def _check_invalid_rawrule(self, rawrule): obj = None with self.assertRaises(AppArmorException): obj = CapabilityRule.parse(rawrule) self.assertFalse(CapabilityRule.match(rawrule)) self.assertIsNone(obj, 'CapbilityRule handed back an object unexpectedly')
def test_delete_with_multi_2(self): self.ruleset.add(CapabilityRule(['audit_read', 'audit_write'])) with self.assertRaises(AppArmorBug): # XXX ideally delete_raw should remove audit_read from the "capability audit_read audit_write," ruleset # but that's quite some work to cover a corner case. self.ruleset.delete(CapabilityRule('audit_read'))
def test_write_manually(self): obj = CapabilityRule(['ptrace', 'audit_write'], allow_keyword=True) expected = ' allow capability audit_write ptrace,' self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule') self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule')
def test_delete_duplicates_3(self): self.ruleset.add(CapabilityRule.parse('audit capability dac_override,')) inc = CapabilityRuleset() rules = [ 'capability dac_override,', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', ' audit capability dac_override,', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' audit capability dac_override,', ' capability chown,', '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 0) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def _check_invalid_rawrule(self, rawrule): obj = None with self.assertRaises(AppArmorException): obj = CapabilityRule(CapabilityRule.parse(rawrule)) self.assertFalse(CapabilityRule.match(rawrule)) self.assertIsNone(obj, 'CapbilityRule handed back an object unexpectedly')
def _check_write_rule(self, rawrule, cleanrule): obj = CapabilityRule.parse(rawrule) clean = obj.get_clean() raw = obj.get_raw() self.assertTrue(CapabilityRule.match(rawrule)) self.assertEqual(cleanrule.strip(), clean, 'unexpected clean rule') self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
def _compare_obj_with_rawrule(self, rawrule, expected): obj = CapabilityRule.parse(rawrule) self.assertTrue(CapabilityRule.match(rawrule)) self.assertEqual(rawrule.strip(), obj.raw_rule) self._compare_obj(obj, expected)
def test_borked_obj_is_covered(self): obj = CapabilityRule.parse('capability sys_admin,') testobj = CapabilityRule('chown') testobj.capability.clear() with self.assertRaises(AppArmorBug): obj.is_covered(testobj)
def test_empty_init(self): # add to internal set instead of using .set_* (which overwrites the internal set) to make sure obj and obj2 use separate storage obj = CapabilityRule('fsetid') obj2 = CapabilityRule('fsetid') obj.capability.add('sys_admin') obj2.capability.add('ptrace') self.assertTrue(self._is_covered(obj, 'capability sys_admin,')) self.assertFalse(self._is_covered(obj, 'capability ptrace,')) self.assertFalse(self._is_covered(obj2, 'capability sys_admin,')) self.assertTrue(self._is_covered(obj2, 'capability ptrace,'))
def test_ruleset_2(self): ruleset = CapabilityRuleset() rules = [ 'capability chown,', 'allow capability sys_admin,', 'deny capability chgrp, # example comment', ] expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] for rule in rules: ruleset.add(CapabilityRule.parse(rule)) self.assertEqual(expected_raw, ruleset.get_raw(1)) self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_invalid_is_equal(self): obj = CapabilityRule.parse('capability sys_admin,') testobj = BaseRule() # different type with self.assertRaises(AppArmorBug): obj.is_equal(testobj)
def test_delete_duplicates_4(self): inc = CapabilityRuleset() rules = [ 'capability,', ] for rule in rules: inc.add(CapabilityRule.parse(rule)) expected_raw = [ ' allow capability sys_admin,', # XXX huh? should be deleted! ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', # XXX huh? should be deleted! '', ] self.assertEqual(self.ruleset.delete_duplicates(inc), 1) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_covered_deny_2(self): obj = CapabilityRule.parse('deny capability sys_admin,') self.assertTrue(self._is_covered(obj, 'deny capability sys_admin,')) self.assertFalse(self._is_covered(obj, 'audit deny capability sys_admin,')) self.assertFalse(self._is_covered(obj, 'capability sys_admin,')) self.assertFalse(self._is_covered(obj, 'deny capability chown,')) self.assertFalse(self._is_covered(obj, 'deny capability,'))
def test_covered_check_audit(self): obj = CapabilityRule.parse('audit capability sys_admin,') self.assertFalse(self._is_covered_exact(obj, 'capability sys_admin,')) self.assertTrue(self._is_covered_exact(obj, 'audit capability sys_admin,')) self.assertFalse(self._is_covered_exact(obj, 'audit capability,')) self.assertFalse(self._is_covered_exact(obj, 'capability chown,')) self.assertFalse(self._is_covered_exact(obj, 'capability,'))
def test_covered_all(self): obj = CapabilityRule.parse('capability,') self.assertTrue(self._is_covered(obj, 'capability sys_admin,')) self.assertTrue(self._is_covered(obj, 'capability audit_write,')) self.assertTrue(self._is_covered(obj, 'capability audit_write sys_admin,')) self.assertTrue(self._is_covered(obj, 'capability sys_admin audit_write,')) self.assertTrue(self._is_covered(obj, 'capability,')) self.assertFalse(self._is_covered(obj, 'audit capability,'))
def AASetup(self): self.ruleset = CapabilityRuleset() rules = [ 'capability chown,', 'allow capability sys_admin,', 'deny capability chgrp, # example comment', ] for rule in rules: self.ruleset.add(CapabilityRule.parse(rule))
def test_cap_from_log(self): parser = ReadLog('', '', '', '') event = 'type=AVC msg=audit(1415403814.628:662): apparmor="ALLOWED" operation="capable" profile="/bin/ping" pid=15454 comm="ping" capability=13 capname="net_raw"' parsed_event = parser.parse_event(event) self.assertEqual( parsed_event, { 'request_mask': None, 'denied_mask': None, 'error_code': 0, 'magic_token': 0, 'parent': 0, 'profile': '/bin/ping', 'operation': 'capable', 'resource': None, 'info': None, 'aamode': 'PERMITTING', 'time': 1415403814, 'active_hat': None, 'pid': 15454, 'task': 0, 'attr': None, 'name2': None, 'name': 'net_raw', 'family': None, 'protocol': None, 'sock_type': None, }) obj = CapabilityRule(parsed_event['name'], log_event=parsed_event) self._compare_obj( obj, { 'allow_keyword': False, 'deny': False, 'audit': False, 'capability': {'net_raw'}, 'all_caps': False, 'comment': "", }) self.assertEqual(obj.get_raw(1), ' capability net_raw,')
def _check_test_delete_duplicates_in_profile(self, rules, expected_raw, expected_clean, expected_deleted): obj = CapabilityRuleset() for rule in rules: obj.add(CapabilityRule.parse(rule)) deleted = obj.delete_duplicates(None) self.assertEqual(expected_raw, obj.get_raw(1)) self.assertEqual(expected_clean, obj.get_clean(1)) self.assertEqual(deleted, expected_deleted)
def test_cap_from_init_02(self): obj = CapabilityRule(['chown']) self._compare_obj(obj, { 'allow_keyword': False, 'deny': False, 'audit': False, 'capability': {'chown'}, 'all_caps': False, 'comment': "", })
def test_equal(self): obj = CapabilityRule.parse('capability sys_admin,') self.assertTrue(self._is_equal(obj, 'capability sys_admin,', True)) self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True)) self.assertFalse(self._is_equal(obj, 'allow capability sys_admin,', True)) self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', True)) self.assertTrue(self._is_equal(obj, 'capability sys_admin,', False)) self.assertTrue(self._is_equal(obj, 'allow capability sys_admin,', False)) self.assertFalse(self._is_equal(obj, 'audit capability sys_admin,', False))
def test_cap_from_init_04(self): obj = CapabilityRule(['chown', 'fsetid'], deny=True) self._compare_obj(obj, { 'allow_keyword': False, 'deny': True, 'audit': False, 'capability': {'chown', 'fsetid'}, 'all_caps': False, 'comment': "", })
def test_delete_with_allcaps(self): expected_raw = [ ' capability chown,', ' deny capability chgrp, # example comment', ' capability,', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' capability chown,', ' capability,', '', ] self.ruleset.add(CapabilityRule(CapabilityRule.ALL)) self.ruleset.delete(CapabilityRule('sys_admin')) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_delete_with_multi(self): expected_raw = [ ' capability chown,', ' allow capability sys_admin,', ' deny capability chgrp, # example comment', '', ] expected_clean = [ ' deny capability chgrp, # example comment', '', ' allow capability sys_admin,', ' capability chown,', '', ] self.ruleset.add(CapabilityRule(['audit_read', 'audit_write'])) self.ruleset.delete(CapabilityRule(['audit_read', 'audit_write'])) self.assertEqual(expected_raw, self.ruleset.get_raw(1)) self.assertEqual(expected_clean, self.ruleset.get_clean(1))
def test_cap_from_log(self): parser = ReadLog('', '', '', '', '') event = 'type=AVC msg=audit(1415403814.628:662): apparmor="ALLOWED" operation="capable" profile="/bin/ping" pid=15454 comm="ping" capability=13 capname="net_raw"' parsed_event = parser.parse_event(event) self.assertEqual(parsed_event, { 'request_mask': None, 'denied_mask': None, 'error_code': 0, 'magic_token': 0, 'parent': 0, 'profile': '/bin/ping', 'operation': 'capable', 'resource': None, 'info': None, 'aamode': 'PERMITTING', 'time': 1415403814, 'active_hat': None, 'pid': 15454, 'task': 0, 'attr': None, 'name2': None, 'name': 'net_raw' }) obj = CapabilityRule(parsed_event['name'], log_event=parsed_event) self._compare_obj(obj, { 'allow_keyword': False, 'deny': False, 'audit': False, 'capability': {'net_raw'}, 'all_caps': False, 'comment': "", }) self.assertEqual(obj.get_raw(1), ' capability net_raw,')
def test_ruleset_add(self): rule = CapabilityRule('chgrp', comment=' # example comment') ruleset = CapabilityRuleset() ruleset.add(rule) expected_raw = [ ' capability chgrp, # example comment', '', ] expected_clean = expected_raw self.assertEqual(expected_raw, ruleset.get_raw(1)) self.assertEqual(expected_clean, ruleset.get_clean(1))
def test_ruleset_1(self): ruleset = CapabilityRuleset() rules = [ 'capability sys_admin,', 'capability chown,', ] expected_raw = [ 'capability sys_admin,', 'capability chown,', '', ] expected_clean = [ 'capability chown,', 'capability sys_admin,', '', ] for rule in rules: ruleset.add(CapabilityRule.parse(rule)) self.assertEqual(expected_raw, ruleset.get_raw()) self.assertEqual(expected_clean, ruleset.get_clean())
def test_ruleset_is_covered_1(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chown,')))
def test_ruleset_is_covered_22(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,')))
def test_ruleset_is_covered_24(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability chown,'), check_allow_deny=False))
def test_ruleset_is_covered_17(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability setgid,')))
def test_ruleset_is_covered_23(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability chgrp,'), check_allow_deny=False))
def test_ruleset_is_covered_18(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('audit capability kill,')))
def test_ruleset_is_covered_19(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('deny capability chgrp,')))
def _run_test(self, params, expected): obj = CapabilityRule._parse(params) self.assertEqual(obj.logprof_header(), expected)
def test_ruleset_is_covered_13(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability kill,')))
def test_ruleset_is_covered_16(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('audit capability sys_admin chown,')))
def test_ruleset_is_covered_6(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('capability setgid setuid,')))
def test_delete_raw_notfound(self): with self.assertRaises(AppArmorBug): self.ruleset.delete(CapabilityRule('audit_write'))
def test_ruleset_is_covered_10(self): self.assertFalse(self.ruleset.is_covered(CapabilityRule.parse('deny capability sys_admin,')))
def test_ruleset_is_covered_3(self): self.assertTrue(self.ruleset.is_covered(CapabilityRule.parse('allow capability sys_admin,')))