMagic: true, Path: "local/foo"} includeLocal1 = &Include{IfExists: true, IsMagic: true, Path: "local/foo"}
// Variable
variable1 = &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}
variable2 = &Variable{Name: "exec_path", Values: []string{"@{bin}/foo", "@{lib}/foo"}, Define: true}
// All
all1 = &All{}
all2 = &All{RuleBase: RuleBase{Comment: "comment"}}
// Rlimit // Rlimit
rlimit1 = &Rlimit{Key: "nproc", Op: "<=", Value: "200"} rlimit1 = &Rlimit{Key: "nproc", Op: "<=", Value: "200"}
rlimit2 = &Rlimit{Key: "cpu", Op: "<=", Value: "2"} rlimit2 = &Rlimit{Key: "cpu", Op: "<=", Value: "2"}
rlimit3 = &Rlimit{Key: "nproc", Op: "<", Value: "2"} rlimit3 = &Rlimit{Key: "nproc", Op: "<", Value: "2"}
// Userns
userns1 = &Userns{Create: true}
userns2 = &Userns{}
// Capability // Capability
capability1Log = map[string]string{ capability1Log = map[string]string{
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
@ -83,8 +107,12 @@ var (
MountPoint: "/newroot/dev/tty", MountPoint: "/newroot/dev/tty",
} }
// Remount
remount1 = &Remount{MountPoint: "/"}
remount2 = &Remount{MountPoint: "/{,**}/"}
// Umount // Umount
umount1Log = map[string]string{ umount1Log = map[string]string{
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
"class": "mount", "class": "mount",
"operation": "umount", "operation": "umount",
@ -96,7 +124,6 @@ var (
umount2 = &Umount{MountPoint: "/oldroot/"} umount2 = &Umount{MountPoint: "/oldroot/"}
// PivotRoot // PivotRoot
// pivotroot1LogStr = `apparmor="ALLOWED" operation="pivotroot" class="mount" profile="systemd" name="@{run}/systemd/mount-rootfs/" comm="(ostnamed)" srcname="@{run}/systemd/mount-rootfs/"`
pivotroot1Log = map[string]string{ pivotroot1Log = map[string]string{
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
"class": "mount", "class": "mount",
@ -120,7 +147,6 @@ var (
} }
// Change Profile // Change Profile
// changeprofile1LogStr = `apparmor="ALLOWED" operation="change_onexec" class="file" profile="systemd" name="systemd-user" comm="(systemd)" target="systemd-user"`
changeprofile1Log = map[string]string{ changeprofile1Log = map[string]string{
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
"class": "file", "class": "file",
@ -134,6 +160,14 @@ var (
changeprofile2 = &ChangeProfile{ProfileName: "brwap"} changeprofile2 = &ChangeProfile{ProfileName: "brwap"}
changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/bash", ProfileName: "brwap//default"} changeprofile3 = &ChangeProfile{ExecMode: "safe", Exec: "/bin/bash", ProfileName: "brwap//default"}
// Mqueue
mqueue1 = &Mqueue{Access: []string{"r"}, Type: "posix", Name: "/"}
mqueue2 = &Mqueue{Access: []string{"r"}, Type: "sysv", Name: "/"}
// IO Uring
iouring1 = &IOUring{Access: []string{"sqpoll"}, Label: "foo"}
iouring2 = &IOUring{Access: []string{"override_creds"}}
// Signal // Signal
signal1Log = map[string]string{ signal1Log = map[string]string{
"apparmor": "ALLOWED", "apparmor": "ALLOWED",
@ -335,4 +369,26 @@ var (
Path: "@{user_config_dirs}/kiorc", Path: "@{user_config_dirs}/kiorc",
Target: "@{user_config_dirs}/#3954", Target: "@{user_config_dirs}/#3954",
} }
// Profile
profile1 = &Profile{
Header: Header{
Name: "sudo",
Attachments: []string{},
Attributes: map[string]string{},
Flags: []string{},
},
}
profile2 = &Profile{
Header: Header{
Name: "systemctl",
Attachments: []string{},
Attributes: map[string]string{},
Flags: []string{},
},
}
// Hat
hat1 = &Hat{Name: "user"}
hat2 = &Hat{Name: "root"}
) )

193
pkg/aa/rules_test.go
View file

@ -117,6 +117,18 @@ func TestRules_Less(t *testing.T) {
other Rule other Rule
want bool want bool
}{ }{
{
name: "comment",
rule: comment1,
other: comment2,
want: false,
},
{
name: "abi",
rule: abi1,
other: abi2,
want: false,
},
{ {
name: "include1", name: "include1",
rule: include1, rule: include1,
@ -135,6 +147,18 @@ func TestRules_Less(t *testing.T) {
other: include3, other: include3,
want: false, want: false,
}, },
{
name: "variable",
rule: variable2,
other: variable1,
want: false,
},
{
name: "all",
rule: all1,
other: all2,
want: false,
},
{ {
name: "rlimit", name: "rlimit",
rule: rlimit1, rule: rlimit1,
@ -153,6 +177,12 @@ func TestRules_Less(t *testing.T) {
other: rlimit3, other: rlimit3,
want: false, want: false,
}, },
{
name: "userns",
rule: userns1,
other: userns2,
want: true,
},
{ {
name: "capability", name: "capability",
rule: capability1, rule: capability1,
@ -171,6 +201,12 @@ func TestRules_Less(t *testing.T) {
other: mount2, other: mount2,
want: false, want: false,
}, },
{
name: "remount",
rule: remount1,
other: remount2,
want: true,
},
{ {
name: "umount", name: "umount",
rule: umount1, rule: umount1,
@ -201,6 +237,18 @@ func TestRules_Less(t *testing.T) {
other: changeprofile3, other: changeprofile3,
want: true, want: true,
}, },
{
name: "mqueue",
rule: mqueue1,
other: mqueue2,
want: true,
},
{
name: "iouring",
rule: iouring1,
other: iouring2,
want: false,
},
{ {
name: "signal", name: "signal",
rule: signal1, rule: signal1,
@ -279,6 +327,18 @@ func TestRules_Less(t *testing.T) {
other: link2, other: link2,
want: true, want: true,
}, },
{
name: "profile",
rule: profile1,
other: profile2,
want: true,
},
{
name: "hat",
rule: hat1,
other: hat2,
want: false,
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -298,17 +358,53 @@ func TestRules_Equals(t *testing.T) {
want bool want bool
}{ }{
{ {
name: "include1", name: "comment",
rule: comment1,
other: comment2,
want: false,
},
{
name: "abi",
rule: abi1,
other: abi1,
want: true,
},
{
name: "alias",
rule: alias1,
other: alias2,
want: false,
},
{
name: "include",
rule: include1, rule: include1,
other: includeLocal1, other: includeLocal1,
want: false, want: false,
}, },
{
name: "variable",
rule: variable1,
other: variable2,
want: false,
},
{
name: "all",
rule: all1,
other: all2,
want: false,
},
{ {
name: "rlimit", name: "rlimit",
rule: rlimit1, rule: rlimit1,
other: rlimit1, other: rlimit1,
want: true, want: true,
}, },
{
name: "userns",
rule: userns1,
other: userns1,
want: true,
},
{ {
name: "capability/equal", name: "capability/equal",
rule: capability1, rule: capability1,
@ -324,7 +420,19 @@ func TestRules_Equals(t *testing.T) {
{ {
name: "mount", name: "mount",
rule: mount1, rule: mount1,
other: mount1, other: mount2,
want: false,
},
{
name: "remount",
rule: remount2,
other: remount2,
want: true,
},
{
name: "umount",
rule: umount1,
other: umount1,
want: true, want: true,
}, },
{ {
@ -339,6 +447,18 @@ func TestRules_Equals(t *testing.T) {
other: changeprofile2, other: changeprofile2,
want: false, want: false,
}, },
{
name: "mqueue",
rule: mqueue1,
other: mqueue1,
want: true,
},
{
name: "iouring",
rule: iouring1,
other: iouring2,
want: false,
},
{ {
name: "signal1/equal", name: "signal1/equal",
rule: signal1, rule: signal1,
@ -381,6 +501,18 @@ func TestRules_Equals(t *testing.T) {
other: link3, other: link3,
want: false, want: false,
}, },
{
name: "profile",
rule: profile1,
other: profile1,
want: true,
},
{
name: "hat",
rule: hat1,
other: hat1,
want: true,
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -399,7 +531,22 @@ func TestRules_String(t *testing.T) {
want string want string
}{ }{
{ {
name: "include1", name: "comment",
rule: comment1,
want: "#comment",
},
{
name: "abi",
rule: abi1,
want: "abi <abi/4.0>,",
},
{
name: "alias",
rule: alias1,
want: "alias /mnt/usr -> /usr,",
},
{
name: "include",
rule: include1, rule: include1,
want: "include <abstraction/base>", want: "include <abstraction/base>",
}, },
@ -413,11 +560,26 @@ func TestRules_String(t *testing.T) {
rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false}, rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false},
want: `include "/usr/share/apparmor.d/"`, want: `include "/usr/share/apparmor.d/"`,
}, },
{
name: "variable",
rule: variable1,
want: "@{bin} = /{,usr/}{,s}bin",
},
{
name: "all",
rule: all1,
want: "all,",
},
{ {
name: "rlimit", name: "rlimit",
rule: rlimit1, rule: rlimit1,
want: "set rlimit nproc <= 200,", want: "set rlimit nproc <= 200,",
}, },
{
name: "userns",
rule: userns1,
want: "userns,",
},
{ {
name: "capability", name: "capability",
rule: capability1, rule: capability1,
@ -443,6 +605,16 @@ func TestRules_String(t *testing.T) {
rule: mount1, rule: mount1,
want: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check", want: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check",
}, },
{
name: "remount",
rule: remount1,
want: "remount /,",
},
{
name: "umount",
rule: umount1,
want: "umount /,",
},
{ {
name: "pivot_root", name: "pivot_root",
rule: pivotroot1, rule: pivotroot1,
@ -453,6 +625,16 @@ func TestRules_String(t *testing.T) {
rule: changeprofile1, rule: changeprofile1,
want: "change_profile -> systemd-user,", want: "change_profile -> systemd-user,",
}, },
{
name: "mqeue",
rule: mqueue1,
want: "mqueue r type=posix /,",
},
{
name: "iouring",
rule: iouring1,
want: "io_uring sqpoll label=foo,",
},
{ {
name: "signal", name: "signal",
rule: signal1, rule: signal1,
@ -496,6 +678,11 @@ func TestRules_String(t *testing.T) {
rule: link3, rule: link3,
want: "owner link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#3954,", want: "owner link @{user_config_dirs}/kiorc -> @{user_config_dirs}/#3954,",
}, },
{
name: "hat",
rule: hat1,
want: "hat user {\n}",
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {