예제 #1
0
    def test_write_manually(self):
        obj = NetworkRule('inet', 'stream', allow_keyword=True)

        expected = '    allow network inet stream,'

        self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule')
        self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
예제 #2
0
    def test_write_manually(self):
        obj = NetworkRule('inet', 'stream', allow_keyword=True)

        expected = '    allow network inet stream,'

        self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule')
        self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
예제 #3
0
    def test_network_ruleset_repr(self):
        obj = NetworkRuleset()
        obj.add(NetworkRule('inet', 'stream'))
        obj.add(NetworkRule.parse(' allow  network  inet  stream, # foo'))

        expected = '<NetworkRuleset>\n  network inet stream,\n  allow  network  inet  stream, # foo\n</NetworkRuleset>'
        self.assertEqual(str(obj), expected)
예제 #4
0
    def _check_invalid_rawrule(self, rawrule):
        obj = None
        self.assertFalse(NetworkRule.match(rawrule))
        with self.assertRaises(AppArmorException):
            obj = NetworkRule(NetworkRule.parse(rawrule))

        self.assertIsNone(obj, 'NetworkRule handed back an object unexpectedly')
예제 #5
0
    def test_borked_obj_is_covered_1(self):
        obj = NetworkRule.parse('network inet,')

        testobj = NetworkRule('inet', 'stream')
        testobj.domain = ''

        with self.assertRaises(AppArmorBug):
            obj.is_covered(testobj)
예제 #6
0
    def _run_test(self, rawrule, expected):
        self.assertTrue(NetworkRule.match(rawrule))
        obj = NetworkRule.parse(rawrule)
        clean = obj.get_clean()
        raw = obj.get_raw()

        self.assertEqual(expected.strip(), clean, 'unexpected clean rule')
        self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
예제 #7
0
    def test_borked_obj_is_covered_2(self):
        obj = NetworkRule.parse('network inet,')

        testobj = NetworkRule('inet', 'stream')
        testobj.type_or_protocol = ''

        with self.assertRaises(AppArmorBug):
            obj.is_covered(testobj)
예제 #8
0
    def _run_test(self, rawrule, expected):
        self.assertTrue(NetworkRule.match(rawrule))
        obj = NetworkRule.parse(rawrule)
        clean = obj.get_clean()
        raw = obj.get_raw()

        self.assertEqual(expected.strip(), clean, 'unexpected clean rule')
        self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
예제 #9
0
    def test_borked_obj_is_covered_2(self):
        obj = NetworkRule.parse('network inet,')

        testobj = NetworkRule('inet', 'stream')
        testobj.type_or_protocol = ''

        with self.assertRaises(AppArmorBug):
            obj.is_covered(testobj)
예제 #10
0
    def test_borked_obj_is_covered_1(self):
        obj = NetworkRule.parse('network inet,')

        testobj = NetworkRule('inet', 'stream')
        testobj.domain = ''

        with self.assertRaises(AppArmorBug):
            obj.is_covered(testobj)
예제 #11
0
    def _check_invalid_rawrule(self, rawrule):
        obj = None
        self.assertFalse(NetworkRule.match(rawrule))
        with self.assertRaises(AppArmorException):
            obj = NetworkRule(NetworkRule.parse(rawrule))

        self.assertIsNone(obj,
                          'NetworkRule handed back an object unexpectedly')
예제 #12
0
class NetworkRuleReprTest(AATest):
    tests = [
        (NetworkRule('inet', 'stream'), '<NetworkRule> network inet stream,'),
        (NetworkRule.parse(' allow  network  inet  stream, # foo'),
         '<NetworkRule> allow  network  inet  stream, # foo'),
    ]

    def _run_test(self, params, expected):
        self.assertEqual(str(params), expected)
예제 #13
0
    def _run_test(self, param, expected):
        obj = NetworkRule.parse(self.rule)
        check_obj = NetworkRule.parse(param)

        self.assertTrue(NetworkRule.match(param))

        self.assertEqual(obj.is_equal(check_obj), expected[0], 'Mismatch in is_equal, expected %s' % expected[0])
        self.assertEqual(obj.is_equal(check_obj, True), expected[1], 'Mismatch in is_equal/strict, expected %s' % expected[1])

        self.assertEqual(obj.is_covered(check_obj), expected[2], 'Mismatch in is_covered, expected %s' % expected[2])
        self.assertEqual(obj.is_covered(check_obj, True, True), expected[3], 'Mismatch in is_covered/exact, expected %s' % expected[3])
예제 #14
0
    def test_ruleset_2(self):
        ruleset = NetworkRuleset()
        rules = [
            'network inet6 raw,',
            'allow network inet,',
            'deny network udp, # example comment',
        ]

        expected_raw = [
            '  network inet6 raw,',
            '  allow network inet,',
            '  deny network udp, # example comment',
            '',
        ]

        expected_clean = [
            '  deny network udp, # example comment',
            '',
            '  allow network inet,',
            '  network inet6 raw,',
            '',
        ]

        for rule in rules:
            ruleset.add(NetworkRule.parse(rule))

        self.assertEqual(expected_raw, ruleset.get_raw(1))
        self.assertEqual(expected_clean, ruleset.get_clean(1))
예제 #15
0
    def test_invalid_is_equal(self):
        obj = NetworkRule.parse('network inet,')

        testobj = BaseRule()  # different type

        with self.assertRaises(AppArmorBug):
            obj.is_equal(testobj)
예제 #16
0
    def test_ruleset_2(self):
        ruleset = NetworkRuleset()
        rules = [
            'network inet6 raw,',
            'allow network inet,',
            'deny network udp, # example comment',
        ]

        expected_raw = [
            '  network inet6 raw,',
            '  allow network inet,',
            '  deny network udp, # example comment',
            '',
        ]

        expected_clean = [
            '  deny network udp, # example comment',
            '',
            '  allow network inet,',
            '  network inet6 raw,',
            '',
        ]

        for rule in rules:
            ruleset.add(NetworkRule.parse(rule))

        self.assertEqual(expected_raw, ruleset.get_raw(1))
        self.assertEqual(expected_clean, ruleset.get_clean(1))
예제 #17
0
    def test_invalid_is_equal(self):
        obj = NetworkRule.parse('network inet,')

        testobj = BaseRule()  # different type

        with self.assertRaises(AppArmorBug):
            obj.is_equal(testobj)
예제 #18
0
    def _run_test(self, param, expected):
        obj = NetworkRule.parse(self.rule)
        check_obj = NetworkRule.parse(param)

        self.assertTrue(NetworkRule.match(param))

        self.assertEqual(obj.is_equal(check_obj), expected[0],
                         'Mismatch in is_equal, expected %s' % expected[0])
        self.assertEqual(
            obj.is_equal(check_obj, True), expected[1],
            'Mismatch in is_equal/strict, expected %s' % expected[1])

        self.assertEqual(obj.is_covered(check_obj), expected[2],
                         'Mismatch in is_covered, expected %s' % expected[2])
        self.assertEqual(
            obj.is_covered(check_obj, True, True), expected[3],
            'Mismatch in is_covered/exact, expected %s' % expected[3])
예제 #19
0
    def test_net_from_log(self):
        parser = ReadLog('', '', '', '')
        event = 'type=AVC msg=audit(1428699242.551:386): apparmor="DENIED" operation="create" profile="/bin/ping" pid=10589 comm="ping" family="inet" sock_type="raw" protocol=1'

        parsed_event = parser.parse_event(event)

        self.assertEqual(
            parsed_event, {
                'request_mask': None,
                'denied_mask': None,
                'error_code': 0,
                'family': 'inet',
                'magic_token': 0,
                'parent': 0,
                'profile': '/bin/ping',
                'protocol': 'icmp',
                'sock_type': 'raw',
                'operation': 'create',
                'resource': None,
                'info': None,
                'aamode': 'REJECTING',
                'time': 1428699242,
                'active_hat': None,
                'pid': 10589,
                'task': 0,
                'attr': None,
                'name2': None,
                'name': None,
            })

        obj = NetworkRule(parsed_event['family'],
                          parsed_event['sock_type'],
                          log_event=parsed_event)

        #              audit  allow  deny   comment        domain    all?   type/proto  all?
        expected = exp(False, False, False, '', 'inet', False, 'raw', False)

        self._compare_obj(obj, expected)

        self.assertEqual(obj.get_raw(1), '  network inet raw,')
예제 #20
0
    def test_net_from_log(self):
        parser = ReadLog('', '', '', '', '')
        event = 'type=AVC msg=audit(1428699242.551:386): apparmor="DENIED" operation="create" profile="/bin/ping" pid=10589 comm="ping" family="inet" sock_type="raw" protocol=1'

        parsed_event = parser.parse_event(event)

        self.assertEqual(parsed_event, {
            'request_mask': None,
            'denied_mask': None,
            'error_code': 0,
            'family': 'inet',
            'magic_token': 0,
            'parent': 0,
            'profile': '/bin/ping',
            'protocol': 'icmp',
            'sock_type': 'raw',
            'operation': 'create',
            'resource': None,
            'info': None,
            'aamode': 'REJECTING',
            'time': 1428699242,
            'active_hat': None,
            'pid': 10589,
            'task': 0,
            'attr': None,
            'name2': None,
            'name': None,
        })

        obj = NetworkRule(parsed_event['family'], parsed_event['sock_type'], log_event=parsed_event)

        #              audit  allow  deny   comment        domain    all?   type/proto  all?
        expected = exp(False, False, False, ''           , 'inet',   False, 'raw'    , False)

        self._compare_obj(obj, expected)

        self.assertEqual(obj.get_raw(1), '  network inet raw,')
예제 #21
0
    def test_ruleset_1(self):
        ruleset = NetworkRuleset()
        rules = [
            'network tcp,',
            'network inet,',
        ]

        expected_raw = [
            'network tcp,',
            'network inet,',
            '',
        ]

        expected_clean = [
            'network inet,',
            'network tcp,',
            '',
        ]

        for rule in rules:
            ruleset.add(NetworkRule.parse(rule))

        self.assertEqual(expected_raw, ruleset.get_raw())
        self.assertEqual(expected_clean, ruleset.get_clean())
예제 #22
0
    def test_ruleset_1(self):
        ruleset = NetworkRuleset()
        rules = [
            'network tcp,',
            'network inet,',
        ]

        expected_raw = [
            'network tcp,',
            'network inet,',
            '',
        ]

        expected_clean = [
            'network inet,',
            'network tcp,',
            '',
        ]

        for rule in rules:
            ruleset.add(NetworkRule.parse(rule))

        self.assertEqual(expected_raw, ruleset.get_raw())
        self.assertEqual(expected_clean, ruleset.get_clean())
예제 #23
0
class NetworkFromInit(NetworkTest):
    tests = [
        # NetworkRule object                                  audit  allow  deny   comment        domain    all?   type/proto  all?
        (NetworkRule('inet', 'raw', deny=True),
         exp(False, False, True, '', 'inet', False, 'raw', False)),
        (NetworkRule('inet', 'raw'),
         exp(False, False, False, '', 'inet', False, 'raw', False)),
        (NetworkRule('inet', NetworkRule.ALL),
         exp(False, False, False, '', 'inet', False, None, True)),
        (NetworkRule(NetworkRule.ALL, NetworkRule.ALL),
         exp(False, False, False, '', None, True, None, True)),
        (NetworkRule(NetworkRule.ALL, 'tcp'),
         exp(False, False, False, '', None, True, 'tcp', False)),
        (NetworkRule(NetworkRule.ALL, 'stream'),
         exp(False, False, False, '', None, True, 'stream', False)),
    ]

    def _run_test(self, obj, expected):
        self._compare_obj(obj, expected)
예제 #24
0
 def test_missing_params_2(self):
     with self.assertRaises(TypeError):
         NetworkRule('inet')
예제 #25
0
 def _run_test(self, rawrule, expected):
     self.assertTrue(NetworkRule.match(
         rawrule))  # the above invalid rules still match the main regex!
     with self.assertRaises(expected):
         NetworkRule.parse(rawrule)
예제 #26
0
 def _run_test(self, rawrule, expected):
     self.assertTrue(NetworkRule.match(rawrule))
     obj = NetworkRule.parse(rawrule)
     self.assertEqual(rawrule.strip(), obj.raw_rule)
     self._compare_obj(obj, expected)
예제 #27
0
 def test_empty_net_data_2(self):
     obj = NetworkRule('inet', 'stream')
     obj.type_or_protocol = ''
     # no type_or_protocol set, and ALL not set
     with self.assertRaises(AppArmorBug):
         obj.get_clean(1)
예제 #28
0
 def _run_test(self, params, expected):
     obj = NetworkRule._parse(params)
     self.assertEqual(obj.logprof_header(), expected)
예제 #29
0
 def _run_test(self, params, expected):
     obj = NetworkRule._parse(params)
     self.assertEqual(obj.logprof_header(), expected)
예제 #30
0
 def _run_test(self, rawrule, expected):
     self.assertTrue(NetworkRule.match(rawrule))
     obj = NetworkRule.parse(rawrule)
     self.assertEqual(rawrule.strip(), obj.raw_rule)
     self._compare_obj(obj, expected)
예제 #31
0
 def _run_test(self, rawrule, expected):
     self.assertTrue(NetworkRule.match(rawrule))  # the above invalid rules still match the main regex!
     with self.assertRaises(expected):
         NetworkRule.parse(rawrule)
예제 #32
0
 def _run_test(self, params, expected):
     with self.assertRaises(expected):
         NetworkRule(params[0], params[1])
예제 #33
0
 def test_empty_net_data_1(self):
     obj = NetworkRule('inet', 'stream')
     obj.domain = ''
     # no domain set, and ALL not set
     with self.assertRaises(AppArmorBug):
         obj.get_clean(1)
예제 #34
0
 def test_empty_net_data_2(self):
     obj = NetworkRule('inet', 'stream')
     obj.type_or_protocol = ''
     # no type_or_protocol set, and ALL not set
     with self.assertRaises(AppArmorBug):
         obj.get_clean(1)
예제 #35
0
 def test_empty_net_data_1(self):
     obj = NetworkRule('inet', 'stream')
     obj.domain = ''
     # no domain set, and ALL not set
     with self.assertRaises(AppArmorBug):
         obj.get_clean(1)