def _run_test(self, params, expected): self.createTmpdir() #copy the local profiles to the test directory self.profile_dir = '%s/profiles' % self.tmpdir shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True) # load the abstractions we need in the test apparmor.aa.profile_dir = self.profile_dir apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base')) apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash')) apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/enchant')) apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/aspell')) # add some user_globs ('(N)ew') to simulate a professional aa-logprof user (and to make sure that part of the code also gets tested) apparmor.aa.user_globs['/usr/share/common*/foo/*'] = AARE('/usr/share/common*/foo/*', True) apparmor.aa.user_globs['/no/thi*ng'] = AARE('/no/thi*ng', True) profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py') profile['inc_ie'].add(IncludeRule.parse('include <abstractions/base>')) profile['inc_ie'].add(IncludeRule.parse('include <abstractions/bash>')) profile['inc_ie'].add(IncludeRule.parse('include <abstractions/enchant>')) profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/** w,')) profile['file'].add(FileRule.parse('/dev/null rwk,')) profile['file'].add(FileRule.parse('/foo/bar rwix,')) profile['file'].add(FileRule.parse('/foo/log a,')) # will be replaced with '/foo/log w,' (not 'wa') rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True) proposals = propose_file_rules(profile, rule_obj) self.assertEqual(proposals, expected)
def validate_edit(self, newpath): if self.all_paths: raise AppArmorBug('Attemp to edit bare file rule') newpath = AARE( newpath, True ) # might raise AppArmorException if the new path doesn't start with / or a variable return newpath.match(self.path)
def _run_test(self, params, expected): regex, path = params parsed_regex = re.compile(convert_regexp(regex)) self.assertEqual(bool(parsed_regex.search(path)), expected, 'Incorrectly Parsed regex: %s' %regex) aare_obj = AARE(regex, True) self.assertEqual(aare_obj.match(path), expected, 'Incorrectly parsed AARE object: %s' % regex) if not ('*' in path or '{' in path or '}' in path or '?' in path): self.assertEqual(aare_obj.match(AARE(path, False)), expected, 'Incorrectly parsed AARE object: AARE(%s)' % regex)
def _run_test(self, params, expected): regex, path = params parsed_regex = re.compile(convert_regexp(regex)) self.assertEqual(bool(parsed_regex.search(path)), expected, 'Incorrectly Parsed regex: %s' % regex) aare_obj = AARE(regex, True) self.assertEqual(aare_obj.match(path), expected, 'Incorrectly parsed AARE object: %s' % regex)
def _aare_or_all(self, rulepart, partname, is_path, log_event): '''checks rulepart and returns - (AARE, False) if rulepart is a (non-empty) string - (None, True) if rulepart is all_obj (typically *Rule.ALL) - raises AppArmorBug if rulepart is an empty string or has a wrong type Parameters: - rulepart: the rule part to check (string or *Rule.ALL object) - partname: the name of the rulepart (for example 'peer', used for exception messages) - is_path (passed through to AARE) - log_event (passed through to AARE) ''' if rulepart == self.ALL: return None, True elif type_is_str(rulepart): if len(rulepart.strip()) == 0: raise AppArmorBug( 'Passed empty %(partname)s to %(classname)s: %(rulepart)s' % { 'partname': partname, 'classname': self.__class__.__name__, 'rulepart': str(rulepart) }) return AARE(rulepart, is_path=is_path, log_event=log_event), False else: raise AppArmorBug( 'Passed unknown %(partname)s to %(classname)s: %(rulepart)s' % { 'partname': partname, 'classname': self.__class__.__name__, 'rulepart': str(rulepart) })
def store_edit(self, newpath): if self.all_paths: raise AppArmorBug('Attemp to edit bare file rule') self.path = AARE( newpath, True ) # might raise AppArmorException if the new path doesn't start with / or a variable self.raw_rule = None
class TestAAREDeepcopy(AATest): tests = [ # regex is path? log event expected (dummy value) (AARE('/foo', False), True), (AARE('/foo', False, True), True), (AARE('/foo', True), True), (AARE('/foo', True, True), True), ] def _run_test(self, params, expected): dup = deepcopy(params) self.assertTrue(params.match('/foo')) self.assertTrue(dup.match('/foo')) self.assertEqual(params.regex, dup.regex) self.assertEqual(params.orig_regex, dup.orig_regex) self.assertEqual(params.orig_regex, dup.orig_regex)
def _run_test(self, params, expected): # test for files oldpath = AARE(params, True) newpath = oldpath.glob_path_withext() self.assertEqual(expected, newpath.regex) # test for directories - should be kept unchanged oldpath = AARE(params + '/', True) newpath = oldpath.glob_path_withext() self.assertEqual(params + '/', newpath.regex) # note that we compare to params, not expected here
def _run_test(self, params, expected): # test for files oldpath = AARE(params, True) newpath = oldpath.glob_path() self.assertEqual(expected, newpath.regex) # test for directories oldpath = AARE(params + '/', True) newpath = oldpath.glob_path() self.assertEqual(expected + '/', newpath.regex)
def add(self, filename, profile_name, attachment): ''' Add the given profile and attachment to the list ''' if not filename: raise AppArmorBug('Empty filename given to ProfileList') if not profile_name and not attachment: raise AppArmorBug('Neither profile name or attachment given') if profile_name in self.profile_names: raise AppArmorException(_('Profile %(profile_name)s exists in %(filename)s and %(filename2)s' % {'profile_name': profile_name, 'filename': filename, 'filename2': self.profile_names[profile_name]})) if attachment in self.attachments: raise AppArmorException(_('Profile for %(profile_name)s exists in %(filename)s and %(filename2)s' % {'profile_name': attachment, 'filename': filename, 'filename2': self.attachments[attachment]})) if profile_name: self.profile_names[profile_name] = filename if attachment: self.attachments[attachment] = filename self.attachments_AARE[attachment] = AARE(attachment, True)
def _run_test(self, params, expected): regex, log_event = params aare_obj_1 = AARE(regex, True) aare_obj_2 = AARE(log_event, True, log_event=True) self.assertEqual(aare_obj_1.match(aare_obj_2), expected)
def test_repr(self): obj = AARE('/foo', True) self.assertEqual(str(obj), "AARE('/foo')")
def test_path_missing_slash(self): with self.assertRaises(AppArmorException): AARE('foo*', True)
def _run_test(self, params, expected): regex, is_path, check_for = params aare_obj = AARE(regex, is_path) self.assertEqual(expected, aare_obj.match(check_for))
def test_is_equal_invalid_1(self): aare_obj = AARE('/foo/**', True) with self.assertRaises(AppArmorBug): aare_obj.is_equal(42)
def _run_test(self, params, expected): regex, is_path, check_for = params aare_obj_1 = AARE(regex, is_path) aare_obj_2 = AARE(check_for, is_path) self.assertEqual(expected, aare_obj_1.is_equal(check_for)) self.assertEqual(expected, aare_obj_1.is_equal(aare_obj_2))
def test_match_invalid_1(self): aare_obj = AARE('@{foo}/[a-d]**', True) with self.assertRaises(AppArmorBug): aare_obj.match(set())
def test_match_against_AARE_2(self): aare_obj_1 = AARE('@{foo}/[a-d]**', True) aare_obj_2 = AARE('@{foo}/*[a-d]*', True) self.assertFalse(aare_obj_1.match(aare_obj_2)) self.assertFalse(aare_obj_1.is_equal(aare_obj_2))
def test_multi_usage(self): aare_obj = AARE('/foo/*', True) self.assertTrue(aare_obj.match('/foo/bar')) self.assertFalse(aare_obj.match('/foo/bar/')) self.assertTrue(aare_obj.match('/foo/asdf'))