mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/utils/test/test-aa.py

768 lines
38 KiB
Python
Raw Normal View History

Switch utils to python3 As discussed a while ago, switch the utils (including their tests) to use python3 by default. While on it, drop usage of "env" to always get the system python3 instead of a random one that happens to live somewhere in $PATH. In practise, this patch doesn't change much - AFAIK openSUSE, Debian and Ubuntu already patch aa-* to use python3. Also add a note to README to officially deprecate Python 2.x. (I won't break Python 2.x support intentionally - unless some future change gives me a very good reason to finally drop Python 2.x support.) Acked-by: Seth Arnold <seth.arnold@canonical.com> (since 2016-08-23, but the commit had to wait for the FileRule series because it touches test-file.py)
2016-10-01 20:57:09 +02:00
#! /usr/bin/python3
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
# ------------------------------------------------------------------
#
ProfileStorage: store parent profile ... and extend the tests to get some coverage.
2024-10-06 20:39:01 +02:00
# Copyright (C) 2014-2024 Christian Boltz
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
import os
[15/38] Change handle_children() and ask_the_questions() to FileRule This patch changes handle_children() (which asks about exec events) and ask_the_questions() (which asks everything else) to FileRule. This solves the "brain split" introduced by the previous patch. This means aa-logprof and aa-genprof ask useful questions again, and store the answers at the right place. In detail, this means (with '-' line number from the diff) - (391) handle_binfmt(): use FileRule. Also avoid breakage if glob_common() returns an empty result. - (484) profile_storage(): drop profile['allow']['path'] and profile['deny']['path'] - (510) create_new_profile(): switch to FileRule - (1190..1432) lots of changes in handle_children(): - drop escaping (done in FileRule) - don't add events with 'x' perms to prelog - use is_known_rule() instead of profile_known_exec() - replace several regexes for the selected CMD_* with more readable 'in' clauses. While on it, drop unused parts of the regex. - use plain 'ix', 'px' (as str) instead of str_to_mode() format - call handle_binfmt() for the interpreter in ix, Pix and Cix rules - (1652) ask_the_questions(): disable the old file-specific code (not dropped because some features aren't ported to FileRule yet) - (2336) collapse_log(): - convert file log events to FileRule (and add some workarounds and TODOs for logparser.py behaviour that needs to change) - disable the old file-specific code (not dropped because merging of existing permissions isn't ported to FileRule yet) - (2403) drop now unused validate_profile_mode() and the regexes it used - (3374) drop now unused profile_known_exec() Test changes: - adjust fake_ldd to handle /bin/bash - change test-aa.py AaTest_create_new_profile to expect FileRule instead of a path hasher. Also copy the profiles to the tempdir and load the abstractions that are needed by the test. (These tests get skipped on py2 because changing apparmor.aa.cfg['settings']['ldd'] doesn't work for some unknown reason) Important: Some nice-to-have features are not yet implemented for FileRule: - globbing - (N)ew (allowing the user to enter a custom path) - displaying and merging of permissions already existing in the profile This means: aa-logprof works, but it's not as user-friendly as before. The next patches will fix that ;-) Also note that pyflakes will fail for ask_the_questions_OLD_FILE_CODE() because of undefined symbols (aamode, profile, hat). This will be fixed when the old code gets dropped in one of the later patches. Acked-by: Steve Beattie <steve@nxnw.org> Bug: https://launchpad.net/bugs/1569316
2016-10-01 19:55:58 +02:00
import shutil
Order imports and module-level dunder name assignments.
2022-08-07 20:32:07 -04:00
import unittest
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
Add tests for aa.py get_output() and get_reqs() To make these tests independent from the underlaying system, add a fake_ldd script that provides hardcoded ldd output for the "known" executables and libraries. To avoid interferences with the real system (especially symlinks), all paths in fake_ldd have '/AATest' prepended. Acked-by: Kshitij Gupta <kgupta8592@gmail.com>
2016-02-21 21:48:09 +01:00
import apparmor.aa # needed to set global vars in some tests
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
from apparmor.aa import (
Stop calling ldd in aa-genprof and aa-autodep In some cases, ldd might obtain information by executing the given binary (see ldd(1)) - which is not something we should do on potentially unknown binaries, especially because aa-genprof and aa-autodep (and therefore also ldd) are often started as root. Additionally, the ldd result typically listed libraries already covered by abstractions/base, which makes the ldd call superfluous. While on it, - remove all references to ldd - remove code only used for calling ldd and handling its results - remove tests checking ldd results, and the fake_ldd script - adjust a test where fake_ldd had added some libraries - remove ldd path from logprof.conf [settings]
2024-03-31 18:53:12 +02:00
change_profile_flags, check_for_apparmor, create_new_profile, get_file_perms, get_interpreter_and_abstraction, get_profile_flags,
Drop now-unused split_to_merged() and its tests
2024-11-01 22:05:48 +01:00
merged_to_split, parse_profile_data, propose_file_rules, set_options_audit_mode, set_options_owner_mode)
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
from apparmor.aare import AARE
Order imports and module-level dunder name assignments.
2022-08-07 20:32:07 -04:00
from apparmor.common import AppArmorBug, AppArmorException, is_skippable_file
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
from apparmor.rule.file import FileRule
store include rules (also) in 'inc_ie' (IncludeRueset) ... and write them (only) from 'inc_ie' (IncludeRuleset), which can handle both "include" and "include if exists" rules. This duplicates storage of include rules because 'include' is still used and needed at various places that work on/with the include rules. With this, we get removal of duplicate include lines insinde a profile in aa-cleanprof "for free" - extend cleanprof_test.in to confirm this.
2020-05-13 21:45:00 +02:00
from apparmor.rule.include import IncludeRule
Order imports and module-level dunder name assignments.
2022-08-07 20:32:07 -04:00
from common_test import AATest, read_file, setup_aa, setup_all_loops, write_file
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
class AaTestWithTempdir(AATest):
Add tempdir and tempfile handling to AATest Add writeTmpfile() to AATest to write a file into the tmpdir. If no tmpdir exists yet, automatically create one. createTmpdir() is a separate function so that it's possible to manually create the tmpdir (for example, if a test needs an empty tmpdir). Also add a tearDown() function to delete the tmpdir again. This function calls self.AATeardown() to avoid the need for super() in child classes. Finally, simplify AaTestWithTempdir in test-aa.py to use createTmpdir() and add an example for AATeardown() to test-example.py. Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 12:55:38 +02:00
def AASetup(self):
self.createTmpdir()
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
class AaTest_check_for_apparmor(AaTestWithTempdir):
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
FILESYSTEMS_WITH_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsecurityfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
FILESYSTEMS_WITHOUT_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
MOUNTS_WITH_SECURITYFS = (
'proc /proc proc rw,relatime 0 0\n'
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
'securityfs %s/security securityfs rw,nosuid,nodev,noexec,relatime 0 0\n'
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
'/dev/sda1 / ext3 rw,noatime,data=ordered 0 0')
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
MOUNTS_WITHOUT_SECURITYFS = (
'proc /proc proc rw,relatime 0 0\n'
'/dev/sda1 / ext3 rw,noatime,data=ordered 0 0')
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
def test_check_for_apparmor_None_1(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITHOUT_SECURITYFS)
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS)
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_None_2(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITHOUT_SECURITYFS)
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITHOUT_SECURITYFS)
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_None_3(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITHOUT_SECURITYFS)
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_securityfs_invalid_filesystems(self):
filesystems = ''
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % (self.tmpdir,))
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_securityfs_invalid_mounts(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
mounts = ''
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_invalid_securityfs_path(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % ('xxx',))
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
self.assertEqual(None, check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_securityfs_mounted(self):
filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % (self.tmpdir,))
self.assertEqual(self.tmpdir + '/security/apparmor', check_for_apparmor(filesystems, mounts))
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
class AaTest_create_new_profile(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
# file content filename expected interpreter expected abstraction (besides 'base') expected profiles
(('#!/bin/bash\ntrue', 'script'), (u'/bin/bash', 'abstractions/bash', ['script'])),
(('foo bar', 'fake_binary'), (None, None, ['fake_binary'])),
(('hats expected', 'apache2'), (None, None, ['apache2', 'apache2//DEFAULT_URI', 'apache2//HANDLING_UNTRUSTED_INPUT'])),
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
def _run_test(self, params, expected):
[15/38] Change handle_children() and ask_the_questions() to FileRule This patch changes handle_children() (which asks about exec events) and ask_the_questions() (which asks everything else) to FileRule. This solves the "brain split" introduced by the previous patch. This means aa-logprof and aa-genprof ask useful questions again, and store the answers at the right place. In detail, this means (with '-' line number from the diff) - (391) handle_binfmt(): use FileRule. Also avoid breakage if glob_common() returns an empty result. - (484) profile_storage(): drop profile['allow']['path'] and profile['deny']['path'] - (510) create_new_profile(): switch to FileRule - (1190..1432) lots of changes in handle_children(): - drop escaping (done in FileRule) - don't add events with 'x' perms to prelog - use is_known_rule() instead of profile_known_exec() - replace several regexes for the selected CMD_* with more readable 'in' clauses. While on it, drop unused parts of the regex. - use plain 'ix', 'px' (as str) instead of str_to_mode() format - call handle_binfmt() for the interpreter in ix, Pix and Cix rules - (1652) ask_the_questions(): disable the old file-specific code (not dropped because some features aren't ported to FileRule yet) - (2336) collapse_log(): - convert file log events to FileRule (and add some workarounds and TODOs for logparser.py behaviour that needs to change) - disable the old file-specific code (not dropped because merging of existing permissions isn't ported to FileRule yet) - (2403) drop now unused validate_profile_mode() and the regexes it used - (3374) drop now unused profile_known_exec() Test changes: - adjust fake_ldd to handle /bin/bash - change test-aa.py AaTest_create_new_profile to expect FileRule instead of a path hasher. Also copy the profiles to the tempdir and load the abstractions that are needed by the test. (These tests get skipped on py2 because changing apparmor.aa.cfg['settings']['ldd'] doesn't work for some unknown reason) Important: Some nice-to-have features are not yet implemented for FileRule: - globbing - (N)ew (allowing the user to enter a custom path) - displaying and merging of permissions already existing in the profile This means: aa-logprof works, but it's not as user-friendly as before. The next patches will fix that ;-) Also note that pyflakes will fail for ask_the_questions_OLD_FILE_CODE() because of undefined symbols (aamode, profile, hat). This will be fixed when the old code gets dropped in one of the later patches. Acked-by: Steve Beattie <steve@nxnw.org> Bug: https://launchpad.net/bugs/1569316
2016-10-01 19:55:58 +02:00
self.createTmpdir()
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
# copy the local profiles to the test directory
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
self.profile_dir = self.tmpdir + '/profiles'
[15/38] Change handle_children() and ask_the_questions() to FileRule This patch changes handle_children() (which asks about exec events) and ask_the_questions() (which asks everything else) to FileRule. This solves the "brain split" introduced by the previous patch. This means aa-logprof and aa-genprof ask useful questions again, and store the answers at the right place. In detail, this means (with '-' line number from the diff) - (391) handle_binfmt(): use FileRule. Also avoid breakage if glob_common() returns an empty result. - (484) profile_storage(): drop profile['allow']['path'] and profile['deny']['path'] - (510) create_new_profile(): switch to FileRule - (1190..1432) lots of changes in handle_children(): - drop escaping (done in FileRule) - don't add events with 'x' perms to prelog - use is_known_rule() instead of profile_known_exec() - replace several regexes for the selected CMD_* with more readable 'in' clauses. While on it, drop unused parts of the regex. - use plain 'ix', 'px' (as str) instead of str_to_mode() format - call handle_binfmt() for the interpreter in ix, Pix and Cix rules - (1652) ask_the_questions(): disable the old file-specific code (not dropped because some features aren't ported to FileRule yet) - (2336) collapse_log(): - convert file log events to FileRule (and add some workarounds and TODOs for logparser.py behaviour that needs to change) - disable the old file-specific code (not dropped because merging of existing permissions isn't ported to FileRule yet) - (2403) drop now unused validate_profile_mode() and the regexes it used - (3374) drop now unused profile_known_exec() Test changes: - adjust fake_ldd to handle /bin/bash - change test-aa.py AaTest_create_new_profile to expect FileRule instead of a path hasher. Also copy the profiles to the tempdir and load the abstractions that are needed by the test. (These tests get skipped on py2 because changing apparmor.aa.cfg['settings']['ldd'] doesn't work for some unknown reason) Important: Some nice-to-have features are not yet implemented for FileRule: - globbing - (N)ew (allowing the user to enter a custom path) - displaying and merging of permissions already existing in the profile This means: aa-logprof works, but it's not as user-friendly as before. The next patches will fix that ;-) Also note that pyflakes will fail for ask_the_questions_OLD_FILE_CODE() because of undefined symbols (aamode, profile, hat). This will be fixed when the old code gets dropped in one of the later patches. Acked-by: Steve Beattie <steve@nxnw.org> Bug: https://launchpad.net/bugs/1569316
2016-10-01 19:55:58 +02:00
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
fix setting apparmor.aa.profile_dir in some tests
2020-06-01 15:54:34 +02:00
apparmor.aa.profile_dir = self.profile_dir
Change internal include file storage to absolute paths This removes the need to remove profile_dir from include paths at various places. A side effect is that aa-logprof / match_includes() now propose more include rules, for example matching local/ files. Another side effect is that proposals for include rules (match_includes() again) now come with the full path. Both side effects will be fixed in the next commits.
2020-06-01 17:03:52 +02:00
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
[15/38] Change handle_children() and ask_the_questions() to FileRule This patch changes handle_children() (which asks about exec events) and ask_the_questions() (which asks everything else) to FileRule. This solves the "brain split" introduced by the previous patch. This means aa-logprof and aa-genprof ask useful questions again, and store the answers at the right place. In detail, this means (with '-' line number from the diff) - (391) handle_binfmt(): use FileRule. Also avoid breakage if glob_common() returns an empty result. - (484) profile_storage(): drop profile['allow']['path'] and profile['deny']['path'] - (510) create_new_profile(): switch to FileRule - (1190..1432) lots of changes in handle_children(): - drop escaping (done in FileRule) - don't add events with 'x' perms to prelog - use is_known_rule() instead of profile_known_exec() - replace several regexes for the selected CMD_* with more readable 'in' clauses. While on it, drop unused parts of the regex. - use plain 'ix', 'px' (as str) instead of str_to_mode() format - call handle_binfmt() for the interpreter in ix, Pix and Cix rules - (1652) ask_the_questions(): disable the old file-specific code (not dropped because some features aren't ported to FileRule yet) - (2336) collapse_log(): - convert file log events to FileRule (and add some workarounds and TODOs for logparser.py behaviour that needs to change) - disable the old file-specific code (not dropped because merging of existing permissions isn't ported to FileRule yet) - (2403) drop now unused validate_profile_mode() and the regexes it used - (3374) drop now unused profile_known_exec() Test changes: - adjust fake_ldd to handle /bin/bash - change test-aa.py AaTest_create_new_profile to expect FileRule instead of a path hasher. Also copy the profiles to the tempdir and load the abstractions that are needed by the test. (These tests get skipped on py2 because changing apparmor.aa.cfg['settings']['ldd'] doesn't work for some unknown reason) Important: Some nice-to-have features are not yet implemented for FileRule: - globbing - (N)ew (allowing the user to enter a custom path) - displaying and merging of permissions already existing in the profile This means: aa-logprof works, but it's not as user-friendly as before. The next patches will fix that ;-) Also note that pyflakes will fail for ask_the_questions_OLD_FILE_CODE() because of undefined symbols (aamode, profile, hat). This will be fixed when the old code gets dropped in one of the later patches. Acked-by: Steve Beattie <steve@nxnw.org> Bug: https://launchpad.net/bugs/1569316
2016-10-01 19:55:58 +02:00
extend create_new_profile() tests to cover required hats
2021-04-09 00:12:18 +02:00
exp_interpreter_path, exp_abstraction, exp_profiles = expected
utils: fixup test-aa.py tests that fail due to usr-merge Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2019-02-01 00:27:17 -08:00
# damn symlinks!
if exp_interpreter_path:
exp_interpreter_path = os.path.realpath(exp_interpreter_path)
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
extend create_new_profile() tests to cover required hats
2021-04-09 00:12:18 +02:00
file_content, filename = params
program = self.writeTmpfile(filename, file_content)
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
profile = create_new_profile(program)
extend create_new_profile() tests to cover required hats
2021-04-09 00:12:18 +02:00
expected_profiles = []
for prof in exp_profiles:
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
expected_profiles.append('{}/{}'.format(self.tmpdir, prof)) # actual profile names start with tmpdir, prepend it to the expected profile names
extend create_new_profile() tests to cover required hats
2021-04-09 00:12:18 +02:00
self.assertEqual(list(profile.keys()), expected_profiles)
create_new_profile(): use and return merged profile names ... and adjust all callers and the tests. For bonus points ;-) this also removes a hasher usage, and extends the test to check that only the expected profile gets created.
2021-04-08 23:42:56 +02:00
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
if exp_interpreter_path:
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self.assertEqual(
set(profile[program]['file'].get_clean()),
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
{'{} ix,'.format(exp_interpreter_path), '{} r,'.format(program), ''})
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
else:
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
self.assertEqual(set(profile[program]['file'].get_clean()), {'{} mr,'.format(program), ''})
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
if exp_abstraction:
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
self.assertEqual(profile[program]['inc_ie'].get_clean(), ['include <abstractions/base>', 'include <{}>'.format(exp_abstraction), ''])
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
else:
create_new_profile(): use and return merged profile names ... and adjust all callers and the tests. For bonus points ;-) this also removes a hasher usage, and extends the test to check that only the expected profile gets created.
2021-04-08 23:42:56 +02:00
self.assertEqual(profile[program]['inc_ie'].get_clean(), ['include <abstractions/base>', ''])
Add tests for create_new_profile() These tests ensure that create_new_profile() sets the expected basic permissions for scripts and non-script files. Acked-by: John Johansen <john.johansen@canonical.com>
2015-10-20 23:14:42 +02:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
class AaTest_get_interpreter_and_abstraction(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
('#!/bin/bash', ('/bin/bash', 'abstractions/bash')),
('#!/bin/dash', ('/bin/dash', 'abstractions/bash')),
('#!/bin/sh', ('/bin/sh', 'abstractions/bash')),
('#! /bin/sh ', ('/bin/sh', 'abstractions/bash')),
('#! /bin/sh -x ', ('/bin/sh', 'abstractions/bash')), # '-x' is not part of the interpreter path
('#!/usr/bin/perl', ('/usr/bin/perl', 'abstractions/perl')),
('#!/usr/bin/perl -w', ('/usr/bin/perl', 'abstractions/perl')), # '-w' is not part of the interpreter path
('#!/usr/bin/python', ('/usr/bin/python', 'abstractions/python')),
('#!/usr/bin/python2', ('/usr/bin/python2', 'abstractions/python')),
('#!/usr/bin/python2.7', ('/usr/bin/python2.7', 'abstractions/python')),
('#!/usr/bin/python3', ('/usr/bin/python3', 'abstractions/python')),
('#!/usr/bin/python4', ('/usr/bin/python4', None)), # python abstraction is only applied to py2 and py3
('#!/usr/bin/ruby', ('/usr/bin/ruby', 'abstractions/ruby')),
('#!/usr/bin/ruby2.2', ('/usr/bin/ruby2.2', 'abstractions/ruby')),
('#!/usr/bin/ruby1.9.1', ('/usr/bin/ruby1.9.1', 'abstractions/ruby')),
('#!/usr/bin/foobarbaz', ('/usr/bin/foobarbaz', None)), # we don't have an abstraction for "foobarbaz"
('foo', (None, None)), # no hashbang - not a script
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
def _run_test(self, params, expected):
exp_interpreter_path, exp_abstraction = expected
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
program = self.writeTmpfile('program', params + "\nfoo\nbar")
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
interpreter_path, abstraction = get_interpreter_and_abstraction(program)
# damn symlinks!
utils: fixup test-aa.py tests that fail due to usr-merge Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
2019-02-01 00:27:17 -08:00
if exp_interpreter_path:
exp_interpreter_path = os.path.realpath(exp_interpreter_path)
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
self.assertEqual(interpreter_path, exp_interpreter_path)
self.assertEqual(abstraction, exp_abstraction)
def test_special_file(self):
self.assertEqual((None, None), get_interpreter_and_abstraction('/dev/null'))
def test_file_not_found(self):
self.createTmpdir()
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
self.assertEqual((None, None), get_interpreter_and_abstraction(self.tmpdir + '/file-not-found'))
merge script handling into get_interpreter_and_abstraction() Both create_new_profile() and handle_children() check if the given exec target is a script and add permissions for the interpreter and a matching abstraction. This patch merges that into the get_interpreter_and_abstraction() function and changes create_new_profile() and handle_children() to use this function. A nice side effect is that handle_children() now knows more abstractions (its original list was incomplete). The behaviour of create_new_profile() doesn't change. Also add tests for get_interpreter_and_abstraction() to make sure it does what we expect. Acked-by: Kshitij Gupta <kgupta8592@gmail.com> Bug: https://launchpad.net/bugs/1505775
2015-10-20 23:16:41 +02:00
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
class AaTest_get_profile_flags(AaTestWithTempdir):
def _test_get_flags(self, profile_header, expected_flags):
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
file = write_file(self.tmpdir, 'profile', profile_header + ' {\n}\n')
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
flags = get_profile_flags(file, '/foo')
self.assertEqual(flags, expected_flags)
def test_get_flags_01(self):
self._test_get_flags('/foo', None)
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
def test_get_flags_02(self):
self._test_get_flags('/foo ( complain )', ' complain ')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
def test_get_flags_04(self):
self._test_get_flags('/foo (complain)', 'complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
def test_get_flags_05(self):
self._test_get_flags('/foo flags=(complain)', 'complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
def test_get_flags_06(self):
self._test_get_flags('/foo flags=(complain, audit)', 'complain, audit')
def test_get_flags_invalid_01(self):
replace RE_PROFILE_START Replace RE_PROFILE_START with RE_PROFILE_START_2 and adjust all code sections that used RE_PROFILE_START_2. The only real change is that test_get_flags_invalid_01 and test_get_flags_invalid_02 now expect AppArmorException instead of AppArmorBug. Acked-by: Steve Beattie <steve@nxnw.org> for trunk
2015-04-03 17:28:03 +02:00
with self.assertRaises(AppArmorException):
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
self._test_get_flags('/foo ()', None)
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
def test_get_flags_invalid_02(self):
replace RE_PROFILE_START Replace RE_PROFILE_START with RE_PROFILE_START_2 and adjust all code sections that used RE_PROFILE_START_2. The only real change is that test_get_flags_invalid_01 and test_get_flags_invalid_02 now expect AppArmorException instead of AppArmorBug. Acked-by: Steve Beattie <steve@nxnw.org> for trunk
2015-04-03 17:28:03 +02:00
with self.assertRaises(AppArmorException):
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
self._test_get_flags('/foo flags=()', None)
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
def test_get_flags_invalid_03(self):
with self.assertRaises(AppArmorException):
self._test_get_flags('/foo ( )', ' ')
def test_get_flags_other_profile(self):
with self.assertRaises(AppArmorException):
self._test_get_flags('/no-such-profile flags=(complain)', 'complain')
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
class AaTest_change_profile_flags(AaTestWithTempdir):
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
def _test_change_profile_flags(
self, profile, old_flags, flags_to_change, set_flag, expected_flags, whitespace='',
comment='', more_rules='', expected_more_rules='@-@-@', check_new_flags=True, profile_name='/foo'):
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
if old_flags:
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
old_flags = ' ' + old_flags
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
if expected_flags:
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
expected_flags = ' flags=({})'.format(expected_flags)
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
else:
expected_flags = ''
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
if expected_more_rules == '@-@-@':
expected_more_rules = more_rules
rewrite set_profile_flags() to use write_header() Changes in set_profile_flags(): - rewrite set_profile_flags to use parse_profile_start_line() and write_header(). - replace the silent failure for non-existing files with a proper exception (using lazy programming - the check is done by removing the "if os.path.isfile()" check, open_file_read then raises the exception ;-) - comment out regex_hat_flag and the code that was supposed to handle hat flags, which were totally broken. We'll need another patch to fix it, and we also need to decide if we want to do that because it introduces a behaviour change (currently, aa-complain etc. don't change hat flags). The tests for set_profile_flags() are also updated: - prepend a space to comments because write_header always adds a space between '{' and the comment - remove a test with superfluous quotes that are no longer kept (that's just a profile cleanup, so dropping that test is the easiest way) - update test_set_flags_10 and test_set_flags_12 to use the correct profile name - enable the tests for invalid (empty) flags - update the test for a non-existing file Note: test_set_flags_10, test_set_flags_12 and test_set_flags_nochange_09 will fail with this patch applied. The next patch will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:20:14 +02:00
if comment:
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
comment = ' ' + comment
rewrite set_profile_flags() to use write_header() Changes in set_profile_flags(): - rewrite set_profile_flags to use parse_profile_start_line() and write_header(). - replace the silent failure for non-existing files with a proper exception (using lazy programming - the check is done by removing the "if os.path.isfile()" check, open_file_read then raises the exception ;-) - comment out regex_hat_flag and the code that was supposed to handle hat flags, which were totally broken. We'll need another patch to fix it, and we also need to decide if we want to do that because it introduces a behaviour change (currently, aa-complain etc. don't change hat flags). The tests for set_profile_flags() are also updated: - prepend a space to comments because write_header always adds a space between '{' and the comment - remove a test with superfluous quotes that are no longer kept (that's just a profile cleanup, so dropping that test is the easiest way) - update test_set_flags_10 and test_set_flags_12 to use the correct profile name - enable the tests for invalid (empty) flags - update the test for a non-existing file Note: test_set_flags_10, test_set_flags_12 and test_set_flags_nochange_09 will fail with this patch applied. The next patch will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:20:14 +02:00
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
dummy_profile_content = ' #include <abstractions/base>\n capability chown,\n /bar r,'
prof_template = '%s%s%s {%s\n%s\n%s\n}\n'
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
old_prof = prof_template % (whitespace, profile, old_flags, comment, more_rules, dummy_profile_content)
When changing flags, use correct amount of whitespace .. instead of preserving the original leading whitespace. This change affects the behaviour of aa-complain, aa-enforce and aa-audit.
2021-05-23 19:00:06 +02:00
new_prof = prof_template % ('', profile, expected_flags, comment, expected_more_rules, dummy_profile_content)
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
self.file = write_file(self.tmpdir, 'profile', old_prof)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
change_profile_flags(self.file, profile_name, flags_to_change, set_flag)
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
if check_new_flags:
real_new_prof = read_file(self.file)
self.assertEqual(new_prof, real_new_prof)
# tests that actually don't change the flags
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_02(self):
self._test_change_profile_flags('/foo', '( complain )', 'complain', True, 'complain', whitespace=' ')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_03(self):
self._test_change_profile_flags('/foo', '(complain)', 'complain', True, 'complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_04(self):
self._test_change_profile_flags('/foo', 'flags=(complain)', 'complain', True, 'complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_05(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'complain', True, 'audit, complain', whitespace=' ')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_06(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'complain', True, 'audit, complain', whitespace=' ', comment='# a comment')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_07(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'audit', True, 'audit, complain', whitespace=' ', more_rules=' # a comment\n#another comment')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_08(self):
self._test_change_profile_flags('profile /foo', 'flags=(complain)', 'complain', True, 'complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_09(self):
self._test_change_profile_flags('profile xy /foo', 'flags=(complain)', 'complain', True, 'complain', profile_name='xy')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_10(self):
self._test_change_profile_flags('profile "/foo bar"', 'flags=(complain)', 'complain', True, 'complain', profile_name='/foo bar')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_11(self):
self._test_change_profile_flags('/foo', '(complain)', 'complain', True, 'complain', profile_name=None)
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_nochange_12(self):
# XXX changes the flags for the child profile (which happens to have the same profile name) to 'complain'
self._test_change_profile_flags('/foo', 'flags=(complain)', 'complain', True, 'complain', more_rules=' profile /foo {\n}', expected_more_rules=' profile /foo flags=(complain) {\n}')
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
# tests that change the flags
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_01(self):
self._test_change_profile_flags('/foo', '', 'audit', True, 'audit')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_02(self):
self._test_change_profile_flags('/foo', '( complain )', 'audit', True, 'audit, complain', whitespace=' ')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_04(self):
self._test_change_profile_flags('/foo', '(complain)', 'audit', True, 'audit, complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_05(self):
self._test_change_profile_flags('/foo', 'flags=(complain)', 'audit', True, 'audit, complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_06(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'complain', False, 'audit', whitespace=' ')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_07(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'audit', False, 'complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_08(self):
self._test_change_profile_flags('/foo', '( complain )', 'audit', True, 'audit, complain', whitespace=' ', profile_name=None)
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_09(self):
self._test_change_profile_flags('profile /foo', 'flags=(complain)', 'audit', True, 'audit, complain')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_10(self):
self._test_change_profile_flags('profile xy /foo', 'flags=(complain)', 'audit', True, 'audit, complain', profile_name='xy')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_11(self):
self._test_change_profile_flags('profile "/foo bar"', 'flags=(complain)', 'audit', True, 'audit, complain', profile_name='/foo bar')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_12(self):
self._test_change_profile_flags('profile xy "/foo bar"', 'flags=(complain)', 'audit', True, 'audit, complain', profile_name='xy')
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_13(self):
self._test_change_profile_flags('/foo', '(audit)', 'audit', False, '')
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
# test handling of hat flags
def test_set_flags_with_hat_01(self):
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self._test_change_profile_flags(
'/foo', 'flags=(complain)', 'audit', True, 'audit, complain',
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
more_rules='\n ^foobar {\n}\n',
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
expected_more_rules='\n ^foobar flags=(audit) {\n}\n'
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_with_hat_02(self):
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self._test_change_profile_flags(
'/foo', 'flags=(complain)', 'audit', False, 'complain',
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
profile_name=None,
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
more_rules='\n ^foobar flags=(audit) {\n}\n',
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
expected_more_rules='\n ^foobar {\n}\n'
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_with_hat_03(self):
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self._test_change_profile_flags(
'/foo', 'flags=(complain)', 'audit', True, 'audit, complain',
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
more_rules='\n^foobar (attach_disconnected) { # comment\n}\n',
When changing flags, use correct amount of whitespace .. instead of preserving the original leading whitespace. This change affects the behaviour of aa-complain, aa-enforce and aa-audit.
2021-05-23 19:00:06 +02:00
expected_more_rules='\n ^foobar flags=(attach_disconnected, audit) { # comment\n}\n'
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_with_hat_04(self):
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self._test_change_profile_flags(
'/foo', '', 'audit', True, 'audit',
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
more_rules='\n hat foobar (attach_disconnected) { # comment\n}\n',
expected_more_rules='\n hat foobar flags=(attach_disconnected, audit) { # comment\n}\n'
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_with_hat_05(self):
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self._test_change_profile_flags(
'/foo', '(audit)', 'audit', False, '',
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
more_rules='\n hat foobar (attach_disconnected) { # comment\n}\n',
expected_more_rules='\n hat foobar flags=(attach_disconnected) { # comment\n}\n'
Add more set_profile_flags() tests The existing tests didn't test removing all flags. Acked-by: Steve Beattie <steve@nxnw.org>
2015-06-26 23:21:29 +02:00
)
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
# test handling of child profiles
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_with_child_01(self):
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self._test_change_profile_flags(
'/foo', 'flags=(complain)', 'audit', True, 'audit, complain',
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
profile_name=None,
more_rules='\n profile /bin/bar {\n}\n',
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
expected_more_rules='\n profile /bin/bar flags=(audit) {\n}\n'
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_with_child_02(self):
Let set_profile_flags() change the flags for all hats It did this in the old 2.8 code, but didn't in 2.9.x (first there was a broken hat regex, then I commented out the hat handling to avoid breakage caused by the broken regex). This patch makes sure the hat flags get set when setting the flags for the main profile. Also change RE_PROFILE_HAT_DEF to use more named matches (leadingwhitespace and hat_keyword). Luckily all code that uses the regex uses named matches already, which means adding another (...) pair doesn't hurt. Finally adjust the tests: - change _test_set_flags to accept another optional parameter expected_more_rules (used to specify the expected hat definition) - add tests for hats (with '^foobar' and 'hat foobar' syntax) - add tests for child profiles, one of them commented out (see below) Remaining known issues (also added as TODO notes): - The hat and child profile flags are *overwritten* with the flags used for the main profile. (That's well-known behaviour from 2.8 :-/ but we have more flags now, which makes this more annoying.) The correct behaviour would be to add or remove the specified flag, while keeping other flags unchanged. - Child profiles are not handled/changed if you specify the 'program' parameter. This means: - 'aa-complain smbldap-useradd' or 'aa-complain /usr/sbin/smbldap-useradd' _will not_ change the flags for the nscd child profile - 'aa-complain /etc/apparmor.d/usr.sbin.smbldap-useradd' _will_ change the flags for the nscd child profile (and any other profile and child profile in that file) Even with those remaining issues (which need bigger changes in set_profile_flags() and maybe also in the whole flags handling), the patch improves things and fixes the regression from the 2.8 code. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9
2015-05-28 22:14:37 +02:00
# XXX child profile flags aren't changed if profile parameter is not None
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self._test_change_profile_flags(
'/foo', 'flags=(complain)', 'audit', True, 'audit, complain',
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
more_rules='\n profile /bin/bar {\n}\n',
expected_more_rules='\n profile /bin/bar {\n}\n' # flags(audit) should be added
)
def test_change_profile_flags_invalid_01(self):
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
with self.assertRaises(AppArmorBug):
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
self._test_change_profile_flags('/foo', '()', None, False, '', check_new_flags=False)
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_invalid_02(self):
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
with self.assertRaises(AppArmorBug):
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
self._test_change_profile_flags('/foo', 'flags=()', None, True, '', check_new_flags=False)
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_invalid_03(self):
let change_profile_flags() change flags in child profiles ... instead of overwriting them with the flags of the main profile. This fixes a longstanding issue with aa-complain, aa-enforce and aa-audit which broke the flags of child profiles and hats if they differed from the main profile. It also fixes several issues documented in the tests (which obviously need adjustment to match the fixed behaviour). Also change the "no profile found" cases to AppArmorException - errors in a profile are not worth triggering AppArmorBug ;-)
2018-07-25 23:22:33 +02:00
with self.assertRaises(AppArmorBug):
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
self._test_change_profile_flags('/foo', '( )', '', True, '', check_new_flags=False)
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_invalid_04(self):
change_profile_flags: raise AppArmorBug on empty new flag
2018-07-25 22:30:13 +02:00
with self.assertRaises(AppArmorBug):
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', ' ', True, 'audit, complain', check_new_flags=False) # whitespace-only newflags
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_other_profile(self):
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
# test behaviour if the file doesn't contain the specified /foo profile
orig_prof = '/no-such-profile flags=(complain) {\n}'
self.file = write_file(self.tmpdir, 'profile', orig_prof)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
with self.assertRaises(AppArmorException):
change_profile_flags(self.file, '/foo', 'audit', True)
[patch] make set_profile_flags more strict this patch makes set_profile_flags more strict: - raise AppArmorBug if newflags contains only whitespace - raise AppArmorBug if the file doesn't contain the specified profile or no profile at all The tests are adjusted to expect AppArmorBug instead of a silent failure. Also, some tests are added for profile=None, which means to change the flags for all profiles in a file. - test_set_flags_08 is now test_set_flags_invalid_04 - test_set_flags_invalid_03 is changed to only contain one reason for a failure, not two ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:25:18 +02:00
# the file should not be changed
real_new_prof = read_file(self.file)
self.assertEqual(orig_prof, real_new_prof)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_no_profile_found(self):
[patch] make set_profile_flags more strict this patch makes set_profile_flags more strict: - raise AppArmorBug if newflags contains only whitespace - raise AppArmorBug if the file doesn't contain the specified profile or no profile at all The tests are adjusted to expect AppArmorBug instead of a silent failure. Also, some tests are added for profile=None, which means to change the flags for all profiles in a file. - test_set_flags_08 is now test_set_flags_invalid_04 - test_set_flags_invalid_03 is changed to only contain one reason for a failure, not two ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:25:18 +02:00
# test behaviour if the file doesn't contain any profile
orig_prof = '# /comment flags=(complain) {\n# }'
self.file = write_file(self.tmpdir, 'profile', orig_prof)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
with self.assertRaises(AppArmorException):
change_profile_flags(self.file, None, 'audit', True)
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
# the file should not be changed
real_new_prof = read_file(self.file)
self.assertEqual(orig_prof, real_new_prof)
rewrite set_profile_flags() tests to use change_profile_flags() All callers call change_profile_flags(), so it makes sense to test this function instead of set_profile_flags(). Besides that, set_profile_flags() will be merged into change_profile_flags() in the next commit ;-) Note that this commit adds some '# XXX' notes to the tests. These will be addressed in later commits.
2018-07-25 22:20:48 +02:00
def test_change_profile_flags_file_not_found(self):
rewrite set_profile_flags() to use write_header() Changes in set_profile_flags(): - rewrite set_profile_flags to use parse_profile_start_line() and write_header(). - replace the silent failure for non-existing files with a proper exception (using lazy programming - the check is done by removing the "if os.path.isfile()" check, open_file_read then raises the exception ;-) - comment out regex_hat_flag and the code that was supposed to handle hat flags, which were totally broken. We'll need another patch to fix it, and we also need to decide if we want to do that because it introduces a behaviour change (currently, aa-complain etc. don't change hat flags). The tests for set_profile_flags() are also updated: - prepend a space to comments because write_header always adds a space between '{' and the comment - remove a test with superfluous quotes that are no longer kept (that's just a profile cleanup, so dropping that test is the easiest way) - update test_set_flags_10 and test_set_flags_12 to use the correct profile name - enable the tests for invalid (empty) flags - update the test for a non-existing file Note: test_set_flags_10, test_set_flags_12 and test_set_flags_nochange_09 will fail with this patch applied. The next patch will fix that. Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-03 17:20:14 +02:00
with self.assertRaises(IOError):
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
change_profile_flags(self.tmpdir + '/file-not-found', '/foo', 'audit', True)
add tests for set_profile_flags() (and some fun) Add various tests for set_profile_flags, and document various interesting[tm] things I discovered while writing the tests (see the inline comments for details). Also adds a read_file() function to common_test.py. The most interesting[tm] thing I found is: regex_hat_flag = re.compile('^([a-z]*)\s+([A-Z]*)\s*(#.*)?$') which matches various unexpected things - but not a hat :-/ (see mailinglist for all funny details) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:43:29 +02:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
[25/38] Set audit mode for all options Add set_options_audit_mode() to switch the audit mode in all options offered by aa-logprof and aa-mergeprof, not only the "original" rule (in aa-logprof, this means the non-globbed rule_obj). As usual, add some tests to ensure the function works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:05:27 +02:00
class AaTest_set_options_audit_mode(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Rename BaseRule's parse() method to create_instance()
2022-09-10 19:45:22 -04:00
((FileRule.create_instance('audit /foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,']), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']),
((FileRule.create_instance('audit /foo/bar r,'), ['/foo/bar r,', 'audit /foo/* r,', 'audit /** r,']), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']),
((FileRule.create_instance('/foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,']), ['/foo/bar r,', '/foo/* r,', '/** r,']),
((FileRule.create_instance('/foo/bar r,'), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']), ['/foo/bar r,', '/foo/* r,', '/** r,']),
((FileRule.create_instance('audit /foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '#include <abstractions/base>']), ['audit /foo/bar r,', 'audit /foo/* r,', '#include <abstractions/base>']),
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
[25/38] Set audit mode for all options Add set_options_audit_mode() to switch the audit mode in all options offered by aa-logprof and aa-mergeprof, not only the "original" rule (in aa-logprof, this means the non-globbed rule_obj). As usual, add some tests to ensure the function works as expected. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:05:27 +02:00
def _run_test(self, params, expected):
rule_obj, options = params
new_options = set_options_audit_mode(rule_obj, options)
self.assertEqual(new_options, expected)
Add some tests for aa.py get_profile_flags(). Also adds a check to get_profile_flags() to catch an invalid syntax: /foo ( ) { was accepted by get_profile_flags, while /foo () { failed. When testing with the parser, both result in a syntax error, therefore the patch makes sure it also fails in get_profile_flags(). Acked-by: Steve Beattie <steve@nxnw.org>
2015-03-02 19:36:20 +01:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
split set_options_audit_mode() and add set_options_owner_mode() - move the code of set_options_audit_mode() to a new function set_options_mode() and make set_options_audit_mode() a wrapper for it. - add set_options_owner_mode() as another wrapper for set_options_mode() and add code to switch the owner flag to set_options_mode() - add tests for set_options_owner_mode()
2017-12-17 16:42:12 +01:00
class AaTest_set_options_owner_mode(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Rename BaseRule's parse() method to create_instance()
2022-09-10 19:45:22 -04:00
((FileRule.create_instance('owner /foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,']), ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,']),
((FileRule.create_instance('owner /foo/bar r,'), ['/foo/bar r,', 'owner /foo/* r,', 'owner /** r,']), ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,']),
((FileRule.create_instance('/foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,']), ['/foo/bar r,', '/foo/* r,', '/** r,']),
((FileRule.create_instance('/foo/bar r,'), ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,']), ['/foo/bar r,', '/foo/* r,', '/** r,']),
((FileRule.create_instance('audit owner /foo/bar r,'), ['audit /foo/bar r,', 'audit /foo/* r,', '#include <abstractions/base>']), ['audit owner /foo/bar r,', 'audit owner /foo/* r,', '#include <abstractions/base>']),
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
split set_options_audit_mode() and add set_options_owner_mode() - move the code of set_options_audit_mode() to a new function set_options_mode() and make set_options_audit_mode() a wrapper for it. - add set_options_owner_mode() as another wrapper for set_options_mode() and add code to switch the owner flag to set_options_mode() - add tests for set_options_owner_mode()
2017-12-17 16:42:12 +01:00
def _run_test(self, params, expected):
rule_obj, options = params
new_options = set_options_owner_mode(rule_obj, options)
self.assertEqual(new_options, expected)
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
add tests for write_header() Also add loop support to test-aa.py. BTW: In case you wonder - the need to replace unittest.TestCase with AATest is intentional. It might look annoying, but it makes sure that a test-*.py file doesn't contain a test class where tests = [...] is ignored because it's still unittest.TestCase. (Technically, setup_all_tests() will error out if a test class doesn't contain tests = [...] - either explicit or via its parent AATest.) Acked-by: Steve Beattie <steve@nxnw.org>
2015-04-01 23:48:50 +02:00
class AaTest_is_skippable_file(AATest):
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_not_skippable_01(self):
self.assertFalse(is_skippable_file('bin.ping'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_not_skippable_02(self):
self.assertFalse(is_skippable_file('usr.lib.dovecot.anvil'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_not_skippable_03(self):
self.assertFalse(is_skippable_file('bin.~ping'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_not_skippable_04(self):
self.assertFalse(is_skippable_file('bin.rpmsave.ping'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_not_skippable_05(self):
# normally is_skippable_file should be called without directory, but it shouldn't hurt too much
self.assertFalse(is_skippable_file('/etc/apparmor.d/bin.ping'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_not_skippable_06(self):
self.assertFalse(is_skippable_file('bin.pingrej'))
def test_skippable_01(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-new'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_02(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-old'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_03(self):
self.assertTrue(is_skippable_file('bin.ping..dpkg-dist'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_04(self):
self.assertTrue(is_skippable_file('bin.ping..dpkg-bak'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_05(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('bin.ping.dpkg-remove'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_06(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('bin.ping.pacsave'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_07(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('bin.ping.pacnew'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_08(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('bin.ping.rpmnew'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_09(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('bin.ping.rpmsave'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
def test_skippable_10(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('bin.ping.orig'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
def test_skippable_11(self):
Add .pacsave/.pacnew to apparmor parser ignored list Currently there is a list of file extensions which apparmor parser should ignore which contains rpm and dpkg backup files. The list could be extended with extensions used by pacman package manager (Archlinux/Manjaro/Antergos): .pacsave .pacnew https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave References: https://gitlab.com/apparmor/apparmor/issues/3
2018-03-30 17:46:25 +02:00
self.assertTrue(is_skippable_file('bin.ping.rej'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add .pacsave/.pacnew to apparmor parser ignored list Currently there is a list of file extensions which apparmor parser should ignore which contains rpm and dpkg backup files. The list could be extended with extensions used by pacman package manager (Archlinux/Manjaro/Antergos): .pacsave .pacnew https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave References: https://gitlab.com/apparmor/apparmor/issues/3
2018-03-30 17:46:25 +02:00
def test_skippable_12(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('bin.ping~'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add .pacsave/.pacnew to apparmor parser ignored list Currently there is a list of file extensions which apparmor parser should ignore which contains rpm and dpkg backup files. The list could be extended with extensions used by pacman package manager (Archlinux/Manjaro/Antergos): .pacsave .pacnew https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave References: https://gitlab.com/apparmor/apparmor/issues/3
2018-03-30 17:46:25 +02:00
def test_skippable_13(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('.bin.ping'))
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add .pacsave/.pacnew to apparmor parser ignored list Currently there is a list of file extensions which apparmor parser should ignore which contains rpm and dpkg backup files. The list could be extended with extensions used by pacman package manager (Archlinux/Manjaro/Antergos): .pacsave .pacnew https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave References: https://gitlab.com/apparmor/apparmor/issues/3
2018-03-30 17:46:25 +02:00
def test_skippable_14(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('')) # empty filename
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add .pacsave/.pacnew to apparmor parser ignored list Currently there is a list of file extensions which apparmor parser should ignore which contains rpm and dpkg backup files. The list could be extended with extensions used by pacman package manager (Archlinux/Manjaro/Antergos): .pacsave .pacnew https://wiki.archlinux.org/index.php/Pacman/Pacnew_and_Pacsave References: https://gitlab.com/apparmor/apparmor/issues/3
2018-03-30 17:46:25 +02:00
def test_skippable_15(self):
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
self.assertTrue(is_skippable_file('/etc/apparmor.d/')) # directory without filename
utils: fix coding style to match PEP8 Annotate exceptions with ' # noqa: ERROR' Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-05-17 13:53:42 +02:00
Add ".dpkg-remove" to apparmor parser ignored list References: https://bugs.debian.org/893974
2018-03-30 18:05:06 +02:00
def test_skippable_16(self):
Update is_skippable_file() to match all extensions that are listed in libapparmor _aa_is_blacklisted() - some extensions were missing in the python code. Also make the code more readable and add some testcases. Notes: - the original code additionally ignored *.swp. I didn't include that - *.swp looks like vim swap files which are also dot files - the python code ignores README files, but the C code doesn't (do we need to add README in the C code?) Acked-by: Kshitij Gupta <kgupta8592@gmail.com> for 2.9 and trunk Acked-by: Steve Beattie <steve@nxnw.org>
2015-02-04 13:16:29 +01:00
self.assertTrue(is_skippable_file('README'))
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
let parse_profile_data() check for in-file duplicate profiles Add a check to parse_profile_data() to detect if a file contains two profiles with the same name. Note: Two profiles with the same name, but in different files, won't be detected by this check. Also add basic tests to ensure that a valid profile gets parsed, and two profiles with the same name inside the same file raise an exception. (Sidenote: these simple tests improve aa.py coverage from 9% to 12%, which also confirms the function is too long ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 13:00:32 +02:00
class AaTest_parse_profile_data(AATest):
def test_parse_empty_profile_01(self):
Add in_preamble parameter to profile loading/parsing functions in_preamble keeps track of the current parsing position. It's True while parsing the preamble of a profile file, and when loading an include file that is included in the preamble (typically tunables/*). While inside a profile or parsing abstractions/*, it is False. This commit only hands the information around and keeps in_preamble updated, but it doesn't really get used yet. Also adjust the tests to hand over the additional parameter to parse_profile_data().
2021-02-22 22:22:25 +01:00
prof = parse_profile_data('/foo {\n}\n'.split(), 'somefile', False, False)
let parse_profile_data() check for in-file duplicate profiles Add a check to parse_profile_data() to detect if a file contains two profiles with the same name. Note: Two profiles with the same name, but in different files, won't be detected by this check. Also add basic tests to ensure that a valid profile gets parsed, and two profiles with the same name inside the same file raise an exception. (Sidenote: these simple tests improve aa.py coverage from 9% to 12%, which also confirms the function is too long ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 13:00:32 +02:00
self.assertEqual(list(prof.keys()), ['/foo'])
parse_profile_data(): return merged profile names ... instead of the old [profile][hat] structure. This needs changes in read_profile() (now using the merged profile name) and attach_profile_data() (using merged_to_split() for now). Also adjust test-aa.py to expect the merged structure.
2021-04-04 00:45:14 +02:00
self.assertEqual(prof['/foo']['name'], '/foo')
self.assertEqual(prof['/foo']['filename'], 'somefile')
self.assertEqual(prof['/foo']['flags'], None)
let parse_profile_data() check for in-file duplicate profiles Add a check to parse_profile_data() to detect if a file contains two profiles with the same name. Note: Two profiles with the same name, but in different files, won't be detected by this check. Also add basic tests to ensure that a valid profile gets parsed, and two profiles with the same name inside the same file raise an exception. (Sidenote: these simple tests improve aa.py coverage from 9% to 12%, which also confirms the function is too long ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 13:00:32 +02:00
ProfileStorage: store parent profile ... and extend the tests to get some coverage.
2024-10-06 20:39:01 +02:00
def test_parse_parent_and_child(self):
prof = parse_profile_data('profile /foo {\nprofile /bar {\n}\n}\n'.split(), 'somefile', False, False)
self.assertEqual(list(prof.keys()), ['/foo', '/foo///bar'])
self.assertEqual(prof['/foo']['parent'], '')
self.assertEqual(prof['/foo']['name'], '/foo')
self.assertEqual(prof['/foo']['filename'], 'somefile')
self.assertEqual(prof['/foo']['flags'], None)
self.assertEqual(prof['/foo///bar']['parent'], '/foo')
self.assertEqual(prof['/foo///bar']['name'], '/bar')
self.assertEqual(prof['/foo///bar']['filename'], 'somefile')
self.assertEqual(prof['/foo///bar']['flags'], None)
parse_profile_data(): better way to check for duplicate hats Instead of checking filelist[file]['profiles'] for duplicate hats, check profile_data[profile][hat]. With this, the duplicate hat check is done in the same way as the check for duplicate profiles and child profiles. Also add tests for duplicate child profiles and duplicate hats.
2020-05-08 21:45:26 +02:00
def test_parse_duplicate_profile(self):
let parse_profile_data() check for in-file duplicate profiles Add a check to parse_profile_data() to detect if a file contains two profiles with the same name. Note: Two profiles with the same name, but in different files, won't be detected by this check. Also add basic tests to ensure that a valid profile gets parsed, and two profiles with the same name inside the same file raise an exception. (Sidenote: these simple tests improve aa.py coverage from 9% to 12%, which also confirms the function is too long ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 13:00:32 +02:00
with self.assertRaises(AppArmorException):
# file contains two profiles with the same name
Add in_preamble parameter to profile loading/parsing functions in_preamble keeps track of the current parsing position. It's True while parsing the preamble of a profile file, and when loading an include file that is included in the preamble (typically tunables/*). While inside a profile or parsing abstractions/*, it is False. This commit only hands the information around and keeps in_preamble updated, but it doesn't really get used yet. Also adjust the tests to hand over the additional parameter to parse_profile_data().
2021-02-22 22:22:25 +01:00
parse_profile_data('profile /foo {\n}\nprofile /foo {\n}\n'.split(), 'somefile', False, False)
let parse_profile_data() check for in-file duplicate profiles Add a check to parse_profile_data() to detect if a file contains two profiles with the same name. Note: Two profiles with the same name, but in different files, won't be detected by this check. Also add basic tests to ensure that a valid profile gets parsed, and two profiles with the same name inside the same file raise an exception. (Sidenote: these simple tests improve aa.py coverage from 9% to 12%, which also confirms the function is too long ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2015-05-29 13:00:32 +02:00
parse_profile_data(): better way to check for duplicate hats Instead of checking filelist[file]['profiles'] for duplicate hats, check profile_data[profile][hat]. With this, the duplicate hat check is done in the same way as the check for duplicate profiles and child profiles. Also add tests for duplicate child profiles and duplicate hats.
2020-05-08 21:45:26 +02:00
def test_parse_duplicate_child_profile(self):
with self.assertRaises(AppArmorException):
# file contains two child profiles with the same name
Add in_preamble parameter to profile loading/parsing functions in_preamble keeps track of the current parsing position. It's True while parsing the preamble of a profile file, and when loading an include file that is included in the preamble (typically tunables/*). While inside a profile or parsing abstractions/*, it is False. This commit only hands the information around and keeps in_preamble updated, but it doesn't really get used yet. Also adjust the tests to hand over the additional parameter to parse_profile_data().
2021-02-22 22:22:25 +01:00
parse_profile_data('profile /foo {\nprofile /bar {\n}\nprofile /bar {\n}\n}\n'.split(), 'somefile', False, False)
parse_profile_data(): better way to check for duplicate hats Instead of checking filelist[file]['profiles'] for duplicate hats, check profile_data[profile][hat]. With this, the duplicate hat check is done in the same way as the check for duplicate profiles and child profiles. Also add tests for duplicate child profiles and duplicate hats.
2020-05-08 21:45:26 +02:00
def test_parse_duplicate_hat(self):
with self.assertRaises(AppArmorException):
# file contains two hats with the same name
Add in_preamble parameter to profile loading/parsing functions in_preamble keeps track of the current parsing position. It's True while parsing the preamble of a profile file, and when loading an include file that is included in the preamble (typically tunables/*). While inside a profile or parsing abstractions/*, it is False. This commit only hands the information around and keeps in_preamble updated, but it doesn't really get used yet. Also adjust the tests to hand over the additional parameter to parse_profile_data().
2021-02-22 22:22:25 +01:00
parse_profile_data('profile /foo {\n^baz {\n}\n^baz {\n}\n}\n'.split(), 'somefile', False, False)
parse_profile_data(): better way to check for duplicate hats Instead of checking filelist[file]['profiles'] for duplicate hats, check profile_data[profile][hat]. With this, the duplicate hat check is done in the same way as the check for duplicate profiles and child profiles. Also add tests for duplicate child profiles and duplicate hats.
2020-05-08 21:45:26 +02:00
utils: add support to tools for profiles with xattrs Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-11-28 11:04:49 -08:00
def test_parse_xattrs_01(self):
Add in_preamble parameter to profile loading/parsing functions in_preamble keeps track of the current parsing position. It's True while parsing the preamble of a profile file, and when loading an include file that is included in the preamble (typically tunables/*). While inside a profile or parsing abstractions/*, it is False. This commit only hands the information around and keeps in_preamble updated, but it doesn't really get used yet. Also adjust the tests to hand over the additional parameter to parse_profile_data().
2021-02-22 22:22:25 +01:00
prof = parse_profile_data('/foo xattrs=(user.bar=bar) {\n}\n'.split(), 'somefile', False, False)
utils: add support to tools for profiles with xattrs Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-11-28 11:04:49 -08:00
self.assertEqual(list(prof.keys()), ['/foo'])
parse_profile_data(): return merged profile names ... instead of the old [profile][hat] structure. This needs changes in read_profile() (now using the merged profile name) and attach_profile_data() (using merged_to_split() for now). Also adjust test-aa.py to expect the merged structure.
2021-04-04 00:45:14 +02:00
self.assertEqual(prof['/foo']['name'], '/foo')
self.assertEqual(prof['/foo']['filename'], 'somefile')
self.assertEqual(prof['/foo']['flags'], None)
self.assertEqual(prof['/foo']['xattrs'], 'user.bar=bar')
utils: add support to tools for profiles with xattrs Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-11-28 11:04:49 -08:00
def test_parse_xattrs_02(self):
Add in_preamble parameter to profile loading/parsing functions in_preamble keeps track of the current parsing position. It's True while parsing the preamble of a profile file, and when loading an include file that is included in the preamble (typically tunables/*). While inside a profile or parsing abstractions/*, it is False. This commit only hands the information around and keeps in_preamble updated, but it doesn't really get used yet. Also adjust the tests to hand over the additional parameter to parse_profile_data().
2021-02-22 22:22:25 +01:00
prof = parse_profile_data('/foo xattrs=(user.bar=bar user.foo=*) {\n}\n'.split(), 'somefile', False, False)
utils: add support to tools for profiles with xattrs Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-11-28 11:04:49 -08:00
self.assertEqual(list(prof.keys()), ['/foo'])
parse_profile_data(): return merged profile names ... instead of the old [profile][hat] structure. This needs changes in read_profile() (now using the merged profile name) and attach_profile_data() (using merged_to_split() for now). Also adjust test-aa.py to expect the merged structure.
2021-04-04 00:45:14 +02:00
self.assertEqual(prof['/foo']['name'], '/foo')
self.assertEqual(prof['/foo']['filename'], 'somefile')
self.assertEqual(prof['/foo']['flags'], None)
self.assertEqual(prof['/foo']['xattrs'], 'user.bar=bar user.foo=*')
utils: add support to tools for profiles with xattrs Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-11-28 11:04:49 -08:00
def test_parse_xattrs_03(self):
d = '/foo xattrs=(user.bar=bar) flags=(complain) {\n}\n'
Add in_preamble parameter to profile loading/parsing functions in_preamble keeps track of the current parsing position. It's True while parsing the preamble of a profile file, and when loading an include file that is included in the preamble (typically tunables/*). While inside a profile or parsing abstractions/*, it is False. This commit only hands the information around and keeps in_preamble updated, but it doesn't really get used yet. Also adjust the tests to hand over the additional parameter to parse_profile_data().
2021-02-22 22:22:25 +01:00
prof = parse_profile_data(d.split(), 'somefile', False, False)
utils: add support to tools for profiles with xattrs Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-11-28 11:04:49 -08:00
self.assertEqual(list(prof.keys()), ['/foo'])
parse_profile_data(): return merged profile names ... instead of the old [profile][hat] structure. This needs changes in read_profile() (now using the merged profile name) and attach_profile_data() (using merged_to_split() for now). Also adjust test-aa.py to expect the merged structure.
2021-04-04 00:45:14 +02:00
self.assertEqual(prof['/foo']['name'], '/foo')
self.assertEqual(prof['/foo']['filename'], 'somefile')
self.assertEqual(prof['/foo']['flags'], 'complain')
self.assertEqual(prof['/foo']['xattrs'], 'user.bar=bar')
utils: add support to tools for profiles with xattrs Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-11-28 11:04:49 -08:00
def test_parse_xattrs_04(self):
with self.assertRaises(AppArmorException):
# flags before xattrs
d = '/foo flags=(complain) xattrs=(user.bar=bar) {\n}\n'
Add in_preamble parameter to profile loading/parsing functions in_preamble keeps track of the current parsing position. It's True while parsing the preamble of a profile file, and when loading an include file that is included in the preamble (typically tunables/*). While inside a profile or parsing abstractions/*, it is False. This commit only hands the information around and keeps in_preamble updated, but it doesn't really get used yet. Also adjust the tests to hand over the additional parameter to parse_profile_data().
2021-02-22 22:22:25 +01:00
parse_profile_data(d.split(), 'somefile', False, False)
utils: add support to tools for profiles with xattrs Signed-off-by: Eric Chiang <ericchiang@google.com>
2018-11-28 11:04:49 -08:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
class AaTest_get_file_perms_1(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
('/usr/share/common-licenses/foo/bar', {'allow': {'all': set(), 'owner': {'w'}}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/usr/share/common-licenses/**'}}),
('/dev/null', {'allow': {'all': {'r', 'w', 'k'}, 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/dev/null'}}),
('/foo/bar', {'allow': {'all': {'r', 'w'}, 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/foo/bar'}}), # exec perms not included
('/no/thing', {'allow': {'all': set(), 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': set()}),
('/usr/lib/ispell/', {'allow': {'all': set(), 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': set()}),
('/usr/lib/aspell/*.so', {'allow': {'all': set(), 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': set()}),
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
def _run_test(self, params, expected):
self.createTmpdir()
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
# copy the local profiles to the test directory
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
self.profile_dir = self.tmpdir + '/profiles'
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
[1/3] Rename profile_storage() to ProfileStorage() This is a preparation to make the next patch smaller and easier to read ;-) Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-07-11 13:30:29 +02:00
profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
# simple profile without any includes
Rename BaseRule's parse() method to create_instance()
2022-09-10 19:45:22 -04:00
profile['file'].add(FileRule.create_instance('owner /usr/share/common-licenses/** w,'))
profile['file'].add(FileRule.create_instance('/dev/null rwk,'))
profile['file'].add(FileRule.create_instance('/foo/bar rwix,'))
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
perms = get_file_perms(profile, params, False, False) # only testing with audit and deny = False
self.assertEqual(perms, expected)
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
class AaTest_get_file_perms_2(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
('/usr/share/common-licenses/foo/bar', {'allow': {'all': {'r'}, 'owner': {'w'}}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/usr/share/common-licenses/**'}}),
('/usr/share/common-licenses/what/ever', {'allow': {'all': {'r'}, 'owner': {'w'}}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/usr/share/common-licenses/**', '/usr/share/common-licenses/what/ever'}}),
('/dev/null', {'allow': {'all': {'r', 'w', 'k'}, 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/dev/null'}}),
('/foo/bar', {'allow': {'all': {'r', 'w'}, 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/foo/bar'}}), # exec perms not included
('/no/thing', {'allow': {'all': set(), 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': set()}),
('/usr/lib/ispell/', {'allow': {'all': {'r'}, 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/usr/lib/ispell/', '/{usr/,}lib{,32,64}/**'}}), # from abstractions/enchant
('/usr/lib/aspell/*.so', {'allow': {'all': {'m', 'r'}, 'owner': set()}, 'deny': {'all': set(), 'owner': set()}, 'paths': {'/usr/lib/aspell/*', '/usr/lib/aspell/*.so', '/{usr/,}lib{,32,64}/**', '/{usr/,}lib{,32,64}/**.so*'}}), # from abstractions/aspell via abstractions/enchant and from abstractions/base
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
def _run_test(self, params, expected):
self.createTmpdir()
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
# copy the local profiles to the test directory
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
self.profile_dir = self.tmpdir + '/profiles'
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
fix setting apparmor.aa.profile_dir in some tests
2020-06-01 15:54:34 +02:00
apparmor.aa.profile_dir = self.profile_dir
Change internal include file storage to absolute paths This removes the need to remove profile_dir from include paths at various places. A side effect is that aa-logprof / match_includes() now propose more include rules, for example matching local/ files. Another side effect is that proposals for include rules (match_includes() again) now come with the full path. Both side effects will be fixed in the next commits.
2020-06-01 17:03:52 +02:00
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/enchant'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/aspell'))
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
[1/3] Rename profile_storage() to ProfileStorage() This is a preparation to make the next patch smaller and easier to read ;-) Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-07-11 13:30:29 +02:00
profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
Rename BaseRule's parse() method to create_instance()
2022-09-10 19:45:22 -04:00
profile['inc_ie'].add(IncludeRule.create_instance('include <abstractions/base>'))
profile['inc_ie'].add(IncludeRule.create_instance('include <abstractions/bash>'))
profile['inc_ie'].add(IncludeRule.create_instance('include <abstractions/enchant>'))
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
Rename BaseRule's parse() method to create_instance()
2022-09-10 19:45:22 -04:00
profile['file'].add(FileRule.create_instance('owner /usr/share/common-licenses/** w,'))
profile['file'].add(FileRule.create_instance('owner /usr/share/common-licenses/what/ever a,')) # covered by the above 'w' rule, so 'a' should be ignored
profile['file'].add(FileRule.create_instance('/dev/null rwk,'))
profile['file'].add(FileRule.create_instance('/foo/bar rwix,'))
[23/38] Add get_file_perms() to aa.py get_file_perms() collects the existing permissions for a file from various rules (exact matches, wildcards) in the main profile and the included abstractions. It will be used to get displaying the current permissions back, and also to propose rules with merged permissions (next patch). Also add some tests to make sure it does what it promises ;-) Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:03:44 +02:00
perms = get_file_perms(profile, params, False, False) # only testing with audit and deny = False
self.assertEqual(perms, expected)
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
class AaTest_propose_file_rules(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
# log event path and perms expected proposals
(('/usr/share/common-licenses/foo/bar', 'w'), ['/usr/share/common*/foo/* rw,', '/usr/share/common-licenses/** rw,', '/usr/share/common-licenses/foo/bar rw,']),
(('/dev/null', 'wk'), ['/dev/null rwk,']),
(('/foo/bar', 'rw'), ['/foo/bar rw,']),
(('/usr/lib/ispell/', 'w'), ['/{usr/,}lib{,32,64}/** rw,', '/usr/lib/ispell/ rw,']),
(('/usr/lib/aspell/some.so', 'k'), ['/usr/lib/aspell/* mrk,', '/usr/lib/aspell/*.so mrk,', '/{usr/,}lib{,32,64}/** mrk,', '/{usr/,}lib{,32,64}/**.so* mrk,', '/usr/lib/aspell/some.so mrk,']),
(('/foo/log', 'w'), ['/foo/log w,']),
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
def _run_test(self, params, expected):
self.createTmpdir()
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
# copy the local profiles to the test directory
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
self.profile_dir = self.tmpdir + '/profiles'
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
fix setting apparmor.aa.profile_dir in some tests
2020-06-01 15:54:34 +02:00
apparmor.aa.profile_dir = self.profile_dir
Change internal include file storage to absolute paths This removes the need to remove profile_dir from include paths at various places. A side effect is that aa-logprof / match_includes() now propose more include rules, for example matching local/ files. Another side effect is that proposals for include rules (match_includes() again) now come with the full path. Both side effects will be fixed in the next commits.
2020-06-01 17:03:52 +02:00
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/enchant'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/aspell'))
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
# add some user_globs ('(N)ew') to simulate a professional aa-logprof user (and to make sure that part of the code also gets tested)
apparmor.aa.user_globs['/usr/share/common*/foo/*'] = AARE('/usr/share/common*/foo/*', True)
apparmor.aa.user_globs['/no/thi*ng'] = AARE('/no/thi*ng', True)
[1/3] Rename profile_storage() to ProfileStorage() This is a preparation to make the next patch smaller and easier to read ;-) Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-07-11 13:30:29 +02:00
profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
Rename BaseRule's parse() method to create_instance()
2022-09-10 19:45:22 -04:00
profile['inc_ie'].add(IncludeRule.create_instance('include <abstractions/base>'))
profile['inc_ie'].add(IncludeRule.create_instance('include <abstractions/bash>'))
profile['inc_ie'].add(IncludeRule.create_instance('include <abstractions/enchant>'))
store include rules (also) in 'inc_ie' (IncludeRueset) ... and write them (only) from 'inc_ie' (IncludeRuleset), which can handle both "include" and "include if exists" rules. This duplicates storage of include rules because 'include' is still used and needed at various places that work on/with the include rules. With this, we get removal of duplicate include lines insinde a profile in aa-cleanprof "for free" - extend cleanprof_test.in to confirm this.
2020-05-13 21:45:00 +02:00
Rename BaseRule's parse() method to create_instance()
2022-09-10 19:45:22 -04:00
profile['file'].add(FileRule.create_instance('owner /usr/share/common-licenses/** w,'))
profile['file'].add(FileRule.create_instance('/dev/null rwk,'))
profile['file'].add(FileRule.create_instance('/foo/bar rwix,'))
profile['file'].add(FileRule.create_instance('/foo/log a,')) # will be replaced with '/foo/log w,' (not 'wa')
[24/38] Add propose_file_rules() to propose globbed etc. file rules in aa-logprof aa.py: - add propose_file_rules() - will propose matching paths from existing rules in the profile or one of the includes - save user_globs if user selects '(N)ew' (will be re-used when proposing rules) - change user_globs to a dict so that it can carry the human-readable path and an AARE object for it - change order_globs() to ensure the original path (given as parameter) is always the last item in the resulting list - add a ruletype switch to ask_the_questions() so that it uses propose_file_rules() for file events (I don't like this ruletype-specific solution too much, but everything else would make things even more complicated) Also keep aa-mergeprof ask_the_questions() in sync with aa.py. In FileRule, add original_perms (might be set by propose_file_rules()) Finally, add some tests to ensure propose_file_rules() does what it promises. Acked-by: Steve Beattie <steve@nxnw.org>
2016-10-01 20:04:42 +02:00
rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
proposals = propose_file_rules(profile, rule_obj)
self.assertEqual(proposals, expected)
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
update python tools to support includes with absolute paths For now we only allow quoted absolute paths without spaces in the name due to: - 1738877: include rules don't handle files with spaces in the name - 1738879: include rules don't handle absolute paths without quotes in some versions of parser - 1738880: include rules don't handle relative paths in some versions of the parser
2017-12-18 19:37:35 +00:00
class AaTest_propose_file_rules_with_absolute_includes(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
# log event path and perms expected proposals
(('/not/found/anywhere', 'r'), ['/not/found/anywhere r,']),
(('/dev/null', 'w'), ['/dev/null rw,']),
(('/some/random/include', 'r'), ['/some/random/include rw,']),
(('/some/other/include', 'w'), ['/some/other/* rw,', '/some/other/inc* rw,', '/some/other/include rw,']),
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
update python tools to support includes with absolute paths For now we only allow quoted absolute paths without spaces in the name due to: - 1738877: include rules don't handle files with spaces in the name - 1738879: include rules don't handle absolute paths without quotes in some versions of parser - 1738880: include rules don't handle relative paths in some versions of the parser
2017-12-18 19:37:35 +00:00
def _run_test(self, params, expected):
self.createTmpdir()
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
# copy the local profiles to the test directory
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
self.profile_dir = self.tmpdir + '/profiles'
update python tools to support includes with absolute paths For now we only allow quoted absolute paths without spaces in the name due to: - 1738877: include rules don't handle files with spaces in the name - 1738879: include rules don't handle absolute paths without quotes in some versions of parser - 1738880: include rules don't handle relative paths in some versions of the parser
2017-12-18 19:37:35 +00:00
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
fix setting apparmor.aa.profile_dir in some tests
2020-06-01 15:54:34 +02:00
apparmor.aa.profile_dir = self.profile_dir
Change internal include file storage to absolute paths This removes the need to remove profile_dir from include paths at various places. A side effect is that aa-logprof / match_includes() now propose more include rules, for example matching local/ files. Another side effect is that proposals for include rules (match_includes() again) now come with the full path. Both side effects will be fixed in the next commits.
2020-06-01 17:03:52 +02:00
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
update python tools to support includes with absolute paths For now we only allow quoted absolute paths without spaces in the name due to: - 1738877: include rules don't handle files with spaces in the name - 1738879: include rules don't handle absolute paths without quotes in some versions of parser - 1738880: include rules don't handle relative paths in some versions of the parser
2017-12-18 19:37:35 +00:00
abs_include1 = write_file(self.tmpdir, 'test-abs1', "/some/random/include rw,")
apparmor.aa.load_include(abs_include1)
abs_include2 = write_file(self.tmpdir, 'test-abs2', "/some/other/* rw,")
apparmor.aa.load_include(abs_include2)
abs_include3 = write_file(self.tmpdir, 'test-abs3', "/some/other/inc* rw,")
apparmor.aa.load_include(abs_include3)
profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
Rename BaseRule's parse() method to create_instance()
2022-09-10 19:45:22 -04:00
profile['inc_ie'].add(IncludeRule.create_instance('include <abstractions/base>'))
Change string formatting method in Python tests
2023-02-19 16:26:14 -05:00
profile['inc_ie'].add(IncludeRule.create_instance('include "{}"'.format(abs_include1)))
profile['inc_ie'].add(IncludeRule.create_instance('include "{}"'.format(abs_include2)))
profile['inc_ie'].add(IncludeRule.create_instance('include "{}"'.format(abs_include3)))
update python tools to support includes with absolute paths For now we only allow quoted absolute paths without spaces in the name due to: - 1738877: include rules don't handle files with spaces in the name - 1738879: include rules don't handle absolute paths without quotes in some versions of parser - 1738880: include rules don't handle relative paths in some versions of the parser
2017-12-18 19:37:35 +00:00
rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
proposals = propose_file_rules(profile, rule_obj)
self.assertEqual(proposals, expected)
class AaTest_nonexistent_includes(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
("/nonexistent/absolute/path", AppArmorException),
("nonexistent/relative/path", AppArmorBug), # load_include() only accepts absolute paths
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
Add checks to load_include() to ensure absolute paths Also update the tests to the new behaviour.
2020-06-01 17:06:45 +02:00
def _run_test(self, params, expected):
with self.assertRaises(expected):
apparmor.aa.load_include(params)
update python tools to support includes with absolute paths For now we only allow quoted absolute paths without spaces in the name due to: - 1738877: include rules don't handle files with spaces in the name - 1738879: include rules don't handle absolute paths without quotes in some versions of parser - 1738880: include rules don't handle relative paths in some versions of the parser
2017-12-18 19:37:35 +00:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
add merged_to_split() ... and a little test for it. This function is meant to convert a merged foo['profile//hat'] to old-style foo_compat['profile']['hat'].
2021-04-02 19:35:59 +02:00
class AaTest_merged_to_split(AATest):
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
tests = (
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
("foo", ("foo", "foo")),
("foo//bar", ("foo", "bar")),
("foo//bar//baz", ("foo", "bar")), # XXX known limitation
Speed up list creations, and change lists to tuples where appropriate..
2022-06-18 14:30:49 -04:00
)
add merged_to_split() ... and a little test for it. This function is meant to convert a merged foo['profile//hat'] to old-style foo_compat['profile']['hat'].
2021-04-02 19:35:59 +02:00
def _run_test(self, params, expected):
merged = {}
merged[params] = True # simplified, but enough for this test
result = merged_to_split(merged)
profile, hat = expected
self.assertEqual(list(result.keys()), [profile])
self.assertEqual(list(result[profile].keys()), [hat])
self.assertTrue(result[profile][hat])
update python tools to support includes with absolute paths For now we only allow quoted absolute paths without spaces in the name due to: - 1738877: include rules don't handle files with spaces in the name - 1738879: include rules don't handle absolute paths without quotes in some versions of parser - 1738880: include rules don't handle relative paths in some versions of the parser
2017-12-18 19:37:35 +00:00
Fix most PEP 8 whitespace, indentation, and major line length violations.
2022-08-07 12:26:24 -04:00
utils: Require apparmor.aa users to call init_aa() Introduce an apparmor.aa.init_aa() method and move the initialization code of the apparmor.aa module into it. Note that this change will break any external users of apparmor.aa because global variables that were previously initialized when importing apparmor.aa will not be initialized unless a call to the new apparmor.aa.init_aa() method is made. The main purpose of this change is to allow the utils tests to be able to set a non-default location for configuration files. Instead of hard-coding the location of logprof.conf and other utils related configuration files to /etc/apparmor/, this patch allows it to be configured by calling apparmor.aa.init_aa(confdir=PATH). This allows for the make check target to use the in-tree config file, profiles, and parser by default. A helper method, setup_aa(), is added to common_test.py that checks for an environment variable containing a non-default configuration directory path prior to calling apparmor.aa.init_aa(). All test scripts that use apparmor.aa are updated to call setup_aa(). Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Suggested-by: Christian Boltz <apparmor@cboltz.de> Acked-by: Seth Arnold <seth.arnold@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de>
2017-03-02 21:21:53 +00:00
setup_aa(apparmor.aa)
Enable testloops for nosetests Ensure nosetests sees all tests in the tests[] tuples. This requires some name changes because nosetests thinks all function names containing "test" are tests. (A "not a test" docorator would be an alternative, but that would require some try/except magic to avoid a dependency on nose.) To avoid nosetests thinks the functions are a test, - rename setup_all_tests() to setup_all_loops() - rename regex_test() to _regex_test() (in test-regex_matches.py) Also add the module_name as parameter to setup_all_loops and always run it (not only if __name__ == '__main__'). Known issue: nosetests errors out with ValueError: no such test method in <class ...>: stub_test when trying to run a single test generated out of tests[]. (debugging hint: stub_test is the name used in setup_test_loop().) But that's still an improvement over not seeing those tests at all ;-) Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9.
2015-04-22 22:01:34 +02:00
setup_all_loops(__name__)
Add some tests for aa.py check_for_apparmor() Also change check_for_apparmor() to allow easier testing by optionally specifying alternative locations for /proc/filesystems and /proc/mounts as parameter. Note that the code in check_for_apparmor() differs from what the comment says - valid_path() only does syntax checks, but doesn't check if the directory exists. I added a comment saying exactly that. Acked-by: Steve Beattie <steve@nxnw.org>
2014-11-27 23:20:26 +01:00
if __name__ == '__main__':
make utils tests less verbose Given the big number of tests, printing a dot for each test (instead of multiple lines) is enough ;-)
2018-04-08 20:18:30 +02:00
unittest.main(verbosity=1)
Reference in a new issue Copy permalink