utils: fix coding style to match PEP8

Annotate exceptions with '  # noqa: ERROR'

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Georgia Garcia 2024-05-17 13:53:42 +02:00
parent e1bda6d1a2
commit cec9ae6dff
47 changed files with 674 additions and 583 deletions


@ -191,7 +191,7 @@ for p in sorted(apparmor.helpers.keys()):
aaui.UI_Info(_('\nReloaded AppArmor profiles in enforce mode.'))
aaui.UI_Info(_('\nPlease consider contributing your new profile!\n'
'See the following wiki page for more information:')
+ '\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles\n')
'See the following wiki page for more information:')
+ '\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles\n') # noqa: W503
aaui.UI_Info(_('Finished generating profile for %s.') % program)
sys.exit(0)
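Review bot: The `# noqa: W503` added on the `+ '\nhttps://gitlab.com/apparmor/apparmor/wikis/Profiles\n')` continuation line looks unnecessary and is inconsistent with the rest of this commit, where every other leading-operator continuation (the `RE_PROFILE_START`, `RE_DBUS_DETAILS`, `RE_IO_URING_DETAILS`, `RE_MQUEUE_DETAILS` and `RE_USERNS_DETAILS` regex builders) breaks before `+` without suppressing W503. Breaking before a binary operator is the layout PEP 8 now recommends, and W503 is in flake8's default ignore list, so the annotation only adds noise unless the project's flake8 config re-enables it. If it is enabled, the cleaner fix is one project-wide ignore entry for W503 rather than per-line suppressions. The enclosing code starts before this hunk.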


@ -120,10 +120,10 @@ class Merge(object):
# ask about preamble rules
apparmor.aa.ask_rule_questions(
other.active_profiles.files[other.filename], # prof_events aka log_dict
'[preamble]', # displayed profile name
self.user.active_profiles.files[self.user.filename], # profile to update
['abi', 'inc_ie'] # rule types - TODO: don't hardcode
other.active_profiles.files[other.filename], # prof_events aka log_dict
'[preamble]', # displayed profile name
self.user.active_profiles.files[self.user.filename], # profile to update
['abi', 'inc_ie'] # rule types - TODO: don't hardcode
)
apparmor.aa.ask_the_questions(log_dict)


@ -52,7 +52,6 @@ from apparmor.notify import get_last_login_timestamp
from apparmor.translations import init_translation
def get_user_login():
"""Portable function to get username.
@ -152,12 +151,11 @@ def show_entries_since_epoch(logfile, epoch_since, filters):
print() # Print a newline after each entry for better readability
aaui.UI_Info(_('AppArmor denials: {count} (since {date})').format(
**{
'count': count,
'date': time.strftime(timeformat, time.localtime(epoch_since))
}
)
)
**{
'count': count,
'date': time.strftime(timeformat, time.localtime(epoch_since))
}
))
if args.verbose:
if 'message_footer' in config['']:


@ -64,7 +64,6 @@ debug_logger = DebugLogger('aa')
# The database for severity
sev_db = None
# The file to read log messages from
### Was our
logfile = None
CONFDIR = None
@ -76,7 +75,7 @@ profile_dir = None
extra_profile_dir = None
use_abstractions = True
### end our
# To keep track of previously included profile fragments
include = dict()
@ -92,12 +91,10 @@ transitions = {}
aa = {} # Profiles originally in sd, replace by aa
original_aa = hasher()
### end our
changed = dict()
created = []
helpers = dict() # Preserve this between passes # was our
### logprof ends
def reset_aa():
@ -293,7 +290,7 @@ def set_enforce(filename, program):
aaui.UI_Info(_('Setting %s to enforce mode.') % (filename if program is None else program))
delete_symlink('force-complain', filename)
delete_symlink('disable', filename)
change_profile_flags(filename, program, ['complain', 'kill', 'unconfined', 'prompt','default_allow'], False) # remove conflicting and complain mode flags
change_profile_flags(filename, program, ['complain', 'kill', 'unconfined', 'prompt', 'default_allow'], False) # remove conflicting and complain mode flags
def disable_abstractions():
@ -979,9 +976,9 @@ def ask_exec(hashlog):
# Check profile exists for px
if exec_target.startswith(('/', '@', '{')):
prof_filename = get_profile_filename_from_attachment(exec_target, True)
prof_filename = get_profile_filename_from_attachment(exec_target, True)
else: # named exec
prof_filename = get_profile_filename_from_profile_name(exec_target, True)
prof_filename = get_profile_filename_from_profile_name(exec_target, True)
if not os.path.exists(prof_filename):
ynans = 'y'
@ -1029,6 +1026,7 @@ def ask_exec(hashlog):
else:
raise AppArmorBug('Unhandled ans %s, please open a bugreport!' % ans)
def order_globs(globs, original_path):
"""Returns the globs in sorted order, more specific behind"""
# To-Do
@ -2124,7 +2122,6 @@ def parse_pivot_root_rule(line):
return aarules.Raw_Pivot_Root_Rule(line)
def write_piece(profile_data, depth, name, nhat):
pre = ' ' * depth
data = []
@ -2517,7 +2514,7 @@ def logger_path():
return logger
######Initialisations######
# ------ Initialisations ------ #
def init_aa(confdir=None, profiledir=None):
global CONFDIR


@ -316,7 +316,7 @@ class AppArmorEasyProfile:
self.policy_version)
if not os.path.isdir(d):
raise AppArmorException(
"Could not find %s directory '%s'" % (i, d))
"Could not find %s directory '%s'" % (i, d))
self.dirs[i] = d
if 'templates' not in self.dirs:
@ -743,7 +743,7 @@ def print_basefilenames(files):
def print_files(files):
for i in files:
with open(i) as f:
sys.stdout.write(f.read()+"\n")
sys.stdout.write(f.read() + "\n")
def check_manifest_conflict_args(option, opt_str, value, parser):


@ -135,7 +135,7 @@ class ReadLog:
ev['peer'] = event.peer
ev['peer_profile'] = event.peer_profile
else:
ev['addr'] = event.net_local_addr
ev['addr'] = event.net_local_addr
ev['peer_addr'] = event.net_foreign_addr
elif ev['operation'] and ev['operation'].startswith('dbus_'):
@ -214,7 +214,7 @@ class ReadLog:
elif e['class'] and e['class'] == 'namespace':
if e['denied_mask'].startswith('userns_'):
self.hashlog[aamode][full_profile]['userns'][ e['denied_mask'][7:] ] = True # [7:] removes the 'userns_' prefix
self.hashlog[aamode][full_profile]['userns'][e['denied_mask'][7:]] = True # [7:] removes the 'userns_' prefix
return
elif e['class'] and e['class'].endswith('mqueue'):
@ -227,9 +227,9 @@ class ReadLog:
return
elif e['class'] and e['class'] == 'mount' or e['operation'] == 'mount':
if e['flags'] != None:
if e['flags'] is not None:
e['flags'] = ('=', e['flags'])
if e['fs_type'] != None:
if e['fs_type'] is not None:
e['fs_type'] = ('=', e['fs_type'])
if e['operation'] == 'mount':
@ -239,9 +239,9 @@ class ReadLog:
return
elif e['class'] and e['class'] == 'net' and e['family'] and e['family'] == 'unix':
rule = (e['sock_type'], None) # Protocol is not supported yet.
rule = (e['sock_type'], None) # Protocol is not supported yet.
local = (e['addr'], None, e['attr'], None)
peer = (e['peer_addr'], e['peer_profile'])
peer = (e['peer_addr'], e['peer_profile'])
self.hashlog[aamode][full_profile]['unix'][e['denied_mask']][rule][local][peer] = True
return
@ -285,7 +285,7 @@ class ReadLog:
elif self.op_type(e) == 'net':
local = (e['addr'], e['port'])
peer = (e['peer_addr'], e['remote_port'])
peer = (e['peer_addr'], e['remote_port'])
self.hashlog[aamode][full_profile]['network'][e['accesses']][e['family']][e['sock_type']][e['protocol']][local][peer] = True
return
@ -399,9 +399,9 @@ class ReadLog:
def op_type(self, event):
"""Returns the operation type if known, unknown otherwise"""
if event['operation'] and (event['operation'].startswith('file_') or
event['operation'].startswith('inode_') or
event['operation'] in self.OP_TYPE_FILE_OR_NET):
if event['operation'] and (event['operation'].startswith('file_')
or event['operation'].startswith('inode_')
or event['operation'] in self.OP_TYPE_FILE_OR_NET):
# file or network event?
if event['family'] and event['protocol'] and event['sock_type']:
# 'unix' events also use keywords like 'connect', but protocol is 0 and should therefore be filtered out
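Review bot: The condition `elif e['class'] and e['class'] == 'mount' or e['operation'] == 'mount':` in the mount hunk mixes `and` and `or` without parentheses, so it parses as `(e['class'] and e['class'] == 'mount') or e['operation'] == 'mount'`; that may well be the intended grouping, but since this commit is tidying exactly these lines it is worth making it explicit: `elif (e['class'] and e['class'] == 'mount') or e['operation'] == 'mount':`. The `!= None` to `is not None` rewrites on the two lines below it are equivalent as long as `e['flags']` and `e['fs_type']` are plain strings or None, which the tuple wrapping that follows suggests but this hunk does not prove. The enclosing method starts before this hunk.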


@ -311,6 +311,7 @@ def var_transform(ref):
data.append(quote_if_needed(value))
return ' '.join(data)
def write_pivot_root_rules(prof_data, depth, allow):
pre = ' ' * depth
data = []


@ -70,7 +70,7 @@ RE_HAS_COMMENT_SPLIT = re.compile(
RE_PROFILE_START = re.compile(
r'^(?P<leadingspace>\s*)'
+ '('
+ RE_PROFILE_PATH_OR_VAR % 'plainprofile' # just a path
+ RE_PROFILE_PATH_OR_VAR % 'plainprofile' # just a path # noqa: E131
+ '|' # or
+ '(' + 'profile' + r'\s+' + RE_PROFILE_NAME % 'namedprofile' + r'(\s+' + RE_PROFILE_PATH_OR_VAR % 'attachment' + ')?' + ')' # 'profile', profile name, optionally attachment
+ ')'
@ -97,7 +97,7 @@ RE_PROFILE_FILE_ENTRY = re.compile(
RE_AUDIT_DENY
+ r'(?P<owner>owner\s+)?' # optionally: <owner>
+ '('
+ '(?P<bare_file>file)' # bare 'file,'
+ '(?P<bare_file>file)' # bare 'file,' # noqa: E131
+ '|' # or
+ r'(?P<file_keyword>file\s+)?' # optional 'file' keyword
+ '('


@ -58,7 +58,7 @@ class CapabilityRule(BaseRule):
self.capability = set()
else:
if isinstance(cap_list, str):
cap_list = [ cap_list ]
cap_list = [cap_list]
if isinstance(cap_list, list):
if not cap_list:


@ -43,24 +43,24 @@ RE_FLAG = r'(?P<%s>(\S+|"[^"]+"|\(\s*\S+\s*\)|\(\s*"[^"]+"\)\s*))' # string wit
RE_DBUS_DETAILS = re.compile(
'^'
+ r'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' # optional access keyword(s)
+ '('
+ r'(\s+(bus\s*=\s*' + RE_FLAG % 'bus' + '))?|' # optional bus= system | session | AARE, (...) optional
+ r'(\s+(path\s*=\s*' + RE_FLAG % 'path' + '))?|' # optional path=AARE, (...) optional
+ r'(\s+(name\s*=\s*' + RE_FLAG % 'name' + '))?|' # optional name=AARE, (...) optional
+ '(' # noqa: E131
+ r'(\s+(bus\s*=\s*' + RE_FLAG % 'bus' + '))?|' # optional bus= system | session | AARE, (...) optional # noqa: E131,E221
+ r'(\s+(path\s*=\s*' + RE_FLAG % 'path' + '))?|' # optional path=AARE, (...) optional # noqa: E221
+ r'(\s+(name\s*=\s*' + RE_FLAG % 'name' + '))?|' # optional name=AARE, (...) optional # noqa: E221
+ r'(\s+(interface\s*=\s*' + RE_FLAG % 'interface' + '))?|' # optional interface=AARE, (...) optional
+ r'(\s+(member\s*=\s*' + RE_FLAG % 'member' + '))?|' # optional member=AARE, (...) optional
+ r'(\s+(member\s*=\s*' + RE_FLAG % 'member' + '))?|' # optional member=AARE, (...) optional # noqa: E221
+ r'(\s+(peer\s*=\s*\((,|\s)*' # optional peer=(name=AARE and/or label=AARE), (...) required
+ '('
+ '(' + r'(,|\s)*' + ')' # empty peer=()
+ '|' # or
+ '(' + r'name\s*=\s*' + RE_PROFILE_NAME % 'peername1' + ')' # only peer name (match group peername1)
+ '|' # or
+ '(' r'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel1' + ')' # only peer label (match group peerlabel1)
+ '|' # or
+ '(' + r'name\s*=\s*' + RE_PROFILE_NAME % 'peername2' + r'(,|\s)+' + r'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel2' + ')' # peer name + label (match name peername2/peerlabel2)
+ '|' # or
+ '(' + r'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel3' + r'(,|\s)+' + r'name\s*=\s*' + RE_PROFILE_NAME % 'peername3' + ')' # peer label + name (match name peername3/peerlabel3)
+ ')'
+ '(' # noqa: E131
+ '(' + r'(,|\s)*' + ')' # empty peer=() # noqa: E131
+ '|' # or # noqa: E131
+ '(' + r'name\s*=\s*' + RE_PROFILE_NAME % 'peername1' + ')' # only peer name (match group peername1) # noqa: E131
+ '|' # or # noqa: E131
+ '(' r'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel1' + ')' # only peer label (match group peerlabel1) # noqa: E131
+ '|' # or # noqa: E131
+ '(' + r'name\s*=\s*' + RE_PROFILE_NAME % 'peername2' + r'(,|\s)+' + r'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel2' + ')' # peer name + label (match name peername2/peerlabel2) # noqa: E131,E221
+ '|' # or # noqa: E131
+ '(' + r'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel3' + r'(,|\s)+' + r'name\s*=\s*' + RE_PROFILE_NAME % 'peername3' + ')' # peer label + name (match name peername3/peerlabel3) # noqa: E131,E221
+ ')' # noqa: E131
+ r'(,|\s)*\)))?'
+ '){0,6}'
+ r'\s*$')
@ -90,13 +90,13 @@ class DbusRule(BaseRule):
raise AppArmorException(_('Passed unknown access keyword to %s: %s') % (type(self).__name__, ' '.join(unknown_items)))
# rulepart partname is_path log_event
self.bus, self.all_buses = self._aare_or_all(bus, 'bus', False, log_event)
self.path, self.all_paths = self._aare_or_all(path, 'path', True, log_event)
self.name, self.all_names = self._aare_or_all(name, 'name', False, log_event)
self.interface, self.all_interfaces = self._aare_or_all(interface, 'interface', False, log_event)
self.member, self.all_members = self._aare_or_all(member, 'member', False, log_event)
self.peername, self.all_peernames = self._aare_or_all(peername, 'peer name', False, log_event)
self.peerlabel, self.all_peerlabels = self._aare_or_all(peerlabel, 'peer label', False, log_event)
self.bus, self.all_buses = self._aare_or_all(bus, 'bus', False, log_event) # noqa: E221
self.path, self.all_paths = self._aare_or_all(path, 'path', True, log_event) # noqa: E221
self.name, self.all_names = self._aare_or_all(name, 'name', False, log_event) # noqa: E221
self.interface, self.all_interfaces = self._aare_or_all(interface, 'interface', False, log_event) # noqa: E221
self.member, self.all_members = self._aare_or_all(member, 'member', False, log_event) # noqa: E221
self.peername, self.all_peernames = self._aare_or_all(peername, 'peer name', False, log_event) # noqa: E221
self.peerlabel, self.all_peerlabels = self._aare_or_all(peerlabel, 'peer label', False, log_event) # noqa: E221
# not all combinations are allowed
if self.access and 'bind' in self.access and (self.path or self.interface or self.member or self.peername or self.peerlabel):
@ -203,14 +203,14 @@ class DbusRule(BaseRule):
else:
raise AppArmorBug('Empty access in dbus rule')
bus = self._get_aare_rule_part('bus', self.bus, self.all_buses)
path = self._get_aare_rule_part('path', self.path, self.all_paths)
name = self._get_aare_rule_part('name', self.name, self.all_names)
interface = self._get_aare_rule_part('interface', self.interface, self.all_interfaces)
member = self._get_aare_rule_part('member', self.member, self.all_members)
bus = self._get_aare_rule_part('bus', self.bus, self.all_buses) # noqa: E221
path = self._get_aare_rule_part('path', self.path, self.all_paths) # noqa: E221
name = self._get_aare_rule_part('name', self.name, self.all_names) # noqa: E221
interface = self._get_aare_rule_part('interface', self.interface, self.all_interfaces) # noqa: E221
member = self._get_aare_rule_part('member', self.member, self.all_members) # noqa: E221
peername = self._get_aare_rule_part('name', self.peername, self.all_peernames)
peerlabel = self._get_aare_rule_part('label', self.peerlabel, self.all_peerlabels)
peername = self._get_aare_rule_part('name', self.peername, self.all_peernames) # noqa: E221
peerlabel = self._get_aare_rule_part('label', self.peerlabel, self.all_peerlabels) # noqa: E221
peer = peername + peerlabel
if peer:
peer = ' peer=(%s)' % peer.strip()
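Review bot: The line `+ '(' r'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel1' + ')'` in the `RE_DBUS_DETAILS` hunk relies on implicit adjacent-literal concatenation between `'('` and `r'label\s*=\s*'` while every sibling alternative uses an explicit `+`; it is correct, but reads like a dropped operator, and since the expression is being reflowed anyway it should become `+ '(' + r'label\s*=\s*' + RE_PROFILE_NAME % 'peerlabel1' + ')'`. Separately, the `# noqa: E221` annotations on the column-aligned `self._aare_or_all(...)` and `self._get_aare_rule_part(...)` assignments suppress the same check line by line; either drop the alignment or add E221 to the project's flake8 ignore list once, which keeps the intent visible without a trailing comment on every line. The `DbusRule` methods in the later hunks start outside their hunks.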


@ -63,7 +63,7 @@ class FileRule(BaseRule):
comment=comment, log_event=log_event)
# rulepart partperms is_path log_event
self.path, self.all_paths = self._aare_or_all(path, 'path', True, log_event)
self.path, self.all_paths = self._aare_or_all(path, 'path', True, log_event) # noqa: E221
self.target, self.all_targets = self._aare_or_all(target, 'target', False, log_event)
self.can_glob = not self.all_paths
@ -564,7 +564,7 @@ def perms_with_a(perms):
- perms: the original permissions
"""
if not perms or 'w' not in perms:
return perms # no need to change anything
return perms # no need to change anything
perms_with_a = set(perms)
perms_with_a.add('a')


@ -26,15 +26,15 @@ _ = init_translation()
access_keywords = ['sqpoll', 'override_creds']
joint_access_keyword = r'\s*(' + '|'.join(access_keywords) + r')\s*'
RE_ACCESS_KEYWORDS = (joint_access_keyword + # one of the access_keyword or
'|' + # or
r'\(' + joint_access_keyword + '(' + r'(\s|,)+' + joint_access_keyword + ')*' + r'\)' # one or more access_keyword in (...)
RE_ACCESS_KEYWORDS = (joint_access_keyword # one of the access_keyword or
+ '|' # or
+ r'\(' + joint_access_keyword + '(' + r'(\s|,)+' + joint_access_keyword + ')*' + r'\)' # one or more access_keyword in (...)
)
RE_IO_URING_DETAILS = re.compile(
r'^' +
r'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + r'))?' + # optional access keyword(s)
r'(\s+(label\s*=\s*' + RE_PROFILE_NAME % 'label' + r'))?' + # optional label
r'\s*$')
r'^'
+ r'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + r'))?' # optional access keyword(s)
+ r'(\s+(label\s*=\s*' + RE_PROFILE_NAME % 'label' + r'))?' # optional label
+ r'\s*$')
class IOUringRule(BaseRule):
@ -119,7 +119,7 @@ class IOUringRule(BaseRule):
else:
raise AppArmorBug('Empty label in io_uring rule')
return('%s%sio_uring%s%s,%s' % (space, self.modifiers_str(), access, label, self.comment))
return '%s%sio_uring%s%s,%s' % (space, self.modifiers_str(), access, label, self.comment)
def _is_covered_localvars(self, other_rule):
'''check if other_rule is covered by this rule object'''
@ -136,8 +136,7 @@ class IOUringRule(BaseRule):
def _is_equal_localvars(self, rule_obj, strict):
'''compare if rule-specific variables are equal'''
if (self.access != rule_obj.access or
self.all_access != rule_obj.all_access):
if (self.access != rule_obj.access or self.all_access != rule_obj.all_access):
return False
if not self._is_equal_aare(self.label, self.all_labels, rule_obj.label, rule_obj.all_labels, 'label'):
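Review bot: Now that `if (self.access != rule_obj.access or self.all_access != rule_obj.all_access):` fits on one line in `_is_equal_localvars`, the wrapping parentheses are a leftover of the old line continuation and can go: `if self.access != rule_obj.access or self.all_access != rule_obj.all_access:`. The same leftover appears in the matching `_is_equal_localvars` hunks of the `MessageQueueRule` and `UserNamespaceRule` sections of this commit. The method continues outside the hunk.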


@ -100,8 +100,8 @@ class MountRule(BaseRule):
else:
self.all_fstype = False
for it in fstype[1]:
l, unused = parse_aare(it, 0, 'fstype')
if l != len(it):
aare_len, unused = parse_aare(it, 0, 'fstype')
if aare_len != len(it):
raise AppArmorException(f'Invalid aare : {it}')
self.fstype = fstype[1]
self.is_fstype_equal = fstype[0]
@ -294,7 +294,6 @@ class MountRuleset(BaseRuleset):
'''Class to handle and store a collection of Mount rules'''
def parse_aare(s, offset, param):
parsed = ''
brace_count = 0


@ -30,21 +30,21 @@ access_keywords_other = ['create', 'open', 'delete', 'getattr', 'setattr']
access_keywords = access_keywords_read + access_keywords_write + access_keywords_rw + access_keywords_other
joint_access_keyword = r'\s*(' + '|'.join(access_keywords) + r')\s*'
RE_ACCESS_KEYWORDS = (joint_access_keyword + # one of the access_keyword or
'|' + # or
r'\(' + joint_access_keyword + '(' + r'(\s|,)+' + joint_access_keyword + ')*' + r'\)' # one or more access_keyword in (...)
RE_ACCESS_KEYWORDS = (joint_access_keyword # one of the access_keyword or
+ '|' # or
+ r'\(' + joint_access_keyword + '(' + r'(\s|,)+' + joint_access_keyword + ')*' + r'\)' # one or more access_keyword in (...)
)
RE_MQUEUE_NAME = r'(?P<%s>(/\S+|\d*))' # / + string for posix, or digits for sys
RE_MQUEUE_TYPE = r'(?P<%s>(sysv|posix))' # type can be sysv or posix
RE_MQUEUE_DETAILS = re.compile(
'^' +
r'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' + # optional access keyword(s)
r'(\s+(type=' + RE_MQUEUE_TYPE % 'mqueue_type' + '))?' + # optional type
r'(\s+(label=' + RE_PROFILE_NAME % 'label' + '))?' + # optional label
r'(\s+(' + RE_MQUEUE_NAME % 'mqueue_name' + '))?' + # optional mqueue name
r'\s*$')
'^'
+ r'(\s+(?P<access>' + RE_ACCESS_KEYWORDS + '))?' # optional access keyword(s)
+ r'(\s+(type=' + RE_MQUEUE_TYPE % 'mqueue_type' + '))?' # optional type
+ r'(\s+(label=' + RE_PROFILE_NAME % 'label' + '))?' # optional label
+ r'(\s+(' + RE_MQUEUE_NAME % 'mqueue_name' + '))?' # optional mqueue name
+ r'\s*$')
class MessageQueueRule(BaseRule):
@ -169,7 +169,7 @@ class MessageQueueRule(BaseRule):
else:
raise AppArmorBug('Empty mqueue_name in mqueue rule')
return('%s%smqueue%s%s%s%s,%s' % (space, self.modifiers_str(), access, mqueue_type, label, mqueue_name, self.comment))
return '%s%smqueue%s%s%s%s,%s' % (space, self.modifiers_str(), access, mqueue_type, label, mqueue_name, self.comment)
def _is_covered_localvars(self, other_rule):
'''check if other_rule is covered by this rule object'''
@ -192,8 +192,7 @@ class MessageQueueRule(BaseRule):
def _is_equal_localvars(self, rule_obj, strict):
'''compare if rule-specific variables are equal'''
if (self.access != rule_obj.access or
self.all_access != rule_obj.all_access):
if (self.access != rule_obj.access or self.all_access != rule_obj.all_access):
return False
if not self._is_equal_aare(self.mqueue_type, self.all_mqueue_types, rule_obj.mqueue_type, rule_obj.all_mqueue_types, 'mqueue_type'):


@ -35,10 +35,8 @@ network_domain_keywords = [
network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
network_protocol_keywords = ['tcp', 'udp', 'icmp']
byte = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
network_ipv4 = f"{byte}\.{byte}\.{byte}\.{byte}"
byte = r'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
network_ipv4 = fr'{byte}\.{byte}\.{byte}\.{byte}'
network_ipv6 = (
r'('
@ -60,8 +58,8 @@ network_ipv6 = (
network_port = r'(port\s*=\s*(?P<%s>\d+))\s*'
ip_cond = fr'\s*ip\s*=\s*(?P<%s>(({network_ipv4})|({network_ipv6})|none))\s*'
RE_LOCAL_EXPR = f'((({ip_cond % "ip" })|({network_port % "port"}))*)'
RE_PEER_EXPR = fr'(peer\s*=\s*\(\s*(({ip_cond % "ip_peer"})|({network_port % "port_peer"}))+\s*\))'
RE_LOCAL_EXPR = f'((({ip_cond % "ip"})|({network_port % "port"}))*)'
RE_PEER_EXPR = fr'(peer\s*=\s*\(\s*(({ip_cond % "ip_peer"})|({network_port % "port_peer"}))+\s*\))'
RE_NETWORK_DOMAIN = '(' + '|'.join(network_domain_keywords) + ')'
@ -72,9 +70,9 @@ RE_NETWORK_DETAILS = re.compile(
r'^\s*'
+ r'(\s*' + network_accesses + r')?\s*'
+ '(?P<domain>' + RE_NETWORK_DOMAIN + r')?\s*' # optional domain
+ r'(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?\s*' # optional type or protocol
+ r'(\s+(?P<type_or_protocol>' + RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + r'))?\s*' # optional type or protocol
+ '(' + RE_LOCAL_EXPR + r')?\s*'
+ '(' + RE_PEER_EXPR + ')?\s*'
+ '(' + RE_PEER_EXPR + r')?\s*'
+ r'$')
@ -94,7 +92,6 @@ class NetworkRule(BaseRule):
def __init__(self, accesses, domain, type_or_protocol, local_expr, peer_expr, audit=False, deny=False,
allow_keyword=False, comment='', log_event=None):
super().__init__(audit=audit, deny=deny, allow_keyword=allow_keyword,
comment=comment, log_event=log_event)
@ -115,14 +112,14 @@ class NetworkRule(BaseRule):
self.peer_expr = check_dict_keys(peer_expr, {'ip', 'port'}, self.ALL)
if self.local_expr != self.ALL and 'port' in self.local_expr and int(self.local_expr['port']) > 65535:
raise AppArmorException(f"Invalid port: {self.local_expr['port']}")
raise AppArmorException(f'Invalid port: {self.local_expr["port"]}')
if self.peer_expr != self.ALL and 'port' in self.peer_expr and int(self.peer_expr['port']) > 65535:
raise AppArmorException(f"Invalid remote port: {self.peer_expr['port']}")
raise AppArmorException(f'Invalid remote port: {self.peer_expr["port"]}')
if self.local_expr != self.ALL and 'ip' in self.local_expr and not is_valid_ip(self.local_expr['ip']):
raise AppArmorException(f"Invalid ip: {self.local_expr['ip']}")
raise AppArmorException(f'Invalid ip: {self.local_expr["ip"]}')
if self.peer_expr != self.ALL and 'ip' in self.peer_expr and not is_valid_ip(self.peer_expr['ip']):
raise AppArmorException(f"Invalid ip: {self.peer_expr['ip']}")
raise AppArmorException(f'Invalid ip: {self.peer_expr["ip"]}')
if not self.all_accesses and self.peer_expr != self.ALL and self.accesses & {'create', 'bind', 'listen', 'shutdown', 'getattr', 'setattr', 'getopt', 'setopt'}:
raise AppArmorException('Cannot use a peer_expr and an access in {create, bind, listen, shutdown, getattr, setattr, getopt, setopt} simultaneously')
@ -156,7 +153,6 @@ class NetworkRule(BaseRule):
else:
raise AppArmorBug('Passed unknown object to %s: %s' % (type(self).__name__, str(type_or_protocol)))
@classmethod
def _create_instance(cls, raw_rule, matches):
"""parse raw_rule and return instance of this class"""
@ -170,7 +166,7 @@ class NetworkRule(BaseRule):
if rule_details:
details = RE_NETWORK_DETAILS.search(rule_details)
if not details:
raise AppArmorException(_("Invalid or unknown keywords in 'network %s" % rule_details))
raise AppArmorException(_("Invalid or unknown keywords in 'network %s'" % rule_details))
r = details.groupdict()
@ -257,7 +253,6 @@ class NetworkRule(BaseRule):
return True
def _is_equal_localvars(self, rule_obj, strict):
"""compare if rule-specific variables are equal"""


@ -114,7 +114,6 @@ class UnixRule(BaseRule):
else:
accesses = cls.ALL
rule_conds = initialize_cond_dict(r, ['type', 'protocol'], '_cond_set', cls.ALL)
local_expr = initialize_cond_dict(r, ['addr', 'label', 'attr', 'opt'], '_cond', cls.ALL)
peer_expr = initialize_cond_dict(r, ['addr', 'label'], '_peer_cond', cls.ALL)
@ -202,5 +201,6 @@ class UnixRule(BaseRule):
return True
class UnixRuleset(BaseRuleset):
'''Class to handle and store a collection of Unix rules'''


@ -25,9 +25,9 @@ _ = init_translation()
access_keyword = 'create'
RE_USERNS_DETAILS = re.compile(
'^' +
r'\s+(?P<access>' + access_keyword + ')?' + # optional access keyword
r'\s*$')
'^'
+ r'\s+(?P<access>' + access_keyword + ')?' # optional access keyword
+ r'\s*$')
class UserNamespaceRule(BaseRule):
@ -89,7 +89,7 @@ class UserNamespaceRule(BaseRule):
else:
raise AppArmorBug('Empty access in userns rule')
return('%s%suserns%s,%s' % (space, self.modifiers_str(), access, self.comment))
return '%s%suserns%s,%s' % (space, self.modifiers_str(), access, self.comment)
def _is_covered_localvars(self, other_rule):
'''check if other_rule is covered by this rule object'''
@ -103,8 +103,7 @@ class UserNamespaceRule(BaseRule):
def _is_equal_localvars(self, rule_obj, strict):
'''compare if rule-specific variables are equal'''
if (self.access != rule_obj.access or
self.all_access != rule_obj.all_access):
if (self.access != rule_obj.access or self.all_access != rule_obj.all_access):
return False
return True


@ -104,7 +104,7 @@ class aa_tools:
if program is None:
program = profile
if not program or not(os.path.exists(program) or profile in apparmor.aa):
if not program or not (os.path.exists(program) or profile in apparmor.aa):
if program and not program.startswith('/'):
program = aaui.UI_GetString(_('The given program cannot be found, please try with the fully qualified path name of the program: '), '')
else:


@ -100,7 +100,7 @@ def getkey():
key = readkey()
if key == '[':
key = readkey()
if(ARROWS.get(key, False)):
if ARROWS.get(key, False):
key = ARROWS[key]
return key.strip()
@ -540,7 +540,6 @@ class PromptQuestion:
selected += 1
ans = 'XXXINVALIDXXX'
# elif keys.get(ans, False) == 'CMD_HELP':
# sys.stdout.write('\n%s\n' %helptext)
# ans = 'XXXINVALIDXXX'
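Review bot: `if ARROWS.get(key, False):` followed by `key = ARROWS[key]` looks the table up twice to express a membership test; `if key in ARROWS:` states the intent directly and avoids the second lookup. This is only equivalent if no value in `ARROWS` is falsy, which the name suggests but the table itself is not in this hunk, so confirm before changing it. `getkey` starts before this hunk.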


@ -107,7 +107,7 @@ class AADecodeTest(unittest.TestCase):
expected_string = 'name="/tmp/foo bar"'
content = \
'''type=AVC msg=audit(1348982151.183:2934): apparmor="DENIED" operation="open" parent=30751 profile="/usr/lib/firefox/firefox{,*[^s] [^h]}" name=2F746D702F666F6F20626172 pid=30833 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''
''' # noqa: E128
self._run_file_test(content, (expected_string,))
@ -123,7 +123,7 @@ class AADecodeTest(unittest.TestCase):
''' type=LOGIN msg=audit(1348980001.155:2925): login pid=17875 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2762
type=AVC msg=audit(1348982151.183:2934): apparmor="DENIED" operation="open" parent=30751 profile="/usr/lib/firefox/firefox{,*[^s] [^h]}" name=2F746D702F666F6F20626172 pid=30833 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock" parent=5490 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name=2F686F6D652F73746576652F746D702F6D7920746573742066696C65 pid=30737 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
'''
''' # noqa: E128
self._run_file_test(content, expected_strings)
@ -135,7 +135,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock"
'name="/lib/x86_64-linux-gnu/libdl-2.13.so"', 'profile="/test space"')
content = \
'''[289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=2F74657374207370616365 name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''
''' # noqa: E128
self._run_file_test(content, expected_strings)
@ -147,7 +147,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock"
'profile="/home/steve/tmp/my prog.sh"')
content = \
'''type=AVC msg=audit(1349805073.402:6857): apparmor="DENIED" operation="mknod" parent=5890 profile=2F686F6D652F73746576652F746D702F6D792070726F672E7368 name=2F686F6D652F73746576652F746D702F6D7920746573742066696C65 pid=5891 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
'''
''' # noqa: E128
self._run_file_test(content, expected_strings)
@ -157,7 +157,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock"
expected_strings = ('name="/home/steve/tmp/my test ^file"',)
content = \
'''type=AVC msg=audit(1349805073.402:6857): apparmor="DENIED" operation="mknod" parent=5890 profile="/usr/bin/test_profile" name=2F686F6D652F73746576652F746D702F6D792074657374205E66696C65 pid=5891 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
'''
''' # noqa: E128
self._run_file_test(content, expected_strings)
@ -167,7 +167,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock"
expected_strings = (r'name="/home/steve/tmp/my test \^file"',)
content = \
'''type=AVC msg=audit(1349805073.402:6857): apparmor="DENIED" operation="mknod" parent=5890 profile="/usr/bin/test_profile" name=2F686F6D652F73746576652F746D702F6D792074657374205C5E66696C65 pid=5891 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
'''
''' # noqa: E128
self._run_file_test(content, expected_strings)
@ -177,7 +177,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock"
expected_strings = ('name="/home/steve/tmp/my test \'file"',)
content = \
'''type=AVC msg=audit(1349805073.402:6857): apparmor="DENIED" operation="mknod" parent=5890 profile="/usr/bin/test_profile" name=2F686F6D652F73746576652F746D702F6D792074657374202766696C65 pid=5891 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
'''
''' # noqa: E128
self._run_file_test(content, expected_strings)
@ -187,7 +187,7 @@ type=AVC msg=audit(1348982148.195:2933): apparmor="DENIED" operation="file_lock"
expected_strings = ('name="/lib/x86_64-linux-gnu/libdl-2.13.so"', 'profile="test space"')
content = \
'''[289763.843292] type=1400 audit(1322614912.304:857): apparmor="ALLOWED" operation="getattr" parent=16001 profile=74657374207370616365 name="/lib/x86_64-linux-gnu/libdl-2.13.so" pid=17011 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''
''' # noqa: E128
self._run_file_test(content, expected_strings)
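Review bot: Each of the eight `''' # noqa: E128` suppressions in this section exists only because the literal is introduced with `content = \` and a backslash continuation; starting the triple-quoted string on the assignment line instead (`content = '''type=AVC msg=audit(...`) keeps the string bytes identical and removes both the continuation and the need for the noqa. The opening `'''` then sits on the same line as the first log record, so the test data does not change. Each test method starts before its hunk.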


@ -911,10 +911,10 @@ POLICYGROUPS_DIR="{}/templates"
def test_genpolicy_abstractions_bad(self):
"""Test genpolicy (abstractions - bad values)"""
bad = (
"nonexistent",
"/../../../../etc/passwd",
"abstraction with spaces",
)
"nonexistent",
"/../../../../etc/passwd",
"abstraction with spaces",
)
for s in bad:
try:
self._gen_policy(extra_args=['--abstractions=' + s])
@ -1322,16 +1322,16 @@ POLICYGROUPS_DIR="{}/templates"
def test_genpolicy_templatevar_bad(self):
"""Test genpolicy (template-var - bad values)"""
bad = [
"{FOO}=bar",
"@FOO}=bar",
"@{FOO=bar",
"FOO=bar",
"@FOO=bar",
"@{FOO}=/../../../etc/passwd",
"@{FOO}=bar=foo",
"@{FOO;BAZ}=bar",
'@{FOO}=bar"baz',
]
"{FOO}=bar",
"@FOO}=bar",
"@{FOO=bar",
"FOO=bar",
"@FOO=bar",
"@{FOO}=/../../../etc/passwd",
"@{FOO}=bar=foo",
"@{FOO;BAZ}=bar",
'@{FOO}=bar"baz',
]
for s in bad:
try:
self._gen_policy(extra_args=['--template-var=' + s])
@ -2339,9 +2339,11 @@ POLICYGROUPS_DIR="{}/templates"
}
}
}
}''' % (files["com.example.foo"],
files["com.ubuntu.developer.myusername.MyCoolApp"],
files["usr.bin.baz"])
}''' % (
files["com.example.foo"],
files["com.ubuntu.developer.myusername.MyCoolApp"],
files["usr.bin.baz"]
)
out_dir = os.path.join(self.tmpdir, "output")


@ -81,7 +81,7 @@ Feb 4 13:40:38 XPS-13-9370 kernel: [128552.835421] audit: type=1400 audit({epoc
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.835696] audit: type=1400 audit({epoch}:120): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/bin/uname" name="/usr/lib/locale/locale-archive" pid=4097 comm="uname" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.875891] audit: type=1400 audit({epoch}:121): apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/file" pid=4111 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 target="libreoffice-soffice//null-/usr/bin/file"
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.880347] audit: type=1400 audit({epoch}:122): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice//null-/usr/bin/file" name="/usr/bin/file" pid=4111 comm="file" requested_mask="rm" denied_mask="rm" fsuid=1001 ouid=0
'''.format(epoch=round(_time, 3) - 60 * 60 * 24 * 999)
'''.format(epoch=round(_time, 3) - 60 * 60 * 24 * 999) # noqa: E128
test_logfile_contents_30_days_old = \
'''Feb 4 13:40:38 XPS-13-9370 kernel: [128552.834382] audit: type=1400 audit({epoch}:113): apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/bin/uname" pid=4097 comm="sh" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 target="libreoffice-soffice//null-/bin/uname"
@ -94,13 +94,13 @@ Feb 4 13:40:38 XPS-13-9370 kernel: [128552.835421] audit: type=1400 audit({epoc
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.835696] audit: type=1400 audit({epoch}:120): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/bin/uname" name="/usr/lib/locale/locale-archive" pid=4097 comm="uname" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.875891] audit: type=1400 audit({epoch}:121): apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/file" pid=4111 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 target="libreoffice-soffice//null-/usr/bin/file"
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.880347] audit: type=1400 audit({epoch}:122): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice//null-/usr/bin/file" name="/usr/bin/file" pid=4111 comm="file" requested_mask="rm" denied_mask="rm" fsuid=1001 ouid=0
'''.format(epoch=round(_time, 3) - 60 * 60 * 24 * 30)
'''.format(epoch=round(_time, 3) - 60 * 60 * 24 * 30) # noqa: E128
test_logfile_contents_unrelevant_entries = \
'''Feb 1 19:35:44 XPS-13-9370 kernel: [99848.048761] audit: type=1400 audit(1549042544.968:72): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/6350/usr/lib/snapd/snap-confine" pid=12871 comm="apparmor_parser"
Feb 2 00:40:09 XPS-13-9370 kernel: [103014.549071] audit: type=1400 audit(1549060809.600:89): apparmor="STATUS" operation="profile_load" profile="unconfined" name="docker-default" pid=17195 comm="apparmor_parser"
Feb 4 20:05:42 XPS-13-9370 kernel: [132557.202931] audit: type=1400 audit(1549303542.661:136): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.atom.apm" pid=11306 comm="apparmor_parser"
'''
''' # noqa: E128
test_logfile_contents_0_seconds_old = \
'''Feb 4 13:40:38 XPS-13-9370 kernel: [128552.834382] audit: type=1400 audit({epoch}:113): apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/bin/uname" pid=4097 comm="sh" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 target="libreoffice-soffice//null-/bin/uname"
@ -113,7 +113,7 @@ Feb 4 13:40:38 XPS-13-9370 kernel: [128552.835421] audit: type=1400 audit({epoc
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.835696] audit: type=1400 audit({epoch}:120): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice//null-/bin/uname" name="/usr/lib/locale/locale-archive" pid=4097 comm="uname" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.875891] audit: type=1400 audit({epoch}:121): apparmor="ALLOWED" operation="exec" profile="libreoffice-soffice" name="/usr/bin/file" pid=4111 comm="soffice.bin" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0 target="libreoffice-soffice//null-/usr/bin/file"
Feb 4 13:40:38 XPS-13-9370 kernel: [128552.880347] audit: type=1400 audit({epoch}:122): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice//null-/usr/bin/file" name="/usr/bin/file" pid=4111 comm="file" requested_mask="rm" denied_mask="rm" fsuid=1001 ouid=0
'''.format(epoch=round(_time, 3))
'''.format(epoch=round(_time, 3)) # noqa: E128
return test_logfile_contents_999_days_old \
+ test_logfile_contents_30_days_old \
@ -190,7 +190,7 @@ class AANotifyTest(AANotifyBase):
[--filter.socket SOCKET]
Display AppArmor notifications or messages for DENIED entries.
'''
''' # noqa: E128
expected_output_2 = \
'''
@ -224,7 +224,7 @@ Filtering options:
regular expression to match the network family
--filter.socket SOCKET
regular expression to match the network socket type
'''
''' # noqa: E128
return_code, output = cmd(aanotify_bin + ['--help'])
result = 'Got return code {}, expected {}\n'.format(return_code, expected_return_code)
@ -326,7 +326,7 @@ Name: /usr/bin/file
Denied: rm
Logfile: {logfile}
AppArmor denials: 10 (since'''.format(logfile=self.test_logfile_last_login)
AppArmor denials: 10 (since'''.format(logfile=self.test_logfile_last_login) # noqa: E128
return_code, output = cmd(aanotify_bin + ['-f', self.test_logfile_last_login, '-l', '-v'])
if "ERROR: Could not find last login" in output:


@ -78,7 +78,6 @@ class AaTest_check_for_apparmor(AaTestWithTempdir):
self.assertEqual(self.tmpdir + '/security/apparmor', check_for_apparmor(filesystems, mounts))
class AaTest_create_new_profile(AATest):
tests = (
# file content filename expected interpreter expected abstraction (besides 'base') expected profiles
@ -118,7 +117,7 @@ class AaTest_create_new_profile(AATest):
if exp_interpreter_path:
self.assertEqual(
set(profile[program]['file'].get_clean()),
{'{} ix,'.format(exp_interpreter_path), '{} r,'.format(program), '' })
{'{} ix,'.format(exp_interpreter_path), '{} r,'.format(program), ''})
else:
self.assertEqual(set(profile[program]['file'].get_clean()), {'{} mr,'.format(program), ''})
@ -178,21 +177,27 @@ class AaTest_get_profile_flags(AaTestWithTempdir):
def test_get_flags_01(self):
self._test_get_flags('/foo', None)
def test_get_flags_02(self):
self._test_get_flags('/foo ( complain )', ' complain ')
def test_get_flags_04(self):
self._test_get_flags('/foo (complain)', 'complain')
def test_get_flags_05(self):
self._test_get_flags('/foo flags=(complain)', 'complain')
def test_get_flags_06(self):
self._test_get_flags('/foo flags=(complain, audit)', 'complain, audit')
def test_get_flags_invalid_01(self):
with self.assertRaises(AppArmorException):
self._test_get_flags('/foo ()', None)
def test_get_flags_invalid_02(self):
with self.assertRaises(AppArmorException):
self._test_get_flags('/foo flags=()', None)
def test_get_flags_invalid_03(self):
with self.assertRaises(AppArmorException):
self._test_get_flags('/foo ( )', ' ')
@ -234,24 +239,34 @@ class AaTest_change_profile_flags(AaTestWithTempdir):
# tests that actually don't change the flags
def test_change_profile_flags_nochange_02(self):
self._test_change_profile_flags('/foo', '( complain )', 'complain', True, 'complain', whitespace=' ')
def test_change_profile_flags_nochange_03(self):
self._test_change_profile_flags('/foo', '(complain)', 'complain', True, 'complain')
def test_change_profile_flags_nochange_04(self):
self._test_change_profile_flags('/foo', 'flags=(complain)', 'complain', True, 'complain')
def test_change_profile_flags_nochange_05(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'complain', True, 'audit, complain', whitespace=' ')
def test_change_profile_flags_nochange_06(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'complain', True, 'audit, complain', whitespace=' ', comment='# a comment')
def test_change_profile_flags_nochange_07(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'audit', True, 'audit, complain', whitespace=' ', more_rules=' # a comment\n#another comment')
def test_change_profile_flags_nochange_08(self):
self._test_change_profile_flags('profile /foo', 'flags=(complain)', 'complain', True, 'complain')
def test_change_profile_flags_nochange_09(self):
self._test_change_profile_flags('profile xy /foo', 'flags=(complain)', 'complain', True, 'complain', profile_name='xy')
def test_change_profile_flags_nochange_10(self):
self._test_change_profile_flags('profile "/foo bar"', 'flags=(complain)', 'complain', True, 'complain', profile_name='/foo bar')
def test_change_profile_flags_nochange_11(self):
self._test_change_profile_flags('/foo', '(complain)', 'complain', True, 'complain', profile_name=None)
def test_change_profile_flags_nochange_12(self):
# XXX changes the flags for the child profile (which happens to have the same profile name) to 'complain'
self._test_change_profile_flags('/foo', 'flags=(complain)', 'complain', True, 'complain', more_rules=' profile /foo {\n}', expected_more_rules=' profile /foo flags=(complain) {\n}')
@ -259,26 +274,37 @@ class AaTest_change_profile_flags(AaTestWithTempdir):
# tests that change the flags
def test_change_profile_flags_01(self):
self._test_change_profile_flags('/foo', '', 'audit', True, 'audit')
def test_change_profile_flags_02(self):
self._test_change_profile_flags('/foo', '( complain )', 'audit', True, 'audit, complain', whitespace=' ')
def test_change_profile_flags_04(self):
self._test_change_profile_flags('/foo', '(complain)', 'audit', True, 'audit, complain')
def test_change_profile_flags_05(self):
self._test_change_profile_flags('/foo', 'flags=(complain)', 'audit', True, 'audit, complain')
def test_change_profile_flags_06(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'complain', False, 'audit', whitespace=' ')
def test_change_profile_flags_07(self):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', 'audit', False, 'complain')
def test_change_profile_flags_08(self):
self._test_change_profile_flags('/foo', '( complain )', 'audit', True, 'audit, complain', whitespace=' ', profile_name=None)
def test_change_profile_flags_09(self):
self._test_change_profile_flags('profile /foo', 'flags=(complain)', 'audit', True, 'audit, complain')
def test_change_profile_flags_10(self):
self._test_change_profile_flags('profile xy /foo', 'flags=(complain)', 'audit', True, 'audit, complain', profile_name='xy')
def test_change_profile_flags_11(self):
self._test_change_profile_flags('profile "/foo bar"', 'flags=(complain)', 'audit', True, 'audit, complain', profile_name='/foo bar')
def test_change_profile_flags_12(self):
self._test_change_profile_flags('profile xy "/foo bar"', 'flags=(complain)', 'audit', True, 'audit, complain', profile_name='xy')
def test_change_profile_flags_13(self):
self._test_change_profile_flags('/foo', '(audit)', 'audit', False, '')
@ -339,12 +365,15 @@ class AaTest_change_profile_flags(AaTestWithTempdir):
def test_change_profile_flags_invalid_01(self):
with self.assertRaises(AppArmorBug):
self._test_change_profile_flags('/foo', '()', None, False, '', check_new_flags=False)
def test_change_profile_flags_invalid_02(self):
with self.assertRaises(AppArmorBug):
self._test_change_profile_flags('/foo', 'flags=()', None, True, '', check_new_flags=False)
def test_change_profile_flags_invalid_03(self):
with self.assertRaises(AppArmorBug):
self._test_change_profile_flags('/foo', '( )', '', True, '', check_new_flags=False)
def test_change_profile_flags_invalid_04(self):
with self.assertRaises(AppArmorBug):
self._test_change_profile_flags('/foo', 'flags=(complain, audit)', ' ', True, 'audit, complain', check_new_flags=False) # whitespace-only newflags
@ -411,48 +440,68 @@ class AaTest_set_options_owner_mode(AATest):
class AaTest_is_skippable_file(AATest):
def test_not_skippable_01(self):
self.assertFalse(is_skippable_file('bin.ping'))
def test_not_skippable_02(self):
self.assertFalse(is_skippable_file('usr.lib.dovecot.anvil'))
def test_not_skippable_03(self):
self.assertFalse(is_skippable_file('bin.~ping'))
def test_not_skippable_04(self):
self.assertFalse(is_skippable_file('bin.rpmsave.ping'))
def test_not_skippable_05(self):
# normally is_skippable_file should be called without directory, but it shouldn't hurt too much
self.assertFalse(is_skippable_file('/etc/apparmor.d/bin.ping'))
def test_not_skippable_06(self):
self.assertFalse(is_skippable_file('bin.pingrej'))
def test_skippable_01(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-new'))
def test_skippable_02(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-old'))
def test_skippable_03(self):
self.assertTrue(is_skippable_file('bin.ping..dpkg-dist'))
def test_skippable_04(self):
self.assertTrue(is_skippable_file('bin.ping..dpkg-bak'))
def test_skippable_05(self):
self.assertTrue(is_skippable_file('bin.ping.dpkg-remove'))
def test_skippable_06(self):
self.assertTrue(is_skippable_file('bin.ping.pacsave'))
def test_skippable_07(self):
self.assertTrue(is_skippable_file('bin.ping.pacnew'))
def test_skippable_08(self):
self.assertTrue(is_skippable_file('bin.ping.rpmnew'))
def test_skippable_09(self):
self.assertTrue(is_skippable_file('bin.ping.rpmsave'))
def test_skippable_10(self):
self.assertTrue(is_skippable_file('bin.ping.orig'))
def test_skippable_11(self):
self.assertTrue(is_skippable_file('bin.ping.rej'))
def test_skippable_12(self):
self.assertTrue(is_skippable_file('bin.ping~'))
def test_skippable_13(self):
self.assertTrue(is_skippable_file('.bin.ping'))
def test_skippable_14(self):
self.assertTrue(is_skippable_file('')) # empty filename
def test_skippable_15(self):
self.assertTrue(is_skippable_file('/etc/apparmor.d/')) # directory without filename
def test_skippable_16(self):
self.assertTrue(is_skippable_file('README'))


@ -25,7 +25,7 @@ _ = init_translation()
exp = namedtuple(
'exp', ( # 'audit', 'allow_keyword', 'deny',
'comment', 'path', 'ifexists', 'ismagic'))
'comment', 'path', 'ifexists', 'ismagic'))
# --- tests for single AbiRule --- #
@ -290,7 +290,7 @@ class AbiLogprofHeaderTest(AATest):
self.assertEqual(obj.logprof_header(), expected)
## --- tests for AbiRuleset --- #
# --- tests for AbiRuleset --- #
class AbiRulesTest(AATest):
def test_empty_ruleset(self):


@ -218,6 +218,7 @@ class AliasCoveredTest_Invalid(AATest):
def test_invalid_is_covered_3(self):
raw_rule = 'alias /foo -> /bar,'
class SomeOtherClass(AliasRule):
pass
@ -228,6 +229,7 @@ class AliasCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'alias /foo -> /bar,'
class SomeOtherClass(AliasRule):
pass


@ -44,10 +44,10 @@ class AllTest(AATest):
class AllTestParse(AllTest):
tests = (
# rawrule audit allow deny comment
('all,', exp(False, False, False, '', )),
('deny all, # comment', exp(False, False, True, ' # comment', )),
('audit allow all,', exp(True, True, False, '', )),
('audit allow all,', exp(True, True, False, '', )),
('all,', exp(False, False, False, '')),
('deny all, # comment', exp(False, False, True, ' # comment')),
('audit allow all,', exp(True, True, False, '')),
('audit allow all,', exp(True, True, False, '')),
)
def _run_test(self, rawrule, expected):
@ -77,8 +77,8 @@ class AllTestParseInvalid(AllTest):
class AllFromInit(AllTest):
tests = (
# AllRule object audit allow deny comment
(AllRule(deny=True), exp(False, False, True, '', )),
(AllRule(), exp(False, False, False, '', )),
(AllRule(deny=True), exp(False, False, True, '')),
(AllRule(), exp(False, False, False, '')),
)
def _run_test(self, obj, expected):
@ -168,7 +168,7 @@ class AllCoveredTest_02(AllCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'all,', (False, False, True, False)),
(' all,', (False, False, True, False)),
('audit all,', (True, True, True, True)),
)
@ -178,15 +178,16 @@ class AllCoveredTest_03(AllCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'deny all,', (True, True, True, True)),
(' deny all,', (True, True, True, True)),
('audit deny all,', (False, False, False, False)),
( 'all,', (False, False, False, False)), # XXX should covered be true here?
(' all,', (False, False, False, False)), # XXX should covered be true here?
)
class AllCoveredTest_Invalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'all,'
class SomeOtherClass(AllRule):
pass
@ -197,6 +198,7 @@ class AllCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'all,'
class SomeOtherClass(AllRule):
pass
@ -220,10 +222,10 @@ class AllSeverityTest(AATest):
class AllLogprofHeaderTest(AATest):
tests = (
('all,', [ 'All', _('Allow everything'), ]),
('deny all,', [_('Qualifier'), 'deny', 'All', _('Allow everything'), ]),
('allow all,', [_('Qualifier'), 'allow', 'All', _('Allow everything'), ]),
('audit deny all,', [_('Qualifier'), 'audit deny', 'All', _('Allow everything'), ]),
('all,', [ 'All', _('Allow everything')]), # noqa: E201
('deny all,', [_('Qualifier'), 'deny', 'All', _('Allow everything')]),
('allow all,', [_('Qualifier'), 'allow', 'All', _('Allow everything')]),
('audit deny all,', [_('Qualifier'), 'audit deny', 'All', _('Allow everything')]),
)
def _run_test(self, params, expected):
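Review bot: The `# noqa: E201` on the first row of `AllLogprofHeaderTest.tests` suppresses the lint warning instead of removing the padding inside the opening bracket. The same column alignment can be kept without a suppression by moving the padding in front of the bracket, e.g. `('all,',             ['All', _('Allow everything')]),`. The same pattern is repeated in `CapabilityLogprofHeaderTest.tests` and `ChangeProfileLogprofHeaderTest.tests` below. `_run_test` continues outside the hunk.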


@ -22,15 +22,20 @@ class TestBaserule(AATest):
class ValidSubclass(BaseRule):
@classmethod
def _create_instance(cls, raw_rule, matches): pass
def _create_instance(cls, raw_rule, matches):
pass
def get_clean(self, depth=0): pass
def get_clean(self, depth=0):
pass
def _is_covered_localvars(self, other_rule): pass
def _is_covered_localvars(self, other_rule):
pass
def _is_equal_localvars(self, other_rule, strict): pass
def _is_equal_localvars(self, other_rule, strict):
pass
def _logprof_header_localvars(self): pass
def _logprof_header_localvars(self):
pass
def test_implemented_abstract_methods(self):
self.ValidSubclass()


@ -227,6 +227,7 @@ class BooleanCoveredTest_Invalid(AATest):
def test_invalid_is_covered_3(self):
raw_rule = '$foo = true'
class SomeOtherClass(BooleanRule):
pass
@ -237,6 +238,7 @@ class BooleanCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = '$foo = true'
class SomeOtherClass(BooleanRule):
pass


@ -46,8 +46,8 @@ class CapabilityKeywordsTest(AATest):
'on an newer kernel and will require updating the list of capability keywords in '
'utils/apparmor/rule/capability.py')
# --- tests for single CapabilityRule --- #
# --- tests for single CapabilityRule --- #
class CapabilityTest(AATest):
def _compare_obj_with_rawrule(self, rawrule, expected):
@ -414,6 +414,7 @@ class CapabilityCoveredTest(AATest):
def test_invalid_is_covered(self):
raw_rule = 'capability sys_admin,'
class SomeOtherClass(CapabilityRule):
pass
@ -433,6 +434,7 @@ class CapabilityCoveredTest(AATest):
def test_invalid_is_equal(self):
raw_rule = 'capability sys_admin,'
class SomeOtherClass(CapabilityRule):
pass
@ -490,9 +492,9 @@ class CapabiliySeverityTest(AATest):
class CapabilityLogprofHeaderTest(AATest):
tests = (
('capability,', [ _('Capability'), _('ALL')]),
('capability chown,', [ _('Capability'), 'chown']),
('capability chown fsetid,', [ _('Capability'), 'chown fsetid']),
('capability,', [ _('Capability'), _('ALL')]), # noqa: E201
('capability chown,', [ _('Capability'), 'chown']), # noqa: E201
('capability chown fsetid,', [ _('Capability'), 'chown fsetid']), # noqa: E201
('audit capability,', [_('Qualifier'), 'audit', _('Capability'), _('ALL')]),
('deny capability chown,', [_('Qualifier'), 'deny', _('Capability'), 'chown']),
('allow capability chown fsetid,', [_('Qualifier'), 'allow', _('Capability'), 'chown fsetid']),
@ -505,7 +507,6 @@ class CapabilityLogprofHeaderTest(AATest):
# --- tests for CapabilityRuleset --- #
class CapabilityRulesTest(AATest):
def test_empty_ruleset(self):
ruleset = CapabilityRuleset()
@ -602,53 +603,76 @@ class CapabilityRulesCoveredTest(AATest):
def test_ruleset_is_covered_1(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('capability chown,')))
def test_ruleset_is_covered_2(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('capability sys_admin,')))
def test_ruleset_is_covered_3(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('allow capability sys_admin,')))
def test_ruleset_is_covered_4(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('capability setuid,')))
def test_ruleset_is_covered_5(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('allow capability setgid,')))
def test_ruleset_is_covered_6(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('capability setgid setuid,')))
def test_ruleset_is_covered_7(self):
pass # self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('capability sys_admin chown,'))) # fails because it is split over two rule objects internally
def test_ruleset_is_covered_8(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('capability kill,')))
# deny
def test_ruleset_is_covered_9(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('deny capability chown,')))
def test_ruleset_is_covered_10(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('deny capability sys_admin,')))
def test_ruleset_is_covered_11(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('deny capability sys_admin chown,')))
def test_ruleset_is_covered_12(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('deny capability setgid,')))
def test_ruleset_is_covered_13(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('deny capability kill,')))
# audit
def test_ruleset_is_covered_14(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('audit capability chown,')))
def test_ruleset_is_covered_15(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('audit capability sys_admin,')))
def test_ruleset_is_covered_16(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('audit capability sys_admin chown,')))
def test_ruleset_is_covered_17(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('audit capability setgid,')))
def test_ruleset_is_covered_18(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('audit capability kill,')))
# combined flags
def test_ruleset_is_covered_19(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('deny capability fowner,')))
def test_ruleset_is_covered_20(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('audit deny capability fowner,')))
def test_ruleset_is_covered_21(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('audit capability fowner,')))
def test_ruleset_is_covered_22(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('capability fowner,')))
def test_ruleset_is_covered_23(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.create_instance('capability fowner,'), check_allow_deny=False))
def test_ruleset_is_covered_24(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.create_instance('deny capability chown,'), check_allow_deny=False))


@ -287,12 +287,12 @@ class ChangeProfileCoveredTest_02(ChangeProfileCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'change_profile /foo,', (False, False, True, False)),
(' change_profile /foo,', (False, False, True, False)),
('audit change_profile /foo,', (True, True, True, True)),
( 'change_profile /foo -> /bar,', (False, False, True, False)),
( 'change_profile safe /foo -> /bar,', (False, False, True, False)),
(' change_profile /foo -> /bar,', (False, False, True, False)),
(' change_profile safe /foo -> /bar,', (False, False, True, False)),
('audit change_profile /foo -> /bar,', (False, False, True, True)), # XXX is "covered exact" correct here?
( 'change_profile,', (False, False, False, False)),
(' change_profile,', (False, False, False, False)),
('audit change_profile,', (False, False, False, False)),
(' change_profile -> /bar,', (False, False, False, False)),
)
@ -303,15 +303,15 @@ class ChangeProfileCoveredTest_03(ChangeProfileCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'change_profile /foo -> /bar,', (True, True, True, True)),
(' change_profile /foo -> /bar,', (True, True, True, True)),
('allow change_profile /foo -> /bar,', (True, False, True, True)),
( 'change_profile /foo,', (False, False, False, False)),
( 'change_profile,', (False, False, False, False)),
( 'change_profile /foo -> /xyz,', (False, False, False, False)),
(' change_profile /foo,', (False, False, False, False)),
(' change_profile,', (False, False, False, False)),
(' change_profile /foo -> /xyz,', (False, False, False, False)),
('audit change_profile,', (False, False, False, False)),
('audit change_profile /foo -> /bar,', (False, False, False, False)),
( 'change_profile -> /bar,', (False, False, False, False)),
( 'change_profile,', (False, False, False, False)),
(' change_profile -> /bar,', (False, False, False, False)),
(' change_profile,', (False, False, False, False)),
)
@ -320,12 +320,12 @@ class ChangeProfileCoveredTest_04(ChangeProfileCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'change_profile,', (True, True, True, True)),
(' change_profile,', (True, True, True, True)),
('allow change_profile,', (True, False, True, True)),
( 'change_profile /foo,', (False, False, True, True)),
( 'change_profile /xyz -> bar,', (False, False, True, True)),
( 'change_profile -> /bar,', (False, False, True, True)),
( 'change_profile /foo -> /bar,', (False, False, True, True)),
(' change_profile /foo,', (False, False, True, True)),
(' change_profile /xyz -> bar,', (False, False, True, True)),
(' change_profile -> /bar,', (False, False, True, True)),
(' change_profile /foo -> /bar,', (False, False, True, True)),
('audit change_profile,', (False, False, False, False)),
('deny change_profile,', (False, False, False, False)),
)
@ -336,11 +336,11 @@ class ChangeProfileCoveredTest_05(ChangeProfileCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'deny change_profile /foo,', (True, True, True, True)),
(' deny change_profile /foo,', (True, True, True, True)),
('audit deny change_profile /foo,', (False, False, False, False)),
( 'change_profile /foo,', (False, False, False, False)), # XXX should covered be true here?
( 'deny change_profile /bar,', (False, False, False, False)),
( 'deny change_profile,', (False, False, False, False)),
(' change_profile /foo,', (False, False, False, False)), # XXX should covered be true here?
(' deny change_profile /bar,', (False, False, False, False)),
(' deny change_profile,', (False, False, False, False)),
)
@ -349,11 +349,11 @@ class ChangeProfileCoveredTest_06(ChangeProfileCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'deny change_profile /foo,', (False, False, False, False)),
(' deny change_profile /foo,', (False, False, False, False)),
('audit deny change_profile /foo,', (False, False, False, False)),
( 'change_profile /foo,', (True, False, True, True)),
( 'deny change_profile /bar,', (False, False, False, False)),
( 'deny change_profile,', (False, False, False, False)),
(' change_profile /foo,', (True, False, True, True)),
(' deny change_profile /bar,', (False, False, False, False)),
(' deny change_profile,', (False, False, False, False)),
)
@ -378,6 +378,7 @@ class ChangeProfileCoveredTest_Invalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'change_profile /foo,'
class SomeOtherClass(ChangeProfileRule):
pass
@ -388,6 +389,7 @@ class ChangeProfileCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'change_profile -> /bar,'
class SomeOtherClass(ChangeProfileRule):
pass
@ -399,10 +401,10 @@ class ChangeProfileCoveredTest_Invalid(AATest):
class ChangeProfileLogprofHeaderTest(AATest):
tests = (
('change_profile,', [ _('Exec Condition'), _('ALL'), _('Target Profile'), _('ALL')]),
('change_profile -> /bin/ping,', [ _('Exec Condition'), _('ALL'), _('Target Profile'), '/bin/ping']),
('change_profile /bar -> /bin/bar,', [ _('Exec Condition'), '/bar', _('Target Profile'), '/bin/bar']),
('change_profile safe /foo,', [ _('Exec Mode'), 'safe', _('Exec Condition'), '/foo', _('Target Profile'), _('ALL')]),
('change_profile,', [ _('Exec Condition'), _('ALL'), _('Target Profile'), _('ALL')]), # noqa: E201
('change_profile -> /bin/ping,', [ _('Exec Condition'), _('ALL'), _('Target Profile'), '/bin/ping']), # noqa: E201
('change_profile /bar -> /bin/bar,', [ _('Exec Condition'), '/bar', _('Target Profile'), '/bin/bar']), # noqa: E201
('change_profile safe /foo,', [ _('Exec Mode'), 'safe', _('Exec Condition'), '/foo', _('Target Profile'), _('ALL')]), # noqa: E201
('audit change_profile -> /bin/ping,', [_('Qualifier'), 'audit', _('Exec Condition'), _('ALL'), _('Target Profile'), '/bin/ping']),
('deny change_profile /bar -> /bin/bar,', [_('Qualifier'), 'deny', _('Exec Condition'), '/bar', _('Target Profile'), '/bin/bar']),
('allow change_profile unsafe /foo,', [_('Qualifier'), 'allow', _('Exec Mode'), 'unsafe', _('Exec Condition'), '/foo', _('Target Profile'), _('ALL')]),


@ -181,18 +181,18 @@ class DbusFromInit(DbusTest):
tests = (
# access bus path name interface member peername peerlabel audit=, deny=, allow_keyword, comment=, log_event)
(DbusRule('send', 'session', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL),
# audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all?
exp(False, False, False, '', {'send'}, False, 'session', False, None, True, None, True, None, True, None, True, None, True, None, True)),
# audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all?
exp(False, False, False, '', {'send'}, False, 'session', False, None, True, None, True, None, True, None, True, None, True, None, True)),
# access bus path name interface member peername peerlabel audit=, deny=, allow_keyword, comment=, log_event)
(DbusRule(('send', 'receive'), 'session', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL),
# audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all?
exp(False, False, False, '', {'send', 'receive'}, False, 'session', False, None, True, None, True, None, True, None, True, None, True, None, True)),
# audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all?
exp(False, False, False, '', {'send', 'receive'}, False, 'session', False, None, True, None, True, None, True, None, True, None, True, None, True)),
# access bus path name interface member peername peerlabel audit=, deny=, allow_keyword, comment=, log_event)
(DbusRule(DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label'),
# audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all?
exp(False, False, False, '', None, True, None, True, None, True, None, True, '/int/face', False, '/mem/ber', False, '/peer/name', False, '/peer/label', False)),
# audit allow deny comment access all? bus all? path all? name all? interface all? member all? peername all? peerlabel all?
exp(False, False, False, '', None, True, None, True, None, True, None, True, '/int/face', False, '/mem/ber', False, '/peer/name', False, '/peer/label', False)),
)
def _run_test(self, obj, expected):
@ -475,11 +475,11 @@ class DbusCoveredTest_02(DbusCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'dbus send,', (False, False, True, False)),
(' dbus send,', (False, False, True, False)),
('audit dbus send,', (True, True, True, True)),
( 'dbus send bus=session,', (False, False, True, False)),
(' dbus send bus=session,', (False, False, True, False)),
('audit dbus send bus=session,', (False, False, True, True)),
( 'dbus,', (False, False, False, False)),
(' dbus,', (False, False, False, False)),
('audit dbus,', (False, False, False, False)),
('dbus receive,', (False, False, False, False)),
)
@ -490,16 +490,16 @@ class DbusCoveredTest_03(DbusCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'dbus send bus=session,', (True, True, True, True)),
(' dbus send bus=session,', (True, True, True, True)),
('allow dbus send bus=session,', (True, False, True, True)),
( 'dbus send,', (False, False, False, False)),
( 'dbus,', (False, False, False, False)),
( 'dbus send member=(label=foo),', (False, False, False, False)),
(' dbus send,', (False, False, False, False)),
(' dbus,', (False, False, False, False)),
(' dbus send member=(label=foo),', (False, False, False, False)),
('audit dbus,', (False, False, False, False)),
('audit dbus send bus=session,', (False, False, False, False)),
('audit dbus bus=session,', (False, False, False, False)),
( 'dbus send,', (False, False, False, False)),
( 'dbus,', (False, False, False, False)),
(' dbus send,', (False, False, False, False)),
(' dbus,', (False, False, False, False)),
)
@ -508,12 +508,12 @@ class DbusCoveredTest_04(DbusCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'dbus,', (True, True, True, True)),
(' dbus,', (True, True, True, True)),
('allow dbus,', (True, False, True, True)),
( 'dbus send,', (False, False, True, True)),
( 'dbus receive bus=session,', (False, False, True, True)),
( 'dbus member=(label=foo),', (False, False, True, True)),
( 'dbus send bus=session,', (False, False, True, True)),
(' dbus send,', (False, False, True, True)),
(' dbus receive bus=session,', (False, False, True, True)),
(' dbus member=(label=foo),', (False, False, True, True)),
(' dbus send bus=session,', (False, False, True, True)),
('audit dbus,', (False, False, False, False)),
('deny dbus,', (False, False, False, False)),
)
@ -524,11 +524,11 @@ class DbusCoveredTest_05(DbusCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'deny dbus send,', (True, True, True, True)),
(' deny dbus send,', (True, True, True, True)),
('audit deny dbus send,', (False, False, False, False)),
( 'dbus send,', (False, False, False, False)), # XXX should covered be true here?
( 'deny dbus receive,', (False, False, False, False)),
( 'deny dbus,', (False, False, False, False)),
(' dbus send,', (False, False, False, False)), # XXX should covered be true here?
(' deny dbus receive,', (False, False, False, False)),
(' deny dbus,', (False, False, False, False)),
)
@ -711,7 +711,7 @@ class DbusCoveredTest_11(DbusCoveredTest):
class DbusCoveredTest_Invalid(AATest):
def AASetup(self):
# access bus path name interface member peername peerlabel
self.obj = DbusRule(('send', 'receive'), 'session', '/org/test', DbusRule.ALL, '/int/face', DbusRule.ALL, '/peer/name', '/peer/label', allow_keyword=True)
self.obj = DbusRule(('send', 'receive'), 'session', '/org/test', DbusRule.ALL, '/int/face', DbusRule.ALL, '/peer/name', '/peer/label', allow_keyword=True) # noqa: E221
self.testobj = DbusRule(('send'), 'session', '/org/test', DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label', allow_keyword=True)
def test_borked_obj_is_covered_1(self):
@ -734,7 +734,7 @@ class DbusCoveredTest_Invalid(AATest):
def test_borked_obj_is_covered_4(self):
# we need a different 'victim' because dbus send doesn't allow the name conditional we want to test here
self.obj = DbusRule( ('bind'), 'session', DbusRule.ALL, '/name', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, allow_keyword=True)
self.obj = DbusRule(('bind'), 'session', DbusRule.ALL, '/name', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, allow_keyword=True) # noqa: E221
self.testobj = DbusRule(('bind'), 'session', DbusRule.ALL, '/name', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, allow_keyword=True)
self.testobj.name = ''
@ -767,6 +767,7 @@ class DbusCoveredTest_Invalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'dbus send,'
class SomeOtherClass(DbusRule):
pass
@ -777,6 +778,7 @@ class DbusCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'dbus send,'
class SomeOtherClass(DbusRule):
pass
@ -788,17 +790,17 @@ class DbusCoveredTest_Invalid(AATest):
class DbusLogprofHeaderTest(AATest):
tests = (
('dbus,', [ _('Access mode'), _('ALL'), _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]),
('dbus (send receive),', [ _('Access mode'), 'receive send', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]),
('dbus send bus=session,', [ _('Access mode'), 'send', _('Bus'), 'session', _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]),
('dbus,', [ _('Access mode'), _('ALL'), _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), # noqa: E201
('dbus (send receive),', [ _('Access mode'), 'receive send', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), # noqa: E201
('dbus send bus=session,', [ _('Access mode'), 'send', _('Bus'), 'session', _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), # noqa: E201
('deny dbus,', [_('Qualifier'), 'deny', _('Access mode'), _('ALL'), _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]),
('allow dbus send,', [_('Qualifier'), 'allow', _('Access mode'), 'send', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]),
('audit dbus send bus=session,', [_('Qualifier'), 'audit', _('Access mode'), 'send', _('Bus'), 'session', _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]),
('audit deny dbus send,', [_('Qualifier'), 'audit deny', _('Access mode'), 'send', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]),
('dbus bind name=bind.name,', [ _('Access mode'), 'bind', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), 'bind.name', _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]),
('dbus bind name=bind.name,', [ _('Access mode'), 'bind', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), 'bind.name', _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), # noqa: E201
('dbus send bus=session path=/path interface=aa.test member=ExMbr peer=(name=(peer.name)),',
[ _('Access mode'), 'send', _('Bus'), 'session', _('Path'), '/path', _('Name'), _('ALL'), _('Interface'), 'aa.test', _('Member'), 'ExMbr', _('Peer name'), 'peer.name', _('Peer label'), _('ALL')]),
('dbus send peer=(label=foo),', [ _('Access mode'), 'send', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), 'foo']),
[ _('Access mode'), 'send', _('Bus'), 'session', _('Path'), '/path', _('Name'), _('ALL'), _('Interface'), 'aa.test', _('Member'), 'ExMbr', _('Peer name'), 'peer.name', _('Peer label'), _('ALL')]), # noqa: E201,E127
('dbus send peer=(label=foo),', [ _('Access mode'), 'send', _('Bus'), _('ALL'), _('Path'), _('ALL'), _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), _('Peer name'), _('ALL'), _('Peer label'), 'foo']), # noqa: E201
)
def _run_test(self, params, expected):
@ -806,7 +808,7 @@ class DbusLogprofHeaderTest(AATest):
self.assertEqual(obj.logprof_header(), expected)
## --- tests for DbusRuleset --- #
# --- tests for DbusRuleset --- #
class DbusRulesTest(AATest):
def test_empty_ruleset(self):


@ -200,18 +200,18 @@ class FileFromInit(FileTest):
# path, perms, exec_perms, target, owner, file_keyword, leading_perms
(FileRule('/foo', 'rw', None, FileRule.ALL, False, False, False, audit=True, deny=True),
# audit allow deny comment path all_paths perms all? exec_perms target all? owner file keyword leading perms
exp(True, False, True, '', '/foo', False, {'r', 'w'}, False, None, None, True, False, False, False)),
# audit allow deny comment path all_paths perms all? exec_perms target all? owner file keyword leading perms
exp(True, False, True, '', '/foo', False, {'r', 'w'}, False, None, None, True, False, False, False)),
# path, perms, exec_perms, target, owner, file_keyword, leading_perms
(FileRule('/foo', None, 'Pix', 'bar_prof', True, True, True, allow_keyword=True),
# audit allow deny comment path all_paths perms all? exec_perms target all? owner file keyword leading perms
exp(False, True, False, '', '/foo', False, set(), False, 'Pix', 'bar_prof', False, True, True, True)),
# audit allow deny comment path all_paths perms all? exec_perms target all? owner file keyword leading perms
exp(False, True, False, '', '/foo', False, set(), False, 'Pix', 'bar_prof', False, True, True, True)),
# path, perms, exec_perms, target, owner, file_keyword, leading_perms
(FileRule('/foo', {'link', 'subset'}, None, '/bar', False, False, True, audit=True, deny=True),
# audit allow deny comment path all_paths perms all? exec_perms target all? owner file keyword leading perms
exp(True, False, True, '', '/foo', False, {'link', 'subset'}, False, None, '/bar', False, False, False, True)),
# audit allow deny comment path all_paths perms all? exec_perms target all? owner file keyword leading perms
exp(True, False, True, '', '/foo', False, {'link', 'subset'}, False, None, '/bar', False, False, False, True)),
)
@ -224,55 +224,55 @@ class InvalidFileInit(AATest):
# path, perms, exec_perms, target, owner, file_keyword, leading_perms expected exception
# empty fields
( ('', 'rw', 'ix', '/bar', False, False, False), AppArmorBug),
# OK ('/foo', '', 'ix', '/bar', False, False, False), AppArmorBug),
( ('/foo', 'rw', '', '/bar', False, False, False), AppArmorBug),
( ('/foo', 'rw', 'ix', '', False, False, False), AppArmorBug),
( ('', 'rw', 'ix', '/bar', False, False, False), AppArmorBug), # noqa: E201
# OK ('/foo', '', 'ix', '/bar', False, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', '', '/bar', False, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', '', False, False, False), AppArmorBug), # noqa: E201
# whitespace fields
( (' ', 'rw', 'ix', '/bar', False, False, False), AppArmorBug),
( ('/foo', ' ', 'ix', '/bar', False, False, False), AppArmorException),
( ('/foo', 'rw', ' ', '/bar', False, False, False), AppArmorBug),
( ('/foo', 'rw', 'ix', ' ', False, False, False), AppArmorBug),
( (' ', 'rw', 'ix', '/bar', False, False, False), AppArmorBug), # noqa: E201
( ('/foo', ' ', 'ix', '/bar', False, False, False), AppArmorException), # noqa: E201
( ('/foo', 'rw', ' ', '/bar', False, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', ' ', False, False, False), AppArmorBug), # noqa: E201
# wrong type - dict()
( (dict(), 'rw', 'ix', '/bar', False, False, False), AppArmorBug),
( ('/foo', dict(), 'ix', '/bar', False, False, False), AppArmorBug),
( ('/foo', 'rw', dict(), '/bar', False, False, False), AppArmorBug),
( ('/foo', 'rw', 'ix', dict(), False, False, False), AppArmorBug),
( ('/foo', 'rw', 'ix', '/bar', dict(), False, False), AppArmorBug),
( ('/foo', 'rw', 'ix', '/bar', False, dict(), False), AppArmorBug),
( ('/foo', 'rw', 'ix', '/bar', False, False, dict()), AppArmorBug),
( (dict(), 'rw', 'ix', '/bar', False, False, False), AppArmorBug), # noqa: E201
( ('/foo', dict(), 'ix', '/bar', False, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', dict(), '/bar', False, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', dict(), False, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', '/bar', dict(), False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', '/bar', False, dict(), False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', '/bar', False, False, dict()), AppArmorBug), # noqa: E201
# wrong type - None
( (None, 'rw', 'ix', '/bar', False, False, False), AppArmorBug),
# OK ('/foo', None, 'ix', '/bar', False, False, False), AppArmorBug),
# OK ('/foo', 'rw', None, '/bar', False, False, False), AppArmorBug),
( ('/foo', 'rw', 'ix', None, False, False, False), AppArmorBug),
( ('/foo', 'rw', 'ix', '/bar', None, False, False), AppArmorBug),
( ('/foo', 'rw', 'ix', '/bar', False, None, False), AppArmorBug),
( ('/foo', 'rw', 'ix', '/bar', False, False, None), AppArmorBug),
( (None, 'rw', 'ix', '/bar', False, False, False), AppArmorBug), # noqa: E201
# OK ('/foo', None, 'ix', '/bar', False, False, False), AppArmorBug), # noqa: E201
# OK ('/foo', 'rw', None, '/bar', False, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', None, False, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', '/bar', None, False, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', '/bar', False, None, False), AppArmorBug), # noqa: E201
( ('/foo', 'rw', 'ix', '/bar', False, False, None), AppArmorBug), # noqa: E201
# misc
( ('/foo', 'rwa', 'ix', '/bar', False, False, False), AppArmorException), # 'r' and 'a' conflict
( ('/foo', None, 'rw', '/bar', False, False, False), AppArmorBug), # file perms in exec perms parameter
( ('/foo', 'ix', None, '/bar', False, False, False), AppArmorBug), # exec perms in file perms parameter
( ('foo', 'rw', 'ix', '/bar', False, False, False), AppArmorException), # path doesn't start with /
( ('/foo', 'rb', 'ix', '/bar', False, False, False), AppArmorException), # invalid file mode 'b' (str)
( ('/foo', {'b'}, 'ix', '/bar', False, False, False), AppArmorBug), # invalid file mode 'b' (str)
( ('/foo', 'rw', 'ax', '/bar', False, False, False), AppArmorBug), # invalid exec mode 'ax'
( ('/foo', 'rw', 'x', '/bar', False, False, False), AppArmorException), # plain 'x' is only allowed in deny rules
( (FileRule.ALL, FileRule.ALL, None, '/bar', False, False, False), AppArmorBug), # plain 'file,' doesn't allow exec target
( ('/foo', 'rwa', 'ix', '/bar', False, False, False), AppArmorException), # 'r' and 'a' conflict # noqa: E201
( ('/foo', None, 'rw', '/bar', False, False, False), AppArmorBug), # file perms in exec perms parameter # noqa: E201
( ('/foo', 'ix', None, '/bar', False, False, False), AppArmorBug), # exec perms in file perms parameter # noqa: E201
( ('foo', 'rw', 'ix', '/bar', False, False, False), AppArmorException), # path doesn't start with / # noqa: E201
( ('/foo', 'rb', 'ix', '/bar', False, False, False), AppArmorException), # invalid file mode 'b' (str) # noqa: E201
( ('/foo', {'b'}, 'ix', '/bar', False, False, False), AppArmorBug), # invalid file mode 'b' (str) # noqa: E201
( ('/foo', 'rw', 'ax', '/bar', False, False, False), AppArmorBug), # invalid exec mode 'ax' # noqa: E201
( ('/foo', 'rw', 'x', '/bar', False, False, False), AppArmorException), # plain 'x' is only allowed in deny rules # noqa: E201
( (FileRule.ALL, FileRule.ALL, None, '/bar', False, False, False), AppArmorBug), # plain 'file,' doesn't allow exec target # noqa: E201
# link rules
( (None, {'link'}, None, None, False, False, False), AppArmorBug), # missing path and target
( ('/foo', {'link'}, None, None, False, False, False), AppArmorBug), # missing target
( ( None, {'link'}, None, '/bar', False, False, False), AppArmorBug), # missing path
( ('/foo', {'subset'}, None, '/bar', False, False, False), AppArmorBug), # subset without link
( ('/foo', {'link'}, 'ix', '/bar', False, False, False), AppArmorBug), # link rule with exec perms
( ('/foo', {'link', 'subset'}, 'ix', '/bar', False, False, False), AppArmorBug), # link subset rule with exec perms
( (None, {'link'}, None, None, False, False, False), AppArmorBug), # missing path and target # noqa: E201
( ('/foo', {'link'}, None, None, False, False, False), AppArmorBug), # missing target # noqa: E201
( ( None, {'link'}, None, '/bar', False, False, False), AppArmorBug), # missing path # noqa: E201
( ('/foo', {'subset'}, None, '/bar', False, False, False), AppArmorBug), # subset without link # noqa: E201
( ('/foo', {'link'}, 'ix', '/bar', False, False, False), AppArmorBug), # link rule with exec perms # noqa: E201
( ('/foo', {'link', 'subset'}, 'ix', '/bar', False, False, False), AppArmorBug), # link subset rule with exec perms # noqa: E201
)
def _run_test(self, params, expected):
@ -473,34 +473,34 @@ class FileCoveredTest(AATest):
class FileCoveredTest_01(FileCoveredTest):
rule = 'file /foo r,'
tests = (
# rule equal strict equal covered covered exact
('file /foo r,', (True, True, True, True)),
('file /foo r ,', (True, False, True, True)),
('allow file /foo r,', (True, False, True, True)),
('allow /foo r, # comment', (True, False, True, True)),
('allow owner /foo r,', (False, False, True, True)),
('/foo r -> bar,', (False, False, True, True)),
('file r /foo,', (True, False, True, True)),
('allow file r /foo,', (True, False, True, True)),
('allow r /foo, # comment', (True, False, True, True)),
('allow owner r /foo,', (False, False, True, True)),
('r /foo -> bar,', (False, False, True, True)),
('file,', (False, False, False, False)),
('file /foo w,', (False, False, False, False)),
('file /foo rw,', (False, False, False, False)),
('file /bar r,', (False, False, False, False)),
('audit /foo r,', (False, False, False, False)),
('audit file,', (False, False, False, False)),
('audit deny /foo r,', (False, False, False, False)),
('deny file /foo r,', (False, False, False, False)),
('/foo rPx,', (False, False, False, False)),
('/foo Pxr,', (False, False, False, False)),
('/foo Px,', (False, False, False, False)),
('/foo ix,', (False, False, False, False)),
('/foo ix -> bar,', (False, False, False, False)),
('/foo rPx -> bar,', (False, False, False, False)),
)
tests = (
# rule equal strict equal covered covered exact
('file /foo r,', (True, True, True, True)),
('file /foo r ,', (True, False, True, True)),
('allow file /foo r,', (True, False, True, True)),
('allow /foo r, # comment', (True, False, True, True)),
('allow owner /foo r,', (False, False, True, True)),
('/foo r -> bar,', (False, False, True, True)),
('file r /foo,', (True, False, True, True)),
('allow file r /foo,', (True, False, True, True)),
('allow r /foo, # comment', (True, False, True, True)),
('allow owner r /foo,', (False, False, True, True)),
('r /foo -> bar,', (False, False, True, True)),
('file,', (False, False, False, False)),
('file /foo w,', (False, False, False, False)),
('file /foo rw,', (False, False, False, False)),
('file /bar r,', (False, False, False, False)),
('audit /foo r,', (False, False, False, False)),
('audit file,', (False, False, False, False)),
('audit deny /foo r,', (False, False, False, False)),
('deny file /foo r,', (False, False, False, False)),
('/foo rPx,', (False, False, False, False)),
('/foo Pxr,', (False, False, False, False)),
('/foo Px,', (False, False, False, False)),
('/foo ix,', (False, False, False, False)),
('/foo ix -> bar,', (False, False, False, False)),
('/foo rPx -> bar,', (False, False, False, False)),
)
class FileCoveredTest_02(FileCoveredTest):
@ -791,6 +791,7 @@ class FileCoveredTest_ManualOrInvalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'file,'
class SomeOtherClass(FileRule):
pass
@ -801,6 +802,7 @@ class FileCoveredTest_ManualOrInvalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'file,'
class SomeOtherClass(FileRule):
pass
@ -836,21 +838,21 @@ class FileSeverityTest(AATest):
class FileLogprofHeaderTest(AATest):
tests = (
# log event old perms ALL / owner
(('file,', set(), set()), [ _('Path'), _('ALL'), _('New Mode'), _('ALL')]),
(('/foo r,', set(), set()), [ _('Path'), '/foo', _('New Mode'), 'r']),
(('file /bar Px -> foo,', set(), set()), [ _('Path'), '/bar', _('New Mode'), 'Px -> foo']),
(('file,', set(), set()), [ _('Path'), _('ALL'), _('New Mode'), _('ALL')]), # noqa: E201
(('/foo r,', set(), set()), [ _('Path'), '/foo', _('New Mode'), 'r']), # noqa: E201
(('file /bar Px -> foo,', set(), set()), [ _('Path'), '/bar', _('New Mode'), 'Px -> foo']), # noqa: E201
(('deny file,', set(), set()), [_('Qualifier'), 'deny', _('Path'), _('ALL'), _('New Mode'), _('ALL')]),
(('allow file /baz rwk,', set(), set()), [_('Qualifier'), 'allow', _('Path'), '/baz', _('New Mode'), 'rwk']),
(('audit file /foo mr,', set(), set()), [_('Qualifier'), 'audit', _('Path'), '/foo', _('New Mode'), 'mr']),
(('audit deny /foo wk,', set(), set()), [_('Qualifier'), 'audit deny', _('Path'), '/foo', _('New Mode'), 'wk']),
(('owner file /foo ix,', set(), set()), [ _('Path'), '/foo', _('New Mode'), 'owner ix']),
(('owner file /foo ix,', set(), set()), [ _('Path'), '/foo', _('New Mode'), 'owner ix']), # noqa: E201
(('audit deny file /foo rlx -> /baz,', set(), set()), [_('Qualifier'), 'audit deny', _('Path'), '/foo', _('New Mode'), 'rlx -> /baz']),
(('/foo rw,', set('r'), set()), [ _('Path'), '/foo', _('Old Mode'), _('r'), _('New Mode'), _('rw')]),
(('/foo rw,', set(), set('rw')), [ _('Path'), '/foo', _('Old Mode'), _('owner rw'), _('New Mode'), _('rw')]),
(('/foo mrw,', set('r'), set('k')), [ _('Path'), '/foo', _('Old Mode'), _('r + owner k'), _('New Mode'), _('mrw')]),
(('/foo mrw,', set('r'), set('rk')), [ _('Path'), '/foo', _('Old Mode'), _('r + owner k'), _('New Mode'), _('mrw')]),
(('link /foo -> /bar,', set(), set()), [ _('Path'), '/foo', _('New Mode'), 'link -> /bar']),
(('link subset /foo -> /bar,', set(), set()), [ _('Path'), '/foo', _('New Mode'), 'link subset -> /bar']),
(('/foo rw,', set('r'), set()), [ _('Path'), '/foo', _('Old Mode'), _('r'), _('New Mode'), _('rw')]), # noqa: E201
(('/foo rw,', set(), set('rw')), [ _('Path'), '/foo', _('Old Mode'), _('owner rw'), _('New Mode'), _('rw')]), # noqa: E201
(('/foo mrw,', set('r'), set('k')), [ _('Path'), '/foo', _('Old Mode'), _('r + owner k'), _('New Mode'), _('mrw')]), # noqa: E201
(('/foo mrw,', set('r'), set('rk')), [ _('Path'), '/foo', _('Old Mode'), _('r + owner k'), _('New Mode'), _('mrw')]), # noqa: E201
(('link /foo -> /bar,', set(), set()), [ _('Path'), '/foo', _('New Mode'), 'link -> /bar']), # noqa: E201
(('link subset /foo -> /bar,', set(), set()), [ _('Path'), '/foo', _('New Mode'), 'link subset -> /bar']), # noqa: E201
)
def _run_test(self, params, expected):
@ -923,7 +925,7 @@ class FileValidateAndStoreEditTest(AATest):
rule_obj.store_edit('/foo/bar')
## --- tests for FileRuleset --- #
# --- tests for FileRuleset --- #
class FileRulesTest(AATest):
def test_empty_ruleset(self):
@ -1047,9 +1049,9 @@ class FileGetRulesForPath(AATest):
(('/etc/foo/dovecot-database.conf.ext', False, False), ['/etc/foo/* r,', '/etc/foo/dovecot-database.conf.ext w,', '']),
(('/etc/foo/auth.d/authfoo.conf', False, False), ['/etc/foo/{auth,conf}.d/*.conf r,', '/etc/foo/{auth,conf}.d/authfoo.conf w,', '']),
(('/etc/foo/dovecot-deny.conf', False, False), ['deny /etc/foo/dovecot-deny.conf r,', '', '/etc/foo/* r,', '']),
(('/foo/bar', False, True), [ ]),
(('/foo/bar', False, True), [ ]), # noqa: E201,E202
(('/etc/foo/dovecot-deny.conf', False, True), ['deny /etc/foo/dovecot-deny.conf r,', '']),
(('/etc/foo/foo.conf', False, True), [ ]),
(('/etc/foo/foo.conf', False, True), [ ]), # noqa: E201,E202
(('/etc/foo/owner.conf', False, False), ['/etc/foo/* r,', 'owner /etc/foo/owner.conf w,', '']),
)


@ -27,7 +27,7 @@ _ = init_translation()
exp = namedtuple(
'exp', ( # 'audit', 'allow_keyword', 'deny',
'comment', 'path', 'ifexists', 'ismagic'))
'comment', 'path', 'ifexists', 'ismagic'))
# --- tests for single IncludeRule --- #
@ -94,10 +94,10 @@ class IncludeTestParse(IncludeTest):
class IncludeTestParseInvalid(IncludeTest):
tests = (
# (' some #include if exists <abstractions/base>', AppArmorException),
# (' /etc/fstab r,', AppArmorException),
# ('/usr/include r,', AppArmorException),
# ('/include r,', AppArmorException),
# (' some #include if exists <abstractions/base>', AppArmorException),
# (' /etc/fstab r,', AppArmorException),
# ('/usr/include r,', AppArmorException),
# ('/include r,', AppArmorException),
)
def _run_test(self, rawrule, expected):
@ -297,6 +297,7 @@ class IncludeCoveredTest_Invalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'include <abstractions/base>'
class SomeOtherClass(IncludeRule):
pass
@ -307,6 +308,7 @@ class IncludeCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'include <abstractions/base>'
class SomeOtherClass(IncludeRule):
pass
@ -367,7 +369,7 @@ class IncludeFullPathsTest(AATest):
self.assertEqual(obj.get_full_paths(self.profile_dir), exp2)
## --- tests for IncludeRuleset --- #
# --- tests for IncludeRuleset --- #
class IncludeRulesTest(AATest):
def AASetup(self):
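Review bot: `IncludeTestParseInvalid.tests` in the hunk at `@ -94,10 +94,10` is still an empty tuple after the re-indent: every case is commented out, so the class exercises zero parse-failure checks and its `_run_test` is effectively dead code. If those rules are meant to be rejected, re-enable them; if the parser currently accepts them, either remove the class or add a one-line comment above the tuple such as `# no known invalid include rules yet; add cases here when the parser rejects something` so the empty table is not mistaken for coverage. `_run_test`'s body continues outside the hunk.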


@ -37,7 +37,7 @@ class IOUringTestParse(AATest):
('deny io_uring (sqpoll, override_creds),', IOUringRule(('sqpoll', 'override_creds'), IOUringRule.ALL, False, True, False, '')),
('audit allow io_uring,', IOUringRule(IOUringRule.ALL, IOUringRule.ALL, True, False, True, '')),
('io_uring override_creds, # cmt', IOUringRule(('override_creds'), IOUringRule.ALL, False, False, False, ' # cmt')),
)
)
def _run_test(self, rawrule, expected):
self.assertTrue(IOUringRule.match(rawrule))
@ -82,16 +82,16 @@ class IOUringTestParseInvalid(AATest):
class InvalidIOUringInit(AATest):
tests = (
# init params expected exception
(('', 'label'), AppArmorBug), # empty access
((' ', 'label'), AppArmorBug), # whitespace access
(('xyxy', 'label'), AppArmorException), # invalid access
((dict(), 'label'), AppArmorBug), # wrong type for access
((None, 'label'), AppArmorBug), # wrong type for access
(('sqpoll', ''), AppArmorBug), # empty label
(('sqpoll', ' '), AppArmorBug), # whitespace label
(('sqpoll', dict()), AppArmorBug), # wrong type for label
(('sqpoll', None), AppArmorBug), # wrong type for label
# access label expected exception
(('', 'label'), AppArmorBug), # empty access
((' ', 'label'), AppArmorBug), # whitespace access
(('xyxy', 'label'), AppArmorException), # invalid access
((dict(), 'label'), AppArmorBug), # wrong type for access
((None, 'label'), AppArmorBug), # wrong type for access
(('sqpoll', ''), AppArmorBug), # empty label
(('sqpoll', ' '), AppArmorBug), # whitespace label
(('sqpoll', dict()), AppArmorBug), # wrong type for label
(('sqpoll', None), AppArmorBug), # wrong type for label
)
def _run_test(self, params, expected):
@ -116,7 +116,7 @@ class WriteIOUringTestAATest(AATest):
(' audit io_uring (sqpoll , override_creds ),', 'audit io_uring (override_creds sqpoll),'),
(' deny io_uring sqpoll label=bar,# foo bar', 'deny io_uring sqpoll label=bar, # foo bar'),
(' deny io_uring override_creds ,# foo bar', 'deny io_uring override_creds, # foo bar'),
(' allow io_uring label=tst ,# foo bar' , 'allow io_uring label=tst, # foo bar'),
(' allow io_uring label=tst ,# foo bar', 'allow io_uring label=tst, # foo bar'),
('io_uring,', 'io_uring,'),
('io_uring (override_creds),', 'io_uring override_creds,'),
('io_uring (sqpoll),', 'io_uring sqpoll,'),
@ -171,10 +171,10 @@ class IOUringIsCoveredTest(AATest):
class IOUringLogprofHeaderTest(AATest):
tests = (
('io_uring,', [_('Access mode'), _('ALL'), _('Label'), _('ALL')]),
('io_uring sqpoll,', [_('Access mode'), 'sqpoll' , _('Label'), _('ALL')]),
('io_uring sqpoll,', [_('Access mode'), 'sqpoll', _('Label'), _('ALL')]),
('io_uring override_creds,', [_('Access mode'), 'override_creds', _('Label'), _('ALL')]),
('io_uring (sqpoll,override_creds),', [_('Access mode'), 'override_creds sqpoll', _('Label'), _('ALL')]),
('io_uring sqpoll label=/foo,', [_('Access mode'), 'sqpoll' , _('Label'), '/foo']),
('io_uring sqpoll label=/foo,', [_('Access mode'), 'sqpoll', _('Label'), '/foo']),
('io_uring override_creds label=bar,', [_('Access mode'), 'override_creds', _('Label'), 'bar']),
('io_uring (sqpoll,override_creds) label=baz,', [_('Access mode'), 'override_creds sqpoll', _('Label'), 'baz']),
)
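Review bot: In the IOUringTestParse hunk the argument `('override_creds')` in the `# cmt` case is a plain string with redundant parentheses, not a one-element tuple, while the neighbouring cases pass real tuples such as `('sqpoll', 'override_creds')`. If IOUringRule accepts a bare string this is harmless, but the parentheses read as a tuple and invite a copy-paste into a genuine single-element case that then silently lacks the trailing comma; write it as `'override_creds'` or `('override_creds',)` so the intent is explicit. The `tests` tuple begins before the hunk.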


@ -56,7 +56,7 @@ class TestLogprof(AATest):
env={'LANG': 'C',
'PYTHONPATH': os.environ.get('PYTHONPATH', ''),
'LD_LIBRARY_PATH': os.environ.get('LD_LIBRARY_PATH', ''),
},
},
)
return process
@ -129,6 +129,7 @@ class TestLogprof(AATest):
self.process.wait(timeout=0.3)
self.assertEqual(self.process.returncode, 0)
# if you import apparmor.aa and call init_aa() in your tests, uncomment this
# setup_aa(aa)
setup_all_loops(__name__)


@ -29,37 +29,37 @@ class MountTestParse(AATest):
tests = (
# Rule Operation Filesystem Options Source Destination Audit Deny Allow Comment
('mount -> **,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '**', False, False, False, '' )),
('mount options=(rw, shared) -> **,', MountRule('mount', MountRule.ALL, ('=', ('rw', 'shared')), MountRule.ALL, '**', False, False, False, '' )),
('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.obex*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )),
('mount,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount bpf,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'bpf', MountRule.ALL, False, False, False, '' )),
('mount none,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'none', MountRule.ALL, False, False, False, '' )),
('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )),
('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )),
('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '' )),
('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
('mount -> **,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '**', False, False, False, '')),
('mount options=(rw, shared) -> **,', MountRule('mount', MountRule.ALL, ('=', ('rw', 'shared')), MountRule.ALL, '**', False, False, False, '')),
('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '')),
('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.obex*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '')),
('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ['fuse.*']), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '')),
('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ['bpf']), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '')),
('mount,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')),
('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')),
('mount bpf,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'bpf', MountRule.ALL, False, False, False, '')),
('mount none,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'none', MountRule.ALL, False, False, False, '')),
('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '')),
('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '')),
('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '')),
('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/a', '/b', False, False, False, '')),
('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '')),
('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
('mount fstype=({ext3,ext4}) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ['{ext3,ext4}']), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '')),
('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ['ext3', 'ext4']), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')),
('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,',
MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/',
'/tmp/snap.rootfs_*{,/usr}/lib/modules/',
False, False, False, '' )),
('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )),
MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/', # noqa: E127
'/tmp/snap.rootfs_*{,/usr}/lib/modules/', # noqa: E127
False, False, False, '')), # noqa: E127
('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')),
('umount fstype=ext3,', MountRule('umount', ('=', ['ext3']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')),
('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '')),
('remount,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('remount fstype=ext4,', MountRule('remount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('remount /b,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/b', False, False, False, '' )),
('remount,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')),
('remount fstype=ext4,', MountRule('remount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '')),
('remount /b,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/b', False, False, False, '')),
)
def _run_test(self, rawrule, expected):
@ -99,8 +99,8 @@ class MountTestParseInvalid(AATest):
def test_diff_invalid_fstype_aare(self):
tests = [
'mount fstype=({unclosed_regex),',
'mount fstype=({closed}twice}),',
'mount fstype=({unclosed_regex),',
'mount fstype=({closed}twice}),',
]
for t in tests:
@ -109,9 +109,9 @@ class MountTestParseInvalid(AATest):
def test_diff_invalid_fstype_aare_2(self):
fslists = [
['invalid_{_regex'],
['ext4', 'invalid_}_regex'],
['ext4', '{invalid} {regex}']
['invalid_{_regex'],
['ext4', 'invalid_}_regex'],
['ext4', '{invalid} {regex}']
]
for fslist in fslists:
with self.assertRaises(AppArmorException):
@ -227,6 +227,7 @@ class MountIsCoveredTest(AATest):
for test in tests:
self.assertTrue(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
def test_is_covered_aare_2(self):
obj = MountRule('mount', ('=', ['ext{3,4}', '{cgroup*,fuse.*}']), ('=', ('ro')), 'tmpfs', MountRule.ALL)
tests = [
@ -240,15 +241,15 @@ class MountIsCoveredTest(AATest):
def test_is_notcovered(self):
obj = MountRule('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/b*')
tests = [
('mount', ('in', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ),
('mount', ('=', ['procfs', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar' ),
('mount', ('=', ['ext3']), ('=', ('rw')), '/foo/bar', '/bar' ),
('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/foo/b*', '/bar' ),
('mount', MountRule.ALL, ('=', ('ro')), '/foo/b*', '/bar' ),
('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/invalid/bar', '/bar' ),
('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ),
('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ),
('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', '/bar' ),
('mount', ('in', ['ext3', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar'),
('mount', ('=', ['procfs', 'ext4']), ('=', ('ro')), '/foo/bar', '/bar'),
('mount', ('=', ['ext3']), ('=', ('rw')), '/foo/bar', '/bar'),
('mount', ('=', ['ext3', 'ext4']), MountRule.ALL, '/foo/b*', '/bar'),
('mount', MountRule.ALL, ('=', ('ro')), '/foo/b*', '/bar'),
('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/invalid/bar', '/bar'),
('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar'),
('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar'),
('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), 'tmpfs', '/bar'),
('mount', ('=', ['ext3', 'ext4']), ('=', ('ro')), '/foo/b*', '/invalid'),
]
for test in tests:
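Review bot: The single-option rows in the MountTestParse table still pass the options as `('rw')` and `('ro')` (e.g. the `mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,` row and the `('=', ('ro'))` rules in the is_covered tests), which Python reads as a plain string, not as a one-element tuple like the `('rw', 'shared')` row above; because the expected object is built with the same argument, the test cannot tell whether MountRule treats it as the option `rw` or as the characters `r` and `w`. A style pass is the right place to make the table say what it means: `('=', ('rw',))`. The three `# noqa: E127` markers on the multi-line `{,/usr}/lib{,32,64,x32}/modules/` row silence the checker rather than fix the layout; aligning the two continuation lines under the opening parenthesis of `MountRule(` should satisfy E127 with no annotation, though the original indentation is not recoverable from this view and is worth checking locally. The `test_is_notcovered` loop at the end of the section continues outside the hunk.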


@ -26,25 +26,25 @@ _ = init_translation()
class MessageQueueTestParse(AATest):
tests = (
# access type label mqueue_name audit deny allow comment
('mqueue,' , MessageQueueRule(MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue create,' , MessageQueueRule(('create'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue (create,open,delete),' , MessageQueueRule(('create', 'open', 'delete'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue (getattr,setattr),' , MessageQueueRule(('getattr', 'setattr'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue (write,read),' , MessageQueueRule(('write', 'read'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue (open,delete),' , MessageQueueRule(('open', 'delete'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue write label=foo,' , MessageQueueRule(('write'), MessageQueueRule.ALL, 'foo', MessageQueueRule.ALL, False, False, False, '')),
('mqueue read label=foo /queue,' , MessageQueueRule(('read'), MessageQueueRule.ALL, 'foo', '/queue', False, False, False, '')),
('audit mqueue read label=foo /queue,' , MessageQueueRule(('read'), MessageQueueRule.ALL, 'foo', '/queue', True, False, False, '')),
('deny mqueue rw label=foo /queue,' , MessageQueueRule(('rw'), MessageQueueRule.ALL, 'foo', '/queue', False, True, False, '')),
('mqueue,', MessageQueueRule(MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue create,', MessageQueueRule(('create'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue (create,open,delete),', MessageQueueRule(('create', 'open', 'delete'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue (getattr,setattr),', MessageQueueRule(('getattr', 'setattr'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue (write,read),', MessageQueueRule(('write', 'read'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue (open,delete),', MessageQueueRule(('open', 'delete'), MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue write label=foo,', MessageQueueRule(('write'), MessageQueueRule.ALL, 'foo', MessageQueueRule.ALL, False, False, False, '')),
('mqueue read label=foo /queue,', MessageQueueRule(('read'), MessageQueueRule.ALL, 'foo', '/queue', False, False, False, '')),
('audit mqueue read label=foo /queue,', MessageQueueRule(('read'), MessageQueueRule.ALL, 'foo', '/queue', True, False, False, '')),
('deny mqueue rw label=foo /queue,', MessageQueueRule(('rw'), MessageQueueRule.ALL, 'foo', '/queue', False, True, False, '')),
('audit allow mqueue r label=foo /queue,', MessageQueueRule(('r'), MessageQueueRule.ALL, 'foo', '/queue', True, False, True, '')),
('mqueue w label=foo 1234, # cmt' , MessageQueueRule(('w'), MessageQueueRule.ALL, 'foo', '1234', False, False, False, ' # cmt')),
('mqueue wr 1234,' , MessageQueueRule(('wr'), MessageQueueRule.ALL, MessageQueueRule.ALL, '1234', False, False, False, '')),
('mqueue 1234,' , MessageQueueRule(MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, '1234', False, False, False, '')),
('mqueue type=sysv,' , MessageQueueRule(MessageQueueRule.ALL, 'sysv', MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue type=posix,' , MessageQueueRule(MessageQueueRule.ALL, 'posix', MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue type=sysv 1234,' , MessageQueueRule(MessageQueueRule.ALL, 'sysv', MessageQueueRule.ALL, '1234', False, False, False, '')),
('mqueue type=posix /queue,' , MessageQueueRule(MessageQueueRule.ALL, 'posix', MessageQueueRule.ALL, '/queue', False, False, False, '')),
('mqueue open type=sysv label=foo 1234,' , MessageQueueRule(('open'), 'sysv', 'foo', '1234', False, False, False, '')),
('mqueue w label=foo 1234, # cmt', MessageQueueRule(('w'), MessageQueueRule.ALL, 'foo', '1234', False, False, False, ' # cmt')),
('mqueue wr 1234,', MessageQueueRule(('wr'), MessageQueueRule.ALL, MessageQueueRule.ALL, '1234', False, False, False, '')),
('mqueue 1234,', MessageQueueRule(MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, '1234', False, False, False, '')),
('mqueue type=sysv,', MessageQueueRule(MessageQueueRule.ALL, 'sysv', MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue type=posix,', MessageQueueRule(MessageQueueRule.ALL, 'posix', MessageQueueRule.ALL, MessageQueueRule.ALL, False, False, False, '')),
('mqueue type=sysv 1234,', MessageQueueRule(MessageQueueRule.ALL, 'sysv', MessageQueueRule.ALL, '1234', False, False, False, '')),
('mqueue type=posix /queue,', MessageQueueRule(MessageQueueRule.ALL, 'posix', MessageQueueRule.ALL, '/queue', False, False, False, '')),
('mqueue open type=sysv label=foo 1234,', MessageQueueRule(('open'), 'sysv', 'foo', '1234', False, False, False, '')),
)
def _run_test(self, rawrule, expected):
@ -56,14 +56,14 @@ class MessageQueueTestParse(AATest):
class MessageQueueTestParseInvalid(AATest):
tests = (
('mqueue label=,' , AppArmorException),
('mqueue label=,', AppArmorException),
('mqueue invalidaccess /queuename,', AppArmorException),
('mqueue invalidqueuename,' , AppArmorException),
('mqueue invalidqueuename1234,' , AppArmorException),
('mqueue foo label foo bar,' , AppArmorException),
('mqueue type=,' , AppArmorException),
('mqueue type=sysv /foo,' , AppArmorException),
('mqueue type=posix 1234,' , AppArmorException),
('mqueue invalidqueuename,', AppArmorException),
('mqueue invalidqueuename1234,', AppArmorException),
('mqueue foo label foo bar,', AppArmorException),
('mqueue type=,', AppArmorException),
('mqueue type=sysv /foo,', AppArmorException),
('mqueue type=posix 1234,', AppArmorException),
)
def _run_test(self, rawrule, expected):
@ -148,28 +148,28 @@ class InvalidMessageQueueInit(AATest):
class WriteMessageQueueTestAATest(AATest):
tests = (
# raw rule clean rule
(' mqueue , # foo ' , 'mqueue, # foo'),
(' audit mqueue create,' , 'audit mqueue create,'),
(' audit mqueue (open ),' , 'audit mqueue open,'),
(' audit mqueue (delete , read ),' , 'audit mqueue (delete read),'),
(' mqueue , # foo ', 'mqueue, # foo'),
(' audit mqueue create,', 'audit mqueue create,'),
(' audit mqueue (open ),', 'audit mqueue open,'),
(' audit mqueue (delete , read ),', 'audit mqueue (delete read),'),
(' deny mqueue write label=bar,# foo bar', 'deny mqueue write label=bar, # foo bar'),
(' deny mqueue open ,# foo bar' , 'deny mqueue open, # foo bar'),
(' allow mqueue label=tst ,# foo bar' , 'allow mqueue label=tst, # foo bar'),
('mqueue,' , 'mqueue,'),
('mqueue (read),' , 'mqueue read,'),
('mqueue (create),' , 'mqueue create,'),
('mqueue (write read),' , 'mqueue (read write),'),
('mqueue (open,create,open,delete,write,read),' , 'mqueue (create delete open read write),'),
('mqueue r,' , 'mqueue r,'),
('mqueue w,' , 'mqueue w,'),
('mqueue rw,' , 'mqueue rw,'),
('mqueue delete label="tst",' , 'mqueue delete label="tst",'),
('mqueue (getattr) label=bar,' , 'mqueue getattr label=bar,'),
('mqueue getattr /foo,' , 'mqueue getattr /foo,'),
('mqueue (setattr getattr) 1234,' , 'mqueue (getattr setattr) 1234,'),
('mqueue wr label=tst 1234,' , 'mqueue wr label=tst 1234,'),
('mqueue wr type=sysv label=tst 1234,' , 'mqueue wr type=sysv label=tst 1234,'),
('mqueue wr type=posix label=tst /foo,' , 'mqueue wr type=posix label=tst /foo,'),
(' deny mqueue open ,# foo bar', 'deny mqueue open, # foo bar'),
(' allow mqueue label=tst ,# foo bar', 'allow mqueue label=tst, # foo bar'),
('mqueue,', 'mqueue,'),
('mqueue (read),', 'mqueue read,'),
('mqueue (create),', 'mqueue create,'),
('mqueue (write read),', 'mqueue (read write),'),
('mqueue (open,create,open,delete,write,read),', 'mqueue (create delete open read write),'),
('mqueue r,', 'mqueue r,'),
('mqueue w,', 'mqueue w,'),
('mqueue rw,', 'mqueue rw,'),
('mqueue delete label="tst",', 'mqueue delete label="tst",'),
('mqueue (getattr) label=bar,', 'mqueue getattr label=bar,'),
('mqueue getattr /foo,', 'mqueue getattr /foo,'),
('mqueue (setattr getattr) 1234,', 'mqueue (getattr setattr) 1234,'),
('mqueue wr label=tst 1234,', 'mqueue wr label=tst 1234,'),
('mqueue wr type=sysv label=tst 1234,', 'mqueue wr type=sysv label=tst 1234,'),
('mqueue wr type=posix label=tst /foo,', 'mqueue wr type=posix label=tst /foo,'),
)
def _run_test(self, rawrule, expected):
@ -232,11 +232,11 @@ class MessageQueueIsCoveredTest(AATest):
class MessageQueueLogprofHeaderTest(AATest):
tests = (
('mqueue,', [ _('Access mode'), _('ALL'), _('Type'), _('ALL'), _('Label'), _('ALL'), _('Message queue name'), _('ALL'), ]),
('mqueue (create,getattr) 12,', [ _('Access mode'), 'create getattr', _('Type'), _('ALL'), _('Label'), _('ALL'), _('Message queue name'), '12', ]),
('mqueue write label=bar,', [ _('Access mode'), 'write', _('Type'), _('ALL'), _('Label'), 'bar', _('Message queue name'), _('ALL'), ]),
('mqueue write type=sysv,', [ _('Access mode'), 'write', _('Type'), 'sysv', _('Label'), _('ALL'), _('Message queue name'), _('ALL'), ]),
('mqueue read type=posix,', [ _('Access mode'), 'read', _('Type'), 'posix', _('Label'), _('ALL'), _('Message queue name'), _('ALL'), ]),
('mqueue,', [ _('Access mode'), _('ALL'), _('Type'), _('ALL'), _('Label'), _('ALL'), _('Message queue name'), _('ALL'), ]), # noqa: E201
('mqueue (create,getattr) 12,', [ _('Access mode'), 'create getattr', _('Type'), _('ALL'), _('Label'), _('ALL'), _('Message queue name'), '12', ]), # noqa: E201
('mqueue write label=bar,', [ _('Access mode'), 'write', _('Type'), _('ALL'), _('Label'), 'bar', _('Message queue name'), _('ALL'), ]), # noqa: E201
('mqueue write type=sysv,', [ _('Access mode'), 'write', _('Type'), 'sysv', _('Label'), _('ALL'), _('Message queue name'), _('ALL'), ]), # noqa: E201
('mqueue read type=posix,', [ _('Access mode'), 'read', _('Type'), 'posix', _('Label'), _('ALL'), _('Message queue name'), _('ALL'), ]), # noqa: E201
('deny mqueue read /foo,', [_('Qualifier'), 'deny', _('Access mode'), 'read', _('Type'), _('ALL'), _('Label'), _('ALL'), _('Message queue name'), '/foo', ]),
('allow mqueue setattr,', [_('Qualifier'), 'allow', _('Access mode'), 'setattr', _('Type'), _('ALL'), _('Label'), _('ALL'), _('Message queue name'), _('ALL'), ]),
('audit mqueue r label=ba 12,', [_('Qualifier'), 'audit', _('Access mode'), 'r', _('Type'), _('ALL'), _('Label'), 'ba', _('Message queue name'), '12', ]),
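Review bot: The five `# noqa: E201` annotations in MessageQueueLogprofHeaderTest suppress a warning that is fixed by deleting one space, and the rows directly below them already write `[_('Qualifier'), ...]` with no space after `[`, so the annotated rows are now the odd ones out in their own table; `('mqueue,', [_('Access mode'), _('ALL'), _('Type'), _('ALL'), _('Label'), _('ALL'), _('Message queue name'), _('ALL'), ]),` is the natural form. Silencing a check in a commit whose purpose is PEP8 compliance also invites the next contributor to copy the noqa rather than the layout. Separately, the parse table still passes single accesses as `('create')`, `('write')`, `('rw')` and so on, which are strings rather than one-element tuples; `('create',)` would match the multi-element rows and make the intent explicit, and the test as written cannot detect the difference because the expected object is built from the same value. The `tests` tuple of the last hunk closes outside the hunk.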


@ -25,9 +25,9 @@ import re
_ = init_translation()
exp = namedtuple(
'exp', ('audit', 'allow_keyword', 'deny', 'comment',
'accesses' ,'domain', 'all_domains', 'type_or_protocol', 'all_type_or_protocols', 'local_expr', 'peer_expr'))
exp = namedtuple('exp', ('audit', 'allow_keyword', 'deny', 'comment',
'accesses', 'domain', 'all_domains', 'type_or_protocol',
'all_type_or_protocols', 'local_expr', 'peer_expr'))
# --- check if the keyword list is up to date --- #
@ -57,6 +57,7 @@ class NetworkKeywordsTest(AATest):
'on an newer kernel and will require updating the list of network domain keywords in '
'utils/apparmor/rule/network.py')
class NetworkPV6Test(AATest):
def test_ipv6(self):
tests = [
@ -75,10 +76,7 @@ class NetworkPV6Test(AATest):
self.assertEqual(bool(re.match(network_ipv6, test[0])), test[1])
# --- tests for single NetworkRule --- #
class NetworkTest(AATest):
def _compare_obj(self, obj, expected):
self.assertEqual(expected.allow_keyword, obj.allow_keyword)
@ -93,20 +91,21 @@ class NetworkTest(AATest):
self.assertEqual(expected.local_expr, obj.local_expr)
self.assertEqual(expected.peer_expr, obj.peer_expr)
class NetworkTestParse(NetworkTest):
tests = (
# rawrule audit allow deny comment access domain all? type/proto all? local_expr peer_expr
('network,', exp(False, False, False, '', None, None, True, None, True, NetworkRule.ALL, NetworkRule.ALL )),
('network inet,', exp(False, False, False, '', None, 'inet', False, None, True, NetworkRule.ALL, NetworkRule.ALL )),
('network inet stream,', exp(False, False, False, '', None, 'inet', False, 'stream', False, NetworkRule.ALL, NetworkRule.ALL )),
('deny network inet stream, # comment', exp(False, False, True, ' # comment', None, 'inet', False, 'stream', False, NetworkRule.ALL, NetworkRule.ALL )),
('audit allow network tcp,', exp(True, True, False, '', None, None, True, 'tcp', False, NetworkRule.ALL, NetworkRule.ALL )),
('network stream,', exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, NetworkRule.ALL )),
('network stream peer=(ip=::1 port=22),', exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, {"ip": "::1", 'port':'22'}, )),
('network stream ip=::1 port=22,', exp(False, False, False, '', None, None, True, 'stream', False, {"ip": "::1", 'port': '22'}, NetworkRule.ALL )),
('network (bind,listen) stream,', exp(False, False, False, '', {'listen', 'bind'}, None, True, 'stream', False, NetworkRule.ALL, NetworkRule.ALL )),
# rawrule audit allow deny comment access domain all? type/proto all? local_expr peer_expr
('network,', exp(False, False, False, '', None, None, True, None, True, NetworkRule.ALL, NetworkRule.ALL)),
('network inet,', exp(False, False, False, '', None, 'inet', False, None, True, NetworkRule.ALL, NetworkRule.ALL)),
('network inet stream,', exp(False, False, False, '', None, 'inet', False, 'stream', False, NetworkRule.ALL, NetworkRule.ALL)),
('deny network inet stream, # comment', exp(False, False, True, ' # comment', None, 'inet', False, 'stream', False, NetworkRule.ALL, NetworkRule.ALL)),
('audit allow network tcp,', exp(True, True, False, '', None, None, True, 'tcp', False, NetworkRule.ALL, NetworkRule.ALL)),
('network stream,', exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, NetworkRule.ALL)),
('network stream peer=(ip=::1 port=22),', exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, {"ip": "::1", 'port': '22'},)),
('network stream ip=::1 port=22,', exp(False, False, False, '', None, None, True, 'stream', False, {"ip": "::1", 'port': '22'}, NetworkRule.ALL)),
('network (bind,listen) stream,', exp(False, False, False, '', {'listen', 'bind'}, None, True, 'stream', False, NetworkRule.ALL, NetworkRule.ALL)),
('network (connect, rw) stream ip=192.168.122.2 port=22 peer=(ip=192.168.122.3 port=22),',
exp(False, False, False, '', {'connect', 'rw'}, None, True, 'stream', False, {'ip': '192.168.122.2', 'port': '22'},{"ip": "192.168.122.3", 'port': '22'} )),
exp(False, False, False, '', {'connect', 'rw'}, None, True, 'stream', False, {'ip': '192.168.122.2', 'port': '22'}, {"ip": "192.168.122.3", 'port': '22'})), # noqa: E127
)
def _run_test(self, rawrule, expected):
@ -162,7 +161,7 @@ class NetworkTestParseFromLog(NetworkTest):
'accesses': None,
'addr': None,
'peer_addr': None,
'port' : 1234,
'port': 1234,
'remote_port': None,
'time': 1428699242,
'active_hat': None,
@ -186,17 +185,17 @@ class NetworkTestParseFromLog(NetworkTest):
class NetworkFromInit(NetworkTest):
tests = (
# NetworkRule object audit allow deny comment access domain all? type/proto all? Local expr Peer expr
(NetworkRule(NetworkRule.ALL, 'inet', 'raw', NetworkRule.ALL, NetworkRule.ALL, deny=True), exp(False, False, True, '', None, 'inet', False, 'raw', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, 'inet', 'raw', NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, 'inet', False, 'raw', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, 'inet', NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, 'inet', False, None, True, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, None, True, None, True, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, 'tcp', NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, None, True, 'tcp', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, 'stream', NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule('bind', NetworkRule.ALL, 'stream', NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', {'bind'}, None, True, 'stream', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule({'bind', 'listen'}, NetworkRule.ALL, 'stream', {'port': '22'}, NetworkRule.ALL), exp(False, False, False, '', {'bind', 'listen'},None, True, 'stream', False, {'port' : '22'}, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, 'stream', NetworkRule.ALL, {'port': '22'}), exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, {'port':'22'})),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, 'stream', NetworkRule.ALL, {'ip': '::1', 'port':'22'}), exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, {'ip': '::1', 'port':'22'})),
# NetworkRule object audit allow deny comment access domain all? type/proto all? Local expr Peer expr
(NetworkRule(NetworkRule.ALL, 'inet', 'raw', NetworkRule.ALL, NetworkRule.ALL, deny=True), exp(False, False, True, '', None, 'inet', False, 'raw', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, 'inet', 'raw', NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, 'inet', False, 'raw', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, 'inet', NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, 'inet', False, None, True, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, None, True, None, True, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, 'tcp', NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, None, True, 'tcp', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, 'stream', NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule('bind', NetworkRule.ALL, 'stream', NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', {'bind'}, None, True, 'stream', False, NetworkRule.ALL, NetworkRule.ALL)),
(NetworkRule({'bind', 'listen'}, NetworkRule.ALL, 'stream', {'port': '22'}, NetworkRule.ALL), exp(False, False, False, '', {'bind', 'listen'}, None, True, 'stream', False, {'port': '22'}, NetworkRule.ALL)),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, 'stream', NetworkRule.ALL, {'port': '22'}), exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, {'port': '22'})),
(NetworkRule(NetworkRule.ALL, NetworkRule.ALL, 'stream', NetworkRule.ALL, {'ip': '::1', 'port': '22'}), exp(False, False, False, '', None, None, True, 'stream', False, NetworkRule.ALL, {'ip': '::1', 'port': '22'})),
)
def _run_test(self, obj, expected):
@ -206,22 +205,22 @@ class NetworkFromInit(NetworkTest):
class InvalidNetworkInit(AATest):
tests = (
# init params expected exception
((NetworkRule.ALL, 'inet', '', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # empty type_or_protocol
((NetworkRule.ALL, '', 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # empty domain
((NetworkRule.ALL, ' ', 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # whitespace domain
((NetworkRule.ALL, 'inet', ' ', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # whitespace type_or_protocol
((NetworkRule.ALL, 'xyxy', 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # invalid domain
((NetworkRule.ALL, 'inet', 'xyxy', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # invalid type_or_protocol
((NetworkRule.ALL, dict(), 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # wrong type for domain
((NetworkRule.ALL, None, 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # wrong type for domain
((NetworkRule.ALL, 'inet', dict(), NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # wrong type for type_or_protocol
((NetworkRule.ALL, 'inet', None, NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # wrong type for type_or_protocol
(('invalid_access', 'inet', None, NetworkRule.ALL, NetworkRule.ALL), AppArmorException), # Invalid Access
(({'bind', 'invld'},'inet', None, NetworkRule.ALL, NetworkRule.ALL), AppArmorException), # Invalid Access
((NetworkRule.ALL, 'inet', None, {'ip': ':::::'}, NetworkRule.ALL), AppArmorException), # Invalid ip in local expression
((NetworkRule.ALL, 'inet', None, NetworkRule.ALL, {'ip': ':::::'}), AppArmorException), # Invalid ip in peer expression
((NetworkRule.ALL, 'inet', None, {'invld': '0'}, NetworkRule.ALL), AppArmorException), # Invalid keyword in local expression
((NetworkRule.ALL, 'inet', None, NetworkRule.ALL, {'invld': '0'}), AppArmorException), # Invalid keyword in peer expression
((NetworkRule.ALL, 'inet', '', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # empty type_or_protocol
((NetworkRule.ALL, '', 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # empty domain
((NetworkRule.ALL, ' ', 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # whitespace domain
((NetworkRule.ALL, 'inet', ' ', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # whitespace type_or_protocol
((NetworkRule.ALL, 'xyxy', 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # invalid domain
((NetworkRule.ALL, 'inet', 'xyxy', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # invalid type_or_protocol
((NetworkRule.ALL, dict(), 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # wrong type for domain
((NetworkRule.ALL, None, 'tcp', NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # wrong type for domain
((NetworkRule.ALL, 'inet', dict(), NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # wrong type for type_or_protocol
((NetworkRule.ALL, 'inet', None, NetworkRule.ALL, NetworkRule.ALL), AppArmorBug), # wrong type for type_or_protocol
(('invalid_access', 'inet', None, NetworkRule.ALL, NetworkRule.ALL), AppArmorException), # Invalid Access
(({'bind', 'invld'}, 'inet', None, NetworkRule.ALL, NetworkRule.ALL), AppArmorException), # Invalid Access
((NetworkRule.ALL, 'inet', None, {'ip': ':::::'}, NetworkRule.ALL), AppArmorException), # Invalid ip in local expression
((NetworkRule.ALL, 'inet', None, NetworkRule.ALL, {'ip': ':::::'}), AppArmorException), # Invalid ip in peer expression
((NetworkRule.ALL, 'inet', None, {'invld': '0'}, NetworkRule.ALL), AppArmorException), # Invalid keyword in local expression
((NetworkRule.ALL, 'inet', None, NetworkRule.ALL, {'invld': '0'}), AppArmorException), # Invalid keyword in peer expression
)
def _run_test(self, params, expected):
@ -252,7 +251,6 @@ class InvalidNetworkTest(AATest):
def test_invalid_net_non_NetworkRule(self):
self._check_invalid_rawrule('dbus,') # not a network rule
def test_empty_net_data_1(self):
obj = NetworkRule(NetworkRule.ALL, 'inet', 'stream', NetworkRule.ALL, NetworkRule.ALL)
obj.domain = ''
@ -261,7 +259,7 @@ class InvalidNetworkTest(AATest):
obj.get_clean(1)
def test_empty_net_data_2(self):
obj = NetworkRule(NetworkRule.ALL, 'inet', 'stream',NetworkRule.ALL, NetworkRule.ALL)
obj = NetworkRule(NetworkRule.ALL, 'inet', 'stream', NetworkRule.ALL, NetworkRule.ALL)
obj.type_or_protocol = ''
# no type_or_protocol set, and ALL not set
with self.assertRaises(AppArmorBug):
@ -279,15 +277,15 @@ class WriteNetworkTestAATest(AATest):
self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
tests = (
# raw rule clean rule
(' network , # foo ', 'network, # foo'),
(' audit network inet,', 'audit network inet,'),
(' deny network inet stream,# foo bar', 'deny network inet stream, # foo bar'),
(' deny network inet ,# foo bar', 'deny network inet, # foo bar'),
(' allow network tcp ,# foo bar', 'allow network tcp, # foo bar'),
(' network stream peer = ( ip=::1 port=22 ) ,', 'network stream peer=(ip=::1 port=22),'),
(' network ( bind , listen ) stream ip = ::1 port = 22 ,','network (bind, listen) stream ip=::1 port=22,'),
(' allow network tcp ,# foo bar', 'allow network tcp, # foo bar'),
# raw rule clean rule
(' network , # foo ', 'network, # foo'),
(' audit network inet,', 'audit network inet,'),
(' deny network inet stream,# foo bar', 'deny network inet stream, # foo bar'),
(' deny network inet ,# foo bar', 'deny network inet, # foo bar'),
(' allow network tcp ,# foo bar', 'allow network tcp, # foo bar'),
(' network stream peer = ( ip=::1 port=22 ) ,', 'network stream peer=(ip=::1 port=22),'),
(' network ( bind , listen ) stream ip = ::1 port = 22 ,', 'network (bind, listen) stream ip=::1 port=22,'),
(' allow network tcp ,# foo bar', 'allow network tcp, # foo bar'),
)
@ -348,13 +346,13 @@ class NetworkCoveredTest_02(NetworkCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'network inet,', (False, False, True, False)),
(' network inet,', (False, False, True, False)),
('audit network inet,', (True, True, True, True)),
( 'network inet stream,', (False, False, True, False)),
(' network inet stream,', (False, False, True, False)),
('audit network inet stream,', (False, False, True, True)),
( 'network,', (False, False, False, False)),
(' network,', (False, False, False, False)),
('audit network,', (False, False, False, False)),
('network unix,', (False, False, False, False)),
(' network unix,', (False, False, False, False)),
)
@ -363,15 +361,15 @@ class NetworkCoveredTest_03(NetworkCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'network inet stream,', (True, True, True, True)),
(' network inet stream,', (True, True, True, True)),
('allow network inet stream,', (True, False, True, True)),
( 'network inet,', (False, False, False, False)),
( 'network,', (False, False, False, False)),
( 'network inet tcp,', (False, False, False, False)),
(' network inet,', (False, False, False, False)),
(' network,', (False, False, False, False)),
(' network inet tcp,', (False, False, False, False)),
('audit network,', (False, False, False, False)),
('audit network inet stream,', (False, False, False, False)),
( 'network unix,', (False, False, False, False)),
( 'network,', (False, False, False, False)),
(' network unix,', (False, False, False, False)),
(' network,', (False, False, False, False)),
)
@ -380,12 +378,12 @@ class NetworkCoveredTest_04(NetworkCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'network,', (True, True, True, True)),
(' network,', (True, True, True, True)),
('allow network,', (True, False, True, True)),
( 'network inet,', (False, False, True, True)),
( 'network inet6 stream,', (False, False, True, True)),
( 'network tcp,', (False, False, True, True)),
( 'network inet raw,', (False, False, True, True)),
(' network inet,', (False, False, True, True)),
(' network inet6 stream,', (False, False, True, True)),
(' network tcp,', (False, False, True, True)),
(' network inet raw,', (False, False, True, True)),
('audit network,', (False, False, False, False)),
('deny network,', (False, False, False, False)),
)
@ -396,28 +394,29 @@ class NetworkCoveredTest_05(NetworkCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'deny network inet,', (True, True, True, True)),
(' deny network inet,', (True, True, True, True)),
('audit deny network inet,', (False, False, False, False)),
( 'network inet,', (False, False, False, False)), # XXX should covered be true here?
( 'deny network unix,', (False, False, False, False)),
( 'deny network,', (False, False, False, False)),
(' network inet,', (False, False, False, False)), # XXX should covered be true here?
(' deny network unix,', (False, False, False, False)),
(' deny network,', (False, False, False, False)),
)
class NetworkCoveredTest_06(NetworkCoveredTest):
rule = 'network (rw, connect) port=127 peer=(ip=192.168.122.3),'
tests = (
# rule equal strict equal covered covered exact
('network (rw, connect) port=127 peer=(ip=192.168.122.3),', (True, True, True, True)),
('network (rw, connect) port=127 ip=192.168.122.2 peer=(ip=192.168.122.3),', (False, False, True, True)),
('network (rw, connect) inet port=127 ip=192.168.122.2 peer=(ip=192.168.122.3),', (False, False, True, True)),
('network (rw, connect) port=127 ip=192.168.122.2 peer=(ip=192.168.122.3 port=12345),', (False, False, True, True)),
('network (rw, connect) inet port=127 ip=192.168.122.2 peer=(ip=192.168.122.3 port=12345),',(False, False, True, True)),
('network connect port=12345 ip=192.168.122.2 peer=(ip=192.168.122.3),', (False, False, False, False)),
('network (r, connect) port=12345 ip=192.168.122.2 peer=(ip=192.168.122.3),', (False, False, False, False)),
('network (r, connect) port=128 peer=(ip=192.168.122.3),', (False, False, False, False)),
('network (rw, connect) port=127 peer=(ip=127.0.0.1),', (False, False, False, False)),
('network (rw, connect) port=127,', (False, False, False, False)),
('network (rw, connect) port=127 peer=(ip=192.168.122.3),', (True, True, True, True)),
('network (rw, connect) port=127 ip=192.168.122.2 peer=(ip=192.168.122.3),', (False, False, True, True)),
('network (rw, connect) inet port=127 ip=192.168.122.2 peer=(ip=192.168.122.3),', (False, False, True, True)),
('network (rw, connect) port=127 ip=192.168.122.2 peer=(ip=192.168.122.3 port=12345),', (False, False, True, True)),
('network (rw, connect) inet port=127 ip=192.168.122.2 peer=(ip=192.168.122.3 port=12345),', (False, False, True, True)),
('network connect port=12345 ip=192.168.122.2 peer=(ip=192.168.122.3),', (False, False, False, False)),
('network (r, connect) port=12345 ip=192.168.122.2 peer=(ip=192.168.122.3),', (False, False, False, False)),
('network (r, connect) port=128 peer=(ip=192.168.122.3),', (False, False, False, False)),
('network (rw, connect) port=127 peer=(ip=127.0.0.1),', (False, False, False, False)),
('network (rw, connect) port=127,', (False, False, False, False)),
)
@ -434,7 +433,7 @@ class NetworkCoveredTest_Invalid(AATest):
def test_borked_obj_is_covered_2(self):
obj = NetworkRule.create_instance('network inet,')
testobj = NetworkRule( NetworkRule.ALL,'inet', 'stream', NetworkRule.ALL, NetworkRule.ALL)
testobj = NetworkRule(NetworkRule.ALL, 'inet', 'stream', NetworkRule.ALL, NetworkRule.ALL)
testobj.type_or_protocol = ''
with self.assertRaises(AppArmorBug):
@ -442,6 +441,7 @@ class NetworkCoveredTest_Invalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'network inet,'
class SomeOtherClass(NetworkRule):
pass
@ -452,6 +452,7 @@ class NetworkCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'network inet,'
class SomeOtherClass(NetworkRule):
pass
@ -463,15 +464,15 @@ class NetworkCoveredTest_Invalid(AATest):
class NetworkLogprofHeaderTest(AATest):
tests = (
('network,', [ _('Accesses'), _('ALL'), _('Network Family'), _('ALL'), _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('network inet,', [ _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('network inet stream,', [ _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), 'stream', _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('deny network,', [_('Qualifier'), 'deny', _('Accesses'), _('ALL'), _('Network Family'), _('ALL'), _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('allow network inet,', [_('Qualifier'), 'allow', _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('audit network inet stream,', [_('Qualifier'), 'audit', _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), 'stream', _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('audit deny network inet,', [_('Qualifier'), 'audit deny', _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('network (bind, listen) stream ip=::1 port=22,', [ _('Accesses'), 'bind listen',_('Network Family'), _('ALL'), _('Socket Type'), 'stream', _('Local'), {'ip': '::1', 'port': '22'}, _('Peer'), _('ALL')]),
('audit deny network inet peer=(ip=::1),', [_('Qualifier'), 'audit deny', _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), {'ip': '::1'}]),
('network,', [ _('Accesses'), _('ALL'), _('Network Family'), _('ALL'), _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]), # noqa: E201
('network inet,', [ _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]), # noqa: E201
('network inet stream,', [ _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), 'stream', _('Local'), _('ALL'), _('Peer'), _('ALL')]), # noqa: E201
('deny network,', [_('Qualifier'), 'deny', _('Accesses'), _('ALL'), _('Network Family'), _('ALL'), _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('allow network inet,', [_('Qualifier'), 'allow', _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('audit network inet stream,', [_('Qualifier'), 'audit', _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), 'stream', _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('audit deny network inet,', [_('Qualifier'), 'audit deny', _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), _('ALL')]),
('network (bind, listen) stream ip=::1 port=22,', [ _('Accesses'), 'bind listen', _('Network Family'), _('ALL'), _('Socket Type'), 'stream', _('Local'), {'ip': '::1', 'port': '22'}, _('Peer'), _('ALL')]), # noqa: E201
('audit deny network inet peer=(ip=::1),', [_('Qualifier'), 'audit deny', _('Accesses'), _('ALL'), _('Network Family'), 'inet', _('Socket Type'), _('ALL'), _('Local'), _('ALL'), _('Peer'), {'ip': '::1'}]),
)
def _run_test(self, params, expected):
@ -489,8 +490,7 @@ class NetworkRuleReprTest(AATest):
self.assertEqual(str(params), expected)
## --- tests for NetworkRuleset --- #
# --- tests for NetworkRuleset --- #
class NetworkRulesTest(AATest):
def test_empty_ruleset(self):
ruleset = NetworkRuleset()


@ -154,6 +154,7 @@ class TestFilename_from_attachment(AATest):
with self.assertRaises(AppArmorBug):
self.pl.filename_from_attachment('foo')
class TestProfile_from_attachment(TestFilename_from_attachment):
# uses AASetup from TestFilename_from_attachment
tests = (


@ -85,10 +85,10 @@ class AaTest_get_header(AATest):
class AaTest_get_header_01(AATest):
tests = (
({'name': '/foo', 'depth': 1, 'flags': 'complain' }, ' /foo flags=(complain) {'),
({'name': '/foo', 'depth': 1, 'flags': 'complain', 'profile_keyword': True }, ' profile /foo flags=(complain) {'),
({'name': '/foo', 'flags': 'complain' }, '/foo flags=(complain) {'),
({'name': '/foo', 'xattrs': 'user.foo=bar', 'flags': 'complain' }, '/foo xattrs=(user.foo=bar) flags=(complain) {'),
({'name': '/foo', 'depth': 1, 'flags': 'complain'}, ' /foo flags=(complain) {'),
({'name': '/foo', 'depth': 1, 'flags': 'complain', 'profile_keyword': True}, ' profile /foo flags=(complain) {'),
({'name': '/foo', 'flags': 'complain'}, '/foo flags=(complain) {'),
({'name': '/foo', 'xattrs': 'user.foo=bar', 'flags': 'complain'}, '/foo xattrs=(user.foo=bar) flags=(complain) {'),
({'name': '/foo', 'xattrs': 'user.foo=bar', 'embedded_hat': True}, 'profile /foo xattrs=(user.foo=bar) {'),
)


@ -292,9 +292,9 @@ class PtraceCoveredTest_02(PtraceCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'ptrace read,', (False, False, True, False)),
(' ptrace read,', (False, False, True, False)),
('audit ptrace read,', (True, True, True, True)),
( 'ptrace,', (False, False, False, False)),
(' ptrace,', (False, False, False, False)),
('audit ptrace,', (False, False, False, False)),
('ptrace tracedby,', (False, False, False, False)),
)
@ -305,10 +305,10 @@ class PtraceCoveredTest_03(PtraceCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'ptrace,', (True, True, True, True)),
(' ptrace,', (True, True, True, True)),
('allow ptrace,', (True, False, True, True)),
( 'ptrace read,', (False, False, True, True)),
( 'ptrace w,', (False, False, True, True)),
(' ptrace read,', (False, False, True, True)),
(' ptrace w,', (False, False, True, True)),
('audit ptrace,', (False, False, False, False)),
('deny ptrace,', (False, False, False, False)),
)
@ -319,11 +319,11 @@ class PtraceCoveredTest_04(PtraceCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'deny ptrace read,', (True, True, True, True)),
(' deny ptrace read,', (True, True, True, True)),
('audit deny ptrace read,', (False, False, False, False)),
( 'ptrace read,', (False, False, False, False)), # XXX should covered be true here?
( 'deny ptrace tracedby,', (False, False, False, False)),
( 'deny ptrace,', (False, False, False, False)),
(' ptrace read,', (False, False, False, False)), # XXX should covered be true here?
(' deny ptrace tracedby,', (False, False, False, False)),
(' deny ptrace,', (False, False, False, False)),
)
@ -455,6 +455,7 @@ class PtraceCoveredTest_Invalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'ptrace read,'
class SomeOtherClass(PtraceRule):
pass
@ -465,6 +466,7 @@ class PtraceCoveredTest_Invalid(AATest):
def test_invalid_is_equal_1(self):
raw_rule = 'ptrace read,'
class SomeOtherClass(PtraceRule):
pass
@ -485,13 +487,13 @@ class PtraceCoveredTest_Invalid(AATest):
class PtraceLogprofHeaderTest(AATest):
tests = (
('ptrace,', [ _('Access mode'), _('ALL'), _('Peer'), _('ALL')]),
('ptrace read,', [ _('Access mode'), 'read', _('Peer'), _('ALL')]),
('deny ptrace,', [_('Qualifier'), 'deny', _('Access mode'), _('ALL'), _('Peer'), _('ALL')]),
('ptrace,', [ _('Access mode'), _('ALL'), _('Peer'), _('ALL')]), # noqa: E201
('ptrace read,', [ _('Access mode'), 'read', _('Peer'), _('ALL')]), # noqa: E201
('deny ptrace,', [_('Qualifier'), 'deny', _('Access mode'), _('ALL'), _('Peer'), _('ALL')]), # noqa: E201
('allow ptrace read,', [_('Qualifier'), 'allow', _('Access mode'), 'read', _('Peer'), _('ALL')]),
('audit ptrace read,', [_('Qualifier'), 'audit', _('Access mode'), 'read', _('Peer'), _('ALL')]),
('audit deny ptrace read,', [_('Qualifier'), 'audit deny', _('Access mode'), 'read', _('Peer'), _('ALL')]),
('ptrace (read, tracedby) peer=/foo,', [ _('Access mode'), 'read tracedby', _('Peer'), '/foo']),
('ptrace (read, tracedby) peer=/foo,', [ _('Access mode'), 'read tracedby', _('Peer'), '/foo']), # noqa: E201
)
def _run_test(self, params, expected):
@ -499,7 +501,7 @@ class PtraceLogprofHeaderTest(AATest):
self.assertEqual(obj.logprof_header(), expected)
## --- tests for PtraceRuleset --- #
# --- tests for PtraceRuleset --- #
class PtraceRulesTest(AATest):
def test_empty_ruleset(self):
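Review bot: The `# noqa: E201` appended to the `'deny ptrace,'` row in PtraceLogprofHeaderTest suppresses nothing: that row's list opens as `[_('Qualifier')` with no space after the bracket, so E201 cannot fire there, and the stale marker will mislead the next person who tidies the table. Dropping the annotation leaves the row as `('deny ptrace,', [_('Qualifier'), 'deny', _('Access mode'), _('ALL'), _('Peer'), _('ALL')]),`. The other E201 markers in this section sit on rows that do start with `[ _(` and are warranted.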


@ -350,8 +350,8 @@ class AARegexUnix(AARegexTest):
('unix (receive) peer=(label=unconfined),', (None, None, 'unix (receive) peer=(label=unconfined),', '(receive) peer=(label=unconfined)', None)),
(' unix (getattr, shutdown) peer=(addr=none),', (None, None, 'unix (getattr, shutdown) peer=(addr=none),', '(getattr, shutdown) peer=(addr=none)', None)),
('unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*"),', (None, None, 'unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*"),',
'(connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*")',
None)),
'(connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*")', # noqa: E127
None)), # noqa: E127
('unixlike', False),
('deny unixlike,', False),
)
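Review bot: The two `# noqa: E127` markers on the continuation lines of the multi-line `unix (connect, receive, send) ...` tuple in AARegexUnix silence the lint rather than fixing the layout; the same pattern appears on the `UnixRule(...)` continuation in UnixTestParse. Indentation is not recoverable from this rendering, but aligning the continuation lines with the opening element of the tuple (or breaking after the opening parenthesis with a hanging indent) would satisfy E127 and let the markers go. If the project prefers to keep these wide test tables as they are, a `per-file-ignores` entry in the flake8 configuration is a less noisy way to exempt them than per-line annotations.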


@ -354,6 +354,7 @@ class RlimitCoveredTest_Invalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'set rlimit cpu <= 1024,'
class SomeOtherClass(RlimitRule):
pass
@ -364,6 +365,7 @@ class RlimitCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'set rlimit cpu <= 1024,'
class SomeOtherClass(RlimitRule):
pass
@ -492,10 +494,10 @@ class RlimitTime_to_intTest(AATest):
('30us', 0.00003),
('40ms', 0.04),
('40seconds', 40),
('2minutes', 2*60),
('2hours', 2*60*60),
('1 day', 1*60*60*24),
('2 weeks', 2*60*60*24*7),
('2minutes', 2 * 60),
('2hours', 2 * 60 * 60),
('1 day', 1 * 60 * 60 * 24),
('2 weeks', 2 * 60 * 60 * 24 * 7),
)
def _run_test(self, params, expected):


@ -319,11 +319,11 @@ class SignalCoveredTest_02(SignalCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'signal send,', (False, False, True, False)),
(' signal send,', (False, False, True, False)),
('audit signal send,', (True, True, True, True)),
( 'signal send set=quit,', (False, False, True, False)),
(' signal send set=quit,', (False, False, True, False)),
('audit signal send set=quit,', (False, False, True, True)),
( 'signal,', (False, False, False, False)),
(' signal,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('signal receive,', (False, False, False, False)),
)
@ -334,16 +334,16 @@ class SignalCoveredTest_03(SignalCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'signal send set=quit,', (True, True, True, True)),
(' signal send set=quit,', (True, True, True, True)),
('allow signal send set=quit,', (True, False, True, True)),
( 'signal send,', (False, False, False, False)),
( 'signal,', (False, False, False, False)),
( 'signal send set=int,', (False, False, False, False)),
(' signal send,', (False, False, False, False)),
(' signal,', (False, False, False, False)),
(' signal send set=int,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('audit signal send set=quit,', (False, False, False, False)),
('audit signal set=quit,', (False, False, False, False)),
( 'signal send,', (False, False, False, False)),
( 'signal,', (False, False, False, False)),
(' signal send,', (False, False, False, False)),
(' signal,', (False, False, False, False)),
)
@ -352,12 +352,12 @@ class SignalCoveredTest_04(SignalCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'signal,', (True, True, True, True)),
(' signal,', (True, True, True, True)),
('allow signal,', (True, False, True, True)),
( 'signal send,', (False, False, True, True)),
( 'signal w set=quit,', (False, False, True, True)),
( 'signal set=int,', (False, False, True, True)),
( 'signal send set=quit,', (False, False, True, True)),
(' signal send,', (False, False, True, True)),
(' signal w set=quit,', (False, False, True, True)),
(' signal set=int,', (False, False, True, True)),
(' signal send set=quit,', (False, False, True, True)),
('audit signal,', (False, False, False, False)),
('deny signal,', (False, False, False, False)),
)
@ -368,11 +368,11 @@ class SignalCoveredTest_05(SignalCoveredTest):
tests = (
# rule equal strict equal covered covered exact
( 'deny signal send,', (True, True, True, True)),
(' deny signal send,', (True, True, True, True)),
('audit deny signal send,', (False, False, False, False)),
( 'signal send,', (False, False, False, False)), # XXX should covered be true here?
( 'deny signal receive,', (False, False, False, False)),
( 'deny signal,', (False, False, False, False)),
(' signal send,', (False, False, False, False)), # XXX should covered be true here?
(' deny signal receive,', (False, False, False, False)),
(' deny signal,', (False, False, False, False)),
)
@ -526,6 +526,7 @@ class SignalCoveredTest_Invalid(AATest):
def test_invalid_is_covered(self):
raw_rule = 'signal send,'
class SomeOtherClass(SignalRule):
pass
@ -536,6 +537,7 @@ class SignalCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = 'signal send,'
class SomeOtherClass(SignalRule):
pass
@ -547,16 +549,16 @@ class SignalCoveredTest_Invalid(AATest):
class SignalLogprofHeaderTest(AATest):
tests = (
('signal,', [ _('Access mode'), _('ALL'), _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('signal send,', [ _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('signal send set=quit,', [ _('Access mode'), 'send', _('Signal'), 'quit', _('Peer'), _('ALL')]),
('signal,', [ _('Access mode'), _('ALL'), _('Signal'), _('ALL'), _('Peer'), _('ALL')]), # noqa: E201
('signal send,', [ _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL')]), # noqa: E201
('signal send set=quit,', [ _('Access mode'), 'send', _('Signal'), 'quit', _('Peer'), _('ALL')]), # noqa: E201
('deny signal,', [_('Qualifier'), 'deny', _('Access mode'), _('ALL'), _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('allow signal send,', [_('Qualifier'), 'allow', _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('audit signal send set=quit,', [_('Qualifier'), 'audit', _('Access mode'), 'send', _('Signal'), 'quit', _('Peer'), _('ALL')]),
('audit deny signal send,', [_('Qualifier'), 'audit deny', _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('signal set=(int, quit),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL')]),
('signal set=( quit, int),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL')]),
('signal (send, receive) set=( quit, int) peer=/foo,', [ _('Access mode'), 'receive send', _('Signal'), 'int quit', _('Peer'), '/foo']),
('signal set=(int, quit),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL')]), # noqa: E201
('signal set=( quit, int),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL')]), # noqa: E201
('signal (send, receive) set=( quit, int) peer=/foo,', [_('Access mode'), 'receive send', _('Signal'), 'int quit', _('Peer'), '/foo']),
)
def _run_test(self, params, expected):
@ -564,7 +566,7 @@ class SignalLogprofHeaderTest(AATest):
self.assertEqual(obj.logprof_header(), expected)
## --- tests for SignalRuleset --- #
# --- tests for SignalRuleset --- #
class SignalRulesTest(AATest):
def test_empty_ruleset(self):
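Review bot: SignalCoveredTest_03's table carries two duplicated rows on the new side: `(' signal send,', (False, False, False, False))` and `(' signal,', (False, False, False, False))` each appear twice, once after the `set=int` row and again after the `audit signal set=quit` row. The duplicates predate this commit, but since the commit already touches each of these rows for whitespace, dropping the second pair keeps the table honest about what it covers. Separately, the last row of SignalLogprofHeaderTest removes the space after `[` while the rows above it keep the space and add `# noqa: E201`; picking one treatment for the whole table would read more consistently.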


@ -38,7 +38,7 @@ class UnixTestParse(AATest):
('unix shutdown addr=@srv,', UnixRule('shutdown', UnixRule.ALL, {'addr': '@srv'}, UnixRule.ALL, False, False, False, '')),
('unix send addr=@foo{a,b} peer=(label=splat),', UnixRule('send', UnixRule.ALL, {'addr': '@foo{a,b}'}, {'label': 'splat'}, False, False, False, '')),
('unix (accept, rw) protocol=AA type=BB opt=AA label=bb peer=(addr=a label=bb),',
UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, {'opt': 'AA', 'label': 'bb'}, {'addr': 'a', 'label': 'bb'}, False, False, False, '')),
UnixRule(('accept', 'rw'), {'type': 'BB', 'protocol': 'AA'}, {'opt': 'AA', 'label': 'bb'}, {'addr': 'a', 'label': 'bb'}, False, False, False, '')), # noqa: E127
)
def _run_test(self, rawrule, expected):
@ -85,7 +85,6 @@ class UnixTestParseInvalid(AATest):
with self.assertRaises(AppArmorException):
UnixRule(('rw', 'invalid'), UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, False, False, False, '')
def test_invalid_peer_expr(self):
with self.assertRaises(AppArmorException):
UnixRule('create', UnixRule.ALL, UnixRule.ALL, {'addr': 'foo'}, False, False, False, '')


@ -32,7 +32,7 @@ class UserNamespaceTestParse(AATest):
('deny userns,', UserNamespaceRule(UserNamespaceRule.ALL, False, True, False, '')),
('audit allow userns,', UserNamespaceRule(UserNamespaceRule.ALL, True, False, True, '')),
('userns create, # cmt', UserNamespaceRule(('create'), False, False, False, ' # cmt')),
)
)
def _run_test(self, rawrule, expected):
self.assertTrue(UserNamespaceRule.match(rawrule))
@ -85,6 +85,7 @@ class InvalidUserNamespaceInit(AATest):
with self.assertRaises(TypeError):
UserNamespaceRule()
class WriteUserNamespaceTestAATest(AATest):
tests = (
# raw rule clean rule


@ -298,6 +298,7 @@ class VariableCoveredTest_Invalid(AATest):
def test_invalid_is_covered_3(self):
raw_rule = '@{foo} = /bar'
class SomeOtherClass(VariableRule):
pass
@ -308,6 +309,7 @@ class VariableCoveredTest_Invalid(AATest):
def test_invalid_is_equal(self):
raw_rule = '@{foo} = /bar'
class SomeOtherClass(VariableRule):
pass