Add some tests for complex profile names

Add some tests with a complex profile name (including alternations and
wildcards) to ensure we don't break such cases in the future.

These tests are based on the log from the (invalid) bug report
https://gitlab.com/apparmor/apparmor/issues/26
Christian Boltz 2019-03-31 17:34:55 +02:00
parent 2b091491b0
commit 9feebc4363
5 changed files with 26 additions and 0 deletions


@ -0,0 +1 @@
type=AVC msg=audit(1553903266.854:518): apparmor="DENIED" operation="open" profile="/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}" name="/sys/class/scsi_device/" pid=543 comm="wine" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0


@ -0,0 +1,15 @@
START
File: complex_profile_name.in
Event type: AA_RECORD_DENIED
Audit ID: 1553903266.854:518
Operation: open
Mask: r
Denied Mask: r
fsuid: 1000
ouid: 0
Profile: /usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}
Name: /sys/class/scsi_device/
Command: wine
PID: 543
Epoch: 1553903266
Audit subid: 518


@ -0,0 +1,4 @@
/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*} {
/sys/class/scsi_device/ r,
}


@ -77,11 +77,14 @@ class TestFilename_from_profile_name(AATest):
('foo', '/etc/apparmor.d/bin.foo'),
('/bin/foo', None),
('bar', None),
('/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/etc/apparmor.d/usr.bin.wine'),
('/usr/lib/wine/bin/wine-preloader-staging-foo', None), # no AARE matching for profile names
]
def AASetup(self):
self.pl = ProfileList()
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add('/etc/apparmor.d/usr.bin.wine', '/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}')
def _run_test(self, params, expected):
self.assertEqual(self.pl.filename_from_profile_name(params), expected)
@ -93,6 +96,8 @@ class TestFilename_from_attachment(AATest):
('/bin/foobar', '/etc/apparmor.d/bin.foobar'),
('@{foo}', None), # XXX variables not supported yet (and @{foo} isn't defined in this test)
('/bin/404', None),
('/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/etc/apparmor.d/usr.bin.wine'), # XXX should this really match, or should attachment matching only use AARE?
('/usr/lib/wine/bin/wine-preloader-staging-foo', '/etc/apparmor.d/usr.bin.wine'), # AARE match
]
def AASetup(self):
@ -100,6 +105,7 @@ class TestFilename_from_attachment(AATest):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add('/etc/apparmor.d/bin.baz', 'baz', '/bin/ba*')
self.pl.add('/etc/apparmor.d/bin.foobar', 'foobar', '/bin/foo{bar,baz}')
self.pl.add('/etc/apparmor.d/usr.bin.wine', '/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}')
def _run_test(self, params, expected):
self.assertEqual(self.pl.filename_from_attachment(params), expected)
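Review bot: The two wine cases added to TestFilename_from_attachment are both positive matches, so nothing in this change would catch the AARE over-matching and attributing a path to the wrong profile file. A near-miss case would cover that, for example `('/usr/lib/wine/bin/wine-preloader-staging-foo/bar', None),  # '*' must not match across '/'`; the expected None follows from documented AARE glob semantics and should be confirmed against filename_from_attachment. The literal-pattern case is marked XXX as an open question, yet the assertion pins it to usr.bin.wine, so a comment saying it records current behaviour rather than the intended contract would keep it from being read as a guarantee. Both test classes start outside the hunks shown.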