def test_delete_duplicates_3(self): self.ruleset.add(CapabilityRule.parse('audit capability dac_override,')) inc = CapabilityRuleset() rules = [ 'capability dac_override,', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', ' audit capability dac_override,', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' audit capability dac_override,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_4(self): inc = CapabilityRuleset() rules = [ 'capability,', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' allow capability sys_admin,', # XXX huh? should be deleted! ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', # XXX huh? should be deleted! '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 1) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_ruleset_2(self): ruleset = CapabilityRuleset() rules = [ 'capability chown,', 'allow capability sys_admin,', 'deny capability chgrp, # example comment', ] expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] for rule in rules: ruleset.add(CapabilityRule.parse(rule)) self.assertEqual(expected_raw, ruleset.get_raw(1)) self.assertEqual(expected_clean, ruleset.get_clean(1))
class CapabilityGlobTest(AATest): def AASetup(self): self.ruleset = CapabilityRuleset() def test_glob(self): self.assertEqual(self.ruleset.get_glob('capability net_raw,'), 'capability,') def test_glob_ext(self): with self.assertRaises(NotImplementedError): self.ruleset.get_glob_ext('capability net_raw,')
def AASetup(self): self.ruleset = CapabilityRuleset() rules = [ 'capability chown,', 'allow capability sys_admin,', 'deny capability chgrp, # example comment', ] for rule in rules: self.ruleset.add(CapabilityRule.parse(rule))
class CapabilityGlobTest(AATest): def AASetup(self): self.ruleset = CapabilityRuleset() def test_glob(self): self.assertEqual(self.ruleset.get_glob('capability net_raw,'), 'capability,') def test_glob_ext(self): with self.assertRaises(AppArmorBug): self.ruleset.get_glob_ext('capability net_raw,')
def test_empty_ruleset(self): ruleset = CapabilityRuleset() ruleset_2 = CapabilityRuleset() self.assertEqual([], ruleset.get_raw(2)) self.assertEqual([], ruleset.get_clean(2)) self.assertEqual([], ruleset_2.get_raw(2)) self.assertEqual([], ruleset_2.get_clean(2))
def test_ruleset_add(self): rule = CapabilityRule('chgrp', comment=' # example comment') ruleset = CapabilityRuleset() ruleset.add(rule) expected_raw = [ ' capability chgrp, # example comment', '', ] expected_clean = expected_raw self.assertEqual(expected_raw, ruleset.get_raw(1)) self.assertEqual(expected_clean, ruleset.get_clean(1))
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted): obj = CapabilityRuleset() for rule in rules: obj.add(CapabilityRule.parse(rule)) deleted = obj.delete_duplicates(None) self.assertEqual(expected_raw, obj.get_raw(1)) self.assertEqual(expected_clean, obj.get_clean(1)) self.assertEqual(deleted, expected_deleted)
def test_ruleset_1(self): ruleset = CapabilityRuleset() rules = [ 'capability sys_admin,', 'capability chown,', ] expected_raw = [ 'capability sys_admin,', 'capability chown,', '', ] expected_clean = [ 'capability chown,', 'capability sys_admin,', '', ] for rule in rules: ruleset.add(CapabilityRule.parse(rule)) self.assertEqual(expected_raw, ruleset.get_raw()) self.assertEqual(expected_clean, ruleset.get_clean())
class CapabilityRulesCoveredTest(AATest): def AASetup(self): self.ruleset = CapabilityRuleset() rules = [ 'capability chown,', 'capability setuid setgid,', 'allow capability sys_admin,', 'audit capability kill,', 'deny capability chgrp, # example comment', ] for rule in rules: self.ruleset.add(CapabilityRule.parse(rule)) def test_ruleset_is_covered_1(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chown,'))) def test_ruleset_is_covered_2(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability sys_admin,'))) def test_ruleset_is_covered_3(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability sys_admin,'))) def test_ruleset_is_covered_4(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setuid,'))) def test_ruleset_is_covered_5(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability setgid,'))) def test_ruleset_is_covered_6(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setgid setuid,'))) def test_ruleset_is_covered_7(self): pass # self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability sys_admin chown,'))) # fails because it is split over two rule objects internally def test_ruleset_is_covered_8(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability kill,'))) def test_ruleset_is_covered_9(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'))) def test_ruleset_is_covered_10(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin,'))) def test_ruleset_is_covered_11(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin chown,'))) def test_ruleset_is_covered_12(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability setgid,'))) def test_ruleset_is_covered_13(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability kill,'))) def test_ruleset_is_covered_14(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability chown,'))) def test_ruleset_is_covered_15(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin,'))) def test_ruleset_is_covered_16(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin chown,'))) def test_ruleset_is_covered_17(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability setgid,'))) def test_ruleset_is_covered_18(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('audit capability kill,'))) def test_ruleset_is_covered_19(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('deny capability chgrp,'))) def test_ruleset_is_covered_20(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit deny capability chgrp,'))) def test_ruleset_is_covered_21(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability chgrp,'))) def test_ruleset_is_covered_22(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'))) def test_ruleset_is_covered_23(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False)) def test_ruleset_is_covered_24(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
def AASetup(self): self.ruleset = CapabilityRuleset()
class CapabilityDeleteTest(AATest): def AASetup(self): self.ruleset = CapabilityRuleset() rules = [ 'capability chown,', 'allow capability sys_admin,', 'deny capability chgrp, # example comment', ] for rule in rules: self.ruleset.add(CapabilityRule.parse(rule)) def test_delete(self): expected_raw = [ ' capability chown,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' capability chown,', '', ] self.ruleset.delete(CapabilityRule(['sys_admin'])) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_with_allcaps(self): expected_raw = [ ' capability chown,', ' deny capability chgrp, # example comment', ' capability,', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' capability chown,', ' capability,', '', ] self.ruleset.add(CapabilityRule(CapabilityRule.ALL)) self.ruleset.delete(CapabilityRule('sys_admin')) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_with_multi(self): expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.ruleset.add(CapabilityRule(['audit_read', 'audit_write'])) self.ruleset.delete(CapabilityRule(['audit_read', 'audit_write'])) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_with_multi_2(self): self.ruleset.add(CapabilityRule(['audit_read', 'audit_write'])) with self.assertRaises(AppArmorBug): # XXX ideally delete_raw should remove audit_read from the "capability audit_read audit_write," ruleset # but that's quite some work to cover a corner case. self.ruleset.delete(CapabilityRule('audit_read')) def test_delete_raw_notfound(self): with self.assertRaises(AppArmorBug): self.ruleset.delete(CapabilityRule('audit_write')) def test_delete_duplicates(self): inc = CapabilityRuleset() rules = [ 'capability chown,', 'deny capability chgrp, # example comment', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' allow capability sys_admin,', '', ] expected_clean = expected_raw self.assertEqual(self.ruleset.delete_duplicates(inc), 2) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_2(self): inc = CapabilityRuleset() rules = [ 'capability audit_write,', 'capability chgrp, # example comment', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_3(self): self.ruleset.add(CapabilityRule.parse('audit capability dac_override,')) inc = CapabilityRuleset() rules = [ 'capability dac_override,', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', ' audit capability dac_override,', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' audit capability dac_override,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_4(self): inc = CapabilityRuleset() rules = [ 'capability,', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 2) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_none(self): expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(None), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_hasher(self): expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(hasher()), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted): obj = CapabilityRuleset() for rule in rules: obj.add(CapabilityRule.parse(rule)) deleted = obj.delete_duplicates(None) self.assertEqual(expected_raw, obj.get_raw(1)) self.assertEqual(expected_clean, obj.get_clean(1)) self.assertEqual(deleted, expected_deleted) def test_delete_duplicates_in_profile_01(self): rules = [ 'audit capability chown,', 'audit capability,', 'capability dac_override,', ] expected_raw = [ ' audit capability,', '', ] expected_clean = [ ' audit capability,', '', ] expected_deleted = 2 self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted) def test_delete_duplicates_in_profile_02(self): rules = [ 'audit capability chown,', 'audit capability,', 'audit capability dac_override,', 'capability ,', 'audit capability ,', ] expected_raw = [ ' audit capability,', '', ] expected_clean = [ ' audit capability,', '', ] expected_deleted = 4 self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted) def test_delete_duplicates_in_profile_03(self): rules = [ 'audit capability chown,', 'capability dac_override,', 'deny capability dac_override,', 'capability dac_override,', 'audit capability chown,', 'deny capability chown,', 'audit deny capability chown,', 'capability,', 'audit capability,', ] expected_raw = [ ' deny capability dac_override,', ' audit deny capability chown,', ' audit capability,', '', ] expected_clean = [ ' audit deny capability chown,', ' deny capability dac_override,', '', ' audit capability,', '', ] expected_deleted = 6 self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted) def test_delete_duplicates_in_profile_04(self): rules = [ 'audit capability chown,', 'deny capability chown,', ] expected_raw = [ ' audit capability chown,', ' deny capability chown,', '', ] expected_clean = [ ' deny capability chown,', '', ' audit capability chown,', '', ] expected_deleted = 0 self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
class CapabilityDeleteTest(AATest): def AASetup(self): self.ruleset = CapabilityRuleset() rules = [ 'capability chown,', 'allow capability sys_admin,', 'deny capability chgrp, # example comment', ] for rule in rules: self.ruleset.add(CapabilityRule.parse(rule)) def test_delete(self): expected_raw = [ ' capability chown,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' capability chown,', '', ] self.ruleset.delete(CapabilityRule(['sys_admin'])) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_with_allcaps(self): expected_raw = [ ' capability chown,', ' deny capability chgrp, # example comment', ' capability,', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' capability chown,', ' capability,', '', ] self.ruleset.add(CapabilityRule(CapabilityRule.ALL)) self.ruleset.delete(CapabilityRule('sys_admin')) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_with_multi(self): expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.ruleset.add(CapabilityRule(['audit_read', 'audit_write'])) self.ruleset.delete(CapabilityRule(['audit_read', 'audit_write'])) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_with_multi_2(self): self.ruleset.add(CapabilityRule(['audit_read', 'audit_write'])) with self.assertRaises(AppArmorBug): # XXX ideally delete_raw should remove audit_read from the "capability audit_read audit_write," ruleset # but that's quite some work to cover a corner case. self.ruleset.delete(CapabilityRule('audit_read')) def test_delete_raw_notfound(self): with self.assertRaises(AppArmorBug): self.ruleset.delete(CapabilityRule('audit_write')) def test_delete_duplicates(self): inc = CapabilityRuleset() rules = [ 'capability chown,', 'deny capability chgrp, # example comment', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' allow capability sys_admin,', '', ] expected_clean = expected_raw self.assertEqual(self.ruleset.delete_duplicates(inc), 2) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_2(self): inc = CapabilityRuleset() rules = [ 'capability audit_write,', 'capability chgrp, # example comment', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_3(self): self.ruleset.add(CapabilityRule.parse('audit capability dac_override,')) inc = CapabilityRuleset() rules = [ 'capability dac_override,', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', ' audit capability dac_override,', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' audit capability dac_override,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_4(self): inc = CapabilityRuleset() rules = [ 'capability,', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' allow capability sys_admin,', # XXX huh? should be deleted! ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', # XXX huh? should be deleted! '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 1) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_none(self): expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(None), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def test_delete_duplicates_hasher(self): expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(hasher()), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1)) def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted): obj = CapabilityRuleset() for rule in rules: obj.add(CapabilityRule.parse(rule)) deleted = obj.delete_duplicates(None) self.assertEqual(expected_raw, obj.get_raw(1)) self.assertEqual(expected_clean, obj.get_clean(1)) self.assertEqual(deleted, expected_deleted) def test_delete_duplicates_in_profile_01(self): rules = [ 'audit capability chown,', 'audit capability,', 'capability dac_override,', ] expected_raw = [ ' audit capability,', '', ] expected_clean = [ ' audit capability,', '', ] expected_deleted = 2 self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted) def test_delete_duplicates_in_profile_02(self): rules = [ 'audit capability chown,', 'audit capability,', 'audit capability dac_override,', 'capability ,', 'audit capability ,', ] expected_raw = [ ' audit capability,', '', ] expected_clean = [ ' audit capability,', '', ] expected_deleted = 4 self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted) def test_delete_duplicates_in_profile_03(self): rules = [ 'audit capability chown,', 'capability dac_override,', 'deny capability dac_override,', 'capability dac_override,', 'audit capability chown,', 'deny capability chown,', 'audit deny capability chown,', 'capability,', 'audit capability,', ] expected_raw = [ ' deny capability dac_override,', ' audit deny capability chown,', ' audit capability,', '', ] expected_clean = [ ' audit deny capability chown,', ' deny capability dac_override,', '', ' audit capability,', '', ] expected_deleted = 6 self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted) def test_delete_duplicates_in_profile_04(self): rules = [ 'audit capability chown,', 'deny capability chown,', ] expected_raw = [ ' audit capability chown,', ' deny capability chown,', '', ] expected_clean = [ ' deny capability chown,', '', ' audit capability chown,', '', ] expected_deleted = 0 self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)