def test_write_manually(self):
    """Build a rule from constructor arguments and check its rendered text.

    A rule created with ``allow_keyword=True`` is expected to carry the
    explicit ``allow`` keyword in both get_clean(2) and get_raw(2).
    """
    rule = SignalRule('send', 'quit', '/foo', allow_keyword=True)

    # NOTE(review): the single leading space may be an artefact of collapsed
    # whitespace in this listing -- confirm the indent that get_clean(2) and
    # get_raw(2) are expected to emit before relying on this literal.
    expected = ' allow signal send set=quit peer=/foo,'

    clean_text = rule.get_clean(2)
    self.assertEqual(expected, clean_text, 'unexpected clean rule')

    raw_text = rule.get_raw(2)
    self.assertEqual(expected, raw_text, 'unexpected raw rule')
def _check_invalid_rawrule(self, rawrule):
    """Assert that *rawrule* is rejected instead of yielding a rule object.

    The text must not match SignalRule.match(), and building a rule from it
    must raise AppArmorException. A malformed policy line therefore has to
    fail loudly; it must never come back as a usable SignalRule.
    """
    result = None

    matched = SignalRule.match(rawrule)
    self.assertFalse(matched)

    with self.assertRaises(AppArmorException):
        result = SignalRule(SignalRule.parse(rawrule))

    # result is still None only if the exception fired before the assignment.
    self.assertIsNone(result, 'SignalRule handed back an object unexpectedly')
def test_borked_obj_is_covered_3(self):
    """is_covered() must raise AppArmorBug for a rule whose peer is ''.

    The second rule is built normally and then has its ``peer`` attribute
    overwritten with an empty string, so the coverage check receives an
    object in an inconsistent state.
    """
    reference = SignalRule.parse('signal send set=quit peer=/foo,')

    broken = SignalRule('send', 'quit', '/foo')
    broken.peer = ''  # set directly on the attribute, after construction

    with self.assertRaises(AppArmorBug):
        reference.is_covered(broken)
def _run_test(self, rawrule, expected):
    """Parse *rawrule* and compare its clean and raw renderings.

    The clean form must equal ``expected`` (stripped); the raw form must
    equal the input text itself (stripped).
    """
    self.assertTrue(SignalRule.match(rawrule))

    parsed = SignalRule.parse(rawrule)
    clean_text, raw_text = parsed.get_clean(), parsed.get_raw()

    want_clean = expected.strip()
    self.assertEqual(want_clean, clean_text, 'unexpected clean rule')

    want_raw = rawrule.strip()
    self.assertEqual(want_raw, raw_text, 'unexpected raw rule')
def _run_test(self, param, expected):
    """Compare the rule in ``self.rule`` with the rule text *param*.

    *expected* is indexed positionally:
      [0] is_equal(other)
      [1] is_equal(other, True)           -- reported as "strict"
      [2] is_covered(other)
      [3] is_covered(other, True, True)   -- reported as "exact"
    """
    base = SignalRule.parse(self.rule)
    other = SignalRule.parse(param)

    self.assertTrue(SignalRule.match(param))

    equal = base.is_equal(other)
    self.assertEqual(
        equal, expected[0],
        'Mismatch in is_equal, expected %s' % expected[0])

    equal_strict = base.is_equal(other, True)
    self.assertEqual(
        equal_strict, expected[1],
        'Mismatch in is_equal/strict, expected %s' % expected[1])

    covered = base.is_covered(other)
    self.assertEqual(
        covered, expected[2],
        'Mismatch in is_covered, expected %s' % expected[2])

    covered_exact = base.is_covered(other, True, True)
    self.assertEqual(
        covered_exact, expected[3],
        'Mismatch in is_covered/exact, expected %s' % expected[3])
def test_signal_from_log(self):
    """Turn one audit DENIED record for a signal into a SignalRule.

    The record is parsed with ReadLog.parse_event(), the resulting dict is
    checked field by field, and a rule is then built from the event's
    denied mask, signal and peer. The rule is expected to grant only the
    'send' access, the 'term' signal and the exact peer named in the log
    line, with none of the "all" flags set.
    """
    log_reader = ReadLog('', '', '', '')
    event = 'type=AVC msg=audit(1409438250.564:201): apparmor="DENIED" operation="signal" profile="/usr/bin/pulseaudio" pid=2531 comm="pulseaudio" requested_mask="send" denied_mask="send" signal=term peer="/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper"'
    peer_path = '/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper'

    parsed_event = log_reader.parse_event(event)

    expected_event = {
        'request_mask': 'send',
        'denied_mask': 'send',
        'error_code': 0,
        'magic_token': 0,
        'parent': 0,
        'profile': '/usr/bin/pulseaudio',
        'signal': 'term',
        'peer': peer_path,
        'operation': 'signal',
        'resource': None,
        'info': None,
        'aamode': 'REJECTING',
        'time': 1409438250,
        'active_hat': None,
        'pid': 2531,
        'task': 0,
        'attr': None,
        'name2': None,
        'name': None,
        'family': None,
        'protocol': None,
        'sock_type': None,
    }
    self.assertEqual(parsed_event, expected_event)

    obj = SignalRule(
        parsed_event['denied_mask'],
        parsed_event['signal'],
        parsed_event['peer'],
        log_event=parsed_event,
    )

    # exp() columns, in order:
    #   audit, allow, deny, comment, access, all?, signal, all?, peer, all?
    expected = exp(
        False, False, False, '',
        {'send'}, False,
        {'term'}, False,
        peer_path, False,
    )
    self._compare_obj(obj, expected)

    # NOTE(review): the single leading space may be an artefact of collapsed
    # whitespace in this listing -- confirm the indent get_raw(1) emits.
    rendered = obj.get_raw(1)
    self.assertEqual(
        rendered,
        ' signal send set=term peer=/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper,'
    )
def test_ruleset_2(self):
    """Check raw and clean output of a ruleset mixing plain/allow/deny rules.

    get_raw(1) is expected to keep the rules in insertion order. get_clean(1)
    is expected to list the deny rule first, followed by a blank line, and
    then the remaining rules.
    """
    ruleset = SignalRuleset()
    rule_texts = [
        'signal send set=int,',
        'allow signal send,',
        'deny signal set=quit, # example comment',
    ]

    # NOTE(review): the single leading space in the expected lines may be an
    # artefact of collapsed whitespace in this listing -- confirm the indent
    # that depth 1 is expected to produce.
    expected_raw = [
        ' signal send set=int,',
        ' allow signal send,',
        ' deny signal set=quit, # example comment',
        '',
    ]
    expected_clean = [
        ' deny signal set=quit, # example comment',
        '',
        ' allow signal send,',
        ' signal send set=int,',
        '',
    ]

    for text in rule_texts:
        parsed = SignalRule.parse(text)
        ruleset.add(parsed)

    raw_lines = ruleset.get_raw(1)
    self.assertEqual(expected_raw, raw_lines)

    clean_lines = ruleset.get_clean(1)
    self.assertEqual(expected_clean, clean_lines)
def test_invalid_is_equal(self):
    """is_equal() must raise AppArmorBug when handed a non-SignalRule object."""
    signal_rule = SignalRule.parse('signal send,')
    other_kind = BaseRule()  # a rule object of a different type

    with self.assertRaises(AppArmorBug):
        signal_rule.is_equal(other_kind)
class SignalFromInit(SignalTest):
    """Table-driven check of rules built directly through SignalRule(...).

    Each entry pairs a constructed rule with the exp(...) record that
    _compare_obj() is expected to find on it. In the entries below, passing
    SignalRule.ALL for a field is paired with a value of None and a True
    "all?" flag for that field.
    """

    # exp() columns, in order:
    #   audit, allow, deny, comment, access, all?, signal, all?, peer, all?
    tests = [
        (
            SignalRule('r', 'hup', 'unconfined', deny=True),
            exp(False, False, True, '', {'r'}, False, {'hup'}, False, 'unconfined', False),
        ),
        (
            SignalRule(('r', 'send'), ('hup', 'int'), '/bin/foo'),
            exp(False, False, False, '', {'r', 'send'}, False, {'hup', 'int'}, False, '/bin/foo', False),
        ),
        (
            SignalRule(SignalRule.ALL, 'int', '/bin/foo'),
            exp(False, False, False, '', None, True, {'int'}, False, '/bin/foo', False),
        ),
        (
            SignalRule('rw', SignalRule.ALL, '/bin/foo'),
            exp(False, False, False, '', {'rw'}, False, None, True, '/bin/foo', False),
        ),
        (
            # ('int') is a parenthesised string, not a one-element tuple.
            SignalRule('rw', ('int'), SignalRule.ALL),
            exp(False, False, False, '', {'rw'}, False, {'int'}, False, None, True),
        ),
        (
            SignalRule(SignalRule.ALL, SignalRule.ALL, SignalRule.ALL),
            exp(False, False, False, '', None, True, None, True, None, True),
        ),
    ]

    def _run_test(self, obj, expected):
        """Compare one constructed rule against its expected field values."""
        self._compare_obj(obj, expected)
def test_ruleset_1(self):
    """Check raw and clean output of a two-rule ruleset without indentation.

    get_raw() is expected to keep insertion order, while get_clean() is
    expected to list 'signal send,' before 'signal set=int,'. Both outputs
    end with an empty string.
    """
    ruleset = SignalRuleset()
    rule_texts = [
        'signal set=int,',
        'signal send,',
    ]

    expected_raw = [
        'signal set=int,',
        'signal send,',
        '',
    ]
    expected_clean = [
        'signal send,',
        'signal set=int,',
        '',
    ]

    for text in rule_texts:
        parsed = SignalRule.parse(text)
        ruleset.add(parsed)

    raw_lines = ruleset.get_raw()
    self.assertEqual(expected_raw, raw_lines)

    clean_lines = ruleset.get_clean()
    self.assertEqual(expected_clean, clean_lines)
def _run_test(self, rawrule, expected):
    """Parse *rawrule* and verify both the stored text and the parsed fields.

    The parsed object must keep the stripped input in ``raw_rule`` and must
    match the *expected* record when passed to _compare_obj().
    """
    matched = SignalRule.match(rawrule)
    self.assertTrue(matched)

    parsed = SignalRule.parse(rawrule)

    stripped_input = rawrule.strip()
    self.assertEqual(stripped_input, parsed.raw_rule)
    self._compare_obj(parsed, expected)
def _run_test(self, params, expected):
    """Check that the rule parsed from *params* yields the expected header.

    The rule is built with SignalRule._parse() and its logprof_header()
    result is compared with *expected*.
    """
    parsed = SignalRule._parse(params)
    header = parsed.logprof_header()
    self.assertEqual(header, expected)
def test_empty_data_3(self):
    """get_clean() must raise AppArmorBug when the peer has been emptied.

    The rule is built with a concrete peer and the ``peer`` attribute is
    then overwritten with '', leaving the object with no usable peer.
    """
    rule = SignalRule('send', 'quit', '/foo')

    # Empty peer on a rule that was not created with SignalRule.ALL as peer.
    rule.peer = ''

    with self.assertRaises(AppArmorBug):
        rule.get_clean(1)
def test_missing_params_3(self):
    """Constructing a SignalRule from only two positional arguments must fail.

    The call passes an access and a signal but no third argument, and is
    expected to raise TypeError.
    """
    with self.assertRaises(TypeError):
        SignalRule('r', 'int')
def _run_test(self, params, expected):
    """Assert that constructing a rule from *params* raises *expected*.

    The first three items of *params* are passed positionally to
    SignalRule(); *expected* is the exception class the call must raise.
    """
    with self.assertRaises(expected):
        first = params[0]
        second = params[1]
        third = params[2]
        SignalRule(first, second, third)
def _run_test(self, rawrule, expected):
    """Assert that *rawrule* matches the rule regex but fails to parse.

    These inputs are invalid yet still accepted by SignalRule.match(), so
    the rejection has to come from SignalRule.parse(), which must raise
    *expected*.
    """
    matched = SignalRule.match(rawrule)
    # Matching the main regex alone does not make the rule valid.
    self.assertTrue(matched)

    with self.assertRaises(expected):
        SignalRule.parse(rawrule)