def test_delete_duplicates_3(self):
    # An 'audit' rule added to the profile must survive deduplication against
    # an include that only carries the non-audit form of the same capability;
    # the expected delete count is therefore 0.
    # self.ruleset is a fixture prepared outside this method.
    self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))

    include_rules = CapabilityRuleset()
    for raw in ('capability dac_override,',):
        include_rules.add(CapabilityRule.parse(raw))

    # The leading whitespace is what get_raw(1) / get_clean(1) are expected
    # to emit (the argument is presumably the indent depth -- confirm).
    want_raw = [
        ' capability chown,',
        ' allow capability sys_admin,',
        ' deny capability chgrp, # example comment',
        ' audit capability dac_override,',
        '',
    ]
    want_clean = [
        ' deny capability chgrp, # example comment',
        '',
        ' allow capability sys_admin,',
        ' audit capability dac_override,',
        ' capability chown,',
        '',
    ]

    removed = self.ruleset.delete_duplicates(include_rules)
    self.assertEqual(removed, 0)
    self.assertEqual(want_raw, self.ruleset.get_raw(1))
    self.assertEqual(want_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_3(self):
    # An 'audit' rule added to the profile must survive deduplication against
    # an include that only carries the non-audit form of the same capability;
    # the expected delete count is therefore 0.
    # self.ruleset is a fixture prepared outside this method.
    self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))

    include_rules = CapabilityRuleset()
    for raw in ('capability dac_override,',):
        include_rules.add(CapabilityRule.parse(raw))

    # The leading whitespace is what get_raw(1) / get_clean(1) are expected
    # to emit (the argument is presumably the indent depth -- confirm).
    want_raw = [
        ' capability chown,',
        ' allow capability sys_admin,',
        ' deny capability chgrp, # example comment',
        ' audit capability dac_override,',
        '',
    ]
    want_clean = [
        ' deny capability chgrp, # example comment',
        '',
        ' allow capability sys_admin,',
        ' audit capability dac_override,',
        ' capability chown,',
        '',
    ]

    removed = self.ruleset.delete_duplicates(include_rules)
    self.assertEqual(removed, 0)
    self.assertEqual(want_raw, self.ruleset.get_raw(1))
    self.assertEqual(want_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_4(self):
    # Deduplicate the fixture ruleset (prepared outside this method) against
    # an include that holds the bare 'capability,' rule.
    # The expectations pin the result as currently observed: one rule is
    # reported deleted, while 'allow capability sys_admin,' stays in the
    # output. The XXX markers below record that the author expected it to
    # be removed as well.
    include_rules = CapabilityRuleset()
    for raw in ('capability,',):
        include_rules.add(CapabilityRule.parse(raw))

    want_raw = [
        ' allow capability sys_admin,',  # XXX huh? should be deleted!
        ' deny capability chgrp, # example comment',
        '',
    ]
    want_clean = [
        ' deny capability chgrp, # example comment',
        '',
        ' allow capability sys_admin,',  # XXX huh? should be deleted!
        '',
    ]

    removed = self.ruleset.delete_duplicates(include_rules)
    self.assertEqual(removed, 1)
    self.assertEqual(want_raw, self.ruleset.get_raw(1))
    self.assertEqual(want_clean, self.ruleset.get_clean(1))
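def _check_invalid_rawrule(self, rawrule):
    """Assert that *rawrule* is rejected as a capability rule.

    The rule text must make CapabilityRule.parse() raise AppArmorException,
    must not be recognised by CapabilityRule.match(), and must not leave a
    rule object behind.

    Args:
        rawrule: the rule text that is expected to be invalid.
    """
    obj = None
    with self.assertRaises(AppArmorException):
        # parse() is called directly: the other helpers in this file use its
        # return value as the rule object, so wrapping it in CapabilityRule(...)
        # would pass a rule object to the constructor. If parse() ever
        # accepted the input, that wrapper could raise from the constructor
        # instead of letting the assertions below report the problem.
        obj = CapabilityRule.parse(rawrule)

    self.assertFalse(CapabilityRule.match(rawrule))
    # obj is rebound only if parse() returned, so it must still be None here.
    self.assertIsNone(obj, 'CapbilityRule handed back an object unexpectedly')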
def test_ruleset_2(self):
    # Round-trip three rules (plain, explicit allow, deny with a trailing
    # comment) through a fresh ruleset. get_raw(1) is expected to keep the
    # insertion order; get_clean(1) is expected to list the deny rule first,
    # followed by an empty line and the remaining rules sorted.
    want_raw = [
        ' capability chown,',
        ' allow capability sys_admin,',
        ' deny capability chgrp, # example comment',
        '',
    ]
    want_clean = [
        ' deny capability chgrp, # example comment',
        '',
        ' allow capability sys_admin,',
        ' capability chown,',
        '',
    ]

    ruleset = CapabilityRuleset()
    for raw in (
        'capability chown,',
        'allow capability sys_admin,',
        'deny capability chgrp, # example comment',
    ):
        ruleset.add(CapabilityRule.parse(raw))

    self.assertEqual(want_raw, ruleset.get_raw(1))
    self.assertEqual(want_clean, ruleset.get_clean(1))
def test_delete_duplicates_4(self):
    # Deduplicate the fixture ruleset (prepared outside this method) against
    # an include that holds the bare 'capability,' rule.
    # The expectations pin the result as currently observed: one rule is
    # reported deleted, while 'allow capability sys_admin,' stays in the
    # output. The XXX markers below record that the author expected it to
    # be removed as well.
    include_rules = CapabilityRuleset()
    for raw in ('capability,',):
        include_rules.add(CapabilityRule.parse(raw))

    want_raw = [
        ' allow capability sys_admin,',  # XXX huh? should be deleted!
        ' deny capability chgrp, # example comment',
        '',
    ]
    want_clean = [
        ' deny capability chgrp, # example comment',
        '',
        ' allow capability sys_admin,',  # XXX huh? should be deleted!
        '',
    ]

    removed = self.ruleset.delete_duplicates(include_rules)
    self.assertEqual(removed, 1)
    self.assertEqual(want_raw, self.ruleset.get_raw(1))
    self.assertEqual(want_clean, self.ruleset.get_clean(1))
def test_invalid_is_equal(self):
    # Comparing a capability rule with an object of another rule type is a
    # programming error: is_equal() is expected to raise AppArmorBug rather
    # than return a verdict.
    capability_rule = CapabilityRule.parse('capability sys_admin,')
    other = BaseRule()  # different type
    with self.assertRaises(AppArmorBug):
        capability_rule.is_equal(other)
def _check_invalid_rawrule(self, rawrule):
    """Assert that *rawrule* is rejected as a capability rule.

    The rule text must make CapabilityRule.parse() raise AppArmorException,
    must not be recognised by CapabilityRule.match(), and must not leave a
    rule object behind.

    Args:
        rawrule: the rule text that is expected to be invalid.
    """
    parsed = None
    with self.assertRaises(AppArmorException):
        parsed = CapabilityRule.parse(rawrule)

    self.assertFalse(CapabilityRule.match(rawrule))
    # parsed is rebound only if parse() returned, so it must still be None.
    self.assertIsNone(parsed, 'CapbilityRule handed back an object unexpectedly')
def test_ruleset_2(self):
    # Round-trip three rules (plain, explicit allow, deny with a trailing
    # comment) through a fresh ruleset. get_raw(1) is expected to keep the
    # insertion order; get_clean(1) is expected to list the deny rule first,
    # followed by an empty line and the remaining rules sorted.
    want_raw = [
        ' capability chown,',
        ' allow capability sys_admin,',
        ' deny capability chgrp, # example comment',
        '',
    ]
    want_clean = [
        ' deny capability chgrp, # example comment',
        '',
        ' allow capability sys_admin,',
        ' capability chown,',
        '',
    ]

    ruleset = CapabilityRuleset()
    for raw in (
        'capability chown,',
        'allow capability sys_admin,',
        'deny capability chgrp, # example comment',
    ):
        ruleset.add(CapabilityRule.parse(raw))

    self.assertEqual(want_raw, ruleset.get_raw(1))
    self.assertEqual(want_clean, ruleset.get_clean(1))
def test_invalid_is_equal(self):
    # Comparing a capability rule with an object of another rule type is a
    # programming error: is_equal() is expected to raise AppArmorBug rather
    # than return a verdict.
    capability_rule = CapabilityRule.parse('capability sys_admin,')
    other = BaseRule()  # different type
    with self.assertRaises(AppArmorBug):
        capability_rule.is_equal(other)
def _compare_obj_with_rawrule(self, rawrule, expected):
    """Parse *rawrule* and check the resulting object against *expected*.

    Also asserts that CapabilityRule.match() recognises the text and that
    the object's raw_rule equals the input with surrounding whitespace
    stripped.

    Args:
        rawrule: rule text to parse.
        expected: expected values, passed through unchanged to
            self._compare_obj (defined outside this method).
    """
    parsed = CapabilityRule.parse(rawrule)

    self.assertTrue(CapabilityRule.match(rawrule))
    self.assertEqual(rawrule.strip(), parsed.raw_rule)
    self._compare_obj(parsed, expected)
def test_borked_obj_is_covered(self):
    # A rule whose capability container was emptied after construction is an
    # inconsistent object. is_covered() is expected to raise AppArmorBug for
    # it instead of returning a coverage verdict.
    reference = CapabilityRule.parse('capability sys_admin,')

    broken = CapabilityRule('chown')
    broken.capability.clear()

    with self.assertRaises(AppArmorBug):
        reference.is_covered(broken)
def _check_write_rule(self, rawrule, cleanrule):
    """Check how a parsed rule is written back in clean and raw form.

    Args:
        rawrule: rule text to parse; get_raw() must return it stripped of
            surrounding whitespace.
        cleanrule: expected get_clean() output, compared after stripping
            surrounding whitespace.
    """
    parsed = CapabilityRule.parse(rawrule)
    clean_text = parsed.get_clean()
    raw_text = parsed.get_raw()

    self.assertTrue(CapabilityRule.match(rawrule))
    self.assertEqual(cleanrule.strip(), clean_text, 'unexpected clean rule')
    self.assertEqual(rawrule.strip(), raw_text, 'unexpected raw rule')
def _compare_obj_with_rawrule(self, rawrule, expected):
    """Parse *rawrule* and check the resulting object against *expected*.

    Also asserts that CapabilityRule.match() recognises the text and that
    the object's raw_rule equals the input with surrounding whitespace
    stripped.

    Args:
        rawrule: rule text to parse.
        expected: expected values, passed through unchanged to
            self._compare_obj (defined outside this method).
    """
    parsed = CapabilityRule.parse(rawrule)

    self.assertTrue(CapabilityRule.match(rawrule))
    self.assertEqual(rawrule.strip(), parsed.raw_rule)
    self._compare_obj(parsed, expected)
def _check_write_rule(self, rawrule, cleanrule):
    """Check how a parsed rule is written back in clean and raw form.

    Args:
        rawrule: rule text to parse; get_raw() must return it stripped of
            surrounding whitespace.
        cleanrule: expected get_clean() output, compared after stripping
            surrounding whitespace.
    """
    parsed = CapabilityRule.parse(rawrule)
    clean_text = parsed.get_clean()
    raw_text = parsed.get_raw()

    self.assertTrue(CapabilityRule.match(rawrule))
    self.assertEqual(cleanrule.strip(), clean_text, 'unexpected clean rule')
    self.assertEqual(rawrule.strip(), raw_text, 'unexpected raw rule')
def test_borked_obj_is_covered(self):
    # A rule whose capability container was emptied after construction is an
    # inconsistent object. is_covered() is expected to raise AppArmorBug for
    # it instead of returning a coverage verdict.
    reference = CapabilityRule.parse('capability sys_admin,')

    broken = CapabilityRule('chown')
    broken.capability.clear()

    with self.assertRaises(AppArmorBug):
        reference.is_covered(broken)
def test_covered_deny_2(self):
    # Via the _is_covered helper (defined outside this method), a
    # 'deny capability sys_admin,' rule is expected to cover only the
    # identical deny rule. The audit variant, the non-deny rule for the same
    # capability, a deny for another capability and the deny-all form must
    # all be reported as not covered.
    deny_rule = CapabilityRule.parse('deny capability sys_admin,')

    self.assertTrue(self._is_covered(deny_rule, 'deny capability sys_admin,'))

    for not_covered in (
        'audit deny capability sys_admin,',
        'capability sys_admin,',
        'deny capability chown,',
        'deny capability,',
    ):
        self.assertFalse(self._is_covered(deny_rule, not_covered))
def test_covered_check_audit(self):
    # With the _is_covered_exact helper (defined outside this method), an
    # 'audit capability sys_admin,' rule is expected to cover only the
    # identical audit rule. The same capability without 'audit' does not
    # count as covered, and neither do the wider or unrelated rules below.
    audited = CapabilityRule.parse('audit capability sys_admin,')

    # Each row: (rule text, assertion applied to the helper's result).
    cases = (
        ('capability sys_admin,', self.assertFalse),
        ('audit capability sys_admin,', self.assertTrue),
        ('audit capability,', self.assertFalse),
        ('capability chown,', self.assertFalse),
        ('capability,', self.assertFalse),
    )
    for rule_text, check in cases:
        check(self._is_covered_exact(audited, rule_text))
def test_covered_check_audit(self):
    # With the _is_covered_exact helper (defined outside this method), an
    # 'audit capability sys_admin,' rule is expected to cover only the
    # identical audit rule. The same capability without 'audit' does not
    # count as covered, and neither do the wider or unrelated rules below.
    audited = CapabilityRule.parse('audit capability sys_admin,')

    # Each row: (rule text, assertion applied to the helper's result).
    cases = (
        ('capability sys_admin,', self.assertFalse),
        ('audit capability sys_admin,', self.assertTrue),
        ('audit capability,', self.assertFalse),
        ('capability chown,', self.assertFalse),
        ('capability,', self.assertFalse),
    )
    for rule_text, check in cases:
        check(self._is_covered_exact(audited, rule_text))
def test_covered_deny_2(self):
    # Via the _is_covered helper (defined outside this method), a
    # 'deny capability sys_admin,' rule is expected to cover only the
    # identical deny rule. The audit variant, the non-deny rule for the same
    # capability, a deny for another capability and the deny-all form must
    # all be reported as not covered.
    deny_rule = CapabilityRule.parse('deny capability sys_admin,')

    self.assertTrue(self._is_covered(deny_rule, 'deny capability sys_admin,'))

    for not_covered in (
        'audit deny capability sys_admin,',
        'capability sys_admin,',
        'deny capability chown,',
        'deny capability,',
    ):
        self.assertFalse(self._is_covered(deny_rule, not_covered))
def test_covered_all(self):
    # The bare 'capability,' rule is expected to cover every specific
    # capability rule, multi-capability rules in either order, and itself.
    # It must not cover 'audit capability,': the audit qualifier is not
    # implied by the non-audit rule.
    allow_all = CapabilityRule.parse('capability,')

    for covered in (
        'capability sys_admin,',
        'capability audit_write,',
        'capability audit_write sys_admin,',
        'capability sys_admin audit_write,',
        'capability,',
    ):
        self.assertTrue(self._is_covered(allow_all, covered))

    self.assertFalse(self._is_covered(allow_all, 'audit capability,'))
def test_covered_all(self):
    # The bare 'capability,' rule is expected to cover every specific
    # capability rule, multi-capability rules in either order, and itself.
    # It must not cover 'audit capability,': the audit qualifier is not
    # implied by the non-audit rule.
    allow_all = CapabilityRule.parse('capability,')

    for covered in (
        'capability sys_admin,',
        'capability audit_write,',
        'capability audit_write sys_admin,',
        'capability sys_admin audit_write,',
        'capability,',
    ):
        self.assertTrue(self._is_covered(allow_all, covered))

    self.assertFalse(self._is_covered(allow_all, 'audit capability,'))
def AASetup(self):
    """Build the fixture ruleset stored in self.ruleset.

    The ruleset holds one plain rule, one rule with an explicit 'allow'
    keyword and one 'deny' rule with a trailing comment.
    """
    self.ruleset = CapabilityRuleset()

    for raw in (
        'capability chown,',
        'allow capability sys_admin,',
        'deny capability chgrp, # example comment',
    ):
        self.ruleset.add(CapabilityRule.parse(raw))
def AASetup(self):
    """Build the fixture ruleset stored in self.ruleset.

    The ruleset holds one plain rule, one rule with an explicit 'allow'
    keyword and one 'deny' rule with a trailing comment.
    """
    self.ruleset = CapabilityRuleset()

    for raw in (
        'capability chown,',
        'allow capability sys_admin,',
        'deny capability chgrp, # example comment',
    ):
        self.ruleset.add(CapabilityRule.parse(raw))
def test_equal(self):
    # Compare 'capability sys_admin,' with variants of itself. In strict mode
    # only the identical text is expected to be equal; in non-strict mode the
    # explicit 'allow' keyword is ignored, while 'audit' still makes the rules
    # differ.
    reference = CapabilityRule.parse('capability sys_admin,')

    # Each row: (rule text, strict flag, assertion applied to the result).
    cases = (
        ('capability sys_admin,', True, self.assertTrue),
        ('allow capability sys_admin,', True, self.assertFalse),
        # NOTE(review): this row repeats the previous one verbatim; possibly
        # a different rule was intended -- confirm.
        ('allow capability sys_admin,', True, self.assertFalse),
        ('audit capability sys_admin,', True, self.assertFalse),
        ('capability sys_admin,', False, self.assertTrue),
        ('allow capability sys_admin,', False, self.assertTrue),
        ('audit capability sys_admin,', False, self.assertFalse),
    )
    for rule_text, strict, check in cases:
        check(self._is_equal(reference, rule_text, strict))
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
    """Deduplicate a ruleset without an include and check the outcome.

    Args:
        rules: iterable of raw rule strings added to a fresh ruleset.
        expected_raw: expected get_raw(1) output after deduplication.
        expected_clean: expected get_clean(1) output after deduplication.
        expected_deleted: expected return value of delete_duplicates().
    """
    profile_rules = CapabilityRuleset()
    for raw in rules:
        profile_rules.add(CapabilityRule.parse(raw))

    # None is passed in place of an include ruleset (presumably so that only
    # duplicates inside the ruleset itself are removed -- confirm).
    removed = profile_rules.delete_duplicates(None)

    self.assertEqual(expected_raw, profile_rules.get_raw(1))
    self.assertEqual(expected_clean, profile_rules.get_clean(1))
    self.assertEqual(removed, expected_deleted)
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
    """Deduplicate a ruleset without an include and check the outcome.

    Args:
        rules: iterable of raw rule strings added to a fresh ruleset.
        expected_raw: expected get_raw(1) output after deduplication.
        expected_clean: expected get_clean(1) output after deduplication.
        expected_deleted: expected return value of delete_duplicates().
    """
    profile_rules = CapabilityRuleset()
    for raw in rules:
        profile_rules.add(CapabilityRule.parse(raw))

    # None is passed in place of an include ruleset (presumably so that only
    # duplicates inside the ruleset itself are removed -- confirm).
    removed = profile_rules.delete_duplicates(None)

    self.assertEqual(expected_raw, profile_rules.get_raw(1))
    self.assertEqual(expected_clean, profile_rules.get_clean(1))
    self.assertEqual(removed, expected_deleted)
def test_equal(self):
    # Compare 'capability sys_admin,' with variants of itself. In strict mode
    # only the identical text is expected to be equal; in non-strict mode the
    # explicit 'allow' keyword is ignored, while 'audit' still makes the rules
    # differ.
    reference = CapabilityRule.parse('capability sys_admin,')

    # Each row: (rule text, strict flag, assertion applied to the result).
    cases = (
        ('capability sys_admin,', True, self.assertTrue),
        ('allow capability sys_admin,', True, self.assertFalse),
        # NOTE(review): this row repeats the previous one verbatim; possibly
        # a different rule was intended -- confirm.
        ('allow capability sys_admin,', True, self.assertFalse),
        ('audit capability sys_admin,', True, self.assertFalse),
        ('capability sys_admin,', False, self.assertTrue),
        ('allow capability sys_admin,', False, self.assertTrue),
        ('audit capability sys_admin,', False, self.assertFalse),
    )
    for rule_text, strict, check in cases:
        check(self._is_equal(reference, rule_text, strict))
def test_ruleset_1(self):
    # Two plain rules in a fresh ruleset: get_raw() is expected to keep the
    # insertion order, get_clean() to return them sorted. Both outputs end
    # with an empty line and, called without an argument, carry no leading
    # indentation.
    want_raw = [
        'capability sys_admin,',
        'capability chown,',
        '',
    ]
    want_clean = [
        'capability chown,',
        'capability sys_admin,',
        '',
    ]

    ruleset = CapabilityRuleset()
    for raw in ('capability sys_admin,', 'capability chown,'):
        ruleset.add(CapabilityRule.parse(raw))

    self.assertEqual(want_raw, ruleset.get_raw())
    self.assertEqual(want_clean, ruleset.get_clean())
def test_ruleset_1(self):
    # Two plain rules in a fresh ruleset: get_raw() is expected to keep the
    # insertion order, get_clean() to return them sorted. Both outputs end
    # with an empty line and, called without an argument, carry no leading
    # indentation.
    want_raw = [
        'capability sys_admin,',
        'capability chown,',
        '',
    ]
    want_clean = [
        'capability chown,',
        'capability sys_admin,',
        '',
    ]

    ruleset = CapabilityRuleset()
    for raw in ('capability sys_admin,', 'capability chown,'):
        ruleset.add(CapabilityRule.parse(raw))

    self.assertEqual(want_raw, ruleset.get_raw())
    self.assertEqual(want_clean, ruleset.get_clean())
def test_ruleset_is_covered_1(self):
    # self.ruleset is a fixture prepared outside this method; a plain
    # 'capability chown,' rule is expected to be covered by it.
    candidate = CapabilityRule.parse('capability chown,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_24(self):
    # self.ruleset is a fixture prepared outside this method. Even with the
    # allow/deny comparison switched off (check_allow_deny=False), a
    # 'deny capability chown,' rule is expected not to be covered.
    candidate = CapabilityRule.parse('deny capability chown,')
    self.assertFalse(self.ruleset.is_covered(candidate, check_allow_deny=False))
def test_ruleset_is_covered_24(self):
    # self.ruleset is a fixture prepared outside this method. Even with the
    # allow/deny comparison switched off (check_allow_deny=False), a
    # 'deny capability chown,' rule is expected not to be covered.
    candidate = CapabilityRule.parse('deny capability chown,')
    self.assertFalse(self.ruleset.is_covered(candidate, check_allow_deny=False))
def test_ruleset_is_covered_18(self):
    # self.ruleset is a fixture prepared outside this method; an
    # 'audit capability kill,' rule is expected to be covered by it.
    candidate = CapabilityRule.parse('audit capability kill,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_22(self):
    # self.ruleset is a fixture prepared outside this method; with the
    # default checks, a plain 'capability chgrp,' rule is expected not to be
    # covered by it.
    candidate = CapabilityRule.parse('capability chgrp,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_10(self):
    # self.ruleset is a fixture prepared outside this method; a
    # 'deny capability sys_admin,' rule is expected not to be covered by it.
    candidate = CapabilityRule.parse('deny capability sys_admin,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_22(self):
    # self.ruleset is a fixture prepared outside this method; with the
    # default checks, a plain 'capability chgrp,' rule is expected not to be
    # covered by it.
    candidate = CapabilityRule.parse('capability chgrp,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def _is_equal(self, obj, rule_to_test, strict):
    """Return obj.is_equal() for the rule parsed from *rule_to_test*.

    Asserts first that CapabilityRule.match() recognises the rule text.

    Args:
        obj: rule object whose is_equal() is called.
        rule_to_test: rule text that is parsed into the comparison object.
        strict: passed through unchanged as is_equal()'s second argument.
    """
    self.assertTrue(CapabilityRule.match(rule_to_test))

    other = CapabilityRule.parse(rule_to_test)
    return obj.is_equal(other, strict)
def test_ruleset_is_covered_17(self):
    # self.ruleset is a fixture prepared outside this method; an
    # 'audit capability setgid,' rule is expected not to be covered by it.
    candidate = CapabilityRule.parse('audit capability setgid,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def _is_covered_exact(self, obj, rule_to_test):
    """Return obj.is_covered() for *rule_to_test* with both flags set to True.

    Asserts first that CapabilityRule.match() recognises the rule text.

    Args:
        obj: rule object whose is_covered() is called.
        rule_to_test: rule text that is parsed into the candidate rule.
    """
    self.assertTrue(CapabilityRule.match(rule_to_test))

    candidate = CapabilityRule.parse(rule_to_test)
    # NOTE(review): the two positional True values presumably switch on the
    # allow/deny and audit comparisons -- confirm against is_covered().
    return obj.is_covered(candidate, True, True)
def test_ruleset_is_covered_18(self):
    # self.ruleset is a fixture prepared outside this method; an
    # 'audit capability kill,' rule is expected to be covered by it.
    candidate = CapabilityRule.parse('audit capability kill,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_19(self):
    # self.ruleset is a fixture prepared outside this method; a
    # 'deny capability chgrp,' rule is expected to be covered by it.
    candidate = CapabilityRule.parse('deny capability chgrp,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_3(self):
    # self.ruleset is a fixture prepared outside this method; an
    # 'allow capability sys_admin,' rule is expected to be covered by it.
    candidate = CapabilityRule.parse('allow capability sys_admin,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_16(self):
    # self.ruleset is a fixture prepared outside this method; an audited rule
    # naming two capabilities ('sys_admin chown') is expected not to be
    # covered by it.
    candidate = CapabilityRule.parse('audit capability sys_admin chown,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_6(self):
    # self.ruleset is a fixture prepared outside this method; a rule naming
    # both setgid and setuid is expected to be covered by it.
    candidate = CapabilityRule.parse('capability setgid setuid,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_23(self):
    # self.ruleset is a fixture prepared outside this method. With the
    # allow/deny comparison switched off (check_allow_deny=False), a plain
    # 'capability chgrp,' rule is expected to be covered.
    candidate = CapabilityRule.parse('capability chgrp,')
    self.assertTrue(self.ruleset.is_covered(candidate, check_allow_deny=False))
def test_ruleset_is_covered_13(self):
    # self.ruleset is a fixture prepared outside this method; a
    # 'deny capability kill,' rule is expected not to be covered by it.
    candidate = CapabilityRule.parse('deny capability kill,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_16(self):
    # self.ruleset is a fixture prepared outside this method; an audited rule
    # naming two capabilities ('sys_admin chown') is expected not to be
    # covered by it.
    candidate = CapabilityRule.parse('audit capability sys_admin chown,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_17(self):
    # self.ruleset is a fixture prepared outside this method; an
    # 'audit capability setgid,' rule is expected not to be covered by it.
    candidate = CapabilityRule.parse('audit capability setgid,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_13(self):
    # self.ruleset is a fixture prepared outside this method; a
    # 'deny capability kill,' rule is expected not to be covered by it.
    candidate = CapabilityRule.parse('deny capability kill,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_19(self):
    # self.ruleset is a fixture prepared outside this method; a
    # 'deny capability chgrp,' rule is expected to be covered by it.
    candidate = CapabilityRule.parse('deny capability chgrp,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_10(self):
    # self.ruleset is a fixture prepared outside this method; a
    # 'deny capability sys_admin,' rule is expected not to be covered by it.
    candidate = CapabilityRule.parse('deny capability sys_admin,')
    self.assertFalse(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_23(self):
    # self.ruleset is a fixture prepared outside this method. With the
    # allow/deny comparison switched off (check_allow_deny=False), a plain
    # 'capability chgrp,' rule is expected to be covered.
    candidate = CapabilityRule.parse('capability chgrp,')
    self.assertTrue(self.ruleset.is_covered(candidate, check_allow_deny=False))
def test_ruleset_is_covered_6(self):
    # self.ruleset is a fixture prepared outside this method; a rule naming
    # both setgid and setuid is expected to be covered by it.
    candidate = CapabilityRule.parse('capability setgid setuid,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_1(self):
    # self.ruleset is a fixture prepared outside this method; a plain
    # 'capability chown,' rule is expected to be covered by it.
    candidate = CapabilityRule.parse('capability chown,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def test_ruleset_is_covered_3(self):
    # self.ruleset is a fixture prepared outside this method; an
    # 'allow capability sys_admin,' rule is expected to be covered by it.
    candidate = CapabilityRule.parse('allow capability sys_admin,')
    self.assertTrue(self.ruleset.is_covered(candidate))
def _is_equal(self, obj, rule_to_test, strict):
    """Return obj.is_equal() for the rule parsed from *rule_to_test*.

    Asserts first that CapabilityRule.match() recognises the rule text.

    Args:
        obj: rule object whose is_equal() is called.
        rule_to_test: rule text that is parsed into the comparison object.
        strict: passed through unchanged as is_equal()'s second argument.
    """
    self.assertTrue(CapabilityRule.match(rule_to_test))

    other = CapabilityRule.parse(rule_to_test)
    return obj.is_equal(other, strict)
def _is_covered_exact(self, obj, rule_to_test):
    """Return obj.is_covered() for *rule_to_test* with both flags set to True.

    Asserts first that CapabilityRule.match() recognises the rule text.

    Args:
        obj: rule object whose is_covered() is called.
        rule_to_test: rule text that is parsed into the candidate rule.
    """
    self.assertTrue(CapabilityRule.match(rule_to_test))

    candidate = CapabilityRule.parse(rule_to_test)
    # NOTE(review): the two positional True values presumably switch on the
    # allow/deny and audit comparisons -- confirm against is_covered().
    return obj.is_covered(candidate, True, True)