diff --git a/parser/tst/caching.py b/parser/tst/caching.py index 160ffc873..8d04aeac8 100755 --- a/parser/tst/caching.py +++ b/parser/tst/caching.py @@ -98,7 +98,8 @@ class AAParserCachingCommon(testlib.AATestTemplate): shutil.rmtree(self.tmp_dir) def get_cache_dir(self, create=False): - cmd = [config.parser, '--print-cache-dir'] + self.cmd_prefix + cmd = [config.parser, '--print-cache-dir'] + cmd.extend(self.cmd_prefix) rc, report = self.run_cmd(cmd) if rc != 0: if "unrecognized option '--print-cache-dir'" not in report: @@ -153,7 +154,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon): '''test profiles are not cached by default''' cmd = list(self.cmd_prefix) - cmd.extend(['-q', '-r', self.profile]) + cmd.extend(('-q', '-r', self.profile)) self.run_cmd_check(cmd) self.assert_path_exists(os.path.join(self.cache_dir, PROFILE), expected=False) @@ -161,7 +162,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon): '''test profiles are not cached with --skip-cache''' cmd = list(self.cmd_prefix) - cmd.extend(['-q', '--write-cache', '--skip-cache', '-r', self.profile]) + cmd.extend(('-q', '--write-cache', '--skip-cache', '-r', self.profile)) self.run_cmd_check(cmd) self.assert_path_exists(os.path.join(self.cache_dir, PROFILE), expected=False) @@ -169,7 +170,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon): '''test profiles are cached when requested''' cmd = list(self.cmd_prefix) - cmd.extend(['-q', '--write-cache', '-r', self.profile]) + cmd.extend(('-q', '--write-cache', '-r', self.profile)) self.run_cmd_check(cmd) self.assert_path_exists(os.path.join(self.cache_dir, PROFILE)) 
@@ -177,7 +178,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon): '''test features file is written when caching''' cmd = list(self.cmd_prefix) - cmd.extend(['-q', '--write-cache', '-r', self.profile]) + cmd.extend(('-q', '--write-cache', '-r', self.profile)) self.run_cmd_check(cmd) self.assert_path_exists(os.path.join(self.cache_dir, PROFILE)) self.assert_path_exists(os.path.join(self.cache_dir, '.features')) @@ -188,7 +189,7 @@ class AAParserBasicCachingTests(AAParserCachingCommon): self.require_apparmorfs() cmd = list(self.cmd_prefix) - cmd.extend(['-q', '--write-cache', '-r', self.profile]) + cmd.extend(('-q', '--write-cache', '-r', self.profile)) self.run_cmd_check(cmd) self.assert_path_exists(os.path.join(self.cache_dir, PROFILE)) self.assert_path_exists(os.path.join(self.cache_dir, '.features')) @@ -206,7 +207,7 @@ class AAParserAltCacheBasicTests(AAParserBasicCachingTests): os.chmod(alt_cache_loc, 0o755) self.unused_cache_loc = self.cache_dir - self.cmd_prefix.extend(['--cache-loc', alt_cache_loc]) + self.cmd_prefix.extend(('--cache-loc', alt_cache_loc)) self.cache_dir = self.get_cache_dir() def tearDown(self): @@ -253,7 +254,7 @@ class AAParserCachingTests(AAParserCachingCommon): def _generate_cache_file(self): cmd = list(self.cmd_prefix) - cmd.extend(['-q', '--write-cache', '-r', self.profile]) + cmd.extend(('-q', '--write-cache', '-r', self.profile)) self.run_cmd_check(cmd) self.assert_path_exists(self.cache_file) @@ -282,7 +283,7 @@ class AAParserCachingTests(AAParserCachingCommon): self._generate_cache_file() cmd = list(self.cmd_prefix) - cmd.extend(['-v', '-r', self.profile]) + cmd.extend(('-v', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Cached reload succeeded') def test_cache_not_loaded_when_skip_arg(self): 
@@ -291,7 +292,7 @@ class AAParserCachingTests(AAParserCachingCommon): self._generate_cache_file() cmd = list(self.cmd_prefix) - cmd.extend(['-v', '--skip-cache', '-r', self.profile]) + cmd.extend(('-v', '--skip-cache', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') def test_cache_not_loaded_when_skip_read_arg(self): @@ -300,7 +301,7 @@ class AAParserCachingTests(AAParserCachingCommon): self._generate_cache_file() cmd = list(self.cmd_prefix) - cmd.extend(['-v', '--skip-read-cache', '-r', self.profile]) + cmd.extend(('-v', '--skip-read-cache', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') def test_cache_not_loaded_when_features_differ(self): @@ -311,7 +312,7 @@ class AAParserCachingTests(AAParserCachingCommon): testlib.write_file(self.cache_dir, '.features', 'monkey\n') cmd = list(self.cmd_prefix) - cmd.extend(['-v', '-r', self.profile]) + cmd.extend(('-v', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') def test_cache_writing_does_not_overwrite_features_when_features_differ(self): @@ -322,7 +323,7 @@ class AAParserCachingTests(AAParserCachingCommon): features_file = testlib.write_file(self.cache_dir, '.features', 'monkey\n') cmd = list(self.cmd_prefix) - cmd.extend(['-v', '--write-cache', '--skip-bad-cache', '-r', self.profile]) + cmd.extend(('-v', '--write-cache', '--skip-bad-cache', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') self.assert_path_exists(features_file) # ensure that the features does *not* match the current features set 
@@ -334,7 +335,7 @@ class AAParserCachingTests(AAParserCachingCommon): testlib.write_file(self.cache_dir, '.features', 'monkey\n') cmd = list(self.cmd_prefix) - cmd.extend(['-v', '--write-cache', '--skip-bad-cache', '-r', self.profile]) + cmd.extend(('-v', '--write-cache', '--skip-bad-cache', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') self.assert_path_exists(self.cache_file, expected=False) @@ -349,7 +350,7 @@ class AAParserCachingTests(AAParserCachingCommon): new_features_file = new_file + '/.features'; cmd = list(self.cmd_prefix) - cmd.extend(['-v', '--write-cache', '-r', self.profile]) + cmd.extend(('-v', '--write-cache', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') self.assert_path_exists(features_file) self.assert_path_exists(new_features_file) @@ -362,7 +363,7 @@ class AAParserCachingTests(AAParserCachingCommon): orig_stat = os.stat(cache_file) cmd = list(self.cmd_prefix) - cmd.extend(['-v', '--write-cache', '-r', self.profile]) + cmd.extend(('-v', '--write-cache', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') self.assert_path_exists(cache_file) stat = os.stat(cache_file) @@ -378,7 +379,7 @@ class AAParserCachingTests(AAParserCachingCommon): check_file = testlib.write_file(self.cache_dir, 'monkey', 'monkey\n') cmd = list(self.cmd_prefix) - cmd.extend(['-v', '--write-cache', '-r', self.profile]) + cmd.extend(('-v', '--write-cache', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') self.assert_path_exists(check_file, expected=False) @@ -416,7 +417,7 @@ class AAParserCachingTests(AAParserCachingCommon): orig_stat = os.stat(self.cache_file) cmd = list(self.cmd_prefix) - cmd.extend(['-v', '-r', self.profile]) + cmd.extend(('-v', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') stat = os.stat(self.cache_file) 
@@ -434,7 +435,7 @@ class AAParserCachingTests(AAParserCachingCommon): orig_stat = os.stat(self.cache_file) cmd = list(self.cmd_prefix) - cmd.extend(['-v', '-r', self.profile]) + cmd.extend(('-v', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') stat = os.stat(self.cache_file) @@ -452,7 +453,7 @@ class AAParserCachingTests(AAParserCachingCommon): orig_stat = os.stat(self.cache_file) cmd = list(self.cmd_prefix) - cmd.extend(['-v', '-r', '-W', self.profile]) + cmd.extend(('-v', '-r', '-W', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') stat = os.stat(self.cache_file) @@ -469,7 +470,7 @@ class AAParserCachingTests(AAParserCachingCommon): orig_stat = os.stat(self.cache_file) cmd = list(self.cmd_prefix) - cmd.extend(['-v', '-r', '-W', self.profile]) + cmd.extend(('-v', '-r', '-W', self.profile)) self.run_cmd_check(cmd, expected_string='Replacement succeeded for') stat = os.stat(self.cache_file) @@ -489,7 +490,7 @@ class AAParserCachingTests(AAParserCachingCommon): cmd = list(self.cmd_prefix) cmd[0] = new_parser - cmd.extend(['-v', '-r', self.profile]) + cmd.extend(('-v', '-r', self.profile)) self.run_cmd_check(cmd, expected_string='Cached reload succeeded for') def _purge_cache_test(self, location): @@ -497,7 +498,7 @@ class AAParserCachingTests(AAParserCachingCommon): cache_file = testlib.write_file(self.cache_dir, location, 'monkey\n') cmd = list(self.cmd_prefix) - cmd.extend(['-v', '--purge-cache', '-r', self.profile]) + cmd.extend(('-v', '--purge-cache', '-r', self.profile)) self.run_cmd_check(cmd) # no message is output self.assert_path_exists(cache_file, expected=False) 
@@ -526,7 +527,7 @@ class AAParserAltCacheTests(AAParserCachingTests): os.chmod(alt_cache_loc, 0o755) self.orig_cache_dir = self.cache_dir - self.cmd_prefix.extend(['--cache-loc', alt_cache_loc]) + self.cmd_prefix.extend(('--cache-loc', alt_cache_loc)) self.cache_dir = self.get_cache_dir(create=True) self.cache_file = os.path.join(self.cache_dir, PROFILE) @@ -540,7 +541,7 @@ class AAParserAltCacheTests(AAParserCachingTests): # skip tearDown check to ensure non-alt cache is empty self.check_orig_cache = False - filelist = [PROFILE, '.features', 'monkey'] + filelist = (PROFILE, '.features', 'monkey') for f in filelist: testlib.write_file(self.orig_cache_dir, f, 'monkey\n') diff --git a/parser/tst/errors.py b/parser/tst/errors.py index 1f4c4503d..85e7d0d91 100755 --- a/parser/tst/errors.py +++ b/parser/tst/errors.py @@ -36,9 +36,9 @@ class AAErrorTests(testlib.AATestTemplate): else: self.assertEqual(rc, 0, report) - ignore_messages = [ + ignore_messages = ( 'Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)\n', - ] + ) for ign in ignore_messages: if ign in outerr: outerr = outerr.replace(ign, '') diff --git a/parser/tst/gen-dbus.py b/parser/tst/gen-dbus.py index de144e2a5..1f2db8ac1 100755 --- a/parser/tst/gen-dbus.py +++ b/parser/tst/gen-dbus.py @@ -22,7 +22,7 @@ def get_rule (quantifier, perms, session, name, path, interface, member, peer): result = ' ' - for part in [quantifier, 'dbus', perms, session, name, path, interface, member, peer]: + for part in (quantifier, 'dbus', perms, session, name, path, interface, member, peer): if part: result += ' %s' % part 
@@ -59,8 +59,8 @@ def gen_files (test, xres, quantifiers, perms, sessions, names, paths, interface count=0 -quantifier = ['', 'deny', 'audit'] -session = ['', 'bus=session', 'bus=system', 'bus=accessibility'] +quantifier = ('', 'deny', 'audit') +session = ('', 'bus=session', 'bus=system', 'bus=accessibility') path = ['', 'path=/foo/bar', 'path="/foo/bar"'] interface = ['', 'interface=com.baz', 'interface="com.baz"'] member = ['', 'member=bar', 'member="bar"'] @@ -100,12 +100,14 @@ msg_perms = [ '(receive write)', ] +empty_tup = ('',) + gen_files('message-rules', 'PASS', quantifier, msg_perms, session, - [''], path, interface, member, peer) + empty_tup, path, interface, member, peer) gen_files('service-rules', 'PASS', quantifier, ['bind'], session, - name, [''], [''], [''], ['']) + name, empty_tup, empty_tup, empty_tup, empty_tup) gen_files('eavesdrop-rules', 'PASS', quantifier, ['eavesdrop'], session, - [''], [''], [''], [''], ['']) + empty_tup, empty_tup, empty_tup, empty_tup, empty_tup) gen_file('sloppy-formatting', 'PASS', '', '(send , receive )', 'bus=session', '', 'path ="/foo/bar"', 'interface = com.foo', ' member=bar', 'peer =( label= /usr/bin/app name ="com.foo")') 
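Review bot: In the `@@ -100,12 +100,14` hunk of parser/tst/gen-dbus.py the `service-rules` and `eavesdrop-rules` calls still pass `['bind']` and `['eavesdrop']`, while the next hunk of the same file writes the same arguments as `('bind',)` and `('eavesdrop',)`. Use the tuple form here too so the file reads consistently. `interface` and `member` have to remain lists because `.remove('')` is called on them further down (visible in the following hunk), and the reason `path` is kept as a list is not visible here. A short comment above those assignments, such as `# kept as lists: entries are removed in place below`, would stop a later cleanup from converting them by mistake.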
@@ -122,26 +124,26 @@ interface.remove('') member.remove('') peer.remove('peer=()') -gen_files('message-incompat', 'FAIL', quantifier, msg_perms, session, name, [''], [''], [''], ['']) -gen_files('service-incompat', 'FAIL', quantifier, ['bind'], session, name, path, [''], [''], ['']) -gen_files('service-incompat', 'FAIL', quantifier, ['bind'], session, name, [''], interface, [''], ['']) -gen_files('service-incompat', 'FAIL', quantifier, ['bind'], session, name, [''], [''], member, ['']) -gen_files('service-incompat', 'FAIL', quantifier, ['bind'], session, name, [''], [''], [''], peer) -gen_files('eavesdrop-incompat', 'FAIL', quantifier, ['eavesdrop'], session, name, path, interface, member, peer) +gen_files('message-incompat', 'FAIL', quantifier, msg_perms, session, name, empty_tup, empty_tup, empty_tup, empty_tup) +gen_files('service-incompat', 'FAIL', quantifier, ('bind',), session, name, path, empty_tup, empty_tup, empty_tup) +gen_files('service-incompat', 'FAIL', quantifier, ('bind',), session, name, empty_tup, interface, empty_tup, empty_tup) +gen_files('service-incompat', 'FAIL', quantifier, ('bind',), session, name, empty_tup, empty_tup, member, empty_tup) +gen_files('service-incompat', 'FAIL', quantifier, ('bind',), session, name, empty_tup, empty_tup, empty_tup, peer) +gen_files('eavesdrop-incompat', 'FAIL', quantifier, ('eavesdrop',), session, name, path, interface, member, peer) -gen_files('pairing-unsupported', 'FAIL', quantifier, ['send', 'bind'], - session, ['name=sn', 'label=sl'], [''], [''], [''], - ['peer=(name=pn)', 'peer=(label=pl)']) +gen_files('pairing-unsupported', 'FAIL', quantifier, ('send', 'bind'), + session, ('name=sn', 'label=sl'), empty_tup, empty_tup, empty_tup, + ('peer=(name=pn)', 'peer=(label=pl)')) # missing bus= prefix gen_file('bad-formatting', 'FAIL', '', 'send', 'session', '', '', '', '', '') # incorrectly formatted permissions -gen_files('bad-perms', 'FAIL', [''], ['send receive', '(send', 'send)'], - ['bus=session'], [''], 
[''], [''], [''], ['']) +gen_files('bad-perms', 'FAIL', empty_tup, ('send receive', '(send', 'send)'), + ('bus=session',), empty_tup, empty_tup, empty_tup, empty_tup, empty_tup) # invalid permissions -gen_files('bad-perms', 'FAIL', [''], - ['a', 'x', 'Ux', 'ix', 'm', 'k', 'l', '(a)', '(x)'], [''], [''], - [''], [''], [''], ['']) +gen_files('bad-perms', 'FAIL', empty_tup, + ('a', 'x', 'Ux', 'ix', 'm', 'k', 'l', '(a)', '(x)'), empty_tup, empty_tup, + empty_tup, empty_tup, empty_tup, empty_tup) gen_file('duplicated-conditionals', 'FAIL', '', 'bus=1 bus=2', '', '', '', '', '', '') gen_file('duplicated-conditionals', 'FAIL', '', 'name=1 name=2', '', '', '', '', '', '') diff --git a/parser/tst/testlib.py b/parser/tst/testlib.py index c6be19570..66e729e1f 100644 --- a/parser/tst/testlib.py +++ b/parser/tst/testlib.py @@ -86,7 +86,7 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass): (rc, out, outerr) = self._run_cmd(command, input, stderr, stdout, stdin, timeout) report = out + outerr - return [rc, report] + return rc, report def _run_cmd(self, command, input=None, stderr=subprocess.PIPE, stdout=subprocess.PIPE, stdin=None, timeout=120): @@ -96,7 +96,7 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass): sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True, preexec_fn=subprocess_setup, universal_newlines=True) except OSError as e: - return [127, str(e)] + return 127, str(e) timeout_communicate = TimeoutFunction(sp.communicate, timeout) out, outerr = (None, None) @@ -115,7 +115,7 @@ class AATestTemplate(unittest.TestCase, metaclass=AANoCleanupMetaClass): if outerr is None: outerr = '' - return (rc, out, outerr) + return rc, out, outerr # Timeout handler using alarm() from John P. Speno's Pythonic Avocado diff --git a/parser/tst/valgrind_simple.py b/parser/tst/valgrind_simple.py index 5a66f4e18..36c767c6d 100755 --- a/parser/tst/valgrind_simple.py +++ b/parser/tst/valgrind_simple.py 
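Review bot: In parser/tst/testlib.py, `_run_cmd` returns the two-element `127, str(e)` when `subprocess.Popen` raises `OSError`, but `run_cmd` unpacks the result as `(rc, out, outerr) = self._run_cmd(...)`. A parser binary that is missing or not executable therefore surfaces as a `ValueError` from the unpacking rather than as rc 127 with the OS error text. The commit keeps that arity when it turns the list into a tuple. Returning three values, `return 127, '', str(e)`, keeps `report = out + outerr` working. `run_cmd` begins outside its hunk.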
@@ -42,8 +42,8 @@ class AAParserValgrindTests(testlib.AATestTemplate): self.maxDiff = None def _runtest(self, testname, config): - parser_args = ['-Q', '-I', config.testdir, '-M', './features_files/features.all'] - failure_rc = [VALGRIND_ERROR_CODE, testlib.TIMEOUT_ERROR_CODE] + parser_args = ('-Q', '-I', config.testdir, '-M', './features_files/features.all') + failure_rc = (VALGRIND_ERROR_CODE, testlib.TIMEOUT_ERROR_CODE) command = [config.valgrind] command.extend(VALGRIND_ARGS) command.append(config.parser) diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py index 9c9326928..2a85249e4 100644 --- a/utils/apparmor/aa.py +++ b/utils/apparmor/aa.py @@ -367,7 +367,7 @@ def get_reqs(file): if not os.path.isfile(ldd) or not os.access(ldd, os.EX_OK): raise AppArmorException('Can\'t find ldd') - ret, ldd_out = get_output([ldd, file]) + ret, ldd_out = get_output((ldd, file)) if ret == 0 or ret == 1: for line in ldd_out: if 'not a dynamic executable' in line: # comes with ret == 1 @@ -432,7 +432,7 @@ def get_interpreter_and_abstraction(exec_target): interpreter_path = get_full_path(interpreter) interpreter = re.sub('^(/usr)?/bin/', '', interpreter_path) - if interpreter in ['bash', 'dash', 'sh']: + if interpreter in ('bash', 'dash', 'sh'): abstraction = 'abstractions/bash' elif interpreter == 'perl': abstraction = 'abstractions/perl' @@ -755,7 +755,7 @@ def ask_addhat(hashlog): context = profile + ' -> ^%s' % hat ans = transitions.get(context, 'XXXINVALIDXXX') - while ans not in ['CMD_ADDHAT', 'CMD_USEDEFAULT', 'CMD_DENY']: + while ans not in ('CMD_ADDHAT', 'CMD_USEDEFAULT', 'CMD_DENY'): q = aaui.PromptQuestion() q.headers.extend((_('Profile'), profile)) 
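Review bot: The guard at the top of the `get_reqs` hunk in utils/apparmor/aa.py, `os.access(ldd, os.EX_OK)`, does not test executability. `os.EX_OK` is the process exit status 0, which has the same value as `os.F_OK`, so the call only checks that the path exists. The intended mode is presumably `os.X_OK`, i.e. `if not os.path.isfile(ldd) or not os.access(ldd, os.X_OK):`. The line is unchanged context in this commit, and `get_reqs` starts and ends outside the hunk. Separately, the ldd manual advises against running ldd on untrusted executables, so a comment stating what callers may pass as `file` would be useful; the callers are not visible here.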
@@ -883,7 +883,7 @@ def ask_exec(hashlog): # ask user about the exec mode to use ans = '' - while ans not in ['CMD_ix', 'CMD_px', 'CMD_cx', 'CMD_nx', 'CMD_pix', 'CMD_cix', 'CMD_nix', 'CMD_ux', 'CMD_DENY']: # add '(I)gnore'? (hotkey conflict with '(i)x'!) + while ans not in ('CMD_ix', 'CMD_px', 'CMD_cx', 'CMD_nx', 'CMD_pix', 'CMD_cix', 'CMD_nix', 'CMD_ux', 'CMD_DENY'): # add '(I)gnore'? (hotkey conflict with '(i)x'!) ans = q.promptUser()[0] if ans.startswith('CMD_EXEC_IX_'): @@ -916,7 +916,7 @@ def ask_exec(hashlog): if ans == 'CMD_ix': exec_mode = 'ix' - elif ans in ['CMD_px', 'CMD_cx', 'CMD_pix', 'CMD_cix']: + elif ans in ('CMD_px', 'CMD_cx', 'CMD_pix', 'CMD_cix'): exec_mode = ans.replace('CMD_', '') px_msg = _("Should AppArmor sanitise the environment when\nswitching profiles?\n\nSanitising environment is more secure,\nbut some applications depend on the presence\nof LD_PRELOAD or LD_LIBRARY_PATH.") if parent_uses_ld_xxx: @@ -1082,7 +1082,7 @@ def ask_the_questions(log_dict): continue ans = '' - while ans not in ['CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY']: + while ans not in ('CMD_ADDHAT', 'CMD_ADDSUBPROFILE', 'CMD_DENY'): q = aaui.PromptQuestion() q.headers.extend((_('Profile'), profile)) @@ -1625,7 +1625,7 @@ def collapse_log(hashlog, ignore_null_profiles=True): # Depending on the access type, not all parameters are allowed. # Ignore them, even if some of them appear in the log. # Also, the log doesn't provide a peer name, therefore always use ALL. - if access in ['send', 'receive']: + if access in ('send', 'receive'): dbus_event = DbusRule(access, bus, path, DbusRule.ALL, interface, member, DbusRule.ALL, peer_profile, log_event=True) elif access == 'bind': dbus_event = DbusRule(access, bus, DbusRule.ALL, name, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, log_event=True) 
@@ -1893,7 +1893,7 @@ def parse_profile_data(data, file, do_include, in_preamble): mount_rule.audit = audit mount_rule.deny = (allow == 'deny') - mount_rules = profile_data[profname][allow].get('mount', list()) + mount_rules = profile_data[profname][allow].get('mount', []) mount_rules.append(mount_rule) profile_data[profname][allow]['mount'] = mount_rules @@ -1915,7 +1915,7 @@ def parse_profile_data(data, file, do_include, in_preamble): pivot_root_rule.audit = audit pivot_root_rule.deny = (allow == 'deny') - pivot_root_rules = profile_data[profname][allow].get('pivot_root', list()) + pivot_root_rules = profile_data[profname][allow].get('pivot_root', []) pivot_root_rules.append(pivot_root_rule) profile_data[profname][allow]['pivot_root'] = pivot_root_rules @@ -1937,7 +1937,7 @@ def parse_profile_data(data, file, do_include, in_preamble): unix_rule.audit = audit unix_rule.deny = (allow == 'deny') - unix_rules = profile_data[profname][allow].get('unix', list()) + unix_rules = profile_data[profname][allow].get('unix', []) unix_rules.append(unix_rule) profile_data[profname][allow]['unix'] = unix_rules @@ -2001,7 +2001,7 @@ def parse_profile_data(data, file, do_include, in_preamble): def match_line_against_rule_classes(line, profile, file, lineno, in_preamble): ''' handle all lines handled by *Rule classes ''' - for rule_name in [ + for rule_name in ( 'abi', 'alias', 'boolean', @@ -2015,7 +2015,7 @@ def match_line_against_rule_classes(line, profile, file, lineno, in_preamble): 'ptrace', 'rlimit', 'signal', - ]: + ): if rule_name in ruletypes: rule_class = ruletypes[rule_name]['rule'] 
@@ -2246,8 +2246,8 @@ def get_file_perms(profile, path, audit, deny): for incname in includelist: incperms = include[incname][incname]['file'].get_perms_for_path(path, audit, deny) - for allow_or_deny in ['allow', 'deny']: - for owner_or_all in ['all', 'owner']: + for allow_or_deny in ('allow', 'deny'): + for owner_or_all in ('all', 'owner'): for perm in incperms[allow_or_deny][owner_or_all]: perms[allow_or_deny][owner_or_all].add(perm) @@ -2311,7 +2311,7 @@ def reload_base(bin_path): def reload_profile(prof_filename, raise_exc=False): ''' run apparmor_parser to reload the given profile file ''' - ret, out = cmd([parser, '-I%s' % profile_dir, '--base', profile_dir, '-r', prof_filename]) + ret, out = cmd((parser, '-I%s' % profile_dir, '--base', profile_dir, '-r', prof_filename)) if ret != 0: if raise_exc: diff --git a/utils/apparmor/common.py b/utils/apparmor/common.py index 39c1a0f1f..1f4a26c4b 100644 --- a/utils/apparmor/common.py +++ b/utils/apparmor/common.py @@ -273,7 +273,7 @@ if sys.version_info[0] > 2: def type_is_str(var): ''' returns True if the given variable is a str (or unicode string when using python 2)''' - if type(var) in [str, unicode]: # python 2 sometimes uses the 'unicode' type + if type(var) in (str, unicode): # python 2 sometimes uses the 'unicode' type return True else: return False diff --git a/utils/apparmor/easyprof.py b/utils/apparmor/easyprof.py index a6d5d394e..5496f7ff4 100644 --- a/utils/apparmor/easyprof.py +++ b/utils/apparmor/easyprof.py @@ -255,9 +255,9 @@ def verify_policy(policy, exe, base=None, include=None): command = [exe, '-QTK'] if base: - command.extend(['-b', base]) + command.extend(('-b', base)) if include: - command.extend(['-I', include]) + command.extend(('-I', include)) command.append(fn) rc, out = cmd(command) 
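Review bot: `type_is_str` in utils/apparmor/common.py still wraps the membership test in an `if ...: return True else: return False` ladder. Since the line is being touched anyway, it can return the expression directly: `return type(var) in (str, unicode)`. That keeps the exact-type semantics, whereas switching to `isinstance` would also accept subclasses and should be a separate, deliberate change. The same exact-type pattern appears in the `check_and_split_list` hunk of utils/apparmor/rule/__init__.py (`type(lst) in (list, tuple, set)`), where a brief comment on whether subclasses are meant to be rejected would help.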
@@ -329,9 +329,9 @@ class AppArmorEasyProfile: self.policy_vendor = opt.policy_vendor self.policy_version = str(opt.policy_version) - for i in ['templates', 'policygroups']: - d = os.path.join(self.dirs[i], \ - self.policy_vendor, \ + for i in ('templates', 'policygroups'): + d = os.path.join(self.dirs[i], + self.policy_vendor, self.policy_version) if not os.path.isdir(d): raise AppArmorException( diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py index 02483b46d..75e61149a 100644 --- a/utils/apparmor/logparser.py +++ b/utils/apparmor/logparser.py @@ -157,7 +157,7 @@ class ReadLog: if aamode == 'UNKNOWN': raise AppArmorBug('aamode is UNKNOWN - %s' % e['type']) # should never happen - if aamode in ['AUDIT', 'STATUS', 'ERROR']: + if aamode in ('AUDIT', 'STATUS', 'ERROR'): return None # Skip if AUDIT event was issued due to a change_hat in unconfined mode diff --git a/utils/apparmor/profile_storage.py b/utils/apparmor/profile_storage.py index 4f870d35e..cde5a053c 100644 --- a/utils/apparmor/profile_storage.py +++ b/utils/apparmor/profile_storage.py @@ -80,12 +80,12 @@ class ProfileStorage: data['deny'] = dict() # mount, pivot_root, unix have a .get() fallback to list() - initialize them nevertheless - data['allow']['mount'] = list() - data['deny']['mount'] = list() - data['allow']['pivot_root'] = list() - data['deny']['pivot_root'] = list() - data['allow']['unix'] = list() - data['deny']['unix'] = list() + data['allow']['mount'] = [] + data['deny']['mount'] = [] + data['allow']['pivot_root'] = [] + data['deny']['pivot_root'] = [] + data['allow']['unix'] = [] + data['deny']['unix'] = [] self.data = data diff --git a/utils/apparmor/regex.py b/utils/apparmor/regex.py index 438a5565f..326877350 100644 --- a/utils/apparmor/regex.py +++ b/utils/apparmor/regex.py 
@@ -131,7 +131,7 @@ def parse_profile_start_line(line, filename): result[section] = matches.group(section) # sections with optional quotes - if section in ['plainprofile', 'namedprofile', 'attachment', 'hat']: + if section in ('plainprofile', 'namedprofile', 'attachment', 'hat'): result[section] = strip_quotes(result[section]) else: result[section] = None diff --git a/utils/apparmor/rule/__init__.py b/utils/apparmor/rule/__init__.py index ee9d8c476..15d192b3c 100644 --- a/utils/apparmor/rule/__init__.py +++ b/utils/apparmor/rule/__init__.py @@ -501,7 +501,7 @@ def check_and_split_list(lst, allowed_keywords, all_obj, classname, keyword_name return None, True, None elif type_is_str(lst): result_list = {lst} - elif type(lst) in [list, tuple, set] and (len(lst) > 0 or allow_empty_list): + elif type(lst) in (list, tuple, set) and (len(lst) > 0 or allow_empty_list): result_list = set(lst) else: raise AppArmorBug('Passed unknown %(type)s object to %(classname)s: %(unknown_object)s' % diff --git a/utils/apparmor/rule/boolean.py b/utils/apparmor/rule/boolean.py index b85c9af6b..4d6052cc5 100644 --- a/utils/apparmor/rule/boolean.py +++ b/utils/apparmor/rule/boolean.py @@ -52,7 +52,7 @@ class BooleanRule(BaseRule): raise AppArmorException('Passed empty value to %s: %s' % (self.__class__.__name__, value)) value = value.lower() - if value not in ['true', 'false']: + if value not in ('true', 'false'): raise AppArmorException('Passed invalid value to %s: %s' % (self.__class__.__name__, value)) self.varname = varname diff --git a/utils/apparmor/rule/file.py b/utils/apparmor/rule/file.py index 2c1754af6..f00c9be39 100644 --- a/utils/apparmor/rule/file.py +++ b/utils/apparmor/rule/file.py @@ -78,7 +78,7 @@ class FileRule(BaseRule): if perms == {'subset'}: raise AppArmorBug('subset without link permissions given') - elif perms in [{'link'}, {'link', 'subset'}]: + elif perms in ({'link'}, {'link', 'subset'}): self.perms = perms self.all_perms = False else: 
@@ -492,7 +492,7 @@ class FileRuleset(BaseRuleset): allow = {} deny = {} - for who in ['all', 'owner']: + for who in ('all', 'owner'): if all_perms['allow'][who]: allow[who] = FileRule.ALL else: diff --git a/utils/apparmor/rule/rlimit.py b/utils/apparmor/rule/rlimit.py index 2a2f5cd7a..4af4cee23 100644 --- a/utils/apparmor/rule/rlimit.py +++ b/utils/apparmor/rule/rlimit.py @@ -177,23 +177,23 @@ class RlimitRule(BaseRule): if unit == '': unit = default_unit - if unit in ['us', 'microsecond', 'microseconds']: + if unit in ('us', 'microsecond', 'microseconds'): number = number / 1000000.0 if default_unit == 'seconds': raise AppArmorException(_('Invalid unit in rlimit cpu %s rule') % value) - elif unit in ['ms', 'millisecond', 'milliseconds']: + elif unit in ('ms', 'millisecond', 'milliseconds'): number = number / 1000.0 if default_unit == 'seconds': raise AppArmorException(_('Invalid unit in rlimit cpu %s rule') % value) - elif unit in ['s', 'sec', 'second', 'seconds']: # manpage doesn't list sec + elif unit in ('s', 'sec', 'second', 'seconds'): # manpage doesn't list sec pass - elif unit in ['min', 'minute', 'minutes']: + elif unit in ('min', 'minute', 'minutes'): number = number * 60 - elif unit in ['h', 'hour', 'hours']: + elif unit in ('h', 'hour', 'hours'): number = number * 60 * 60 - elif unit in ['d', 'day', 'days']: # manpage doesn't list 'd' + elif unit in ('d', 'day', 'days'): # manpage doesn't list 'd' number = number * 60 * 60 * 24 - elif unit in ['week', 'weeks']: + elif unit in ('week', 'weeks'): number = number * 60 * 60 * 24 * 7 else: raise AppArmorException('Unknown unit %s in rlimit %s %s' % (unit, self.rlimit, value)) diff --git a/utils/apparmor/rule/variable.py b/utils/apparmor/rule/variable.py index a785e149f..5c2c206e7 100644 --- a/utils/apparmor/rule/variable.py +++ b/utils/apparmor/rule/variable.py 
@@ -52,7 +52,7 @@ class VariableRule(BaseRule): if not type_is_str(mode): raise AppArmorBug('Passed unknown type for variable assignment mode to %s: %s' % (self.__class__.__name__, mode)) - if mode not in ['=', '+=']: + if mode not in ('=', '+='): raise AppArmorBug('Passed unknown variable assignment mode to %s: %s' % (self.__class__.__name__, mode)) if type(values) is not set: diff --git a/utils/apparmor/sandbox.py b/utils/apparmor/sandbox.py index 2297f7314..f30fdaaa3 100644 --- a/utils/apparmor/sandbox.py +++ b/utils/apparmor/sandbox.py @@ -137,13 +137,13 @@ def aa_exec(command, opt, environ={}, verify_rules=[]): debug("using '%s' template" % opt.template) # TODO: get rid of this if opt.withx: - rc, report = cmd(['pkexec', 'apparmor_parser', '-r', '%s' % tmp.name]) + rc, report = cmd(('pkexec', 'apparmor_parser', '-r', '%s' % tmp.name)) else: - rc, report = cmd(['sudo', 'apparmor_parser', '-r', tmp.name]) + rc, report = cmd(('sudo', 'apparmor_parser', '-r', tmp.name)) if rc != 0: raise AppArmorException("Could not load policy") - rc, report = cmd(['sudo', 'apparmor_parser', '-p', tmp.name]) + rc, report = cmd(('sudo', 'apparmor_parser', '-p', tmp.name)) if rc != 0: raise AppArmorException("Could not dump policy") @@ -185,8 +185,8 @@ class SandboxXserver(): # preserve our environment self.old_environ = dict() - for env in ['DISPLAY', 'XAUTHORITY', 'UBUNTU_MENUPROXY', - 'QT_X11_NO_NATIVE_MENUBAR', 'LIBOVERLAY_SCROLLBAR']: + for env in ('DISPLAY', 'XAUTHORITY', 'UBUNTU_MENUPROXY', + 'QT_X11_NO_NATIVE_MENUBAR', 'LIBOVERLAY_SCROLLBAR'): if env in os.environ: self.old_environ[env] = os.environ[env] @@ -243,7 +243,7 @@ class SandboxXserver(): # sandboxed applications tmp = ":%d" % i os.environ["DISPLAY"] = tmp - rc, report = cmd(['xset', '-q']) + rc, report = cmd(('xset', '-q')) if rc != 0 and 'Invalid MIT-MAGIC-COOKIE-1' not in report: display = tmp break 
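Review bot: In the `aa_exec` hunk of utils/apparmor/sandbox.py, both `raise AppArmorException(...)` lines after the privileged `apparmor_parser` calls discard `report`. A policy that fails to load under `sudo` or `pkexec` then gives the caller no parser diagnostics. Including the output, e.g. `raise AppArmorException("Could not load policy: %s" % report)`, makes such failures reviewable. The pkexec branch also still wraps the path as `'%s' % tmp.name` while the sudo branch passes `tmp.name` directly, and the two should match. The signature in the hunk header uses mutable defaults (`environ={}, verify_rules=[]`); whether the body mutates them is outside the hunk, but `verify_rules=()` would fit this commit's theme.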
@@ -271,7 +271,7 @@ class SandboxXserver(): old_lang = os.environ['LANG'] os.environ['LANG'] = 'C' - rc, report = cmd(['xhost']) + rc, report = cmd(('xhost',)) if old_lang: os.environ['LANG'] = old_lang @@ -289,22 +289,22 @@ class SandboxXserver(): # clean up the old one if os.path.exists(self.xauth): os.unlink(self.xauth) - rc, cookie = cmd(['mcookie']) + rc, cookie = cmd(('mcookie',)) if rc != 0: raise AppArmorException("Could not generate magic cookie") - rc, out = cmd(['xauth', '-f', self.xauth, \ + rc, out = cmd(('xauth', '-f', self.xauth, \ 'add', \ self.display, \ 'MIT-MAGIC-COOKIE-1', \ - cookie.strip()]) + cookie.strip())) if rc != 0: raise AppArmorException("Could not generate '%s'" % self.display) class SandboxXephyr(SandboxXserver): def start(self): - for e in ['Xephyr', 'matchbox-window-manager']: + for e in ('Xephyr', 'matchbox-window-manager'): debug("Searching for '%s'" % e) if which(e) is None: raise AppArmorException("Could not find '%s'" % e) @@ -376,7 +376,7 @@ class SandboxXpra(SandboxXserver): # Annoyingly, xpra doesn't clean up itself well if the application # failed for some reason. Try to account for that. - rc, report = cmd(['ps', 'auxww']) + rc, report = cmd(('ps', 'auxww')) for line in report.splitlines(): if '-for-Xpra-%s' % self.display in line: self.pids.append(int(line.split()[1])) @@ -585,7 +585,7 @@ EndSection os.environ['XAUTHORITY'] = self.xauth # This will clean out any dead sessions - cmd(['xpra', 'list']) + cmd(('xpra', 'list')) x_args = ['--no-daemon', #'--no-mmap', # for security? @@ -621,7 +621,7 @@ EndSection raise AppArmorException("Could not start xpra (try again with -d)") for i in range(self.timeout): # Up to self.timeout seconds to start - rc, out = cmd(['xpra', 'list']) + rc, out = cmd(('xpra', 'list')) if 'DEAD session at %s' % self.display in out: error("xpra session at '%s' died" % self.display, do_exit=False) 
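Review bot: In the `@@ -289,22` hunk of utils/apparmor/sandbox.py the MIT-MAGIC-COOKIE-1 value produced by `mcookie` is passed to `xauth` as a command-line argument (`cookie.strip()` inside the `cmd((...))` tuple). While xauth runs, the cookie is readable on systems where other local users can see process arguments. This predates the commit, but since the call is being rewritten it is worth feeding the `add` command on standard input instead (xauth accepts `source -` for that). That depends on the `cmd` helper, which is defined outside this diff, being able to pass input. The trailing backslashes inside the parenthesised tuple are also unnecessary and can be dropped, as the easyprof.py hunk of this commit already does.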
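Review bot: In the `@@ -376,7` hunk the stale-process scan uses a substring test, `'-for-Xpra-%s' % self.display in line`, so display `:1` also matches lines for `:10` or `:11`. Because `ps auxww` lists every user's processes, the PIDs appended to `self.pids` may include processes that do not belong to this session. What happens to `self.pids` is outside the hunk, but if they are later signalled the match should be anchored to a whole token, e.g. `any(tok.endswith('-for-Xpra-%s' % self.display) for tok in line.split())`. The `rc` returned by `cmd(('ps', 'auxww'))` is also never checked before `report` is parsed.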
@@ -663,7 +663,7 @@ EndSection # Make sure that a client has attached for i in range(self.timeout): # up to self.timeout seconds to attach time.sleep(1) - rc, out = cmd (['xpra', 'info', self.display]) + rc, out = cmd (('xpra', 'info', self.display)) search = 'clients=1' if search in out: debug("Client successfully attached!") diff --git a/utils/apparmor/tools.py b/utils/apparmor/tools.py index 7809f5ee6..5b82deb35 100644 --- a/utils/apparmor/tools.py +++ b/utils/apparmor/tools.py @@ -35,7 +35,7 @@ class aa_tools: self.silent = None self.do_reload = args.do_reload - if tool_name in ['audit']: + if tool_name == 'audit': self.remove = args.remove elif tool_name == 'autodep': self.force = args.force diff --git a/utils/apparmor/ui.py b/utils/apparmor/ui.py index a3a911236..278501246 100644 --- a/utils/apparmor/ui.py +++ b/utils/apparmor/ui.py @@ -129,7 +129,7 @@ def UI_YesNo(text, default): yeskey = get_translated_hotkey(yes).lower() nokey = get_translated_hotkey(no).lower() ans = 'XXXINVALIDXXX' - while ans not in ['y', 'n']: + while ans not in ('y', 'n'): if UI_mode == 'json': jsonout = {'dialog': 'yesno', 'text': text, 'default': default} write_json(jsonout) @@ -173,7 +173,7 @@ def UI_YesNoCancel(text, default): cancelkey = get_translated_hotkey(cancel).lower() ans = 'XXXINVALIDXXX' - while ans not in ['c', 'n', 'y']: + while ans not in ('c', 'n', 'y'): if UI_mode == 'json': jsonout = {'dialog': 'yesnocancel', 'text': text, 'default': default} write_json(jsonout) @@ -373,8 +373,8 @@ class PromptQuestion(object): helptext = None def __init__(self): - self.headers = list() - self.functions = list() + self.headers = [] + self.functions = [] self.selected = 0 def promptUser(self, params=''): @@ -400,7 +400,7 @@ class PromptQuestion(object): if helptext: functions.append('CMD_HELP') - menu_items = list() + menu_items = [] keys = dict() for cmd in functions: diff --git a/utils/python-tools-setup.py b/utils/python-tools-setup.py index 2cbde8fc1..80ae81bc3 100644 
--- a/utils/python-tools-setup.py +++ b/utils/python-tools-setup.py @@ -37,18 +37,18 @@ class Install(_install, object): prefix = self.root # Install scripts, configuration files and data - scripts = ['/usr/bin/aa-easyprof'] + scripts = ('/usr/bin/aa-easyprof',) self.mkpath(prefix + os.path.dirname(scripts[0])) for s in scripts: f = prefix + s self.copy_file(os.path.basename(s), f) - configs = ['easyprof/easyprof.conf'] + configs = ('easyprof/easyprof.conf',) self.mkpath(prefix + "/etc/apparmor") for c in configs: self.copy_file(c, os.path.join(prefix + "/etc/apparmor", os.path.basename(c))) - data = ['easyprof/templates', 'easyprof/policygroups'] + data = ('easyprof/templates', 'easyprof/policygroups') self.mkpath(prefix + "/usr/share/apparmor/easyprof") for d in data: self.copy_tree(d, os.path.join(prefix + "/usr/share/apparmor/easyprof", os.path.basename(d))) diff --git a/utils/test/common_test.py b/utils/test/common_test.py index f3d5c0113..3833575e5 100755 --- a/utils/test/common_test.py +++ b/utils/test/common_test.py @@ -52,7 +52,7 @@ class AATest(unittest.TestCase): self.createTmpdir() return write_file(self.tmpdir, file, contents) - tests = [] + tests = () tmpdir = None class AAParseTest(unittest.TestCase): diff --git a/utils/test/test-aa-decode.py b/utils/test/test-aa-decode.py index 96dfcfb48..1cd0011e9 100755 --- a/utils/test/test-aa-decode.py +++ b/utils/test/test-aa-decode.py @@ -43,7 +43,7 @@ def cmd(command, stdin=None): preexec_fn=subprocess_setup ) except OSError as e: - return [127, str(e)] + return 127, str(e) stdout, stderr = sp.communicate(input) @@ -54,7 +54,7 @@ def cmd(command, stdin=None): else: out = stdout - return [sp.returncode, out.decode('utf-8')] + return sp.returncode, out.decode('utf-8') def mkstemp_fill(contents, suffix='', prefix='tst-aadecode-', dir=None): 
@@ -82,22 +82,22 @@ class AADecodeTest(unittest.TestCase): '''Test --help argument''' expected = 0 - rc, report = cmd([aadecode_bin, "--help"]) + rc, report = cmd((aadecode_bin, "--help")) result = 'Got exit code %d, expected %d\n' % (rc, expected) self.assertEqual(expected, rc, result + report) - def _run_file_test(self, content, expected_list): + def _run_file_test(self, content, expected): '''test case helper function; takes log content and a list of expected strings as arguments''' - expected = 0 + expected_return_code = 0 (f, self.tmpfile) = mkstemp_fill(content) - rc, report = cmd([aadecode_bin], stdin=f) - result = 'Got exit code %d, expected %d\n' % (rc, expected) - self.assertEqual(expected, rc, result + report) - for expected_string in expected_list: + rc, report = cmd((aadecode_bin,), stdin=f) + result = 'Got exit code %d, expected %d\n' % (rc, expected_return_code) + self.assertEqual(expected_return_code, rc, result + report) + for expected_string in expected: result = 'could not find expected %s in output:\n' % (expected_string) self.assertIn(expected_string, report, result + report) f.close() @@ -109,7 +109,7 @@ class AADecodeTest(unittest.TestCase): expected_output = 'Decoded: /tmp/foo bar' test_code = '2F746D702F666F6F20626172' - rc, report = cmd([aadecode_bin, test_code]) + rc, report = cmd((aadecode_bin, test_code)) result = 'Got exit code %d, expected %d\n' % (rc, expected) self.assertEqual(expected, rc, result + report) result = 'Got output "%s", expected "%s"\n' % (report, expected_output) 
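Review bot: The docstring of `_run_file_test` in the `@@ -82` hunk still says the helper takes "a list of expected strings", but the parameter is now named `expected` and every caller in this patch passes a tuple. I would change it to `'''test case helper function; takes log content and an iterable of expected strings as arguments'''`. Separately, `f.close()` at the end is only reached when every assertion passes, so a failing test leaves the temp file handle open; registering `self.addCleanup(f.close)` right after `mkstemp_fill` would cover the failure path.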
@@ -123,14 +123,14 @@ class AADecodeTest(unittest.TestCase): '''type=AVC msg=audit(1348982151.183:2934): apparmor="DENIED" operation="open" parent=30751 profile="/usr/lib/firefox/firefox{,*[^s] [^h]}" name=2F746D702F666F6F20626172 pid=30833 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 ''' - self._run_file_test(content, [expected_string]) + self._run_file_test(content, (expected_string,)) def test_simple_multiline(self): '''test simple multiline decoding of the name argument''' - expected_strings = ['ses=4294967295 new ses=2762', + expected_strings = ('ses=4294967295 new ses=2762', 'name="/tmp/foo bar"', - 'name="/home/steve/tmp/my test file"'] + 'name="/home/steve/tmp/my test file"') content = \ ''' type=LOGIN msg=audit(1348980001.155:2925): login pid=17875 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2762 type=AVC msg=audit(1348982151.183:2934): apparmor="DENIED" operation="open" parent=30751 profile="/usr/lib/firefox/firefox{,*[^s] [^h]}" name=2F746D702F666F6F20626172 pid=30833 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 @@ -143,8 +143,8 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock" '''test simple decoding of the profile argument''' '''Example take from LP: #897957''' - expected_strings = ['name="/lib/x86_64-linux-gnu/libdl-2.13.so"', - 'profile="/test space"'] + expected_strings = ('name="/lib/x86_64-linux-gnu/libdl-2.13.so"', + 'profile="/test space"') content = \ '''[289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=2F74657374207370616365 name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ''' 
@@ -155,8 +155,8 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock" '''test simple decoding of name and profile argument''' '''Example take from LP: #897957''' - expected_strings = ['name="/home/steve/tmp/my test file"', - 'profile="/home/steve/tmp/my prog.sh"'] + expected_strings = ('name="/home/steve/tmp/my test file"', + 'profile="/home/steve/tmp/my prog.sh"') content = \ '''type=AVC msg=audit(1349805073.402:6857): apparmor="DENIED" operation="mknod" parent=5890 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 name=2F686F6D652F73746576652F746D702F6D7920746573742066696C65 pid=5891 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ''' @@ -166,7 +166,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock" def test_simple_embedded_carat(self): '''test simple decoding of embedded ^ in files''' - expected_strings = ['name="/home/steve/tmp/my test ^file"'] + expected_strings = ('name="/home/steve/tmp/my test ^file"',) content = \ '''type=AVC msg=audit(1349805073.402:6857): apparmor="DENIED" operation="mknod" parent=5890 profile="/usr/bin/test_profile" name=2F686F6D652F73746576652F746D702F6D792074657374205E66696C65 pid=5891 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ''' @@ -176,7 +176,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock" def test_simple_embedded_backslash_carat(self): '''test simple decoding of embedded \^ in files''' - expected_strings = ['name="/home/steve/tmp/my test \^file"'] + expected_strings = ('name="/home/steve/tmp/my test \^file"',) content = \ '''type=AVC msg=audit(1349805073.402:6857): apparmor="DENIED" operation="mknod" parent=5890 profile="/usr/bin/test_profile" name=2F686F6D652F73746576652F746D702F6D792074657374205C5E66696C65 pid=5891 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ''' 
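Review bot: The rewritten line `expected_strings = ('name="/home/steve/tmp/my test \^file"',)` in `test_simple_embedded_backslash_carat` (hunk `@@ -176`) keeps `\^` inside a normal string literal, which is an invalid escape sequence. It currently evaluates to a backslash followed by `^`, but Python reports it as a DeprecationWarning (SyntaxWarning from 3.12 on). A raw literal states the intent and keeps the value: `expected_strings = (r'name="/home/steve/tmp/my test \^file"',)`. The test's docstring two lines above contains the same `\^` and needs the `r` prefix as well.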
@@ -186,7 +186,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock" def test_simple_embedded_singlequote(self): '''test simple decoding of embedded \' in files''' - expected_strings = ['name="/home/steve/tmp/my test \'file"'] + expected_strings = ('name="/home/steve/tmp/my test \'file"',) content = \ '''type=AVC msg=audit(1349805073.402:6857): apparmor="DENIED" operation="mknod" parent=5890 profile="/usr/bin/test_profile" name=2F686F6D652F73746576652F746D702F6D792074657374202766696C65 pid=5891 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ''' @@ -196,8 +196,8 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock" def test_simple_encoded_nonpath_profiles(self): '''test simple decoding of nonpath profiles''' - expected_strings = ['name="/lib/x86_64-linux-gnu/libdl-2.13.so"', - 'profile="test space"'] + expected_strings = ('name="/lib/x86_64-linux-gnu/libdl-2.13.so"', + 'profile="test space"') content = \ '''[289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 ''' diff --git a/utils/test/test-aa-easyprof.py b/utils/test/test-aa-easyprof.py index dcab20097..23e5a2ffe 100755 --- a/utils/test/test-aa-easyprof.py +++ b/utils/test/test-aa-easyprof.py @@ -114,7 +114,7 @@ class T(unittest.TestCase): self.tmpdir = os.path.realpath(tempfile.mkdtemp(prefix='test-aa-easyprof')) # Copy everything into place - for d in ['easyprof/policygroups', 'easyprof/templates']: + for d in ('easyprof/policygroups', 'easyprof/templates'): shutil.copytree(os.path.join(topdir, d), os.path.join(self.tmpdir, os.path.basename(d))) 
@@ -196,7 +196,7 @@ TEMPLATES_DIR="%s/templates" os.mkdir(self.test_include_dir) os.mkdir(os.path.join(self.test_include_dir, "templates")) os.mkdir(os.path.join(self.test_include_dir, "policygroups")) - for d in ['policygroups', 'templates']: + for d in ('policygroups', 'templates'): for f in easyprof.get_directory_contents(os.path.join( self.tmpdir, d)): shutil.copy(f, os.path.join(self.test_include_dir, d, @@ -532,10 +532,7 @@ POLICYGROUPS_DIR="%s/templates" def test_templates_show(self): '''Test templates (show)''' - files = [] - for f in glob.glob("%s/templates/*" % self.tmpdir): - files.append(f) - + files = glob.glob("%s/templates/*" % self.tmpdir) for f in files: args = self.full_args args += ['--show-template', '--template', f] @@ -572,10 +569,7 @@ POLICYGROUPS_DIR="%s/templates" def test_templates_show_include(self): '''Test templates (show with --include-templates-dir)''' - files = [] - for f in glob.glob("%s/templates/*" % self.test_include_dir): - files.append(f) - + files = glob.glob("%s/templates/*" % self.test_include_dir) for f in files: args = self.full_args args += ['--show-template', @@ -610,10 +604,7 @@ POLICYGROUPS_DIR="%s/templates" def test_policygroups_show(self): '''Test policygroups (show)''' - files = [] - for f in glob.glob("%s/policygroups/*" % self.tmpdir): - files.append(f) - + files = glob.glob("%s/policygroups/*" % self.tmpdir) for f in files: args = self.full_args args += ['--show-policy-group', @@ -651,10 +642,7 @@ POLICYGROUPS_DIR="%s/templates" def test_policygroups_show_include(self): '''Test policygroups (show with --include-policy-groups-dir)''' - files = [] - for f in glob.glob("%s/policygroups/*" % self.test_include_dir): - files.append(f) - + files = glob.glob("%s/policygroups/*" % self.test_include_dir) for f in files: args = self.full_args args += ['--show-policy-group', 
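Review bot: In `test_templates_show` (hunk `@@ -532`) the loop body does `args = self.full_args` followed by `args += [...]`; assuming `full_args` is a plain list attribute set up outside this hunk, that extends the shared list in place, so each iteration carries the options of all previous files and the fixture is modified. The same pattern is in the three other `*_show*` hunks here and in `_manifest_conflicts` (`@@ -704`, `@@ -716`), where the "manifest first" case would then run with the "opt first" arguments still in front of it, so the second ordering is never tested on its own. Copying first fixes it: `args = list(self.full_args)`. The test bodies continue outside the hunks.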
@@ -689,7 +677,7 @@ POLICYGROUPS_DIR="%s/templates" f.write(contents) args = self.full_args - args.extend(['--manifest', self.manifest]) + args.extend(('--manifest', self.manifest)) easyprof.parse_args(args) def _manifest_conflicts(self, opt, value): @@ -704,7 +692,7 @@ POLICYGROUPS_DIR="%s/templates" # opt first args = self.full_args - args.extend([opt, value, '--manifest', self.manifest]) + args.extend((opt, value, '--manifest', self.manifest)) raised = False try: easyprof.parse_args(args, InterceptingOptionParser()) @@ -716,7 +704,7 @@ POLICYGROUPS_DIR="%s/templates" # manifest first args = self.full_args - args.extend(['--manifest', self.manifest, opt, value]) + args.extend(('--manifest', self.manifest, opt, value)) raised = False try: easyprof.parse_args(args, InterceptingOptionParser()) @@ -845,7 +833,7 @@ POLICYGROUPS_DIR="%s/templates" def test__is_safe(self): '''Test _is_safe()''' - bad = [ + bad = ( "/../../../../etc/passwd", "abstraction with spaces", "semicolon;bad", @@ -853,7 +841,7 @@ POLICYGROUPS_DIR="%s/templates" "foo/bar", "foo'bar", 'foo"bar', - ] + ) for s in bad: self.assertFalse(easyprof._is_safe(s), "'%s' should be bad" %s) @@ -870,7 +858,7 @@ POLICYGROUPS_DIR="%s/templates" p = self._gen_policy(template=template) - for s in [self.test_template, test_string]: + for s in (self.test_template, test_string): self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p)) def test_genpolicy_templates_system(self): @@ -936,11 +924,11 @@ POLICYGROUPS_DIR="%s/templates" def test_genpolicy_abstractions_bad(self): '''Test genpolicy (abstractions - bad values)''' - bad = [ + bad = ( "nonexistent", "/../../../../etc/passwd", "abstraction with spaces", - ] + ) for s in bad: try: self._gen_policy(extra_args=['--abstractions=%s' % s]) 
@@ -1077,7 +1065,7 @@ POLICYGROUPS_DIR="%s/templates" groups = self.test_policygroup p = self._gen_policy(extra_args=['--policy-groups=%s' % groups]) - for s in ['#include ', '#include ']: + for s in ('#include ', '#include '): self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p)) inv_s = '###POLICYGROUPS###' self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p)) @@ -1096,10 +1084,10 @@ POLICYGROUPS_DIR="%s/templates" groups = "%s,%s" % (self.test_policygroup, test_policygroup2) p = self._gen_policy(extra_args=['--policy-groups=%s' % groups]) - for s in ['#include ', + for s in ('#include ', '#include ', '#include ', - '#include ']: + '#include '): self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p)) inv_s = '###POLICYGROUPS###' self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p)) @@ -1543,7 +1531,7 @@ POLICYGROUPS_DIR="%s/templates" m.add_policygroups(groups) p = self._gen_manifest_policy(m) - for s in ['#include ', '#include ']: + for s in ('#include ', '#include '): self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p)) inv_s = '###POLICYGROUPS###' self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p)) @@ -1564,10 +1552,10 @@ POLICYGROUPS_DIR="%s/templates" m.add_policygroups(groups) p = self._gen_manifest_policy(m) - for s in ['#include ', + for s in ('#include ', '#include ', '#include ', - '#include ']: + '#include '): self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p)) inv_s = '###POLICYGROUPS###' self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p)) @@ -1685,7 +1673,7 @@ POLICYGROUPS_DIR="%s/templates" } }''' - for d in ['policygroups', 'templates']: + for d in ('policygroups', 'templates'): shutil.copytree(os.path.join(self.tmpdir, d), os.path.join(self.tmpdir, d, "somevendor/1.0")) 
@@ -1725,7 +1713,7 @@ POLICYGROUPS_DIR="%s/templates" } }''' - for d in ['policygroups', 'templates']: + for d in ('policygroups', 'templates'): shutil.copytree(os.path.join(self.tmpdir, d), os.path.join(self.tmpdir, d, "ubuntu/1.0")) @@ -1854,7 +1842,7 @@ POLICYGROUPS_DIR="%s/templates" } }''' - for d in ['policygroups', 'templates']: + for d in ('policygroups', 'templates'): shutil.copytree(os.path.join(self.tmpdir, d), os.path.join(self.tmpdir, d, "ubuntu/1.0")) @@ -2070,7 +2058,7 @@ POLICYGROUPS_DIR="%s/templates" def test_verify_manifest_profile_template_var_bad(self): '''Test verify_manifest (bad template_var)''' - for v in ['"VAR1": "f*o"', + for v in ('"VAR1": "f*o"', '"VAR2": "*foo"', '"VAR3": "fo*"', '"VAR4": "b{ar"', @@ -2079,7 +2067,7 @@ POLICYGROUPS_DIR="%s/templates" '"VAR7": "bar[0-9]"', '"VAR8": "b{ar"', '"VAR9": "foo/bar"' # this is valid, but potentially unsafe - ]: + ): m = '''{ "security": { "profiles": { @@ -2137,11 +2125,11 @@ POLICYGROUPS_DIR="%s/templates" def test_manifest_invalid4(self): '''Test invalid manifest (bad path in template var)''' - for v in ['"VAR1": "/tmp/../etc/passwd"', + for v in ('"VAR1": "/tmp/../etc/passwd"', '"VAR2": "./"', '"VAR3": "foo\"bar"', '"VAR4": "foo//bar"', - ]: + ): m = '''{ "security": { "profiles": { @@ -2213,7 +2201,7 @@ POLICYGROUPS_DIR="%s/templates" } } }''' % (policy_vendor, policy_version) - for d in ['policygroups', 'templates']: + for d in ('policygroups', 'templates'): shutil.copytree(os.path.join(self.tmpdir, d), os.path.join(self.tmpdir, d, policy_subdir)) @@ -2243,7 +2231,7 @@ POLICYGROUPS_DIR="%s/templates" policy_subdir = "%s/%s" % (policy_vendor, policy_version) # Create the directories - for d in ['policygroups', 'templates']: + for d in ('policygroups', 'templates'): shutil.copytree(os.path.join(self.tmpdir, d), os.path.join(self.tmpdir, d, policy_subdir)) diff --git a/utils/test/test-aa-notify.py b/utils/test/test-aa-notify.py index b41df88f1..8eb0dd9ae 100644 
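Review bot: In `test_manifest_invalid4` (hunk `@@ -2137`) the entry `'"VAR3": "foo\"bar"'` is a normal single-quoted literal, so `\"` collapses to a bare `"` and the manifest receives `"foo"bar"`, which is malformed JSON, not a template variable containing a quote. If the test only checks that the manifest is rejected (the assertion is outside the hunk), this case passes on the JSON parse error and never reaches the path validation it is meant to cover. Writing it as `'"VAR3": "foo\\"bar"'` keeps the backslash so that the decoded JSON value is `foo"bar`. The loop body continues outside the hunk.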
--- a/utils/test/test-aa-notify.py +++ b/utils/test/test-aa-notify.py @@ -48,7 +48,7 @@ def cmd(command): preexec_fn=subprocess_setup ) except OSError as e: - return [127, str(e)] + return 127, str(e) stdout, stderr = sp.communicate(input) @@ -59,7 +59,7 @@ def cmd(command): else: out = stdout - return [sp.returncode, out.decode('utf-8')] + return sp.returncode, out.decode('utf-8') class AANotifyTest(AATest): diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py index 821c58f25..20b3fcc60 100644 --- a/utils/test/test-aa.py +++ b/utils/test/test-aa.py 
@@ -79,24 +79,24 @@ class AaTest_check_for_apparmor(AaTestWithTempdir): self.assertEqual('%s/security/apparmor' % self.tmpdir, check_for_apparmor(filesystems, mounts)) class AATest_get_output(AATest): - tests = [ - (['./fake_ldd', '/AATest/lib64/libc-2.22.so'], (0, [' /AATest/lib64/ld-linux-x86-64.so.2 (0x0000556858473000)', ' linux-vdso.so.1 (0x00007ffe98912000)'] )), - (['./fake_ldd', '/tmp/aa-test-foo'], (0, [' not a dynamic executable'] )), - (['./fake_ldd', 'invalid'], (1, [] )), # stderr is not part of output - ] + tests = ( + (('./fake_ldd', '/AATest/lib64/libc-2.22.so'), (0, [' /AATest/lib64/ld-linux-x86-64.so.2 (0x0000556858473000)', ' linux-vdso.so.1 (0x00007ffe98912000)'] )), + (('./fake_ldd', '/tmp/aa-test-foo'), (0, [' not a dynamic executable'] )), + (('./fake_ldd', 'invalid'), (1, [] )), # stderr is not part of output + ) def _run_test(self, params, expected): self.assertEqual(get_output(params), expected) def test_get_output_nonexisting(self): with self.assertRaises(AppArmorException): - ret, output = get_output(['./_file_/_not_/_found_']) + ret, output = get_output(('./_file_/_not_/_found_',)) class AATest_get_reqs(AATest): - tests = [ + tests = ( ('/AATest/bin/bash', ['/AATest/lib64/libreadline.so.6', '/AATest/lib64/libtinfo.so.6', '/AATest/lib64/libdl.so.2', '/AATest/lib64/libc.so.6', '/AATest/lib64/ld-linux-x86-64.so.2']), ('/tmp/aa-test-foo', []), ('/AATest/sbin/ldconfig', []), # comes with $? == 1 - ] + ) def _run_test(self, params, expected): # for some reason, setting the ldd config option does not get 
@@ -110,12 +110,12 @@ class AATest_get_reqs(AATest): self.assertEqual(get_reqs(params), expected) class AaTest_create_new_profile(AATest): - tests = [ + tests = ( # file content filename expected interpreter expected abstraction (besides 'base') expected profiles (('#!/bin/bash\ntrue', 'script'), (u'/bin/bash', 'abstractions/bash', ['script'])), (('foo bar', 'fake_binary'), (None, None, ['fake_binary'])), (('hats expected', 'apache2'), (None, None, ['apache2', 'apache2//DEFAULT_URI', 'apache2//HANDLING_UNTRUSTED_INPUT'])), - ] + ) def _run_test(self, params, expected): apparmor.aa.cfg['settings']['ldd'] = './fake_ldd' # for some reason, setting the ldd config option does not get @@ -164,7 +164,7 @@ class AaTest_create_new_profile(AATest): self.assertEqual(profile[program]['inc_ie'].get_clean(), ['include ', '']) class AaTest_get_interpreter_and_abstraction(AATest): - tests = [ + tests = ( ('#!/bin/bash', ('/bin/bash', 'abstractions/bash')), ('#!/bin/dash', ('/bin/dash', 'abstractions/bash')), ('#!/bin/sh', ('/bin/sh', 'abstractions/bash')), @@ -182,7 +182,7 @@ class AaTest_get_interpreter_and_abstraction(AATest): ('#!/usr/bin/ruby1.9.1', ('/usr/bin/ruby1.9.1', 'abstractions/ruby')), ('#!/usr/bin/foobarbaz', ('/usr/bin/foobarbaz', None)), # we don't have an abstraction for "foobarbaz" ('foo', (None, None)), # no hashbang - not a script - ] + ) def _run_test(self, params, expected): exp_interpreter_path, exp_abstraction = expected 
@@ -406,13 +406,13 @@ class AaTest_change_profile_flags(AaTestWithTempdir): change_profile_flags('%s/file-not-found' % self.tmpdir, '/foo', 'audit', True) class AaTest_set_options_audit_mode(AATest): - tests = [ + tests = ( ((FileRule.parse('audit /foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,'] ), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']), ((FileRule.parse('audit /foo/bar r,'), ['/foo/bar r,', 'audit /foo/* r,', 'audit /** r,'] ), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,']), ((FileRule.parse('/foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,'] ), ['/foo/bar r,', '/foo/* r,', '/** r,']), ((FileRule.parse('/foo/bar r,'), ['audit /foo/bar r,', 'audit /foo/* r,', 'audit /** r,'] ), ['/foo/bar r,', '/foo/* r,', '/** r,']), ((FileRule.parse('audit /foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '#include ']), ['audit /foo/bar r,', 'audit /foo/* r,', '#include ']), - ] + ) def _run_test(self, params, expected): rule_obj, options = params @@ -420,13 +420,13 @@ class AaTest_set_options_audit_mode(AATest): self.assertEqual(new_options, expected) class AaTest_set_options_owner_mode(AATest): - tests = [ + tests = ( ((FileRule.parse('owner /foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,'] ), ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,']), ((FileRule.parse('owner /foo/bar r,'), ['/foo/bar r,', 'owner /foo/* r,', 'owner /** r,'] ), ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,']), ((FileRule.parse('/foo/bar r,'), ['/foo/bar r,', '/foo/* r,', '/** r,'] ), ['/foo/bar r,', '/foo/* r,', '/** r,']), ((FileRule.parse('/foo/bar r,'), ['owner /foo/bar r,', 'owner /foo/* r,', 'owner /** r,'] ), ['/foo/bar r,', '/foo/* r,', '/** r,']), ((FileRule.parse('audit owner /foo/bar r,'),['audit /foo/bar r,', 'audit /foo/* r,', '#include ']), ['audit owner /foo/bar r,', 'audit owner /foo/* r,', '#include ']), - ] + ) def _run_test(self, params, expected): rule_obj, options = params 
@@ -540,14 +540,14 @@ class AaTest_parse_profile_data(AATest): parse_profile_data(d.split(), 'somefile', False, False) class AaTest_get_file_perms_1(AATest): - tests = [ + tests = ( ('/usr/share/common-licenses/foo/bar', {'allow': {'all': set(), 'owner': {'w'} }, 'deny': {'all':set(), 'owner': set()}, 'paths': {'/usr/share/common-licenses/**'} }), ('/dev/null', {'allow': {'all': {'r', 'w', 'k'}, 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': {'/dev/null'} }), ('/foo/bar', {'allow': {'all': {'r', 'w'}, 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': {'/foo/bar'} }), # exec perms not included ('/no/thing', {'allow': {'all': set(), 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': set() }), ('/usr/lib/ispell/', {'allow': {'all': set(), 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': set() }), ('/usr/lib/aspell/*.so', {'allow': {'all': set(), 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': set() }), - ] + ) def _run_test(self, params, expected): self.createTmpdir() @@ -567,7 +567,7 @@ class AaTest_get_file_perms_1(AATest): self.assertEqual(perms, expected) class AaTest_get_file_perms_2(AATest): - tests = [ + tests = ( ('/usr/share/common-licenses/foo/bar', {'allow': {'all': {'r'}, 'owner': {'w'} }, 'deny': {'all':set(), 'owner': set()}, 'paths': {'/usr/share/common-licenses/**'} }), ('/usr/share/common-licenses/what/ever', {'allow': {'all': {'r'}, 'owner': {'w'} }, 'deny': {'all':set(), 'owner': set()}, 'paths': {'/usr/share/common-licenses/**', '/usr/share/common-licenses/what/ever'} }), ('/dev/null', {'allow': {'all': {'r', 'w', 'k'}, 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': {'/dev/null'} }), 
@@ -575,7 +575,7 @@ class AaTest_get_file_perms_2(AATest): ('/no/thing', {'allow': {'all': set(), 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': set() }), ('/usr/lib/ispell/', {'allow': {'all': {'r'}, 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': {'/usr/lib/ispell/', '/{usr/,}lib{,32,64}/**'} }), # from abstractions/enchant ('/usr/lib/aspell/*.so', {'allow': {'all': {'m', 'r'}, 'owner': set() }, 'deny': {'all':set(), 'owner': set()}, 'paths': {'/usr/lib/aspell/*', '/usr/lib/aspell/*.so', '/{usr/,}lib{,32,64}/**', '/{usr/,}lib{,32,64}/**.so*'} }), # from abstractions/aspell via abstractions/enchant and from abstractions/base - ] + ) def _run_test(self, params, expected): self.createTmpdir() 
@@ -605,15 +605,15 @@ class AaTest_get_file_perms_2(AATest): self.assertEqual(perms, expected) class AaTest_propose_file_rules(AATest): - tests = [ + tests = ( # log event path and perms expected proposals - (['/usr/share/common-licenses/foo/bar', 'w'], ['/usr/share/common*/foo/* rw,', '/usr/share/common-licenses/** rw,', '/usr/share/common-licenses/foo/bar rw,'] ), - (['/dev/null', 'wk'], ['/dev/null rwk,'] ), - (['/foo/bar', 'rw'], ['/foo/bar rw,'] ), - (['/usr/lib/ispell/', 'w'], ['/{usr/,}lib{,32,64}/** rw,', '/usr/lib/ispell/ rw,'] ), - (['/usr/lib/aspell/some.so', 'k'], ['/usr/lib/aspell/* mrk,', '/usr/lib/aspell/*.so mrk,', '/{usr/,}lib{,32,64}/** mrk,', '/{usr/,}lib{,32,64}/**.so* mrk,', '/usr/lib/aspell/some.so mrk,'] ), - (['/foo/log', 'w'], ['/foo/log w,'] ), - ] + (('/usr/share/common-licenses/foo/bar', 'w'), ['/usr/share/common*/foo/* rw,', '/usr/share/common-licenses/** rw,', '/usr/share/common-licenses/foo/bar rw,'] ), + (('/dev/null', 'wk'), ['/dev/null rwk,'] ), + (('/foo/bar', 'rw'), ['/foo/bar rw,'] ), + (('/usr/lib/ispell/', 'w'), ['/{usr/,}lib{,32,64}/** rw,', '/usr/lib/ispell/ rw,'] ), + (('/usr/lib/aspell/some.so', 'k'), ['/usr/lib/aspell/* mrk,', '/usr/lib/aspell/*.so mrk,', '/{usr/,}lib{,32,64}/** mrk,', '/{usr/,}lib{,32,64}/**.so* mrk,', '/usr/lib/aspell/some.so mrk,'] ), + (('/foo/log', 'w'), ['/foo/log w,'] ), + ) def _run_test(self, params, expected): self.createTmpdir() 
@@ -650,13 +650,13 @@ class AaTest_propose_file_rules(AATest): class AaTest_propose_file_rules_with_absolute_includes(AATest): - tests = [ + tests = ( # log event path and perms expected proposals - (['/not/found/anywhere', 'r'], ['/not/found/anywhere r,']), - (['/dev/null', 'w'], ['/dev/null rw,']), - (['/some/random/include', 'r'], ['/some/random/include rw,']), - (['/some/other/include', 'w'], ['/some/other/* rw,', '/some/other/inc* rw,', '/some/other/include rw,']), - ] + (('/not/found/anywhere', 'r'), ['/not/found/anywhere r,']), + (('/dev/null', 'w'), ['/dev/null rw,']), + (('/some/random/include', 'r'), ['/some/random/include rw,']), + (('/some/other/include', 'w'), ['/some/other/* rw,', '/some/other/inc* rw,', '/some/other/include rw,']), + ) def _run_test(self, params, expected): self.createTmpdir() @@ -690,21 +690,21 @@ class AaTest_propose_file_rules_with_absolute_includes(AATest): class AaTest_nonexistent_includes(AATest): - tests = [ + tests = ( ("/nonexistent/absolute/path", AppArmorException), ("nonexistent/relative/path", AppArmorBug), # load_include() only accepts absolute paths - ] + ) def _run_test(self, params, expected): with self.assertRaises(expected): apparmor.aa.load_include(params) class AaTest_merged_to_split(AATest): - tests = [ + tests = ( ("foo", ("foo", "foo")), ("foo//bar", ("foo", "bar")), ("foo//bar//baz", ("foo", "bar")), # XXX known limitation - ] + ) def _run_test(self, params, expected): merged = {} @@ -718,10 +718,10 @@ class AaTest_merged_to_split(AATest): self.assertTrue(result[profile][hat]) class AaTest_split_to_merged(AATest): - tests = [ + tests = ( (("foo", "foo"), "foo"), (("foo", "bar"), "foo//bar"), - ] + ) def _run_test(self, params, expected): old = {} diff --git a/utils/test/test-aare.py b/utils/test/test-aare.py index bc1f30f90..96af49822 100644 --- a/utils/test/test-aare.py +++ b/utils/test/test-aare.py 
@@ -19,7 +19,7 @@ from apparmor.common import convert_regexp, AppArmorBug, AppArmorException from apparmor.aare import AARE, convert_expression_to_aare class TestConvert_regexp(AATest): - tests = [ + tests = ( ('/foo', '^/foo$'), ('/{foo,bar}', '^/(foo|bar)$'), # ('/\{foo,bar}', '^/\{foo,bar}$'), # XXX gets converted to ^/\(foo|bar)$ @@ -31,13 +31,13 @@ class TestConvert_regexp(AATest): ('/fo?', '^/fo[^/\000]$'), ('/foo/*', '^/foo/(((?<=/)[^/\000]+)|((?,', exp('', 'abstractions/base', False, True )), # magic path ('abi , # comment', exp(' # comment', 'abstractions/base', False, True )), @@ -53,7 +53,7 @@ class AbiTestParse(AbiTest): ('abi "/foo/bar", # comment', exp(' # comment', '/foo/bar', False, False)), ('abi "/foo/bar",#comment', exp(' #comment', '/foo/bar', False, False)), (' abi "/foo/bar" , ', exp('', '/foo/bar', False, False)), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(AbiRule.match(rawrule)) @@ -62,12 +62,12 @@ class AbiTestParse(AbiTest): self._compare_obj(obj, expected) class AbiTestParseInvalid(AbiTest): - tests = [ + tests = ( # (' some abi ', AppArmorException), # (' /etc/fstab r,', AppArmorException), # ('/usr/abi r,', AppArmorException), # ('/abi r,', AppArmorException), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(AbiRule.match(rawrule)) # the above invalid rules still match the main regex! 
@@ -77,34 +77,34 @@ class AbiTestParseInvalid(AbiTest): # class AbiTestParseFromLog(AbiTest): # we'll never have log events for abi class AbiFromInit(AbiTest): - tests = [ + tests = ( # AbiRule object ifexists ismagic comment path ifexists ismagic (AbiRule('abi/4.19', False, False) , exp('', 'abi/4.19', False, False )), (AbiRule('foo', False, False) , exp('', 'foo', False, False )), (AbiRule('bar', False, True) , exp('', 'bar', False, True )), (AbiRule('comment', False, False, comment='# cmt') , exp('# cmt', 'comment', False, False )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidAbiInit(AATest): - tests = [ + tests = ( # init params expected exception - ([False, False, False ] , AppArmorBug), # wrong type for path - (['', False, False ] , AppArmorBug), # empty path - ([None, False, False ] , AppArmorBug), # wrong type for path -# ([' ', False, False ] , AppArmorBug), # whitespace-only path - (['foo', None, False ] , AppArmorBug), # wrong type for ifexists - (['foo', '', False ] , AppArmorBug), # wrong type for ifexists - (['foo', False, None ] , AppArmorBug), # wrong type for ismagic - (['foo', False, '' ] , AppArmorBug), # wrong type for ismagic - (['', True, False ] , AppArmorBug), # ifexists set - ] + ((False, False, False ) , AppArmorBug), # wrong type for path + (('', False, False ) , AppArmorBug), # empty path + ((None, False, False ) , AppArmorBug), # wrong type for path +# ((' ', False, False ) , AppArmorBug), # whitespace-only path + (('foo', None, False ) , AppArmorBug), # wrong type for ifexists + (('foo', '', False ) , AppArmorBug), # wrong type for ifexists + (('foo', False, None ) , AppArmorBug), # wrong type for ismagic + (('foo', False, '' ) , AppArmorBug), # wrong type for ismagic + (('', True, False ) , AppArmorBug), # ifexists set + ) def _run_test(self, params, expected): with self.assertRaises(expected): - AbiRule(params[0], params[1], params[2]) + AbiRule(*params) def test_missing_params_1(self): 
with self.assertRaises(TypeError): @@ -162,7 +162,7 @@ class WriteAbiTestAATest(AATest): self.assertEqual(expected.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule') - tests = [ + tests = ( # raw rule clean rule (' abi , ', 'abi ,' ), (' abi foo , ', 'abi "foo",' ), @@ -175,7 +175,7 @@ class WriteAbiTestAATest(AATest): (' abi "foo", # bar ', 'abi "foo", # bar' ), (' abi /foo, # bar ', 'abi "/foo", # bar' ), (' abi "/foo", # bar ', 'abi "/foo", # bar' ), - ] + ) def test_write_manually(self): obj = AbiRule('abs/foo', False, True, comment=' # cmt') @@ -202,24 +202,24 @@ class AbiCoveredTest(AATest): class AbiCoveredTest_01(AbiCoveredTest): rule = 'abi ,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('abi ,' , [ True , True , True , True ]), - ('abi "foo",' , [ False , False , False , False ]), - ('abi ,' , [ False , False , False , False ]), - ('abi "foo",' , [ False , False , False , False ]), - ] + ('abi ,' , ( True , True , True , True )), + ('abi "foo",' , ( False , False , False , False )), + ('abi ,' , ( False , False , False , False )), + ('abi "foo",' , ( False , False , False , False )), + ) class AbiCoveredTest_02(AbiCoveredTest): rule = 'abi "foo",' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('abi ,' , [ False , False , False , False ]), - ('abi "foo",' , [ True , True , True , True ]), - ('abi "foobar",' , [ False , False , False , False ]), - ('abi foo,' , [ True , False , True , True ]), - ] + ('abi ,' , ( False , False , False , False )), + ('abi "foo",' , ( True , True , True , True )), + ('abi "foobar",' , ( False , False , False , False )), + ('abi foo,' , ( True , False , True , True )), + ) #class AbiCoveredTest_Invalid(AATest): # def test_borked_obj_is_covered_1(self): 
@@ -266,10 +266,10 @@ class AbiCoveredTest_02(AbiCoveredTest): # obj.is_equal(testobj) class AbiLogprofHeaderTest(AATest): - tests = [ + tests = ( ('abi ,', [_('Abi'), 'abi ,', ]), ('abi "/foo/bar",', [_('Abi'), 'abi "/foo/bar",', ]), - ] + ) def _run_test(self, params, expected): obj = AbiRule.parse(params) @@ -289,10 +289,10 @@ class AbiRulesTest(AATest): def test_ruleset_1(self): ruleset = AbiRuleset() - rules = [ + rules = ( ' abi ,', ' abi "/bar", ', - ] + ) expected_raw = [ 'abi ,', diff --git a/utils/test/test-alias.py b/utils/test/test-alias.py index f9b6a3a99..75786d14a 100644 --- a/utils/test/test-alias.py +++ b/utils/test/test-alias.py @@ -23,8 +23,7 @@ from apparmor.common import AppArmorException, AppArmorBug from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['comment', - 'orig_path', 'target']) +exp = namedtuple('exp', ('comment', 'orig_path', 'target')) # --- tests for single AliasRule --- # @@ -40,12 +39,12 @@ class AliasTest(AATest): self.assertEqual(expected.comment, obj.comment) class AliasTestParse(AliasTest): - tests = [ + tests = ( # rawrule comment orig_path target ('alias /foo -> /bar,', exp('', '/foo', '/bar' )), (' alias /foo -> /bar , # comment', exp(' # comment', '/foo', '/bar' )), ('alias "/foo 2" -> "/bar 2" ,', exp('', '/foo 2', '/bar 2' )), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(AliasRule.match(rawrule)) @@ -54,14 +53,14 @@ class AliasTestParse(AliasTest): self._compare_obj(obj, expected) class AliasTestParseInvalid(AliasTest): - tests = [ + tests = ( # rawrule matches regex exception ('alias ,' , (False, AppArmorException)), ('alias /foo ,' , (False, AppArmorException)), ('alias /foo -> ,' , (True, AppArmorException)), ('alias -> /bar ,' , (True, AppArmorException)), ('/foo -> bar ,' , (False, AppArmorException)), - ] + ) def _run_test(self, rawrule, expected): self.assertEqual(AliasRule.match(rawrule), expected[0]) 
@@ -69,31 +68,31 @@ class AliasTestParseInvalid(AliasTest): AliasRule.parse(rawrule) class AliasFromInit(AliasTest): - tests = [ + tests = ( # AliasRule object comment orig_path target (AliasRule('/foo', '/bar'), exp('', '/foo', '/bar' )), (AliasRule('/foo', '/bar', comment='# cmt'), exp('# cmt', '/foo', '/bar' )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidAliasInit(AATest): - tests = [ + tests = ( # init params expected exception - ([None, '/bar' ], AppArmorBug), # orig_path not a str - (['', '/bar' ], AppArmorException), # empty orig_path - (['foo', '/bar' ], AppArmorException), # orig_path not starting with / + ((None, '/bar' ), AppArmorBug), # orig_path not a str + (('', '/bar' ), AppArmorException), # empty orig_path + (('foo', '/bar' ), AppArmorException), # orig_path not starting with / - (['/foo', None ], AppArmorBug), # target not a str - (['/foo', '' ], AppArmorException), # empty target - (['/foo', 'bar' ], AppArmorException), # target not starting with / - ] + (('/foo', None ), AppArmorBug), # target not a str + (('/foo', '' ), AppArmorException), # empty target + (('/foo', 'bar' ), AppArmorException), # target not starting with / + ) def _run_test(self, params, expected): with self.assertRaises(expected): - AliasRule(params[0], params[1]) + AliasRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): @@ -132,13 +131,13 @@ class InvalidAliasTest(AATest): class WriteAliasTestAATest(AATest): - tests = [ + tests = ( # raw rule clean rule (' alias /foo -> /bar, ', 'alias /foo -> /bar,'), (' alias /foo -> /bar, # comment', 'alias /foo -> /bar,'), (' alias "/foo" -> "/bar", ', 'alias /foo -> /bar,'), (' alias "/foo 2" -> "/bar 2", ', 'alias "/foo 2" -> "/bar 2",'), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(AliasRule.match(rawrule)) 
@@ -182,16 +181,16 @@ class AliasCoveredTest(AATest): class AliasCoveredTest_01(AliasCoveredTest): rule = 'alias /foo -> /bar,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - (' alias /foo -> /bar,' , [ True , True , True , True ]), - (' alias /foo -> /bar , ' , [ True , False , True , True ]), - (' alias /foo -> /bar, # comment' , [ True , False , True , True ]), - (' alias /foo -> /bar, # comment' , [ True , False , True , True ]), - (' alias /foo -> /asdf,' , [ False , False , False , False ]), - (' alias /whatever -> /bar,' , [ False , False , False , False ]), - (' alias /whatever -> /asdf,' , [ False , False , False , False ]), - ] + (' alias /foo -> /bar,' , ( True , True , True , True )), + (' alias /foo -> /bar , ' , ( True , False , True , True )), + (' alias /foo -> /bar, # comment' , ( True , False , True , True )), + (' alias /foo -> /bar, # comment' , ( True , False , True , True )), + (' alias /foo -> /asdf,' , ( False , False , False , False )), + (' alias /whatever -> /bar,' , ( False , False , False , False )), + (' alias /whatever -> /asdf,' , ( False , False , False , False )), + ) class AliasCoveredTest_Invalid(AATest): # def test_borked_obj_is_covered_1(self): @@ -228,9 +227,9 @@ class AliasCoveredTest_Invalid(AATest): obj.is_equal(testobj) class AliasLogprofHeaderTest(AATest): - tests = [ + tests = ( ('alias /foo -> /bar,', [_('Alias'), '/foo -> /bar' ]), - ] + ) def _run_test(self, params, expected): obj = AliasRule.parse(params) diff --git a/utils/test/test-boolean.py b/utils/test/test-boolean.py index 767500658..6b095cfdb 100644 --- a/utils/test/test-boolean.py +++ b/utils/test/test-boolean.py @@ -23,8 +23,7 @@ from apparmor.common import AppArmorException, AppArmorBug from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['comment', - 'varname', 'value']) +exp = namedtuple('exp', ('comment', 'varname', 'value')) # --- tests for single BooleanRule --- # 
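Review bot: In `AliasLogprofHeaderTest` the table holds a single row, so `tests` is a tuple of rows only because of the trailing comma after that row. If the comma is ever dropped, `tests` silently becomes the row itself (a string and a list) with no syntax error, a hazard the previous list literal did not have. How `AATest` consumes `tests` is not visible here, so the exact failure is inferred, but it would most likely show up as a confusing test error or a mis-shaped test case. I would keep a list for one-row tables, or add a comment on the row such as `# single row: the trailing comma keeps this a tuple of rows`. The same applies to `BooleanLogprofHeaderTest` in utils/test/test-boolean.py.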
@@ -40,7 +39,7 @@ class BooleanTest(AATest): self.assertEqual(expected.comment, obj.comment) class BooleanTestParse(BooleanTest): - tests = [ + tests = ( # rawrule comment varname value ('$foo=true', exp('', '$foo', 'true' )), ('$foo = false', exp('', '$foo', 'false' )), @@ -48,7 +47,7 @@ class BooleanTestParse(BooleanTest): ('$foo = FaLsE', exp('', '$foo', 'false' )), (' $foo = true ', exp('', '$foo', 'true' )), (' $foo = true # comment', exp(' # comment', '$foo', 'true' )), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(BooleanRule.match(rawrule)) @@ -57,7 +56,7 @@ class BooleanTestParse(BooleanTest): self._compare_obj(obj, expected) class BooleanTestParseInvalid(BooleanTest): - tests = [ + tests = ( # rawrule matches regex exception ('$foo =', (False, AppArmorException)), ('$ foo = # comment', (False, AppArmorException)), @@ -66,7 +65,7 @@ class BooleanTestParseInvalid(BooleanTest): # ('$foo = true,', (True, AppArmorException)), # trailing comma # ('$foo = false , ', (True, AppArmorException)), # trailing comma # ('$foo = true, # comment', (True, AppArmorException)), # trailing comma - ] + ) def _run_test(self, rawrule, expected): self.assertEqual(BooleanRule.match(rawrule), expected[0]) 
@@ -74,34 +73,34 @@ class BooleanTestParseInvalid(BooleanTest): BooleanRule.parse(rawrule) class BooleanFromInit(BooleanTest): -# tests = [ +# tests = ( # # BooleanRule object comment varname value # (BooleanRule('$foo', True, exp('', '$foo', True ))), # (BooleanRule('$foo', False, exp('', '$foo', False ))), # (BooleanRule('$foo', True, comment='# cmt'), exp('# cmt', '$foo', True ))), # (BooleanRule('$foo', False, comment='# cmt'), exp('# cmt', '$foo', False ))), -# ] +# ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidBooleanInit(AATest): - tests = [ + tests = ( # init params expected exception - ([None, True ], AppArmorBug), # varname not a str - (['', True ], AppArmorException), # empty varname - (['foo', True ], AppArmorException), # varname not starting with '$' - (['foo', True ], AppArmorException), # varname not starting with '$' + ((None, True ), AppArmorBug), # varname not a str + (('', True ), AppArmorException), # empty varname + (('foo', True ), AppArmorException), # varname not starting with '$' + (('foo', True ), AppArmorException), # varname not starting with '$' - (['$foo', None ], AppArmorBug), # value not a string - (['$foo', '' ], AppArmorException), # empty value - (['$foo', 'maybe' ], AppArmorException), # invalid value - ] + (('$foo', None ), AppArmorBug), # value not a string + (('$foo', '' ), AppArmorException), # empty value + (('$foo', 'maybe' ), AppArmorException), # invalid value + ) def _run_test(self, params, expected): with self.assertRaises(expected): - BooleanRule(params[0], params[1]) + BooleanRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): 
@@ -137,13 +136,13 @@ class InvalidBooleanTest(AATest): class WriteBooleanTestAATest(AATest): - tests = [ + tests = ( # raw rule clean rule (' $foo = true ', '$foo = true'), (' $foo = true # comment', '$foo = true'), (' $foo = false ', '$foo = false'), (' $foo = false # comment', '$foo = false'), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(BooleanRule.match(rawrule)) 
@@ -187,27 +186,27 @@ class BooleanCoveredTest(AATest): class BooleanCoveredTest_01(BooleanCoveredTest): rule = '$foo = true' - tests = [ + tests = ( # rule equal strict equal covered covered exact - (' $foo = true' , [ True , True , True , True ]), - (' $foo = TRUE' , [ True , False , True , True ]), # upper vs. lower case - (' $foo = true # comment' , [ True , False , True , True ]), - (' $foo = false' , [ False , False , False , False ]), - (' $foo = false # cmt' , [ False , False , False , False ]), - (' $bar = true' , [ False , False , False , False ]), # different variable name - ] + (' $foo = true' , ( True , True , True , True )), + (' $foo = TRUE' , ( True , False , True , True )), # upper vs. lower case + (' $foo = true # comment' , ( True , False , True , True )), + (' $foo = false' , ( False , False , False , False )), + (' $foo = false # cmt' , ( False , False , False , False )), + (' $bar = true' , ( False , False , False , False )), # different variable name + ) class BooleanCoveredTest_02(BooleanCoveredTest): rule = '$foo = false' - tests = [ + tests = ( # rule equal strict equal covered covered exact - (' $foo = false' , [ True , True , True , True ]), - (' $foo = false # comment' , [ True , False , True , True ]), - (' $foo = true' , [ False , False , False , False ]), - (' $foo = true # cmt' , [ False , False , False , False ]), - (' $bar = false' , [ False , False , False , False ]), # different variable name - ] + (' $foo = false' , ( True , True , True , True )), + (' $foo = false # comment' , ( True , False , True , True )), + (' $foo = true' , ( False , False , False , False )), + (' $foo = true # cmt' , ( False , False , False , False )), + (' $bar = false' , ( False , False , False , False )), # different variable name + ) class BooleanCoveredTest_Invalid(AATest): def test_borked_obj_is_covered_2(self): 
@@ -236,9 +235,9 @@ class BooleanCoveredTest_Invalid(AATest): obj.is_equal(testobj) class BooleanLogprofHeaderTest(AATest): - tests = [ + tests = ( ('$foo = true', [_('Boolean Variable'), '$foo = true' ]), - ] + ) def _run_test(self, params, expected): obj = BooleanRule.parse(params) diff --git a/utils/test/test-capability.py b/utils/test/test-capability.py index 23e2d7c79..e3ab64286 100644 --- a/utils/test/test-capability.py +++ b/utils/test/test-capability.py @@ -426,13 +426,13 @@ class CapabilityCoveredTest(AATest): self.assertTrue(self._is_covered(obj2, 'capability ptrace,')) class CapabiliySeverityTest(AATest): - tests = [ + tests = ( ('fsetid', 9), ('dac_read_search', 7), (['fsetid', 'dac_read_search'], 9), (CapabilityRule.ALL, 10), ('foo', 'unknown'), - ] + ) def _run_test(self, params, expected): sev_db = severity.Severity('../severity.db', 'unknown') obj = CapabilityRule(params) @@ -440,7 +440,7 @@ class CapabiliySeverityTest(AATest): self.assertEqual(rank, expected) class CapabilityLogprofHeaderTest(AATest): - tests = [ + tests = ( ('capability,', [ _('Capability'), _('ALL'), ]), ('capability chown,', [ _('Capability'), 'chown', ]), ('capability chown fsetid,', [ _('Capability'), 'chown fsetid', ]), @@ -448,7 +448,7 @@ class CapabilityLogprofHeaderTest(AATest): ('deny capability chown,', [_('Qualifier'), 'deny', _('Capability'), 'chown', ]), ('allow capability chown fsetid,', [_('Qualifier'), 'allow', _('Capability'), 'chown fsetid', ]), ('audit deny capability,', [_('Qualifier'), 'audit deny', _('Capability'), _('ALL'), ]), - ] + ) def _run_test(self, params, expected): obj = CapabilityRule.parse(params) diff --git a/utils/test/test-change_profile.py b/utils/test/test-change_profile.py index fb597b7d5..ff41e051a 100644 --- a/utils/test/test-change_profile.py +++ b/utils/test/test-change_profile.py 
@@ -24,8 +24,8 @@ from apparmor.logparser import ReadLog from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', - 'execmode', 'execcond', 'all_execconds', 'targetprofile', 'all_targetprofiles']) +exp = namedtuple('exp', ('audit', 'allow_keyword', 'deny', 'comment', + 'execmode', 'execcond', 'all_execconds', 'targetprofile', 'all_targetprofiles')) # --- tests for single ChangeProfileRule --- # @@ -42,7 +42,7 @@ class ChangeProfileTest(AATest): self.assertEqual(expected.comment, obj.comment) class ChangeProfileTestParse(ChangeProfileTest): - tests = [ + tests = ( # rawrule audit allow deny comment execmode execcond all? targetprof all? ('change_profile,' , exp(False, False, False, '' , None , None , True , None , True )), ('change_profile /foo,' , exp(False, False, False, '' , None , '/foo', False, None , True )), @@ -70,7 +70,7 @@ class ChangeProfileTestParse(ChangeProfileTest): ('audit allow change_profile /**,' , exp(True , True , False, '' , None , '/**' , False, None , True )), ('change_profile -> "ba r",' , exp(False, False, False, '' , None , None , True , 'ba r' , False)), ('audit allow change_profile -> "ba r",' , exp(True , True , False, '' , None , None , True , 'ba r' , False)), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(ChangeProfileRule.match(rawrule)) @@ -79,12 +79,12 @@ class ChangeProfileTestParse(ChangeProfileTest): self._compare_obj(obj, expected) class ChangeProfileTestParseInvalid(ChangeProfileTest): - tests = [ + tests = ( ('change_profile -> ,' , AppArmorException), ('change_profile foo -> ,' , AppArmorException), ('change_profile notsafe,' , AppArmorException), ('change_profile safety -> /bar,' , AppArmorException), - ] + ) def _run_test(self, rawrule, expected): self.assertFalse(ChangeProfileRule.match(rawrule)) 
@@ -136,7 +136,7 @@ class ChangeProfileTestParseFromLog(ChangeProfileTest): class ChangeProfileFromInit(ChangeProfileTest): - tests = [ + tests = ( # ChangeProfileRule object audit allow deny comment execmode execcond all? targetprof all? (ChangeProfileRule(None , '/foo', '/bar', deny=True) , exp(False, False, True , '' , None , '/foo', False, '/bar' , False)), (ChangeProfileRule(None , '/foo', '/bar') , exp(False, False, False, '' , None , '/foo', False, '/bar' , False)), 
@@ -146,30 +146,30 @@ class ChangeProfileFromInit(ChangeProfileTest): (ChangeProfileRule(None , ChangeProfileRule.ALL, '/bar') , exp(False, False, False, '' , None , None , True , '/bar' , False)), (ChangeProfileRule(None , ChangeProfileRule.ALL, ChangeProfileRule.ALL) , exp(False, False, False, '' , None, None , True , None , True )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidChangeProfileInit(AATest): - tests = [ + tests = ( # init params expected exception - ([None , '/foo', '' ] , AppArmorBug), # empty targetprofile - ([None , '' , '/bar' ] , AppArmorBug), # empty execcond - ([None , ' ', '/bar' ] , AppArmorBug), # whitespace execcond - ([None , '/foo', ' ' ] , AppArmorBug), # whitespace targetprofile - ([None , 'xyxy', '/bar' ] , AppArmorException), # invalid execcond - ([None , dict(), '/bar' ] , AppArmorBug), # wrong type for execcond - ([None , None , '/bar' ] , AppArmorBug), # wrong type for execcond - ([None , '/foo', dict() ] , AppArmorBug), # wrong type for targetprofile - ([None , '/foo', None ] , AppArmorBug), # wrong type for targetprofile - (['maybe' , '/foo', '/bar' ] , AppArmorBug), # invalid keyword for execmode - ] + ((None , '/foo', '' ) , AppArmorBug), # empty targetprofile + ((None , '' , '/bar' ) , AppArmorBug), # empty execcond + ((None , ' ', '/bar' ) , AppArmorBug), # whitespace execcond + ((None , '/foo', ' ' ) , AppArmorBug), # whitespace targetprofile + ((None , 'xyxy', '/bar' ) , AppArmorException), # invalid execcond + ((None , dict(), '/bar' ) , AppArmorBug), # wrong type for execcond + ((None , None , '/bar' ) , AppArmorBug), # wrong type for execcond + ((None , '/foo', dict() ) , AppArmorBug), # wrong type for targetprofile + ((None , '/foo', None ) , AppArmorBug), # wrong type for targetprofile + (('maybe' , '/foo', '/bar' ) , AppArmorBug), # invalid keyword for execmode + ) def _run_test(self, params, expected): with self.assertRaises(expected): - ChangeProfileRule(params[0], 
params[1], params[2]) + ChangeProfileRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): @@ -211,7 +211,7 @@ class InvalidChangeProfileTest(AATest): class WriteChangeProfileTestAATest(AATest): - tests = [ + tests = ( # raw rule clean rule (' change_profile , # foo ' , 'change_profile, # foo'), (' audit change_profile /foo,' , 'audit change_profile /foo,'), @@ -220,7 +220,7 @@ class WriteChangeProfileTestAATest(AATest): (' allow change_profile -> /bar ,# foo bar' , 'allow change_profile -> /bar, # foo bar'), (' allow change_profile unsafe /** -> /bar ,# foo bar' , 'allow change_profile unsafe /** -> /bar, # foo bar'), (' allow change_profile "/fo o" -> "/b ar",' , 'allow change_profile "/fo o" -> "/b ar",'), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(ChangeProfileRule.match(rawrule)) 
@@ -256,95 +256,95 @@ class ChangeProfileCoveredTest(AATest): class ChangeProfileCoveredTest_01(ChangeProfileCoveredTest): rule = 'change_profile /foo,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - (' change_profile,' , [ False , False , False , False ]), - (' change_profile /foo,' , [ True , True , True , True ]), - (' change_profile safe /foo,' , [ True , False , True , True ]), - (' change_profile unsafe /foo,' , [ False , False , False , False ]), - (' change_profile /foo, # comment', [ True , False , True , True ]), - (' allow change_profile /foo,' , [ True , False , True , True ]), - (' change_profile /foo,' , [ True , False , True , True ]), - (' change_profile /foo -> /bar,' , [ False , False , True , True ]), - (' change_profile /foo -> bar,' , [ False , False , True , True ]), - ('audit change_profile /foo,' , [ False , False , False , False ]), - ('audit change_profile,' , [ False , False , False , False ]), - (' change_profile /asdf,' , [ False , False , False , False ]), - (' change_profile -> /bar,' , [ False , False , False , False ]), - ('audit deny change_profile /foo,' , [ False , False , False , False ]), - (' deny change_profile /foo,' , [ False , False , False , False ]), - ] + (' change_profile,' , ( False , False , False , False )), + (' change_profile /foo,' , ( True , True , True , True )), + (' change_profile safe /foo,' , ( True , False , True , True )), + (' change_profile unsafe /foo,' , ( False , False , False , False )), + (' change_profile /foo, # comment', ( True , False , True , True )), + (' allow change_profile /foo,' , ( True , False , True , True )), + (' change_profile /foo,' , ( True , False , True , True )), + (' change_profile /foo -> /bar,' , ( False , False , True , True )), + (' change_profile /foo -> bar,' , ( False , False , True , True )), + ('audit change_profile /foo,' , ( False , False , False , False )), + ('audit change_profile,' , ( False , False , False , False )), + (' 
change_profile /asdf,' , ( False , False , False , False )), + (' change_profile -> /bar,' , ( False , False , False , False )), + ('audit deny change_profile /foo,' , ( False , False , False , False )), + (' deny change_profile /foo,' , ( False , False , False , False )), + ) class ChangeProfileCoveredTest_02(ChangeProfileCoveredTest): rule = 'audit change_profile /foo,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'change_profile /foo,' , [ False , False , True , False ]), - ('audit change_profile /foo,' , [ True , True , True , True ]), - ( 'change_profile /foo -> /bar,' , [ False , False , True , False ]), - ( 'change_profile safe /foo -> /bar,' , [ False , False , True , False ]), - ('audit change_profile /foo -> /bar,' , [ False , False , True , True ]), # XXX is "covered exact" correct here? - ( 'change_profile,' , [ False , False , False , False ]), - ('audit change_profile,' , [ False , False , False , False ]), - (' change_profile -> /bar,' , [ False , False , False , False ]), - ] + ( 'change_profile /foo,' , ( False , False , True , False )), + ('audit change_profile /foo,' , ( True , True , True , True )), + ( 'change_profile /foo -> /bar,' , ( False , False , True , False )), + ( 'change_profile safe /foo -> /bar,' , ( False , False , True , False )), + ('audit change_profile /foo -> /bar,' , ( False , False , True , True )), # XXX is "covered exact" correct here? 
+ ( 'change_profile,' , ( False , False , False , False )), + ('audit change_profile,' , ( False , False , False , False )), + (' change_profile -> /bar,' , ( False , False , False , False )), + ) class ChangeProfileCoveredTest_03(ChangeProfileCoveredTest): rule = 'change_profile /foo -> /bar,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'change_profile /foo -> /bar,' , [ True , True , True , True ]), - ('allow change_profile /foo -> /bar,' , [ True , False , True , True ]), - ( 'change_profile /foo,' , [ False , False , False , False ]), - ( 'change_profile,' , [ False , False , False , False ]), - ( 'change_profile /foo -> /xyz,' , [ False , False , False , False ]), - ('audit change_profile,' , [ False , False , False , False ]), - ('audit change_profile /foo -> /bar,' , [ False , False , False , False ]), - ( 'change_profile -> /bar,' , [ False , False , False , False ]), - ( 'change_profile,' , [ False , False , False , False ]), - ] + ( 'change_profile /foo -> /bar,' , ( True , True , True , True )), + ('allow change_profile /foo -> /bar,' , ( True , False , True , True )), + ( 'change_profile /foo,' , ( False , False , False , False )), + ( 'change_profile,' , ( False , False , False , False )), + ( 'change_profile /foo -> /xyz,' , ( False , False , False , False )), + ('audit change_profile,' , ( False , False , False , False )), + ('audit change_profile /foo -> /bar,' , ( False , False , False , False )), + ( 'change_profile -> /bar,' , ( False , False , False , False )), + ( 'change_profile,' , ( False , False , False , False )), + ) class ChangeProfileCoveredTest_04(ChangeProfileCoveredTest): rule = 'change_profile,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'change_profile,' , [ True , True , True , True ]), - ('allow change_profile,' , [ True , False , True , True ]), - ( 'change_profile /foo,' , [ False , False , True , True ]), - ( 'change_profile /xyz -> bar,' , [ False , False , True 
, True ]), - ( 'change_profile -> /bar,' , [ False , False , True , True ]), - ( 'change_profile /foo -> /bar,' , [ False , False , True , True ]), - ('audit change_profile,' , [ False , False , False , False ]), - ('deny change_profile,' , [ False , False , False , False ]), - ] + ( 'change_profile,' , ( True , True , True , True )), + ('allow change_profile,' , ( True , False , True , True )), + ( 'change_profile /foo,' , ( False , False , True , True )), + ( 'change_profile /xyz -> bar,' , ( False , False , True , True )), + ( 'change_profile -> /bar,' , ( False , False , True , True )), + ( 'change_profile /foo -> /bar,' , ( False , False , True , True )), + ('audit change_profile,' , ( False , False , False , False )), + ('deny change_profile,' , ( False , False , False , False )), + ) class ChangeProfileCoveredTest_05(ChangeProfileCoveredTest): rule = 'deny change_profile /foo,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'deny change_profile /foo,' , [ True , True , True , True ]), - ('audit deny change_profile /foo,' , [ False , False , False , False ]), - ( 'change_profile /foo,' , [ False , False , False , False ]), # XXX should covered be true here? - ( 'deny change_profile /bar,' , [ False , False , False , False ]), - ( 'deny change_profile,' , [ False , False , False , False ]), - ] + ( 'deny change_profile /foo,' , ( True , True , True , True )), + ('audit deny change_profile /foo,' , ( False , False , False , False )), + ( 'change_profile /foo,' , ( False , False , False , False )), # XXX should covered be true here? 
+ ( 'deny change_profile /bar,' , ( False , False , False , False )), + ( 'deny change_profile,' , ( False , False , False , False )), + ) class ChangeProfileCoveredTest_06(ChangeProfileCoveredTest): rule = 'change_profile safe /foo,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'deny change_profile /foo,' , [ False , False , False , False ]), - ('audit deny change_profile /foo,' , [ False , False , False , False ]), - ( 'change_profile /foo,' , [ True , False , True , True ]), - ( 'deny change_profile /bar,' , [ False , False , False , False ]), - ( 'deny change_profile,' , [ False , False , False , False ]), - ] + ( 'deny change_profile /foo,' , ( False , False , False , False )), + ('audit deny change_profile /foo,' , ( False , False , False , False )), + ( 'change_profile /foo,' , ( True , False , True , True )), + ( 'deny change_profile /bar,' , ( False , False , False , False )), + ( 'deny change_profile,' , ( False , False , False , False )), + ) class ChangeProfileCoveredTest_Invalid(AATest): def test_borked_obj_is_covered_1(self): 
@@ -382,16 +382,16 @@ class ChangeProfileCoveredTest_Invalid(AATest): obj.is_equal(testobj) class ChangeProfileLogprofHeaderTest(AATest): - tests = [ + tests = ( ('change_profile,', [ _('Exec Condition'), _('ALL'), _('Target Profile'), _('ALL'), ]), ('change_profile -> /bin/ping,', [ _('Exec Condition'), _('ALL'), _('Target Profile'), '/bin/ping',]), ('change_profile /bar -> /bin/bar,', [ _('Exec Condition'), '/bar', _('Target Profile'), '/bin/bar', ]), - ('change_profile safe /foo,', [ _('Exec Mode'), 'safe', _('Exec Condition'), '/foo', _('Target Profile'), _('ALL'), ]), + ('change_profile safe /foo,', [ _('Exec Mode'), 'safe', _('Exec Condition'), '/foo', _('Target Profile'), _('ALL'), ]), ('audit change_profile -> /bin/ping,', [_('Qualifier'), 'audit', _('Exec Condition'), _('ALL'), _('Target Profile'), '/bin/ping',]), ('deny change_profile /bar -> /bin/bar,', [_('Qualifier'), 'deny', _('Exec Condition'), '/bar', _('Target Profile'), '/bin/bar', ]), ('allow change_profile unsafe /foo,', [_('Qualifier'), 'allow', _('Exec Mode'), 'unsafe', _('Exec Condition'), '/foo', _('Target Profile'), _('ALL'), ]), ('audit deny change_profile,', [_('Qualifier'), 'audit deny', _('Exec Condition'), _('ALL'), _('Target Profile'), _('ALL'), ]), - ] + ) def _run_test(self, params, expected): obj = ChangeProfileRule.parse(params) @@ -410,10 +410,10 @@ class ChangeProfileRulesTest(AATest): def test_ruleset_1(self): ruleset = ChangeProfileRuleset() - rules = [ + rules = ( 'change_profile -> /bar,', 'change_profile /foo,', - ] + ) expected_raw = [ 'change_profile -> /bar,', @@ -435,11 +435,11 @@ class ChangeProfileRulesTest(AATest): def test_ruleset_2(self): ruleset = ChangeProfileRuleset() - rules = [ + rules = ( 'change_profile /foo -> /bar,', 'allow change_profile /asdf,', 'deny change_profile -> xy, # example comment', - ] + ) expected_raw = [ ' change_profile /foo -> /bar,', diff --git a/utils/test/test-common.py b/utils/test/test-common.py index 87ba853c9..54b5f5e64 100644 
--- a/utils/test/test-common.py +++ b/utils/test/test-common.py @@ -16,37 +16,37 @@ from apparmor.common import AppArmorBug from apparmor.common import type_is_str, split_name, combine_profname class TestIs_str_type(AATest): - tests = [ + tests = ( ('foo', True), (u'foo', True), (42, False), (True, False), ([], False), - ] + ) def _run_test(self, params, expected): self.assertEqual(type_is_str(params), expected) class AaTest_split_name(AATest): - tests = [ + tests = ( # full profile name expected parts ('foo', ('foo', 'foo')), ('foo//bar', ('foo', 'bar')), ('foo//bar//baz', ('foo', 'bar')), # XXX nested child profiles get cut off - ] + ) def _run_test(self, params, expected): self.assertEqual(split_name(params), expected) class AaTest_combine_profname(AATest): - tests = [ + tests = ( # name parts expected full profile name (['foo'], 'foo'), (['foo', 'bar'], 'foo//bar'), (['foo', 'bar', 'baz'], 'foo//bar//baz'), (['foo', 'bar', None], 'foo//bar'), (['foo', 'bar', 'baz', None], 'foo//bar//baz'), - ] + ) def _run_test(self, params, expected): self.assertEqual(combine_profname(params), expected) diff --git a/utils/test/test-config.py b/utils/test/test-config.py index eda323e36..e83fff3ce 100755 --- a/utils/test/test-config.py +++ b/utils/test/test-config.py @@ -38,7 +38,7 @@ class Test(unittest.TestCase): easyprof_Policygroup = './policygroups' easyprof_Templates = './templates' - self.assertEqual(sorted(list(conf[''].keys())), sorted(easyprof_sections)) + self.assertEqual(sorted(conf[''].keys()), easyprof_sections) self.assertEqual(conf['']['POLICYGROUPS_DIR'], easyprof_Policygroup) self.assertEqual(conf['']['TEMPLATES_DIR'], easyprof_Templates) diff --git a/utils/test/test-dbus.py b/utils/test/test-dbus.py index 1fd87ce61..cf577d2d1 100644 --- a/utils/test/test-dbus.py +++ b/utils/test/test-dbus.py 
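Review bot: The rewritten assertion in utils/test/test-config.py drops `sorted()` from the expected side as well as the redundant `list()`, so it now passes only if `easyprof_sections` is already a list in sorted order. Its definition lies above the hunk, so this may hold today, but the comparison has become order- and type-dependent; a tuple, for example, would no longer compare equal to the sorted list. Keeping `self.assertEqual(sorted(conf[''].keys()), sorted(easyprof_sections))` preserves the original order-independent check. The enclosing test method starts outside the hunk.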
@@ -24,8 +24,8 @@ from apparmor.logparser import ReadLog from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', - 'access', 'all_access', 'bus', 'all_buses', 'path', 'all_paths', 'name', 'all_names', 'interface', 'all_interfaces', 'member', 'all_members', 'peername', 'all_peernames', 'peerlabel', 'all_peerlabels']) +exp = namedtuple('exp', ('audit', 'allow_keyword', 'deny', 'comment', + 'access', 'all_access', 'bus', 'all_buses', 'path', 'all_paths', 'name', 'all_names', 'interface', 'all_interfaces', 'member', 'all_members', 'peername', 'all_peernames', 'peerlabel', 'all_peerlabels')) # --- tests for single DbusRule --- # @@ -61,7 +61,7 @@ class DbusTest(AATest): self.assertEqual(obj, expected) class DbusTestParse(DbusTest): - tests = [ + tests = ( # DbusRule object audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all? ('dbus,' , exp(False, False, False, '', None , True , None, True, None, True, None, True, None, True, None, True, None, True, None, True)), ('dbus ( ),' , exp(False, False, False, '', None , True , None, True, None, True, None, True, None, True, None, True, None, True, None, True)), 
@@ -93,7 +93,7 @@ class DbusTestParse(DbusTest): ('dbus bus=system path=/foo/bar bus=session,' , exp(False, False, False, '', None , True , 'session', False, '/foo/bar', False, None, True, None, True, None, True, None, True, None, True)), # XXX bus= specified twice, last one wins ('dbus send peer=(label="foo") bus=session,' , exp(False, False, False, '', {'send'}, False, 'session', False, None, True, None, True, None, True, None, True, None, True, 'foo', False)), ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6,' , exp(False, False, False, '', None , True , '6', False, None, True, None, True, None, True, None, True, None, True, None, True)), # XXX bus= specified multiple times, last one wins - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(DbusRule.match(rawrule)) @@ -102,7 +102,7 @@ class DbusTestParse(DbusTest): self._compare_obj(obj, expected) class DbusTestParseInvalid(DbusTest): - tests = [ + tests = ( ('dbus foo,' , AppArmorException), ('dbus foo bar,' , AppArmorException), ('dbus foo int,' , AppArmorException), @@ -114,7 +114,7 @@ class DbusTestParseInvalid(DbusTest): ('dbus peer=,' , AppArmorException), ('dbus bus=session bind bus=system,', AppArmorException), ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', AppArmorException), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(DbusRule.match(rawrule)) # the above invalid rules still match the main regex! 
@@ -170,7 +170,7 @@ class DbusTestParseFromLog(DbusTest): # self.assertEqual(obj.get_raw(1), ' dbus send bus=system path=/org/freedesktop/DBus name=org.freedesktop.DBus member=Hello peer=(name=unconfined),') class DbusFromInit(DbusTest): - tests = [ + tests = ( #DbusRule# access bus path name interface member peername peerlabel audit=, deny=, allow_keyword, comment=, log_event) (DbusRule( 'send' , 'session', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL), #exp# audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all? @@ -185,13 +185,13 @@ class DbusFromInit(DbusTest): (DbusRule(DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label'), #exp# audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all? exp( False, False, False, '', None , True , None, True, None, True, None, True, '/int/face',False, '/mem/ber', False, '/peer/name', False, '/peer/label', False)), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidDbusInit(AATest): - tests = [ + tests = ( # access bus path name interface member peername peerlabel expected exception # empty fields 
@@ -260,11 +260,11 @@ class InvalidDbusInit(AATest): ( (DbusRule.ALL, DbusRule.ALL, 'foo/bar', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL ), AppArmorException), # path doesn't start with / ( (('foo'), DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL ), AppArmorException), # invalid access keyword ( (('foo', 'send'), DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL ), AppArmorException), # valid + invalid access keyword - ] + ) def _run_test(self, params, expected): with self.assertRaises(expected): - DbusRule(params[0], params[1], params[2], params[3], params[4], params[5], params[6], params[7]) + DbusRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): @@ -377,7 +377,7 @@ class WriteDbusTest(AATest): self.assertEqual(expected.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule') - tests = [ + tests = ( # raw rule clean rule (' dbus , # foo ' , 'dbus, # foo'), (' audit dbus send,' , 'audit dbus send,'), @@ -403,7 +403,7 @@ class WriteDbusTest(AATest): ('dbus (send receive) peer=(name=/usr/bin/bar),' , 'dbus (receive send) peer=(name=/usr/bin/bar),'), ('dbus (, receive ,,, send ,) interface=/sbin/baz,' , 'dbus (receive send) interface=/sbin/baz,'), # XXX leading and trailing ',' inside (...) causes error # XXX add more complex rules - ] + ) def test_write_manually_1(self): # access bus path name interface member peername peerlabel expected exception 
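Review bot: `DbusRule(*params)` in InvalidDbusInit._run_test makes the row width implicit, where the indexed call passed exactly eight arguments. A row with a ninth element would now be bound silently to the constructor's next positional parameter (the table header in DbusFromInit suggests `audit`/`deny` follow, but the signature is not in this diff), and a short row raises TypeError instead of IndexError. A one-line guard before the `with` block keeps the table honest: `self.assertEqual(len(params), 8)`. The same applies to `FileRule(*params)` in InvalidFileInit in test-file.py, with a width of 7; both `tests` tables begin outside their hunks.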
@@ -440,251 +440,251 @@ class DbusCoveredTest(AATest): class DbusCoveredTest_01(DbusCoveredTest): rule = 'dbus send,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('dbus,' , [ False , False , False , False ]), - ('dbus send,' , [ True , True , True , True ]), - ('dbus send member=unconfined,' , [ False , False , True , True ]), - ('dbus send, # comment' , [ True , False , True , True ]), - ('allow dbus send,' , [ True , False , True , True ]), - ('dbus send,' , [ True , False , True , True ]), - ('dbus send bus=session,' , [ False , False , True , True ]), - ('dbus send member=(label=foo),' , [ False , False , True , True ]), - ('audit dbus send,' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('dbus receive,' , [ False , False , False , False ]), - ('dbus member=(label=foo),' , [ False , False , False , False ]), - ('audit deny dbus send,' , [ False , False , False , False ]), - ('deny dbus send,' , [ False , False , False , False ]), - ] + ('dbus,' , ( False , False , False , False )), + ('dbus send,' , ( True , True , True , True )), + ('dbus send member=unconfined,' , ( False , False , True , True )), + ('dbus send, # comment' , ( True , False , True , True )), + ('allow dbus send,' , ( True , False , True , True )), + ('dbus send,' , ( True , False , True , True )), + ('dbus send bus=session,' , ( False , False , True , True )), + ('dbus send member=(label=foo),' , ( False , False , True , True )), + ('audit dbus send,' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('dbus receive,' , ( False , False , False , False )), + ('dbus member=(label=foo),' , ( False , False , False , False )), + ('audit deny dbus send,' , ( False , False , False , False )), + ('deny dbus send,' , ( False , False , False , False )), + ) class DbusCoveredTest_02(DbusCoveredTest): rule = 'audit dbus send,' - tests = [ + tests = ( # rule equal strict equal covered 
covered exact - ( 'dbus send,' , [ False , False , True , False ]), - ('audit dbus send,' , [ True , True , True , True ]), - ( 'dbus send bus=session,' , [ False , False , True , False ]), - ('audit dbus send bus=session,' , [ False , False , True , True ]), - ( 'dbus,' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('dbus receive,' , [ False , False , False , False ]), - ] + ( 'dbus send,' , ( False , False , True , False )), + ('audit dbus send,' , ( True , True , True , True )), + ( 'dbus send bus=session,' , ( False , False , True , False )), + ('audit dbus send bus=session,' , ( False , False , True , True )), + ( 'dbus,' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('dbus receive,' , ( False , False , False , False )), + ) class DbusCoveredTest_03(DbusCoveredTest): rule = 'dbus send bus=session,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'dbus send bus=session,' , [ True , True , True , True ]), - ('allow dbus send bus=session,' , [ True , False , True , True ]), - ( 'dbus send,' , [ False , False , False , False ]), - ( 'dbus,' , [ False , False , False , False ]), - ( 'dbus send member=(label=foo),' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('audit dbus send bus=session,' , [ False , False , False , False ]), - ('audit dbus bus=session,' , [ False , False , False , False ]), - ( 'dbus send,' , [ False , False , False , False ]), - ( 'dbus,' , [ False , False , False , False ]), - ] + ( 'dbus send bus=session,' , ( True , True , True , True )), + ('allow dbus send bus=session,' , ( True , False , True , True )), + ( 'dbus send,' , ( False , False , False , False )), + ( 'dbus,' , ( False , False , False , False )), + ( 'dbus send member=(label=foo),' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('audit dbus send bus=session,' 
, ( False , False , False , False )), + ('audit dbus bus=session,' , ( False , False , False , False )), + ( 'dbus send,' , ( False , False , False , False )), + ( 'dbus,' , ( False , False , False , False )), + ) class DbusCoveredTest_04(DbusCoveredTest): rule = 'dbus,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'dbus,' , [ True , True , True , True ]), - ('allow dbus,' , [ True , False , True , True ]), - ( 'dbus send,' , [ False , False , True , True ]), - ( 'dbus receive bus=session,' , [ False , False , True , True ]), - ( 'dbus member=(label=foo),' , [ False , False , True , True ]), - ( 'dbus send bus=session,' , [ False , False , True , True ]), - ('audit dbus,' , [ False , False , False , False ]), - ('deny dbus,' , [ False , False , False , False ]), - ] + ( 'dbus,' , ( True , True , True , True )), + ('allow dbus,' , ( True , False , True , True )), + ( 'dbus send,' , ( False , False , True , True )), + ( 'dbus receive bus=session,' , ( False , False , True , True )), + ( 'dbus member=(label=foo),' , ( False , False , True , True )), + ( 'dbus send bus=session,' , ( False , False , True , True )), + ('audit dbus,' , ( False , False , False , False )), + ('deny dbus,' , ( False , False , False , False )), + ) class DbusCoveredTest_05(DbusCoveredTest): rule = 'deny dbus send,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'deny dbus send,' , [ True , True , True , True ]), - ('audit deny dbus send,' , [ False , False , False , False ]), - ( 'dbus send,' , [ False , False , False , False ]), # XXX should covered be true here? - ( 'deny dbus receive,' , [ False , False , False , False ]), - ( 'deny dbus,' , [ False , False , False , False ]), - ] + ( 'deny dbus send,' , ( True , True , True , True )), + ('audit deny dbus send,' , ( False , False , False , False )), + ( 'dbus send,' , ( False , False , False , False )), # XXX should covered be true here? 
+ ( 'deny dbus receive,' , ( False , False , False , False )), + ( 'deny dbus,' , ( False , False , False , False )), + ) class DbusCoveredTest_06(DbusCoveredTest): rule = 'dbus send peer=(name=unconfined),' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('dbus,' , [ False , False , False , False ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send peer=(name=unconfined),' , [ True , True , True , True ]), - ('dbus peer=(name=unconfined),' , [ False , False , False , False ]), - ('dbus send, # comment' , [ False , False , False , False ]), - ('allow dbus send,' , [ False , False , False , False ]), - ('allow dbus send peer=(name=unconfined),' , [ True , False , True , True ]), - ('allow dbus send peer=(name=/foo/bar),' , [ False , False , False , False ]), - ('allow dbus send peer=(name=/**),' , [ False , False , False , False ]), - ('allow dbus send peer=(name=**),' , [ False , False , False , False ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send peer=(name=unconfined),' , [ True , False , True , True ]), - ('dbus send bus=session,' , [ False , False , False , False ]), - ('dbus send peer=(name=unconfined label=foo),' , [ False , False , True , True ]), - ('audit dbus send peer=(name=unconfined),' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('dbus receive,' , [ False , False , False , False ]), - ('dbus peer=(label=foo),' , [ False , False , False , False ]), - ('audit deny dbus send,' , [ False , False , False , False ]), - ('deny dbus send,' , [ False , False , False , False ]), - ] + ('dbus,' , ( False , False , False , False )), + ('dbus send,' , ( False , False , False , False )), + ('dbus send peer=(name=unconfined),' , ( True , True , True , True )), + ('dbus peer=(name=unconfined),' , ( False , False , False , False )), + ('dbus send, # comment' , ( False , False , False , False )), + ('allow dbus send,' , ( False , False , False , False 
)), + ('allow dbus send peer=(name=unconfined),' , ( True , False , True , True )), + ('allow dbus send peer=(name=/foo/bar),' , ( False , False , False , False )), + ('allow dbus send peer=(name=/**),' , ( False , False , False , False )), + ('allow dbus send peer=(name=**),' , ( False , False , False , False )), + ('dbus send,' , ( False , False , False , False )), + ('dbus send peer=(name=unconfined),' , ( True , False , True , True )), + ('dbus send bus=session,' , ( False , False , False , False )), + ('dbus send peer=(name=unconfined label=foo),' , ( False , False , True , True )), + ('audit dbus send peer=(name=unconfined),' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('dbus receive,' , ( False , False , False , False )), + ('dbus peer=(label=foo),' , ( False , False , False , False )), + ('audit deny dbus send,' , ( False , False , False , False )), + ('deny dbus send,' , ( False , False , False , False )), + ) class DbusCoveredTest_07(DbusCoveredTest): rule = 'dbus send peer=(label=unconfined),' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('dbus,' , [ False , False , False , False ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send peer=(label=unconfined),' , [ True , True , True , True ]), - ('dbus peer=(label=unconfined),' , [ False , False , False , False ]), - ('dbus send, # comment' , [ False , False , False , False ]), - ('allow dbus send,' , [ False , False , False , False ]), - ('allow dbus send peer=(label=unconfined),' , [ True , False , True , True ]), - ('allow dbus send peer=(label=/foo/bar),' , [ False , False , False , False ]), - ('allow dbus send peer=(label=/**),' , [ False , False , False , False ]), - ('allow dbus send peer=(label=**),' , [ False , False , False , False ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send peer=(label=unconfined),' , [ True , False , True , True ]), - ('dbus send bus=session,' , [ False 
, False , False , False ]), - ('dbus send peer=(label=unconfined name=foo),' , [ False , False , True , True ]), - ('audit dbus send peer=(label=unconfined),' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('dbus receive,' , [ False , False , False , False ]), - ('dbus peer=(label=foo),' , [ False , False , False , False ]), - ('audit deny dbus send,' , [ False , False , False , False ]), - ('deny dbus send,' , [ False , False , False , False ]), - ] + ('dbus,' , ( False , False , False , False )), + ('dbus send,' , ( False , False , False , False )), + ('dbus send peer=(label=unconfined),' , ( True , True , True , True )), + ('dbus peer=(label=unconfined),' , ( False , False , False , False )), + ('dbus send, # comment' , ( False , False , False , False )), + ('allow dbus send,' , ( False , False , False , False )), + ('allow dbus send peer=(label=unconfined),' , ( True , False , True , True )), + ('allow dbus send peer=(label=/foo/bar),' , ( False , False , False , False )), + ('allow dbus send peer=(label=/**),' , ( False , False , False , False )), + ('allow dbus send peer=(label=**),' , ( False , False , False , False )), + ('dbus send,' , ( False , False , False , False )), + ('dbus send peer=(label=unconfined),' , ( True , False , True , True )), + ('dbus send bus=session,' , ( False , False , False , False )), + ('dbus send peer=(label=unconfined name=foo),' , ( False , False , True , True )), + ('audit dbus send peer=(label=unconfined),' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('dbus receive,' , ( False , False , False , False )), + ('dbus peer=(label=foo),' , ( False , False , False , False )), + ('audit deny dbus send,' , ( False , False , False , False )), + ('deny dbus send,' , ( False , False , False , False )), + ) class DbusCoveredTest_08(DbusCoveredTest): rule = 'dbus send path=/foo/bar,' - tests = [ + tests = ( # rule equal strict equal covered 
covered exact - ('dbus,' , [ False , False , False , False ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send path=/foo/bar,' , [ True , True , True , True ]), - ('dbus send path=/foo/*,' , [ False , False , False , False ]), - ('dbus send path=/**,' , [ False , False , False , False ]), - ('dbus send path=/what/*,' , [ False , False , False , False ]), - ('dbus path=/foo/bar,' , [ False , False , False , False ]), - ('dbus send, # comment' , [ False , False , False , False ]), - ('allow dbus send,' , [ False , False , False , False ]), - ('allow dbus send path=/foo/bar,' , [ True , False , True , True ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send path=/foo/bar,' , [ True , False , True , True ]), - ('dbus send path=/what/ever,' , [ False , False , False , False ]), - ('dbus send bus=session,' , [ False , False , False , False ]), - ('dbus send path=/foo/bar peer=(label=foo),' , [ False , False , True , True ]), - ('audit dbus send path=/foo/bar,' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('dbus receive,' , [ False , False , False , False ]), - ('dbus peer=(label=foo),' , [ False , False , False , False ]), - ('audit deny dbus send,' , [ False , False , False , False ]), - ('deny dbus send,' , [ False , False , False , False ]), - ] + ('dbus,' , ( False , False , False , False )), + ('dbus send,' , ( False , False , False , False )), + ('dbus send path=/foo/bar,' , ( True , True , True , True )), + ('dbus send path=/foo/*,' , ( False , False , False , False )), + ('dbus send path=/**,' , ( False , False , False , False )), + ('dbus send path=/what/*,' , ( False , False , False , False )), + ('dbus path=/foo/bar,' , ( False , False , False , False )), + ('dbus send, # comment' , ( False , False , False , False )), + ('allow dbus send,' , ( False , False , False , False )), + ('allow dbus send path=/foo/bar,' , ( True , False , True , True )), + ('dbus send,' , ( False 
, False , False , False )), + ('dbus send path=/foo/bar,' , ( True , False , True , True )), + ('dbus send path=/what/ever,' , ( False , False , False , False )), + ('dbus send bus=session,' , ( False , False , False , False )), + ('dbus send path=/foo/bar peer=(label=foo),' , ( False , False , True , True )), + ('audit dbus send path=/foo/bar,' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('dbus receive,' , ( False , False , False , False )), + ('dbus peer=(label=foo),' , ( False , False , False , False )), + ('audit deny dbus send,' , ( False , False , False , False )), + ('deny dbus send,' , ( False , False , False , False )), + ) class DbusCoveredTest_09(DbusCoveredTest): rule = 'dbus send member=**,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('dbus,' , [ False , False , False , False ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send member=/foo/bar,' , [ False , False , True , True ]), - ('dbus send member=/foo/*,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare() - ('dbus send member=/**,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare() - ('dbus send member=/what/*,' , [ False , False , False , False ]), # TODO: wildcard vs. 
wildcard never matches in is_covered_aare() - ('dbus member=/foo/bar,' , [ False , False , False , False ]), - ('dbus send, # comment' , [ False , False , False , False ]), - ('allow dbus send,' , [ False , False , False , False ]), - ('allow dbus send member=/foo/bar,' , [ False , False , True , True ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send member=/foo/bar,' , [ False , False , True , True ]), - ('dbus send member=/what/ever,' , [ False , False , True , True ]), - ('dbus send bus=session,' , [ False , False , False , False ]), - ('dbus send member=/foo/bar peer=(label=foo),' , [ False , False , True , True ]), - ('audit dbus send member=/foo/bar,' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('dbus receive,' , [ False , False , False , False ]), - ('dbus member=(label=foo),' , [ False , False , False , False ]), - ('audit deny dbus send,' , [ False , False , False , False ]), - ('deny dbus send,' , [ False , False , False , False ]), - ] + ('dbus,' , ( False , False , False , False )), + ('dbus send,' , ( False , False , False , False )), + ('dbus send member=/foo/bar,' , ( False , False , True , True )), + ('dbus send member=/foo/*,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare() + ('dbus send member=/**,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare() + ('dbus send member=/what/*,' , ( False , False , False , False )), # TODO: wildcard vs. 
wildcard never matches in is_covered_aare() + ('dbus member=/foo/bar,' , ( False , False , False , False )), + ('dbus send, # comment' , ( False , False , False , False )), + ('allow dbus send,' , ( False , False , False , False )), + ('allow dbus send member=/foo/bar,' , ( False , False , True , True )), + ('dbus send,' , ( False , False , False , False )), + ('dbus send member=/foo/bar,' , ( False , False , True , True )), + ('dbus send member=/what/ever,' , ( False , False , True , True )), + ('dbus send bus=session,' , ( False , False , False , False )), + ('dbus send member=/foo/bar peer=(label=foo),' , ( False , False , True , True )), + ('audit dbus send member=/foo/bar,' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('dbus receive,' , ( False , False , False , False )), + ('dbus member=(label=foo),' , ( False , False , False , False )), + ('audit deny dbus send,' , ( False , False , False , False )), + ('deny dbus send,' , ( False , False , False , False )), + ) class DbusCoveredTest_10(DbusCoveredTest): rule = 'dbus (send, receive) interface=foo,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('dbus,' , [ False , False , False , False ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send interface=foo,' , [ False , False , True , True ]), - ('dbus receive bus=session interface=foo,' , [ False , False , True , True ]), - ('dbus (receive,send) interface=foo,' , [ True , False , True , True ]), - ('dbus (receive,send),' , [ False , False , False , False ]), - ('dbus send bus=session,' , [ False , False , False , False ]), - ('dbus send member=/foo/bar,' , [ False , False , False , False ]), - ('dbus send member=/foo/*,' , [ False , False , False , False ]), - ('dbus send member=/**,' , [ False , False , False , False ]), - ('dbus send member=/what/*,' , [ False , False , False , False ]), - ('dbus member=/foo/bar,' , [ False , False , False , False ]), - ('dbus 
send, # comment' , [ False , False , False , False ]), - ('allow dbus send,' , [ False , False , False , False ]), - ('allow dbus send member=/foo/bar,' , [ False , False , False , False ]), - ('dbus send,' , [ False , False , False , False ]), - ('dbus send member=/foo/bar,' , [ False , False , False , False ]), - ('dbus send member=/what/ever,' , [ False , False , False , False ]), - ('dbus send bus=session,' , [ False , False , False , False ]), - ('dbus send bus=session interface=foo,' , [ False , False , True , True ]), - ('dbus send member=/foo/bar peer=(label=foo),' , [ False , False , False , False ]), - ('audit dbus send member=/foo/bar,' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('dbus receive,' , [ False , False , False , False ]), - ('dbus peer=(label=foo),' , [ False , False , False , False ]), - ('audit deny dbus send,' , [ False , False , False , False ]), - ('deny dbus send,' , [ False , False , False , False ]), - ] + ('dbus,' , ( False , False , False , False )), + ('dbus send,' , ( False , False , False , False )), + ('dbus send interface=foo,' , ( False , False , True , True )), + ('dbus receive bus=session interface=foo,' , ( False , False , True , True )), + ('dbus (receive,send) interface=foo,' , ( True , False , True , True )), + ('dbus (receive,send),' , ( False , False , False , False )), + ('dbus send bus=session,' , ( False , False , False , False )), + ('dbus send member=/foo/bar,' , ( False , False , False , False )), + ('dbus send member=/foo/*,' , ( False , False , False , False )), + ('dbus send member=/**,' , ( False , False , False , False )), + ('dbus send member=/what/*,' , ( False , False , False , False )), + ('dbus member=/foo/bar,' , ( False , False , False , False )), + ('dbus send, # comment' , ( False , False , False , False )), + ('allow dbus send,' , ( False , False , False , False )), + ('allow dbus send member=/foo/bar,' , ( False , False , False , False )), + 
('dbus send,' , ( False , False , False , False )), + ('dbus send member=/foo/bar,' , ( False , False , False , False )), + ('dbus send member=/what/ever,' , ( False , False , False , False )), + ('dbus send bus=session,' , ( False , False , False , False )), + ('dbus send bus=session interface=foo,' , ( False , False , True , True )), + ('dbus send member=/foo/bar peer=(label=foo),' , ( False , False , False , False )), + ('audit dbus send member=/foo/bar,' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('dbus receive,' , ( False , False , False , False )), + ('dbus peer=(label=foo),' , ( False , False , False , False )), + ('audit deny dbus send,' , ( False , False , False , False )), + ('deny dbus send,' , ( False , False , False , False )), + ) class DbusCoveredTest_11(DbusCoveredTest): rule = 'dbus name=/foo/bar,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('dbus,' , [ False , False , False , False ]), - ('dbus name=/foo/bar,' , [ True , True , True , True ]), - ('dbus name=/foo/*,' , [ False , False , False , False ]), - ('dbus name=/**,' , [ False , False , False , False ]), - ('dbus name=/what/*,' , [ False , False , False , False ]), - ('dbus, # comment' , [ False , False , False , False ]), - ('allow dbus,' , [ False , False , False , False ]), - ('allow dbus name=/foo/bar,' , [ True , False , True , True ]), - ('dbus ,' , [ False , False , False , False ]), - ('dbus name=/foo/bar,' , [ True , False , True , True ]), - ('dbus name=/what/ever,' , [ False , False , False , False ]), - ('dbus bus=session,' , [ False , False , False , False ]), - ('dbus name=/foo/bar peer=(label=foo),' , [ False , False , True , True ]), - ('audit dbus name=/foo/bar,' , [ False , False , False , False ]), - ('audit dbus,' , [ False , False , False , False ]), - ('dbus receive,' , [ False , False , False , False ]), - ('dbus peer=(label=foo),' , [ False , False , False , False ]), - ('audit deny 
dbus,' , [ False , False , False , False ]), - ('deny dbus,' , [ False , False , False , False ]), - ] + ('dbus,' , ( False , False , False , False )), + ('dbus name=/foo/bar,' , ( True , True , True , True )), + ('dbus name=/foo/*,' , ( False , False , False , False )), + ('dbus name=/**,' , ( False , False , False , False )), + ('dbus name=/what/*,' , ( False , False , False , False )), + ('dbus, # comment' , ( False , False , False , False )), + ('allow dbus,' , ( False , False , False , False )), + ('allow dbus name=/foo/bar,' , ( True , False , True , True )), + ('dbus ,' , ( False , False , False , False )), + ('dbus name=/foo/bar,' , ( True , False , True , True )), + ('dbus name=/what/ever,' , ( False , False , False , False )), + ('dbus bus=session,' , ( False , False , False , False )), + ('dbus name=/foo/bar peer=(label=foo),' , ( False , False , True , True )), + ('audit dbus name=/foo/bar,' , ( False , False , False , False )), + ('audit dbus,' , ( False , False , False , False )), + ('dbus receive,' , ( False , False , False , False )), + ('dbus peer=(label=foo),' , ( False , False , False , False )), + ('audit deny dbus,' , ( False , False , False , False )), + ('deny dbus,' , ( False , False , False , False )), + ) 
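Review bot: Several rows in DbusCoveredTest_01, _03, _04 and _09 are spelled `member=(label=foo)`, while the corresponding rows in _06 to _08, _10 and _11 use `peer=(label=foo)`. As written they appear to test a member literally named `(label=foo)` rather than a peer label, so peer-label coverage against those base rules may not be exercised at all. Since this hunk rewrites every one of those rows anyway, it is the natural place to correct them, e.g. `('dbus send peer=(label=foo),', (False, False, True, True)),`, after confirming the expected flags still hold. Whether the original spelling was deliberate cannot be told from the hunk.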
@@ -764,7 +764,7 @@ class DbusCoveredTest_Invalid(AATest): obj.is_equal(testobj) class DbusLogprofHeaderTest(AATest): - tests = [ + tests = ( ('dbus,', [ _('Access mode'), _('ALL'), _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), ('dbus (send receive),', [ _('Access mode'), 'receive send', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), ('dbus send bus=session,', [ _('Access mode'), 'send', _('Bus'), 'session', _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), @@ -776,7 +776,7 @@ class DbusLogprofHeaderTest(AATest): ('dbus send bus=session path=/path interface=aa.test member=ExMbr peer=(name=(peer.name)),', [ _('Access mode'), 'send', _('Bus'), 'session', _('Path'), '/path', _('Name'), _('ALL'), _('Interface'), 'aa.test', _('Member'), 'ExMbr', _('Peer name'), 'peer.name',_('Peer label'), _('ALL')]), ('dbus send peer=(label=foo),', [ _('Access mode'), 'send', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), 'foo' ]), - ] + ) def _run_test(self, params, expected): obj = DbusRule.parse(params) diff --git a/utils/test/test-example.py b/utils/test/test-example.py index 84b28c964..997ed993d 100644 --- a/utils/test/test-example.py +++ b/utils/test/test-example.py 
@@ -14,20 +14,20 @@ from common_test import AATest, setup_all_loops # , setup_aa # import apparmor.aa as aa # see the setup_aa() call for details class TestFoo(AATest): - tests = [ + tests = ( (0, 0 ), (42, 42), - ] + ) def _run_test(self, params, expected): self.assertEqual(params, expected) class TestBar(AATest): - tests = [ + tests = ( ('a', 'foo'), ('b', 'bar'), ('c', 'baz'), - ] + ) def _run_test(self, params, expected): self.assertNotEqual(params, expected) diff --git a/utils/test/test-file.py b/utils/test/test-file.py index 3061d41f8..74494aacf 100644 --- a/utils/test/test-file.py +++ b/utils/test/test-file.py @@ -25,8 +25,8 @@ from apparmor.logparser import ReadLog from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', - 'path', 'all_paths', 'perms', 'all_perms', 'exec_perms', 'target', 'all_targets', 'owner', 'file_keyword', 'leading_perms']) +exp = namedtuple('exp', ('audit', 'allow_keyword', 'deny', 'comment', + 'path', 'all_paths', 'perms', 'all_perms', 'exec_perms', 'target', 'all_targets', 'owner', 'file_keyword', 'leading_perms')) # --- tests for single FileRule --- # @@ -57,7 +57,7 @@ class FileTest(AATest): self.assertEqual(obj, expected) class FileTestParse(FileTest): - tests = [ + tests = ( # FileRule object audit allow deny comment path all_paths perms all? exec_perms target all? owner file keyword leading perms # bare file rules @@ -96,7 +96,7 @@ class FileTestParse(FileTest): # link rules ('link /foo -> /bar,' , exp(False, False, False, '', '/foo', False, {'link'}, False, None, '/bar', False, False, False, True )), ('link subset /foo -> /bar,' , exp(False, False, False, '', '/foo', False, {'link', 'subset'}, False, None, '/bar', False, False, False, True )), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(FileRule.match(rawrule)) 
@@ -105,7 +105,7 @@ class FileTestParse(FileTest): self._compare_obj(obj, expected) class FileTestParseInvalid(FileTest): - tests = [ + tests = ( ('/foo x,' , AppArmorException), # should be *x ('/foo raw,' , AppArmorException), # r and a conflict ('deny /foo ix,' , AppArmorException), # endy only allows x, but not *x @@ -117,7 +117,7 @@ class FileTestParseInvalid(FileTest): ('/foo PxUx,' , AppArmorException), # exec mode conflict ('/foo PUxPix,' , AppArmorException), # exec mode conflict ('/foo Pi,' , AppArmorException), # missing 'x' - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(FileRule.match(rawrule)) # the above invalid rules still match the main regex! @@ -125,7 +125,7 @@ class FileTestParseInvalid(FileTest): FileRule.parse(rawrule) class FileTestNonMatch(AATest): - tests = [ + tests = ( ('file /foo,' , False ), ('file rw,' , False ), ('file -> bar,' , False ), @@ -136,7 +136,7 @@ class FileTestNonMatch(AATest): ('link -> /bar,' , False ), # missing path ('/foo -> bar link,', False ), # link has to be leading keyword ('link,' , False ), # link isn't available as bare keyword - ] + ) def _run_test(self, rawrule, expected): self.assertFalse(FileRule.match(rawrule)) @@ -187,7 +187,7 @@ class FileTestParseFromLog(FileTest): # TODO: add logparser example for link event class FileFromInit(FileTest): - tests = [ + tests = ( #FileRule# path, perms, exec_perms, target, owner, file_keyword, leading_perms (FileRule( '/foo', 'rw', None, FileRule.ALL, False, False, False, audit=True, deny=True ), 
@@ -204,13 +204,13 @@ class FileFromInit(FileTest): #exp# audit allow deny comment path all_paths perms all? exec_perms target all? owner file keyword leading perms exp( True, False, True, '', '/foo', False, {'link', 'subset'}, False, None, '/bar', False, False, False, True )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidFileInit(AATest): - tests = [ + tests = ( #FileRule# path, perms, exec_perms, target, owner, file_keyword, leading_perms # empty fields @@ -263,11 +263,11 @@ class InvalidFileInit(AATest): ( ( '/foo', {'subset'}, None, '/bar', False, False, False, ), AppArmorBug), # subset without link ( ( '/foo', {'link'}, 'ix', '/bar', False, False, False, ), AppArmorBug), # link rule with exec perms ( ( '/foo', {'link', 'subset'}, 'ix', '/bar', False, False, False, ), AppArmorBug), # link subset rule with exec perms - ] + ) def _run_test(self, params, expected): with self.assertRaises(expected): - FileRule(params[0], params[1], params[2], params[3], params[4], params[5], params[6]) + FileRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): @@ -362,7 +362,7 @@ class FileGlobTest(AATest): # These tests are meant to ensure AARE integration in FileRule works as expected. # test-aare.py has more comprehensive globbing tests. - tests = [ + tests = ( # rule can glob can glob_ext globbed rule globbed_ext rule ('/foo/bar r,', (True, True, '/foo/* r,', '/foo/bar r,')), ('/foo/* r,', (True, True, '/** r,', '/foo/* r,')), @@ -370,7 +370,7 @@ class FileGlobTest(AATest): ('/foo/*.xy r,', (True, True, '/foo/* r,', '/**.xy r,')), ('file,', (False, False, 'file,', 'file,')), # bare 'file,' rules can't be globbed ('link /a/b -> /c,', (True, True, 'link /a/* -> /c,', 'link /a/b -> /c,')), - ] + ) class WriteFileTest(AATest): def _run_test(self, rawrule, expected): 
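Review bot: `FileRule(*params)` in `InvalidFileInit._run_test` no longer pins the call to exactly seven positional arguments. A row with an extra element used to have it ignored; now it is forwarded to whatever parameter follows `leading_perms`, and `assertRaises(expected)` could then pass for a reason the row was not written to test. Checking the arity first keeps each negative case honest, e.g. `self.assertEqual(len(params), 7)` placed above the `with`. The same applies to `get_rules_for_path(*params)` in FileGetRulesForPath and to `get_perms_for_path(*params)` in FileGetPermsForPath_1 and FileGetPermsForPath_2, where the expected length is three. The tables are only partly visible in these hunks, so whether any current row is affected cannot be confirmed from here.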
@@ -382,7 +382,7 @@ class WriteFileTest(AATest): self.assertEqual(expected.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule') - tests = [ + tests = ( # raw rule clean rule ('file,' , 'file,'), (' file , # foo ' , 'file, # foo'), @@ -417,7 +417,7 @@ class WriteFileTest(AATest): (' link /foo -> /bar,' , 'link /foo -> /bar,'), (' audit deny owner link subset /foo -> /bar,' , 'audit deny owner link subset /foo -> /bar,'), (' link subset /foo -> /bar,' , 'link subset /foo -> /bar,') - ] + ) def test_write_manually_1(self): #FileRule# path, perms, exec_perms, target, owner, file_keyword, leading_perms 
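Review bot: The last row of the `WriteFileTest` table, `(' link subset /foo -> /bar,' , 'link subset /foo -> /bar,')`, has no trailing comma. That was harmless inside `[...]` but matters inside `(...)`: if the table is ever reduced to that single row, `tests` becomes the row itself, a 2-tuple of strings, and the loop that consumes it would presumably iterate over the two strings instead of one (rawrule, expected) pair. Ending the row with `),` as the other tables in this commit do removes that trap.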
@@ -458,212 +458,212 @@ class FileCoveredTest(AATest): class FileCoveredTest_01(FileCoveredTest): rule = 'file /foo r,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('file /foo r,' , [ True , True , True , True ]), - ('file /foo r ,' , [ True , False , True , True ]), - ('allow file /foo r,' , [ True , False , True , True ]), - ('allow /foo r, # comment' , [ True , False , True , True ]), - ('allow owner /foo r,' , [ False , False , True , True ]), - ('/foo r -> bar,' , [ False , False , True , True ]), - ('file r /foo,' , [ True , False , True , True ]), - ('allow file r /foo,' , [ True , False , True , True ]), - ('allow r /foo, # comment' , [ True , False , True , True ]), - ('allow owner r /foo,' , [ False , False , True , True ]), - ('r /foo -> bar,' , [ False , False , True , True ]), - ('file,' , [ False , False , False , False ]), - ('file /foo w,' , [ False , False , False , False ]), - ('file /foo rw,' , [ False , False , False , False ]), - ('file /bar r,' , [ False , False , False , False ]), - ('audit /foo r,' , [ False , False , False , False ]), - ('audit file,' , [ False , False , False , False ]), - ('audit deny /foo r,' , [ False , False , False , False ]), - ('deny file /foo r,' , [ False , False , False , False ]), - ('/foo rPx,' , [ False , False , False , False ]), - ('/foo Pxr,' , [ False , False , False , False ]), - ('/foo Px,' , [ False , False , False , False ]), - ('/foo ix,' , [ False , False , False , False ]), - ('/foo ix -> bar,' , [ False , False , False , False ]), - ('/foo rPx -> bar,' , [ False , False , False , False ]), - ] + ('file /foo r,' , ( True , True , True , True )), + ('file /foo r ,' , ( True , False , True , True )), + ('allow file /foo r,' , ( True , False , True , True )), + ('allow /foo r, # comment' , ( True , False , True , True )), + ('allow owner /foo r,' , ( False , False , True , True )), + ('/foo r -> bar,' , ( False , False , True , True )), + ('file r /foo,' , ( True , False , 
True , True )), + ('allow file r /foo,' , ( True , False , True , True )), + ('allow r /foo, # comment' , ( True , False , True , True )), + ('allow owner r /foo,' , ( False , False , True , True )), + ('r /foo -> bar,' , ( False , False , True , True )), + ('file,' , ( False , False , False , False )), + ('file /foo w,' , ( False , False , False , False )), + ('file /foo rw,' , ( False , False , False , False )), + ('file /bar r,' , ( False , False , False , False )), + ('audit /foo r,' , ( False , False , False , False )), + ('audit file,' , ( False , False , False , False )), + ('audit deny /foo r,' , ( False , False , False , False )), + ('deny file /foo r,' , ( False , False , False , False )), + ('/foo rPx,' , ( False , False , False , False )), + ('/foo Pxr,' , ( False , False , False , False )), + ('/foo Px,' , ( False , False , False , False )), + ('/foo ix,' , ( False , False , False , False )), + ('/foo ix -> bar,' , ( False , False , False , False )), + ('/foo rPx -> bar,' , ( False , False , False , False )), + ) class FileCoveredTest_02(FileCoveredTest): rule = 'audit /foo r,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('file /foo r,' , [ False , False , True , False ]), - ('allow file /foo r,' , [ False , False , True , False ]), - ('allow /foo r, # comment' , [ False , False , True , False ]), - ('allow owner /foo r,' , [ False , False , True , False ]), - ('/foo r -> bar,' , [ False , False , True , False ]), - ('file r /foo,' , [ False , False , True , False ]), - ('allow file r /foo,' , [ False , False , True , False ]), - ('allow r /foo, # comment' , [ False , False , True , False ]), - ('allow owner r /foo,' , [ False , False , True , False ]), - ('r /foo -> bar,' , [ False , False , True , False ]), # XXX exact - ('file,' , [ False , False , False , False ]), - ('file /foo w,' , [ False , False , False , False ]), - ('file /foo rw,' , [ False , False , False , False ]), - ('file /bar r,' , [ False , False , False 
, False ]), - ('audit /foo r,' , [ True , True , True , True ]), - ('audit file,' , [ False , False , False , False ]), - ('audit deny /foo r,' , [ False , False , False , False ]), - ('deny file /foo r,' , [ False , False , False , False ]), - ('/foo rPx,' , [ False , False , False , False ]), - ('/foo Pxr,' , [ False , False , False , False ]), - ('/foo Px,' , [ False , False , False , False ]), - ('/foo ix,' , [ False , False , False , False ]), - ('/foo ix -> bar,' , [ False , False , False , False ]), - ('/foo rPx -> bar,' , [ False , False , False , False ]), - ] + ('file /foo r,' , ( False , False , True , False )), + ('allow file /foo r,' , ( False , False , True , False )), + ('allow /foo r, # comment' , ( False , False , True , False )), + ('allow owner /foo r,' , ( False , False , True , False )), + ('/foo r -> bar,' , ( False , False , True , False )), + ('file r /foo,' , ( False , False , True , False )), + ('allow file r /foo,' , ( False , False , True , False )), + ('allow r /foo, # comment' , ( False , False , True , False )), + ('allow owner r /foo,' , ( False , False , True , False )), + ('r /foo -> bar,' , ( False , False , True , False )), # XXX exact + ('file,' , ( False , False , False , False )), + ('file /foo w,' , ( False , False , False , False )), + ('file /foo rw,' , ( False , False , False , False )), + ('file /bar r,' , ( False , False , False , False )), + ('audit /foo r,' , ( True , True , True , True )), + ('audit file,' , ( False , False , False , False )), + ('audit deny /foo r,' , ( False , False , False , False )), + ('deny file /foo r,' , ( False , False , False , False )), + ('/foo rPx,' , ( False , False , False , False )), + ('/foo Pxr,' , ( False , False , False , False )), + ('/foo Px,' , ( False , False , False , False )), + ('/foo ix,' , ( False , False , False , False )), + ('/foo ix -> bar,' , ( False , False , False , False )), + ('/foo rPx -> bar,' , ( False , False , False , False )), + ) class 
FileCoveredTest_03(FileCoveredTest): rule = '/foo mrwPx,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('file /foo r,' , [ False , False , True , True ]), - ('allow file /foo r,' , [ False , False , True , True ]), - ('allow /foo r, # comment' , [ False , False , True , True ]), - ('allow owner /foo r,' , [ False , False , True , True ]), - ('/foo r -> bar,' , [ False , False , True , True ]), - ('file r /foo,' , [ False , False , True , True ]), - ('allow file r /foo,' , [ False , False , True , True ]), - ('allow r /foo, # comment' , [ False , False , True , True ]), - ('allow owner r /foo,' , [ False , False , True , True ]), - ('r /foo -> bar,' , [ False , False , True , True ]), - ('file,' , [ False , False , False , False ]), - ('file /foo w,' , [ False , False , True , True ]), - ('file /foo rw,' , [ False , False , True , True ]), - ('file /bar r,' , [ False , False , False , False ]), - ('audit /foo r,' , [ False , False , False , False ]), - ('audit file,' , [ False , False , False , False ]), - ('audit deny /foo r,' , [ False , False , False , False ]), - ('deny file /foo r,' , [ False , False , False , False ]), - ('/foo mrwPx,' , [ True , True , True , True ]), - ('/foo wPxrm,' , [ True , False , True , True ]), - ('/foo rm,' , [ False , False , True , True ]), - ('/foo Px,' , [ False , False , True , True ]), - ('/foo ix,' , [ False , False , False , False ]), - ('/foo ix -> bar,' , [ False , False , False , False ]), - ('/foo mrwPx -> bar,' , [ False , False , False , False ]), - ] + ('file /foo r,' , ( False , False , True , True )), + ('allow file /foo r,' , ( False , False , True , True )), + ('allow /foo r, # comment' , ( False , False , True , True )), + ('allow owner /foo r,' , ( False , False , True , True )), + ('/foo r -> bar,' , ( False , False , True , True )), + ('file r /foo,' , ( False , False , True , True )), + ('allow file r /foo,' , ( False , False , True , True )), + ('allow r /foo, # comment' , ( False 
, False , True , True )), + ('allow owner r /foo,' , ( False , False , True , True )), + ('r /foo -> bar,' , ( False , False , True , True )), + ('file,' , ( False , False , False , False )), + ('file /foo w,' , ( False , False , True , True )), + ('file /foo rw,' , ( False , False , True , True )), + ('file /bar r,' , ( False , False , False , False )), + ('audit /foo r,' , ( False , False , False , False )), + ('audit file,' , ( False , False , False , False )), + ('audit deny /foo r,' , ( False , False , False , False )), + ('deny file /foo r,' , ( False , False , False , False )), + ('/foo mrwPx,' , ( True , True , True , True )), + ('/foo wPxrm,' , ( True , False , True , True )), + ('/foo rm,' , ( False , False , True , True )), + ('/foo Px,' , ( False , False , True , True )), + ('/foo ix,' , ( False , False , False , False )), + ('/foo ix -> bar,' , ( False , False , False , False )), + ('/foo mrwPx -> bar,' , ( False , False , False , False )), + ) class FileCoveredTest_04(FileCoveredTest): rule = '/foo mrwPx -> bar,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('file /foo r,' , [ False , False , True , True ]), - ('allow file /foo r,' , [ False , False , True , True ]), - ('allow /foo r, # comment' , [ False , False , True , True ]), - ('allow owner /foo r,' , [ False , False , True , True ]), - ('/foo r -> bar,' , [ False , False , True , True ]), - ('file r /foo,' , [ False , False , True , True ]), - ('allow file r /foo,' , [ False , False , True , True ]), - ('allow r /foo, # comment' , [ False , False , True , True ]), - ('allow owner r /foo,' , [ False , False , True , True ]), - ('r /foo -> bar,' , [ False , False , True , True ]), - ('file,' , [ False , False , False , False ]), - ('file /foo w,' , [ False , False , True , True ]), - ('file /foo rw,' , [ False , False , True , True ]), - ('file /bar r,' , [ False , False , False , False ]), - ('audit /foo r,' , [ False , False , False , False ]), - ('audit file,' , [ 
False , False , False , False ]), - ('audit deny /foo r,' , [ False , False , False , False ]), - ('deny file /foo r,' , [ False , False , False , False ]), - ('/foo mrwPx,' , [ False , False , False , False ]), - ('/foo wPxrm,' , [ False , False , False , False ]), - ('/foo rm,' , [ False , False , True , True ]), - ('/foo Px,' , [ False , False , False , False ]), - ('/foo ix,' , [ False , False , False , False ]), - ('/foo ix -> bar,' , [ False , False , False , False ]), - ('/foo mrwPx -> bar,' , [ True , True , True , True ]), - ] + ('file /foo r,' , ( False , False , True , True )), + ('allow file /foo r,' , ( False , False , True , True )), + ('allow /foo r, # comment' , ( False , False , True , True )), + ('allow owner /foo r,' , ( False , False , True , True )), + ('/foo r -> bar,' , ( False , False , True , True )), + ('file r /foo,' , ( False , False , True , True )), + ('allow file r /foo,' , ( False , False , True , True )), + ('allow r /foo, # comment' , ( False , False , True , True )), + ('allow owner r /foo,' , ( False , False , True , True )), + ('r /foo -> bar,' , ( False , False , True , True )), + ('file,' , ( False , False , False , False )), + ('file /foo w,' , ( False , False , True , True )), + ('file /foo rw,' , ( False , False , True , True )), + ('file /bar r,' , ( False , False , False , False )), + ('audit /foo r,' , ( False , False , False , False )), + ('audit file,' , ( False , False , False , False )), + ('audit deny /foo r,' , ( False , False , False , False )), + ('deny file /foo r,' , ( False , False , False , False )), + ('/foo mrwPx,' , ( False , False , False , False )), + ('/foo wPxrm,' , ( False , False , False , False )), + ('/foo rm,' , ( False , False , True , True )), + ('/foo Px,' , ( False , False , False , False )), + ('/foo ix,' , ( False , False , False , False )), + ('/foo ix -> bar,' , ( False , False , False , False )), + ('/foo mrwPx -> bar,' , ( True , True , True , True )), + ) class 
FileCoveredTest_05(FileCoveredTest): rule = 'file,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('file /foo r,' , [ False , False , True , True ]), - ('allow file /foo r,' , [ False , False , True , True ]), - ('allow /foo r, # comment' , [ False , False , True , True ]), - ('allow owner /foo r,' , [ False , False , True , True ]), - ('/foo r -> bar,' , [ False , False , True , True ]), - ('file r /foo,' , [ False , False , True , True ]), - ('allow file r /foo,' , [ False , False , True , True ]), - ('allow r /foo, # comment' , [ False , False , True , True ]), - ('allow owner r /foo,' , [ False , False , True , True ]), - ('r /foo -> bar,' , [ False , False , True , True ]), - ('file,' , [ True , True , True , True ]), - ('file /foo w,' , [ False , False , True , True ]), - ('file /foo rw,' , [ False , False , True , True ]), - ('file /bar r,' , [ False , False , True , True ]), - ('audit /foo r,' , [ False , False , False , False ]), - ('audit file,' , [ False , False , False , False ]), - ('audit deny /foo r,' , [ False , False , False , False ]), - ('deny file /foo r,' , [ False , False , False , False ]), - ('/foo mrwPx,' , [ False , False , False , False ]), - ('/foo wPxrm,' , [ False , False , False , False ]), - ('/foo rm,' , [ False , False , True , True ]), - ('/foo Px,' , [ False , False , False , False ]), - ('/foo ix,' , [ False , False , False , False ]), - ('/foo ix -> bar,' , [ False , False , False , False ]), - ('/foo mrwPx -> bar,' , [ False , False , False , False ]), - ] + ('file /foo r,' , ( False , False , True , True )), + ('allow file /foo r,' , ( False , False , True , True )), + ('allow /foo r, # comment' , ( False , False , True , True )), + ('allow owner /foo r,' , ( False , False , True , True )), + ('/foo r -> bar,' , ( False , False , True , True )), + ('file r /foo,' , ( False , False , True , True )), + ('allow file r /foo,' , ( False , False , True , True )), + ('allow r /foo, # comment' , ( False , 
False , True , True )), + ('allow owner r /foo,' , ( False , False , True , True )), + ('r /foo -> bar,' , ( False , False , True , True )), + ('file,' , ( True , True , True , True )), + ('file /foo w,' , ( False , False , True , True )), + ('file /foo rw,' , ( False , False , True , True )), + ('file /bar r,' , ( False , False , True , True )), + ('audit /foo r,' , ( False , False , False , False )), + ('audit file,' , ( False , False , False , False )), + ('audit deny /foo r,' , ( False , False , False , False )), + ('deny file /foo r,' , ( False , False , False , False )), + ('/foo mrwPx,' , ( False , False , False , False )), + ('/foo wPxrm,' , ( False , False , False , False )), + ('/foo rm,' , ( False , False , True , True )), + ('/foo Px,' , ( False , False , False , False )), + ('/foo ix,' , ( False , False , False , False )), + ('/foo ix -> bar,' , ( False , False , False , False )), + ('/foo mrwPx -> bar,' , ( False , False , False , False )), + ) class FileCoveredTest_06(FileCoveredTest): rule = 'deny /foo w,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('/foo w,' , [ False , False , False , False ]), - ('/foo a,' , [ False , False , False , False ]), - ('deny /foo w,' , [ True , True , True , True ]), - ('deny /foo a,' , [ False , False , True , True ]), - ] + ('/foo w,' , ( False , False , False , False )), + ('/foo a,' , ( False , False , False , False )), + ('deny /foo w,' , ( True , True , True , True )), + ('deny /foo a,' , ( False , False , True , True )), + ) class FileCoveredTest_07(FileCoveredTest): rule = '/foo w,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('/foo w,' , [ True , True , True , True ]), - ('/foo a,' , [ False , False , True , True ]), - ('deny /foo w,' , [ False , False , False , False ]), - ('deny /foo a,' , [ False , False , False , False ]), - ] + ('/foo w,' , ( True , True , True , True )), + ('/foo a,' , ( False , False , True , True )), + ('deny /foo w,' , ( 
False , False , False , False )), + ('deny /foo a,' , ( False , False , False , False )), + ) class FileCoveredTest_08(FileCoveredTest): rule = 'link /foo -> /bar,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('link /foo -> /bar,' , [ True , True , True , True ]), - ('link /asdf -> /bar,' , [ False , False , False , False ]), - ('link /foo -> /asdf,' , [ False , False , False , False ]), - ('deny link /foo -> /bar,' , [ False , False , False , False ]), - ('deny link /foo -> /bar,' , [ False , False , False , False ]), - ('link subset /foo -> /bar,' , [ False , False , True , True ]), # subset makes the rule more strict - # ('/foo l -> /bar,' , [ ? , ? , ? , ? ]), # TODO - # ('l /foo -> /bar,' , [ ? , ? , ? , ? ]), # TODO - ] + ('link /foo -> /bar,' , ( True , True , True , True )), + ('link /asdf -> /bar,' , ( False , False , False , False )), + ('link /foo -> /asdf,' , ( False , False , False , False )), + ('deny link /foo -> /bar,' , ( False , False , False , False )), + ('deny link /foo -> /bar,' , ( False , False , False , False )), + ('link subset /foo -> /bar,' , ( False , False , True , True )), # subset makes the rule more strict + # ('/foo l -> /bar,' , ( ? , ? , ? , ? )), # TODO + # ('l /foo -> /bar,' , ( ? , ? , ? , ? )), # TODO + ) class FileCoveredTest_09(FileCoveredTest): rule = 'link subset /foo -> /bar,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('link subset /foo -> /bar,' , [ True , True , True , True ]), - ('link subset /asdf -> /bar,' , [ False , False , False , False ]), - ('link subset /foo -> /asdf,' , [ False , False , False , False ]), - ('deny link subset /foo -> /bar,' , [ False , False , False , False ]), - ('deny link subset /foo -> /bar,' , [ False , False , False , False ]), - ('link /foo -> /bar,' , [ False , False , False , False ]), # no subset means more permissions - # ('/foo l -> /bar,' , [ ? , ? , ? , ? ]), # TODO - # ('l /foo -> /bar,' , [ ? , ? , ? , ? 
]), # TODO - ] + ('link subset /foo -> /bar,' , ( True , True , True , True )), + ('link subset /asdf -> /bar,' , ( False , False , False , False )), + ('link subset /foo -> /asdf,' , ( False , False , False , False )), + ('deny link subset /foo -> /bar,' , ( False , False , False , False )), + ('deny link subset /foo -> /bar,' , ( False , False , False , False )), + ('link /foo -> /bar,' , ( False , False , False , False )), # no subset means more permissions + # ('/foo l -> /bar,' , ( ? , ? , ? , ? )), # TODO + # ('l /foo -> /bar,' , ( ? , ? , ? , ? )), # TODO + ) class FileCoveredTest_ManualOrInvalid(AATest): def AASetup(self): @@ -782,7 +782,7 @@ class FileCoveredTest_ManualOrInvalid(AATest): obj.is_equal(testobj) class FileSeverityTest(AATest): - tests = [ + tests = ( ('/usr/bin/whatis ix,', 5), ('/etc ix,', 'unknown'), ('/dev/doublehit ix,', 0), @@ -795,7 +795,7 @@ class FileSeverityTest(AATest): ('/usr/foo@bar r,', 'unknown'), # filename containing @ ('/home/foo@bar rw,', 6), # filename containing @ ('file,', 'unknown'), # bare file rule XXX should return maximum severity - ] + ) def _run_test(self, params, expected): sev_db = severity.Severity('../severity.db', 'unknown') 
@@ -804,24 +804,24 @@ class FileSeverityTest(AATest): self.assertEqual(rank, expected) class FileLogprofHeaderTest(AATest): - tests = [ + tests = ( # log event old perms ALL / owner - (['file,', set(), set() ], [ _('Path'), _('ALL'), _('New Mode'), _('ALL') ]), - (['/foo r,', set(), set() ], [ _('Path'), '/foo', _('New Mode'), 'r' ]), - (['file /bar Px -> foo,', set(), set() ], [ _('Path'), '/bar', _('New Mode'), 'Px -> foo' ]), - (['deny file,', set(), set() ], [_('Qualifier'), 'deny', _('Path'), _('ALL'), _('New Mode'), _('ALL') ]), - (['allow file /baz rwk,', set(), set() ], [_('Qualifier'), 'allow', _('Path'), '/baz', _('New Mode'), 'rwk' ]), - (['audit file /foo mr,', set(), set() ], [_('Qualifier'), 'audit', _('Path'), '/foo', _('New Mode'), 'mr' ]), - (['audit deny /foo wk,', set(), set() ], [_('Qualifier'), 'audit deny', _('Path'), '/foo', _('New Mode'), 'wk' ]), - (['owner file /foo ix,', set(), set() ], [ _('Path'), '/foo', _('New Mode'), 'owner ix' ]), - (['audit deny file /foo rlx -> /baz,', set(), set() ], [_('Qualifier'), 'audit deny', _('Path'), '/foo', _('New Mode'), 'rlx -> /baz' ]), - (['/foo rw,', set('r'), set() ], [ _('Path'), '/foo', _('Old Mode'), _('r'), _('New Mode'), _('rw') ]), - (['/foo rw,', set(), set('rw') ], [ _('Path'), '/foo', _('Old Mode'), _('owner rw'), _('New Mode'), _('rw') ]), - (['/foo mrw,', set('r'), set('k') ], [ _('Path'), '/foo', _('Old Mode'), _('r + owner k'), _('New Mode'), _('mrw') ]), - (['/foo mrw,', set('r'), set('rk') ], [ _('Path'), '/foo', _('Old Mode'), _('r + owner k'), _('New Mode'), _('mrw') ]), - (['link /foo -> /bar,', set(), set() ], [ _('Path'), '/foo', _('New Mode'), 'link -> /bar' ]), - (['link subset /foo -> /bar,', set(), set() ], [ _('Path'), '/foo', _('New Mode'), 'link subset -> /bar' ]), - ] + (('file,', set(), set() ), [ _('Path'), _('ALL'), _('New Mode'), _('ALL') ]), + (('/foo r,', set(), set() ), [ _('Path'), '/foo', _('New Mode'), 'r' ]), + (('file /bar Px -> foo,', set(), set() ), [ 
_('Path'), '/bar', _('New Mode'), 'Px -> foo' ]), + (('deny file,', set(), set() ), [_('Qualifier'), 'deny', _('Path'), _('ALL'), _('New Mode'), _('ALL') ]), + (('allow file /baz rwk,', set(), set() ), [_('Qualifier'), 'allow', _('Path'), '/baz', _('New Mode'), 'rwk' ]), + (('audit file /foo mr,', set(), set() ), [_('Qualifier'), 'audit', _('Path'), '/foo', _('New Mode'), 'mr' ]), + (('audit deny /foo wk,', set(), set() ), [_('Qualifier'), 'audit deny', _('Path'), '/foo', _('New Mode'), 'wk' ]), + (('owner file /foo ix,', set(), set() ), [ _('Path'), '/foo', _('New Mode'), 'owner ix' ]), + (('audit deny file /foo rlx -> /baz,', set(), set() ), [_('Qualifier'), 'audit deny', _('Path'), '/foo', _('New Mode'), 'rlx -> /baz' ]), + (('/foo rw,', set('r'), set() ), [ _('Path'), '/foo', _('Old Mode'), _('r'), _('New Mode'), _('rw') ]), + (('/foo rw,', set(), set('rw') ), [ _('Path'), '/foo', _('Old Mode'), _('owner rw'), _('New Mode'), _('rw') ]), + (('/foo mrw,', set('r'), set('k') ), [ _('Path'), '/foo', _('Old Mode'), _('r + owner k'), _('New Mode'), _('mrw') ]), + (('/foo mrw,', set('r'), set('rk') ), [ _('Path'), '/foo', _('Old Mode'), _('r + owner k'), _('New Mode'), _('mrw') ]), + (('link /foo -> /bar,', set(), set() ), [ _('Path'), '/foo', _('New Mode'), 'link -> /bar' ]), + (('link subset /foo -> /bar,', set(), set() ), [ _('Path'), '/foo', _('New Mode'), 'link subset -> /bar' ]), + ) def _run_test(self, params, expected): obj = FileRule.parse(params[0]) @@ -841,11 +841,11 @@ class FileEditHeaderTest(AATest): prompt, path_to_edit = rule_obj.edit_header() self.assertEqual(path_to_edit, expected) - tests = [ + tests = ( ('/foo/bar/baz r,', '/foo/bar/baz'), ('/foo/**/baz r,', '/foo/**/baz'), ('link /foo/** -> /bar,', '/foo/**'), - ] + ) def test_edit_header_bare_file(self): rule_obj = FileRule.parse('file,') 
@@ -862,14 +862,14 @@ class FileValidateAndStoreEditTest(AATest): rule_obj.store_edit(params) self.assertEqual(rule_obj.get_raw(), '%s r,' % params) - tests = [ + tests = ( # edited path match ('/foo/bar/baz', True), ('/foo/bar/*', True), ('/foo/bar/???', True), ('/foo/xy**', False), ('/foo/bar/baz/', False), - ] + ) def test_validate_not_a_path(self): rule_obj = FileRule.parse('/foo/bar/baz r,') @@ -1008,7 +1008,7 @@ class FileRulesTest(AATest): # pass class FileGetRulesForPath(AATest): - tests = [ + tests = ( # path audit deny expected (('/etc/foo/dovecot.conf', False, False), ['/etc/foo/* r,', '/etc/foo/dovecot.conf rw,', '']), (('/etc/foo/foo.conf', False, False), ['/etc/foo/* r,', '']), @@ -1019,10 +1019,10 @@ class FileGetRulesForPath(AATest): (('/etc/foo/dovecot-deny.conf', False, True ), ['deny /etc/foo/dovecot-deny.conf r,', '']), (('/etc/foo/foo.conf', False, True ), [ ]), (('/etc/foo/owner.conf', False, False), ['/etc/foo/* r,', 'owner /etc/foo/owner.conf w,', '']), - ] + ) def _run_test(self, params, expected): - rules = [ + rules = ( '/etc/foo/* r,', '/etc/foo/dovecot.conf rw,', '/etc/foo/{auth,conf}.d/*.conf r,', @@ -1030,18 +1030,18 @@ class FileGetRulesForPath(AATest): '/etc/foo/dovecot-database.conf.ext w,', 'owner /etc/foo/owner.conf w,', 'deny /etc/foo/dovecot-deny.conf r,', - ] + ) ruleset = FileRuleset() for rule in rules: ruleset.add(FileRule.parse(rule)) - matching = ruleset.get_rules_for_path(params[0], params[1], params[2]) + matching = ruleset.get_rules_for_path(*params) self. assertEqual(matching.get_clean(), expected) class FileGetPermsForPath_1(AATest): - tests = [ + tests = ( # path audit deny expected (('/etc/foo/dovecot.conf', False, False), {'allow': {'all': {'r', 'w'}, 'owner': set() }, 'deny': {'all': set(), 'owner': set() }, 'paths': {'/etc/foo/*', '/etc/foo/dovecot.conf' } }), (('/etc/foo/foo.conf', False, False), {'allow': {'all': {'r' }, 'owner': set() }, 'deny': {'all': set(), 'owner': set() }, 'paths': {'/etc/foo/*' } }), 
@@ -1052,10 +1052,10 @@ class FileGetPermsForPath_1(AATest): (('/etc/foo/dovecot-deny.conf', False, True ), {'allow': {'all': set(), 'owner': set() }, 'deny': {'all': {'r' }, 'owner': set() }, 'paths': {'/etc/foo/dovecot-deny.conf' } }), (('/etc/foo/foo.conf', False, True ), {'allow': {'all': set(), 'owner': set() }, 'deny': {'all': set(), 'owner': set() }, 'paths': set() }), (('/usr/lib/dovecot/config', False, False), {'allow': {'all': set(), 'owner': set() }, 'deny': {'all': set(), 'owner': set() }, 'paths': set() }), # exec perms are not honored by get_perms_for_path() - ] + ) def _run_test(self, params, expected): - rules = [ + rules = ( '/etc/foo/* r,', '/etc/foo/dovecot.conf rw,', '/etc/foo/{auth,conf}.d/*.conf r,', @@ -1063,17 +1063,17 @@ class FileGetPermsForPath_1(AATest): '/etc/foo/dovecot-database.conf.ext w,', 'deny /etc/foo/dovecot-deny.conf r,', '/usr/lib/dovecot/config ix,', - ] + ) ruleset = FileRuleset() for rule in rules: ruleset.add(FileRule.parse(rule)) - perms = ruleset.get_perms_for_path(params[0], params[1], params[2]) + perms = ruleset.get_perms_for_path(*params) self. assertEqual(perms, expected) class FileGetPermsForPath_2(AATest): - tests = [ + tests = ( # path audit deny expected (('/etc/foo/dovecot.conf', False, False), {'allow': {'all': FileRule.ALL, 'owner': set() }, 'deny': {'all': FileRule.ALL, 'owner': set() }, 'paths': {'/etc/foo/*', '/etc/foo/dovecot.conf' } }), (('/etc/foo/dovecot.conf', True, False), {'allow': {'all': {'r', 'w'}, 'owner': set() }, 'deny': {'all': set(), 'owner': set() }, 'paths': {'/etc/foo/dovecot.conf' } }), 
@@ -1086,10 +1086,10 @@ class FileGetPermsForPath_2(AATest): (('/etc/foo/dovecot-deny.conf', False, True ), {'allow': {'all': set(), 'owner': set() }, 'deny': {'all': FileRule.ALL, 'owner': set() }, 'paths': {'/etc/foo/dovecot-deny.conf' } }), (('/etc/foo/foo.conf', False, True ), {'allow': {'all': set(), 'owner': set() }, 'deny': {'all': FileRule.ALL, 'owner': set() }, 'paths': set() }), # (('/etc/foo/owner.conf', False, True ), {'allow': {'all': set(), 'owner': {'w'} }, 'deny': {'all': FileRule.ALL, 'owner': set() }, 'paths': {'/etc/foo/owner.conf' } }), # XXX doesn't work yet - ] + ) def _run_test(self, params, expected): - rules = [ + rules = ( '/etc/foo/* r,', 'audit /etc/foo/dovecot.conf rw,', '/etc/foo/{auth,conf}.d/*.conf r,', @@ -1099,29 +1099,29 @@ class FileGetPermsForPath_2(AATest): 'file,', 'owner /etc/foo/owner.conf w,', 'deny file,', - ] + ) ruleset = FileRuleset() for rule in rules: ruleset.add(FileRule.parse(rule)) - perms = ruleset.get_perms_for_path(params[0], params[1], params[2]) + perms = ruleset.get_perms_for_path(*params) self. assertEqual(perms, expected) class FileGetExecRulesForPath_1(AATest): - tests = [ + tests = ( ('/bin/foo', ['audit /bin/foo ix,', ''] ), ('/bin/bar', ['deny /bin/bar x,', ''] ), ('/foo', [] ), - ] + ) def _run_test(self, params, expected): - rules = [ + rules = ( '/foo r,', 'audit /bin/foo ix,', '/bin/b* Px,', 'deny /bin/bar x,', - ] + ) ruleset = FileRuleset() for rule in rules: @@ -1132,19 +1132,19 @@ class FileGetExecRulesForPath_1(AATest): self. assertEqual(matches, expected) class FileGetExecRulesForPath_2(AATest): - tests = [ + tests = ( ('/bin/foo', ['audit /bin/foo ix,', ''] ), ('/bin/bar', ['deny /bin/bar x,', '', '/bin/b* Px,', ''] ), ('/foo', [] ), - ] + ) def _run_test(self, params, expected): - rules = [ + rules = ( '/foo r,', 'audit /bin/foo ix,', '/bin/b* Px,', 'deny /bin/bar x,', - ] + ) ruleset = FileRuleset() for rule in rules: 
@@ -1155,22 +1155,22 @@ class FileGetExecRulesForPath_2(AATest): self. assertEqual(matches, expected) class FileGetExecConflictRules_1(AATest): - tests = [ + tests = ( ('/bin/foo ix,', ['/bin/foo Px,', ''] ), ('/bin/bar Px,', ['deny /bin/bar x,', '', '/bin/bar cx,', ''] ), ('/bin/bar cx,', ['deny /bin/bar x,','',] ), ('/bin/foo r,', [] ), - ] + ) def _run_test(self, params, expected): - rules = [ + rules = ( '/foo r,', 'audit /bin/foo ix,', '/bin/foo Px,', '/bin/b* Px,', '/bin/bar cx,', 'deny /bin/bar x,', - ] + ) ruleset = FileRuleset() for rule in rules: diff --git a/utils/test/test-include.py b/utils/test/test-include.py index 80d37860a..d705a37ab 100644 --- a/utils/test/test-include.py +++ b/utils/test/test-include.py @@ -27,9 +27,9 @@ from apparmor.common import AppArmorException, AppArmorBug from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', [ # 'audit', 'allow_keyword', 'deny', +exp = namedtuple('exp', ( # 'audit', 'allow_keyword', 'deny', 'comment', - 'path', 'ifexists', 'ismagic']) + 'path', 'ifexists', 'ismagic')) # --- tests for single IncludeRule --- # @@ -45,7 +45,7 @@ class IncludeTest(AATest): self.assertEqual(expected.ismagic, obj.ismagic) class IncludeTestParse(IncludeTest): - tests = [ + tests = ( # IncludeRule object comment path if exists ismagic # #include ('#include ', exp('', 'abstractions/base', False, True )), # magic path @@ -83,7 +83,7 @@ class IncludeTestParse(IncludeTest): ('include if exists "/foo/bar" # comment', exp(' # comment', '/foo/bar', True, False)), ('include if exists "/foo/bar"#comment', exp(' #comment', '/foo/bar', True, False)), (' include if exists "/foo/bar" ', exp('', '/foo/bar', True, False)), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(IncludeRule.match(rawrule)) 
@@ -92,12 +92,12 @@ class IncludeTestParse(IncludeTest): self._compare_obj(obj, expected) class IncludeTestParseInvalid(IncludeTest): - tests = [ + tests = ( # (' some #include if exists ', AppArmorException), # (' /etc/fstab r,', AppArmorException), # ('/usr/include r,', AppArmorException), # ('/include r,', AppArmorException), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(IncludeRule.match(rawrule)) # the above invalid rules still match the main regex! 
@@ -107,34 +107,34 @@ class IncludeTestParseInvalid(IncludeTest): # class IncludeTestParseFromLog(IncludeTest): # we'll never have log events for includes class IncludeFromInit(IncludeTest): - tests = [ + tests = ( # IncludeRule object ifexists ismagic comment path ifexists ismagic (IncludeRule('abstractions/base', False, False) , exp('', 'abstractions/base', False, False )), (IncludeRule('foo', True, False) , exp('', 'foo', True, False )), (IncludeRule('bar', False, True) , exp('', 'bar', False, True )), (IncludeRule('baz', True, True) , exp('', 'baz', True, True )), (IncludeRule('comment', False, False, comment='# cmt') , exp('# cmt', 'comment', False, False )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidIncludeInit(AATest): - tests = [ + tests = ( # init params expected exception - ([False, False, False ] , AppArmorBug), # wrong type for path - (['', False, False ] , AppArmorBug), # empty path - ([None, False, False ] , AppArmorBug), # wrong type for path -# ([' ', False, False ] , AppArmorBug), # whitespace-only path - (['foo', None, False ] , AppArmorBug), # wrong type for ifexists - (['foo', '', False ] , AppArmorBug), # wrong type for ifexists - (['foo', False, None ] , AppArmorBug), # wrong type for ismagic - (['foo', False, '' ] , AppArmorBug), # wrong type for ismagic - ] + ((False, False, False ) , AppArmorBug), # wrong type for path + (('', False, False ) , AppArmorBug), # empty path + ((None, False, False ) , AppArmorBug), # wrong type for path +# ((' ', False, False ) , AppArmorBug), # whitespace-only path + (('foo', None, False ) , AppArmorBug), # wrong type for ifexists + (('foo', '', False ) , AppArmorBug), # wrong type for ifexists + (('foo', False, None ) , AppArmorBug), # wrong type for ismagic + (('foo', False, '' ) , AppArmorBug), # wrong type for ismagic + ) def _run_test(self, params, expected): with self.assertRaises(expected): - IncludeRule(params[0], params[1], params[2]) + 
IncludeRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): @@ -188,7 +188,7 @@ class WriteIncludeTestAATest(AATest): self.assertEqual(expected.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule') - tests = [ + tests = ( # raw rule clean rule (' include ', 'include ' ), # (' include foo ', 'include "foo"' ), # several test cases disabled due to implementation restrictions, see re_match_include_parse() @@ -226,7 +226,7 @@ class WriteIncludeTestAATest(AATest): # (' #include if exists "foo" ', 'include if exists "foo"' ), # (' #include if exists /foo ', 'include if exists "/foo"' ), (' #include if exists "/foo" ', 'include if exists "/foo"' ), - ] + ) def test_write_manually(self): obj = IncludeRule('abs/foo', False, True, comment=' # cmt') 
@@ -253,29 +253,29 @@ class IncludeCoveredTest(AATest): class IncludeCoveredTest_01(IncludeCoveredTest): rule = 'include ' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('include ' , [ True , True , True , True ]), - ('#include ' , [ True , False , True , True ]), - ('include if exists ' , [ False , False , True , True ]), - ('#include if exists ' , [ False , False , True , True ]), - ('include ' , [ False , False , False , False ]), -# ('include "foo"' , [ False , False , False , False ]), # disabled due to implementation restrictions, see re_match_include_parse() -# ('include if exists "foo"' , [ False , False , False , False ]), - ] + ('include ' , ( True , True , True , True )), + ('#include ' , ( True , False , True , True )), + ('include if exists ' , ( False , False , True , True )), + ('#include if exists ' , ( False , False , True , True )), + ('include ' , ( False , False , False , False )), +# ('include "foo"' , ( False , False , False , False )), # disabled due to implementation restrictions, see re_match_include_parse() +# ('include if exists "foo"' , ( False , False , False , False )), + ) class IncludeCoveredTest_02(IncludeCoveredTest): rule = 'include if exists ' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('include ' , [ False , False , False , False ]), - ('#include ' , [ False , False , False , False ]), - ('#include if exists ' , [ True , False , True , True ]), - ('include ' , [ False , False , False , False ]), -# ('include "foo"' , [ False , False , False , False ]), # disabled due to implementation restrictions, see re_match_include_parse() -# ('include if exists "foo"' , [ False , False , False , False ]), - ] + ('include ' , ( False , False , False , False )), + ('#include ' , ( False , False , False , False )), + ('#include if exists ' , ( True , False , True , True )), + ('include ' , ( False , False , False , False )), +# ('include "foo"' , ( False , False , False , False )), # 
disabled due to implementation restrictions, see re_match_include_parse() +# ('include if exists "foo"' , ( False , False , False , False )), + ) class IncludeCoveredTest_Invalid(AATest): # def test_borked_obj_is_covered_1(self): @@ -304,10 +304,10 @@ class IncludeCoveredTest_Invalid(AATest): obj.is_equal(testobj) class IncludeLogprofHeaderTest(AATest): - tests = [ + tests = ( ('include ', [_('Include'), 'include ' ]), ('include "/what/ever"', [_('Include'), 'include "/what/ever"', ]), - ] + ) def _run_test(self, params, expected): obj = IncludeRule.parse(params) @@ -333,16 +333,16 @@ class IncludeFullPathsTest(AATest): empty_dir = os.path.join(self.profile_dir, 'abstractions/empty.d') os.mkdir(empty_dir, 0o755) - tests = [ + tests = ( # @@ will be replaced with self.profile_dir - ('include ', ['@@/abstractions/base'] ), -# ('include "foo"', ['@@/foo'] ), # TODO: adjust logic to honor quoted vs. magic paths (and allow quoted relative paths in re_match_include_parse()) - ('include "/foo/bar"', ['/foo/bar'] ), - ('include ', ['@@/abstractions/inc.d/incbar', '@@/abstractions/inc.d/incfoo'] ), - ('include ', [] ), - ('include ', ['@@/abstractions/not_found'] ), - ('include if exists ', [] ), - ] + ('include ', ('@@/abstractions/base',) ), +# ('include "foo"', ('@@/foo',) ), # TODO: adjust logic to honor quoted vs. magic paths (and allow quoted relative paths in re_match_include_parse()) + ('include "/foo/bar"', ('/foo/bar',) ), + ('include ', ('@@/abstractions/inc.d/incbar', '@@/abstractions/inc.d/incfoo') ), + ('include ', () ), + ('include ', ('@@/abstractions/not_found',) ), + ('include if exists ', () ), + ) def _run_test(self, params, expected): exp2 = [] @@ -376,10 +376,10 @@ class IncludeRulesTest(AATest): def test_ruleset_1(self): ruleset = IncludeRuleset() - rules = [ + rules = ( ' include ', ' #include "/bar" ', - ] + ) expected_raw = [ 'include ', 
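Review bot: The expected values in `IncludeFullPathsTest.tests` are now one-element tuples such as `('@@/abstractions/base',)`, which are tuples only because of the trailing comma; dropping it leaves a bare string, and a loop over `expected` would then walk it character by character. `_run_test` starts with `exp2 = []` and continues outside the hunk, so how `expected` is consumed is not visible here, but if it is iterated the failure would show up as a confusing diff rather than a clear error. Other tables in this commit keep list-valued expectations (for example `IncludeLogprofHeaderTest`), so leaving these as lists, e.g. `('include "/foo/bar"', ['/foo/bar'])`, would be consistent and remove the pitfall. Otherwise add a comment above the table: `# expected is a tuple of paths; one-element entries need the trailing comma`.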
@@ -414,12 +414,12 @@ class IncludeRulesTest(AATest): def test_ruleset_2(self): ruleset = IncludeRuleset() - rules = [ + rules = ( ' include if exists ', ' include ', ' #include "/bar" ', '#include if exists "/asdf" ', - ] + ) expected_raw = [ 'include if exists ', diff --git a/utils/test/test-libapparmor-test_multi.py b/utils/test/test-libapparmor-test_multi.py index c93d7bc5c..53939f804 100644 --- a/utils/test/test-libapparmor-test_multi.py +++ b/utils/test/test-libapparmor-test_multi.py @@ -52,7 +52,7 @@ class TestLibapparmorTestMulti(AATest): raise Exception("Log event doesn't match RE_LOG_ALL") for label in expected: - if label in [ + if label in ( 'file', # filename of the *.in file 'event_type', # mapped to aamode 'audit_id', 'audit_sub_id', # not set nor relevant @@ -66,9 +66,9 @@ class TestLibapparmorTestMulti(AATest): 'src_name', # pivotroot 'dbus_bus', 'dbus_interface', 'dbus_member', 'dbus_path', # dbus 'peer_pid', 'peer_profile', # dbus - ]: + ): pass - elif parsed_items['operation'] == 'exec' and label in ['sock_type', 'family', 'protocol']: + elif parsed_items['operation'] == 'exec' and label in ('sock_type', 'family', 'protocol'): pass # XXX 'exec' + network? really? elif parsed_items['operation'] == 'ptrace' and label == 'name2' and params.endswith('/ptrace_garbage_lp1689667_1'): pass # libapparmor would better qualify this case as invalid event @@ -215,10 +215,10 @@ def logfile_to_profile(logfile): aamode = parsed_event['aamode'] - if aamode in['AUDIT', 'STATUS', 'HINT']: # ignore some event types # XXX maybe we shouldn't ignore AUDIT events? + if aamode in ('AUDIT', 'STATUS', 'HINT'): # ignore some event types # XXX maybe we shouldn't ignore AUDIT events? return None, aamode - if aamode not in ['PERMITTING', 'REJECTING']: + if aamode not in ('PERMITTING', 'REJECTING'): raise Exception('Unexpected aamode %s' % parsed_event['aamode']) # cleanup apparmor.aa storage 
@@ -288,7 +288,7 @@ def find_test_multi(log_dir): for file in files: if file.endswith('.in'): file_with_path = os.path.join(root, file[:-3]) # filename without '.in' - tests.append([file_with_path, True]) # True is a dummy testresult, parsing of the *.out files is done while running the tests + tests.append((file_with_path, True)) # True is a dummy testresult, parsing of the *.out files is done while running the tests elif file.endswith('.out') or file.endswith('.err') or file.endswith('.profile'): pass diff --git a/utils/test/test-logparser.py b/utils/test/test-logparser.py index b3d8e105a..e351cf0e3 100644 --- a/utils/test/test-logparser.py +++ b/utils/test/test-logparser.py @@ -20,7 +20,7 @@ from common_test import AATest, setup_all_loops # , setup_aa from apparmor.common import AppArmorException class TestParseEvent(AATest): - tests = [] + tests = () def setUp(self): self.parser = ReadLog('', '', '') @@ -100,10 +100,10 @@ class TestParseEvent(AATest): self.assertIsNotNone(ReadLog.RE_LOG_ALL.search(event)) class TestParseEventForTreeInvalid(AATest): - tests = [ + tests = ( ('type=AVC msg=audit(1556742870.707:3614): apparmor="ALLOWED" operation="open" profile="/bin/hello" name="/dev/tty" pid=12856 comm="hello" requested_mask="wr" denied_mask="foo" fsuid=1000 ouid=0', AppArmorException), # invalid file permissions "foo" ('type=AVC msg=audit(1556742870.707:3614): apparmor="ALLOWED" operation="open" profile="/bin/hello" name="/dev/tty" pid=12856 comm="hello" requested_mask="wr" denied_mask="wr::w" fsuid=1000 ouid=0', AppArmorException), # "wr::w" mixes owner and other - ] + ) def _fake_profile_exists(self, program): return True diff --git a/utils/test/test-mount_parse.py b/utils/test/test-mount_parse.py index 3ebb57709..bdb68f821 100644 --- a/utils/test/test-mount_parse.py +++ b/utils/test/test-mount_parse.py 
@@ -18,26 +18,26 @@ class BaseAAParseMountTest(AAParseTest): self.parse_function = aa.parse_mount_rule class AAParseMountTest(BaseAAParseMountTest): - tests = [ + tests = ( ('mount,', 'mount base keyword rule'), ('mount -o ro,', 'mount ro rule'), ('mount -o rw /dev/sdb1 -> /mnt/external,', 'mount rw with mount point'), - ] + ) class AAParseRemountTest(BaseAAParseMountTest): - tests = [ + tests = ( ('remount,', 'remount base keyword rule'), ('remount -o ro,', 'remount ro rule'), ('remount -o ro /,', 'remount ro with mountpoint'), - ] + ) class AAParseUmountTest(BaseAAParseMountTest): - tests = [ + tests = ( ('umount,', 'umount base keyword rule'), ('umount /mnt/external,', 'umount with mount point'), ('unmount,', 'unmount base keyword rule'), ('unmount /mnt/external,', 'unmount with mount point'), - ] + ) setup_aa(aa) if __name__ == '__main__': diff --git a/utils/test/test-network.py b/utils/test/test-network.py index 0470cf715..360a07568 100644 --- a/utils/test/test-network.py +++ b/utils/test/test-network.py @@ -24,8 +24,8 @@ from apparmor.logparser import ReadLog from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', - 'domain', 'all_domains', 'type_or_protocol', 'all_type_or_protocols']) +exp = namedtuple('exp', ('audit', 'allow_keyword', 'deny', 'comment', + 'domain', 'all_domains', 'type_or_protocol', 'all_type_or_protocols')) # --- check if the keyword list is up to date --- # @@ -65,7 +65,7 @@ class NetworkTest(AATest): self.assertEqual(expected.comment, obj.comment) class NetworkTestParse(NetworkTest): - tests = [ + tests = ( # rawrule audit allow deny comment domain all? type/proto all? ('network,' , exp(False, False, False, '' , None , True , None , True )), ('network inet,' , exp(False, False, False, '' , 'inet', False, None , True )), 
@@ -73,7 +73,7 @@ class NetworkTestParse(NetworkTest): ('deny network inet stream, # comment' , exp(False, False, True , ' # comment' , 'inet', False, 'stream' , False)), ('audit allow network tcp,' , exp(True , True , False, '' , None , True , 'tcp' , False)), ('network stream,' , exp(False, False, False, '' , None , True , 'stream' , False)), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(NetworkRule.match(rawrule)) @@ -82,12 +82,12 @@ class NetworkTestParse(NetworkTest): self._compare_obj(obj, expected) class NetworkTestParseInvalid(NetworkTest): - tests = [ + tests = ( ('network foo,' , AppArmorException), ('network foo bar,' , AppArmorException), ('network foo tcp,' , AppArmorException), ('network inet bar,' , AppArmorException), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(NetworkRule.match(rawrule)) # the above invalid rules still match the main regex! @@ -135,7 +135,7 @@ class NetworkTestParseFromLog(NetworkTest): class NetworkFromInit(NetworkTest): - tests = [ + tests = ( # NetworkRule object audit allow deny comment domain all? type/proto all? (NetworkRule('inet', 'raw', deny=True) , exp(False, False, True , '' , 'inet', False, 'raw' , False)), (NetworkRule('inet', 'raw') , exp(False, False, False, '' , 'inet', False, 'raw' , False)), 
@@ -143,30 +143,30 @@ class NetworkFromInit(NetworkTest): (NetworkRule(NetworkRule.ALL, NetworkRule.ALL) , exp(False, False, False, '' , None , True , None , True )), (NetworkRule(NetworkRule.ALL, 'tcp') , exp(False, False, False, '' , None , True , 'tcp' , False)), (NetworkRule(NetworkRule.ALL, 'stream') , exp(False, False, False, '' , None , True , 'stream' , False)), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidNetworkInit(AATest): - tests = [ + tests = ( # init params expected exception - (['inet', '' ] , AppArmorBug), # empty type_or_protocol - (['' , 'tcp' ] , AppArmorBug), # empty domain - ([' ', 'tcp' ] , AppArmorBug), # whitespace domain - (['inet', ' ' ] , AppArmorBug), # whitespace type_or_protocol - (['xyxy', 'tcp' ] , AppArmorBug), # invalid domain - (['inet', 'xyxy' ] , AppArmorBug), # invalid type_or_protocol - ([dict(), 'tcp' ] , AppArmorBug), # wrong type for domain - ([None , 'tcp' ] , AppArmorBug), # wrong type for domain - (['inet', dict() ] , AppArmorBug), # wrong type for type_or_protocol - (['inet', None ] , AppArmorBug), # wrong type for type_or_protocol - ] + (('inet', '' ) , AppArmorBug), # empty type_or_protocol + (('' , 'tcp' ) , AppArmorBug), # empty domain + ((' ', 'tcp' ) , AppArmorBug), # whitespace domain + (('inet', ' ' ) , AppArmorBug), # whitespace type_or_protocol + (('xyxy', 'tcp' ) , AppArmorBug), # invalid domain + (('inet', 'xyxy' ) , AppArmorBug), # invalid type_or_protocol + ((dict(), 'tcp' ) , AppArmorBug), # wrong type for domain + ((None , 'tcp' ) , AppArmorBug), # wrong type for domain + (('inet', dict() ) , AppArmorBug), # wrong type for type_or_protocol + (('inet', None ) , AppArmorBug), # wrong type for type_or_protocol + ) def _run_test(self, params, expected): with self.assertRaises(expected): - NetworkRule(params[0], params[1]) + NetworkRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): 
@@ -217,14 +217,14 @@ class WriteNetworkTestAATest(AATest): self.assertEqual(expected.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule') - tests = [ + tests = ( # raw rule clean rule (' network , # foo ' , 'network, # foo'), (' audit network inet,' , 'audit network inet,'), (' deny network inet stream,# foo bar' , 'deny network inet stream, # foo bar'), (' deny network inet ,# foo bar' , 'deny network inet, # foo bar'), (' allow network tcp ,# foo bar' , 'allow network tcp, # foo bar'), - ] + ) def test_write_manually(self): obj = NetworkRule('inet', 'stream', allow_keyword=True) 
@@ -251,80 +251,80 @@ class NetworkCoveredTest(AATest): class NetworkCoveredTest_01(NetworkCoveredTest): rule = 'network inet,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('network,' , [ False , False , False , False ]), - ('network inet,' , [ True , True , True , True ]), - ('network inet, # comment' , [ True , False , True , True ]), - ('allow network inet,' , [ True , False , True , True ]), - ('network inet,' , [ True , False , True , True ]), - ('network inet stream,' , [ False , False , True , True ]), - ('network inet tcp,' , [ False , False , True , True ]), - ('audit network inet,' , [ False , False , False , False ]), - ('audit network,' , [ False , False , False , False ]), - ('network unix,' , [ False , False , False , False ]), - ('network tcp,' , [ False , False , False , False ]), - ('audit deny network inet,' , [ False , False , False , False ]), - ('deny network inet,' , [ False , False , False , False ]), - ] + ('network,' , ( False , False , False , False )), + ('network inet,' , ( True , True , True , True )), + ('network inet, # comment' , ( True , False , True , True )), + ('allow network inet,' , ( True , False , True , True )), + ('network inet,' , ( True , False , True , True )), + ('network inet stream,' , ( False , False , True , True )), + ('network inet tcp,' , ( False , False , True , True )), + ('audit network inet,' , ( False , False , False , False )), + ('audit network,' , ( False , False , False , False )), + ('network unix,' , ( False , False , False , False )), + ('network tcp,' , ( False , False , False , False )), + ('audit deny network inet,' , ( False , False , False , False )), + ('deny network inet,' , ( False , False , False , False )), + ) class NetworkCoveredTest_02(NetworkCoveredTest): rule = 'audit network inet,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'network inet,' , [ False , False , True , False ]), - ('audit network inet,' , [ True , True , True 
, True ]), - ( 'network inet stream,' , [ False , False , True , False ]), - ('audit network inet stream,' , [ False , False , True , True ]), - ( 'network,' , [ False , False , False , False ]), - ('audit network,' , [ False , False , False , False ]), - ('network unix,' , [ False , False , False , False ]), - ] + ( 'network inet,' , ( False , False , True , False )), + ('audit network inet,' , ( True , True , True , True )), + ( 'network inet stream,' , ( False , False , True , False )), + ('audit network inet stream,' , ( False , False , True , True )), + ( 'network,' , ( False , False , False , False )), + ('audit network,' , ( False , False , False , False )), + ('network unix,' , ( False , False , False , False )), + ) class NetworkCoveredTest_03(NetworkCoveredTest): rule = 'network inet stream,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'network inet stream,' , [ True , True , True , True ]), - ('allow network inet stream,' , [ True , False , True , True ]), - ( 'network inet,' , [ False , False , False , False ]), - ( 'network,' , [ False , False , False , False ]), - ( 'network inet tcp,' , [ False , False , False , False ]), - ('audit network,' , [ False , False , False , False ]), - ('audit network inet stream,' , [ False , False , False , False ]), - ( 'network unix,' , [ False , False , False , False ]), - ( 'network,' , [ False , False , False , False ]), - ] + ( 'network inet stream,' , ( True , True , True , True )), + ('allow network inet stream,' , ( True , False , True , True )), + ( 'network inet,' , ( False , False , False , False )), + ( 'network,' , ( False , False , False , False )), + ( 'network inet tcp,' , ( False , False , False , False )), + ('audit network,' , ( False , False , False , False )), + ('audit network inet stream,' , ( False , False , False , False )), + ( 'network unix,' , ( False , False , False , False )), + ( 'network,' , ( False , False , False , False )), + ) class 
NetworkCoveredTest_04(NetworkCoveredTest): rule = 'network,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'network,' , [ True , True , True , True ]), - ('allow network,' , [ True , False , True , True ]), - ( 'network inet,' , [ False , False , True , True ]), - ( 'network inet6 stream,' , [ False , False , True , True ]), - ( 'network tcp,' , [ False , False , True , True ]), - ( 'network inet raw,' , [ False , False , True , True ]), - ('audit network,' , [ False , False , False , False ]), - ('deny network,' , [ False , False , False , False ]), - ] + ( 'network,' , ( True , True , True , True )), + ('allow network,' , ( True , False , True , True )), + ( 'network inet,' , ( False , False , True , True )), + ( 'network inet6 stream,' , ( False , False , True , True )), + ( 'network tcp,' , ( False , False , True , True )), + ( 'network inet raw,' , ( False , False , True , True )), + ('audit network,' , ( False , False , False , False )), + ('deny network,' , ( False , False , False , False )), + ) class NetworkCoveredTest_05(NetworkCoveredTest): rule = 'deny network inet,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'deny network inet,' , [ True , True , True , True ]), - ('audit deny network inet,' , [ False , False , False , False ]), - ( 'network inet,' , [ False , False , False , False ]), # XXX should covered be true here? - ( 'deny network unix,' , [ False , False , False , False ]), - ( 'deny network,' , [ False , False , False , False ]), - ] + ( 'deny network inet,' , ( True , True , True , True )), + ('audit deny network inet,' , ( False , False , False , False )), + ( 'network inet,' , ( False , False , False , False )), # XXX should covered be true here? + ( 'deny network unix,' , ( False , False , False , False )), + ( 'deny network,' , ( False , False , False , False )), + ) class NetworkCoveredTest_Invalid(AATest): 
@@ -363,7 +363,7 @@ class NetworkCoveredTest_Invalid(AATest): obj.is_equal(testobj) class NetworkLogprofHeaderTest(AATest): - tests = [ + tests = ( ('network,', [ _('Network Family'), _('ALL'), _('Socket Type'), _('ALL'), ]), ('network inet,', [ _('Network Family'), 'inet', _('Socket Type'), _('ALL'), ]), ('network inet stream,', [ _('Network Family'), 'inet', _('Socket Type'), 'stream', ]), @@ -371,17 +371,17 @@ class NetworkLogprofHeaderTest(AATest): ('allow network inet,', [_('Qualifier'), 'allow', _('Network Family'), 'inet', _('Socket Type'), _('ALL'), ]), ('audit network inet stream,', [_('Qualifier'), 'audit', _('Network Family'), 'inet', _('Socket Type'), 'stream', ]), ('audit deny network inet,', [_('Qualifier'), 'audit deny', _('Network Family'), 'inet', _('Socket Type'), _('ALL'), ]), - ] + ) def _run_test(self, params, expected): obj = NetworkRule.parse(params) self.assertEqual(obj.logprof_header(), expected) class NetworkRuleReprTest(AATest): - tests = [ + tests = ( (NetworkRule('inet', 'stream'), ' network inet stream,'), (NetworkRule.parse(' allow network inet stream, # foo'), ' allow network inet stream, # foo'), - ] + ) def _run_test(self, params, expected): self.assertEqual(str(params), expected) @@ -399,10 +399,10 @@ class NetworkRulesTest(AATest): def test_ruleset_1(self): ruleset = NetworkRuleset() - rules = [ + rules = ( 'network tcp,', 'network inet,', - ] + ) expected_raw = [ 'network tcp,', @@ -424,11 +424,11 @@ class NetworkRulesTest(AATest): def test_ruleset_2(self): ruleset = NetworkRuleset() - rules = [ + rules = ( 'network inet6 raw,', 'allow network inet,', 'deny network udp, # example comment', - ] + ) expected_raw = [ ' network inet6 raw,', diff --git a/utils/test/test-notify.py b/utils/test/test-notify.py index f82bf68e0..b00b40686 100644 --- a/utils/test/test-notify.py +++ b/utils/test/test-notify.py 
@@ -16,27 +16,27 @@ from apparmor.common import AppArmorBug from apparmor.notify import get_last_login_timestamp, sane_timestamp class TestSane_timestamp(AATest): - tests = [ + tests = ( (2524704400, False), # Sun Jan 2 03:46:40 CET 2050 ( 944780400, False), # Fri Dec 10 00:00:00 CET 1999 (1635026400, True ), # Sun Oct 24 00:00:00 CEST 2021 - ] + ) def _run_test(self, params, expected): self.assertEqual(sane_timestamp(params), expected) class TestGet_last_login_timestamp(AATest): - tests = [ - (['wtmp-x86_64', 'root' ], 1635070346), # Sun Oct 24 12:12:26 CEST 2021 - (['wtmp-x86_64', 'whoever' ], 0), - (['wtmp-s390x', 'root' ], 1626368763), # Thu Jul 15 19:06:03 CEST 2021 - (['wtmp-s390x', 'linux1' ], 1626368772), # Thu Jul 15 19:06:12 CEST 2021 - (['wtmp-s390x', 'whoever' ], 0), - (['wtmp-aarch64', 'guillaume' ], 1611562789), # Mon Jan 25 09:19:49 CET 2021 - (['wtmp-aarch64', 'whoever' ], 0), - (['wtmp-truncated', 'root' ], 0), - (['wtmp-truncated', 'whoever' ], 0), - ] + tests = ( + (('wtmp-x86_64', 'root' ), 1635070346), # Sun Oct 24 12:12:26 CEST 2021 + (('wtmp-x86_64', 'whoever' ), 0), + (('wtmp-s390x', 'root' ), 1626368763), # Thu Jul 15 19:06:03 CEST 2021 + (('wtmp-s390x', 'linux1' ), 1626368772), # Thu Jul 15 19:06:12 CEST 2021 + (('wtmp-s390x', 'whoever' ), 0), + (('wtmp-aarch64', 'guillaume' ), 1611562789), # Mon Jan 25 09:19:49 CET 2021 + (('wtmp-aarch64', 'whoever' ), 0), + (('wtmp-truncated', 'root' ), 0), + (('wtmp-truncated', 'whoever' ), 0), + ) def _run_test(self, params, expected): filename, user = params diff --git a/utils/test/test-parser-simple-tests.py b/utils/test/test-parser-simple-tests.py index 901b41cfb..763c824fb 100644 --- a/utils/test/test-parser-simple-tests.py +++ b/utils/test/test-parser-simple-tests.py 
@@ -38,7 +38,7 @@ skip_startswith = ( ) # testcases that should raise an exception, but don't -exception_not_raised = [ +exception_not_raised = ( # most abi/bad_* aren't detected as bad by the basic implementation in the tools 'abi/bad_10.sd', 'abi/bad_11.sd', @@ -218,10 +218,10 @@ exception_not_raised = [ 'xtrans/simple_bad_conflicting_x_6.sd', 'xtrans/simple_bad_conflicting_x_8.sd', 'xtrans/x-conflict.sd', -] +) # testcases with lines that don't match any regex and end up as "unknown line" -unknown_line = [ +unknown_line = ( # 'other' keyword 'file/allow/ok_other_1.sd', 'file/allow/ok_other_2.sd', @@ -298,10 +298,10 @@ unknown_line = [ 'bare_include_tests/ok_84.sd', 'bare_include_tests/ok_85.sd', 'bare_include_tests/ok_86.sd', -] +) # testcases with various unexpected failures -syntax_failure = [ +syntax_failure = ( # missing profile keywords 'profile/re_named_ok2.sd', @@ -404,7 +404,7 @@ syntax_failure = [ 'vars/vars_dbus_8.sd', # Path doesn't start with / or variable: {/@{TLDS}/foo,/com/@{DOMAINS}} 'vars/vars_simple_assignment_12.sd', # Redefining existing variable @{BAR} ('\' not handled) 'bare_include_tests/ok_2.sd', # two #include<...> in one line -] +) class TestParseParserTests(AATest): tests = [] # filled by parse_test_profiles() diff --git a/utils/test/test-pivot_root_parse.py b/utils/test/test-pivot_root_parse.py index 30701b90b..14f75e624 100644 --- a/utils/test/test-pivot_root_parse.py +++ b/utils/test/test-pivot_root_parse.py @@ -17,12 +17,12 @@ class AAParsePivotRootTest(AAParseTest): def setUp(self): self.parse_function = aa.parse_pivot_root_rule - tests = [ + tests = ( ('pivot_root,', 'pivot_root base keyword'), ('pivot_root /old,', 'pivot_root oldroot rule'), ('pivot_root /old /new,', 'pivot_root old and new root rule'), ('pivot_root /old /new -> /usr/bin/child,', 'pivot_root child rule'), - ] + ) setup_aa(aa) if __name__ == '__main__': 
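Review bot: `exception_not_raised`, `unknown_line` and `syntax_failure` are long collections of test file names, and turning them into tuples makes them immutable but keeps every lookup a linear scan. Their use is outside these hunks; if they are only consulted with `in`, a `frozenset` states that intent and would make an accidental duplicate entry harmless: `exception_not_raised = frozenset((` ... `))`. If order or indexing matters somewhere, a short comment saying so above each table would explain why a tuple was chosen.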
diff --git a/utils/test/test-profile-list.py b/utils/test/test-profile-list.py index cdaf291bc..79c7ca148 100644 --- a/utils/test/test-profile-list.py +++ b/utils/test/test-profile-list.py @@ -99,13 +99,13 @@ class TestAdd_profile(AATest): self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo', 'wrong_type') class TestFilename_from_profile_name(AATest): - tests = [ + tests = ( ('foo', '/etc/apparmor.d/bin.foo'), ('/bin/foo', None), ('bar', None), ('/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/etc/apparmor.d/usr.bin.wine'), ('/usr/lib/wine/bin/wine-preloader-staging-foo', None), # no AARE matching for profile names - ] + ) def AASetup(self): self.pl = ProfileList() @@ -117,7 +117,7 @@ class TestFilename_from_profile_name(AATest): self.assertEqual(self.pl.filename_from_profile_name(params), expected) class TestFilename_from_attachment(AATest): - tests = [ + tests = ( ('/bin/foo', '/etc/apparmor.d/bin.foo'), ('/bin/baz', '/etc/apparmor.d/bin.baz'), ('/bin/foobar', '/etc/apparmor.d/bin.foobar'), @@ -125,7 +125,7 @@ class TestFilename_from_attachment(AATest): ('/bin/404', None), ('/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/etc/apparmor.d/usr.bin.wine'), # XXX should this really match, or should attachment matching only use AARE? ('/usr/lib/wine/bin/wine-preloader-staging-foo', '/etc/apparmor.d/usr.bin.wine'), # AARE match - ] + ) def AASetup(self): self.pl = ProfileList() @@ -331,7 +331,7 @@ class TestGet(AATest): self.pl.get_raw('/etc/apparmor.d/not.found') class AaTest_get_all_merged_variables(AATest): - tests = [] + tests = () def AASetup(self): self.createTmpdir() diff --git a/utils/test/test-profile-storage.py b/utils/test/test-profile-storage.py index 5653b381f..6906b001e 100644 --- a/utils/test/test-profile-storage.py +++ b/utils/test/test-profile-storage.py 
@@ -36,33 +36,33 @@ class TestUnknownKey(AATest): self.storage['foo'] = 'bar' class AaTest_get_header(AATest): - tests = [ + tests = ( # name embedded_hat depth flags attachment xattrs prof.keyw. comment expected - (['/foo', False, 1, 'complain', '', '', False, '' ], ' /foo flags=(complain) {'), - (['/foo', True, 1, 'complain', '', '', False, '' ], ' profile /foo flags=(complain) {'), - (['/foo sp', False, 2, 'complain', '', '', False, '' ], ' "/foo sp" flags=(complain) {'), - (['/foo', True, 2, 'complain', '', '', False, '' ], ' profile /foo flags=(complain) {'), - (['/foo', False, 0, None, '', '', False, '' ], '/foo {'), - (['/foo', False, 0, None, '', 'user.foo=bar', False, '' ], '/foo xattrs=(user.foo=bar) {'), - (['/foo', True, 0, None, '', '', False, '' ], 'profile /foo {'), - (['bar', False, 1, 'complain', '', '', False, '' ], ' profile bar flags=(complain) {'), - (['bar', False, 1, 'complain', '/foo', '', False, '' ], ' profile bar /foo flags=(complain) {'), - (['bar', True, 1, 'complain', '/foo', '', False, '' ], ' profile bar /foo flags=(complain) {'), - (['bar baz', False, 1, None, '/foo', '', False, '' ], ' profile "bar baz" /foo {'), - (['bar', True, 1, None, '/foo', '', False, '' ], ' profile bar /foo {'), - (['bar baz', False, 1, 'complain', '/foo sp', '', False, '' ], ' profile "bar baz" "/foo sp" flags=(complain) {'), - (['bar baz', False, 1, 'complain', '/foo sp', 'user.foo=bar', False, '' ], ' profile "bar baz" "/foo sp" xattrs=(user.foo=bar) flags=(complain) {'), - (['^foo', False, 1, 'complain', '', '', False, '' ], ' profile ^foo flags=(complain) {'), - (['^foo', True, 1, 'complain', '', '', False, '' ], ' ^foo flags=(complain) {'), - (['^foo', True, 1.5, 'complain', '', '', False, '' ], ' ^foo flags=(complain) {'), - (['^foo', True, 1.3, 'complain', '', '', False, '' ], ' ^foo flags=(complain) {'), - (['/foo', False, 1, 'complain', '', '', True, '' ], ' profile /foo flags=(complain) {'), - (['/foo', True, 1, 'complain', '', '', True, '' ], ' 
profile /foo flags=(complain) {'), - (['/foo', False, 1, 'complain', '', '', False, '# x' ], ' /foo flags=(complain) { # x'), - (['/foo', True, 1, None, '', '', False, '# x' ], ' profile /foo { # x'), - (['/foo', False, 1, None, '', '', True, '# x' ], ' profile /foo { # x'), - (['/foo', True, 1, 'complain', '', '', True, '# x' ], ' profile /foo flags=(complain) { # x'), - ] + (('/foo', False, 1, 'complain', '', '', False, '' ), ' /foo flags=(complain) {'), + (('/foo', True, 1, 'complain', '', '', False, '' ), ' profile /foo flags=(complain) {'), + (('/foo sp', False, 2, 'complain', '', '', False, '' ), ' "/foo sp" flags=(complain) {'), + (('/foo', True, 2, 'complain', '', '', False, '' ), ' profile /foo flags=(complain) {'), + (('/foo', False, 0, None, '', '', False, '' ), '/foo {'), + (('/foo', False, 0, None, '', 'user.foo=bar', False, '' ), '/foo xattrs=(user.foo=bar) {'), + (('/foo', True, 0, None, '', '', False, '' ), 'profile /foo {'), + (('bar', False, 1, 'complain', '', '', False, '' ), ' profile bar flags=(complain) {'), + (('bar', False, 1, 'complain', '/foo', '', False, '' ), ' profile bar /foo flags=(complain) {'), + (('bar', True, 1, 'complain', '/foo', '', False, '' ), ' profile bar /foo flags=(complain) {'), + (('bar baz', False, 1, None, '/foo', '', False, '' ), ' profile "bar baz" /foo {'), + (('bar', True, 1, None, '/foo', '', False, '' ), ' profile bar /foo {'), + (('bar baz', False, 1, 'complain', '/foo sp', '', False, '' ), ' profile "bar baz" "/foo sp" flags=(complain) {'), + (('bar baz', False, 1, 'complain', '/foo sp', 'user.foo=bar', False, '' ), ' profile "bar baz" "/foo sp" xattrs=(user.foo=bar) flags=(complain) {'), + (('^foo', False, 1, 'complain', '', '', False, '' ), ' profile ^foo flags=(complain) {'), + (('^foo', True, 1, 'complain', '', '', False, '' ), ' ^foo flags=(complain) {'), + (('^foo', True, 1.5, 'complain', '', '', False, '' ), ' ^foo flags=(complain) {'), + (('^foo', True, 1.3, 'complain', '', '', False, '' ), ' ^foo 
flags=(complain) {'), + (('/foo', False, 1, 'complain', '', '', True, '' ), ' profile /foo flags=(complain) {'), + (('/foo', True, 1, 'complain', '', '', True, '' ), ' profile /foo flags=(complain) {'), + (('/foo', False, 1, 'complain', '', '', False, '# x' ), ' /foo flags=(complain) { # x'), + (('/foo', True, 1, None, '', '', False, '# x' ), ' profile /foo { # x'), + (('/foo', False, 1, None, '', '', True, '# x' ), ' profile /foo { # x'), + (('/foo', True, 1, 'complain', '', '', True, '# x' ), ' profile /foo flags=(complain) { # x'), + ) def _run_test(self, params, expected): name = params[0] @@ -80,13 +80,13 @@ class AaTest_get_header(AATest): self.assertEqual(result, [expected]) class AaTest_get_header_01(AATest): - tests = [ + tests = ( ({'name': '/foo', 'depth': 1, 'flags': 'complain' }, ' /foo flags=(complain) {', ), ({'name': '/foo', 'depth': 1, 'flags': 'complain', 'profile_keyword': True }, ' profile /foo flags=(complain) {', ), ({'name': '/foo', 'flags': 'complain' }, '/foo flags=(complain) {', ), ({'name': '/foo', 'xattrs': 'user.foo=bar', 'flags': 'complain' }, '/foo xattrs=(user.foo=bar) flags=(complain) {', ), ({'name': '/foo', 'xattrs': 'user.foo=bar', 'embedded_hat': True }, 'profile /foo xattrs=(user.foo=bar) {', ), - ] + ) def _run_test(self, params, expected): name = params['name'] @@ -96,7 +96,7 @@ class AaTest_get_header_01(AATest): prof_storage = ProfileStorage(name, '', 'test') - for param in ['flags', 'attachment', 'profile_keyword', 'header_comment', 'xattrs']: + for param in ('flags', 'attachment', 'profile_keyword', 'header_comment', 'xattrs'): if params.get(param) is not None: prof_storage[param] = params[param] 
@@ -105,14 +105,14 @@ class AaTest_get_header_01(AATest): class TestSetInvalid(AATest): - tests = [ + tests = ( (('profile_keyword', None), AppArmorBug), # expects bool (('profile_keyword', 'foo'), AppArmorBug), (('attachment', False), AppArmorBug), # expects string (('attachment', None), AppArmorBug), (('filename', True), AppArmorBug), # expects string or None (('allow', None), AppArmorBug), # doesn't allow overwriting at all - ] + ) def _run_test(self, params, expected): self.storage = ProfileStorage('/test/foo', 'hat', 'TEST') @@ -120,7 +120,7 @@ class TestSetInvalid(AATest): self.storage[params[0]] = params[1] class AaTest_parse_profile_start(AATest): - tests = [ + tests = ( # profile start line profile hat profile hat attachment xattrs flags pps_set_hat_external (('/foo {', None, None), ('/foo', '/foo', '', '', None, False)), (('/foo (complain) {', None, None), ('/foo', '/foo', '', '', 'complain', False)), @@ -131,7 +131,7 @@ class AaTest_parse_profile_start(AATest): (('profile "/foo" xattrs=(user.bar=bar) {', None, None), ('/foo', '/foo', '', 'user.bar=bar', None, False)), (('profile "/foo" xattrs=(user.bar=bar user.foo=*) {', None, None), ('/foo', '/foo', '', 'user.bar=bar user.foo=*', None, False)), (('/usr/bin/xattrs-test xattrs=(myvalue="foo.bar") {', None, None), ('/usr/bin/xattrs-test', '/usr/bin/xattrs-test', '', 'myvalue="foo.bar"', None, False)), - ] + ) def _run_test(self, params, expected): (profile, hat, prof_storage) = ProfileStorage.parse(params[0], 'somefile', 1, params[1], params[2]) 
@@ -145,14 +145,14 @@ class AaTest_parse_profile_start(AATest): self.assertEqual(prof_storage['external'], expected[5]) class AaTest_parse_profile_start_errors(AATest): - tests = [ + tests = ( (('/foo///bar///baz {', None, None), AppArmorException), # XXX deeply nested external hat (('profile asdf {', '/foo', '/bar'), AppArmorException), # nested child profile (('/foo {', '/bar', None), AppArmorException), # child profile without profile keyword (('/foo {', '/bar', '/bar'), AppArmorException), # child profile without profile keyword (('xy', '/bar', None), AppArmorBug), # not a profile start (('xy', '/bar', '/bar'), AppArmorBug), # not a profile start - ] + ) def _run_test(self, params, expected): with self.assertRaises(expected): 
@@ -160,36 +160,36 @@ class AaTest_parse_profile_start_errors(AATest): class AaTest_add_or_remove_flag(AATest): - tests = [ + tests = ( # existing flag(s) flag to change add or remove? expected flags - ([ [], 'complain', True ], ['complain'] ), - ([ [], 'complain', False ], [] ), - ([ ['complain'], 'complain', True ], ['complain'] ), - ([ ['complain'], 'complain', False ], [] ), - ([ [], 'audit', True ], ['audit'] ), - ([ [], 'audit', False ], [] ), - ([ ['complain'], 'audit', True ], ['audit', 'complain'] ), - ([ ['complain'], 'audit', False ], ['complain'] ), - ([ '', 'audit', True ], ['audit'] ), - ([ None, 'audit', False ], [] ), - ([ 'complain', 'audit', True ], ['audit', 'complain'] ), - ([ ' complain ', 'audit', False ], ['complain'] ), - ([ 'audit complain', ['audit', 'complain'], False ], [] ), - ([ 'audit complain', 'audit complain', False ], [] ), - ([ 'audit complain', ['audit', 'enforce'], False ], ['complain'] ), - ([ 'audit complain', 'audit enforce', False ], ['complain'] ), - ([ '', ['audit', 'complain'], True ], ['audit', 'complain'] ), - ([ '', 'audit complain', True ], ['audit', 'complain'] ), - ([ 'audit', ['audit', 'enforce'], True ], ['audit', 'enforce'] ), - ([ 'audit', 'audit enforce', True ], ['audit', 'enforce'] ), - ] + (( [], 'complain', True ), ['complain'] ), + (( [], 'complain', False ), [] ), + (( ['complain'], 'complain', True ), ['complain'] ), + (( ['complain'], 'complain', False ), [] ), + (( [], 'audit', True ), ['audit'] ), + (( [], 'audit', False ), [] ), + (( ['complain'], 'audit', True ), ['audit', 'complain'] ), + (( ['complain'], 'audit', False ), ['complain'] ), + (( '', 'audit', True ), ['audit'] ), + (( None, 'audit', False ), [] ), + (( 'complain', 'audit', True ), ['audit', 'complain'] ), + (( ' complain ', 'audit', False ), ['complain'] ), + (( 'audit complain', ('audit', 'complain'), False ), [] ), + (( 'audit complain', 'audit complain', False ), [] ), + (( 'audit complain', ('audit', 'enforce'), False ), 
['complain'] ), + (( 'audit complain', 'audit enforce', False ), ['complain'] ), + (( '', ('audit', 'complain'), True ), ['audit', 'complain'] ), + (( '', 'audit complain', True ), ['audit', 'complain'] ), + (( 'audit', ('audit', 'enforce'), True ), ['audit', 'enforce'] ), + (( 'audit', 'audit enforce', True ), ['audit', 'enforce'] ), + ) def _run_test(self, params, expected): - new_flags = add_or_remove_flag(params[0], params[1], params[2]) + new_flags = add_or_remove_flag(*params) self.assertEqual(new_flags, expected) class AaTest_split_flags(AATest): - tests = [ + tests = ( (None , [] ), ('' , [] ), (' ' , [] ), @@ -198,19 +198,19 @@ class AaTest_split_flags(AATest): (' complain attach_disconnected' , ['attach_disconnected', 'complain'] ), (' complain , attach_disconnected' , ['attach_disconnected', 'complain'] ), (' complain , , audit , , ' , ['audit', 'complain'] ), - ] + ) def _run_test(self, params, expected): split = split_flags(params) self.assertEqual(split, expected) class AaTest_var_transform(AATest): - tests = [ - (['foo', ''], '"" foo' ), - (['foo', 'bar'], 'bar foo' ), - ([''], '""' ), - (['bar baz', 'foo'], '"bar baz" foo' ), - ] + tests = ( + (('foo', ''), '"" foo' ), + (('foo', 'bar'), 'bar foo' ), + (('',), '""' ), + (('bar baz', 'foo'), '"bar baz" foo' ), + ) def _run_test(self, params, expected): self.assertEqual(var_transform(params), expected) diff --git a/utils/test/test-ptrace.py b/utils/test/test-ptrace.py index 64817f8ef..c3f5b3d4e 100644 --- a/utils/test/test-ptrace.py +++ b/utils/test/test-ptrace.py @@ -24,8 +24,8 @@ from apparmor.logparser import ReadLog from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', - 'access', 'all_access', 'peer', 'all_peers']) +exp = namedtuple('exp', ('audit', 'allow_keyword', 'deny', 'comment', + 'access', 'all_access', 'peer', 'all_peers')) # # --- tests for single PtraceRule --- # 
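Review bot: In `AaTest_add_or_remove_flag` the inner `flags_to_change` value of four cases changes from a list to a tuple (`['audit', 'complain']` becomes `('audit', 'complain')`), and that value is passed straight into `add_or_remove_flag`, so the function is no longer exercised with a list in that position. The same holds for `AaTest_var_transform` in the next hunk, where `var_transform(params)` now only ever receives tuples. Whether the tools call these helpers with lists is not visible from this diff, but if they do, this is a silent coverage change on the code that rewrites profile flags such as `complain` and `enforce`, not just a container-style cleanup. I would keep at least one list-typed case in each table, e.g. `(( 'audit complain', ['audit', 'complain'], False ), [] ),` and `(['foo', 'bar'], 'bar foo' ),`, next to the new tuple cases.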
@@ -44,7 +44,7 @@ class PtraceTest(AATest): self.assertEqual(expected.comment, obj.comment) class PtraceTestParse(PtraceTest): - tests = [ + tests = ( # PtraceRule object audit allow deny comment access all? peer all? ('ptrace,' , exp(False, False, False, '', None , True , None, True )), # ('ptrace (),' , exp(False, False, False, '', None , True , None, True )), # XXX also broken in SignalRule? @@ -59,7 +59,7 @@ class PtraceTestParse(PtraceTest): ('ptrace peer=/foo,' , exp(False, False, False, '', None , True , '/foo', False )), ('ptrace r peer=/foo,' , exp(False, False, False, '', {'r'}, False, '/foo', False )), ('ptrace r peer="/foo bar",' , exp(False, False, False, '', {'r'}, False, '/foo bar', False )), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(PtraceRule.match(rawrule)) @@ -68,14 +68,14 @@ class PtraceTestParse(PtraceTest): self._compare_obj(obj, expected) class PtraceTestParseInvalid(PtraceTest): - tests = [ + tests = ( ('ptrace foo,' , AppArmorException), ('ptrace foo bar,' , AppArmorException), ('ptrace foo int,' , AppArmorException), ('ptrace read bar,' , AppArmorException), ('ptrace read tracedby,' , AppArmorException), ('ptrace peer=,' , AppArmorException), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(PtraceRule.match(rawrule)) # the above invalid rules still match the main regex! @@ -124,7 +124,7 @@ class PtraceTestParseFromLog(PtraceTest): self.assertEqual(obj.get_raw(1), ' ptrace tracedby peer=/home/ubuntu/bzr/apparmor/tests/regression/apparmor/ptrace,') class PtraceFromInit(PtraceTest): - tests = [ + tests = ( # PtraceRule object audit allow deny comment access all? peer all? (PtraceRule('r', 'unconfined', deny=True) , exp(False, False, True , '' , {'r'}, False, 'unconfined', False)), (PtraceRule(('r', 'read'), '/bin/foo') , exp(False, False, False, '' , {'r', 'read'},False, '/bin/foo', False)), 
@@ -132,29 +132,29 @@ class PtraceFromInit(PtraceTest): (PtraceRule('rw', '/bin/foo') , exp(False, False, False, '' , {'rw'}, False, '/bin/foo', False )), (PtraceRule('rw', PtraceRule.ALL) , exp(False, False, False, '' , {'rw'}, False, None, True )), (PtraceRule(PtraceRule.ALL, PtraceRule.ALL) , exp(False, False, False, '' , None , True, None, True )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidPtraceInit(AATest): - tests = [ + tests = ( # init params expected exception - (['' , '/foo' ] , AppArmorBug), # empty access - (['read', '' ] , AppArmorBug), # empty peer - ([' ', '/foo' ] , AppArmorBug), # whitespace access - (['read', ' ' ] , AppArmorBug), # whitespace peer - (['xyxy', '/foo' ] , AppArmorException), # invalid access + (('' , '/foo' ) , AppArmorBug), # empty access + (('read', '' ) , AppArmorBug), # empty peer + ((' ', '/foo' ) , AppArmorBug), # whitespace access + (('read', ' ' ) , AppArmorBug), # whitespace peer + (('xyxy', '/foo' ) , AppArmorException), # invalid access # XXX is 'invalid peer' possible at all? - ([dict(), '/foo' ] , AppArmorBug), # wrong type for access - ([None , '/foo' ] , AppArmorBug), # wrong type for access - (['read', dict() ] , AppArmorBug), # wrong type for peer - (['read', None ] , AppArmorBug), # wrong type for peer - ] + ((dict(), '/foo' ) , AppArmorBug), # wrong type for access + ((None , '/foo' ) , AppArmorBug), # wrong type for access + (('read', dict() ) , AppArmorBug), # wrong type for peer + (('read', None ) , AppArmorBug), # wrong type for peer + ) def _run_test(self, params, expected): with self.assertRaises(expected): - PtraceRule(params[0], params[1]) + PtraceRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): 
@@ -204,7 +204,7 @@ class WritePtraceTestAATest(AATest): self.assertEqual(expected.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule') - tests = [ + tests = ( # raw rule clean rule ('ptrace,' , 'ptrace,'), (' ptrace , # foo ' , 'ptrace, # foo'), @@ -232,7 +232,7 @@ class WritePtraceTestAATest(AATest): ('ptrace (read tracedby) peer=/usr/bin/bar,' , 'ptrace (read tracedby) peer=/usr/bin/bar,'), ('ptrace (trace read) peer=/usr/bin/bar,' , 'ptrace (read trace) peer=/usr/bin/bar,'), ('ptrace wr peer=/sbin/baz,' , 'ptrace wr peer=/sbin/baz,'), - ] + ) def test_write_manually(self): obj = PtraceRule('read', '/foo', allow_keyword=True) 
@@ -259,160 +259,160 @@ class PtraceCoveredTest(AATest): class PtraceCoveredTest_01(PtraceCoveredTest): rule = 'ptrace read,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('ptrace,' , [ False , False , False , False ]), - ('ptrace read,' , [ True , True , True , True ]), - ('ptrace read peer=unconfined,' , [ False , False , True , True ]), - ('ptrace read, # comment' , [ True , False , True , True ]), - ('allow ptrace read,' , [ True , False , True , True ]), - ('ptrace read,' , [ True , False , True , True ]), - ('audit ptrace read,' , [ False , False , False , False ]), - ('audit ptrace,' , [ False , False , False , False ]), - ('ptrace tracedby,' , [ False , False , False , False ]), - ('audit deny ptrace read,' , [ False , False , False , False ]), - ('deny ptrace read,' , [ False , False , False , False ]), - ] + ('ptrace,' , ( False , False , False , False )), + ('ptrace read,' , ( True , True , True , True )), + ('ptrace read peer=unconfined,' , ( False , False , True , True )), + ('ptrace read, # comment' , ( True , False , True , True )), + ('allow ptrace read,' , ( True , False , True , True )), + ('ptrace read,' , ( True , False , True , True )), + ('audit ptrace read,' , ( False , False , False , False )), + ('audit ptrace,' , ( False , False , False , False )), + ('ptrace tracedby,' , ( False , False , False , False )), + ('audit deny ptrace read,' , ( False , False , False , False )), + ('deny ptrace read,' , ( False , False , False , False )), + ) class PtraceCoveredTest_02(PtraceCoveredTest): rule = 'audit ptrace read,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'ptrace read,' , [ False , False , True , False ]), - ('audit ptrace read,' , [ True , True , True , True ]), - ( 'ptrace,' , [ False , False , False , False ]), - ('audit ptrace,' , [ False , False , False , False ]), - ('ptrace tracedby,' , [ False , False , False , False ]), - ] + ( 'ptrace read,' , ( False , False , True , 
False )), + ('audit ptrace read,' , ( True , True , True , True )), + ( 'ptrace,' , ( False , False , False , False )), + ('audit ptrace,' , ( False , False , False , False )), + ('ptrace tracedby,' , ( False , False , False , False )), + ) class PtraceCoveredTest_03(PtraceCoveredTest): rule = 'ptrace,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'ptrace,' , [ True , True , True , True ]), - ('allow ptrace,' , [ True , False , True , True ]), - ( 'ptrace read,' , [ False , False , True , True ]), - ( 'ptrace w,' , [ False , False , True , True ]), - ('audit ptrace,' , [ False , False , False , False ]), - ('deny ptrace,' , [ False , False , False , False ]), - ] + ( 'ptrace,' , ( True , True , True , True )), + ('allow ptrace,' , ( True , False , True , True )), + ( 'ptrace read,' , ( False , False , True , True )), + ( 'ptrace w,' , ( False , False , True , True )), + ('audit ptrace,' , ( False , False , False , False )), + ('deny ptrace,' , ( False , False , False , False )), + ) class PtraceCoveredTest_04(PtraceCoveredTest): rule = 'deny ptrace read,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'deny ptrace read,' , [ True , True , True , True ]), - ('audit deny ptrace read,' , [ False , False , False , False ]), - ( 'ptrace read,' , [ False , False , False , False ]), # XXX should covered be true here? - ( 'deny ptrace tracedby,' , [ False , False , False , False ]), - ( 'deny ptrace,' , [ False , False , False , False ]), - ] + ( 'deny ptrace read,' , ( True , True , True , True )), + ('audit deny ptrace read,' , ( False , False , False , False )), + ( 'ptrace read,' , ( False , False , False , False )), # XXX should covered be true here? 
+ ( 'deny ptrace tracedby,' , ( False , False , False , False )), + ( 'deny ptrace,' , ( False , False , False , False )), + ) class PtraceCoveredTest_05(PtraceCoveredTest): rule = 'ptrace read peer=unconfined,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('ptrace,' , [ False , False , False , False ]), - ('ptrace read,' , [ False , False , False , False ]), - ('ptrace read peer=unconfined,' , [ True , True , True , True ]), - ('ptrace peer=unconfined,' , [ False , False , False , False ]), - ('ptrace read, # comment' , [ False , False , False , False ]), - ('allow ptrace read,' , [ False , False , False , False ]), - ('allow ptrace read peer=unconfined,' , [ True , False , True , True ]), - ('allow ptrace read peer=/foo/bar,' , [ False , False , False , False ]), - ('allow ptrace read peer=/**,' , [ False , False , False , False ]), - ('allow ptrace read peer=**,' , [ False , False , False , False ]), - ('ptrace read,' , [ False , False , False , False ]), - ('ptrace read peer=unconfined,' , [ True , False , True , True ]), - ('audit ptrace read peer=unconfined,' , [ False , False , False , False ]), - ('audit ptrace,' , [ False , False , False , False ]), - ('ptrace tracedby,' , [ False , False , False , False ]), - ('audit deny ptrace read,' , [ False , False , False , False ]), - ('deny ptrace read,' , [ False , False , False , False ]), - ] + ('ptrace,' , ( False , False , False , False )), + ('ptrace read,' , ( False , False , False , False )), + ('ptrace read peer=unconfined,' , ( True , True , True , True )), + ('ptrace peer=unconfined,' , ( False , False , False , False )), + ('ptrace read, # comment' , ( False , False , False , False )), + ('allow ptrace read,' , ( False , False , False , False )), + ('allow ptrace read peer=unconfined,' , ( True , False , True , True )), + ('allow ptrace read peer=/foo/bar,' , ( False , False , False , False )), + ('allow ptrace read peer=/**,' , ( False , False , False , False )), + ('allow 
ptrace read peer=**,' , ( False , False , False , False )), + ('ptrace read,' , ( False , False , False , False )), + ('ptrace read peer=unconfined,' , ( True , False , True , True )), + ('audit ptrace read peer=unconfined,' , ( False , False , False , False )), + ('audit ptrace,' , ( False , False , False , False )), + ('ptrace tracedby,' , ( False , False , False , False )), + ('audit deny ptrace read,' , ( False , False , False , False )), + ('deny ptrace read,' , ( False , False , False , False )), + ) class PtraceCoveredTest_06(PtraceCoveredTest): rule = 'ptrace read peer=/foo/bar,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('ptrace,' , [ False , False , False , False ]), - ('ptrace read,' , [ False , False , False , False ]), - ('ptrace read peer=/foo/bar,' , [ True , True , True , True ]), - ('ptrace read peer=/foo/*,' , [ False , False , False , False ]), - ('ptrace read peer=/**,' , [ False , False , False , False ]), - ('ptrace read peer=/what/*,' , [ False , False , False , False ]), - ('ptrace peer=/foo/bar,' , [ False , False , False , False ]), - ('ptrace read, # comment' , [ False , False , False , False ]), - ('allow ptrace read,' , [ False , False , False , False ]), - ('allow ptrace read peer=/foo/bar,' , [ True , False , True , True ]), - ('ptrace read,' , [ False , False , False , False ]), - ('ptrace read peer=/foo/bar,' , [ True , False , True , True ]), - ('ptrace read peer=/what/ever,' , [ False , False , False , False ]), - ('audit ptrace read peer=/foo/bar,' , [ False , False , False , False ]), - ('audit ptrace,' , [ False , False , False , False ]), - ('ptrace tracedby,' , [ False , False , False , False ]), - ('audit deny ptrace read,' , [ False , False , False , False ]), - ('deny ptrace read,' , [ False , False , False , False ]), - ] + ('ptrace,' , ( False , False , False , False )), + ('ptrace read,' , ( False , False , False , False )), + ('ptrace read peer=/foo/bar,' , ( True , True , True , True 
)), + ('ptrace read peer=/foo/*,' , ( False , False , False , False )), + ('ptrace read peer=/**,' , ( False , False , False , False )), + ('ptrace read peer=/what/*,' , ( False , False , False , False )), + ('ptrace peer=/foo/bar,' , ( False , False , False , False )), + ('ptrace read, # comment' , ( False , False , False , False )), + ('allow ptrace read,' , ( False , False , False , False )), + ('allow ptrace read peer=/foo/bar,' , ( True , False , True , True )), + ('ptrace read,' , ( False , False , False , False )), + ('ptrace read peer=/foo/bar,' , ( True , False , True , True )), + ('ptrace read peer=/what/ever,' , ( False , False , False , False )), + ('audit ptrace read peer=/foo/bar,' , ( False , False , False , False )), + ('audit ptrace,' , ( False , False , False , False )), + ('ptrace tracedby,' , ( False , False , False , False )), + ('audit deny ptrace read,' , ( False , False , False , False )), + ('deny ptrace read,' , ( False , False , False , False )), + ) class PtraceCoveredTest_07(PtraceCoveredTest): rule = 'ptrace read peer=**,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('ptrace,' , [ False , False , False , False ]), - ('ptrace read,' , [ False , False , False , False ]), - ('ptrace read peer=/foo/bar,' , [ False , False , True , True ]), - ('ptrace read peer=/foo/*,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare() - ('ptrace read peer=/**,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare() - ('ptrace read peer=/what/*,' , [ False , False , False , False ]), # TODO: wildcard vs. 
wildcard never matches in is_covered_aare() - ('ptrace peer=/foo/bar,' , [ False , False , False , False ]), - ('ptrace read, # comment' , [ False , False , False , False ]), - ('allow ptrace read,' , [ False , False , False , False ]), - ('allow ptrace read peer=/foo/bar,' , [ False , False , True , True ]), - ('ptrace read,' , [ False , False , False , False ]), - ('ptrace read peer=/foo/bar,' , [ False , False , True , True ]), - ('ptrace read peer=/what/ever,' , [ False , False , True , True ]), - ('audit ptrace read peer=/foo/bar,' , [ False , False , False , False ]), - ('audit ptrace,' , [ False , False , False , False ]), - ('ptrace tracedby,' , [ False , False , False , False ]), - ('audit deny ptrace read,' , [ False , False , False , False ]), - ('deny ptrace read,' , [ False , False , False , False ]), - ] + ('ptrace,' , ( False , False , False , False )), + ('ptrace read,' , ( False , False , False , False )), + ('ptrace read peer=/foo/bar,' , ( False , False , True , True )), + ('ptrace read peer=/foo/*,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare() + ('ptrace read peer=/**,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare() + ('ptrace read peer=/what/*,' , ( False , False , False , False )), # TODO: wildcard vs. 
wildcard never matches in is_covered_aare() + ('ptrace peer=/foo/bar,' , ( False , False , False , False )), + ('ptrace read, # comment' , ( False , False , False , False )), + ('allow ptrace read,' , ( False , False , False , False )), + ('allow ptrace read peer=/foo/bar,' , ( False , False , True , True )), + ('ptrace read,' , ( False , False , False , False )), + ('ptrace read peer=/foo/bar,' , ( False , False , True , True )), + ('ptrace read peer=/what/ever,' , ( False , False , True , True )), + ('audit ptrace read peer=/foo/bar,' , ( False , False , False , False )), + ('audit ptrace,' , ( False , False , False , False )), + ('ptrace tracedby,' , ( False , False , False , False )), + ('audit deny ptrace read,' , ( False , False , False , False )), + ('deny ptrace read,' , ( False , False , False , False )), + ) class PtraceCoveredTest_08(PtraceCoveredTest): rule = 'ptrace (trace, tracedby) peer=/foo/*,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('ptrace,' , [ False , False , False , False ]), - ('ptrace trace,' , [ False , False , False , False ]), - ('ptrace (tracedby, trace),' , [ False , False , False , False ]), - ('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]), - ('ptrace (tracedby trace) peer=/foo/bar,',[ False , False , True , True ]), - ('ptrace (tracedby, trace) peer=/foo/*,', [ True , False , True , True ]), - ('ptrace tracedby peer=/foo/bar,' , [ False , False , True , True ]), - ('ptrace trace peer=/foo/*,' , [ False , False , True , True ]), - ('ptrace trace peer=/**,' , [ False , False , False , False ]), - ('ptrace trace peer=/what/*,' , [ False , False , False , False ]), - ('ptrace peer=/foo/bar,' , [ False , False , False , False ]), - ('ptrace trace, # comment' , [ False , False , False , False ]), - ('allow ptrace trace,' , [ False , False , False , False ]), - ('allow ptrace trace peer=/foo/bar,' , [ False , False , True , True ]), - ('ptrace trace,' , [ False , False , False , False ]), 
- ('ptrace trace peer=/foo/bar,' , [ False , False , True , True ]), - ('ptrace trace peer=/what/ever,' , [ False , False , False , False ]), - ('audit ptrace trace peer=/foo/bar,' , [ False , False , False , False ]), - ('audit ptrace,' , [ False , False , False , False ]), - ('ptrace tracedby,' , [ False , False , False , False ]), - ('audit deny ptrace trace,' , [ False , False , False , False ]), - ('deny ptrace trace,' , [ False , False , False , False ]), - ] + ('ptrace,' , ( False , False , False , False )), + ('ptrace trace,' , ( False , False , False , False )), + ('ptrace (tracedby, trace),' , ( False , False , False , False )), + ('ptrace trace peer=/foo/bar,' , ( False , False , True , True )), + ('ptrace (tracedby trace) peer=/foo/bar,',( False , False , True , True )), + ('ptrace (tracedby, trace) peer=/foo/*,', ( True , False , True , True )), + ('ptrace tracedby peer=/foo/bar,' , ( False , False , True , True )), + ('ptrace trace peer=/foo/*,' , ( False , False , True , True )), + ('ptrace trace peer=/**,' , ( False , False , False , False )), + ('ptrace trace peer=/what/*,' , ( False , False , False , False )), + ('ptrace peer=/foo/bar,' , ( False , False , False , False )), + ('ptrace trace, # comment' , ( False , False , False , False )), + ('allow ptrace trace,' , ( False , False , False , False )), + ('allow ptrace trace peer=/foo/bar,' , ( False , False , True , True )), + ('ptrace trace,' , ( False , False , False , False )), + ('ptrace trace peer=/foo/bar,' , ( False , False , True , True )), + ('ptrace trace peer=/what/ever,' , ( False , False , False , False )), + ('audit ptrace trace peer=/foo/bar,' , ( False , False , False , False )), + ('audit ptrace,' , ( False , False , False , False )), + ('ptrace tracedby,' , ( False , False , False , False )), + ('audit deny ptrace trace,' , ( False , False , False , False )), + ('deny ptrace trace,' , ( False , False , False , False )), + ) 
@@ -462,7 +462,7 @@ class PtraceCoveredTest_Invalid(AATest): class PtraceLogprofHeaderTest(AATest): - tests = [ + tests = ( ('ptrace,', [ _('Access mode'), _('ALL'), _('Peer'), _('ALL'), ]), ('ptrace read,', [ _('Access mode'), 'read', _('Peer'), _('ALL'), ]), ('deny ptrace,', [_('Qualifier'), 'deny', _('Access mode'), _('ALL'), _('Peer'), _('ALL'), ]), @@ -470,7 +470,7 @@ class PtraceLogprofHeaderTest(AATest): ('audit ptrace read,', [_('Qualifier'), 'audit', _('Access mode'), 'read', _('Peer'), _('ALL'), ]), ('audit deny ptrace read,', [_('Qualifier'), 'audit deny', _('Access mode'), 'read', _('Peer'), _('ALL'), ]), ('ptrace (read, tracedby) peer=/foo,', [ _('Access mode'), 'read tracedby', _('Peer'), '/foo', ]), - ] + ) def _run_test(self, params, expected): obj = PtraceRule.parse(params) @@ -493,10 +493,10 @@ class PtraceRulesTest(AATest): def test_ruleset_1(self): ruleset = PtraceRuleset() - rules = [ + rules = ( 'ptrace peer=/foo,', 'ptrace read,', - ] + ) expected_raw = [ 'ptrace peer=/foo,', @@ -522,11 +522,11 @@ class PtraceRulesTest(AATest): def test_ruleset_2(self): ruleset = PtraceRuleset() - rules = [ + rules = ( 'ptrace read peer=/foo,', 'allow ptrace read,', 'deny ptrace peer=/bar, # example comment', - ] + ) expected_raw = [ ' ptrace read peer=/foo,', diff --git a/utils/test/test-regex_matches.py b/utils/test/test-regex_matches.py index dfe25960c..8584ac174 100644 --- a/utils/test/test-regex_matches.py +++ b/utils/test/test-regex_matches.py @@ -57,7 +57,7 @@ class AARegexHasComma(AATest): else: self.assertEqual(None, result, 'Found an unexpected comma in "%s"' % line) -regex_has_comma_testcases = [ +regex_has_comma_testcases = ( ('dbus send%s', 'simple'), ('dbus (r, w, bind, eavesdrop)%s', 'embedded parens 01'), ('dbus (r, w,, bind, eavesdrop) %s', 'embedded parens 02'), 
@@ -112,7 +112,7 @@ regex_has_comma_testcases = [ # ('@{BAR}={bar,baz,blort, %s', 'tricksy variable declaration') # The following fails the comma test, because it's really a no comma situation # ('@{BAR}="{bar,baz,blort%s" ', 'tricksy variable declaration') -] +) def setup_has_comma_testcases(): i = 0 @@ -145,7 +145,7 @@ class AARegexSplitComment(AATest): # Tuples of (string, expected result), where expected result is False if # the string should not be considered as having a comment, or a second # tuple of the not comment and comment sections split apart -regex_split_comment_testcases = [ +regex_split_comment_testcases = ( ('dbus send # this is a comment', ('dbus send ', '# this is a comment')), ('dbus send member=no_comment', False), ('dbus send member=no_comment, ', False), @@ -160,7 +160,7 @@ regex_split_comment_testcases = [ ('ptrace (trace read) peer=/usr/bin/foo,', False), ('pivot_root, # comment', ('pivot_root, ', '# comment')), ('pivot_root /old /new -> child,', False), -] +) def setup_split_comment_testcases(): i = 0 @@ -208,13 +208,13 @@ class AARegexCapability(AARegexTest): def AASetup(self): self.regex = RE_PROFILE_CAP - tests = [ + tests = ( (' capability net_raw,', (None, None, 'net_raw', 'net_raw', None)), ('capability net_raw , ', (None, None, 'net_raw', 'net_raw', None)), (' capability,', (None, None, None, None, None)), (' capability , ', (None, None, None, None, None)), (' capabilitynet_raw,', False) - ] + ) class AARegexDbus(AARegexTest): '''Tests for RE_PROFILE_DBUS''' @@ -222,7 +222,7 @@ class AARegexDbus(AARegexTest): def AASetup(self): self.regex = RE_PROFILE_DBUS - tests = [ + tests = ( (' dbus,', (None, None, 'dbus,', None, None)), (' audit dbus,', ('audit', None, 'dbus,', None, None)), (' dbus send member=no_comment,', (None, None, 'dbus send member=no_comment,', 'send member=no_comment', None)), 
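Review bot: The last row of the `AARegexCapability` table, `(' capabilitynet_raw,', False)`, has no trailing comma, which was harmless inside `[...]` but matters now that the container is written with parentheses. If the table is ever reduced to that single row, `tests` stops being a tuple of rows and becomes the row itself, so whatever iterates `tests` would see a string and a bool instead of one test case. Ending the row with a comma, `(' capabilitynet_raw,', False),`, matches the other tables in this commit and removes the pitfall. How `AARegexTest` consumes `tests` is not visible in this hunk.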
@@ -230,7 +230,7 @@ class AARegexDbus(AARegexTest): (' dbusdriver,', False), (' audit dbusdriver,', False), - ] + ) class AARegexMount(AARegexTest): '''Tests for RE_PROFILE_MOUNT''' @@ -238,7 +238,7 @@ class AARegexMount(AARegexTest): def AASetup(self): self.regex = aa.RE_PROFILE_MOUNT - tests = [ + tests = ( (' mount,', (None, None, 'mount,', 'mount', None, None)), (' audit mount,', ('audit', None, 'mount,', 'mount', None, None)), (' umount,', (None, None, 'umount,', 'umount', None, None)), @@ -252,7 +252,7 @@ class AARegexMount(AARegexTest): (' mountain,', False), (' audit mountain,', False), - ] + ) @@ -262,7 +262,7 @@ class AARegexSignal(AARegexTest): def AASetup(self): self.regex = RE_PROFILE_SIGNAL - tests = [ + tests = ( (' signal,', (None, None, 'signal,', None, None)), (' audit signal,', ('audit', None, 'signal,', None, None)), (' signal receive,', (None, None, 'signal receive,', 'receive', None)), @@ -275,7 +275,7 @@ class AARegexSignal(AARegexTest): (' signalling,', False), (' audit signalling,', False), (' signalling receive,', False), - ] + ) class AARegexPtrace(AARegexTest): @@ -284,7 +284,7 @@ class AARegexPtrace(AARegexTest): def AASetup(self): self.regex = RE_PROFILE_PTRACE - tests = [ + tests = ( # audit allow rule rule details comment (' ptrace,', (None, None, 'ptrace,', None, None)), (' audit ptrace,', ('audit', None, 'ptrace,', None, None)), @@ -296,7 +296,7 @@ class AARegexPtrace(AARegexTest): (' ptraceback,', False), (' audit ptraceback,', False), (' ptraceback trace,', False), - ] + ) class AARegexPivotRoot(AARegexTest): @@ -305,7 +305,7 @@ class AARegexPivotRoot(AARegexTest): def AASetup(self): self.regex = aa.RE_PROFILE_PIVOT_ROOT - tests = [ + tests = ( (' pivot_root,', (None, None, 'pivot_root,', None)), (' audit pivot_root,', ('audit', None, 'pivot_root,', None)), (' pivot_root oldroot=/new/old,', 
@@ -324,7 +324,7 @@ class AARegexPivotRoot(AARegexTest): ('pivot_rootbeer, # comment', False), ('pivot_rootbeer /new, ', False), ('pivot_rootbeer /new, # comment', False), - ] + ) class AARegexUnix(AARegexTest): '''Tests for RE_PROFILE_UNIX''' @@ -332,7 +332,7 @@ class AARegexUnix(AARegexTest): def AASetup(self): self.regex = aa.RE_PROFILE_UNIX - tests = [ + tests = ( (' unix,', (None, None, 'unix,', None)), (' audit unix,', ('audit', None, 'unix,', None)), (' unix accept,', (None, None, 'unix accept,', None)), @@ -349,7 +349,7 @@ class AARegexUnix(AARegexTest): (None, None, 'unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*"),', None)), ('unixlike', False), ('deny unixlike,', False), - ] + ) class AANamedRegexProfileStart_2(AANamedRegexTest): '''Tests for RE_PROFILE_START''' @@ -357,7 +357,7 @@ class AANamedRegexProfileStart_2(AANamedRegexTest): def AASetup(self): self.regex = RE_PROFILE_START - tests = [ + tests = ( ('/bin/foo ', False), # no '{' ('/bin/foo /bin/bar', False), # missing 'profile' keyword ('profile {', False), # no attachment @@ -387,11 +387,11 @@ class AANamedRegexProfileStart_2(AANamedRegexTest): ('/foo {', { 'plainprofile': '/foo', 'namedprofile': None, 'leadingspace': '' }), (' profile foo {', { 'plainprofile': None, 'namedprofile': 'foo', 'leadingspace': ' ' }), ('profile foo {', { 'plainprofile': None, 'namedprofile': 'foo', 'leadingspace': '' }), - ] + ) class Test_parse_profile_start_line(AATest): - tests = [ + tests = ( (' /foo {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }), (' "/foo" {', { 'profile': '/foo', 'profile_keyword': False, 'plainprofile': '/foo', 'namedprofile': None, 'attachment': None, 'flags': None, 'comment': None }), (' profile /foo {', { 'profile': '/foo', 'profile_keyword': True, 'plainprofile': None, 'namedprofile': '/foo', 'attachment': None, 'flags': None, 'comment': None }), 
@@ -414,7 +414,7 @@ class Test_parse_profile_start_line(AATest): (' profile @{foo} /bar {', { 'profile': '@{foo}', 'plainprofile': None, 'namedprofile': '@{foo}', 'attachment': '/bar', 'flags': None, 'comment': None }), (' profile foo @{bar} {', { 'profile': 'foo', 'plainprofile': None, 'namedprofile': 'foo', 'attachment': '@{bar}', 'flags': None, 'comment': None }), (' profile @{foo} @{bar} {', { 'profile': '@{foo}', 'plainprofile': None, 'namedprofile': '@{foo}', 'attachment': '@{bar}', 'flags': None, 'comment': None }), - ] + ) def _run_test(self, line, expected): matches = parse_profile_start_line(line, 'somefile') @@ -425,19 +425,19 @@ class Test_parse_profile_start_line(AATest): self.assertEqual(matches[exp], expected[exp], 'Group %s mismatch in rule %s' % (exp,line)) class TestInvalid_parse_profile_start_line(AATest): - tests = [ + tests = ( ('/bin/foo ', False), # no '{' ('/bin/foo /bin/bar', False), # missing 'profile' keyword ('profile {', False), # no attachment (' profile foo bar /foo {', False), # missing quotes around "foo bar" - ] + ) def _run_test(self, line, expected): with self.assertRaises(AppArmorBug): parse_profile_start_line(line, 'somefile') class Test_re_match_include(AATest): - tests = [ + tests = ( # #include ('#include ', 'abstractions/base' ), # magic path ('#include # comment', 'abstractions/base' ), @@ -463,13 +463,13 @@ class Test_re_match_include(AATest): ('/include r,', None, ), (' #include if exists ', None, ), # include if exists (' #include if exists "/foo/bar"', None, ), - ] + ) def _run_test(self, params, expected): self.assertEqual(re_match_include(params), expected) class TestInvalid_re_match_include(AATest): - tests = [ + tests = ( ('#include <>', AppArmorException ), # '#include' ('#include < >', AppArmorException ), ('#include ""', AppArmorException ), 
@@ -517,14 +517,14 @@ class TestInvalid_re_match_include(AATest): ('include /foo bar', AppArmorException ), ('include "/foo bar"', AppArmorException ), ('include "foo bar/baz"', AppArmorException ), - ] + ) def _run_test(self, params, expected): with self.assertRaises(expected): re_match_include(params) class Test_re_match_include_parse(AATest): - tests = [ + tests = ( # path if exists magic path # #include ('#include ', ('abstractions/base', False, True ) ), # magic path @@ -568,13 +568,13 @@ class Test_re_match_include_parse(AATest): ('/usr/include r,', (None, None, None ) ), ('/include r,', (None, None, None ) ), ('abi ,', (None, None, None ) ), # abi rule - ] + ) def _run_test(self, params, expected): self.assertEqual(re_match_include_parse(params, 'include'), expected) class Test_re_match_include_parse_abi(AATest): - tests = [ + tests = ( # path if exists magic path ('abi ,', ('abi/4.19', False, True ) ), # magic path ('abi , # comment', ('abi/4.19', False, True ) ), @@ -589,13 +589,13 @@ class Test_re_match_include_parse_abi(AATest): ('/usr/abi r,', (None, None, None ) ), ('/abi r,', (None, None, None ) ), ('#include ', (None, None, None ) ), # include rule path - ] + ) def _run_test(self, params, expected): self.assertEqual(re_match_include_parse(params, 'abi'), expected) class Test_re_match_include_parse_errors(AATest): - tests = [ + tests = ( (('include <>', 'include'), AppArmorException), # various rules with empty filename (('include ""', 'include'), AppArmorException), (('include ', 'include'), AppArmorException), @@ -603,7 +603,7 @@ class Test_re_match_include_parse_errors(AATest): (('abi "",', 'abi'), AppArmorException), (('abi ,', 'abi'), AppArmorException), (('abi ,', 'invalid'), AppArmorBug), # invalid rule name - ] + ) def _run_test(self, params, expected): with self.assertRaises(expected): 
@@ -611,7 +611,7 @@ class Test_re_match_include_parse_errors(AATest): re_match_include_parse(rule, rule_name) class TestStripParenthesis(AATest): - tests = [ + tests = ( ('foo', 'foo' ), ('(foo)', 'foo' ), ('( foo )', 'foo' ), @@ -623,13 +623,13 @@ class TestStripParenthesis(AATest): ('(())', '()' ), (' (foo)', '(foo)' ), # parenthesis not first char, whitespace stripped nevertheless ('(foo) ', '(foo)' ), # parenthesis not last char, whitespace stripped nevertheless - ] + ) def _run_test(self, params, expected): self.assertEqual(strip_parenthesis(params), expected) class TestStripQuotes(AATest): - tests = [ + tests = ( ('foo', 'foo'), ('"foo"', 'foo'), ('"foo', '"foo'), @@ -641,7 +641,7 @@ class TestStripQuotes(AATest): ('', ''), ('/', '/'), ('"', '"'), - ] + ) def _run_test(self, params, expected): self.assertEqual(strip_quotes(params), expected) diff --git a/utils/test/test-rlimit.py b/utils/test/test-rlimit.py index ef981e399..6e46daf72 100644 --- a/utils/test/test-rlimit.py +++ b/utils/test/test-rlimit.py @@ -24,8 +24,8 @@ from apparmor.common import AppArmorException, AppArmorBug from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', - 'rlimit', 'value', 'all_values']) +exp = namedtuple('exp', ('audit', 'allow_keyword', 'deny', 'comment', + 'rlimit', 'value', 'all_values')) # --- tests for single RlimitRule --- # @@ -40,7 +40,7 @@ class RlimitTest(AATest): self.assertEqual(expected.comment, obj.comment) class RlimitTestParse(RlimitTest): - tests = [ + tests = ( # rawrule audit allow deny comment rlimit value all/infinity? ('set rlimit as <= 2047MB,' , exp(False, False, False, '' , 'as' , '2047MB' , False)), ('set rlimit as <= 2047 MB,' , exp(False, False, False, '' , 'as' , '2047 MB' , False)), 
@@ -64,7 +64,7 @@ class RlimitTestParse(RlimitTest): ('set rlimit rss <= infinity, # cmt' , exp(False, False, False, ' # cmt' , 'rss' , None , True )), ('set rlimit memlock <= 10240,' , exp(False, False, False, '' , 'memlock' , '10240' , False)), ('set rlimit sigpending <= 42,' , exp(False, False, False, '' , 'sigpending' , '42' , False)), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(RlimitRule.match(rawrule)) @@ -73,7 +73,7 @@ class RlimitTestParse(RlimitTest): self._compare_obj(obj, expected) class RlimitTestParseInvalid(RlimitTest): - tests = [ + tests = ( ('set rlimit,' , AppArmorException), # missing parts ('set rlimit <= 5,' , AppArmorException), ('set rlimit cpu <= ,' , AppArmorException), @@ -86,7 +86,7 @@ class RlimitTestParseInvalid(RlimitTest): ('set rlimit cpu <= 20MB,' , AppArmorException), ('set rlimit data <= 20seconds,' , AppArmorException), ('set rlimit locks <= 20seconds,' , AppArmorException), - ] + ) def _run_test(self, rawrule, expected): #self.assertFalse(RlimitRule.match(rawrule)) # the main regex isn't very strict @@ -117,7 +117,7 @@ class RlimitTestParseFromLog(RlimitTest): class RlimitFromInit(RlimitTest): - tests = [ + tests = ( # RlimitRule object audit allow deny comment rlimit value all/infinity? (RlimitRule('as', '2047MB') , exp(False, False, False, '' , 'as' , '2047MB' , False)), (RlimitRule('as', '2047 MB') , exp(False, False, False, '' , 'as' , '2047 MB' , False)), 
@@ -125,30 +125,30 @@ class RlimitFromInit(RlimitTest): (RlimitRule('rttime', '60minutes') , exp(False, False, False, '' , 'rttime' , '60minutes', False)), (RlimitRule('nice', '-10') , exp(False, False, False, '' , 'nice' , '-10' , False)), (RlimitRule('rss', RlimitRule.ALL) , exp(False, False, False, '' , 'rss' , None , True )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidRlimitInit(AATest): - tests = [ + tests = ( # init params expected exception - (['as' , '' ] , AppArmorBug), # empty value - (['' , '1024' ] , AppArmorException), # empty rlimit - ([' ', '1024' ] , AppArmorException), # whitespace rlimit - (['as' , ' ' ] , AppArmorBug), # whitespace value - (['xyxy', '1024' ] , AppArmorException), # invalid rlimit - ([dict(), '1024' ] , AppArmorBug), # wrong type for rlimit - ([None , '1024' ] , AppArmorBug), # wrong type for rlimit - (['as' , dict() ] , AppArmorBug), # wrong type for value - (['as' , None ] , AppArmorBug), # wrong type for value - (['cpu' , '100xy2' ] , AppArmorException), # invalid unit - ] + (('as' , '' ) , AppArmorBug), # empty value + (('' , '1024' ) , AppArmorException), # empty rlimit + ((' ', '1024' ) , AppArmorException), # whitespace rlimit + (('as' , ' ' ) , AppArmorBug), # whitespace value + (('xyxy', '1024' ) , AppArmorException), # invalid rlimit + ((dict(), '1024' ) , AppArmorBug), # wrong type for rlimit + ((None , '1024' ) , AppArmorBug), # wrong type for rlimit + (('as' , dict() ) , AppArmorBug), # wrong type for value + (('as' , None ) , AppArmorBug), # wrong type for value + (('cpu' , '100xy2' ) , AppArmorException), # invalid unit + ) def _run_test(self, params, expected): with self.assertRaises(expected): - RlimitRule(params[0], params[1]) + RlimitRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): 
@@ -202,7 +202,7 @@ class InvalidRlimitTest(AATest): class WriteRlimitTest(AATest): - tests = [ + tests = ( # raw rule clean rule (' set rlimit cpu <= 1024 , # foo ' , 'set rlimit cpu <= 1024, # foo'), (' set rlimit stack <= 1024GB ,' , 'set rlimit stack <= 1024GB,'), @@ -211,7 +211,7 @@ class WriteRlimitTest(AATest): (' set rlimit msgqueue <= 4444 , ' , 'set rlimit msgqueue <= 4444,'), (' set rlimit nice <= 5 , # foo bar' , 'set rlimit nice <= 5, # foo bar'), (' set rlimit nice <= -5 , # cmt' , 'set rlimit nice <= -5, # cmt'), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(RlimitRule.match(rawrule)) 
@@ -247,73 +247,73 @@ class RlimitCoveredTest(AATest): class RlimitCoveredTest_01(RlimitCoveredTest): rule = 'set rlimit cpu <= 150,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('set rlimit as <= 100MB,' , [ False , False , False , False ]), - ('set rlimit rttime <= 150,' , [ False , False , False , False ]), - ('set rlimit cpu <= 100,' , [ False , False , True , True ]), - ('set rlimit cpu <= 150,' , [ True , True , True , True ]), - ('set rlimit cpu <= 300,' , [ False , False , False , False ]), - ('set rlimit cpu <= 10seconds,' , [ False , False , True , True ]), - ('set rlimit cpu <= 150seconds,', [ True , False , True , True ]), - ('set rlimit cpu <= 300seconds,', [ False , False , False , False ]), - ('set rlimit cpu <= 1minutes,' , [ False , False , True , True ]), - ('set rlimit cpu <= 1min,' , [ False , False , True , True ]), - ('set rlimit cpu <= 3minutes,' , [ False , False , False , False ]), - ('set rlimit cpu <= 1hour,' , [ False , False , False , False ]), - ('set rlimit cpu <= 2 days,' , [ False , False , False , False ]), - ('set rlimit cpu <= 1 week,' , [ False , False , False , False ]), - ] + ('set rlimit as <= 100MB,' , ( False , False , False , False )), + ('set rlimit rttime <= 150,' , ( False , False , False , False )), + ('set rlimit cpu <= 100,' , ( False , False , True , True )), + ('set rlimit cpu <= 150,' , ( True , True , True , True )), + ('set rlimit cpu <= 300,' , ( False , False , False , False )), + ('set rlimit cpu <= 10seconds,' , ( False , False , True , True )), + ('set rlimit cpu <= 150seconds,', ( True , False , True , True )), + ('set rlimit cpu <= 300seconds,', ( False , False , False , False )), + ('set rlimit cpu <= 1minutes,' , ( False , False , True , True )), + ('set rlimit cpu <= 1min,' , ( False , False , True , True )), + ('set rlimit cpu <= 3minutes,' , ( False , False , False , False )), + ('set rlimit cpu <= 1hour,' , ( False , False , False , False )), + ('set rlimit cpu <= 2 
days,' , ( False , False , False , False )), + ('set rlimit cpu <= 1 week,' , ( False , False , False , False )), + ) class RlimitCoveredTest_02(RlimitCoveredTest): rule = 'set rlimit data <= 4MB,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('set rlimit data <= 100,' , [ False , False , True , True ]), - ('set rlimit data <= 2KB,' , [ False , False , True , True ]), - ('set rlimit data <= 2MB,' , [ False , False , True , True ]), - ('set rlimit data <= 4194304,' , [ True , False , True , True ]), - ('set rlimit data <= 4096KB,' , [ True , False , True , True ]), - ('set rlimit data <= 4MB,' , [ True , True , True , True ]), - ('set rlimit data <= 4 MB,' , [ True , False , True , True ]), - ('set rlimit data <= 6MB,' , [ False , False , False , False ]), - ('set rlimit data <= 6 MB,' , [ False , False , False , False ]), - ('set rlimit data <= 1GB,' , [ False , False , False , False ]), - ] + ('set rlimit data <= 100,' , ( False , False , True , True )), + ('set rlimit data <= 2KB,' , ( False , False , True , True )), + ('set rlimit data <= 2MB,' , ( False , False , True , True )), + ('set rlimit data <= 4194304,' , ( True , False , True , True )), + ('set rlimit data <= 4096KB,' , ( True , False , True , True )), + ('set rlimit data <= 4MB,' , ( True , True , True , True )), + ('set rlimit data <= 4 MB,' , ( True , False , True , True )), + ('set rlimit data <= 6MB,' , ( False , False , False , False )), + ('set rlimit data <= 6 MB,' , ( False , False , False , False )), + ('set rlimit data <= 1GB,' , ( False , False , False , False )), + ) class RlimitCoveredTest_03(RlimitCoveredTest): rule = 'set rlimit nice <= -1,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('set rlimit nice <= 5,' , [ False , False , True , True ]), - ('set rlimit nice <= 0,' , [ False , False , True , True ]), - ('set rlimit nice <= -1,' , [ True , True , True , True ]), - ('set rlimit nice <= -3,' , [ False , False , False , False 
]), - ] + ('set rlimit nice <= 5,' , ( False , False , True , True )), + ('set rlimit nice <= 0,' , ( False , False , True , True )), + ('set rlimit nice <= -1,' , ( True , True , True , True )), + ('set rlimit nice <= -3,' , ( False , False , False , False )), + ) class RlimitCoveredTest_04(RlimitCoveredTest): rule = 'set rlimit locks <= 42,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('set rlimit locks <= 20,' , [ False , False , True , True ]), - ('set rlimit locks <= 40,' , [ False , False , True , True ]), - ('set rlimit locks <= 42,' , [ True , True , True , True ]), - ('set rlimit locks <= 60,' , [ False , False , False , False ]), - ('set rlimit locks <= infinity,', [ False , False , False , False ]), - ] + ('set rlimit locks <= 20,' , ( False , False , True , True )), + ('set rlimit locks <= 40,' , ( False , False , True , True )), + ('set rlimit locks <= 42,' , ( True , True , True , True )), + ('set rlimit locks <= 60,' , ( False , False , False , False )), + ('set rlimit locks <= infinity,', ( False , False , False , False )), + ) class RlimitCoveredTest_05(RlimitCoveredTest): rule = 'set rlimit locks <= infinity,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('set rlimit locks <= 20,' , [ False , False , True , True ]), - ('set rlimit cpu <= 40,' , [ False , False , False , False ]), - ('set rlimit locks <= infinity,', [ True , True , True , True ]), - ] + ('set rlimit locks <= 20,' , ( False , False , True , True )), + ('set rlimit cpu <= 40,' , ( False , False , False , False )), + ('set rlimit locks <= infinity,', ( True , True , True , True )), + ) class RlimitCoveredTest_Invalid(AATest): def test_borked_obj_is_covered_1(self): 
@@ -351,12 +351,12 @@ class RlimitCoveredTest_Invalid(AATest): obj.is_equal(testobj) class RlimitLogprofHeaderTest(AATest): - tests = [ + tests = ( ('set rlimit cpu <= infinity,', [_('Rlimit'), 'cpu', _('Value'), 'infinity', ]), ('set rlimit as <= 200MB,', [_('Rlimit'), 'as', _('Value'), '200MB', ]), ('set rlimit rttime <= 200ms,', [_('Rlimit'), 'rttime', _('Value'), '200ms', ]), ('set rlimit nproc <= 1,', [_('Rlimit'), 'nproc', _('Value'), '1', ]), - ] + ) def _run_test(self, params, expected): obj = RlimitRule.parse(params) @@ -424,11 +424,11 @@ class RlimitDeleteTestAATest(AATest): # --- other tests --- # class RlimitSplit_unitTest(AATest): - tests = [ + tests = ( ('40MB' , ( 40, 'MB',)), ('40 MB' , ( 40, 'MB',)), ('40' , ( 40, '', )), - ] + ) def _run_test(self, params, expected): self.assertEqual(split_unit(params), expected) @@ -441,12 +441,12 @@ class RlimitSize_to_intTest(AATest): def AASetup(self): self.obj = RlimitRule('cpu', '1') - tests = [ + tests = ( ('40GB' , 40 * 1024 * 1024 * 1024), ('40MB' , 41943040), ('40KB' , 40960), ('40' , 40), - ] + ) def _run_test(self, params, expected): self.assertEqual(self.obj.size_to_int(params), expected) @@ -459,7 +459,7 @@ class RlimitTime_to_intTest(AATest): def AASetup(self): self.obj = RlimitRule('cpu', '1') - tests = [ + tests = ( ('40' , 0.00004), ('30us' , 0.00003), ('40ms' , 0.04), @@ -468,7 +468,7 @@ class RlimitTime_to_intTest(AATest): ('2hours' , 2*60*60), ('1 day' , 1*60*60*24), ('2 weeks' , 2*60*60*24*7), - ] + ) def _run_test(self, params, expected): self.assertEqual(self.obj.time_to_int(params, 'us'), expected) diff --git a/utils/test/test-severity.py b/utils/test/test-severity.py index e3114ab5f..812b5ee2f 100755 --- a/utils/test/test-severity.py +++ b/utils/test/test-severity.py 
@@ -36,22 +36,22 @@ class SeverityBaseTest(AATest): 'expected rank %s, got %s' % (expected_rank, rank)) class SeverityTest(SeverityBaseTest): - tests = [ - (['/usr/bin/whatis', 'x' ], 5), - (['/etc', 'x' ], 'unknown'), - (['/dev/doublehit', 'x' ], 0), - (['/dev/doublehit', 'rx' ], 4), - (['/dev/doublehit', 'rwx' ], 8), - (['/dev/tty10', 'rwx' ], 9), - (['/var/adm/foo/**', 'rx' ], 3), - (['/etc/apparmor/**', 'r' ], 6), - (['/etc/**', 'r' ], 'unknown'), - (['/usr/foo@bar', 'r' ], 'unknown'), ## filename containing @ - (['/home/foo@bar', 'rw' ], 6), ## filename containing @ - (['/etc/apache2/ssl.key/bar', 'r' ], 7), # /etc/apache2/** (3) vs. /etc/apache2/**ssl** (7) - (['/etc/apache2/foo/ssl/bar', 'r' ], 7), # additional path level triggers otherwise untested branch - (['/proc/sys/kernel/hotplug', 'rwx' ], 10), # non-glob filename, severity depends on mode - ] + tests = ( + (('/usr/bin/whatis', 'x' ), 5), + (('/etc', 'x' ), 'unknown'), + (('/dev/doublehit', 'x' ), 0), + (('/dev/doublehit', 'rx' ), 4), + (('/dev/doublehit', 'rwx'), 8), + (('/dev/tty10', 'rwx'), 9), + (('/var/adm/foo/**', 'rx' ), 3), + (('/etc/apparmor/**', 'r' ), 6), + (('/etc/**', 'r' ), 'unknown'), + (('/usr/foo@bar', 'r' ), 'unknown'), ## filename containing @ + (('/home/foo@bar', 'rw' ), 6), ## filename containing @ + (('/etc/apache2/ssl.key/bar', 'r' ), 7), # /etc/apache2/** (3) vs. /etc/apache2/**ssl** (7) + (('/etc/apache2/foo/ssl/bar', 'r' ), 7), # additional path level triggers otherwise untested branch + (('/proc/sys/kernel/hotplug', 'rwx'), 10), # non-glob filename, severity depends on mode + ) def _run_test(self, params, expected): self._simple_severity_w_perm(params[0], params[1], expected) ## filename containing @ 
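Review bot: `SeverityTest._run_test` at the end of this hunk still indexes the row with `self._simple_severity_w_perm(params[0], params[1], expected)`, while the same commit moves `InvalidRlimitInit` and `InvalidSignalInit` to star-unpacking. Now that each row's first element is a fixed-size tuple, `self._simple_severity_w_perm(*params, expected)` would keep the three test files consistent. It would also make a row with an extra element fail at the call instead of having the extra value silently ignored. `SeverityVarsTest._run_test` in the next hunk may follow the same pattern, but its body continues outside that hunk.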
@@ -61,14 +61,14 @@ class SeverityTest(SeverityBaseTest): self._simple_severity_w_perm('unexpected_unput', 'rw', 6) class SeverityTestCap(SeverityBaseTest): - tests = [ + tests = ( ('KILL', 8), ('SETPCAP', 9), ('setpcap', 9), ('UNKNOWN', 'unknown'), ('K*', 'unknown'), ('__ALL__', 10), - ] + ) def _run_test(self, params, expected): self._capability_severity_test(params, expected) @@ -78,14 +78,14 @@ class SeverityTestCap(SeverityBaseTest): class SeverityVarsTest(SeverityBaseTest): - tests = [ - (['@{PROC}/sys/vm/overcommit_memory', 'r'], 6), - (['@{HOME}/sys/@{PROC}/overcommit_memory', 'r'], 4), - (['/overco@{multiarch}mmit_memory', 'r'], 'unknown'), - (['@{PROC}/sys/@{TFTP_DIR}/overcommit_memory', 'r'], 6), - (['@{somepaths}/somefile', 'r'], 7), - (['@{strangevar}/somefile', 'r'], 6), - ] + tests = ( + (('@{PROC}/sys/vm/overcommit_memory', 'r'), 6), + (('@{HOME}/sys/@{PROC}/overcommit_memory', 'r'), 4), + (('/overco@{multiarch}mmit_memory', 'r'), 'unknown'), + (('@{PROC}/sys/@{TFTP_DIR}/overcommit_memory', 'r'), 6), + (('@{somepaths}/somefile', 'r'), 7), + (('@{strangevar}/somefile', 'r'), 6), + ) def _run_test(self, params, expected): vars = { @@ -107,7 +107,7 @@ class SeverityDBTest(AATest): self.sev_db = severity.Severity(self.db_file) return self.sev_db - tests = [ + tests = ( ("CAP_LEASE 18\n" , AppArmorException), # out of range ("CAP_LEASE -1\n" , AppArmorException), # out of range ("/etc/passwd* 0 4\n" , AppArmorException), # insufficient vals @@ -119,7 +119,7 @@ class SeverityDBTest(AATest): ("/etc/passwd 2 4 -12\n" , AppArmorException), # out of range ("/etc/passwd 2 4 4294967297\n" , AppArmorException), # out of range ("garbage line\n" , AppArmorException), - ] + ) def _run_test(self, params, expected): with self.assertRaises(expected): diff --git a/utils/test/test-signal.py b/utils/test/test-signal.py index 27b3216b9..95a858c7c 100644 --- a/utils/test/test-signal.py +++ b/utils/test/test-signal.py 
@@ -46,7 +46,7 @@ class SignalTest(AATest): self.assertEqual(expected.comment, obj.comment) class SignalTestParse(SignalTest): - tests = [ + tests = ( # SignalRule object audit allow deny comment access all? signal all? peer all? ('signal,' , exp(False, False, False, '', None , True , None, True, None, True )), ('signal send,' , exp(False, False, False, '', {'send'}, False, None, True, None, True )), @@ -61,7 +61,7 @@ class SignalTestParse(SignalTest): ('signal send set = ( quit , int ) ,' , exp(False, False, False, '', {'send'}, False, {'quit', 'int'}, False, None, True )), ('signal peer=/foo,' , exp(False, False, False, '', None , True , None, True, '/foo', False )), ('signal r set=quit set=int peer=/foo,' , exp(False, False, False, '', {'r'}, False, {'quit', 'int'}, False, '/foo', False )), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(SignalRule.match(rawrule)) @@ -70,7 +70,7 @@ class SignalTestParse(SignalTest): self._compare_obj(obj, expected) class SignalTestParseInvalid(SignalTest): - tests = [ + tests = ( ('signal foo,' , AppArmorException), ('signal foo bar,' , AppArmorException), ('signal foo int,' , AppArmorException), @@ -80,7 +80,7 @@ class SignalTestParseInvalid(SignalTest): ('signal set=int set=,' , AppArmorException), ('signal set=invalid,' , AppArmorException), ('signal peer=,' , AppArmorException), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(SignalRule.match(rawrule)) # the above invalid rules still match the main regex! 
@@ -129,7 +129,7 @@ class SignalTestParseFromLog(SignalTest): self.assertEqual(obj.get_raw(1), ' signal send set=term peer=/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper,') class SignalFromInit(SignalTest): - tests = [ + tests = ( # SignalRule object audit allow deny comment access all? signal all? peer all? (SignalRule('r', 'hup', 'unconfined', deny=True) , exp(False, False, True , '' , {'r'}, False, {'hup'}, False, 'unconfined', False)), (SignalRule(('r', 'send'), ('hup', 'int'), '/bin/foo') , exp(False, False, False, '' , {'r', 'send'},False, {'hup', 'int'}, False, '/bin/foo', False)), 
@@ -137,34 +137,34 @@ class SignalFromInit(SignalTest): (SignalRule('rw', SignalRule.ALL, '/bin/foo') , exp(False, False, False, '' , {'rw'}, False, None, True, '/bin/foo', False )), (SignalRule('rw', ('int'), SignalRule.ALL) , exp(False, False, False, '' , {'rw'}, False, {'int'}, False, None, True )), (SignalRule(SignalRule.ALL, SignalRule.ALL, SignalRule.ALL) , exp(False, False, False, '' , None , True, None, True, None, True )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidSignalInit(AATest): - tests = [ + tests = ( # init params expected exception - (['send', '' , '/foo' ] , AppArmorBug), # empty signal - (['' , 'int' , '/foo' ] , AppArmorBug), # empty access - (['send', 'int' , '' ] , AppArmorBug), # empty peer - ([' ', 'int' , '/foo' ] , AppArmorBug), # whitespace access - (['send', ' ' , '/foo' ] , AppArmorBug), # whitespace signal - (['send', 'int' , ' ' ] , AppArmorBug), # whitespace peer - (['xyxy', 'int' , '/foo' ] , AppArmorException), # invalid access - (['send', 'xyxy', '/foo' ] , AppArmorException), # invalid signal + (('send', '' , '/foo' ) , AppArmorBug), # empty signal + (('' , 'int' , '/foo' ) , AppArmorBug), # empty access + (('send', 'int' , '' ) , AppArmorBug), # empty peer + ((' ', 'int' , '/foo' ) , AppArmorBug), # whitespace access + (('send', ' ' , '/foo' ) , AppArmorBug), # whitespace signal + (('send', 'int' , ' ' ) , AppArmorBug), # whitespace peer + (('xyxy', 'int' , '/foo' ) , AppArmorException), # invalid access + (('send', 'xyxy', '/foo' ) , AppArmorException), # invalid signal # XXX is 'invalid peer' possible at all? 
- ([dict(), 'int' , '/foo' ] , AppArmorBug), # wrong type for access - ([None , 'int' , '/foo' ] , AppArmorBug), # wrong type for access - (['send', dict(), '/foo' ] , AppArmorBug), # wrong type for signal - (['send', None , '/foo' ] , AppArmorBug), # wrong type for signal - (['send', 'int' , dict() ] , AppArmorBug), # wrong type for peer - (['send', 'int' , None ] , AppArmorBug), # wrong type for peer - ] + ((dict(), 'int' , '/foo' ) , AppArmorBug), # wrong type for access + ((None , 'int' , '/foo' ) , AppArmorBug), # wrong type for access + (('send', dict(), '/foo' ) , AppArmorBug), # wrong type for signal + (('send', None , '/foo' ) , AppArmorBug), # wrong type for signal + (('send', 'int' , dict() ) , AppArmorBug), # wrong type for peer + (('send', 'int' , None ) , AppArmorBug), # wrong type for peer + ) def _run_test(self, params, expected): with self.assertRaises(expected): - SignalRule(params[0], params[1], params[2]) + SignalRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): @@ -225,7 +225,7 @@ class WriteSignalTestAATest(AATest): self.assertEqual(expected.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule') - tests = [ + tests = ( # raw rule clean rule (' signal , # foo ' , 'signal, # foo'), (' audit signal send,' , 'audit signal send,'), @@ -250,7 +250,7 @@ class WriteSignalTestAATest(AATest): ('signal receive peer=foo,' , 'signal receive peer=foo,'), ('signal (send receive) peer=/usr/bin/bar,' , 'signal (receive send) peer=/usr/bin/bar,'), ('signal wr set=(pipe, usr1) peer=/sbin/baz,' , 'signal wr set=(pipe usr1) peer=/sbin/baz,'), - ] + ) def test_write_manually(self): obj = SignalRule('send', 'quit', '/foo', allow_keyword=True) 
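Review bot: In the `SignalFromInit` table at the top of the `-137,34` hunk, the context row `SignalRule('rw', ('int'), SignalRule.ALL)` passes `('int')`, which is a parenthesised string and not a one-element tuple. The expected signal set `{'int'}` is the same either way, so the test passes, but in a commit that standardises the test data on tuples the row reads as if it covered tuple input. Writing `('int',)` would exercise the tuple case, and plain `'int'` would state the string case honestly. Whether `SignalRule` treats a string and a 1-tuple differently is not visible in this hunk.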
@@ -277,197 +277,197 @@ class SignalCoveredTest(AATest): class SignalCoveredTest_01(SignalCoveredTest): rule = 'signal send,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('signal,' , [ False , False , False , False ]), - ('signal send,' , [ True , True , True , True ]), - ('signal send peer=unconfined,' , [ False , False , True , True ]), - ('signal send, # comment' , [ True , False , True , True ]), - ('allow signal send,' , [ True , False , True , True ]), - ('signal send,' , [ True , False , True , True ]), - ('signal send set=quit,' , [ False , False , True , True ]), - ('signal send set=int,' , [ False , False , True , True ]), - ('audit signal send,' , [ False , False , False , False ]), - ('audit signal,' , [ False , False , False , False ]), - ('signal receive,' , [ False , False , False , False ]), - ('signal set=int,' , [ False , False , False , False ]), - ('audit deny signal send,' , [ False , False , False , False ]), - ('deny signal send,' , [ False , False , False , False ]), - ] + ('signal,' , ( False , False , False , False )), + ('signal send,' , ( True , True , True , True )), + ('signal send peer=unconfined,' , ( False , False , True , True )), + ('signal send, # comment' , ( True , False , True , True )), + ('allow signal send,' , ( True , False , True , True )), + ('signal send,' , ( True , False , True , True )), + ('signal send set=quit,' , ( False , False , True , True )), + ('signal send set=int,' , ( False , False , True , True )), + ('audit signal send,' , ( False , False , False , False )), + ('audit signal,' , ( False , False , False , False )), + ('signal receive,' , ( False , False , False , False )), + ('signal set=int,' , ( False , False , False , False )), + ('audit deny signal send,' , ( False , False , False , False )), + ('deny signal send,' , ( False , False , False , False )), + ) class SignalCoveredTest_02(SignalCoveredTest): rule = 'audit signal send,' - tests = [ + tests = ( # rule equal 
strict equal covered covered exact - ( 'signal send,' , [ False , False , True , False ]), - ('audit signal send,' , [ True , True , True , True ]), - ( 'signal send set=quit,' , [ False , False , True , False ]), - ('audit signal send set=quit,' , [ False , False , True , True ]), - ( 'signal,' , [ False , False , False , False ]), - ('audit signal,' , [ False , False , False , False ]), - ('signal receive,' , [ False , False , False , False ]), - ] + ( 'signal send,' , ( False , False , True , False )), + ('audit signal send,' , ( True , True , True , True )), + ( 'signal send set=quit,' , ( False , False , True , False )), + ('audit signal send set=quit,' , ( False , False , True , True )), + ( 'signal,' , ( False , False , False , False )), + ('audit signal,' , ( False , False , False , False )), + ('signal receive,' , ( False , False , False , False )), + ) class SignalCoveredTest_03(SignalCoveredTest): rule = 'signal send set=quit,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'signal send set=quit,' , [ True , True , True , True ]), - ('allow signal send set=quit,' , [ True , False , True , True ]), - ( 'signal send,' , [ False , False , False , False ]), - ( 'signal,' , [ False , False , False , False ]), - ( 'signal send set=int,' , [ False , False , False , False ]), - ('audit signal,' , [ False , False , False , False ]), - ('audit signal send set=quit,' , [ False , False , False , False ]), - ('audit signal set=quit,' , [ False , False , False , False ]), - ( 'signal send,' , [ False , False , False , False ]), - ( 'signal,' , [ False , False , False , False ]), - ] + ( 'signal send set=quit,' , ( True , True , True , True )), + ('allow signal send set=quit,' , ( True , False , True , True )), + ( 'signal send,' , ( False , False , False , False )), + ( 'signal,' , ( False , False , False , False )), + ( 'signal send set=int,' , ( False , False , False , False )), + ('audit signal,' , ( False , False , False , False )), + 
('audit signal send set=quit,' , ( False , False , False , False )), + ('audit signal set=quit,' , ( False , False , False , False )), + ( 'signal send,' , ( False , False , False , False )), + ( 'signal,' , ( False , False , False , False )), + ) class SignalCoveredTest_04(SignalCoveredTest): rule = 'signal,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'signal,' , [ True , True , True , True ]), - ('allow signal,' , [ True , False , True , True ]), - ( 'signal send,' , [ False , False , True , True ]), - ( 'signal w set=quit,' , [ False , False , True , True ]), - ( 'signal set=int,' , [ False , False , True , True ]), - ( 'signal send set=quit,' , [ False , False , True , True ]), - ('audit signal,' , [ False , False , False , False ]), - ('deny signal,' , [ False , False , False , False ]), - ] + ( 'signal,' , ( True , True , True , True )), + ('allow signal,' , ( True , False , True , True )), + ( 'signal send,' , ( False , False , True , True )), + ( 'signal w set=quit,' , ( False , False , True , True )), + ( 'signal set=int,' , ( False , False , True , True )), + ( 'signal send set=quit,' , ( False , False , True , True )), + ('audit signal,' , ( False , False , False , False )), + ('deny signal,' , ( False , False , False , False )), + ) class SignalCoveredTest_05(SignalCoveredTest): rule = 'deny signal send,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ( 'deny signal send,' , [ True , True , True , True ]), - ('audit deny signal send,' , [ False , False , False , False ]), - ( 'signal send,' , [ False , False , False , False ]), # XXX should covered be true here? 
- ( 'deny signal receive,' , [ False , False , False , False ]), - ( 'deny signal,' , [ False , False , False , False ]), - ] + ( 'deny signal send,' , ( True , True , True , True )), + ('audit deny signal send,' , ( False , False , False , False )), + ( 'signal send,' , ( False , False , False , False )), # XXX should covered be true here? + ( 'deny signal receive,' , ( False , False , False , False )), + ( 'deny signal,' , ( False , False , False , False )), + ) class SignalCoveredTest_06(SignalCoveredTest): rule = 'signal send peer=unconfined,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('signal,' , [ False , False , False , False ]), - ('signal send,' , [ False , False , False , False ]), - ('signal send peer=unconfined,' , [ True , True , True , True ]), - ('signal peer=unconfined,' , [ False , False , False , False ]), - ('signal send, # comment' , [ False , False , False , False ]), - ('allow signal send,' , [ False , False , False , False ]), - ('allow signal send peer=unconfined,' , [ True , False , True , True ]), - ('allow signal send peer=/foo/bar,' , [ False , False , False , False ]), - ('allow signal send peer=/**,' , [ False , False , False , False ]), - ('allow signal send peer=**,' , [ False , False , False , False ]), - ('signal send,' , [ False , False , False , False ]), - ('signal send peer=unconfined,' , [ True , False , True , True ]), - ('signal send set=quit,' , [ False , False , False , False ]), - ('signal send set=int peer=unconfined,',[ False , False , True , True ]), - ('audit signal send peer=unconfined,' , [ False , False , False , False ]), - ('audit signal,' , [ False , False , False , False ]), - ('signal receive,' , [ False , False , False , False ]), - ('signal set=int,' , [ False , False , False , False ]), - ('audit deny signal send,' , [ False , False , False , False ]), - ('deny signal send,' , [ False , False , False , False ]), - ] + ('signal,' , ( False , False , False , False )), + 
('signal send,' , ( False , False , False , False )), + ('signal send peer=unconfined,' , ( True , True , True , True )), + ('signal peer=unconfined,' , ( False , False , False , False )), + ('signal send, # comment' , ( False , False , False , False )), + ('allow signal send,' , ( False , False , False , False )), + ('allow signal send peer=unconfined,' , ( True , False , True , True )), + ('allow signal send peer=/foo/bar,' , ( False , False , False , False )), + ('allow signal send peer=/**,' , ( False , False , False , False )), + ('allow signal send peer=**,' , ( False , False , False , False )), + ('signal send,' , ( False , False , False , False )), + ('signal send peer=unconfined,' , ( True , False , True , True )), + ('signal send set=quit,' , ( False , False , False , False )), + ('signal send set=int peer=unconfined,',( False , False , True , True )), + ('audit signal send peer=unconfined,' , ( False , False , False , False )), + ('audit signal,' , ( False , False , False , False )), + ('signal receive,' , ( False , False , False , False )), + ('signal set=int,' , ( False , False , False , False )), + ('audit deny signal send,' , ( False , False , False , False )), + ('deny signal send,' , ( False , False , False , False )), + ) class SignalCoveredTest_07(SignalCoveredTest): rule = 'signal send peer=/foo/bar,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('signal,' , [ False , False , False , False ]), - ('signal send,' , [ False , False , False , False ]), - ('signal send peer=/foo/bar,' , [ True , True , True , True ]), - ('signal send peer=/foo/*,' , [ False , False , False , False ]), - ('signal send peer=/**,' , [ False , False , False , False ]), - ('signal send peer=/what/*,' , [ False , False , False , False ]), - ('signal peer=/foo/bar,' , [ False , False , False , False ]), - ('signal send, # comment' , [ False , False , False , False ]), - ('allow signal send,' , [ False , False , False , False ]), - ('allow signal 
send peer=/foo/bar,' , [ True , False , True , True ]), - ('signal send,' , [ False , False , False , False ]), - ('signal send peer=/foo/bar,' , [ True , False , True , True ]), - ('signal send peer=/what/ever,' , [ False , False , False , False ]), - ('signal send set=quit,' , [ False , False , False , False ]), - ('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]), - ('audit signal send peer=/foo/bar,' , [ False , False , False , False ]), - ('audit signal,' , [ False , False , False , False ]), - ('signal receive,' , [ False , False , False , False ]), - ('signal set=int,' , [ False , False , False , False ]), - ('audit deny signal send,' , [ False , False , False , False ]), - ('deny signal send,' , [ False , False , False , False ]), - ] + ('signal,' , ( False , False , False , False )), + ('signal send,' , ( False , False , False , False )), + ('signal send peer=/foo/bar,' , ( True , True , True , True )), + ('signal send peer=/foo/*,' , ( False , False , False , False )), + ('signal send peer=/**,' , ( False , False , False , False )), + ('signal send peer=/what/*,' , ( False , False , False , False )), + ('signal peer=/foo/bar,' , ( False , False , False , False )), + ('signal send, # comment' , ( False , False , False , False )), + ('allow signal send,' , ( False , False , False , False )), + ('allow signal send peer=/foo/bar,' , ( True , False , True , True )), + ('signal send,' , ( False , False , False , False )), + ('signal send peer=/foo/bar,' , ( True , False , True , True )), + ('signal send peer=/what/ever,' , ( False , False , False , False )), + ('signal send set=quit,' , ( False , False , False , False )), + ('signal send set=int peer=/foo/bar,' , ( False , False , True , True )), + ('audit signal send peer=/foo/bar,' , ( False , False , False , False )), + ('audit signal,' , ( False , False , False , False )), + ('signal receive,' , ( False , False , False , False )), + ('signal set=int,' , ( False , False , False , False 
)), + ('audit deny signal send,' , ( False , False , False , False )), + ('deny signal send,' , ( False , False , False , False )), + ) class SignalCoveredTest_08(SignalCoveredTest): rule = 'signal send peer=**,' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('signal,' , [ False , False , False , False ]), - ('signal send,' , [ False , False , False , False ]), - ('signal send peer=/foo/bar,' , [ False , False , True , True ]), - ('signal send peer=/foo/*,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare() - ('signal send peer=/**,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare() - ('signal send peer=/what/*,' , [ False , False , False , False ]), # TODO: wildcard vs. wildcard never matches in is_covered_aare() - ('signal peer=/foo/bar,' , [ False , False , False , False ]), - ('signal send, # comment' , [ False , False , False , False ]), - ('allow signal send,' , [ False , False , False , False ]), - ('allow signal send peer=/foo/bar,' , [ False , False , True , True ]), - ('signal send,' , [ False , False , False , False ]), - ('signal send peer=/foo/bar,' , [ False , False , True , True ]), - ('signal send peer=/what/ever,' , [ False , False , True , True ]), - ('signal send set=quit,' , [ False , False , False , False ]), - ('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]), - ('audit signal send peer=/foo/bar,' , [ False , False , False , False ]), - ('audit signal,' , [ False , False , False , False ]), - ('signal receive,' , [ False , False , False , False ]), - ('signal set=int,' , [ False , False , False , False ]), - ('audit deny signal send,' , [ False , False , False , False ]), - ('deny signal send,' , [ False , False , False , False ]), - ] + ('signal,' , ( False , False , False , False )), + ('signal send,' , ( False , False , False , False )), + ('signal send peer=/foo/bar,' , ( False , False 
, True , True )), + ('signal send peer=/foo/*,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare() + ('signal send peer=/**,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare() + ('signal send peer=/what/*,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare() + ('signal peer=/foo/bar,' , ( False , False , False , False )), + ('signal send, # comment' , ( False , False , False , False )), + ('allow signal send,' , ( False , False , False , False )), + ('allow signal send peer=/foo/bar,' , ( False , False , True , True )), + ('signal send,' , ( False , False , False , False )), + ('signal send peer=/foo/bar,' , ( False , False , True , True )), + ('signal send peer=/what/ever,' , ( False , False , True , True )), + ('signal send set=quit,' , ( False , False , False , False )), + ('signal send set=int peer=/foo/bar,' , ( False , False , True , True )), + ('audit signal send peer=/foo/bar,' , ( False , False , False , False )), + ('audit signal,' , ( False , False , False , False )), + ('signal receive,' , ( False , False , False , False )), + ('signal set=int,' , ( False , False , False , False )), + ('audit deny signal send,' , ( False , False , False , False )), + ('deny signal send,' , ( False , False , False , False )), + ) class SignalCoveredTest_09(SignalCoveredTest): rule = 'signal (send, receive) set=(int, quit),' - tests = [ + tests = ( # rule equal strict equal covered covered exact - ('signal,' , [ False , False , False , False ]), - ('signal send,' , [ False , False , False , False ]), - ('signal send set=int,' , [ False , False , True , True ]), - ('signal receive set=quit,' , [ False , False , True , True ]), - ('signal (receive,send) set=int,' , [ False , False , True , True ]), - ('signal (receive,send) set=(int quit),',[True , False , True , True ]), - ('signal send set=(quit int),' , [ False , 
False , True , True ]), - ('signal send peer=/foo/bar,' , [ False , False , False , False ]), - ('signal send peer=/foo/*,' , [ False , False , False , False ]), - ('signal send peer=/**,' , [ False , False , False , False ]), - ('signal send peer=/what/*,' , [ False , False , False , False ]), - ('signal peer=/foo/bar,' , [ False , False , False , False ]), - ('signal send, # comment' , [ False , False , False , False ]), - ('allow signal send,' , [ False , False , False , False ]), - ('allow signal send peer=/foo/bar,' , [ False , False , False , False ]), - ('signal send,' , [ False , False , False , False ]), - ('signal send peer=/foo/bar,' , [ False , False , False , False ]), - ('signal send peer=/what/ever,' , [ False , False , False , False ]), - ('signal send set=quit,' , [ False , False , True , True ]), - ('signal send set=int peer=/foo/bar,' , [ False , False , True , True ]), - ('audit signal send peer=/foo/bar,' , [ False , False , False , False ]), - ('audit signal,' , [ False , False , False , False ]), - ('signal receive,' , [ False , False , False , False ]), - ('signal set=int,' , [ False , False , False , False ]), - ('audit deny signal send,' , [ False , False , False , False ]), - ('deny signal send,' , [ False , False , False , False ]), - ] + ('signal,' , ( False , False , False , False )), + ('signal send,' , ( False , False , False , False )), + ('signal send set=int,' , ( False , False , True , True )), + ('signal receive set=quit,' , ( False , False , True , True )), + ('signal (receive,send) set=int,' , ( False , False , True , True )), + ('signal (receive,send) set=(int quit),',(True , False , True , True )), + ('signal send set=(quit int),' , ( False , False , True , True )), + ('signal send peer=/foo/bar,' , ( False , False , False , False )), + ('signal send peer=/foo/*,' , ( False , False , False , False )), + ('signal send peer=/**,' , ( False , False , False , False )), + ('signal send peer=/what/*,' , ( False , False , False , 
False )), + ('signal peer=/foo/bar,' , ( False , False , False , False )), + ('signal send, # comment' , ( False , False , False , False )), + ('allow signal send,' , ( False , False , False , False )), + ('allow signal send peer=/foo/bar,' , ( False , False , False , False )), + ('signal send,' , ( False , False , False , False )), + ('signal send peer=/foo/bar,' , ( False , False , False , False )), + ('signal send peer=/what/ever,' , ( False , False , False , False )), + ('signal send set=quit,' , ( False , False , True , True )), + ('signal send set=int peer=/foo/bar,' , ( False , False , True , True )), + ('audit signal send peer=/foo/bar,' , ( False , False , False , False )), + ('audit signal,' , ( False , False , False , False )), + ('signal receive,' , ( False , False , False , False )), + ('signal set=int,' , ( False , False , False , False )), + ('audit deny signal send,' , ( False , False , False , False )), + ('deny signal send,' , ( False , False , False , False )), + ) @@ -516,7 +516,7 @@ class SignalCoveredTest_Invalid(AATest): obj.is_equal(testobj) class SignalLogprofHeaderTest(AATest): - tests = [ + tests = ( ('signal,', [ _('Access mode'), _('ALL'), _('Signal'), _('ALL'), _('Peer'), _('ALL'), ]), ('signal send,', [ _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL'), ]), ('signal send set=quit,', [ _('Access mode'), 'send', _('Signal'), 'quit', _('Peer'), _('ALL'), ]), @@ -527,7 +527,7 @@ class SignalLogprofHeaderTest(AATest): ('signal set=(int, quit),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL'), ]), ('signal set=( quit, int),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL'), ]), ('signal (send, receive) set=( quit, int) peer=/foo,', [ _('Access mode'), 'receive send', _('Signal'), 'int quit', _('Peer'), '/foo', ]), - ] + ) def _run_test(self, params, expected): obj = SignalRule.parse(params) 
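Review bot: The row marked `# XXX should covered be true here?` in SignalCoveredTest_05 and the three rows marked `# TODO: wildcard vs. wildcard never matches in is_covered_aare()` in SignalCoveredTest_08 are carried over with unchanged expectations, so the tables still assert results that their own comments question. These tables pin when one signal rule counts as covered by another, so each such row should say that it records current behaviour rather than intended semantics, e.g. `# known limitation: pins current result, revisit when is_covered_aare() handles wildcards`. All four rows expect `False` for covered, which looks like the cautious direction, but that is inferred from the table and not from the matcher code.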
@@ -546,10 +546,10 @@ class SignalRulesTest(AATest): def test_ruleset_1(self): ruleset = SignalRuleset() - rules = [ + rules = ( 'signal set=int,', 'signal send,', - ] + ) expected_raw = [ 'signal set=int,', @@ -571,11 +571,11 @@ class SignalRulesTest(AATest): def test_ruleset_2(self): ruleset = SignalRuleset() - rules = [ + rules = ( 'signal send set=int,', 'allow signal send,', 'deny signal set=quit, # example comment', - ] + ) expected_raw = [ ' signal send set=int,', diff --git a/utils/test/test-translations.py b/utils/test/test-translations.py index e1b91623d..6f7eae454 100644 --- a/utils/test/test-translations.py +++ b/utils/test/test-translations.py 
@@ -20,24 +20,24 @@ from apparmor.ui import CMDS, get_translated_hotkey class TestHotkeyConflicts(AATest): # check if there are any hotkey conflicts in one of the apparmor-utils translations - tests = [ - (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa.py available_buttons() with CMD_AUDIT_OFF - (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa.py available_buttons() with CMD_AUDIT_NEW - (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_USER_ON', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa.py available_buttons() with CMD_AUDIT_OFF and CMD_USER_ON - (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_USER_OFF', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa.py available_buttons() with CMD_AUDIT_OFF and CMD_USER_OFF - (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_USER_ON', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa.py available_buttons() with CMD_AUDIT_NEW and CMD_USER_ON - (['CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_USER_OFF', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa.py available_buttons() with CMD_AUDIT_NEW and CMD_USER_OFF - (['CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT'], True), # aa.py save_profiles() - (['CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT'], True), # aa.py get_profile() - (['CMD_ix', 'CMD_pix', 'CMD_cix', 'CMD_nix', 'CMD_EXEC_IX_OFF', 'CMD_ux', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa.py build_x_functions() with exec_toggle - (['CMD_ix', 'CMD_cx', 'CMD_px', 'CMD_nx', 'CMD_ux', 'CMD_EXEC_IX_ON', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'], True), # 
aa.py build_x_functions() without exec_toggle - (['CMD_ADDHAT', 'CMD_USEDEFAULT', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa.py ask_addhat() - (['CMD_YES', 'CMD_NO', 'CMD_CANCEL'], True), # ui.py UI_YesNo() and UI_YesNoCancel - (['CMD_SAVE_CHANGES', 'CMD_VIEW_CHANGES', 'CMD_ABORT', 'CMD_IGNORE_ENTRY'], True), # aa-mergeprof act() - (['CMD_ALLOW', 'CMD_ABORT'], True), # aa-mergeprof conflict_mode() - (['CMD_ADDSUBPROFILE', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa-mergeprof ask_the_questions() - new subprofile - (['CMD_ADDHAT', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'], True), # aa-mergeprof ask_the_questions() - new hat - ] + tests = ( + (('CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py available_buttons() with CMD_AUDIT_OFF + (('CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py available_buttons() with CMD_AUDIT_NEW + (('CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_USER_ON', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py available_buttons() with CMD_AUDIT_OFF and CMD_USER_ON + (('CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_OFF', 'CMD_USER_OFF', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py available_buttons() with CMD_AUDIT_OFF and CMD_USER_OFF + (('CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_USER_ON', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py available_buttons() with CMD_AUDIT_NEW and CMD_USER_ON + (('CMD_ALLOW', 'CMD_DENY', 'CMD_IGNORE_ENTRY', 'CMD_GLOB', 'CMD_GLOBEXT', 'CMD_NEW', 'CMD_AUDIT_NEW', 'CMD_USER_OFF', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py available_buttons() with CMD_AUDIT_NEW and CMD_USER_OFF + (('CMD_SAVE_CHANGES', 'CMD_SAVE_SELECTED', 'CMD_VIEW_CHANGES', 
'CMD_VIEW_CHANGES_CLEAN', 'CMD_ABORT'), True), # aa.py save_profiles() + (('CMD_VIEW_PROFILE', 'CMD_USE_PROFILE', 'CMD_CREATE_PROFILE', 'CMD_ABORT'), True), # aa.py get_profile() + (('CMD_ix', 'CMD_pix', 'CMD_cix', 'CMD_nix', 'CMD_EXEC_IX_OFF', 'CMD_ux', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py build_x_functions() with exec_toggle + (('CMD_ix', 'CMD_cx', 'CMD_px', 'CMD_nx', 'CMD_ux', 'CMD_EXEC_IX_ON', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py build_x_functions() without exec_toggle + (('CMD_ADDHAT', 'CMD_USEDEFAULT', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa.py ask_addhat() + (('CMD_YES', 'CMD_NO', 'CMD_CANCEL'), True), # ui.py UI_YesNo() and UI_YesNoCancel + (('CMD_SAVE_CHANGES', 'CMD_VIEW_CHANGES', 'CMD_ABORT', 'CMD_IGNORE_ENTRY'), True), # aa-mergeprof act() + (('CMD_ALLOW', 'CMD_ABORT'), True), # aa-mergeprof conflict_mode() + (('CMD_ADDSUBPROFILE', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa-mergeprof ask_the_questions() - new subprofile + (('CMD_ADDHAT', 'CMD_DENY', 'CMD_ABORT', 'CMD_FINISHED'), True), # aa-mergeprof ask_the_questions() - new hat + ) def _run_test(self, params, expected): self.createTmpdir() diff --git a/utils/test/test-unix_parse.py b/utils/test/test-unix_parse.py index 2e73b4113..7a82a8387 100644 --- a/utils/test/test-unix_parse.py +++ b/utils/test/test-unix_parse.py @@ -18,7 +18,7 @@ class AAParseUnixTest(AAParseTest): def setUp(self): self.parse_function = aa.parse_unix_rule - tests = [ + tests = ( ('unix,', 'unix base keyword'), ('unix r,', 'unix r rule'), ('unix w,', 'unix w rule'), @@ -32,7 +32,7 @@ class AAParseUnixTest(AAParseTest): ('unix (receive),', 'unix (receive) rule'), ('unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/.X11-unix/X[0-9]*"),', 'complex unix rule'), - ] + ) setup_aa(aa) if __name__ == '__main__': diff --git a/utils/test/test-variable.py b/utils/test/test-variable.py index 9e6c1e5c5..54d3fd7f2 100644 --- a/utils/test/test-variable.py 
+++ b/utils/test/test-variable.py @@ -23,8 +23,8 @@ from apparmor.common import AppArmorException, AppArmorBug from apparmor.translations import init_translation _ = init_translation() -exp = namedtuple('exp', ['comment', - 'varname', 'mode', 'values']) +exp = namedtuple('exp', ('comment', + 'varname', 'mode', 'values')) # --- tests for single VariableRule --- # @@ -41,7 +41,7 @@ class VariableTest(AATest): self.assertEqual(expected.comment, obj.comment) class AaTest_separate_vars(AATest): - tests = [ + tests = ( ('' , set() ), (' ' , set() ), (' foo bar' , {'foo', 'bar' }), @@ -59,7 +59,7 @@ class AaTest_separate_vars(AATest): ('"" foo' , {'', 'foo' }), # empty value + 'foo' ('"" foo "bar"' , {'', 'foo', 'bar' }), # empty value + 'foo' + 'bar' (bar has superfluous quotes) ('"bar"' , {'bar' }), # 'bar' with superfluous quotes - ] + ) def _run_test(self, params, expected): if expected == AppArmorException: @@ -70,7 +70,7 @@ class AaTest_separate_vars(AATest): self.assertEqual(result, expected) class VariableTestParse(VariableTest): - tests = [ + tests = ( # rawrule comment varname mode values ('@{foo}=/bar', exp('', '@{foo}', '=', {'/bar'} )), ('@{foo}+=/bar', exp('', '@{foo}', '+=', {'/bar'} )), @@ -80,7 +80,7 @@ class VariableTestParse(VariableTest): (' @{foo} += /bar # comment', exp(' # comment', '@{foo}', '+=', {'/bar'} )), ('@{foo}=/bar /baz', exp('', '@{foo}', '=', {'/bar', '/baz'} )), ('@{foo} = "/bar," # comment', exp(' # comment', '@{foo}', '=', {'/bar,'} )), # value with trailing comma, needs to be quoted - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(VariableRule.match(rawrule)) @@ -89,7 +89,7 @@ class VariableTestParse(VariableTest): self._compare_obj(obj, expected) class VariableTestParseInvalid(VariableTest): - tests = [ + tests = ( # rawrule matches regex exception ('@{foo} =', (False, AppArmorException)), ('@ {foo} = # comment', (False, AppArmorException)), 
@@ -99,7 +99,7 @@ class VariableTestParseInvalid(VariableTest): ('@{foo} = /foo, # comment', (True, AppArmorException)), # trailing comma ('@{foo} = /foo, /bar', (True, AppArmorException)), # trailing comma in first value ('@{foo = /foo f', (True, AppArmorException)), # variable name broken, missing } - ] + ) def _run_test(self, rawrule, expected): self.assertEqual(VariableRule.match(rawrule), expected[0]) @@ -107,7 +107,7 @@ class VariableTestParseInvalid(VariableTest): VariableRule.parse(rawrule) class VariableFromInit(VariableTest): - tests = [ + tests = ( # VariableRule object comment varname mode values (VariableRule('@{foo}', '=', {'/bar'}), exp('', '@{foo}', '=', {'/bar'} )), (VariableRule('@{foo}', '+=', {'/bar'}), exp('', '@{foo}', '+=', {'/bar'} )), 
@@ -115,32 +115,32 @@ class VariableFromInit(VariableTest): (VariableRule('@{foo}', '+=', {'/bar', '/baz'}), exp('', '@{foo}', '+=', {'/bar', '/baz'} )), (VariableRule('@{foo}', '=', {'/bar'}, comment='# cmt'), exp('# cmt', '@{foo}', '=', {'/bar'} )), (VariableRule('@{foo}', '+=', {'/bar'}, comment='# cmt'), exp('# cmt', '@{foo}', '+=', {'/bar'} )), - ] + ) def _run_test(self, obj, expected): self._compare_obj(obj, expected) class InvalidVariableInit(AATest): - tests = [ + tests = ( # init params expected exception - ([None, '=', ['/bar'] ], AppArmorBug), # varname not a str - (['', '=', ['/bar'] ], AppArmorException), # empty varname - (['foo', '=', ['/bar'] ], AppArmorException), # varname not starting with '@{' - (['foo', '=', ['/bar'] ], AppArmorException), # varname not starting with '@{' + ((None, '=', ['/bar']), AppArmorBug), # varname not a str + (('', '=', ['/bar']), AppArmorException), # empty varname + (('foo', '=', ['/bar']), AppArmorException), # varname not starting with '@{' + (('foo', '=', ['/bar']), AppArmorException), # varname not starting with '@{' - (['@{foo}', '', ['/bar'] ], AppArmorBug), # mode not '=' or '+=' - (['@{foo}', '-=', ['/bar'] ], AppArmorBug), # mode not '=' or '+=' - (['@{foo}', ' ', ['/bar'] ], AppArmorBug), # mode not '=' or '+=' - (['@{foo}', None, ['/bar'] ], AppArmorBug), # mode not '=' or '+=' + (('@{foo}', '', ['/bar']), AppArmorBug), # mode not '=' or '+=' + (('@{foo}', '-=', ['/bar']), AppArmorBug), # mode not '=' or '+=' + (('@{foo}', ' ', ['/bar']), AppArmorBug), # mode not '=' or '+=' + (('@{foo}', None, ['/bar']), AppArmorBug), # mode not '=' or '+=' - (['@{foo}', '=', None ], AppArmorBug), # values not a set - (['@{foo}', '=', set() ], AppArmorException), # empty values - ] + (('@{foo}', '=', None ), AppArmorBug), # values not a set + (('@{foo}', '=', set() ), AppArmorException), # empty values + ) def _run_test(self, params, expected): with self.assertRaises(expected): - VariableRule(params[0], params[1], 
params[2]) + VariableRule(*params) def test_missing_params_1(self): with self.assertRaises(TypeError): @@ -180,7 +180,7 @@ class InvalidVariableTest(AATest): class WriteVariableTestAATest(AATest): - tests = [ + tests = ( # raw rule clean rule (' @{foo} = /bar ', '@{foo} = /bar'), (' @{foo} = /bar # comment', '@{foo} = /bar'), @@ -191,7 +191,7 @@ class WriteVariableTestAATest(AATest): (' @{foo} += /bar /baz', '@{foo} += /bar /baz'), (' @{foo} += /bar @{baz}', '@{foo} += /bar @{baz}'), (' @{foo} += /bar @{baz}', '@{foo} += /bar @{baz}'), - ] + ) def _run_test(self, rawrule, expected): self.assertTrue(VariableRule.match(rawrule)) 
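Review bot: The row `(('foo', '=', ['/bar']), AppArmorException), # varname not starting with '@{'` appears twice in the rewritten InvalidVariableInit table, so the second copy adds no coverage. Either drop it or change it to a distinct malformed name. VariableTestParseInvalid has a "missing }" case for the parser, so a constructor-level counterpart may have been intended; which exception that would raise is not visible here.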
@@ -235,40 +235,40 @@ class VariableCoveredTest(AATest): class VariableCoveredTest_01(VariableCoveredTest): rule = '@{foo} = /bar' - tests = [ + tests = ( # rule equal strict equal covered covered exact - (' @{foo} = /bar' , [ True , True , True , True ]), - (' @{foo} += /bar' , [ False , False , False , False ]), - (' @{foo} = /bar # comment' , [ True , False , True , True ]), - (' @{foo} += /bar # comment' , [ False , False , False , False ]), - (' @{foo} = /baz /bar' , [ False , False , False , False ]), - (' @{foo} += /baz /bar' , [ False , False , False , False ]), - (' @{foo} = /baz /bar # cmt' , [ False , False , False , False ]), - (' @{foo} += /baz /bar # cmt' , [ False , False , False , False ]), - (' @{bar} = /bar' , [ False , False , False , False ]), # different variable name - ] + (' @{foo} = /bar' , ( True , True , True , True )), + (' @{foo} += /bar' , ( False , False , False , False )), + (' @{foo} = /bar # comment' , ( True , False , True , True )), + (' @{foo} += /bar # comment' , ( False , False , False , False )), + (' @{foo} = /baz /bar' , ( False , False , False , False )), + (' @{foo} += /baz /bar' , ( False , False , False , False )), + (' @{foo} = /baz /bar # cmt' , ( False , False , False , False )), + (' @{foo} += /baz /bar # cmt' , ( False , False , False , False )), + (' @{bar} = /bar' , ( False , False , False , False )), # different variable name + ) class VariableCoveredTest_02(VariableCoveredTest): rule = '@{foo} = /bar /baz' - tests = [ + tests = ( # rule equal strict equal covered covered exact - (' @{foo} = /bar /baz' , [ True , True , True , True ]), - (' @{foo} += /bar /baz' , [ False , False , False , False ]), - (' @{foo} = /bar /baz # cmt' , [ True , False , True , True ]), - (' @{foo} += /bar /baz # cmt' , [ False , False , False , False ]), + (' @{foo} = /bar /baz' , ( True , True , True , True )), + (' @{foo} += /bar /baz' , ( False , False , False , False )), + (' @{foo} = /bar /baz # cmt' , ( True , False , True , True 
)), + (' @{foo} += /bar /baz # cmt' , ( False , False , False , False )), # changed order of values - (' @{foo} = /baz /bar' , [ True , False , True , True ]), - (' @{foo} += /baz /bar' , [ False , False , False , False ]), - (' @{foo} = /baz /bar # cmt' , [ True , False , True , True ]), - (' @{foo} += /baz /bar # cmt' , [ False , False , False , False ]), + (' @{foo} = /baz /bar' , ( True , False , True , True )), + (' @{foo} += /baz /bar' , ( False , False , False , False )), + (' @{foo} = /baz /bar # cmt' , ( True , False , True , True )), + (' @{foo} += /baz /bar # cmt' , ( False , False , False , False )), # only one value - (' @{foo} = /bar' , [ False , False , True , True ]), - (' @{foo} += /bar' , [ False , False , False , False ]), - (' @{foo} = /bar # comment' , [ False , False , True , True ]), - (' @{foo} += /bar # comment' , [ False , False , False , False ]), - (' @{bar} = /bar' , [ False , False , False , False ]), # different variable name - ] + (' @{foo} = /bar' , ( False , False , True , True )), + (' @{foo} += /bar' , ( False , False , False , False )), + (' @{foo} = /bar # comment' , ( False , False , True , True )), + (' @{foo} += /bar # comment' , ( False , False , False , False )), + (' @{bar} = /bar' , ( False , False , False , False )), # different variable name + ) class VariableCoveredTest_Invalid(AATest): # def test_borked_obj_is_covered_1(self): @@ -306,9 +306,9 @@ class VariableCoveredTest_Invalid(AATest): obj.is_equal(testobj) class VariableLogprofHeaderTest(AATest): - tests = [ + tests = ( ('@{foo} = /bar', [_('Variable'), '@{foo} = /bar' ]), - ] + ) def _run_test(self, params, expected): obj = VariableRule.parse(params) @@ -328,12 +328,12 @@ class VariableRulesTest(AATest): def test_ruleset_1(self): ruleset = VariableRuleset() - rules = [ + rules = ( '@{foo} = /bar', '@{baz}= /asdf', '@{foo} += /whatever', '@{foo} += /morestuff', - ] + ) expected_raw = [ '@{foo} = /bar', 
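Review bot: `VariableLogprofHeaderTest.tests` is now a one-row tuple, so its shape depends on the trailing comma after the row. Without that comma the outer parentheses only group, and `tests` becomes the row itself instead of a table with one row; the list form did not have this failure mode. Either keep a list for single-row tables or add a comment such as `# one-element tuple: keep the trailing comma`. The same applies to the `cmd(('../../common/list_capabilities.sh',))` and `cmd(('../../common/list_af_names.sh',))` calls in utils/vim/create-apparmor.vim.py.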
diff --git a/utils/vim/create-apparmor.vim.py b/utils/vim/create-apparmor.vim.py index 8a17bb43e..babce469c 100644 --- a/utils/vim/create-apparmor.vim.py +++ b/utils/vim/create-apparmor.vim.py @@ -15,14 +15,14 @@ import subprocess import sys # dangerous capabilities -danger_caps = ["audit_control", +danger_caps = ("audit_control", "audit_write", "mac_override", "mac_admin", "setfcap", "sys_admin", "sys_module", - "sys_rawio"] + "sys_rawio") def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, stdin=None, timeout=None): @@ -32,7 +32,7 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s try: sp = subprocess.Popen(command, stdin=stdin, stdout=stdout, stderr=stderr, close_fds=True, universal_newlines=True) except OSError as ex: - return [127, str(ex)] + return 127, str(ex) out, outerr = sp.communicate(input) @@ -42,10 +42,10 @@ def cmd(command, input=None, stderr=subprocess.STDOUT, stdout=subprocess.PIPE, s # Handle redirection of stderr if outerr is None: outerr = '' - return [sp.returncode, out, outerr] + return sp.returncode, out, outerr # get capabilities list -(rc, output, outerr) = cmd(['../../common/list_capabilities.sh']) +(rc, output, outerr) = cmd(('../../common/list_capabilities.sh',)) if rc != 0: sys.stderr.write("make list_capabilities failed: " + output + outerr) exit(rc) @@ -57,7 +57,7 @@ for cap in capabilities: benign_caps.append(cap) # get network protos list -(rc, output, outerr) = cmd(['../../common/list_af_names.sh']) +(rc, output, outerr) = cmd(('../../common/list_af_names.sh',)) if rc != 0: sys.stderr.write("make list_af_names failed: " + output + outerr) exit(rc) @@ -76,7 +76,7 @@ for af_pair in af_pairs: aa_network_types = r'\s+tcp|\s+udp|\s+icmp' -aa_flags = ['complain', +aa_flags = ('complain', 'audit', 'attach_disconnected', 'no_attach_disconnected', 
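Review bot: The `OSError` branch of `cmd()` now returns the two-element tuple `127, str(ex)`, while the normal path returns three values and both callers in the later hunks unpack `(rc, output, outerr)`. If the helper script cannot be started, the caller fails with a `ValueError` on unpacking instead of reaching the `rc != 0` branch that prints the error and exits. Returning `127, str(ex), ''` keeps the arity consistent on both paths. The body of `cmd()` starts outside this hunk.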
@@ -85,7 +85,7 @@ aa_flags = ['complain', 'chroot_relative', 'namespace_relative', 'mediate_deleted', - 'delegate_deleted'] + 'delegate_deleted') filename = r'(\/|\@\{\S*\})\S*'