def test_write_manually(self): obj = NetworkRule('inet', 'stream', allow_keyword=True) expected = ' allow network inet stream,' self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule') self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
def test_network_ruleset_repr(self): obj = NetworkRuleset() obj.add(NetworkRule('inet', 'stream')) obj.add(NetworkRule.parse(' allow network inet stream, # foo')) expected = '<NetworkRuleset>\n network inet stream,\n allow network inet stream, # foo\n</NetworkRuleset>' self.assertEqual(str(obj), expected)
def _check_invalid_rawrule(self, rawrule): obj = None self.assertFalse(NetworkRule.match(rawrule)) with self.assertRaises(AppArmorException): obj = NetworkRule(NetworkRule.parse(rawrule)) self.assertIsNone(obj, 'NetworkRule handed back an object unexpectedly')
def test_borked_obj_is_covered_1(self): obj = NetworkRule.parse('network inet,') testobj = NetworkRule('inet', 'stream') testobj.domain = '' with self.assertRaises(AppArmorBug): obj.is_covered(testobj)
def _run_test(self, rawrule, expected): self.assertTrue(NetworkRule.match(rawrule)) obj = NetworkRule.parse(rawrule) clean = obj.get_clean() raw = obj.get_raw() self.assertEqual(expected.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
def test_borked_obj_is_covered_2(self): obj = NetworkRule.parse('network inet,') testobj = NetworkRule('inet', 'stream') testobj.type_or_protocol = '' with self.assertRaises(AppArmorBug): obj.is_covered(testobj)
class NetworkRuleReprTest(AATest): tests = [ (NetworkRule('inet', 'stream'), '<NetworkRule> network inet stream,'), (NetworkRule.parse(' allow network inet stream, # foo'), '<NetworkRule> allow network inet stream, # foo'), ] def _run_test(self, params, expected): self.assertEqual(str(params), expected)
def _run_test(self, param, expected): obj = NetworkRule.parse(self.rule) check_obj = NetworkRule.parse(param) self.assertTrue(NetworkRule.match(param)) self.assertEqual(obj.is_equal(check_obj), expected[0], 'Mismatch in is_equal, expected %s' % expected[0]) self.assertEqual(obj.is_equal(check_obj, True), expected[1], 'Mismatch in is_equal/strict, expected %s' % expected[1]) self.assertEqual(obj.is_covered(check_obj), expected[2], 'Mismatch in is_covered, expected %s' % expected[2]) self.assertEqual(obj.is_covered(check_obj, True, True), expected[3], 'Mismatch in is_covered/exact, expected %s' % expected[3])
def test_ruleset_2(self): ruleset = NetworkRuleset() rules = [ 'network inet6 raw,', 'allow network inet,', 'deny network udp, # example comment', ] expected_raw = [ ' network inet6 raw,', ' allow network inet,', ' deny network udp, # example comment', '', ] expected_clean = [ ' deny network udp, # example comment', '', ' allow network inet,', ' network inet6 raw,', '', ] for rule in rules: ruleset.add(NetworkRule.parse(rule)) self.assertEqual(expected_raw, ruleset.get_raw(1)) self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_invalid_is_equal(self): obj = NetworkRule.parse('network inet,') testobj = BaseRule() # different type with self.assertRaises(AppArmorBug): obj.is_equal(testobj)
def _run_test(self, param, expected): obj = NetworkRule.parse(self.rule) check_obj = NetworkRule.parse(param) self.assertTrue(NetworkRule.match(param)) self.assertEqual(obj.is_equal(check_obj), expected[0], 'Mismatch in is_equal, expected %s' % expected[0]) self.assertEqual( obj.is_equal(check_obj, True), expected[1], 'Mismatch in is_equal/strict, expected %s' % expected[1]) self.assertEqual(obj.is_covered(check_obj), expected[2], 'Mismatch in is_covered, expected %s' % expected[2]) self.assertEqual( obj.is_covered(check_obj, True, True), expected[3], 'Mismatch in is_covered/exact, expected %s' % expected[3])
def test_net_from_log(self): parser = ReadLog('', '', '', '') event = 'type=AVC msg=audit(1428699242.551:386): apparmor="DENIED" operation="create" profile="/bin/ping" pid=10589 comm="ping" family="inet" sock_type="raw" protocol=1' parsed_event = parser.parse_event(event) self.assertEqual( parsed_event, { 'request_mask': None, 'denied_mask': None, 'error_code': 0, 'family': 'inet', 'magic_token': 0, 'parent': 0, 'profile': '/bin/ping', 'protocol': 'icmp', 'sock_type': 'raw', 'operation': 'create', 'resource': None, 'info': None, 'aamode': 'REJECTING', 'time': 1428699242, 'active_hat': None, 'pid': 10589, 'task': 0, 'attr': None, 'name2': None, 'name': None, }) obj = NetworkRule(parsed_event['family'], parsed_event['sock_type'], log_event=parsed_event) # audit allow deny comment domain all? type/proto all? expected = exp(False, False, False, '', 'inet', False, 'raw', False) self._compare_obj(obj, expected) self.assertEqual(obj.get_raw(1), ' network inet raw,')
def test_net_from_log(self): parser = ReadLog('', '', '', '', '') event = 'type=AVC msg=audit(1428699242.551:386): apparmor="DENIED" operation="create" profile="/bin/ping" pid=10589 comm="ping" family="inet" sock_type="raw" protocol=1' parsed_event = parser.parse_event(event) self.assertEqual(parsed_event, { 'request_mask': None, 'denied_mask': None, 'error_code': 0, 'family': 'inet', 'magic_token': 0, 'parent': 0, 'profile': '/bin/ping', 'protocol': 'icmp', 'sock_type': 'raw', 'operation': 'create', 'resource': None, 'info': None, 'aamode': 'REJECTING', 'time': 1428699242, 'active_hat': None, 'pid': 10589, 'task': 0, 'attr': None, 'name2': None, 'name': None, }) obj = NetworkRule(parsed_event['family'], parsed_event['sock_type'], log_event=parsed_event) # audit allow deny comment domain all? type/proto all? expected = exp(False, False, False, '' , 'inet', False, 'raw' , False) self._compare_obj(obj, expected) self.assertEqual(obj.get_raw(1), ' network inet raw,')
def test_ruleset_1(self): ruleset = NetworkRuleset() rules = [ 'network tcp,', 'network inet,', ] expected_raw = [ 'network tcp,', 'network inet,', '', ] expected_clean = [ 'network inet,', 'network tcp,', '', ] for rule in rules: ruleset.add(NetworkRule.parse(rule)) self.assertEqual(expected_raw, ruleset.get_raw()) self.assertEqual(expected_clean, ruleset.get_clean())
class NetworkFromInit(NetworkTest): tests = [ # NetworkRule object audit allow deny comment domain all? type/proto all? (NetworkRule('inet', 'raw', deny=True), exp(False, False, True, '', 'inet', False, 'raw', False)), (NetworkRule('inet', 'raw'), exp(False, False, False, '', 'inet', False, 'raw', False)), (NetworkRule('inet', NetworkRule.ALL), exp(False, False, False, '', 'inet', False, None, True)), (NetworkRule(NetworkRule.ALL, NetworkRule.ALL), exp(False, False, False, '', None, True, None, True)), (NetworkRule(NetworkRule.ALL, 'tcp'), exp(False, False, False, '', None, True, 'tcp', False)), (NetworkRule(NetworkRule.ALL, 'stream'), exp(False, False, False, '', None, True, 'stream', False)), ] def _run_test(self, obj, expected): self._compare_obj(obj, expected)
def test_missing_params_2(self): with self.assertRaises(TypeError): NetworkRule('inet')
def _run_test(self, rawrule, expected): self.assertTrue(NetworkRule.match( rawrule)) # the above invalid rules still match the main regex! with self.assertRaises(expected): NetworkRule.parse(rawrule)
def _run_test(self, rawrule, expected): self.assertTrue(NetworkRule.match(rawrule)) obj = NetworkRule.parse(rawrule) self.assertEqual(rawrule.strip(), obj.raw_rule) self._compare_obj(obj, expected)
def test_empty_net_data_2(self): obj = NetworkRule('inet', 'stream') obj.type_or_protocol = '' # no type_or_protocol set, and ALL not set with self.assertRaises(AppArmorBug): obj.get_clean(1)
def _run_test(self, params, expected): obj = NetworkRule._parse(params) self.assertEqual(obj.logprof_header(), expected)
def _run_test(self, rawrule, expected): self.assertTrue(NetworkRule.match(rawrule)) # the above invalid rules still match the main regex! with self.assertRaises(expected): NetworkRule.parse(rawrule)
def _run_test(self, params, expected): with self.assertRaises(expected): NetworkRule(params[0], params[1])
def test_empty_net_data_1(self): obj = NetworkRule('inet', 'stream') obj.domain = '' # no domain set, and ALL not set with self.assertRaises(AppArmorBug): obj.get_clean(1)