def test_delete_duplicates_3(self):
self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))
inc = CapabilityRuleset()
rules = [
'capability dac_override,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
' audit capability dac_override,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' audit capability dac_override,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_4(self):
inc = CapabilityRuleset()
rules = [
'capability,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,', # XXX huh? should be deleted!
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_3(self):
self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))
inc = CapabilityRuleset()
rules = [
'capability dac_override,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
' audit capability dac_override,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' audit capability dac_override,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_ruleset_2(self):
ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_delete_duplicates_4(self):
inc = CapabilityRuleset()
rules = [
'capability,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,', # XXX huh? should be deleted!
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
class CapabilityGlobTest(AATest):
def AASetup(self):
self.ruleset = CapabilityRuleset()
def test_glob(self):
self.assertEqual(self.ruleset.get_glob('capability net_raw,'), 'capability,')
def test_glob_ext(self):
with self.assertRaises(NotImplementedError):
self.ruleset.get_glob_ext('capability net_raw,')
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
class CapabilityGlobTest(AATest):
def AASetup(self):
self.ruleset = CapabilityRuleset()
def test_glob(self):
self.assertEqual(self.ruleset.get_glob('capability net_raw,'), 'capability,')
def test_glob_ext(self):
with self.assertRaises(AppArmorBug):
self.ruleset.get_glob_ext('capability net_raw,')
def test_empty_ruleset(self):
ruleset = CapabilityRuleset()
ruleset_2 = CapabilityRuleset()
self.assertEqual([], ruleset.get_raw(2))
self.assertEqual([], ruleset.get_clean(2))
self.assertEqual([], ruleset_2.get_raw(2))
self.assertEqual([], ruleset_2.get_clean(2))
def test_ruleset_add(self):
rule = CapabilityRule('chgrp', comment=' # example comment')
ruleset = CapabilityRuleset()
ruleset.add(rule)
expected_raw = [
' capability chgrp, # example comment',
'',
]
expected_clean = expected_raw
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def test_empty_ruleset(self):
ruleset = CapabilityRuleset()
ruleset_2 = CapabilityRuleset()
self.assertEqual([], ruleset.get_raw(2))
self.assertEqual([], ruleset.get_clean(2))
self.assertEqual([], ruleset_2.get_raw(2))
self.assertEqual([], ruleset_2.get_clean(2))
def test_ruleset_2(self):
ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
obj = CapabilityRuleset()
for rule in rules:
obj.add(CapabilityRule.parse(rule))
deleted = obj.delete_duplicates(None)
self.assertEqual(expected_raw, obj.get_raw(1))
self.assertEqual(expected_clean, obj.get_clean(1))
self.assertEqual(deleted, expected_deleted)
def test_ruleset_1(self):
ruleset = CapabilityRuleset()
rules = [
'capability sys_admin,',
'capability chown,',
]
expected_raw = [
'capability sys_admin,',
'capability chown,',
'',
]
expected_clean = [
'capability chown,',
'capability sys_admin,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw())
self.assertEqual(expected_clean, ruleset.get_clean())
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
obj = CapabilityRuleset()
for rule in rules:
obj.add(CapabilityRule.parse(rule))
deleted = obj.delete_duplicates(None)
self.assertEqual(expected_raw, obj.get_raw(1))
self.assertEqual(expected_clean, obj.get_clean(1))
self.assertEqual(deleted, expected_deleted)
def test_ruleset_add(self):
rule = CapabilityRule('chgrp', comment=' # example comment')
ruleset = CapabilityRuleset()
ruleset.add(rule)
expected_raw = [
' capability chgrp, # example comment',
'',
]
expected_clean = expected_raw
self.assertEqual(expected_raw, ruleset.get_raw(1))
self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_ruleset_1(self):
ruleset = CapabilityRuleset()
rules = [
'capability sys_admin,',
'capability chown,',
]
expected_raw = [
'capability sys_admin,',
'capability chown,',
'',
]
expected_clean = [
'capability chown,',
'capability sys_admin,',
'',
]
for rule in rules:
ruleset.add(CapabilityRule.parse(rule))
self.assertEqual(expected_raw, ruleset.get_raw())
self.assertEqual(expected_clean, ruleset.get_clean())
class CapabilityRulesCoveredTest(AATest):
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'capability setuid setgid,',
'allow capability sys_admin,',
'audit capability kill,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def test_ruleset_is_covered_1(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chown,')))
def test_ruleset_is_covered_2(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability sys_admin,')))
def test_ruleset_is_covered_3(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability sys_admin,')))
def test_ruleset_is_covered_4(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setuid,')))
def test_ruleset_is_covered_5(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability setgid,')))
def test_ruleset_is_covered_6(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setgid setuid,')))
def test_ruleset_is_covered_7(self):
pass # self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability sys_admin chown,'))) # fails because it is split over two rule objects internally
def test_ruleset_is_covered_8(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability kill,')))
def test_ruleset_is_covered_9(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,')))
def test_ruleset_is_covered_10(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin,')))
def test_ruleset_is_covered_11(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin chown,')))
def test_ruleset_is_covered_12(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability setgid,')))
def test_ruleset_is_covered_13(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability kill,')))
def test_ruleset_is_covered_14(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability chown,')))
def test_ruleset_is_covered_15(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin,')))
def test_ruleset_is_covered_16(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin chown,')))
def test_ruleset_is_covered_17(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability setgid,')))
def test_ruleset_is_covered_18(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('audit capability kill,')))
def test_ruleset_is_covered_19(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('deny capability chgrp,')))
def test_ruleset_is_covered_20(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit deny capability chgrp,')))
def test_ruleset_is_covered_21(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability chgrp,')))
def test_ruleset_is_covered_22(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
def test_ruleset_is_covered_23(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
def test_ruleset_is_covered_24(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
def AASetup(self):
self.ruleset = CapabilityRuleset()
class CapabilityDeleteTest(AATest):
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def test_delete(self):
expected_raw = [
' capability chown,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' capability chown,',
'',
]
self.ruleset.delete(CapabilityRule(['sys_admin']))
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_with_allcaps(self):
expected_raw = [
' capability chown,',
' deny capability chgrp, # example comment',
' capability,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' capability chown,',
' capability,',
'',
]
self.ruleset.add(CapabilityRule(CapabilityRule.ALL))
self.ruleset.delete(CapabilityRule('sys_admin'))
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_with_multi(self):
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.ruleset.add(CapabilityRule(['audit_read', 'audit_write']))
self.ruleset.delete(CapabilityRule(['audit_read', 'audit_write']))
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_with_multi_2(self):
self.ruleset.add(CapabilityRule(['audit_read', 'audit_write']))
with self.assertRaises(AppArmorBug):
# XXX ideally delete_raw should remove audit_read from the "capability audit_read audit_write," ruleset
# but that's quite some work to cover a corner case.
self.ruleset.delete(CapabilityRule('audit_read'))
def test_delete_raw_notfound(self):
with self.assertRaises(AppArmorBug):
self.ruleset.delete(CapabilityRule('audit_write'))
def test_delete_duplicates(self):
inc = CapabilityRuleset()
rules = [
'capability chown,',
'deny capability chgrp, # example comment',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,',
'',
]
expected_clean = expected_raw
self.assertEqual(self.ruleset.delete_duplicates(inc), 2)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_2(self):
inc = CapabilityRuleset()
rules = [
'capability audit_write,',
'capability chgrp, # example comment',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_3(self):
self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))
inc = CapabilityRuleset()
rules = [
'capability dac_override,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
' audit capability dac_override,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' audit capability dac_override,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_4(self):
inc = CapabilityRuleset()
rules = [
'capability,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 2)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_none(self):
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(None), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_hasher(self):
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(hasher()), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
obj = CapabilityRuleset()
for rule in rules:
obj.add(CapabilityRule.parse(rule))
deleted = obj.delete_duplicates(None)
self.assertEqual(expected_raw, obj.get_raw(1))
self.assertEqual(expected_clean, obj.get_clean(1))
self.assertEqual(deleted, expected_deleted)
def test_delete_duplicates_in_profile_01(self):
rules = [
'audit capability chown,',
'audit capability,',
'capability dac_override,',
]
expected_raw = [
' audit capability,',
'',
]
expected_clean = [
' audit capability,',
'',
]
expected_deleted = 2
self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
def test_delete_duplicates_in_profile_02(self):
rules = [
'audit capability chown,',
'audit capability,',
'audit capability dac_override,',
'capability ,',
'audit capability ,',
]
expected_raw = [
' audit capability,',
'',
]
expected_clean = [
' audit capability,',
'',
]
expected_deleted = 4
self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
def test_delete_duplicates_in_profile_03(self):
rules = [
'audit capability chown,',
'capability dac_override,',
'deny capability dac_override,',
'capability dac_override,',
'audit capability chown,',
'deny capability chown,',
'audit deny capability chown,',
'capability,',
'audit capability,',
]
expected_raw = [
' deny capability dac_override,',
' audit deny capability chown,',
' audit capability,',
'',
]
expected_clean = [
' audit deny capability chown,',
' deny capability dac_override,',
'',
' audit capability,',
'',
]
expected_deleted = 6
self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
def test_delete_duplicates_in_profile_04(self):
rules = [
'audit capability chown,',
'deny capability chown,',
]
expected_raw = [
' audit capability chown,',
' deny capability chown,',
'',
]
expected_clean = [
' deny capability chown,',
'',
' audit capability chown,',
'',
]
expected_deleted = 0
self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
def AASetup(self):
self.ruleset = CapabilityRuleset()
class CapabilityDeleteTest(AATest):
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'allow capability sys_admin,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def test_delete(self):
expected_raw = [
' capability chown,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' capability chown,',
'',
]
self.ruleset.delete(CapabilityRule(['sys_admin']))
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_with_allcaps(self):
expected_raw = [
' capability chown,',
' deny capability chgrp, # example comment',
' capability,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' capability chown,',
' capability,',
'',
]
self.ruleset.add(CapabilityRule(CapabilityRule.ALL))
self.ruleset.delete(CapabilityRule('sys_admin'))
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_with_multi(self):
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.ruleset.add(CapabilityRule(['audit_read', 'audit_write']))
self.ruleset.delete(CapabilityRule(['audit_read', 'audit_write']))
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_with_multi_2(self):
self.ruleset.add(CapabilityRule(['audit_read', 'audit_write']))
with self.assertRaises(AppArmorBug):
# XXX ideally delete_raw should remove audit_read from the "capability audit_read audit_write," ruleset
# but that's quite some work to cover a corner case.
self.ruleset.delete(CapabilityRule('audit_read'))
def test_delete_raw_notfound(self):
with self.assertRaises(AppArmorBug):
self.ruleset.delete(CapabilityRule('audit_write'))
def test_delete_duplicates(self):
inc = CapabilityRuleset()
rules = [
'capability chown,',
'deny capability chgrp, # example comment',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,',
'',
]
expected_clean = expected_raw
self.assertEqual(self.ruleset.delete_duplicates(inc), 2)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_2(self):
inc = CapabilityRuleset()
rules = [
'capability audit_write,',
'capability chgrp, # example comment',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_3(self):
self.ruleset.add(CapabilityRule.parse('audit capability dac_override,'))
inc = CapabilityRuleset()
rules = [
'capability dac_override,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
' audit capability dac_override,',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' audit capability dac_override,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_4(self):
inc = CapabilityRuleset()
rules = [
'capability,',
]
for rule in rules:
inc.add(CapabilityRule.parse(rule))
expected_raw = [
' allow capability sys_admin,', # XXX huh? should be deleted!
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,', # XXX huh? should be deleted!
'',
]
self.assertEqual(self.ruleset.delete_duplicates(inc), 1)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_none(self):
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(None), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_duplicates_hasher(self):
expected_raw = [
' capability chown,',
' allow capability sys_admin,',
' deny capability chgrp, # example comment',
'',
]
expected_clean = [
' deny capability chgrp, # example comment',
'',
' allow capability sys_admin,',
' capability chown,',
'',
]
self.assertEqual(self.ruleset.delete_duplicates(hasher()), 0)
self.assertEqual(expected_raw, self.ruleset.get_raw(1))
self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted):
obj = CapabilityRuleset()
for rule in rules:
obj.add(CapabilityRule.parse(rule))
deleted = obj.delete_duplicates(None)
self.assertEqual(expected_raw, obj.get_raw(1))
self.assertEqual(expected_clean, obj.get_clean(1))
self.assertEqual(deleted, expected_deleted)
def test_delete_duplicates_in_profile_01(self):
rules = [
'audit capability chown,',
'audit capability,',
'capability dac_override,',
]
expected_raw = [
' audit capability,',
'',
]
expected_clean = [
' audit capability,',
'',
]
expected_deleted = 2
self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
def test_delete_duplicates_in_profile_02(self):
rules = [
'audit capability chown,',
'audit capability,',
'audit capability dac_override,',
'capability ,',
'audit capability ,',
]
expected_raw = [
' audit capability,',
'',
]
expected_clean = [
' audit capability,',
'',
]
expected_deleted = 4
self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
def test_delete_duplicates_in_profile_03(self):
rules = [
'audit capability chown,',
'capability dac_override,',
'deny capability dac_override,',
'capability dac_override,',
'audit capability chown,',
'deny capability chown,',
'audit deny capability chown,',
'capability,',
'audit capability,',
]
expected_raw = [
' deny capability dac_override,',
' audit deny capability chown,',
' audit capability,',
'',
]
expected_clean = [
' audit deny capability chown,',
' deny capability dac_override,',
'',
' audit capability,',
'',
]
expected_deleted = 6
self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
def test_delete_duplicates_in_profile_04(self):
rules = [
'audit capability chown,',
'deny capability chown,',
]
expected_raw = [
' audit capability chown,',
' deny capability chown,',
'',
]
expected_clean = [
' deny capability chown,',
'',
' audit capability chown,',
'',
]
expected_deleted = 0
self._check_test_delete_duplicates_in_profile(rules, expected_raw, expected_clean, expected_deleted)
class CapabilityRulesCoveredTest(AATest):
def AASetup(self):
self.ruleset = CapabilityRuleset()
rules = [
'capability chown,',
'capability setuid setgid,',
'allow capability sys_admin,',
'audit capability kill,',
'deny capability chgrp, # example comment',
]
for rule in rules:
self.ruleset.add(CapabilityRule.parse(rule))
def test_ruleset_is_covered_1(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chown,')))
def test_ruleset_is_covered_2(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability sys_admin,')))
def test_ruleset_is_covered_3(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability sys_admin,')))
def test_ruleset_is_covered_4(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setuid,')))
def test_ruleset_is_covered_5(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability setgid,')))
def test_ruleset_is_covered_6(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setgid setuid,')))
def test_ruleset_is_covered_7(self):
pass # self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability sys_admin chown,'))) # fails because it is split over two rule objects internally
def test_ruleset_is_covered_8(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability kill,')))
def test_ruleset_is_covered_9(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,')))
def test_ruleset_is_covered_10(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin,')))
def test_ruleset_is_covered_11(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin chown,')))
def test_ruleset_is_covered_12(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability setgid,')))
def test_ruleset_is_covered_13(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability kill,')))
def test_ruleset_is_covered_14(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability chown,')))
def test_ruleset_is_covered_15(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin,')))
def test_ruleset_is_covered_16(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin chown,')))
def test_ruleset_is_covered_17(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability setgid,')))
def test_ruleset_is_covered_18(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('audit capability kill,')))
def test_ruleset_is_covered_19(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('deny capability chgrp,')))
def test_ruleset_is_covered_20(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit deny capability chgrp,')))
def test_ruleset_is_covered_21(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability chgrp,')))
def test_ruleset_is_covered_22(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
def test_ruleset_is_covered_23(self):
self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
def test_ruleset_is_covered_24(self):
self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
