mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
spread: Add support for EXPECT_DENIALS in profile tests
Introduce the EXPECT_DENIALS environment variable for profile tests. Each line of EXPECT_DENIALS is a regex that must match at least one AppArmor denial logged by the corresponding test, and every logged denial must match at least one of the regexes. This ensures that problematic behaviors are correctly blocked and logged. Signed-off-by: Maxime Bélair <maxime.belair@canonical.com>
parent
54561af112
commit
fc3f27e255
1 changed files with 32 additions and 4 deletions
36
spread.yaml
36
spread.yaml
|
@ -191,11 +191,39 @@ suites:
|
|||
|
||||
# Check if running the test resulted in any logged denials.
|
||||
if dmesg | grep DENIED > denials.txt; then
|
||||
echo "Denials were emitted during the test"
|
||||
cat denials.txt
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "${EXPECT_DENIALS:-}" ]; then
|
||||
echo "Denials were emitted during the test."
|
||||
cat denials.txt
|
||||
exit 1
|
||||
else
|
||||
readarray -t regexes <<< $(printf "%b" "$EXPECT_DENIALS")
|
||||
declare -a found_regex_array
|
||||
|
||||
# Check if all generated denials match the expected ones
|
||||
while read denial; do
|
||||
found=0
|
||||
for i in "${!regexes[@]}"; do
|
||||
if grep -E -q "${regexes[i]}" <<< "$denial"; then
|
||||
found_regex_array[$i]=1
|
||||
found=1
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $found -eq 0 ]; then
|
||||
echo "Unexpected denial: $denial"
|
||||
exit 1
|
||||
fi
|
||||
done <denials.txt
|
||||
|
||||
# Check if all denials correspond to a regex
|
||||
for i in "${!regexes[@]}"; do
|
||||
if [ -z ${found_regex_array[$i]:-} ] ; then
|
||||
echo "Exected denial ${regexes[i]} was not found"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
debug-each: |
|
||||
echo "PROGRAM_NAME=${PROGRAM_NAME:=$(basename "$SPREAD_TASK")}"
|
||||
command -v "$PROGRAM_NAME"
|
||||
|
|
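Review bot: When EXPECT_DENIALS is set but the test logs no denial at all, `grep DENIED` exits non-zero, the body of the outer `if dmesg | grep DENIED > denials.txt` is skipped, and the "expected denial was not found" loop never runs, so a profile that stops blocking the behaviour still passes. Adding a branch before the final `fi`, `elif [ -n "${EXPECT_DENIALS:-}" ]; then echo "Expected denials were not logged"; exit 1`, would close that gap. A blank line inside EXPECT_DENIALS also becomes an empty entry in `regexes`, and `grep -E -q ""` matches every denial, so the allow-list would accept anything; skipping empty entries with `[ -n "${regexes[i]}" ] || continue` at the top of both `for` loops avoids that. The here-string on the `readarray` line is better quoted, `<<< "$(printf "%b" "$EXPECT_DENIALS")"`, since older bash releases word-split an unquoted here-string and would merge the lines into one regex.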