def test_write_manually(self):
obj = IncludeRule('abs/foo', False, True, comment=' # cmt')
expected = ' include <abs/foo> # cmt'
self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule')
self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
def _run_test(self, params, expected):
self.createTmpdir()
#copy the local profiles to the test directory
self.profile_dir = '%s/profiles' % self.tmpdir
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
apparmor.aa.profile_dir = self.profile_dir
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
abs_include1 = write_file(self.tmpdir, 'test-abs1', "/some/random/include rw,")
apparmor.aa.load_include(abs_include1)
abs_include2 = write_file(self.tmpdir, 'test-abs2', "/some/other/* rw,")
apparmor.aa.load_include(abs_include2)
abs_include3 = write_file(self.tmpdir, 'test-abs3', "/some/other/inc* rw,")
apparmor.aa.load_include(abs_include3)
profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/base>'))
profile['inc_ie'].add(IncludeRule.parse('include "%s"' % abs_include1))
profile['inc_ie'].add(IncludeRule.parse('include "%s"' % abs_include2))
profile['inc_ie'].add(IncludeRule.parse('include "%s"' % abs_include3))
rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
proposals = propose_file_rules(profile, rule_obj)
self.assertEqual(proposals, expected)
def _run_test(self, params, expected):
self.createTmpdir()
#copy the local profiles to the test directory
self.profile_dir = '%s/profiles' % self.tmpdir
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
apparmor.aa.profile_dir = self.profile_dir
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/enchant'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/aspell'))
# add some user_globs ('(N)ew') to simulate a professional aa-logprof user (and to make sure that part of the code also gets tested)
apparmor.aa.user_globs['/usr/share/common*/foo/*'] = AARE('/usr/share/common*/foo/*', True)
apparmor.aa.user_globs['/no/thi*ng'] = AARE('/no/thi*ng', True)
profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/base>'))
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/bash>'))
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/enchant>'))
profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/** w,'))
profile['file'].add(FileRule.parse('/dev/null rwk,'))
profile['file'].add(FileRule.parse('/foo/bar rwix,'))
profile['file'].add(FileRule.parse('/foo/log a,')) # will be replaced with '/foo/log w,' (not 'wa')
rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
proposals = propose_file_rules(profile, rule_obj)
self.assertEqual(proposals, expected)
def _run_test(self, params, expected):
self.createTmpdir()
#copy the local profiles to the test directory
self.profile_dir = '%s/profiles' % self.tmpdir
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
# load the abstractions we need in the test
apparmor.aa.profile_dir = self.profile_dir
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/bash'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/enchant'))
apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/aspell'))
profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/base>'))
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/bash>'))
profile['inc_ie'].add(IncludeRule.parse('include <abstractions/enchant>'))
profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/** w,'))
profile['file'].add(FileRule.parse('owner /usr/share/common-licenses/what/ever a,')) # covered by the above 'w' rule, so 'a' should be ignored
profile['file'].add(FileRule.parse('/dev/null rwk,'))
profile['file'].add(FileRule.parse('/foo/bar rwix,'))
perms = get_file_perms(profile, params, False, False) # only testing with audit and deny = False
self.assertEqual(perms, expected)
def _run_test(self, rawrule, expected):
self.assertTrue(IncludeRule.match(rawrule))
obj = IncludeRule.parse(rawrule)
clean = obj.get_clean()
raw = obj.get_raw()
self.assertEqual(expected.strip(), clean, 'unexpected clean rule')
self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
def _check_invalid_rawrule(self, rawrule, matches_regex=False):
obj = None
self.assertEqual(IncludeRule.match(rawrule), matches_regex)
with self.assertRaises(AppArmorException):
obj = IncludeRule.parse(rawrule)
self.assertIsNone(obj,
'IncludeRule handed back an object unexpectedly')
def testAdd_inc_ie_2(self):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo',
IncludeRule('tunables/global', False, True))
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo',
IncludeRule('tunables/dovecot', False, True))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(
self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', 'include <tunables/dovecot>', ''])
self.assertEqual(
self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', 'include <tunables/dovecot>', ''])
class IncludeFromInit(IncludeTest):
tests = [
# IncludeRule object ifexists ismagic comment path ifexists ismagic
(IncludeRule('abstractions/base', False,
False), exp('', 'abstractions/base', False, False)),
(IncludeRule('foo', True, False), exp('', 'foo', True, False)),
(IncludeRule('bar', False, True), exp('', 'bar', False, True)),
(IncludeRule('baz', True, True), exp('', 'baz', True, True)),
(IncludeRule('comment', False, False,
comment='# cmt'), exp('# cmt', 'comment', False, False)),
]
def _run_test(self, obj, expected):
self._compare_obj(obj, expected)
def test_ruleset_1(self):
ruleset = IncludeRuleset()
rules = [
' include <foo> ',
' #include "/bar" ',
]
expected_raw = [
'include <foo>',
'#include "/bar"',
'',
]
expected_clean = [
'include "/bar"',
'include <foo>',
'',
]
expected_clean_unsorted = [
'include <foo>',
'include "/bar"',
'',
]
expected_fullpaths = [os.path.join(self.profile_dir, 'foo'), '/bar']
for rule in rules:
ruleset.add(IncludeRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw())
self.assertEqual(expected_clean, ruleset.get_clean())
self.assertEqual(expected_clean_unsorted, ruleset.get_clean_unsorted())
self.assertEqual(expected_fullpaths,
ruleset.get_all_full_paths(self.profile_dir))
def _run_test(self, params, expected):
exp2 = []
for path in expected:
exp2.append(path.replace('@@', self.profile_dir))
obj = IncludeRule._parse(params)
self.assertEqual(obj.get_full_paths(self.profile_dir), exp2)
def _run_test(self, param, expected):
obj = IncludeRule.parse(self.rule)
check_obj = IncludeRule.parse(param)
self.assertTrue(IncludeRule.match(param))
self.assertEqual(obj.is_equal(check_obj), expected[0],
'Mismatch in is_equal, expected %s' % expected[0])
self.assertEqual(
obj.is_equal(check_obj, True), expected[1],
'Mismatch in is_equal/strict, expected %s' % expected[1])
self.assertEqual(obj.is_covered(check_obj), expected[2],
'Mismatch in is_covered, expected %s' % expected[2])
self.assertEqual(
obj.is_covered(check_obj, True, True), expected[3],
'Mismatch in is_covered/exact, expected %s' % expected[3])
def test_dedup_inc_ie_1(self):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo',
IncludeRule.parse('include <tunables/global>'))
self.pl.add_inc_ie(
'/etc/apparmor.d/bin.foo',
IncludeRule.parse(
'#include if exists <tunables/global> # comment'))
self.pl.add_inc_ie(
'/etc/apparmor.d/bin.foo',
IncludeRule.parse(' #include <tunables/global> '))
deleted = self.pl.delete_preamble_duplicates('/etc/apparmor.d/bin.foo')
self.assertEqual(deleted, 2)
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', ''])
def test_missing_params_3(self):
with self.assertRaises(TypeError):
IncludeRule('foo', False)
def _run_test(self, params, expected):
obj = IncludeRule._parse(params)
self.assertEqual(obj.logprof_header(), expected)
def _run_test(self, rawrule, expected):
self.assertTrue(IncludeRule.match(rawrule))
obj = IncludeRule.parse(rawrule)
self.assertEqual(rawrule.strip(), obj.raw_rule)
self._compare_obj(obj, expected)
def _run_test(self, rawrule, expected):
self.assertTrue(IncludeRule.match(
rawrule)) # the above invalid rules still match the main regex!
with self.assertRaises(expected):
IncludeRule.parse(rawrule)
def _run_test(self, params, expected):
with self.assertRaises(expected):
IncludeRule(params[0], params[1], params[2])
def test_deny_true(self):
with self.assertRaises(AppArmorBug):
IncludeRule('foo', False, False, deny=True)
def test_audit_true(self):
with self.assertRaises(AppArmorBug):
IncludeRule('foo', False, False, audit=True)
def test_missing_params_1(self):
with self.assertRaises(TypeError):
IncludeRule()