From fc3f27e2557aee15004ad32ec706d0f160f496c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maxime=20B=C3=A9lair?=
Date: Fri, 31 Jan 2025 07:56:14 +0100
Subject: [PATCH] spread: Add support for EXPECT_DENIALS in profile tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Introduce the EXPECT_DENIALS environment variable for profile tests. Each line of EXPECT_DENIALS is a regex that must match an AppArmor denial for the corresponding test, and conversely. This ensures that problematic behaviors are correctly blocked and logged.

Signed-off-by: Maxime BĂ©lair
---
 spread.yaml | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/spread.yaml b/spread.yaml
index 556f494c6..586d61d31 100644
--- a/spread.yaml
+++ b/spread.yaml
@@ -191,11 +191,39 @@ suites:
 # Check if running the test resulted in any logged denials.
 if dmesg | grep DENIED > denials.txt; then
- echo "Denials were emitted during the test"
- cat denials.txt
- exit 1
- fi
+ if [ -z "${EXPECT_DENIALS:-}" ]; then
+ echo "Denials were emitted during the test."
+ cat denials.txt
+ exit 1
+ else
+ readarray -t regexes <<< $(printf "%b" "$EXPECT_DENIALS")
+ declare -a found_regex_array
+ # Check if all generated denials match the expected ones
+ while read denial; do
+ found=0
+ for i in "${!regexes[@]}"; do
+ if grep -E -q "${regexes[i]}" <<< "$denial"; then
+ found_regex_array[$i]=1
+ found=1
+ fi
+ done
+
+ if [ $found -eq 0 ]; then
+ echo "Unexpected denial: $denial"
+ exit 1
+ fi
+ done