spread: Add support for EXPECT_DENIALS in profile tests

Introduce the EXPECT_DENIALS environment variable for profile tests.
Each line of EXPECT_DENIALS is a regex that must match at least one AppArmor
denial logged for the corresponding test, and every logged denial must match at least one of those regexes.

This ensures that problematic behaviors are correctly blocked and logged.

Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
This commit is contained in:
Maxime Bélair 2025-01-31 07:56:14 +01:00
parent 54561af112
commit fc3f27e255


@ -191,11 +191,39 @@ suites:
# Check if running the test resulted in any logged denials.
if dmesg | grep DENIED > denials.txt; then
echo "Denials were emitted during the test"
cat denials.txt
exit 1
fi
if [ -z "${EXPECT_DENIALS:-}" ]; then
echo "Denials were emitted during the test."
cat denials.txt
exit 1
else
readarray -t regexes <<< $(printf "%b" "$EXPECT_DENIALS")
declare -a found_regex_array
# Check if all generated denials match the expected ones
while read denial; do
found=0
for i in "${!regexes[@]}"; do
if grep -E -q "${regexes[i]}" <<< "$denial"; then
found_regex_array[$i]=1
found=1
fi
done
if [ $found -eq 0 ]; then
echo "Unexpected denial: $denial"
exit 1
fi
done <denials.txt
# Check if all denials correspond to a regex
for i in "${!regexes[@]}"; do
if [ -z ${found_regex_array[$i]:-} ] ; then
echo "Exected denial ${regexes[i]} was not found"
exit 1
fi
done
fi
fi
debug-each: |
echo "PROGRAM_NAME=${PROGRAM_NAME:=$(basename "$SPREAD_TASK")}"
command -v "$PROGRAM_NAME"
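Review bot: An empty line in EXPECT_DENIALS makes every denial count as expected, because `grep -E -q ""` at the `grep -E -q "${regexes[i]}"` line matches any input, so a stray blank or trailing line in the variable silently disables the "Unexpected denial" check; skip such entries inside the inner `for` with `[ -n "${regexes[i]}" ] || continue`. The `while read denial; do` loop should be `while IFS= read -r denial; do`, since without `-r` backslash sequences in the logged denial text are interpreted before the regex is applied, and the test on the found array should quote its operand, `if [ -z "${found_regex_array[$i]:-}" ]; then`, rather than relying on the one-argument form of `[ -z ]` happening to return true. The message at the `echo "Exected denial ..."` line has a typo ("Expected"). The enclosing `execute:` block of this suite starts before the hunk, so I cannot tell whether `set -e` or `pipefail` is in effect for the `dmesg | grep DENIED` pipeline.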