apparmor/utils/test/test-notify.py

#! /usr/bin/python3
# ------------------------------------------------------------------
#
#    Copyright (C) 2021 Christian Boltz <apparmor@cboltz.de>
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

import unittest

from apparmor.common import AppArmorBug
from apparmor.notify import get_last_login_timestamp, get_last_login_timestamp_wtmp, sane_timestamp, get_event_special_type, set_userns_special_profile
from apparmor.logparser import ReadLog
from common_test import AATest, setup_all_loops


class TestGet_last_login_timestamp(AATest):
    tests = (
        #  wtmp file         lastlog2 db         user           expected login timestamp
        (('wtmp-x86_64',    'lastlog2.db',     'root'),         1723749426),  # Thu Aug 15 19:17:06 UTC 2024
        (('wtmp-x86_64',    'lastlog2.db',     'whoever'),      0),
        (('wtmp-x86_64',    'lastlog2.db',     'cb'),           1726995194),  # Sun Sep 22 08:53:14 UTC 2024
        (('wtmp-x86_64',    'lastlog2.db',     'sddm'),         1721084423),  # Mon Jul 15 23:00:23 UTC 2024

        (('wtmp-x86_64',    'does-not-exist',   'root'),        1635070346),  # Sun Oct 24 12:12:26 CEST 2021
        (('wtmp-x86_64',    'does-not-exist',   'whoever'),     0),

        (('wtmp-s390x',     'lastlog2.db',      'root'),        1723749426),  # Thu Aug 15 19:17:06 UTC 2024
        (('wtmp-s390x',     'lastlog2.db',      'whoever'),     0),
        (('wtmp-s390x',     'does-not-exist',   'linux1'),      1626368772),  # Thu Jul 15 19:06:12 CEST 2021
        (('wtmp-s390x',     'does-not-exist',   'whoever'),     0),

        (('wtmp-aarch64',   'lastlog2.db',      'whoever'),     0),
        (('wtmp-aarch64',   'does-not-exist',   'guillaume'),   1611562789),  # Mon Jan 25 09:19:49 CET 2021
        (('wtmp-aarch64',   'does-not-exist',   'whoever'),     0),

        (('wtmp-truncated', 'does-not-exist',   'root'),        0),
        (('wtmp-truncated', 'does-not-exist',   'whoever'),     0),
    )

    def _run_test(self, params, expected):
        wtmpdb, lastlog2_db, user = params
        wtmpdb = 'wtmp-examples/' + wtmpdb
        lastlog2_db = 'wtmp-examples/' + lastlog2_db
        self.assertEqual(get_last_login_timestamp(user, wtmpdb, lastlog2_db), expected)

    def test_date_1999(self):
        with self.assertRaises(AppArmorBug):
            # wtmp-x86_64-past is hand-edited to Thu Dec 30 00:00:00 CET 1999, which is outside the expected data range
            get_last_login_timestamp('root', 'wtmp-examples/wtmp-x86_64-past', 'wtmp-examples/does-not-exist')


class TestSane_timestamp(AATest):
    tests = (
        (2524704400, False),  # Sun Jan  2 03:46:40 CET 2050
        (944780400, False),  # Fri Dec 10 00:00:00 CET 1999
        (1635026400, True),  # Sun Oct 24 00:00:00 CEST 2021
    )

    def _run_test(self, params, expected):
        self.assertEqual(sane_timestamp(params), expected)


class TestGet_last_login_timestamp_wtmp(AATest):
    tests = (
        (('wtmp-x86_64',    'root'),      1635070346),  # Sun Oct 24 12:12:26 CEST 2021
        (('wtmp-x86_64',    'whoever'),   0),
        (('wtmp-s390x',     'root'),      1626368763),  # Thu Jul 15 19:06:03 CEST 2021
        (('wtmp-s390x',     'linux1'),    1626368772),  # Thu Jul 15 19:06:12 CEST 2021
        (('wtmp-s390x',     'whoever'),   0),
        (('wtmp-aarch64',   'guillaume'), 1611562789),  # Mon Jan 25 09:19:49 CET 2021
        (('wtmp-aarch64',   'whoever'),   0),
        (('wtmp-truncated', 'root'),      0),
        (('wtmp-truncated', 'whoever'),   0),
    )

    def _run_test(self, params, expected):
        filename, user = params
        filename = 'wtmp-examples/' + filename
        self.assertEqual(get_last_login_timestamp_wtmp(user, filename), expected)

    def test_date_1999(self):
        with self.assertRaises(AppArmorBug):
            # wtmp-x86_64-past is hand-edited to Thu Dec 30 00:00:00 CET 1999, which is outside the expected data range
            get_last_login_timestamp_wtmp('root', 'wtmp-examples/wtmp-x86_64-past')


class TestEventSpecialType(AATest):
    userns_special_profiles = set_userns_special_profile(['unconfined', 'unprivileged_userns', 'unpriv_.*'])
    parser = ReadLog('', '', '')
    tests = (
        ('[  176.385388] audit: type=1400 audit(1666891380.570:78): apparmor="DENIED" operation="userns_create" class="namespace" profile="/usr/bin/bwrap-userns-restrict" pid=1785 comm="userns_child_ex" requested="userns_create" denied="userns_create"',                                                                                           'normal'),
        ('[  839.488169] audit: type=1400 audit(1752065668.819:208): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=12124 comm="unshare" requested="userns_create" denied="userns_create" target="unprivileged_userns"', 'userns_denied'),
        ('[  429.272003] audit: type=1400 audit(1720613712.153:168): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=5630 comm="unshare" requested="userns_create" target="unprivileged_userns" execpath="/usr/bin/unshare"',                                        'userns_change_profile'),
        ('[   52.901383] audit: type=1400 audit(1752064882.228:82): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=6700 comm="electron" capability=21  capname="sys_admin"',                                                                                                                                       'userns_capable'),
        ('Jul 31 17:11:16 dbusdev-saucy-amd64 dbus[1692]: apparmor="DENIED" operation="dbus_bind"  bus="session" name="com.apparmor.Test" mask="bind" pid=2940 profile="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service"',                                                                                                                   'normal'),
        ('[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"',                                                                             'userns_change_profile'),
        ('[78661.551820] audit: type=1400 audit(1752661047.170:350): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=1412550 comm="node" capability=21  capname="sys_admin"',                                                                                                                                              'userns_capable'),
    )

    def _run_test(self, ev, expected):
        parsed_event = self.parser.parse_event(ev)
        r = self.parser.create_rule_from_ev(parsed_event)
        self.assertIsNotNone(r)

        real_type = get_event_special_type(parsed_event, self.userns_special_profiles)
        self.assertEqual(expected, real_type,
                         "ev {}: {} != {}".format(ev, expected, real_type))

    def test_invalid(self):
        ev = 'type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="unprivileged_userns" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6'
        parsed_event = self.parser.parse_event(ev)
        parsed_event['comm'] = 'something'  # Artificially crafted invalid event
        with self.assertRaises(AppArmorBug):
            get_event_special_type(parsed_event, self.userns_special_profiles)


setup_all_loops(__name__)
if __name__ == '__main__':
    unittest.main(verbosity=1)
Add unittest for get_last_login_timestamp ... starting with a x86_64 wtmp example file 2021-10-24 13:10:25 +02:00			`#! /usr/bin/python3`
			`# ------------------------------------------------------------------`
			`#`
			`# Copyright (C) 2021 Christian Boltz <apparmor@cboltz.de>`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License published by the Free Software Foundation.`
			`#`
			`# ------------------------------------------------------------------`

			`import unittest`

Add support for lastlog2 to get last login lastlog2 is the 2038-safe replacement for wtmp, and in the meantime became part of util-linux. This commit switches from trying to parse the lastlog2 output to directly reading lastlog2.db with sqlite3. Adjust get_last_login_timestamp() to use the lastlog2 database (/var/lib/lastlog/lastlog2.db) if it exists, and adjust get_last_login_timestamp_lastlog2() to actually do that. (If lastlog2.db doesn't exist, aa-notify will read wtmp as usual.) Unfortunately lastlog2 doesn't have a way to get machine-readable output (for example json), therefore - after trying and failing to parse the lastlog2 output - directly read from lastlog2.db. Let's hope the format never changes ;-) Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1228378 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216660 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/372 2024-09-22 20:27:54 +02:00			`from apparmor.common import AppArmorBug`
aa-notify: Support regexes in userns_special_profiles It is now possible to use regexes to define special profiles. unpriv_.* is used by default. Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> 2025-07-10 16:46:40 +02:00			`from apparmor.notify import get_last_login_timestamp, get_last_login_timestamp_wtmp, sane_timestamp, get_event_special_type, set_userns_special_profile`
Add tests for get_event_type Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> 2025-07-09 16:25:55 +02:00			`from apparmor.logparser import ReadLog`
Order imports and module-level dunder name assignments. 2022-08-07 20:32:07 -04:00			`from common_test import AATest, setup_all_loops`
Add tests for sane_timestamp Ensure that pre-2000 and post-2050 dates get rejected, and something in between gets accepted. This also extends coverage to 100% - before, the post-2050 branch was not covered. 2021-10-24 15:29:25 +02:00
Fix most PEP 8 whitespace, indentation, and major line length violations. 2022-08-07 12:26:24 -04:00
Rename get_last_login_timestamp to get_last_login_timestamp_wtmp ... and add a wrapper function with the old name Also rename the tests to the new name, and create a copy with the original name. The copy will be adjusted to also check/expect lastlog2 results in a later commit. 2024-07-28 14:08:40 +02:00			`class TestGet_last_login_timestamp(AATest):`
			`tests = (`
Add support for lastlog2 to get last login lastlog2 is the 2038-safe replacement for wtmp, and in the meantime became part of util-linux. This commit switches from trying to parse the lastlog2 output to directly reading lastlog2.db with sqlite3. Adjust get_last_login_timestamp() to use the lastlog2 database (/var/lib/lastlog/lastlog2.db) if it exists, and adjust get_last_login_timestamp_lastlog2() to actually do that. (If lastlog2.db doesn't exist, aa-notify will read wtmp as usual.) Unfortunately lastlog2 doesn't have a way to get machine-readable output (for example json), therefore - after trying and failing to parse the lastlog2 output - directly read from lastlog2.db. Let's hope the format never changes ;-) Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1228378 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216660 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/372 2024-09-22 20:27:54 +02:00			`# wtmp file lastlog2 db user expected login timestamp`
			`(('wtmp-x86_64', 'lastlog2.db', 'root'), 1723749426), # Thu Aug 15 19:17:06 UTC 2024`
			`(('wtmp-x86_64', 'lastlog2.db', 'whoever'), 0),`
			`(('wtmp-x86_64', 'lastlog2.db', 'cb'), 1726995194), # Sun Sep 22 08:53:14 UTC 2024`
			`(('wtmp-x86_64', 'lastlog2.db', 'sddm'), 1721084423), # Mon Jul 15 23:00:23 UTC 2024`

			`(('wtmp-x86_64', 'does-not-exist', 'root'), 1635070346), # Sun Oct 24 12:12:26 CEST 2021`
			`(('wtmp-x86_64', 'does-not-exist', 'whoever'), 0),`

			`(('wtmp-s390x', 'lastlog2.db', 'root'), 1723749426), # Thu Aug 15 19:17:06 UTC 2024`
			`(('wtmp-s390x', 'lastlog2.db', 'whoever'), 0),`
			`(('wtmp-s390x', 'does-not-exist', 'linux1'), 1626368772), # Thu Jul 15 19:06:12 CEST 2021`
			`(('wtmp-s390x', 'does-not-exist', 'whoever'), 0),`

			`(('wtmp-aarch64', 'lastlog2.db', 'whoever'), 0),`
			`(('wtmp-aarch64', 'does-not-exist', 'guillaume'), 1611562789), # Mon Jan 25 09:19:49 CET 2021`
			`(('wtmp-aarch64', 'does-not-exist', 'whoever'), 0),`

			`(('wtmp-truncated', 'does-not-exist', 'root'), 0),`
			`(('wtmp-truncated', 'does-not-exist', 'whoever'), 0),`
Rename get_last_login_timestamp to get_last_login_timestamp_wtmp ... and add a wrapper function with the old name Also rename the tests to the new name, and create a copy with the original name. The copy will be adjusted to also check/expect lastlog2 results in a later commit. 2024-07-28 14:08:40 +02:00			`)`

			`def _run_test(self, params, expected):`
Add support for lastlog2 to get last login lastlog2 is the 2038-safe replacement for wtmp, and in the meantime became part of util-linux. This commit switches from trying to parse the lastlog2 output to directly reading lastlog2.db with sqlite3. Adjust get_last_login_timestamp() to use the lastlog2 database (/var/lib/lastlog/lastlog2.db) if it exists, and adjust get_last_login_timestamp_lastlog2() to actually do that. (If lastlog2.db doesn't exist, aa-notify will read wtmp as usual.) Unfortunately lastlog2 doesn't have a way to get machine-readable output (for example json), therefore - after trying and failing to parse the lastlog2 output - directly read from lastlog2.db. Let's hope the format never changes ;-) Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1228378 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216660 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/372 2024-09-22 20:27:54 +02:00			`wtmpdb, lastlog2_db, user = params`
			`wtmpdb = 'wtmp-examples/' + wtmpdb`
			`lastlog2_db = 'wtmp-examples/' + lastlog2_db`
			`self.assertEqual(get_last_login_timestamp(user, wtmpdb, lastlog2_db), expected)`
Rename get_last_login_timestamp to get_last_login_timestamp_wtmp ... and add a wrapper function with the old name Also rename the tests to the new name, and create a copy with the original name. The copy will be adjusted to also check/expect lastlog2 results in a later commit. 2024-07-28 14:08:40 +02:00
			`def test_date_1999(self):`
			`with self.assertRaises(AppArmorBug):`
			`# wtmp-x86_64-past is hand-edited to Thu Dec 30 00:00:00 CET 1999, which is outside the expected data range`
Add support for lastlog2 to get last login lastlog2 is the 2038-safe replacement for wtmp, and in the meantime became part of util-linux. This commit switches from trying to parse the lastlog2 output to directly reading lastlog2.db with sqlite3. Adjust get_last_login_timestamp() to use the lastlog2 database (/var/lib/lastlog/lastlog2.db) if it exists, and adjust get_last_login_timestamp_lastlog2() to actually do that. (If lastlog2.db doesn't exist, aa-notify will read wtmp as usual.) Unfortunately lastlog2 doesn't have a way to get machine-readable output (for example json), therefore - after trying and failing to parse the lastlog2 output - directly read from lastlog2.db. Let's hope the format never changes ;-) Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1228378 Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1216660 Fixes: https://gitlab.com/apparmor/apparmor/-/issues/372 2024-09-22 20:27:54 +02:00			`get_last_login_timestamp('root', 'wtmp-examples/wtmp-x86_64-past', 'wtmp-examples/does-not-exist')`
Rename get_last_login_timestamp to get_last_login_timestamp_wtmp ... and add a wrapper function with the old name Also rename the tests to the new name, and create a copy with the original name. The copy will be adjusted to also check/expect lastlog2 results in a later commit. 2024-07-28 14:08:40 +02:00

Add tests for sane_timestamp Ensure that pre-2000 and post-2050 dates get rejected, and something in between gets accepted. This also extends coverage to 100% - before, the post-2050 branch was not covered. 2021-10-24 15:29:25 +02:00			`class TestSane_timestamp(AATest):`
Speed up list creations, and change lists to tuples where appropriate.. 2022-06-18 14:30:49 -04:00			`tests = (`
Fix most PEP 8 whitespace, indentation, and major line length violations. 2022-08-07 12:26:24 -04:00			`(2524704400, False), # Sun Jan 2 03:46:40 CET 2050`
			`(944780400, False), # Fri Dec 10 00:00:00 CET 1999`
			`(1635026400, True), # Sun Oct 24 00:00:00 CEST 2021`
Speed up list creations, and change lists to tuples where appropriate.. 2022-06-18 14:30:49 -04:00			`)`
Add tests for sane_timestamp Ensure that pre-2000 and post-2050 dates get rejected, and something in between gets accepted. This also extends coverage to 100% - before, the post-2050 branch was not covered. 2021-10-24 15:29:25 +02:00
			`def _run_test(self, params, expected):`
			`self.assertEqual(sane_timestamp(params), expected)`
Add unittest for get_last_login_timestamp ... starting with a x86_64 wtmp example file 2021-10-24 13:10:25 +02:00
Fix most PEP 8 whitespace, indentation, and major line length violations. 2022-08-07 12:26:24 -04:00
Rename get_last_login_timestamp to get_last_login_timestamp_wtmp ... and add a wrapper function with the old name Also rename the tests to the new name, and create a copy with the original name. The copy will be adjusted to also check/expect lastlog2 results in a later commit. 2024-07-28 14:08:40 +02:00			`class TestGet_last_login_timestamp_wtmp(AATest):`
Speed up list creations, and change lists to tuples where appropriate.. 2022-06-18 14:30:49 -04:00			`tests = (`
Fix most PEP 8 whitespace, indentation, and major line length violations. 2022-08-07 12:26:24 -04:00			`(('wtmp-x86_64', 'root'), 1635070346), # Sun Oct 24 12:12:26 CEST 2021`
			`(('wtmp-x86_64', 'whoever'), 0),`
			`(('wtmp-s390x', 'root'), 1626368763), # Thu Jul 15 19:06:03 CEST 2021`
			`(('wtmp-s390x', 'linux1'), 1626368772), # Thu Jul 15 19:06:12 CEST 2021`
			`(('wtmp-s390x', 'whoever'), 0),`
			`(('wtmp-aarch64', 'guillaume'), 1611562789), # Mon Jan 25 09:19:49 CET 2021`
			`(('wtmp-aarch64', 'whoever'), 0),`
			`(('wtmp-truncated', 'root'), 0),`
			`(('wtmp-truncated', 'whoever'), 0),`
Speed up list creations, and change lists to tuples where appropriate.. 2022-06-18 14:30:49 -04:00			`)`
Add unittest for get_last_login_timestamp ... starting with a x86_64 wtmp example file 2021-10-24 13:10:25 +02:00
			`def _run_test(self, params, expected):`
			`filename, user = params`
Change string formatting method in Python tests 2023-02-19 16:26:14 -05:00			`filename = 'wtmp-examples/' + filename`
Rename get_last_login_timestamp to get_last_login_timestamp_wtmp ... and add a wrapper function with the old name Also rename the tests to the new name, and create a copy with the original name. The copy will be adjusted to also check/expect lastlog2 results in a later commit. 2024-07-28 14:08:40 +02:00			`self.assertEqual(get_last_login_timestamp_wtmp(user, filename), expected)`
Add unittest for get_last_login_timestamp ... starting with a x86_64 wtmp example file 2021-10-24 13:10:25 +02:00
Add truncated and ancient wtmp example to tests A too-small file can't contain something useful. Also, a wtmp file with a timestamp from pre-2000 is beyond what you'd expect on a 2021 system. 2021-10-24 15:26:26 +02:00			`def test_date_1999(self):`
			`with self.assertRaises(AppArmorBug):`
			`# wtmp-x86_64-past is hand-edited to Thu Dec 30 00:00:00 CET 1999, which is outside the expected data range`
Rename get_last_login_timestamp to get_last_login_timestamp_wtmp ... and add a wrapper function with the old name Also rename the tests to the new name, and create a copy with the original name. The copy will be adjusted to also check/expect lastlog2 results in a later commit. 2024-07-28 14:08:40 +02:00			`get_last_login_timestamp_wtmp('root', 'wtmp-examples/wtmp-x86_64-past')`
Add truncated and ancient wtmp example to tests A too-small file can't contain something useful. Also, a wtmp file with a timestamp from pre-2000 is beyond what you'd expect on a 2021 system. 2021-10-24 15:26:26 +02:00
Add unittest for get_last_login_timestamp ... starting with a x86_64 wtmp example file 2021-10-24 13:10:25 +02:00
Add tests for get_event_type Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> 2025-07-09 16:25:55 +02:00			`class TestEventSpecialType(AATest):`
aa-notify: Support regexes in userns_special_profiles It is now possible to use regexes to define special profiles. unpriv_.* is used by default. Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> 2025-07-10 16:46:40 +02:00			`userns_special_profiles = set_userns_special_profile(['unconfined', 'unprivileged_userns', 'unpriv_.*'])`
Add tests for get_event_type Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> 2025-07-09 16:25:55 +02:00			`parser = ReadLog('', '', '')`
			`tests = (`
			`('[ 176.385388] audit: type=1400 audit(1666891380.570:78): apparmor="DENIED" operation="userns_create" class="namespace" profile="/usr/bin/bwrap-userns-restrict" pid=1785 comm="userns_child_ex" requested="userns_create" denied="userns_create"', 'normal'),`
			`('[ 839.488169] audit: type=1400 audit(1752065668.819:208): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=12124 comm="unshare" requested="userns_create" denied="userns_create" target="unprivileged_userns"', 'userns_denied'),`
			`('[ 429.272003] audit: type=1400 audit(1720613712.153:168): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=5630 comm="unshare" requested="userns_create" target="unprivileged_userns" execpath="/usr/bin/unshare"', 'userns_change_profile'),`
			`('[ 52.901383] audit: type=1400 audit(1752064882.228:82): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=6700 comm="electron" capability=21 capname="sys_admin"', 'userns_capable'),`
			`('Jul 31 17:11:16 dbusdev-saucy-amd64 dbus[1692]: apparmor="DENIED" operation="dbus_bind" bus="session" name="com.apparmor.Test" mask="bind" pid=2940 profile="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service"', 'normal'),`
			`('[103975.623545] audit: type=1400 audit(1481284511.494:2807): apparmor="DENIED" operation="change_onexec" info="no new privs" error=-1 namespace="root//lxd-tor_<var-lib-lxd>" profile="unconfined" name="system_tor" pid=18593 comm="(tor)" target="system_tor"', 'userns_change_profile'),`
aa-notify: Support regexes in userns_special_profiles It is now possible to use regexes to define special profiles. unpriv_.* is used by default. Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> 2025-07-10 16:46:40 +02:00			`('[78661.551820] audit: type=1400 audit(1752661047.170:350): apparmor="DENIED" operation="capable" class="cap" profile="unpriv_bwrap" pid=1412550 comm="node" capability=21 capname="sys_admin"', 'userns_capable'),`
Add tests for get_event_type Signed-off-by: Maxime Bélair <maxime.belair@canonical.com> 2025-07-09 16:25:55 +02:00			`)`

			`def _run_test(self, ev, expected):`
			`parsed_event = self.parser.parse_event(ev)`
			`r = self.parser.create_rule_from_ev(parsed_event)`
			`self.assertIsNotNone(r)`

			`real_type = get_event_special_type(parsed_event, self.userns_special_profiles)`
			`self.assertEqual(expected, real_type,`
			`"ev {}: {} != {}".format(ev, expected, real_type))`

			`def test_invalid(self):`
			`ev = 'type=AVC msg=audit(1333698107.128:273917): apparmor="DENIED" operation="recvmsg" parent=1596 profile="unprivileged_userns" pid=1875 comm="nc" laddr=::ffff:127.0.0.1 lport=2048 faddr=::ffff:127.0.0.1 fport=59180 family="inet6" sock_type="stream" protocol=6'`
			`parsed_event = self.parser.parse_event(ev)`
			`parsed_event['comm'] = 'something' # Artificially crafted invalid event`
			`with self.assertRaises(AppArmorBug):`
			`get_event_special_type(parsed_event, self.userns_special_profiles)`


Add unittest for get_last_login_timestamp ... starting with a x86_64 wtmp example file 2021-10-24 13:10:25 +02:00			`setup_all_loops(__name__)`
			`if __name__ == '__main__':`
			`unittest.main(verbosity=1)`