def _check_invalid_rawrule(self, rawrule):
obj = None
with self.assertRaises(AppArmorException):
obj = CapabilityRule.parse(rawrule)
self.assertFalse(CapabilityRule.match(rawrule))
self.assertIsNone(obj, 'CapbilityRule handed back an object unexpectedly')
def test_delete_with_multi_2(self):
self.ruleset.add(CapabilityRule(['audit_read', 'audit_write']))
with self.assertRaises(AppArmorBug):
# XXX ideally delete_raw should remove audit_read from the "capability audit_read audit_write," ruleset
# but that's quite some work to cover a corner case.
self.ruleset.delete(CapabilityRule('audit_read'))
def test_write_manually(self):
obj = CapabilityRule(['ptrace', 'audit_write'], allow_keyword=True)
expected = ' allow capability audit_write ptrace,'
self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule')
self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
def test_delete_duplicates_3(self):
self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))
inc = CapabilityRuleset()
rules = [
'capability dac_override,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
' audit capability dac_override,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' audit capability dac_override,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_write_manually(self):
obj = CapabilityRule(['ptrace', 'audit_write'], allow_keyword=True)
expected = ' allow capability audit_write ptrace,'
self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule')
self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
def test_delete_duplicates_3(self):
self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))
inc = CapabilityRuleset()
rules = [
'capability dac_override,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
' audit capability dac_override,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' audit capability dac_override,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def _check_invalid_rawrule(self, rawrule):
obj = None
with self.assertRaises(AppArmorException):
obj = CapabilityRule(CapabilityRule.parse(rawrule))
self.assertFalse(CapabilityRule.match(rawrule))
self.assertIsNone(obj, 'CapbilityRule handed back an object unexpectedly')
def _check_write_rule(self, rawrule, cleanrule):
obj = CapabilityRule.parse(rawrule)
clean = obj.get_clean()
raw = obj.get_raw()
self.assertTrue(CapabilityRule.match(rawrule))
self.assertEqual(cleanrule.strip(), clean, 'unexpected clean rule')
self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
def _check_write_rule(self, rawrule, cleanrule):
obj = CapabilityRule.parse(rawrule)
clean = obj.get_clean()
raw = obj.get_raw()
self.assertTrue(CapabilityRule.match(rawrule))
self.assertEqual(cleanrule.strip(), clean, 'unexpected clean rule')
self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
def _compare_obj_with_rawrule(self, rawrule, expected):
obj = CapabilityRule.parse(rawrule)
self.assertTrue(CapabilityRule.match(rawrule))
self.assertEqual(rawrule.strip(), obj.raw_rule)
self._compare_obj(obj, expected)
def test_borked_obj_is_covered(self):
obj = CapabilityRule.parse('capability sys_admin,')
testobj = CapabilityRule('chown')
testobj.capability.clear()
with self.assertRaises(AppArmorBug):
obj.is_covered(testobj)
def _compare_obj_with_rawrule(self, rawrule, expected):
obj = CapabilityRule.parse(rawrule)
self.assertTrue(CapabilityRule.match(rawrule))
self.assertEqual(rawrule.strip(), obj.raw_rule)
self._compare_obj(obj, expected)
def test_empty_init(self):
# add to internal set instead of using .set_* (which overwrites the internal set) to make sure obj and obj2 use separate storage
obj = CapabilityRule('fsetid')
obj2 = CapabilityRule('fsetid')
obj.capability.add('sys_admin')
obj2.capability.add('ptrace')
self.assertTrue(self._is_covered(obj, 'capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'capability ptrace,'))
self.assertFalse(self._is_covered(obj2, 'capability sys_admin,'))
self.assertTrue(self._is_covered(obj2, 'capability ptrace,'))
def test_ruleset_2(self):
ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_invalid_is_equal(self):
obj = CapabilityRule.parse('capability sys_admin,')
testobj = BaseRule() # different type
with self.assertRaises(AppArmorBug):
obj.is_equal(testobj)
def test_delete_duplicates_4(self):
inc = CapabilityRuleset()
rules = [
'capability,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,', # XXX huh? should be deleted!
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_4(self):
inc = CapabilityRuleset()
rules = [
'capability,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,', # XXX huh? should be deleted!
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_ruleset_2(self):
ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_invalid_is_equal(self):
obj = CapabilityRule.parse('capability sys_admin,')
testobj = BaseRule() # different type
with self.assertRaises(AppArmorBug):
obj.is_equal(testobj)
def test_borked_obj_is_covered(self):
obj = CapabilityRule.parse('capability sys_admin,')
testobj = CapabilityRule('chown')
testobj.capability.clear()
with self.assertRaises(AppArmorBug):
obj.is_covered(testobj)
def test_covered_deny_2(self):
obj = CapabilityRule.parse('deny capability sys_admin,')
self.assertTrue(self._is_covered(obj, 'deny capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'audit deny capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'deny capability chown,'))
self.assertFalse(self._is_covered(obj, 'deny capability,'))
def test_covered_deny_2(self):
obj = CapabilityRule.parse('deny capability sys_admin,')
self.assertTrue(self._is_covered(obj, 'deny capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'audit deny capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'capability sys_admin,'))
self.assertFalse(self._is_covered(obj, 'deny capability chown,'))
self.assertFalse(self._is_covered(obj, 'deny capability,'))
def test_covered_check_audit(self):
obj = CapabilityRule.parse('audit capability sys_admin,')
self.assertFalse(self._is_covered_exact(obj, 'capability sys_admin,'))
self.assertTrue(self._is_covered_exact(obj, 'audit capability sys_admin,'))
self.assertFalse(self._is_covered_exact(obj, 'audit capability,'))
self.assertFalse(self._is_covered_exact(obj, 'capability chown,'))
self.assertFalse(self._is_covered_exact(obj, 'capability,'))
def test_covered_check_audit(self):
obj = CapabilityRule.parse('audit capability sys_admin,')
self.assertFalse(self._is_covered_exact(obj, 'capability sys_admin,'))
self.assertTrue(self._is_covered_exact(obj, 'audit capability sys_admin,'))
self.assertFalse(self._is_covered_exact(obj, 'audit capability,'))
self.assertFalse(self._is_covered_exact(obj, 'capability chown,'))
self.assertFalse(self._is_covered_exact(obj, 'capability,'))
def test_covered_all(self):
obj = CapabilityRule.parse('capability,')
self.assertTrue(self._is_covered(obj, 'capability sys_admin,'))
self.assertTrue(self._is_covered(obj, 'capability audit_write,'))
self.assertTrue(self._is_covered(obj, 'capability audit_write sys_admin,'))
self.assertTrue(self._is_covered(obj, 'capability sys_admin audit_write,'))
self.assertTrue(self._is_covered(obj, 'capability,'))
self.assertFalse(self._is_covered(obj, 'audit capability,'))
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def test_covered_all(self):
obj = CapabilityRule.parse('capability,')
self.assertTrue(self._is_covered(obj, 'capability sys_admin,'))
self.assertTrue(self._is_covered(obj, 'capability audit_write,'))
self.assertTrue(self._is_covered(obj, 'capability audit_write sys_admin,'))
self.assertTrue(self._is_covered(obj, 'capability sys_admin audit_write,'))
self.assertTrue(self._is_covered(obj, 'capability,'))
self.assertFalse(self._is_covered(obj, 'audit capability,'))
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def test_cap_from_log(self):
parser = ReadLog('', '', '', '')
event = 'type=AVC msg=audit(1415403814.628:662): apparmor="ALLOWED" operation="capable" profile="/bin/ping" pid=15454 comm="ping" capability=13 capname="net_raw"'
parsed_event = parser.parse_event(event)
self.assertEqual(
parsed_event, {
'request_mask': None,
'denied_mask': None,
'error_code': 0,
'magic_token': 0,
'parent': 0,
'profile': '/bin/ping',
'operation': 'capable',
'resource': None,
'info': None,
'aamode': 'PERMITTING',
'time': 1415403814,
'active_hat': None,
'pid': 15454,
'task': 0,
'attr': None,
'name2': None,
'name': 'net_raw',
'family': None,
'protocol': None,
'sock_type': None,
})
obj = CapabilityRule(parsed_event['name'], log_event=parsed_event)
self._compare_obj(
obj, {
'allow_keyword': False,
'deny': False,
'audit': False,
'capability': {'net_raw'},
'all_caps': False,
'comment': "",
})
self.assertEqual(obj.get_raw(1), ' capability net_raw,')
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
obj = CapabilityRuleset()
for rule in rules:
obj.add(CapabilityRule.parse(rule))
deleted = obj.delete_duplicates(None)
self.assertEqual(expected_raw, obj.get_raw(1))
self.assertEqual(expected_clean, obj.get_clean(1))
self.assertEqual(deleted, expected_deleted)
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
obj = CapabilityRuleset()
for rule in rules:
obj.add(CapabilityRule.parse(rule))
deleted = obj.delete_duplicates(None)
self.assertEqual(expected_raw, obj.get_raw(1))
self.assertEqual(expected_clean, obj.get_clean(1))
self.assertEqual(deleted, expected_deleted)
def test_cap_from_init_02(self):
obj = CapabilityRule(['chown'])
self._compare_obj(obj, {
'allow_keyword': False,
'deny': False,
'audit': False,
'capability': {'chown'},
'all_caps': False,
'comment': "",
})
def test_equal(self):
obj = CapabilityRule.parse('capability sys_admin,')
self.assertTrue(self._is_equal(obj, 'capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', True))
self.assertTrue(self._is_equal(obj, 'capability sys_admin,', False))
self.assertTrue(self._is_equal(obj, 'allow capability sys_admin,', False))
self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', False))
def test_cap_from_init_04(self):
obj = CapabilityRule(['chown', 'fsetid'], deny=True)
self._compare_obj(obj, {
'allow_keyword': False,
'deny': True,
'audit': False,
'capability': {'chown', 'fsetid'},
'all_caps': False,
'comment': "",
})
def test_equal(self):
obj = CapabilityRule.parse('capability sys_admin,')
self.assertTrue(self._is_equal(obj, 'capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True))
self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', True))
self.assertTrue(self._is_equal(obj, 'capability sys_admin,', False))
self.assertTrue(self._is_equal(obj, 'allow capability sys_admin,', False))
self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', False))
def test_delete_with_allcaps(self):
expected_raw = [
' capability chown,',
' deny capability chgrp, # example comment',
' capability,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' capability chown,',
' capability,',
'',
]
self.ruleset.add(CapabilityRule(CapabilityRule.ALL))
self.ruleset.delete(CapabilityRule('sys_admin'))
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_with_multi(self):
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.ruleset.add(CapabilityRule(['audit_read', 'audit_write']))
self.ruleset.delete(CapabilityRule(['audit_read', 'audit_write']))
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_cap_from_log(self):
parser = ReadLog('', '', '', '', '')
event = 'type=AVC msg=audit(1415403814.628:662): apparmor="ALLOWED" operation="capable" profile="/bin/ping" pid=15454 comm="ping" capability=13 capname="net_raw"'
parsed_event = parser.parse_event(event)
self.assertEqual(parsed_event, {
'request_mask': None,
'denied_mask': None,
'error_code': 0,
'magic_token': 0,
'parent': 0,
'profile': '/bin/ping',
'operation': 'capable',
'resource': None,
'info': None,
'aamode': 'PERMITTING',
'time': 1415403814,
'active_hat': None,
'pid': 15454,
'task': 0,
'attr': None,
'name2': None,
'name': 'net_raw'
})
obj = CapabilityRule(parsed_event['name'], log_event=parsed_event)
self._compare_obj(obj, {
'allow_keyword': False,
'deny': False,
'audit': False,
'capability': {'net_raw'},
'all_caps': False,
'comment': "",
})
self.assertEqual(obj.get_raw(1), ' capability net_raw,')
def test_ruleset_add(self):
rule = CapabilityRule('chgrp', comment=' # example comment')
ruleset = CapabilityRuleset()
ruleset.add(rule)
expected_raw = [
' capability chgrp, # example comment',
'',
]
expected_clean = expected_raw
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_ruleset_1(self):
ruleset = CapabilityRuleset()
rules = [
'capability sys_admin,',
'capability chown,',
]
expected_raw = [
'capability sys_admin,',
'capability chown,',
'',
]
expected_clean = [
'capability chown,',
'capability sys_admin,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw())
self.assertEqual(expected_clean, ruleset.get_clean())
def test_ruleset_1(self):
ruleset = CapabilityRuleset()
rules = [
'capability sys_admin,',
'capability chown,',
]
expected_raw = [
'capability sys_admin,',
'capability chown,',
'',
]
expected_clean = [
'capability chown,',
'capability sys_admin,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw())
self.assertEqual(expected_clean, ruleset.get_clean())
def test_ruleset_is_covered_1(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chown,')))
def test_ruleset_is_covered_22(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
def test_ruleset_is_covered_24(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
def test_ruleset_is_covered_17(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability setgid,')))
def test_ruleset_is_covered_22(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
def test_ruleset_is_covered_23(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
def test_ruleset_is_covered_18(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('audit capability kill,')))
def test_ruleset_is_covered_19(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('deny capability chgrp,')))
def test_ruleset_is_covered_18(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('audit capability kill,')))
def _run_test(self, params, expected):
obj = CapabilityRule._parse(params)
self.assertEqual(obj.logprof_header(), expected)
def test_ruleset_is_covered_13(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability kill,')))
def test_ruleset_is_covered_16(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin chown,')))
def test_ruleset_is_covered_6(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setgid setuid,')))
def test_ruleset_is_covered_23(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
def test_ruleset_is_covered_24(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
def test_delete_raw_notfound(self):
with self.assertRaises(AppArmorBug):
self.ruleset.delete(CapabilityRule('audit_write'))
def test_ruleset_is_covered_19(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('deny capability chgrp,')))
def test_ruleset_is_covered_10(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin,')))
def test_ruleset_is_covered_3(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability sys_admin,')))
