On Tue, 2012-02-07 at 08:50 -0600, Jamie Strandboge wrote: > This patchset is to accomplish the code portion of the > security-p-app-isolation blueprint. aa-easyprof is a standalone CLI > application which can also be imported into developer SDKs. From the man > page: ... > * 0003-aa-easyprof-unittests.patch: tests for the library
This patch implements the unittests for easyprof.py and provides an example for future python unit tests. It consists of: utils/test/* -- Jamie Strandboge | http://www.canonical.com
diff -Naurp -x .bzr -x common apparmor-trunk/utils/test/easyprof.conf apparmor-trunk-easyprof/utils/test/easyprof.conf
--- apparmor-trunk/utils/test/easyprof.conf 1969-12-31 18:00:00.000000000 -0600
+++ apparmor-trunk-easyprof/utils/test/easyprof.conf 2012-02-06 16:38:53.000000000 -0600
@@ -0,0 +1,5 @@
+# Location of system policygroups
+POLICYGROUPS_DIR="./policygroups"
+
+# Location of system templates
+TEMPLATES_DIR="./templates"
diff -Naurp -x .bzr -x common apparmor-trunk/utils/test/test-aa-easyprof.py apparmor-trunk-easyprof/utils/test/test-aa-easyprof.py
--- apparmor-trunk/utils/test/test-aa-easyprof.py 1969-12-31 18:00:00.000000000 -0600
+++ apparmor-trunk-easyprof/utils/test/test-aa-easyprof.py 2012-02-07 07:35:29.000000000 -0600
@@ -0,0 +1,882 @@
+#! /usr/bin/env python
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2011-2012 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+import glob
+import os
+import shutil
+import sys
+import tempfile
+import unittest
+
+topdir = None
+debugging = False
+
+def recursive_rm(dirPath, contents_only=False):
+ '''recursively remove directory'''
+ names = os.listdir(dirPath)
+ for name in names:
+ path = os.path.join(dirPath, name)
+ if os.path.islink(path) or not os.path.isdir(path):
+ os.unlink(path)
+ else:
+ recursive_rm(path)
+ if contents_only == False:
+ os.rmdir(dirPath)
+
+#
+# Our test class
+#
+class T(unittest.TestCase):
+ def setUp(self):
+ '''Setup for tests'''
+ global topdir
+
+ self.tmpdir = tempfile.mkdtemp(prefix='test-aa-easyprof')
+
+ # Copy everything into place
+ for d in ['easyprof/policygroups', 'easyprof/templates']:
+ shutil.copytree(os.path.join(topdir, d), os.path.join(self.tmpdir, os.path.basename(d)))
+
+ # Create a test template
+ self.test_template = "test-template"
+ contents = '''# vim:syntax=apparmor
+# %s
+# AppArmor policy for ###NAME###
+# ###AUTHOR###
+# ###COPYRIGHT###
+# ###COMMENT###
+
+#include <tunables/global>
+
+###VAR###
+
+###BINARY### {
+ #include <abstractions/base>
+
+ ###ABSTRACTIONS###
+
+ ###POLICYGROUPS###
+
+ ###READS###
+
+ ###WRITES###
+}
+
+''' % (self.test_template)
+ open(os.path.join(self.tmpdir, 'templates', self.test_template), 'w').write(contents)
+
+ # Create a test policygroup
+ self.test_policygroup = "test-policygroup"
+ contents = '''
+ # %s
+ #include <abstractions/gnome>
+ #include <abstractions/nameservice>
+''' % (self.test_policygroup)
+ open(os.path.join(self.tmpdir, 'policygroups', self.test_policygroup), 'w').write(contents)
+
+ # setup our conffile
+ self.conffile = os.path.join(self.tmpdir, 'easyprof.conf')
+ contents = '''
+POLICYGROUPS_DIR="%s/policygroups"
+TEMPLATES_DIR="%s/templates"
+''' % (self.tmpdir, self.tmpdir)
+ open(self.conffile, 'w').write(contents)
+
+ self.binary = "/opt/bin/foo"
+ self.full_args = ['-c', self.conffile, self.binary]
+
+ if debugging:
+ self.full_args.append('-d')
+
+ (self.options, self.args) = easyprof.parse_args(self.full_args + [self.binary])
+
+ def tearDown(self):
+ '''Teardown for tests'''
+ if os.path.exists(self.tmpdir):
+ recursive_rm(self.tmpdir)
+
+#
+# config file tests
+#
+ def test_configuration_file_p_invalid(self):
+ '''Test config parsing (invalid POLICYGROUPS_DIR)'''
+ contents = '''
+POLICYGROUPS_DIR=
+TEMPLATES_DIR="%s/templates"
+''' % (self.tmpdir)
+
+ open(self.conffile, 'w').write(contents)
+ try:
+ easyprof.AppArmorEasyProfile(self.binary, self.options)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+
+ raise Exception ("File should have been invalid")
+
+ def test_configuration_file_p_empty(self):
+ '''Test config parsing (empty POLICYGROUPS_DIR)'''
+ contents = '''
+POLICYGROUPS_DIR="%s"
+TEMPLATES_DIR="%s/templates"
+''' % ('', self.tmpdir)
+
+ open(self.conffile, 'w').write(contents)
+ try:
+ easyprof.AppArmorEasyProfile(self.binary, self.options)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+
+ raise Exception ("File should have been invalid")
+
+ def test_configuration_file_p_nonexistent(self):
+ '''Test config parsing (nonexistent POLICYGROUPS_DIR)'''
+ contents = '''
+POLICYGROUPS_DIR="%s/policygroups"
+TEMPLATES_DIR="%s/templates"
+''' % ('/nonexistent', self.tmpdir)
+
+ open(self.conffile, 'w').write(contents)
+ try:
+ easyprof.AppArmorEasyProfile(self.binary, self.options)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+
+ raise Exception ("File should have been invalid")
+
+ def test_policygroups_dir_relative(self):
+ '''Test --policy-groups-dir (relative DIR)'''
+ os.chdir(self.tmpdir)
+ rel = os.path.join(self.tmpdir, 'relative')
+ os.mkdir(rel)
+ shutil.copy(os.path.join(self.tmpdir, 'policygroups', self.test_policygroup), os.path.join(rel, self.test_policygroup))
+
+ args = self.full_args
+ args += ['--policy-groups-dir', './relative', '--show-policy-group', '--policy-groups=%s' % self.test_policygroup]
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+ # no fallback
+ self.assertTrue(easyp.dirs['policygroups'] == rel, "Not using specified --policy-groups-dir")
+ self.assertFalse(easyp.get_policy_groups() == None, "Could not find policy-groups")
+
+ def test_policygroups_dir_nonexistent(self):
+ '''Test --policy-groups-dir (nonexistent DIR)'''
+ os.chdir(self.tmpdir)
+ rel = os.path.join(self.tmpdir, 'nonexistent')
+
+ args = self.full_args
+ args += ['--policy-groups-dir', rel, '--show-policy-group', '--policy-groups=%s' % self.test_policygroup]
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+ # test if using fallback
+ self.assertFalse(easyp.dirs['policygroups'] == rel, "Using nonexistent --policy-groups-dir")
+
+ # test fallback
+ self.assertTrue(easyp.get_policy_groups() != None, "Found policy-groups when shouldn't have")
+
+ def test_policygroups_dir_valid(self):
+ '''Test --policy-groups-dir (valid DIR)'''
+ os.chdir(self.tmpdir)
+ valid = os.path.join(self.tmpdir, 'valid')
+ os.mkdir(valid)
+ shutil.copy(os.path.join(self.tmpdir, 'policygroups', self.test_policygroup), os.path.join(valid, self.test_policygroup))
+
+ args = self.full_args
+ args += ['--policy-groups-dir', valid, '--show-policy-group', '--policy-groups=%s' % self.test_policygroup]
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+ # no fallback
+ self.assertTrue(easyp.dirs['policygroups'] == valid, "Not using specified --policy-groups-dir")
+ self.assertFalse(easyp.get_policy_groups() == None, "Could not find policy-groups")
+
+ def test_configuration_file_t_invalid(self):
+ '''Test config parsing (invalid TEMPLATES_DIR)'''
+ contents = '''
+TEMPLATES_DIR=
+POLICYGROUPS_DIR="%s/templates"
+''' % (self.tmpdir)
+
+ open(self.conffile, 'w').write(contents)
+ try:
+ easyprof.AppArmorEasyProfile(self.binary, self.options)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+
+ raise Exception ("File should have been invalid")
+
+ def test_configuration_file_t_empty(self):
+ '''Test config parsing (empty TEMPLATES_DIR)'''
+ contents = '''
+TEMPLATES_DIR="%s"
+POLICYGROUPS_DIR="%s/templates"
+''' % ('', self.tmpdir)
+
+ open(self.conffile, 'w').write(contents)
+ try:
+ easyprof.AppArmorEasyProfile(self.binary, self.options)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+
+ raise Exception ("File should have been invalid")
+
+ def test_configuration_file_t_nonexistent(self):
+ '''Test config parsing (nonexistent TEMPLATES_DIR)'''
+ contents = '''
+TEMPLATES_DIR="%s/policygroups"
+POLICYGROUPS_DIR="%s/templates"
+''' % ('/nonexistent', self.tmpdir)
+
+ open(self.conffile, 'w').write(contents)
+ try:
+ easyprof.AppArmorEasyProfile(self.binary, self.options)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+
+ raise Exception ("File should have been invalid")
+
+ def test_templates_dir_relative(self):
+ '''Test --templates-dir (relative DIR)'''
+ os.chdir(self.tmpdir)
+ rel = os.path.join(self.tmpdir, 'relative')
+ os.mkdir(rel)
+ shutil.copy(os.path.join(self.tmpdir, 'templates', self.test_template), os.path.join(rel, self.test_template))
+
+ args = self.full_args
+ args += ['--templates-dir', './relative', '--show-template', '--template=%s' % self.test_template]
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+ # no fallback
+ self.assertTrue(easyp.dirs['templates'] == rel, "Not using specified --template-dir")
+ self.assertFalse(easyp.get_templates() == None, "Could not find templates")
+
+ def test_templates_dir_nonexistent(self):
+ '''Test --templates-dir (nonexistent DIR)'''
+ os.chdir(self.tmpdir)
+ rel = os.path.join(self.tmpdir, 'nonexistent')
+
+ args = self.full_args
+ args += ['--templates-dir', rel, '--show-template', '--template=%s' % self.test_template]
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+ # test if using fallback
+ self.assertFalse(easyp.dirs['templates'] == rel, "Using nonexistent --template-dir")
+
+ # test fallback
+ self.assertTrue(easyp.get_templates() != None, "Found templates when shouldn't have")
+
+ def test_templates_dir_valid(self):
+ '''Test --templates-dir (valid DIR)'''
+ os.chdir(self.tmpdir)
+ valid = os.path.join(self.tmpdir, 'valid')
+ os.mkdir(valid)
+ shutil.copy(os.path.join(self.tmpdir, 'templates', self.test_template), os.path.join(valid, self.test_template))
+
+ args = self.full_args
+ args += ['--templates-dir', valid, '--show-template', '--template=%s' % self.test_template]
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+
+ # no fallback
+ self.assertTrue(easyp.dirs['templates'] == valid, "Not using specified --template-dir")
+ self.assertFalse(easyp.get_templates() == None, "Could not find templates")
+
+#
+# Binary file tests
+#
+ def test_binary(self):
+ '''Test binary'''
+ easyprof.AppArmorEasyProfile('/bin/ls', self.options)
+
+ def test_binary_nonexistent(self):
+ '''Test binary (nonexistent)'''
+ easyprof.AppArmorEasyProfile(os.path.join(self.tmpdir, 'nonexistent'), self.options)
+
+ def test_binary_relative(self):
+ '''Test binary (relative)'''
+ try:
+ easyprof.AppArmorEasyProfile('./foo', self.options)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+ raise Exception ("Binary should have been invalid")
+
+ def test_binary_symlink(self):
+ '''Test binary (symlink)'''
+ exe = os.path.join(self.tmpdir, 'exe')
+ open(exe, 'wa').close()
+ symlink = exe + ".lnk"
+ os.symlink(exe, symlink)
+
+ try:
+ easyprof.AppArmorEasyProfile(symlink, self.options)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+ raise Exception ("Binary should have been invalid")
+
+#
+# Templates tests
+#
+ def test_templates_list(self):
+ '''Test templates (list)'''
+ args = self.full_args
+ args.append('--list-templates')
+ (self.options, self.args) = easyprof.parse_args(args)
+
+ easyp = easyprof.AppArmorEasyProfile(None, self.options)
+ for i in easyp.get_templates():
+ self.assertTrue(os.path.exists(i), "Could not find '%s'" % i)
+
+ def test_templates_show(self):
+ '''Test templates (show)'''
+ files = []
+ for f in glob.glob("%s/templates/*" % self.tmpdir):
+ files.append(f)
+
+ for f in files:
+ args = self.full_args
+ args += ['--show-template', '--template', f]
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(None, self.options)
+
+ path = os.path.join(easyp.dirs['templates'], f)
+ self.assertTrue(os.path.exists(path), "Could not find '%s'" % path)
+ open(path).read()
+
+#
+# Policygroups tests
+#
+ def test_policygroups_list(self):
+ '''Test policygroups (list)'''
+ args = self.full_args
+ args.append('--list-policy-groups')
+ (self.options, self.args) = easyprof.parse_args(args)
+
+ easyp = easyprof.AppArmorEasyProfile(None, self.options)
+ for i in easyp.get_templates():
+ self.assertTrue(os.path.exists(i), "Could not find '%s'" % i)
+
+ def test_policygroups_show(self):
+ '''Test policygroups (show)'''
+ files = []
+ for f in glob.glob("%s/policygroups/*" % self.tmpdir):
+ files.append(f)
+
+ for f in files:
+ args = self.full_args
+ args += ['--show-template', '--template', f]
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(None, self.options)
+
+ path = os.path.join(easyp.dirs['policygroups'], f)
+ self.assertTrue(os.path.exists(path), "Could not find '%s'" % path)
+ open(path).read()
+
+#
+# Test genpolicy
+#
+ def _gen_policy(self, name=None, template=None, extra_args=[]):
+ '''Generate a policy'''
+ # Build up our args
+ args = self.full_args
+
+ if template == None:
+ args.append('--template=%s' % self.test_template)
+ else:
+ args.append('--template=%s' % template)
+
+ if name != None:
+ args.append('--name=%s' % name)
+
+ if len(extra_args) > 0:
+ args += extra_args
+
+ args.append(self.binary)
+
+ # Now parse our args
+ (self.options, self.args) = easyprof.parse_args(args)
+ easyp = easyprof.AppArmorEasyProfile(self.binary, self.options)
+ params = easyprof.gen_policy_params(self.binary, self.options)
+ p = easyp.gen_policy(**params)
+
+ # We always need to check for these
+ search_terms = [self.binary]
+ if name != None:
+ search_terms.append(name)
+
+ if template == None:
+ search_terms.append(self.test_template)
+
+ for s in search_terms:
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+
+ # ###NAME### should be replaced with self.binary or 'name'. Check for that
+ inv_s = '###NAME###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ if debugging:
+ print p
+
+ return p
+
+ def test_genpolicy_templates_abspath(self):
+ '''Test genpolicy (abspath to template)'''
+ # create a new template
+ template = os.path.join(self.tmpdir, "test-abspath-template")
+ shutil.copy(os.path.join(self.tmpdir, 'templates', self.test_template), template)
+ contents = open(template).read()
+ test_string = "#teststring"
+ open(template, 'w').write(contents + "\n%s\n" % test_string)
+
+ p = self._gen_policy(template=template)
+
+ for s in [self.test_template, test_string]:
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+
+ def test_genpolicy_templates_system(self):
+ '''Test genpolicy (system template)'''
+ self._gen_policy()
+
+ def test_genpolicy_templates_nonexistent(self):
+ '''Test genpolicy (nonexistent template)'''
+ try:
+ self._gen_policy(template=os.path.join(self.tmpdir, "/nonexistent"))
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+ raise Exception ("template should be invalid")
+
+ def test_genpolicy_name(self):
+ '''Test genpolicy (name)'''
+ self._gen_policy(name='test-foo')
+
+ def test_genpolicy_comment(self):
+ '''Test genpolicy (comment)'''
+ s = "test comment"
+ p = self._gen_policy(extra_args=['--comment=%s' % s])
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+ inv_s = '###COMMENT###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_author(self):
+ '''Test genpolicy (author)'''
+ s = "Archibald Poindexter"
+ p = self._gen_policy(extra_args=['--author=%s' % s])
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+ inv_s = '###AUTHOR###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_copyright(self):
+ '''Test genpolicy (copyright)'''
+ s = "2112/01/01"
+ p = self._gen_policy(extra_args=['--copyright=%s' % s])
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+ inv_s = '###COPYRIGHT###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_abstractions(self):
+ '''Test genpolicy (single abstraction)'''
+ s = "nameservice"
+ p = self._gen_policy(extra_args=['--abstractions=%s' % s])
+ search = "#include <abstractions/%s>" % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###ABSTRACTIONS###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_abstractions_multiple(self):
+ '''Test genpolicy (multiple abstractions)'''
+ abstractions = "authentication,X,user-tmp"
+ p = self._gen_policy(extra_args=['--abstractions=%s' % abstractions])
+ for s in abstractions.split(','):
+ search = "#include <abstractions/%s>" % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###ABSTRACTIONS###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_policygroups(self):
+ '''Test genpolicy (single policygroup)'''
+ groups = self.test_policygroup
+ p = self._gen_policy(extra_args=['--policy-groups=%s' % groups])
+
+ for s in ['#include <abstractions/nameservice>', '#include <abstractions/gnome>']:
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+ inv_s = '###POLICYGROUPS###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_policygroups_multiple(self):
+ '''Test genpolicy (multiple policygroups)'''
+ test_policygroup2 = "test-policygroup2"
+ contents = '''
+ # %s
+ #include <abstractions/kde>
+ #include <abstractions/openssl>
+''' % (self.test_policygroup)
+ open(os.path.join(self.tmpdir, 'policygroups', test_policygroup2), 'w').write(contents)
+
+ groups = "%s,%s" % (self.test_policygroup, test_policygroup2)
+ p = self._gen_policy(extra_args=['--policy-groups=%s' % groups])
+
+ for s in ['#include <abstractions/nameservice>',
+ '#include <abstractions/gnome>',
+ '#include <abstractions/kde>',
+ '#include <abstractions/openssl>']:
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+ inv_s = '###POLICYGROUPS###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_policygroups_nonexistent(self):
+ '''Test genpolicy (nonexistent policygroup)'''
+ try:
+ self._gen_policy(extra_args=['--policy-groups=nonexistent'])
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+ raise Exception ("policygroup should be invalid")
+
+ def test_genpolicy_readpath_file(self):
+ '''Test genpolicy (read-path file)'''
+ s = "/opt/test-foo"
+ p = self._gen_policy(extra_args=['--read-path=%s' % s])
+ search = "%s r," % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_readpath_home_file(self):
+ '''Test genpolicy (read-path file in /home)'''
+ s = "/home/*/test-foo"
+ p = self._gen_policy(extra_args=['--read-path=%s' % s])
+ search = "owner %s r," % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_readpath_homevar_file(self):
+ '''Test genpolicy (read-path file in @{HOME})'''
+ s = "@{HOME}/test-foo"
+ p = self._gen_policy(extra_args=['--read-path=%s' % s])
+ search = "owner %s r," % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_readpath_homedirs_file(self):
+ '''Test genpolicy (read-path file in @{HOMEDIRS})'''
+ s = "@{HOMEDIRS}/test-foo"
+ p = self._gen_policy(extra_args=['--read-path=%s' % s])
+ search = "owner %s r," % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_readpath_dir(self):
+ '''Test genpolicy (read-path directory/)'''
+ s = "/opt/test-foo-dir/"
+ p = self._gen_policy(extra_args=['--read-path=%s' % s])
+ search_terms = ["%s r," % s, "%s** r," % s]
+ for search in search_terms:
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_readpath_dir_glob(self):
+ '''Test genpolicy (read-path directory/*)'''
+ s = "/opt/test-foo-dir/*"
+ p = self._gen_policy(extra_args=['--read-path=%s' % s])
+ search_terms = ["%s r," % os.path.dirname(s), "%s r," % s]
+ for search in search_terms:
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_readpath_dir_glob_all(self):
+ '''Test genpolicy (read-path directory/**)'''
+ s = "/opt/test-foo-dir/**"
+ p = self._gen_policy(extra_args=['--read-path=%s' % s])
+ search_terms = ["%s r," % os.path.dirname(s), "%s r," % s]
+ for search in search_terms:
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_readpath_multiple(self):
+ '''Test genpolicy (read-path multiple)'''
+ paths = ["/opt/test-foo",
+ "/home/*/test-foo",
+ "@{HOME}/test-foo",
+ "@{HOMEDIRS}/test-foo",
+ "/opt/test-foo-dir/",
+ "/opt/test-foo-dir/*",
+ "/opt/test-foo-dir/**"]
+ args = []
+ search_terms = []
+ for s in paths:
+ args.append('--read-path=%s' % s)
+ # This mimics easyprof.gen_path_rule()
+ owner = ""
+ if s.startswith('/home/') or s.startswith("@{HOME"):
+ owner = "owner "
+ if s.endswith('/'):
+ search_terms.append("%s r," % (s))
+ search_terms.append("%s%s** r," % (owner, s))
+ elif s.endswith('/**') or s.endswith('/*'):
+ search_terms.append("%s r," % (os.path.dirname(s)))
+ search_terms.append("%s%s r," % (owner, s))
+ else:
+ search_terms.append("%s%s r," % (owner, s))
+
+ p = self._gen_policy(extra_args=args)
+ for search in search_terms:
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_readpath_bad(self):
+ '''Test genpolicy (read-path bad)'''
+ s = "bar"
+ try:
+ self._gen_policy(extra_args=['--read-path=%s' % s])
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+ raise Exception ("read-path should be invalid")
+
+ def test_genpolicy_writepath_file(self):
+ '''Test genpolicy (write-path file)'''
+ s = "/opt/test-foo"
+ p = self._gen_policy(extra_args=['--write-path=%s' % s])
+ search = "%s rwk," % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_writepath_home_file(self):
+ '''Test genpolicy (write-path file in /home)'''
+ s = "/home/*/test-foo"
+ p = self._gen_policy(extra_args=['--write-path=%s' % s])
+ search = "owner %s rwk," % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_writepath_homevar_file(self):
+ '''Test genpolicy (write-path file in @{HOME})'''
+ s = "@{HOME}/test-foo"
+ p = self._gen_policy(extra_args=['--write-path=%s' % s])
+ search = "owner %s rwk," % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_writepath_homedirs_file(self):
+ '''Test genpolicy (write-path file in @{HOMEDIRS})'''
+ s = "@{HOMEDIRS}/test-foo"
+ p = self._gen_policy(extra_args=['--write-path=%s' % s])
+ search = "owner %s rwk," % s
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_writepath_dir(self):
+ '''Test genpolicy (write-path directory/)'''
+ s = "/opt/test-foo-dir/"
+ p = self._gen_policy(extra_args=['--write-path=%s' % s])
+ search_terms = ["%s rwk," % s, "%s** rwk," % s]
+ for search in search_terms:
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_writepath_dir_glob(self):
+ '''Test genpolicy (write-path directory/*)'''
+ s = "/opt/test-foo-dir/*"
+ p = self._gen_policy(extra_args=['--write-path=%s' % s])
+ search_terms = ["%s rwk," % os.path.dirname(s), "%s rwk," % s]
+ for search in search_terms:
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_writepath_dir_glob_all(self):
+ '''Test genpolicy (write-path directory/**)'''
+ s = "/opt/test-foo-dir/**"
+ p = self._gen_policy(extra_args=['--write-path=%s' % s])
+ search_terms = ["%s rwk," % os.path.dirname(s), "%s rwk," % s]
+ for search in search_terms:
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_writepath_multiple(self):
+ '''Test genpolicy (write-path multiple)'''
+ paths = ["/opt/test-foo",
+ "/home/*/test-foo",
+ "@{HOME}/test-foo",
+ "@{HOMEDIRS}/test-foo",
+ "/opt/test-foo-dir/",
+ "/opt/test-foo-dir/*",
+ "/opt/test-foo-dir/**"]
+ args = []
+ search_terms = []
+ for s in paths:
+ args.append('--write-path=%s' % s)
+ # This mimics easyprof.gen_path_rule()
+ owner = ""
+ if s.startswith('/home/') or s.startswith("@{HOME"):
+ owner = "owner "
+ if s.endswith('/'):
+ search_terms.append("%s rwk," % (s))
+ search_terms.append("%s%s** rwk," % (owner, s))
+ elif s.endswith('/**') or s.endswith('/*'):
+ search_terms.append("%s rwk," % (os.path.dirname(s)))
+ search_terms.append("%s%s rwk," % (owner, s))
+ else:
+ search_terms.append("%s%s rwk," % (owner, s))
+
+ p = self._gen_policy(extra_args=args)
+ for search in search_terms:
+ self.assertTrue(search in p, "Could not find '%s' in:\n%s" % (search, p))
+ inv_s = '###READPATH###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_writepath_bad(self):
+ '''Test genpolicy (write-path bad)'''
+ s = "bar"
+ try:
+ self._gen_policy(extra_args=['--write-path=%s' % s])
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+ raise Exception ("write-path should be invalid")
+
+ def test_genpolicy_templatevar(self):
+ '''Test genpolicy (template-var single)'''
+ s = "@{FOO}=bar"
+ p = self._gen_policy(extra_args=['--template-var=%s' % s])
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+ inv_s = '###TEMPLATEVAR###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_templatevar_multiple(self):
+ '''Test genpolicy (template-var multiple)'''
+ variables = ["@{FOO}=bar", "@{BAR}=baz"]
+ args = []
+ for s in variables:
+ args.append('--template-var=%s' % s)
+
+ p = self._gen_policy(extra_args=args)
+ for s in variables:
+ self.assertTrue(s in p, "Could not find '%s' in:\n%s" % (s, p))
+ inv_s = '###TEMPLATEVAR###'
+ self.assertFalse(inv_s in p, "Found '%s' in :\n%s" % (inv_s, p))
+
+ def test_genpolicy_templatevar_bad(self):
+ '''Test genpolicy (template-var bad)'''
+ s = "{FOO}=bar"
+ try:
+ self._gen_policy(extra_args=['--template-var=%s' % s])
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+ raise Exception ("template-var should be invalid")
+
+ def test_genpolicy_invalid_template_policy(self):
+ '''Test genpolicy (invalid template policy)'''
+ # create a new template
+ template = os.path.join(self.tmpdir, "test-invalid-template")
+ shutil.copy(os.path.join(self.tmpdir, 'templates', self.test_template), template)
+ contents = open(template).read()
+ bad_pol = ""
+ bad_string = "bzzzt"
+ for line in contents.splitlines():
+ if '}' in line:
+ bad_pol += bad_string
+ else:
+ bad_pol += line
+ bad_pol += "\n"
+ open(template, 'w').write(bad_pol)
+ try:
+ self._gen_policy(template=template)
+ except easyprof.AppArmorException:
+ return
+ except Exception:
+ raise
+ raise Exception ("policy should be invalid")
+
+
+#
+# End test class
+#
+
+#
+# Main
+#
+if __name__ == '__main__':
+ def cleanup(files):
+ for f in files:
+ if os.path.exists(f):
+ os.unlink(f)
+
+ absfn = os.path.abspath(sys.argv[0])
+ topdir = os.path.dirname(os.path.dirname(absfn))
+
+ if len(sys.argv) > 1 and (sys.argv[1] == '-d' or sys.argv[1] == '--debug'):
+ debugging = True
+
+ created = []
+
+ # Create the necessary files to import aa-easyprof
+ init = os.path.join(os.path.dirname(absfn), '__init__.py')
+ if not os.path.exists(init):
+ open(init, 'wa').close()
+ created.append(init)
+
+ symlink = os.path.join(os.path.dirname(absfn), 'easyprof.py')
+ if not os.path.exists(symlink):
+ os.symlink(os.path.join(topdir, 'apparmor', 'easyprof.py'), symlink)
+ created.append(symlink)
+ created.append(symlink + 'c')
+
+ # Now that we have everything we need, import aa-easyprof
+ import easyprof
+
+ # run the tests
+ suite = unittest.TestSuite()
+ suite.addTest(unittest.TestLoader().loadTestsFromTestCase(T))
+ rc = unittest.TextTestRunner(verbosity=2).run(suite)
+
+ cleanup(created)
+
+ if not rc.wasSuccessful():
+ sys.exit(1)
signature.asc
Description: This is a digitally signed message part
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
