def test_delete_duplicates_3(self):
self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))
inc = CapabilityRuleset()
rules = [
'capability dac_override,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
' audit capability dac_override,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' audit capability dac_override,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_3(self):
self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))
inc = CapabilityRuleset()
rules = [
'capability dac_override,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
' audit capability dac_override,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' audit capability dac_override,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_4(self):
inc = CapabilityRuleset()
rules = [
'capability,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,', # XXX huh? should be deleted!
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def _check_invalid_rawrule(self, rawrule):
obj = None
with self.assertRaises(AppArmorException):
obj = CapabilityRule(CapabilityRule.parse(rawrule))
self.assertFalse(CapabilityRule.match(rawrule))
self.assertIsNone(obj, 'CapbilityRule handed back an object unexpectedly')
def test_ruleset_2(self):
ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_delete_duplicates_4(self):
inc = CapabilityRuleset()
rules = [
'capability,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,', # XXX huh? should be deleted!
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_invalid_is_equal(self):
obj = CapabilityRule.parse('capability sys_admin,')
testobj = BaseRule() # different type
with self.assertRaises(AppArmorBug):
obj.is_equal(testobj)
def _check_invalid_rawrule(self, rawrule):
obj = None
with self.assertRaises(AppArmorException):
obj = CapabilityRule.parse(rawrule)
self.assertFalse(CapabilityRule.match(rawrule))
self.assertIsNone(obj, 'CapbilityRule handed back an object unexpectedly')
def test_ruleset_2(self):
ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_invalid_is_equal(self):
obj = CapabilityRule.parse('capability sys_admin,')
testobj = BaseRule() # different type
with self.assertRaises(AppArmorBug):
obj.is_equal(testobj)
def _compare_obj_with_rawrule(self, rawrule, expected):
obj = CapabilityRule.parse(rawrule)
self.assertTrue(CapabilityRule.match(rawrule))
self.assertEqual(rawrule.strip(), obj.raw_rule)
self._compare_obj(obj, expected)
def test_borked_obj_is_covered(self):
obj = CapabilityRule.parse('capability sys_admin,')
testobj = CapabilityRule('chown')
testobj.capability.clear()
with self.assertRaises(AppArmorBug):
obj.is_covered(testobj)
def _check_write_rule(self, rawrule, cleanrule):
obj = CapabilityRule.parse(rawrule)
clean = obj.get_clean()
raw = obj.get_raw()
self.assertTrue(CapabilityRule.match(rawrule))
self.assertEqual(cleanrule.strip(), clean, 'unexpected clean rule')
self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
def _compare_obj_with_rawrule(self, rawrule, expected):
obj = CapabilityRule.parse(rawrule)
self.assertTrue(CapabilityRule.match(rawrule))
self.assertEqual(rawrule.strip(), obj.raw_rule)
self._compare_obj(obj, expected)
def _check_write_rule(self, rawrule, cleanrule):
obj = CapabilityRule.parse(rawrule)
clean = obj.get_clean()
raw = obj.get_raw()
self.assertTrue(CapabilityRule.match(rawrule))
self.assertEqual(cleanrule.strip(), clean, 'unexpected clean rule')
self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
def test_borked_obj_is_covered(self):
obj = CapabilityRule.parse('capability sys_admin,')
testobj = CapabilityRule('chown')
testobj.capability.clear()
with self.assertRaises(AppArmorBug):
obj.is_covered(testobj)
def test_covered_deny_2(self):
obj = CapabilityRule.parse('deny capability sys_admin,')
self.assertTrue(self._is_covered(obj, 'deny capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'audit deny capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'deny capability chown,'))
self.assertFalse(self._is_covered(obj, 'deny capability,'))
def test_covered_check_audit(self):
obj = CapabilityRule.parse('audit capability sys_admin,')
self.assertFalse(self._is_covered_exact(obj, 'capability sys_admin,'))
self.assertTrue(self._is_covered_exact(obj, 'audit capability sys_admin,'))
self.assertFalse(self._is_covered_exact(obj, 'audit capability,'))
self.assertFalse(self._is_covered_exact(obj, 'capability chown,'))
self.assertFalse(self._is_covered_exact(obj, 'capability,'))
def test_covered_check_audit(self):
obj = CapabilityRule.parse('audit capability sys_admin,')
self.assertFalse(self._is_covered_exact(obj, 'capability sys_admin,'))
self.assertTrue(self._is_covered_exact(obj, 'audit capability sys_admin,'))
self.assertFalse(self._is_covered_exact(obj, 'audit capability,'))
self.assertFalse(self._is_covered_exact(obj, 'capability chown,'))
self.assertFalse(self._is_covered_exact(obj, 'capability,'))
def test_covered_deny_2(self):
obj = CapabilityRule.parse('deny capability sys_admin,')
self.assertTrue(self._is_covered(obj, 'deny capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'audit deny capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'deny capability chown,'))
self.assertFalse(self._is_covered(obj, 'deny capability,'))
def test_covered_all(self):
obj = CapabilityRule.parse('capability,')
self.assertTrue(self._is_covered(obj, 'capability sys_admin,'))
self.assertTrue(self._is_covered(obj, 'capability audit_write,'))
self.assertTrue(self._is_covered(obj, 'capability audit_write sys_admin,'))
self.assertTrue(self._is_covered(obj, 'capability sys_admin audit_write,'))
self.assertTrue(self._is_covered(obj, 'capability,'))
self.assertFalse(self._is_covered(obj, 'audit capability,'))
def test_covered_all(self):
obj = CapabilityRule.parse('capability,')
self.assertTrue(self._is_covered(obj, 'capability sys_admin,'))
self.assertTrue(self._is_covered(obj, 'capability audit_write,'))
self.assertTrue(self._is_covered(obj, 'capability audit_write sys_admin,'))
self.assertTrue(self._is_covered(obj, 'capability sys_admin audit_write,'))
self.assertTrue(self._is_covered(obj, 'capability,'))
self.assertFalse(self._is_covered(obj, 'audit capability,'))
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def test_equal(self):
obj = CapabilityRule.parse('capability sys_admin,')
self.assertTrue(self._is_equal(obj, 'capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', True))
self.assertTrue(self._is_equal(obj, 'capability sys_admin,', False))
self.assertTrue(self._is_equal(obj, 'allow capability sys_admin,', False))
self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', False))
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
obj = CapabilityRuleset()
for rule in rules:
obj.add(CapabilityRule.parse(rule))
deleted = obj.delete_duplicates(None)
self.assertEqual(expected_raw, obj.get_raw(1))
self.assertEqual(expected_clean, obj.get_clean(1))
self.assertEqual(deleted, expected_deleted)
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
obj = CapabilityRuleset()
for rule in rules:
obj.add(CapabilityRule.parse(rule))
deleted = obj.delete_duplicates(None)
self.assertEqual(expected_raw, obj.get_raw(1))
self.assertEqual(expected_clean, obj.get_clean(1))
self.assertEqual(deleted, expected_deleted)
def test_equal(self):
obj = CapabilityRule.parse('capability sys_admin,')
self.assertTrue(self._is_equal(obj, 'capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', True))
self.assertTrue(self._is_equal(obj, 'capability sys_admin,', False))
self.assertTrue(self._is_equal(obj, 'allow capability sys_admin,', False))
self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', False))
def test_ruleset_1(self):
ruleset = CapabilityRuleset()
rules = [
'capability sys_admin,',
'capability chown,',
]
expected_raw = [
'capability sys_admin,',
'capability chown,',
'',
]
expected_clean = [
'capability chown,',
'capability sys_admin,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw())
self.assertEqual(expected_clean, ruleset.get_clean())
def test_ruleset_1(self):
ruleset = CapabilityRuleset()
rules = [
'capability sys_admin,',
'capability chown,',
]
expected_raw = [
'capability sys_admin,',
'capability chown,',
'',
]
expected_clean = [
'capability chown,',
'capability sys_admin,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw())
self.assertEqual(expected_clean, ruleset.get_clean())
def test_ruleset_is_covered_1(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chown,')))
def test_ruleset_is_covered_24(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
def test_ruleset_is_covered_24(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
def test_ruleset_is_covered_18(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('audit capability kill,')))
def test_ruleset_is_covered_22(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
def test_ruleset_is_covered_10(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin,')))
def test_ruleset_is_covered_22(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
def _is_equal(self, obj, rule_to_test, strict):
self.assertTrue(CapabilityRule.match(rule_to_test))
return obj.is_equal(CapabilityRule.parse(rule_to_test), strict)
def test_ruleset_is_covered_17(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability setgid,')))
def _is_covered_exact(self, obj, rule_to_test):
self.assertTrue(CapabilityRule.match(rule_to_test))
return obj.is_covered(CapabilityRule.parse(rule_to_test), True, True)
def test_ruleset_is_covered_18(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('audit capability kill,')))
def test_ruleset_is_covered_19(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('deny capability chgrp,')))
def test_ruleset_is_covered_3(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability sys_admin,')))
def test_ruleset_is_covered_16(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin chown,')))
def test_ruleset_is_covered_6(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setgid setuid,')))
def test_ruleset_is_covered_23(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
def test_ruleset_is_covered_13(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability kill,')))
def test_ruleset_is_covered_16(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin chown,')))
def test_ruleset_is_covered_17(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability setgid,')))
def test_ruleset_is_covered_13(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability kill,')))
def test_ruleset_is_covered_19(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('deny capability chgrp,')))
def test_ruleset_is_covered_10(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin,')))
def test_ruleset_is_covered_23(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
def test_ruleset_is_covered_6(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setgid setuid,')))
def test_ruleset_is_covered_1(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chown,')))
def test_ruleset_is_covered_3(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability sys_admin,')))
def _is_equal(self, obj, rule_to_test, strict):
self.assertTrue(CapabilityRule.match(rule_to_test))
return obj.is_equal(CapabilityRule.parse(rule_to_test), strict)
def _is_covered_exact(self, obj, rule_to_test):
self.assertTrue(CapabilityRule.match(rule_to_test))
return obj.is_covered(CapabilityRule.parse(rule_to_test), True, True)
