... and add some tests for other error conditions that don't imply
nested children, so that the intended failure gets tested.
(This is probably a leftover of the `hat == profile` -> `hat = None`
(while not in a hat/child profile) change.)
... and make them class functions of ProfileStorage.
parse_profile_start_to_storage() gets renamed to parse().
Also move the tests for parse_profile_start() and
parse_profile_start_to_storage() to test-profile-storage.py.
The 'profile' flag means "this profile is a profile or a child profile,
but not a hat". Since that's true for most cases, rename the flag to
'is_hat'.
Note that `'profile' == True` translates to `'is_hat' == False`.
Also adjust all code to switch from 'profile' to 'is_hat'.
This value is True if we are in a child profile (not: hat), but that's
information we get "for free", so there's no need to hand it around.
Besides that, it was wrongly set to False for main profiles (which are
not hats).
Remove the pps_set_profile return value from parse_profile_start(), and
always assume True unless we were parsing a hat. For completeness,
explicitly set it to False when parsing a hat.
To make sure child profiles and hats don't get mixed up, add a child
profile to cleanprof_test.{in,out}.
test-libapparmor-test_multi.py always interpreted foo//bar as being
a hat, therefore explicitly mark them as such. (Technically not really
needed since this is the default, but it helps to make things clear.)
... and adjust all callers and the tests.
For bonus points ;-) this also removes a hasher usage, and extends the
test to check that only the expected profile gets created.
Add a prof_storage parameter to add_profile() to hand over the actual
profile data/rules as ProfileStorage.
Also adjust several tests to hand over a (dummy) ProfileStorage object.
Note: For now, the parameter is optional because it needs some more changes
in aa.py to be really useable. This will change in a later commit.
... instead of the old [profile][hat] structure.
This needs changes in do_logprof_pass() when calling ask_the_questions()
(using merged_to_split() for now).
Also adjust test-libapparmor-test_multi.py logfile_to_profile() to
expect the merged structure.
... instead of the old [profile][hat] structure.
This needs changes in read_profile() (now using the merged profile name)
and attach_profile_data() (using merged_to_split() for now).
Also adjust test-aa.py to expect the merged structure.
Change parse_profile_data() to internally use merged profile names
(`foo//bar`) instead of separate profile and hat, and only split it up
again to the [profile][hat] layout at the very end with
merged_to_split().
A nice side effect is that we get rid of a hasher() usage.
parse_profile_data() also gets changed to use `hat = None` (instead of
`hat = profile`) if not inside a child profile. As a result,
parse_profile_start() and one of its tests need a small change.
Besides that small change, calling code should not see a difference, and
the tests also stay working.
... by adding some new tests, and by marking two lines as "pragma: no
branch" because I didn't find a testcase that doesn't let them continue
with the next line.
Finally, remove severity.py from the "not 100% covered" list in
test/Makefile.
Add tests with invalid type to ensure error handling works as expected.
Merge branch 'cboltz/cboltz-profile-storage-tests'
[Fixed conflict with prior change to utils/test/test-profile-storage.py]
Acked-by: Steve Beattie <steve@nxnw.org>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/735
Also adjust the calling code to use get_header() instead of
write_header().
Finally, move the tests to test-profile-storage.py and do a few
adjustments needed by the change. Part of these adjustments is to hand
over empty params with the correct type instead of just "None".
This needed several changes because so far data for all includes was
stored in include[]. However, preamble data for everything else gets
stored in active_profiles (and with this commit, preamble includes also
get stored in active_profiles).
The needed changes to store preamble includes in active_profiles are:
* include_list_recursive(): add and honor in_preamble flag
* add this flag at several places calling include_list_recursive() for
  a preamble
* parse_profile_data(): call active_profiles.init_file() for all files.
  Before, empty/comment-only files weren't (indirectly) added to
  active_profiles because none of the add_$ruletype functions was
  called, which could lead to KeyErrors for comment-only preamble include
  files (prevented by the now-obsolete and removed check in
  get_all_merged_variables()).
in_preamble keeps track of the current parsing position.
It's True while parsing the preamble of a profile file, and when loading
an include file that is included in the preamble (typically tunables/*).
While inside a profile or parsing abstractions/*, it is False.
This commit only hands the information around and keeps in_preamble
updated, but it doesn't really get used yet.
Also adjust the tests to hand over the additional parameter to
parse_profile_data().
Since loadincludes() now only loads a specified list of subdirectories,
we no longer need a directory blacklist.
The only possibly remaining part are .git subdirectories (for example
tunables/.git or abstractions/.git). Since it's very unlikely that
someone would have only a subdirectory of /etc/apparmor.d/ in git, drop
that check.
in_contained_hat is needed to know if we are already in a profile or
not. (Simply checking if we are in a hat doesn't work, because something
like "profile foo//bar" will set profile and hat at once, and later
(wrongfully) expect another "}".)
However, the way this variable was set became too complicated.
To simplify the code, set in_contained_hat directly in
parse_profile_data() RE_PROFILE_START instead of returning it via
parse_profile_start() and parse_profile_start_to_storage().
Since this change removes a return value from two functions, also adjust
the tests accordingly.
parse_profile_start_to_storage() converts the result of
parse_profile_start() into a ProfileStorage object.
No functional change, but parse_profile_data() becomes more readable.
Also extend tests to cover parse_profile_start_to_storage().
... to find regressions or improvements in the python code coverage.
`make coverage-regression` will error out if a file loses its 100%
coverage, or if a file improved to 100% coverage.
Other coverage changes (for example 45% -> 47%) will be ignored.
To get them running in the CI,
* call them with `--configdir ./`
* skip testing `aa-unconfined` if securityfs is not available
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/696
Acked-by: John Johansen <john.johansen@canonical.com>
... to ensure that it errors out if a wrong parameter type is given.
This also increases the test coverage of ProfileList to 100%.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/694
Acked-by: John Johansen <john.johansen@canonical.com>
Add the BooleanRule and BooleanRuleset classes, add handling of boolean variable definitions in ProfileList and adjust `parse_profile_data()` to use BooleanRule. As usual, add tests for the added code.
See the individual commits for the details.
Note that this MR is also a bugfix - the previous code (in 3.0 and master) saved boolean variables at a wrong place, and they were silently lost when writing the profile.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/693
Acked-by: John Johansen <john.johansen@canonical.com>
... and save rules at the right place (ProfileList) where they actually
get written when writing the profile.
This is also a bugfix - the previous code saved boolean variables at a
wrong place, and they were silently lost when writing the profile.
Extend cleanprof_test.{in,out} to ensure that this doesn't break again.
Also remove boolean_bad_[2-4] from the test-parser-simple-tests.py
exception_not_raised list because these test profiles now get correctly
detected as invalid.
These two classes are meant to handle the definition of boolean rules
like `$foo = true`.
Also extend RE_PROFILE_BOOLEAN to provide named matches.
As usual, add tests for the new classes.
With the exception of the documentation fixes, these should all be
invisible to users.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
Since this option is mostly meant for testing, it will not show up in `--help`.
`aa-notify` was the only tool that honored the `__AA_CONFDIR` env variable. Drop it in favor of the `--configdir` option.
Note: Since we now pass `confdir=` to `init_aa()` (in most cases `None`), setting the default needs to be moved inside the function.
Also use `--configdir` in the tests.
See the individual commits for details.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/670
Acked-by: John Johansen <john.johansen@canonical.com>
This is needed to catch conflicts between uppercase and lowercase
hotkeys of the same letter, as seen with `(B)enannt` and `A(b)lehnen` in
the German utils translations.
utils/test/test-aa-notify.py:
Change `AANotifyTest.test_entries_since_login()` to be decorated by a
`skipUnless()` checking for existence of **/var/log/wtmp** (similar to
`AANotifyTest.test_entries_since_login_verbose()`).
The test otherwise fails trying to access /var/log/wtmp in environments
where the file is not available.
Fixes #120