2016-10-01 20:57:09 +02:00
|
|
|
#! /usr/bin/python3
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
# ------------------------------------------------------------------
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2014 Canonical Ltd.
|
|
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
|
# modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
# License published by the Free Software Foundation.
|
|
|
|
|
#
|
|
|
|
|
# ------------------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
import apparmor.aa as aa
|
|
|
|
|
import unittest
|
2017-03-02 21:21:53 +00:00
|
|
|
from common_test import AATest, setup_all_loops, setup_aa
|
2015-06-19 21:41:41 +02:00
|
|
|
from apparmor.common import AppArmorBug, AppArmorException
|
2015-04-02 11:42:28 +02:00
|
|
|
|
2016-05-23 23:17:37 +02:00
|
|
|
from apparmor.regex import ( strip_parenthesis, strip_quotes, parse_profile_start_line, re_match_include,
|
|
|
|
|
RE_PROFILE_START, RE_PROFILE_DBUS, RE_PROFILE_CAP, RE_PROFILE_PTRACE, RE_PROFILE_SIGNAL )
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
|
|
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexTest(AATest):
|
|
|
|
|
def _run_test(self, params, expected):
|
2015-04-22 22:01:34 +02:00
|
|
|
return _regex_test(self, params, expected)
|
2015-03-31 22:31:36 +02:00
|
|
|
|
2015-04-02 11:42:28 +02:00
|
|
|
class AANamedRegexTest(AATest):
|
|
|
|
|
def _run_test(self, line, expected):
|
|
|
|
|
'''Run a line through self.regex.search() and verify the result
|
|
|
|
|
|
|
|
|
|
Keyword arguments:
|
|
|
|
|
line -- the line to search
|
|
|
|
|
expected -- False if the search isn't expected to match or, if the search
|
|
|
|
|
is expected to match, a tuple of expected match groups.
|
|
|
|
|
'''
|
|
|
|
|
matches = self.regex.search(line)
|
|
|
|
|
if not expected:
|
|
|
|
|
self.assertFalse(matches)
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
self.assertTrue(matches)
|
|
|
|
|
|
|
|
|
|
for exp in expected:
|
|
|
|
|
match = matches.group(exp)
|
|
|
|
|
if match:
|
|
|
|
|
match = match
|
|
|
|
|
self.assertEqual(match, expected[exp], 'Group %s mismatch in rule %s' % (exp,line))
|
|
|
|
|
|
|
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
|
|
|
|
|
class AARegexHasComma(AATest):
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
'''Tests for apparmor.aa.RE_RULE_HAS_COMMA'''
|
|
|
|
|
|
|
|
|
|
def _check(self, line, expected=True):
|
|
|
|
|
result = aa.RE_RULE_HAS_COMMA.search(line)
|
|
|
|
|
if expected:
|
|
|
|
|
self.assertTrue(result, 'Couldn\'t find a comma in "%s"' % line)
|
|
|
|
|
else:
|
|
|
|
|
self.assertEqual(None, result, 'Found an unexpected comma in "%s"' % line)
|
|
|
|
|
|
|
|
|
|
regex_has_comma_testcases = [
|
|
|
|
|
('dbus send%s', 'simple'),
|
|
|
|
|
('dbus (r, w, bind, eavesdrop)%s', 'embedded parens 01'),
|
|
|
|
|
('dbus (r, w,, bind, eavesdrop) %s', 'embedded parens 02'),
|
|
|
|
|
('dbus (r, w,, ) %s', 'embedded parens 03'),
|
|
|
|
|
('dbus () %s', 'empty parens'),
|
|
|
|
|
('member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} %s ', 'embedded curly braces 01'),
|
|
|
|
|
('member={Hello,,,,,,AddMatch,,,NameHasOwner,StartServiceByName} %s ', 'embedded curly braces 02'),
|
|
|
|
|
('member={,Hello,,,,,,AddMatch,,,NameHasOwner,} %s ', 'embedded curly braces 03'),
|
|
|
|
|
('member={} %s ', 'empty curly braces'),
|
|
|
|
|
('dbus send%s# this is a comment', 'comment 01'),
|
|
|
|
|
('dbus send%s# this is a comment,', 'comment 02'),
|
|
|
|
|
('audit "/tmp/foo, bar" rw%s', 'quotes 01'),
|
|
|
|
|
('audit "/tmp/foo, bar" rw%s # comment', 'quotes 02'),
|
|
|
|
|
('audit "/tmp/foo, # bar" rw%s', 'comment embedded in quote 01'),
|
|
|
|
|
('audit "/tmp/foo, # bar" rw%s # comment', 'comment embedded in quote 02'),
|
|
|
|
|
|
|
|
|
|
# lifted from parser/tst/simple_tests/vars/vars_alternation_3.sd
|
2014-04-23 15:39:14 -05:00
|
|
|
('/does/not/@{BAR},exist,notexist} r%s', 'partial alternation'),
|
|
|
|
|
|
|
|
|
|
('signal%s', 'bare signal'),
|
|
|
|
|
('signal receive%s', 'simple signal'),
|
|
|
|
|
('signal (send, receive)%s', 'embedded parens signal 01'),
|
|
|
|
|
('signal (send, receive) set=(hup, quit)%s', 'embedded parens signal 02'),
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
|
2014-04-23 15:40:20 -05:00
|
|
|
('ptrace%s', 'bare ptrace'),
|
|
|
|
|
('ptrace trace%s', 'simple ptrace'),
|
|
|
|
|
('ptrace (tracedby, readby)%s', 'embedded parens ptrace 01'),
|
|
|
|
|
('ptrace (trace) peer=/usr/bin/foo%s', 'embedded parens ptrace 02'),
|
|
|
|
|
|
2014-04-23 15:41:03 -05:00
|
|
|
('pivot_root%s', 'bare pivot_root'),
|
|
|
|
|
('pivot_root /old%s', 'pivot_root with old'),
|
|
|
|
|
('pivot_root /old new%s', 'pivot_root with new'),
|
|
|
|
|
('pivot_root /old /new -> child%s', 'pivot_root with child'),
|
|
|
|
|
|
2014-09-03 18:18:33 -07:00
|
|
|
('unix%s', 'bare unix'),
|
|
|
|
|
('unix create%s', 'simple unix'),
|
|
|
|
|
('peer=(addr=@abad1dea,label=a_profile) %s ', 'peer parens and comma'),
|
|
|
|
|
('type=stream%s', 'unix type'),
|
|
|
|
|
('unix (connect, receive, send)%s', 'unix perms'),
|
|
|
|
|
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
# the following fail due to inadequacies in the regex
|
|
|
|
|
# ('dbus (r, w, %s', 'incomplete dbus action'),
|
|
|
|
|
# ('member="{Hello,AddMatch,RemoveMatch, %s', 'incomplete {} regex'), # also invalid policy
|
|
|
|
|
# ('member={Hello,AddMatch,RemoveMatch, %s', 'incomplete {} regex'), # also invalid policy when trailing comma exists
|
|
|
|
|
|
|
|
|
|
# the following passes the tests, but variable declarations are
|
|
|
|
|
# odd in that they *don't* allow trailing commas; commas at the end
|
|
|
|
|
# of the line need to be quoted.
|
|
|
|
|
# ('@{BAR}={bar,baz,blort %s', 'tricksy variable declaration')
|
|
|
|
|
# ('@{BAR}="{bar,baz,blort," %s', 'tricksy variable declaration')
|
|
|
|
|
# The following fails the no comma test, but is invalid
|
|
|
|
|
# ('@{BAR}={bar,baz,blort, %s', 'tricksy variable declaration')
|
|
|
|
|
# The following fails the comma test, because it's really a no comma situation
|
|
|
|
|
# ('@{BAR}="{bar,baz,blort%s" ', 'tricksy variable declaration')
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def setup_has_comma_testcases():
|
|
|
|
|
i = 0
|
|
|
|
|
for (test_string, description) in regex_has_comma_testcases:
|
|
|
|
|
i += 1
|
|
|
|
|
def stub_test_comma(self, test_string=test_string):
|
|
|
|
|
self._check(test_string % ',')
|
|
|
|
|
def stub_test_no_comma(self, test_string=test_string):
|
|
|
|
|
self._check(test_string % ' ', False)
|
|
|
|
|
stub_test_comma.__doc__ = "test %s (w/comma)" % (description)
|
|
|
|
|
stub_test_no_comma.__doc__ = "test %s (no comma)" % (description)
|
|
|
|
|
setattr(AARegexHasComma, 'test_comma_%d' % (i), stub_test_comma)
|
|
|
|
|
setattr(AARegexHasComma, 'test_no_comma_%d' % (i), stub_test_no_comma)
|
|
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexSplitComment(AATest):
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
'''Tests for RE_HAS_COMMENT_SPLIT'''
|
|
|
|
|
|
|
|
|
|
def _check(self, line, expected, comment=None, not_comment=None):
|
|
|
|
|
result = aa.RE_HAS_COMMENT_SPLIT.search(line)
|
|
|
|
|
if expected:
|
|
|
|
|
self.assertTrue(result, 'Couldn\'t find a comment in "%s"' % line)
|
|
|
|
|
self.assertEqual(result.group('comment'), comment, 'Expected comment "%s", got "%s"'
|
|
|
|
|
% (comment, result.group('comment')))
|
|
|
|
|
self.assertEqual(result.group('not_comment'), not_comment, 'Expected not comment "%s", got "%s"'
|
|
|
|
|
% (not_comment, result.group('not_comment')))
|
|
|
|
|
else:
|
|
|
|
|
self.assertEqual(None, result, 'Found an unexpected comment "%s" in "%s"'
|
|
|
|
|
% ("" if result is None else result.group('comment'), line ))
|
|
|
|
|
|
|
|
|
|
# Tuples of (string, expected result), where expected result is False if
|
|
|
|
|
# the string should not be considered as having a comment, or a second
|
|
|
|
|
# tuple of the not comment and comment sections split apart
|
|
|
|
|
regex_split_comment_testcases = [
|
|
|
|
|
('dbus send # this is a comment', ('dbus send ', '# this is a comment')),
|
|
|
|
|
('dbus send member=no_comment', False),
|
|
|
|
|
('dbus send member=no_comment, ', False),
|
|
|
|
|
('audit "/tmp/foo, # bar" rw', False),
|
|
|
|
|
('audit "/tmp/foo, # bar" rw # comment', ('audit "/tmp/foo, # bar" rw ', '# comment')),
|
2014-04-03 21:58:59 -05:00
|
|
|
('file,', False),
|
|
|
|
|
('file, # bare', ('file, ', '# bare')),
|
|
|
|
|
('file /tmp/foo rw, # read-write', ('file /tmp/foo rw, ', '# read-write')),
|
2014-04-23 15:39:14 -05:00
|
|
|
('signal, # comment', ('signal, ', '# comment')),
|
|
|
|
|
('signal receive set=(usr1 usr2) peer=foo,', False),
|
2014-04-23 15:40:20 -05:00
|
|
|
('ptrace, # comment', ('ptrace, ', '# comment')),
|
|
|
|
|
('ptrace (trace read) peer=/usr/bin/foo,', False),
|
2014-04-23 15:41:03 -05:00
|
|
|
('pivot_root, # comment', ('pivot_root, ', '# comment')),
|
|
|
|
|
('pivot_root /old /new -> child,', False),
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def setup_split_comment_testcases():
|
|
|
|
|
i = 0
|
|
|
|
|
for (test_string, result) in regex_split_comment_testcases:
|
|
|
|
|
i += 1
|
|
|
|
|
def stub_test(self, test_string=test_string, result=result):
|
|
|
|
|
if result is False:
|
|
|
|
|
self._check(test_string, False)
|
|
|
|
|
else:
|
|
|
|
|
self._check(test_string, True, not_comment=result[0], comment=result[1])
|
|
|
|
|
stub_test.__doc__ = "test '%s'" % (test_string)
|
|
|
|
|
setattr(AARegexSplitComment, 'test_split_comment_%d' % (i), stub_test)
|
|
|
|
|
|
2014-03-20 12:38:37 -07:00
|
|
|
|
2015-04-22 22:01:34 +02:00
|
|
|
def _regex_test(self, line, expected):
|
2014-04-23 16:41:44 -05:00
|
|
|
'''Run a line through self.regex.search() and verify the result
|
2014-03-20 12:38:37 -07:00
|
|
|
|
2014-04-23 16:41:44 -05:00
|
|
|
Keyword arguments:
|
|
|
|
|
line -- the line to search
|
|
|
|
|
expected -- False if the search isn't expected to match or, if the search
|
|
|
|
|
is expected to match, a tuple of expected match groups with all
|
|
|
|
|
of the strings stripped
|
|
|
|
|
'''
|
|
|
|
|
result = self.regex.search(line)
|
|
|
|
|
if not expected:
|
|
|
|
|
self.assertFalse(result)
|
|
|
|
|
return
|
2014-03-20 12:38:37 -07:00
|
|
|
|
2014-04-23 16:41:44 -05:00
|
|
|
self.assertTrue(result)
|
2014-03-20 12:38:37 -07:00
|
|
|
|
2014-04-23 16:41:44 -05:00
|
|
|
groups = result.groups()
|
|
|
|
|
self.assertEqual(len(groups), len(expected))
|
|
|
|
|
for (i, group) in enumerate(groups):
|
|
|
|
|
if group:
|
|
|
|
|
group = group.strip()
|
2014-10-01 21:45:22 +02:00
|
|
|
self.assertEqual(group, expected[i], 'Group %d mismatch in rule %s' % (i,line))
|
2014-03-20 12:38:37 -07:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2014-04-03 21:58:59 -05:00
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexCapability(AARegexTest):
|
2014-04-23 16:41:44 -05:00
|
|
|
'''Tests for RE_PROFILE_CAP'''
|
2014-04-03 21:58:59 -05:00
|
|
|
|
2015-04-28 23:37:49 +02:00
|
|
|
def AASetup(self):
|
2015-04-26 22:02:01 +02:00
|
|
|
self.regex = RE_PROFILE_CAP
|
2014-04-03 21:58:59 -05:00
|
|
|
|
2014-04-23 16:41:44 -05:00
|
|
|
tests = [
|
2014-10-01 21:45:22 +02:00
|
|
|
(' capability net_raw,', (None, None, 'net_raw', 'net_raw', None)),
|
|
|
|
|
('capability net_raw , ', (None, None, 'net_raw', 'net_raw', None)),
|
|
|
|
|
(' capability,', (None, None, None, None, None)),
|
|
|
|
|
(' capability , ', (None, None, None, None, None)),
|
2014-04-23 16:41:44 -05:00
|
|
|
(' capabilitynet_raw,', False)
|
|
|
|
|
]
|
2014-04-03 21:58:59 -05:00
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexDbus(AARegexTest):
|
2014-04-26 13:10:44 +02:00
|
|
|
'''Tests for RE_PROFILE_DBUS'''
|
|
|
|
|
|
2015-04-28 23:37:49 +02:00
|
|
|
def AASetup(self):
|
2016-05-23 23:17:37 +02:00
|
|
|
self.regex = RE_PROFILE_DBUS
|
2014-04-26 13:10:44 +02:00
|
|
|
|
|
|
|
|
tests = [
|
2016-05-23 23:10:48 +02:00
|
|
|
(' dbus,', (None, None, 'dbus,', None, None)),
|
|
|
|
|
(' audit dbus,', ('audit', None, 'dbus,', None, None)),
|
|
|
|
|
(' dbus send member=no_comment,', (None, None, 'dbus send member=no_comment,', 'send member=no_comment', None)),
|
|
|
|
|
(' dbus send member=no_comment, # comment', (None, None, 'dbus send member=no_comment,', 'send member=no_comment', '# comment')),
|
2014-04-26 13:10:44 +02:00
|
|
|
|
|
|
|
|
(' dbusdriver,', False),
|
|
|
|
|
(' audit dbusdriver,', False),
|
|
|
|
|
]
|
|
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexMount(AARegexTest):
|
2014-04-26 13:10:44 +02:00
|
|
|
'''Tests for RE_PROFILE_MOUNT'''
|
|
|
|
|
|
2015-04-28 23:37:49 +02:00
|
|
|
def AASetup(self):
|
2014-09-03 18:22:04 -07:00
|
|
|
self.regex = aa.RE_PROFILE_MOUNT
|
2014-04-26 13:10:44 +02:00
|
|
|
|
|
|
|
|
tests = [
|
|
|
|
|
(' mount,', (None, None, 'mount,', 'mount', None, None)),
|
|
|
|
|
(' audit mount,', ('audit', None, 'mount,', 'mount', None, None)),
|
|
|
|
|
(' umount,', (None, None, 'umount,', 'umount', None, None)),
|
|
|
|
|
(' audit umount,', ('audit', None, 'umount,', 'umount', None, None)),
|
2014-06-03 16:23:30 -05:00
|
|
|
(' unmount,', (None, None, 'unmount,', 'unmount', None, None)),
|
|
|
|
|
(' audit unmount,', ('audit', None, 'unmount,', 'unmount', None, None)),
|
2014-04-26 13:10:44 +02:00
|
|
|
(' remount,', (None, None, 'remount,', 'remount', None, None)),
|
|
|
|
|
(' deny remount,', (None, 'deny', 'remount,', 'remount', None, None)),
|
|
|
|
|
|
|
|
|
|
(' mount, # comment', (None, None, 'mount,', 'mount', None, '# comment')),
|
|
|
|
|
|
|
|
|
|
(' mountain,', False),
|
|
|
|
|
(' audit mountain,', False),
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexSignal(AARegexTest):
|
2014-04-23 15:39:14 -05:00
|
|
|
'''Tests for RE_PROFILE_SIGNAL'''
|
|
|
|
|
|
2015-04-28 23:37:49 +02:00
|
|
|
def AASetup(self):
|
2015-11-24 00:07:06 +01:00
|
|
|
self.regex = RE_PROFILE_SIGNAL
|
2014-04-23 16:41:44 -05:00
|
|
|
|
|
|
|
|
tests = [
|
2015-11-23 23:46:32 +01:00
|
|
|
(' signal,', (None, None, 'signal,', None, None)),
|
|
|
|
|
(' audit signal,', ('audit', None, 'signal,', None, None)),
|
|
|
|
|
(' signal receive,', (None, None, 'signal receive,', 'receive', None)),
|
|
|
|
|
(' signal (send, receive),', (None, None, 'signal (send, receive),', '(send, receive)', None)),
|
|
|
|
|
(' audit signal (receive),', ('audit', None, 'signal (receive),', '(receive)', None)),
|
|
|
|
|
(' signal (send, receive) set=(usr1 usr2),', (None, None, 'signal (send, receive) set=(usr1 usr2),', '(send, receive) set=(usr1 usr2)', None)),
|
|
|
|
|
(' signal send set=(hup, quit) peer=/usr/sbin/daemon,', (None, None, 'signal send set=(hup, quit) peer=/usr/sbin/daemon,',
|
|
|
|
|
'send set=(hup, quit) peer=/usr/sbin/daemon', None)),
|
2014-04-26 13:10:44 +02:00
|
|
|
|
|
|
|
|
(' signalling,', False),
|
|
|
|
|
(' audit signalling,', False),
|
|
|
|
|
(' signalling receive,', False),
|
2014-04-23 16:41:44 -05:00
|
|
|
]
|
|
|
|
|
|
2014-04-23 15:39:14 -05:00
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexPtrace(AARegexTest):
|
2014-04-23 15:40:20 -05:00
|
|
|
'''Tests for RE_PROFILE_PTRACE'''
|
|
|
|
|
|
2015-04-28 23:37:49 +02:00
|
|
|
def AASetup(self):
|
2015-12-27 01:16:55 +01:00
|
|
|
self.regex = RE_PROFILE_PTRACE
|
2014-04-23 16:41:44 -05:00
|
|
|
|
|
|
|
|
tests = [
|
2015-12-27 01:14:54 +01:00
|
|
|
# audit allow rule rule details comment
|
|
|
|
|
(' ptrace,', (None, None, 'ptrace,', None, None)),
|
|
|
|
|
(' audit ptrace,', ('audit', None, 'ptrace,', None, None)),
|
|
|
|
|
(' ptrace trace,', (None, None, 'ptrace trace,', 'trace', None)),
|
|
|
|
|
(' ptrace (tracedby, readby),', (None, None, 'ptrace (tracedby, readby),', '(tracedby, readby)', None)),
|
|
|
|
|
(' audit ptrace (read),', ('audit', None, 'ptrace (read),', '(read)', None)),
|
|
|
|
|
(' ptrace trace peer=/usr/sbin/daemon,', (None, None, 'ptrace trace peer=/usr/sbin/daemon,', 'trace peer=/usr/sbin/daemon', None)),
|
2014-04-26 13:10:44 +02:00
|
|
|
|
|
|
|
|
(' ptraceback,', False),
|
|
|
|
|
(' audit ptraceback,', False),
|
|
|
|
|
(' ptraceback trace,', False),
|
2014-04-23 16:41:44 -05:00
|
|
|
]
|
|
|
|
|
|
2014-04-23 15:40:20 -05:00
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexPivotRoot(AARegexTest):
|
2014-04-23 15:41:03 -05:00
|
|
|
'''Tests for RE_PROFILE_PIVOT_ROOT'''
|
|
|
|
|
|
2015-04-28 23:37:49 +02:00
|
|
|
def AASetup(self):
|
2014-09-03 18:22:04 -07:00
|
|
|
self.regex = aa.RE_PROFILE_PIVOT_ROOT
|
2014-04-23 16:41:44 -05:00
|
|
|
|
|
|
|
|
tests = [
|
|
|
|
|
(' pivot_root,', (None, None, 'pivot_root,', None)),
|
|
|
|
|
(' audit pivot_root,', ('audit', None, 'pivot_root,', None)),
|
|
|
|
|
(' pivot_root oldroot=/new/old,',
|
|
|
|
|
(None, None, 'pivot_root oldroot=/new/old,', None)),
|
|
|
|
|
(' pivot_root oldroot=/new/old /new,',
|
|
|
|
|
(None, None, 'pivot_root oldroot=/new/old /new,', None)),
|
|
|
|
|
(' pivot_root oldroot=/new/old /new -> child,',
|
|
|
|
|
(None, None, 'pivot_root oldroot=/new/old /new -> child,', None)),
|
|
|
|
|
(' audit pivot_root oldroot=/new/old /new -> child,',
|
|
|
|
|
('audit', None, 'pivot_root oldroot=/new/old /new -> child,', None)),
|
2014-04-26 13:10:44 +02:00
|
|
|
|
|
|
|
|
('pivot_root', False), # comma missing
|
|
|
|
|
|
|
|
|
|
('pivot_rootbeer,', False),
|
|
|
|
|
('pivot_rootbeer , ', False),
|
|
|
|
|
('pivot_rootbeer, # comment', False),
|
|
|
|
|
('pivot_rootbeer /new, ', False),
|
|
|
|
|
('pivot_rootbeer /new, # comment', False),
|
2014-04-23 16:41:44 -05:00
|
|
|
]
|
2014-04-23 15:41:03 -05:00
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class AARegexUnix(AARegexTest):
|
2014-09-03 18:18:33 -07:00
|
|
|
'''Tests for RE_PROFILE_UNIX'''
|
|
|
|
|
|
2015-04-28 23:37:49 +02:00
|
|
|
def AASetup(self):
|
2014-09-03 18:18:33 -07:00
|
|
|
self.regex = aa.RE_PROFILE_UNIX
|
|
|
|
|
|
|
|
|
|
tests = [
|
|
|
|
|
(' unix,', (None, None, 'unix,', None)),
|
|
|
|
|
(' audit unix,', ('audit', None, 'unix,', None)),
|
|
|
|
|
(' unix accept,', (None, None, 'unix accept,', None)),
|
|
|
|
|
(' allow unix connect,', (None, 'allow', 'unix connect,', None)),
|
|
|
|
|
(' audit allow unix bind,', ('audit', 'allow', 'unix bind,', None)),
|
|
|
|
|
(' deny unix bind,', (None, 'deny', 'unix bind,', None)),
|
|
|
|
|
('unix peer=(label=@{profile_name}),',
|
|
|
|
|
(None, None, 'unix peer=(label=@{profile_name}),', None)),
|
|
|
|
|
('unix (receive) peer=(label=unconfined),',
|
|
|
|
|
(None, None, 'unix (receive) peer=(label=unconfined),', None)),
|
|
|
|
|
(' unix (getattr, shutdown) peer=(addr=none),',
|
|
|
|
|
(None, None, 'unix (getattr, shutdown) peer=(addr=none),', None)),
|
|
|
|
|
('unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*"),',
|
|
|
|
|
(None, None, 'unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*"),', None)),
|
|
|
|
|
('unixlike', False),
|
|
|
|
|
('deny unixlike,', False),
|
|
|
|
|
]
|
|
|
|
|
|
2015-04-02 11:42:28 +02:00
|
|
|
class AANamedRegexProfileStart_2(AANamedRegexTest):
|
2015-04-03 17:28:03 +02:00
|
|
|
'''Tests for RE_PROFILE_START'''
|
2015-04-02 11:42:28 +02:00
|
|
|
|
2015-04-28 23:37:49 +02:00
|
|
|
def AASetup(self):
|
2015-04-03 17:28:03 +02:00
|
|
|
self.regex = RE_PROFILE_START
|
2015-04-02 11:42:28 +02:00
|
|
|
|
|
|
|
|
tests = [
|
|
|
|
|
('/bin/foo ', False), # no '{'
|
|
|
|
|
('/bin/foo /bin/bar', False), # missing 'profile' keyword
|
|
|
|
|
('profile {', False), # no attachment
|
|
|
|
|
(' profile foo bar /foo {', False), # missing quotes around "foo bar"
|
2015-05-09 01:09:08 +02:00
|
|
|
('bin/foo {', False), # not starting with '/'
|
|
|
|
|
('"bin/foo" {', False), # not starting with '/', quoted version
|
2015-04-02 11:42:28 +02:00
|
|
|
|
|
|
|
|
(' /foo {', { 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' "/foo" {', { 'plainprofile': '"/foo"', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile /foo {', { 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile "/foo" {', { 'plainprofile': None, 'namedprofile': '"/foo"', 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile foo /foo {', { 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile foo /foo (audit) {', { 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }),
|
|
|
|
|
(' profile "foo" "/foo" {', { 'plainprofile': None, 'namedprofile': '"foo"', 'attachment': '"/foo"', 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile "foo bar" /foo {', { 'plainprofile': None, 'namedprofile': '"foo bar"', 'attachment': '/foo', 'flags': None, 'comment': None }),
|
|
|
|
|
(' /foo (complain) {', { 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
|
|
|
|
|
(' /foo flags=(complain) {', { 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
|
|
|
|
|
(' /foo (complain) { # x', { 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': '# x'}),
|
2015-07-08 22:50:01 +02:00
|
|
|
(' /foo flags = ( complain ){#',{ 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': ' complain ', 'comment': '#'}),
|
2015-08-03 00:16:23 +02:00
|
|
|
(' @{foo} {', { 'plainprofile': '@{foo}', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile @{foo} {', { 'plainprofile': None, 'namedprofile': '@{foo}', 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile @{foo} /bar {', { 'plainprofile': None, 'namedprofile': '@{foo}', 'attachment': '/bar', 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile foo @{bar} {', { 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '@{bar}', 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile @{foo} @{bar} {', { 'plainprofile': None, 'namedprofile': '@{foo}', 'attachment': '@{bar}', 'flags': None, 'comment': None }),
|
2015-04-02 11:42:28 +02:00
|
|
|
|
|
|
|
|
(' /foo {', { 'plainprofile': '/foo', 'namedprofile': None, 'leadingspace': ' ' }),
|
|
|
|
|
('/foo {', { 'plainprofile': '/foo', 'namedprofile': None, 'leadingspace': '' }),
|
|
|
|
|
(' profile foo {', { 'plainprofile': None, 'namedprofile': 'foo', 'leadingspace': ' ' }),
|
|
|
|
|
('profile foo {', { 'plainprofile': None, 'namedprofile': 'foo', 'leadingspace': '' }),
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class Test_parse_profile_start_line(AATest):
|
|
|
|
|
tests = [
|
|
|
|
|
(' /foo {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' "/foo" {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile /foo {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile "/foo" {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }),
|
2015-04-03 17:26:26 +02:00
|
|
|
(' profile foo /foo {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile foo /foo (audit) {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': 'audit', 'comment': None }),
|
|
|
|
|
(' profile "foo" "/foo" {', { 'profile': 'foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '/foo', 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile "foo bar" /foo {', { 'profile': 'foo bar', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': 'foo bar','attachment': '/foo', 'flags': None, 'comment': None }),
|
2015-04-02 11:42:28 +02:00
|
|
|
(' /foo (complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
|
|
|
|
|
(' /foo flags=(complain) {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': None }),
|
2015-07-08 22:50:01 +02:00
|
|
|
(' /foo flags = ( complain ){', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': ' complain ', 'comment': None }),
|
2015-04-02 11:42:28 +02:00
|
|
|
(' /foo (complain) { # x', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': 'complain', 'comment': '# x'}),
|
|
|
|
|
|
|
|
|
|
(' /foo {', { 'profile': '/foo', 'plainprofile': '/foo', 'namedprofile': None, 'leadingspace': ' ' }),
|
|
|
|
|
('/foo {', { 'profile': '/foo', 'plainprofile': '/foo', 'namedprofile': None, 'leadingspace': None }),
|
|
|
|
|
(' profile foo {', { 'profile': 'foo', 'plainprofile': None, 'namedprofile': 'foo', 'leadingspace': ' ' }),
|
|
|
|
|
('profile foo {', { 'profile': 'foo', 'plainprofile': None, 'namedprofile': 'foo', 'leadingspace': None }),
|
2015-08-03 00:16:23 +02:00
|
|
|
(' @{foo} {', { 'profile': '@{foo}', 'plainprofile': '@{foo}', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile @{foo} {', { 'profile': '@{foo}', 'plainprofile': None, 'namedprofile': '@{foo}', 'attachment': None, 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile @{foo} /bar {', { 'profile': '@{foo}', 'plainprofile': None, 'namedprofile': '@{foo}', 'attachment': '/bar', 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile foo @{bar} {', { 'profile': 'foo', 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '@{bar}', 'flags': None, 'comment': None }),
|
|
|
|
|
(' profile @{foo} @{bar} {', { 'profile': '@{foo}', 'plainprofile': None, 'namedprofile': '@{foo}', 'attachment': '@{bar}', 'flags': None, 'comment': None }),
|
2015-04-02 11:42:28 +02:00
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def _run_test(self, line, expected):
|
|
|
|
|
matches = parse_profile_start_line(line, 'somefile')
|
|
|
|
|
|
|
|
|
|
self.assertTrue(matches)
|
|
|
|
|
|
|
|
|
|
for exp in expected:
|
|
|
|
|
self.assertEqual(matches[exp], expected[exp], 'Group %s mismatch in rule %s' % (exp,line))
|
|
|
|
|
|
|
|
|
|
class TestInvalid_parse_profile_start_line(AATest):
|
|
|
|
|
tests = [
|
|
|
|
|
('/bin/foo ', False), # no '{'
|
|
|
|
|
('/bin/foo /bin/bar', False), # missing 'profile' keyword
|
|
|
|
|
('profile {', False), # no attachment
|
|
|
|
|
(' profile foo bar /foo {', False), # missing quotes around "foo bar"
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def _run_test(self, line, expected):
|
|
|
|
|
with self.assertRaises(AppArmorBug):
|
|
|
|
|
parse_profile_start_line(line, 'somefile')
|
|
|
|
|
|
2015-06-19 21:41:41 +02:00
|
|
|
class Test_re_match_include(AATest):
|
|
|
|
|
tests = [
|
|
|
|
|
('#include <abstractions/base>', 'abstractions/base' ),
|
|
|
|
|
('#include <abstractions/base> # comment', 'abstractions/base' ),
|
|
|
|
|
('#include<abstractions/base>#comment', 'abstractions/base' ),
|
|
|
|
|
(' #include <abstractions/base> ', 'abstractions/base' ),
|
|
|
|
|
('include <abstractions/base>', 'abstractions/base' ), # not supported by parser
|
|
|
|
|
# ('include foo', 'foo' ), # XXX not supported in tools yet
|
|
|
|
|
# ('include /foo/bar', '/foo/bar' ), # XXX not supported in tools yet
|
|
|
|
|
# ('include "foo"', 'foo' ), # XXX not supported in tools yet
|
|
|
|
|
# ('include "/foo/bar"', '/foo/bar' ), # XXX not supported in tools yet
|
|
|
|
|
(' some #include <abstractions/base>', None, ),
|
|
|
|
|
(' /etc/fstab r,', None, ),
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def _run_test(self, params, expected):
|
|
|
|
|
self.assertEqual(re_match_include(params), expected)
|
|
|
|
|
|
|
|
|
|
class TestInvalid_re_match_include(AATest):
|
|
|
|
|
tests = [
|
|
|
|
|
('#include <>', AppArmorException ),
|
|
|
|
|
('#include < >', AppArmorException ),
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def _run_test(self, params, expected):
|
|
|
|
|
with self.assertRaises(expected):
|
|
|
|
|
re_match_include(params)
|
|
|
|
|
|
2015-04-02 11:42:28 +02:00
|
|
|
|
2016-05-23 23:12:07 +02:00
|
|
|
class TestStripParenthesis(AATest):
|
|
|
|
|
tests = [
|
|
|
|
|
('foo', 'foo' ),
|
|
|
|
|
('(foo)', 'foo' ),
|
|
|
|
|
('( foo )', 'foo' ),
|
|
|
|
|
('(foo', '(foo' ),
|
|
|
|
|
('foo )', 'foo )' ),
|
|
|
|
|
('foo ()', 'foo ()' ),
|
|
|
|
|
('()', '' ),
|
|
|
|
|
('( )', '' ),
|
|
|
|
|
('(())', '()' ),
|
|
|
|
|
(' (foo)', '(foo)' ), # parenthesis not first char, whitespace stripped nevertheless
|
|
|
|
|
('(foo) ', '(foo)' ), # parenthesis not last char, whitespace stripped nevertheless
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
def _run_test(self, params, expected):
|
|
|
|
|
self.assertEqual(strip_parenthesis(params), expected)
|
|
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
class TestStripQuotes(AATest):
|
2020-05-24 13:33:12 +02:00
|
|
|
tests = [
|
|
|
|
|
('foo', 'foo'),
|
|
|
|
|
('"foo"', 'foo'),
|
|
|
|
|
('"foo', '"foo'),
|
|
|
|
|
('foo"', 'foo"'),
|
|
|
|
|
('""', ''),
|
|
|
|
|
('foo"bar', 'foo"bar'),
|
|
|
|
|
('"foo"bar"', 'foo"bar'),
|
|
|
|
|
('""""foo"bar""""', '"""foo"bar"""'),
|
|
|
|
|
('', ''),
|
|
|
|
|
('/', '/'),
|
|
|
|
|
('"', '"'),
|
|
|
|
|
]
|
2015-03-03 20:15:00 +01:00
|
|
|
|
2020-05-24 13:33:12 +02:00
|
|
|
def _run_test(self, params, expected):
|
|
|
|
|
self.assertEqual(strip_quotes(params), expected)
|
2015-03-03 20:15:00 +01:00
|
|
|
|
|
|
|
|
|
2017-03-02 21:21:53 +00:00
|
|
|
setup_aa(aa)
|
2015-04-22 22:01:34 +02:00
|
|
|
setup_all_loops(__name__)
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
if __name__ == '__main__':
|
2015-03-31 22:31:36 +02:00
|
|
|
# these two are not converted to a tests[] loop yet
|
utils: add simple parsing of multi-line rules [v3]
D-Bus rules in particular seem to get written as multi-line rules. This
patch adds very simple hackish support for multiple lines. Essentially,
what it does is if the parsing of a line doesn't match anything and
falls all the way through, it saves the line and prepends it to the next
line that occurs in the profile, but *only* if the line does not have a
trailing comma to indicate the end of a rule. If the trailing comma
exists, then it assumes that it's a rule that it doesn't understand and
aborts.
With this patch, the simpler tools (aa-enforce, aa-complain, etc.) can
parse policies containing multi-line rules to an extent and continue to
function correctly. Again, aa-logprof and aa-genprof may have issues on
the writing back of profiles, so some assistance testing here would be
appreciated.
Some testcases are added to exercise the regex that looks for a rule
with a trailing comma but can still handle rules that have (,) or {,}
in them.
Patch history:
v1 - initial version
v2 - simplify and rearrange rule-ending comma search regex, since
we only care about the trailing comma
- add a new regex to search for trailing comments to filter out
- simplify reset of lastline variable
- restructure tests into a new script, and add more tests
v3 - add additional testcases, most of which are problematic and thus
commented out :(
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
2014-03-07 10:04:57 -08:00
|
|
|
setup_has_comma_testcases()
|
|
|
|
|
setup_split_comment_testcases()
|
|
|
|
|
|
2015-03-31 22:31:36 +02:00
|
|
|
unittest.main(verbosity=2)
|