def _run_test(self, params, expected):
self.createTmpdir()
#copy the local profiles to the test directory
self.profile_dir = '%s/profiles' % self.tmpdir
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
apparmor.aa.profile_dir = self.profile_dir
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/enchant'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/aspell'))
# add some user_globs ('(N)ew') to simulate a professional aa-logprof user (and to make sure that part of the code also gets tested)
apparmor.aa.user_globs['/usr/share/common*/foo/*'] = AARE('/usr/share/common*/foo/*', True)
apparmor.aa.user_globs['/no/thi*ng'] = AARE('/no/thi*ng', True)
profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/base>'))
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/bash>'))
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/enchant>'))
profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/** w,'))
profile['file'].add(FileRule.parse('/dev/null rwk,'))
profile['file'].add(FileRule.parse('/foo/bar rwix,'))
profile['file'].add(FileRule.parse('/foo/log a,')) # will be replaced with '/foo/log w,' (not 'wa')
rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
proposals = propose_file_rules(profile, rule_obj)
self.assertEqual(proposals, expected)
def validate_edit(self, newpath):
if self.all_paths:
raise AppArmorBug('Attemp to edit bare file rule')
newpath = AARE(
newpath, True
) # might raise AppArmorException if the new path doesn't start with / or a variable
return newpath.match(self.path)
def _run_test(self, params, expected):
regex, path = params
parsed_regex = re.compile(convert_regexp(regex))
self.assertEqual(bool(parsed_regex.search(path)), expected, 'Incorrectly Parsed regex: %s' %regex)
aare_obj = AARE(regex, True)
self.assertEqual(aare_obj.match(path), expected, 'Incorrectly parsed AARE object: %s' % regex)
if not ('*' in path or '{' in path or '}' in path or '?' in path):
self.assertEqual(aare_obj.match(AARE(path, False)), expected, 'Incorrectly parsed AARE object: AARE(%s)' % regex)
def _run_test(self, params, expected):
regex, path = params
parsed_regex = re.compile(convert_regexp(regex))
self.assertEqual(bool(parsed_regex.search(path)), expected,
'Incorrectly Parsed regex: %s' % regex)
aare_obj = AARE(regex, True)
self.assertEqual(aare_obj.match(path), expected,
'Incorrectly parsed AARE object: %s' % regex)
def _aare_or_all(self, rulepart, partname, is_path, log_event):
'''checks rulepart and returns
- (AARE, False) if rulepart is a (non-empty) string
- (None, True) if rulepart is all_obj (typically *Rule.ALL)
- raises AppArmorBug if rulepart is an empty string or has a wrong type
Parameters:
- rulepart: the rule part to check (string or *Rule.ALL object)
- partname: the name of the rulepart (for example 'peer', used for exception messages)
- is_path (passed through to AARE)
- log_event (passed through to AARE)
'''
if rulepart == self.ALL:
return None, True
elif type_is_str(rulepart):
if len(rulepart.strip()) == 0:
raise AppArmorBug(
'Passed empty %(partname)s to %(classname)s: %(rulepart)s'
% {
'partname': partname,
'classname': self.__class__.__name__,
'rulepart': str(rulepart)
})
return AARE(rulepart, is_path=is_path, log_event=log_event), False
else:
raise AppArmorBug(
'Passed unknown %(partname)s to %(classname)s: %(rulepart)s' %
{
'partname': partname,
'classname': self.__class__.__name__,
'rulepart': str(rulepart)
})
def store_edit(self, newpath):
if self.all_paths:
raise AppArmorBug('Attemp to edit bare file rule')
self.path = AARE(
newpath, True
) # might raise AppArmorException if the new path doesn't start with / or a variable
self.raw_rule = None
class TestAAREDeepcopy(AATest):
tests = [
# regex is path? log event expected (dummy value)
(AARE('/foo', False), True),
(AARE('/foo', False, True), True),
(AARE('/foo', True), True),
(AARE('/foo', True, True), True),
]
def _run_test(self, params, expected):
dup = deepcopy(params)
self.assertTrue(params.match('/foo'))
self.assertTrue(dup.match('/foo'))
self.assertEqual(params.regex, dup.regex)
self.assertEqual(params.orig_regex, dup.orig_regex)
self.assertEqual(params.orig_regex, dup.orig_regex)
def _run_test(self, params, expected):
# test for files
oldpath = AARE(params, True)
newpath = oldpath.glob_path_withext()
self.assertEqual(expected, newpath.regex)
# test for directories - should be kept unchanged
oldpath = AARE(params + '/', True)
newpath = oldpath.glob_path_withext()
self.assertEqual(params + '/', newpath.regex) # note that we compare to params, not expected here
def _run_test(self, params, expected):
# test for files
oldpath = AARE(params, True)
newpath = oldpath.glob_path()
self.assertEqual(expected, newpath.regex)
# test for directories
oldpath = AARE(params + '/', True)
newpath = oldpath.glob_path()
self.assertEqual(expected + '/', newpath.regex)
def add(self, filename, profile_name, attachment):
''' Add the given profile and attachment to the list '''
if not filename:
raise AppArmorBug('Empty filename given to ProfileList')
if not profile_name and not attachment:
raise AppArmorBug('Neither profile name or attachment given')
if profile_name in self.profile_names:
raise AppArmorException(_('Profile %(profile_name)s exists in %(filename)s and %(filename2)s' % {'profile_name': profile_name, 'filename': filename, 'filename2': self.profile_names[profile_name]}))
if attachment in self.attachments:
raise AppArmorException(_('Profile for %(profile_name)s exists in %(filename)s and %(filename2)s' % {'profile_name': attachment, 'filename': filename, 'filename2': self.attachments[attachment]}))
if profile_name:
self.profile_names[profile_name] = filename
if attachment:
self.attachments[attachment] = filename
self.attachments_AARE[attachment] = AARE(attachment, True)
def _run_test(self, params, expected):
regex, log_event = params
aare_obj_1 = AARE(regex, True)
aare_obj_2 = AARE(log_event, True, log_event=True)
self.assertEqual(aare_obj_1.match(aare_obj_2), expected)
def test_repr(self):
obj = AARE('/foo', True)
self.assertEqual(str(obj), "AARE('/foo')")
def test_path_missing_slash(self):
with self.assertRaises(AppArmorException):
AARE('foo*', True)
def _run_test(self, params, expected):
regex, is_path, check_for = params
aare_obj = AARE(regex, is_path)
self.assertEqual(expected, aare_obj.match(check_for))
def test_is_equal_invalid_1(self):
aare_obj = AARE('/foo/**', True)
with self.assertRaises(AppArmorBug):
aare_obj.is_equal(42)
def _run_test(self, params, expected):
regex, is_path, check_for = params
aare_obj_1 = AARE(regex, is_path)
aare_obj_2 = AARE(check_for, is_path)
self.assertEqual(expected, aare_obj_1.is_equal(check_for))
self.assertEqual(expected, aare_obj_1.is_equal(aare_obj_2))
def test_match_invalid_1(self):
aare_obj = AARE('@{foo}/[a-d]**', True)
with self.assertRaises(AppArmorBug):
aare_obj.match(set())
def test_match_against_AARE_2(self):
aare_obj_1 = AARE('@{foo}/[a-d]**', True)
aare_obj_2 = AARE('@{foo}/*[a-d]*', True)
self.assertFalse(aare_obj_1.match(aare_obj_2))
self.assertFalse(aare_obj_1.is_equal(aare_obj_2))
def test_multi_usage(self):
aare_obj = AARE('/foo/*', True)
self.assertTrue(aare_obj.match('/foo/bar'))
self.assertFalse(aare_obj.match('/foo/bar/'))
self.assertTrue(aare_obj.match('/foo/asdf'))
