mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity
apparmor/utils/test/test-mount.py

250 lines
17 KiB
Python
Raw Normal View History

Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
#!/usr/bin/python3
# ----------------------------------------------------------------------
# Copyright (C) 2024 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# ----------------------------------------------------------------------
import unittest
from collections import namedtuple
from common_test import AATest, setup_all_loops
from apparmor.common import AppArmorException, AppArmorBug
from apparmor.translations import init_translation
from apparmor.rule.mount import MountRule, valid_fs
_ = init_translation()
class MountTestParse(AATest):
tests = (
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
# Rule Operation Filesystem Options Source Destination Audit Deny Allow Comment
('mount fstype=bpf options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('bpf')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
Minor improvements for MountRule
2024-03-07 19:27:03 +00:00
('mount fstype=fuse.obex* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.obex*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
('mount fstype=fuse.* options=rw bpf -> /sys/fs/bpf/,', MountRule('mount', ('=', ('fuse.*')), ('=', ('rw')), 'bpf', '/sys/fs/bpf/', False, False, False, '' )),
('mount fstype=bpf options=(rw) random_label -> /sys/fs/bpf/,', MountRule('mount', ('=', ("bpf")), ('=', ('rw')), 'random_label', '/sys/fs/bpf/', False, False, False, '' )),
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
('mount,', MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount fstype=(ext3, ext4),', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount bpf,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'bpf', MountRule.ALL, False, False, False, '' )),
('mount none,', MountRule('mount', MountRule.ALL, MountRule.ALL, 'none', MountRule.ALL, False, False, False, '' )),
('mount fstype=(ext3, ext4) options=(ro),', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('mount @{mntpnt},', MountRule('mount', MountRule.ALL, MountRule.ALL, '@{mntpnt}', MountRule.ALL, False, False, False, '' )),
('mount /a,', MountRule('mount', MountRule.ALL, MountRule.ALL, '/a', MountRule.ALL, False, False, False, '' )),
('mount fstype=(ext3, ext4) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/a', '/b', False, False, False, '' )),
('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
('mount fstype=(ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
('mount fstype=(ext3, ext4) options in (ro, rbind) /a -> /b,', MountRule('mount', ('=', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', '/b', False, False, False, '' )),
('mount fstype in (ext3, ext4) options=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
('mount fstype in (ext3, ext4) option in (ro, rbind) /a, #cmt', MountRule('mount', ('in', ('ext3', 'ext4')), ('in', ('ro', 'rbind')), '/a', MountRule.ALL, False, False, False, ' #cmt')),
('mount fstype=(ext3, ext4) option=(ro, rbind) /a -> /b, #cmt', MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro', 'rbind')), '/a', '/b', False, False, False, ' #cmt')),
Minor improvements for MountRule
2024-03-07 19:27:03 +00:00
('mount options=(rw, rbind) {,/usr}/lib{,32,64,x32}/modules/ -> /tmp/snap.rootfs_*{,/usr}/lib/modules/,',
MountRule('mount', MountRule.ALL, ('=', ('rw', 'rbind')), '{,/usr}/lib{,32,64,x32}/modules/',
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
'/tmp/snap.rootfs_*{,/usr}/lib/modules/',
False, False, False, '' )),
('umount,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('umount fstype=ext3,', MountRule('umount', ('=', ('ext3')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('umount /a,', MountRule('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/a', False, False, False, '' )),
('remount,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('remount fstype=ext4,', MountRule('remount', ('=', ('ext4')), MountRule.ALL, MountRule.ALL, MountRule.ALL, False, False, False, '' )),
('remount /b,', MountRule('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/b', False, False, False, '' )),
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
)
def _run_test(self, rawrule, expected):
self.assertTrue(MountRule.match(rawrule))
obj = MountRule.create_instance(rawrule)
expected.raw_rule = rawrule.strip()
self.assertTrue(obj.is_equal(expected, True))
class MountTestParseInvalid(AATest):
tests = (
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
('mount fstype=,', AppArmorException),
('mount fstype=(foo),', AppArmorException),
('mount fstype=(),', AppArmorException),
('mount options=(),', AppArmorException),
('mount option=(invalid),', AppArmorException),
('mount option=(ext3ext4),', AppArmorException),
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
)
def _run_test(self, rawrule, expected):
self.assertTrue(MountRule.match(rawrule)) # the above invalid rules still match the main regex!
with self.assertRaises(expected):
MountRule.create_instance(rawrule)
def test_parse_fail(self):
with self.assertRaises(AppArmorException):
MountRule.create_instance('foo,')
def test_diff_non_mountrule(self):
exp = namedtuple('exp', ('audit', 'deny'))
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
obj = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL)
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
with self.assertRaises(AppArmorBug):
obj.is_equal(exp(False, False), False)
def test_diff_invalid_fstype_equals_or_in(self):
with self.assertRaises(AppArmorBug):
test-mount.py: fix MountRule instance creation If fstype or options is a str, it has to be exactly one keyword, because __init__() / check_and_split_list() won't parse a str. Our "normal" code already honors this, and only hands over fstype and options as sets or a single-keyword str. However, a few tests (wrongly) handed over a str that would need further parsing. Adjust the tests to no longer do this.
2024-03-03 15:52:14 +01:00
MountRule('mount', ('ext3', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
MountRule: check for unknown fstype and options ... now that the previous commits fixed issues that ended up as unknown keywords. Also add mount/ok_12.sd as known-failing test. It uses fstype=AARE which MountRule doesn't support (yet?).
2024-03-03 16:01:40 +01:00
def test_diff_invalid_fstype_keyword(self):
with self.assertRaises(AppArmorException):
MountRule('mount', ('=', 'invalidfs'), MountRule.ALL, MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
def test_diff_invalid_options_equals_or_in(self):
with self.assertRaises(AppArmorBug):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
MountRule('mount', MountRule.ALL, ('rbind', 'rw'), MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
MountRule: check for unknown fstype and options ... now that the previous commits fixed issues that ended up as unknown keywords. Also add mount/ok_12.sd as known-failing test. It uses fstype=AARE which MountRule doesn't support (yet?).
2024-03-03 16:01:40 +01:00
def test_diff_invalid_options_keyword(self):
with self.assertRaises(AppArmorException):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
MountRule('mount', MountRule.ALL, ('=', 'invalid'), MountRule.ALL, MountRule.ALL) # fstype[0] should be '=' or 'in'
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
def test_diff_fstype(self):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
obj1 = MountRule('mount', ('=', 'ext4'), MountRule.ALL, MountRule.ALL, MountRule.ALL)
obj2 = MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL)
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
self.assertFalse(obj1.is_equal(obj2, False))
def test_diff_source(self):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
obj1 = MountRule('mount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL)
obj2 = MountRule('mount', MountRule.ALL, MountRule.ALL, '/bar', MountRule.ALL)
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
self.assertFalse(obj1.is_equal(obj2, False))
def test_invalid_umount_with_source(self):
with self.assertRaises(AppArmorException):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
MountRule('umount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL) # Umount and remount shall not have a source
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
def test_invalid_remount_with_source(self):
with self.assertRaises(AppArmorException):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
MountRule('remount', MountRule.ALL, MountRule.ALL, '/foo', MountRule.ALL)
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
class MountTestFilesystems(AATest):
def test_fs(self):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
with open('/proc/filesystems') as f:
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
for line in f:
Add useful error message in test-mount.py If /proc/filesystems contains a filesystem that is not listed in MountRule valid_fs, print a useful error message that says what exactly is going on, instead of only saying "False is not True".
2024-03-01 20:34:11 +01:00
fs_name = line.split()[-1]
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
self.assertTrue(fs_name in valid_fs, '/proc/filesystems contains %s which is not listed in MountRule valid_fs' % fs_name)
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
class MountTestGlob(AATest):
def test_glob(self):
globList = [(
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
'mount options=(bind, rw) /home/user/Downloads/ -> /mnt/a/,',
'mount options=(bind, rw) /home/user/Downloads/,',
'mount options=(bind, rw) /home/user/*/,',
'mount options=(bind, rw) /home/**/,',
'mount options=(bind, rw),',
'mount,',
'mount,',
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
)]
for globs in globList:
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
for i in range(len(globs) - 1):
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
rule = MountRule.create_instance(globs[i])
rule.glob()
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
self.assertEqual(rule.get_clean(), globs[i + 1])
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
class MountTestClean(AATest):
tests = (
# raw rule clean rule
(' mount , # foo ', 'mount, # foo'),
(' mount fstype = ( sysfs ) , ', 'mount fstype=(sysfs),'),
(' mount fstype = ( sysfs , procfs ) , ', 'mount fstype=(procfs, sysfs),'),
(' mount options = ( rw ) , ', 'mount options=(rw),'),
(' mount options = ( rw , noatime ) , ', 'mount options=(noatime, rw),'),
Fix writing 'mount {options,fstype} in ...' rules We need spaces around the 'in' keyword. Also add some tests for this.
2024-03-03 12:45:08 +01:00
(' mount fstype in ( sysfs ) , ', 'mount fstype in (sysfs),'),
(' mount fstype in ( sysfs , procfs ) , ', 'mount fstype in (procfs, sysfs),'),
(' mount options in ( rw ) , ', 'mount options in (rw),'),
(' mount options in ( rw , noatime ) , ', 'mount options in (noatime, rw),'),
MountRule: make get_clean() more readable ... by getting rid of two mostly-identical, big return statements. Also add tests for bare umound and remount rules to ensure full test coverage.
2024-03-03 13:09:43 +01:00
(' umount , ', 'umount,'),
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
(' umount /foo , ', 'umount /foo,'),
MountRule: make get_clean() more readable ... by getting rid of two mostly-identical, big return statements. Also add tests for bare umound and remount rules to ensure full test coverage.
2024-03-03 13:09:43 +01:00
(' remount , ', 'remount,'),
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
(' remount /foo , ', 'remount /foo,'),
)
def _run_test(self, rawrule, expected):
self.assertTrue(MountRule.match(rawrule))
obj = MountRule.create_instance(rawrule)
clean = obj.get_clean()
raw = obj.get_raw()
self.assertEqual(expected, clean, 'unexpected clean rule')
self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
class MountLogprofHeaderTest(AATest):
tests = (
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
('mount,', [_('Operation'), _('mount'), _('Fstype'), _('ALL'), _('Options'), _('ALL'), _('Source'), _('ALL'), _('Destination'), _('ALL')]),
('mount options=(ro, nosuid) /a,', [_('Operation'), _('mount'), _('Fstype'), _('ALL'), _('Options'), ('=', _('nosuid ro')), _('Source'), _('/a'), _('Destination'), _('ALL')]),
('mount fstype=(ext3, ext4) options=(ro, nosuid) /a -> /b,', [_('Operation'), _('mount'), _('Fstype'), ('=', _('ext3 ext4')), _('Options'), ('=', _('nosuid ro')), _('Source'), _('/a'), _('Destination'), _('/b')])
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
)
def _run_test(self, params, expected):
obj = MountRule.create_instance(params)
self.assertEqual(obj.logprof_header(), expected)
class MountIsCoveredTest(AATest):
def test_is_covered(self):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*')
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
tests = [
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b', '/bar'),
('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/b')
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
]
for test in tests:
self.assertTrue(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
def test_is_covered_fs_source(self):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
self.assertTrue(obj.is_covered(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
self.assertFalse(obj.is_equal(MountRule('mount', ('=', ('ext3')), ('=', ('ro')), 'tmpfs', MountRule.ALL)))
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
Minor improvements for MountRule
2024-03-07 19:27:03 +00:00
def test_is_covered_regex(self):
obj = MountRule('mount', ('=', ('sys*', 'fuse.*')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
tests = [
('mount', ('=', ('sysfs', 'fuse.s3fs')), ('=', ('ro')), 'tmpfs', MountRule.ALL),
('mount', ('=', ('sysfs', 'fuse.jmtpfs', 'fuse.s3fs', 'fuse.obexfs', 'fuse.obexautofs', 'fuse.fuseiso')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
]
for test in tests:
self.assertTrue(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
def test_is_notcovered(self):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/b*')
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
tests = [
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
('mount', ('in', ('ext3', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ),
('mount', ('=', ('procfs', 'ext4')), ('=', ('ro')), '/foo/bar', '/bar' ),
('mount', ('=', ('ext3')), ('=', ('rw')), '/foo/bar', '/bar' ),
('mount', ('=', ('ext3', 'ext4')), MountRule.ALL, '/foo/b*', '/bar' ),
('mount', MountRule.ALL, ('=', ('ro')), '/foo/b*', '/bar' ),
('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/invalid/bar', '/bar' ),
('umount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ),
('remount', MountRule.ALL, MountRule.ALL, MountRule.ALL, '/bar' ),
('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', '/bar' ),
('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), '/foo/b*', '/invalid'),
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
]
for test in tests:
self.assertFalse(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
def test_is_not_covered_fs_source(self):
utils: fix coding style in mount Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2024-03-04 09:24:58 -03:00
obj = MountRule('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'tmpfs', MountRule.ALL)
test = ('mount', ('=', ('ext3', 'ext4')), ('=', ('ro')), 'procfs', MountRule.ALL)
Adding userspace support for mount rules in aa-genprof/aa-logprof
2024-02-29 17:59:50 +00:00
self.assertFalse(obj.is_covered(MountRule(*test)))
self.assertFalse(obj.is_equal(MountRule(*test)))
setup_all_loops(__name__)
if __name__ == '__main__':
unittest.main(verbosity=1)
Reference in New Issue Copy Permalink