def _run_test(self, params, expected):
    """Build a profile with several includes and check propose_file_rules() on one rule.

    ``params[0]`` and ``params[1]`` become the first two FileRule arguments;
    ``expected`` is the exact proposal list the helper must return.
    """
    self.createTmpdir()

    # Work on a private copy of the shipped profiles so nothing in the source
    # tree is read through mutated state or modified by the test.  Symlinks
    # are reproduced as links rather than followed.
    self.profile_dir = '{}/profiles'.format(self.tmpdir)
    shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)

    # point the aa module at the copy and preload the abstraction the profile includes
    apparmor.aa.profile_dir = self.profile_dir
    apparmor.aa.load_include(os.path.join(self.profile_dir, 'abstractions/base'))

    # three ad-hoc include files; the globs of the last two overlap, so a
    # proposal can be covered by more than one include
    extra_includes = []
    for name, content in (
        ('test-abs1', '/some/random/include rw,'),
        ('test-abs2', '/some/other/* rw,'),
        ('test-abs3', '/some/other/inc* rw,'),
    ):
        inc_path = write_file(self.tmpdir, name, content)
        apparmor.aa.load_include(inc_path)
        extra_includes.append(inc_path)

    profile = apparmor.aa.ProfileStorage('/test', '/test', 'test-aa.py')
    profile['inc_ie'].add(IncludeRule.parse('include <abstractions/base>'))
    for inc_path in extra_includes:
        profile['inc_ie'].add(IncludeRule.parse('include "%s"' % inc_path))

    rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True)
    self.assertEqual(propose_file_rules(profile, rule_obj), expected)
def test_check_for_apparmor_securityfs_mounted(self):
    """securityfs present in both fixture files -> the apparmor securityfs path is found."""
    filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
    # the mounts fixture is templated with the tmpdir as the securityfs mount point
    mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)

    expected = '{}/security/apparmor'.format(self.tmpdir)
    self.assertEqual(expected, check_for_apparmor(filesystems, mounts))
def AASetup(self):
    """Copy the shipped profiles into the test tmpdir and add a minimal 'baz' profile."""
    self.createTmpdir()

    # private copy so the tests never modify the checked-in profiles;
    # symlinks are copied as links, not dereferenced
    self.profile_dir = '{}/profiles'.format(self.tmpdir)
    shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)

    write_file(self.profile_dir, 'baz', '/baz r,')
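def test_redefine_home(self):
    """Redefining @{HOME} with '=' in a home.d drop-in must be rejected.

    Only '+=' (extending) is allowed for the variable in a drop-in; a plain
    assignment must make get_all_merged_variables() raise AppArmorException.
    """
    # note: '=', not '+=' - this overwrites instead of extending
    write_file(self.profile_dir, 'tunables/home.d/overwrite_home', '@{HOME} = /my/castle/')
    self._load_profiles()

    prof_filename = os.path.join(self.profile_dir, 'usr.sbin.dnsmasq')
    # Resolve the include list outside the assertRaises block so that an
    # exception raised while resolving includes cannot be mistaken for the
    # expected rejection of the redefined variable.
    includes = apparmor.aa.include_list_recursive(
        apparmor.aa.active_profiles.files[prof_filename])

    with self.assertRaises(AppArmorException):
        apparmor.aa.active_profiles.get_all_merged_variables(prof_filename, includes)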
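def test_add_to_nonexisting(self):
    """Using '+=' on a variable that was never defined must be rejected.

    A home.d drop-in extending @{NO_SUCH_HOME} must make
    get_all_merged_variables() raise AppArmorException.
    """
    write_file(
        self.profile_dir, 'tunables/home.d/no_such_var',
        '@{NO_SUCH_HOME} += /my/castle/')  # add to non-existing variable
    self._load_profiles()

    prof_filename = os.path.join(self.profile_dir, 'usr.sbin.dnsmasq')
    # Resolve the include list outside the assertRaises block so that an
    # exception raised while resolving includes cannot be mistaken for the
    # expected rejection of the undefined variable.
    includes = apparmor.aa.include_list_recursive(
        apparmor.aa.active_profiles.files[prof_filename])

    with self.assertRaises(AppArmorException):
        apparmor.aa.active_profiles.get_all_merged_variables(prof_filename, includes)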
def test_extended_home(self):
    """A home.d drop-in using '+=' extends @{HOME}; other variables keep their values."""
    write_file(self.profile_dir, 'tunables/home.d/extend_home', '@{HOME} += /my/castle/')
    self._load_profiles()

    prof_filename = os.path.join(self.profile_dir, 'usr.sbin.dnsmasq')
    profile_entry = apparmor.aa.active_profiles.files[prof_filename]
    merged = apparmor.aa.active_profiles.get_all_merged_variables(
        prof_filename, apparmor.aa.include_list_recursive(profile_entry))

    # a variable the drop-in does not touch keeps its defined value
    self.assertEqual(merged['@{TFTP_DIR}'], {'/var/tftp', '/srv/tftp', '/srv/tftpboot'})
    # the drop-in value is added to, not replacing, the existing @{HOME} entries
    self.assertEqual(merged['@{HOME}'], {'@{HOMEDIRS}/*/', '/root/', '/my/castle/'})
def test_extend_home_in_mainfile(self):
    """'+=' in a drop-in and in the profile file itself both extend @{HOME}."""
    write_file(self.profile_dir, 'tunables/home.d/extend_home', '@{HOME} += /my/castle/')
    write_file(self.profile_dir, 'dummy_profile',
               'include <tunables/global>\n@{HOME} += /in/the/profile/')
    self._load_profiles()

    prof_filename = os.path.join(self.profile_dir, 'dummy_profile')
    profile_entry = apparmor.aa.active_profiles.files[prof_filename]
    merged = apparmor.aa.active_profiles.get_all_merged_variables(
        prof_filename, apparmor.aa.include_list_recursive(profile_entry))

    # the dummy profile does not pull in the tftp variable at all
    self.assertIsNone(merged.get('@{TFTP_DIR}'))
    self.assertEqual(
        merged['@{HOME}'],
        {'@{HOMEDIRS}/*/', '/root/', '/my/castle/', '/in/the/profile/'})
def _test_set_flags(self, profile, old_flags, new_flags, whitespace='', comment='',
                    more_rules='', expected_more_rules='@-@-@', expected_flags='@-@-@',
                    check_new_flags=True, profile_name='/foo'):
    """Write a single-profile file, run set_profile_flags() on it and compare the result.

    The sentinel '@-@-@' for expected_flags / expected_more_rules means
    "same as new_flags / more_rules".  With check_new_flags=False only the
    call is exercised (e.g. when it is expected to raise) and the rewritten
    file is not compared.
    """
    sentinel = '@-@-@'

    # header parts get a leading blank only when present
    old_flags_part = ' %s' % old_flags if old_flags else old_flags
    comment_part = ' %s' % comment if comment else comment

    if expected_flags == sentinel:
        expected_flags = new_flags
    new_flags_part = ' flags=(%s)' % expected_flags if expected_flags else ''

    if expected_more_rules == sentinel:
        expected_more_rules = more_rules

    body = ' #include <abstractions/base>\n capability chown,\n /bar r,'

    def render(flags_part, rules):
        # '<ws><profile><flags> {<comment>\n<rules>\n<body>\n}\n'
        return '%s%s%s {%s\n%s\n%s\n}\n' % (
            whitespace, profile, flags_part, comment_part, rules, body)

    self.file = write_file(self.tmpdir, 'profile', render(old_flags_part, more_rules))
    set_profile_flags(self.file, profile_name, new_flags)

    if check_new_flags:
        self.assertEqual(render(new_flags_part, expected_more_rules), read_file(self.file))
def _test_change_profile_flags(self, profile, old_flags, flags_to_change, set_flag,
                               expected_flags, whitespace='', comment='', more_rules='',
                               expected_more_rules='@-@-@', check_new_flags=True,
                               profile_name='/foo'):
    """Write a single-profile file, run change_profile_flags() on it and compare the result.

    ``flags_to_change`` are added (set_flag truthy) or removed; ``expected_flags``
    is the full flag list expected afterwards.  The sentinel '@-@-@' for
    expected_more_rules means "same as more_rules".  With check_new_flags=False
    only the call is exercised and the rewritten file is not compared.
    """
    sentinel = '@-@-@'

    # header parts get a leading blank only when present
    old_flags_part = ' %s' % old_flags if old_flags else old_flags
    comment_part = ' %s' % comment if comment else comment
    new_flags_part = ' flags=(%s)' % expected_flags if expected_flags else ''

    if expected_more_rules == sentinel:
        expected_more_rules = more_rules

    body = ' #include <abstractions/base>\n capability chown,\n /bar r,'

    def render(flags_part, rules):
        # '<ws><profile><flags> {<comment>\n<rules>\n<body>\n}\n'
        return '%s%s%s {%s\n%s\n%s\n}\n' % (
            whitespace, profile, flags_part, comment_part, rules, body)

    self.file = write_file(self.tmpdir, 'profile', render(old_flags_part, more_rules))
    change_profile_flags(self.file, profile_name, flags_to_change, set_flag)

    if check_new_flags:
        self.assertEqual(render(new_flags_part, expected_more_rules), read_file(self.file))
def test_set_flags_no_profile_found(self):
    """A file holding only a commented-out profile must raise AppArmorBug and stay untouched."""
    orig_prof = '# /comment flags=(complain) {\n# }'
    self.file = write_file(self.tmpdir, 'profile', orig_prof)

    with self.assertRaises(AppArmorBug):
        set_profile_flags(self.file, None, 'audit')

    # the failed call must not have rewritten the file
    self.assertEqual(orig_prof, read_file(self.file))
def test_change_profile_flags_no_profile_found(self):
    """A file holding only a commented-out profile must raise AppArmorException and stay untouched."""
    orig_prof = '# /comment flags=(complain) {\n# }'
    self.file = write_file(self.tmpdir, 'profile', orig_prof)

    with self.assertRaises(AppArmorException):
        change_profile_flags(self.file, None, 'audit', True)

    # the failed call must not have rewritten the file
    after = read_file(self.file)
    self.assertEqual(orig_prof, after)
def test_set_flags_other_profile(self):
    """Asking for /foo in a file that only defines another profile raises and leaves the file alone."""
    orig_prof = '/no-such-profile flags=(complain) {\n}'
    self.file = write_file(self.tmpdir, 'profile', orig_prof)

    with self.assertRaises(AppArmorBug):
        set_profile_flags(self.file, '/foo', 'audit')

    # the unrelated profile in the file must not have been modified
    self.assertEqual(orig_prof, read_file(self.file))
def test_change_profile_flags_other_profile(self):
    """Asking for /foo in a file that only defines another profile raises and leaves the file alone."""
    orig_prof = '/no-such-profile flags=(complain) {\n}'
    self.file = write_file(self.tmpdir, 'profile', orig_prof)

    with self.assertRaises(AppArmorException):
        change_profile_flags(self.file, '/foo', 'audit', True)

    # the unrelated profile in the file must not have been modified
    after = read_file(self.file)
    self.assertEqual(orig_prof, after)
def AASetup(self):
    """Copy the shipped profiles to the tmpdir and create include-directory fixtures.

    abstractions/inc.d gets two include files plus a README and a subdirectory
    (both of which get skipped by the include-directory handling); abstractions/empty.d
    is created empty.
    """
    self.createTmpdir()

    # private copy so the tests never modify the checked-in profiles;
    # symlinks are copied as links, not dereferenced
    self.profile_dir = '{}/profiles'.format(self.tmpdir)
    shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)

    abstractions = os.path.join(self.profile_dir, 'abstractions')

    inc_dir = os.path.join(abstractions, 'inc.d')
    os.mkdir(inc_dir, 0o755)
    for name, content in (
        ('incfoo', '/incfoo r,'),
        ('incbar', '/incbar r,'),
        ('README', '# README'),  # gets skipped
    ):
        write_file(inc_dir, name, content)
    os.mkdir(os.path.join(inc_dir, 'subdir'), 0o755)  # gets skipped

    os.mkdir(os.path.join(abstractions, 'empty.d'), 0o755)
def _test_get_flags(self, profile_header, expected_flags):
    """Write a file with the given profile header and check get_profile_flags() for /foo."""
    # the header is wrapped into an otherwise empty profile block
    prof_file = write_file(self.tmpdir, 'profile', '%s {\n}\n' % profile_header)
    self.assertEqual(get_profile_flags(prof_file, '/foo'), expected_flags)
def test_check_for_apparmor_invalid_securityfs_path(self):
    """A securityfs mount point that does not exist on disk must yield None."""
    filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
    # 'xxx' is templated in as the mount point; no such directory exists
    mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % 'xxx')

    self.assertIsNone(check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_securityfs_invalid_mounts(self):
    """An empty mounts path must yield None even when securityfs is a known filesystem."""
    filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
    # deliberately not a real file
    mounts = ''

    self.assertIsNone(check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_securityfs_invalid_filesystems(self):
    """An empty filesystems path must yield None even when securityfs is mounted."""
    # deliberately not a real file
    filesystems = ''
    mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)

    self.assertIsNone(check_for_apparmor(filesystems, mounts))
def test_check_for_apparmor_None_3(self):
    """securityfs known to the kernel but not mounted must yield None."""
    filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
    mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITHOUT_SECURITYFS)

    self.assertIsNone(check_for_apparmor(filesystems, mounts))