def AASetup(self):
self.pl = ProfileList()
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add_profile(
'/etc/apparmor.d/usr.bin.wine',
'/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}',
'/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}'
)
class TestFilename_from_attachment(AATest):
tests = [
('/bin/foo', '/etc/apparmor.d/bin.foo'),
('/bin/baz', '/etc/apparmor.d/bin.baz'),
('/bin/foobar', '/etc/apparmor.d/bin.foobar'),
(
'@{foo}', None
), # XXX variables not supported yet (and @{foo} isn't defined in this test)
('/bin/404', None),
('/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}',
'/etc/apparmor.d/usr.bin.wine'
), # XXX should this really match, or should attachment matching only use AARE?
('/usr/lib/wine/bin/wine-preloader-staging-foo',
'/etc/apparmor.d/usr.bin.wine'), # AARE match
]
def AASetup(self):
self.pl = ProfileList()
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add_profile('/etc/apparmor.d/bin.baz', 'baz', '/bin/ba*')
self.pl.add_profile('/etc/apparmor.d/bin.foobar', 'foobar',
'/bin/foo{bar,baz}')
self.pl.add_profile(
'/etc/apparmor.d/usr.bin.wine',
'/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}',
'/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}'
)
def _run_test(self, params, expected):
self.assertEqual(self.pl.filename_from_attachment(params), expected)
def test_non_path_attachment(self):
with self.assertRaises(AppArmorBug):
self.pl.filename_from_attachment('foo')
class TestGet(AATest):
def AASetup(self):
self.pl = ProfileList()
def testGet_clean_error(self):
with self.assertRaises(AppArmorBug):
self.pl.get_clean('/etc/apparmor.d/not.found')
def testGet_raw_error(self):
with self.assertRaises(AppArmorBug):
self.pl.get_raw('/etc/apparmor.d/not.found')
class TestFilename_from_profile_name(AATest):
tests = [
('foo', '/etc/apparmor.d/bin.foo'),
('/bin/foo', None),
('bar', None),
]
def AASetup(self):
self.pl = ProfileList()
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def _run_test(self, params, expected):
self.assertEqual(self.pl.filename_from_profile_name(params), expected)
class TestFilename_from_profile_name(AATest):
tests = [
('foo', '/etc/apparmor.d/bin.foo'),
('/bin/foo', None),
('bar', None),
('/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}',
'/etc/apparmor.d/usr.bin.wine'),
('/usr/lib/wine/bin/wine-preloader-staging-foo',
None), # no AARE matching for profile names
]
def AASetup(self):
self.pl = ProfileList()
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add_profile(
'/etc/apparmor.d/usr.bin.wine',
'/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}',
'/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}'
)
def _run_test(self, params, expected):
self.assertEqual(self.pl.filename_from_profile_name(params), expected)
class TestFilename_from_attachment(AATest):
tests = [
('/bin/foo', '/etc/apparmor.d/bin.foo'),
('/bin/baz', '/etc/apparmor.d/bin.baz'),
('/bin/foobar', '/etc/apparmor.d/bin.foobar'),
(
'@{foo}', None
), # XXX variables not supported yet (and @{foo} isn't defined in this test)
('/bin/404', None),
]
def AASetup(self):
self.pl = ProfileList()
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add('/etc/apparmor.d/bin.baz', 'baz', '/bin/ba*')
self.pl.add('/etc/apparmor.d/bin.foobar', 'foobar',
'/bin/foo{bar,baz}')
def _run_test(self, params, expected):
self.assertEqual(self.pl.filename_from_attachment(params), expected)
def test_non_path_attachment(self):
with self.assertRaises(AppArmorBug):
self.pl.filename_from_attachment('foo')
class TestAdd_variable(AATest):
def AASetup(self):
self.pl = ProfileList()
def testAdd_variable_1(self):
self.pl.add_variable('/etc/apparmor.d/bin.foo',
VariableRule('@{foo}', '=', {'/foo'}))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['@{foo} = /foo', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['@{foo} = /foo', ''])
def testAdd_variable_2(self):
self.pl.add_variable('/etc/apparmor.d/bin.foo',
VariableRule('@{foo}', '=', {'/foo'}))
self.pl.add_variable('/etc/apparmor.d/bin.foo',
VariableRule('@{bar}', '=', {'/bar'}))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['@{foo} = /foo', '@{bar} = /bar', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['@{foo} = /foo', '@{bar} = /bar', ''])
def testAdd_variable_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_variable('/etc/apparmor.d/bin.foo',
'@{foo}') # str insteadd of IncludeRule
self.assertEqual(list(self.pl.files.keys()), [])
def test_dedup_variable_1(self):
self.pl.add_variable('/etc/apparmor.d/bin.foo',
VariableRule.parse('@{foo} = /foo'))
self.pl.add_variable('/etc/apparmor.d/bin.foo',
VariableRule.parse('@{foo} += /bar # comment'))
self.pl.add_variable('/etc/apparmor.d/bin.foo',
VariableRule.parse('@{foo} += /bar /baz'))
deleted = self.pl.delete_preamble_duplicates('/etc/apparmor.d/bin.foo')
self.assertEqual(deleted, 1)
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['@{foo} = /foo', '@{foo} += /bar /baz', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['@{foo} = /foo', '@{foo} += /bar /baz', ''])
def test_dedup_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.delete_preamble_duplicates('/file/not/found')
self.assertEqual(list(self.pl.files.keys()), [])
class TestAdd_alias(AATest):
def AASetup(self):
self.pl = ProfileList()
def testAdd_alias_1(self):
self.pl.add_alias('/etc/apparmor.d/bin.foo', AliasRule('/foo', '/bar'))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['alias /foo -> /bar,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['alias /foo -> /bar,', ''])
def testAdd_alias_2(self):
self.pl.add_alias('/etc/apparmor.d/bin.foo', AliasRule('/foo', '/bar'))
self.pl.add_alias('/etc/apparmor.d/bin.foo', AliasRule('/xyz', '/zyx'))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['alias /foo -> /bar,', 'alias /xyz -> /zyx,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['alias /foo -> /bar,', 'alias /xyz -> /zyx,', ''])
def testAdd_alias_two_targets(self):
self.pl.add_alias('/etc/apparmor.d/bin.foo', AliasRule('/foo', '/bar'))
self.pl.add_alias('/etc/apparmor.d/bin.foo',
AliasRule('/foo', '/another_target'))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(
self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['alias /foo -> /bar,', 'alias /foo -> /another_target,', ''])
self.assertEqual(
self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['alias /foo -> /bar,', 'alias /foo -> /another_target,', ''])
def testAdd_alias_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_alias('/etc/apparmor.d/bin.foo',
AliasRule(None,
'/foo')) # alias None insteadd of str
self.assertEqual(list(self.pl.files.keys()), [])
def testAdd_alias_error_2(self):
with self.assertRaises(AppArmorBug):
self.pl.add_alias('/etc/apparmor.d/bin.foo',
AliasRule('/foo',
None)) # target None insteadd of str
self.assertEqual(list(self.pl.files.keys()), [])
def test_dedup_alias_1(self):
self.pl.add_alias('/etc/apparmor.d/bin.foo', AliasRule('/foo', '/bar'))
self.pl.add_alias('/etc/apparmor.d/bin.foo',
AliasRule('/foo', '/another_target'))
self.pl.add_alias('/etc/apparmor.d/bin.foo',
AliasRule('/foo', '/bar')) # duplicate
deleted = self.pl.delete_preamble_duplicates('/etc/apparmor.d/bin.foo')
self.assertEqual(deleted, 1)
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(
self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['alias /foo -> /bar,', 'alias /foo -> /another_target,', ''])
self.assertEqual(
self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['alias /foo -> /bar,', 'alias /foo -> /another_target,', ''])
class TestAdd_profile(AATest):
def AASetup(self):
self.pl = ProfileList()
def testEmpty(self):
self.assertEqual(self.pl.profile_names, {})
self.assertEqual(self.pl.attachments, {})
self.assertEqual(
'%s' % self.pl,
"\n".join(['', '<ProfileList>', '', '</ProfileList>', '']))
def testAdd_profile_1(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.assertEqual(self.pl.profile_names,
{'foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.attachments,
{'/bin/foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.profiles_in_file('/etc/apparmor.d/bin.foo'),
['foo'])
self.assertEqual(
'%s' % self.pl,
'\n<ProfileList>\n/etc/apparmor.d/bin.foo\n</ProfileList>\n')
def testAdd_profile_2(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', None, '/bin/foo')
self.assertEqual(self.pl.profile_names, {})
self.assertEqual(self.pl.attachments,
{'/bin/foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.profiles_in_file('/etc/apparmor.d/bin.foo'),
['/bin/foo'])
self.assertEqual(
'%s' % self.pl,
'\n<ProfileList>\n/etc/apparmor.d/bin.foo\n</ProfileList>\n')
def testAdd_profile_3(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', None)
self.assertEqual(self.pl.profile_names,
{'foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.attachments, {})
self.assertEqual(self.pl.profiles_in_file('/etc/apparmor.d/bin.foo'),
['foo'])
self.assertEqual(
'%s' % self.pl,
'\n<ProfileList>\n/etc/apparmor.d/bin.foo\n</ProfileList>\n')
def testAdd_profileError_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_profile('', 'foo', '/bin/foo') # no filename
def testAdd_profileError_2(self):
with self.assertRaises(AppArmorBug):
self.pl.add_profile('/etc/apparmor.d/bin.foo', None,
None) # neither attachment or profile name
def testAdd_profileError_list_nonexisting_file(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', None)
with self.assertRaises(AppArmorBug):
self.pl.profiles_in_file(
'/etc/apparmor.d/not.found') # different filename
def testAdd_profileError_twice_1(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAdd_profileError_twice_2(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', None)
def testAdd_profileError_twice_3(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', None, '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAdd_profileError_twice_4(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', None, '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAdd_profileError_twice_5(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', None)
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
class TestAdd_abi(AATest):
def AASetup(self):
self.pl = ProfileList()
def testAdd_abi_1(self):
self.pl.add_abi('/etc/apparmor.d/bin.foo',
AbiRule('abi/4.19', False, True))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['abi <abi/4.19>,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['abi <abi/4.19>,', ''])
def testAdd_abi_2(self):
self.pl.add_abi('/etc/apparmor.d/bin.foo',
AbiRule('abi/4.19', False, True))
self.pl.add_abi('/etc/apparmor.d/bin.foo',
AbiRule('foo', False, False))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['abi <abi/4.19>,', 'abi "foo",', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['abi <abi/4.19>,', 'abi "foo",', ''])
def testAdd_abi_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_abi('/etc/apparmor.d/bin.foo',
'abi/4.19') # str insteadd of AbiRule
self.assertEqual(list(self.pl.files.keys()), [])
def test_dedup_abi_1(self):
self.pl.add_abi('/etc/apparmor.d/bin.foo',
AbiRule.parse('abi <abi/4.19>,'))
self.pl.add_abi('/etc/apparmor.d/bin.foo',
AbiRule.parse(' abi <abi/4.19> , # comment'))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
deleted = self.pl.delete_preamble_duplicates('/etc/apparmor.d/bin.foo')
self.assertEqual(deleted, 1)
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['abi <abi/4.19>,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['abi <abi/4.19>,', ''])
class TestAdd_inc_ie(AATest):
def AASetup(self):
self.pl = ProfileList()
def testAdd_inc_ie_1(self):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo',
IncludeRule('tunables/global', False, True))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', ''])
def testAdd_inc_ie_2(self):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo',
IncludeRule('tunables/global', False, True))
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo',
IncludeRule('tunables/dovecot', False, True))
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(
self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', 'include <tunables/dovecot>', ''])
self.assertEqual(
self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', 'include <tunables/dovecot>', ''])
def testAdd_inc_ie_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_inc_ie(
'/etc/apparmor.d/bin.foo',
'tunables/global') # str insteadd of IncludeRule
self.assertEqual(list(self.pl.files.keys()), [])
def test_dedup_inc_ie_1(self):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo',
IncludeRule.parse('include <tunables/global>'))
self.pl.add_inc_ie(
'/etc/apparmor.d/bin.foo',
IncludeRule.parse(
'#include if exists <tunables/global> # comment'))
self.pl.add_inc_ie(
'/etc/apparmor.d/bin.foo',
IncludeRule.parse(' #include <tunables/global> '))
deleted = self.pl.delete_preamble_duplicates('/etc/apparmor.d/bin.foo')
self.assertEqual(deleted, 2)
self.assertEqual(list(self.pl.files.keys()),
['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'),
['include <tunables/global>', ''])
def test_dedup_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.delete_preamble_duplicates('/file/not/found')
self.assertEqual(list(self.pl.files.keys()), [])
def AASetup(self):
self.pl = ProfileList()
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add('/etc/apparmor.d/bin.baz', 'baz', '/bin/ba*')
self.pl.add('/etc/apparmor.d/bin.foobar', 'foobar',
'/bin/foo{bar,baz}')
def AASetup(self):
self.pl = ProfileList()
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
class TestAdd(AATest):
def AASetup(self):
self.pl = ProfileList()
def testEmpty(self):
self.assertEqual(self.pl.profile_names, {})
self.assertEqual(self.pl.attachments, {})
def testAdd_1(self):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.assertEqual(self.pl.profile_names,
{'foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.attachments,
{'/bin/foo': '/etc/apparmor.d/bin.foo'})
def testAdd_2(self):
self.pl.add('/etc/apparmor.d/bin.foo', None, '/bin/foo')
self.assertEqual(self.pl.profile_names, {})
self.assertEqual(self.pl.attachments,
{'/bin/foo': '/etc/apparmor.d/bin.foo'})
def testAdd_3(self):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', None)
self.assertEqual(self.pl.profile_names,
{'foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.attachments, {})
def testAddError_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add('', 'foo', '/bin/foo') # no filename
def testAddError_2(self):
with self.assertRaises(AppArmorBug):
self.pl.add('/etc/apparmor.d/bin.foo', None,
None) # neither attachment or profile name
def testAddError_twice_1(self):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAddError_twice_2(self):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', None)
def testAddError_twice_3(self):
self.pl.add('/etc/apparmor.d/bin.foo', None, '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAddError_twice_4(self):
self.pl.add('/etc/apparmor.d/bin.foo', None, '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAddError_twice_5(self):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', None)
with self.assertRaises(AppArmorException):
self.pl.add('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def AASetup(self):
self.pl = ProfileList()
def logfile_to_profile(logfile):
profile_dummy_file = 'AATest_does_exist'
# we need to find out the profile name and aamode (complain vs. enforce mode) so that the test can access the correct place in storage
parser = ReadLog('', '', '')
parsed_event = parser.parse_event(read_file(logfile))
if not parsed_event: # AA_RECORD_INVALID
return None, 'INVALID'
aamode = parsed_event['aamode']
if aamode in [
'AUDIT', 'STATUS', 'HINT'
]: # ignore some event types # XXX maybe we shouldn't ignore AUDIT events?
return None, aamode
if aamode not in ['PERMITTING', 'REJECTING']:
raise Exception('Unexpected aamode %s' % parsed_event['aamode'])
# cleanup apparmor.aa storage
apparmor.aa.log = dict()
apparmor.aa.aa = apparmor.aa.hasher()
profile, hat = split_name(parsed_event['profile'])
apparmor.aa.active_profiles = ProfileList()
# optional for now, might be needed one day
# if profile.startswith('/'):
# apparmor.aa.active_profiles.add_profile(profile_dummy_file, profile, profile)
# else:
apparmor.aa.active_profiles.add_profile(profile_dummy_file, profile, '')
log_reader = ReadLog(logfile, apparmor.aa.active_profiles, '')
hashlog = log_reader.read_log('')
apparmor.aa.ask_exec(hashlog)
apparmor.aa.ask_addhat(hashlog)
log_dict = apparmor.aa.collapse_log(hashlog, ignore_null_profiles=False)
if profile != hat:
# log event for a child profile means log_dict only contains the child profile
# initialize parent profile in log_dict as ProfileStorage to ensure writing the profile doesn't fail
# (in "normal" usage outside of this test, log_dict will not be handed over to serialize_profile())
if log_dict[aamode][profile][profile] != {}:
raise Exception(
'event for child profile, but parent profile was initialized nevertheless. Logfile: %s'
% logfile)
log_dict[aamode][profile][profile] = apparmor.aa.ProfileStorage(
'TEST DUMMY for empty parent profile', profile_dummy_file,
'logfile_to_profile()')
log_is_empty = True
for tmpaamode in hashlog:
for tmpprofile in hashlog[tmpaamode]:
for tmpruletype in hashlog[tmpaamode][tmpprofile]:
if tmpruletype == 'final_name' and hashlog[tmpaamode][
tmpprofile]['final_name'] == tmpprofile:
continue # final_name is a copy of the profile name (may be changed by ask_exec(), but that won't happen in this test)
if hashlog[tmpaamode][tmpprofile][tmpruletype]:
log_is_empty = False
if logfile.split('/')[-1][:-3] in log_to_profile_known_empty_log:
# unfortunately this function might be called outside Unittest.TestCase, therefore we can't use assertEqual / assertNotEqual
if log_is_empty == False:
raise Exception(
'got non-empty log for logfile in log_to_profile_known_empty_log: %s %s'
% (logfile, hashlog))
else:
if log_is_empty == True:
raise Exception(
'got empty log for logfile not in log_to_profile_known_empty_log: %s %s'
% (logfile, hashlog))
new_profile = apparmor.aa.serialize_profile(log_dict[aamode][profile],
profile, {})
return profile, new_profile
def _run_test(self, params, expected):
logfile = '%s.in' % params
profile_dummy_file = 'AATest_does_exist'
# we need to find out the profile name and aamode (complain vs. enforce mode) so that the test can access the correct place in storage
parser = ReadLog('', '', '', '')
parsed_event = parser.parse_event(read_file(logfile))
if not parsed_event: # AA_RECORD_INVALID
return
if params.split('/')[-1] in log_to_profile_skip:
return
aamode = parsed_event['aamode']
if aamode in [
'AUDIT', 'STATUS', 'HINT'
]: # ignore some event types # XXX maybe we shouldn't ignore AUDIT events?
return
if aamode not in ['PERMITTING', 'REJECTING']:
raise Exception('Unexpected aamode %s' % parsed_event['aamode'])
# cleanup apparmor.aa storage
apparmor.aa.log = dict()
apparmor.aa.aa = apparmor.aa.hasher()
apparmor.aa.prelog = apparmor.aa.hasher()
profile = parsed_event['profile']
hat = profile
if '//' in profile:
profile, hat = profile.split('//')
apparmor.aa.active_profiles = ProfileList()
# optional for now, might be needed one day
# if profile.startswith('/'):
# apparmor.aa.active_profiles.add(profile_dummy_file, profile, profile)
# else:
apparmor.aa.active_profiles.add(profile_dummy_file, profile, '')
log_reader = ReadLog(dict(), logfile, apparmor.aa.active_profiles, '')
log = log_reader.read_log('')
for root in log:
apparmor.aa.handle_children('', '',
root) # interactive for exec events!
log_dict = apparmor.aa.collapse_log()
apparmor.aa.filelist = apparmor.aa.hasher()
apparmor.aa.filelist[profile_dummy_file]['profiles'][profile] = True
new_profile = apparmor.aa.serialize_profile(log_dict[aamode][profile],
profile, None)
expected_profile = read_file('%s.profile' % params)
if params.split('/')[-1] in log_to_profile_known_failures:
self.assertNotEqual(new_profile, expected_profile) # known failure
else:
self.assertEqual(new_profile, expected_profile)