apparmor/utils/test/test-logparser.py

# ----------------------------------------------------------------------
#    Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>
#    Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License as published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
# ----------------------------------------------------------------------
import unittest

from apparmor.logparser import ReadLog

class TestParseEvent(unittest.TestCase):
    def setUp(self):
        self.parser = ReadLog('', '', '', '', '')

    def test_parse_event_audit_1(self):
        event = 'type=AVC msg=audit(1345027352.096:499): apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30'
        parsed_event = self.parser.parse_event(event)
        self.assertEqual(parsed_event['name'], '/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg')
        self.assertEqual(parsed_event['profile'], '/usr/sbin/httpd2-prefork//vhost_foo')
        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
        self.assertEqual(parsed_event['request_mask'], set(['w', 'a', '::w', '::a']))

        self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event))
        self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event))

    def test_parse_event_audit_2(self):
        event = 'type=AVC msg=audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000'
        parsed_event = self.parser.parse_event(event)
        self.assertEqual(parsed_event['name'], '/home/foo/.bash_history')
        self.assertEqual(parsed_event['profile'], 'foo bar')
        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
        self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a','::r' , '::w', '::a']))

        self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event))
        self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event))

    def test_parse_event_syslog_1(self):
        # from https://bugs.launchpad.net/apparmor/+bug/1399027
        event = '2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0'
        parsed_event = self.parser.parse_event(event)
        self.assertEqual(parsed_event['name'], '/dev/tty')
        self.assertEqual(parsed_event['profile'], '/home/cb/linuxtag/apparmor/scripts/hello')
        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
        self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a', '::r', '::w', '::a']))

        self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event))
        self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event))

    def test_parse_event_syslog_2(self):
        # from https://bugs.launchpad.net/apparmor/+bug/1399027
        event = 'Dec  7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'
        parsed_event = self.parser.parse_event(event)
        self.assertEqual(parsed_event['name'], '/usr/bin/')
        self.assertEqual(parsed_event['profile'], '/home/simi/bin/aa-test')
        self.assertEqual(parsed_event['aamode'], 'PERMITTING')
        self.assertEqual(parsed_event['request_mask'], set(['r', '::r']))

        self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event))
        self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event))


if __name__ == "__main__":
    unittest.main(verbosity=2)
Add some tests for logparser.py based on the log lines from https://bugs.launchpad.net/apparmor/+bug/1399027 Also move some existing tests from aa_test.py to test-logparser.py and adds checks for RE_LOG_v2_6_audit and RE_LOG_v2_6_syslog to them. Acked-by: Steve Beattie <steve@nxnw.org> for trunk and 2.9 2015-01-18 14:55:15 +01:00			`# ----------------------------------------------------------------------`
			`# Copyright (C) 2013 Kshitij Gupta <kgupta8592@gmail.com>`
			`# Copyright (C) 2015 Christian Boltz <apparmor@cboltz.de>`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of version 2 of the GNU General Public`
			`# License as published by the Free Software Foundation.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# ----------------------------------------------------------------------`
			`import unittest`

			`from apparmor.logparser import ReadLog`

			`class TestParseEvent(unittest.TestCase):`
			`def setUp(self):`
			`self.parser = ReadLog('', '', '', '', '')`

			`def test_parse_event_audit_1(self):`
			`event = 'type=AVC msg=audit(1345027352.096:499): apparmor="ALLOWED" operation="rename_dest" parent=6974 profile="/usr/sbin/httpd2-prefork//vhost_foo" name=2F686F6D652F7777772F666F6F2E6261722E696E2F68747470646F63732F61707061726D6F722F696D616765732F746573742F696D61676520312E6A7067 pid=20143 comm="httpd2-prefork" requested_mask="wc" denied_mask="wc" fsuid=30 ouid=30'`
			`parsed_event = self.parser.parse_event(event)`
			`self.assertEqual(parsed_event['name'], '/home/www/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg')`
			`self.assertEqual(parsed_event['profile'], '/usr/sbin/httpd2-prefork//vhost_foo')`
			`self.assertEqual(parsed_event['aamode'], 'PERMITTING')`
			`self.assertEqual(parsed_event['request_mask'], set(['w', 'a', '::w', '::a']))`

			`self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event))`
			`self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event))`

			`def test_parse_event_audit_2(self):`
			`event = 'type=AVC msg=audit(1322614918.292:4376): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000'`
			`parsed_event = self.parser.parse_event(event)`
			`self.assertEqual(parsed_event['name'], '/home/foo/.bash_history')`
			`self.assertEqual(parsed_event['profile'], 'foo bar')`
			`self.assertEqual(parsed_event['aamode'], 'PERMITTING')`
			`self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a','::r' , '::w', '::a']))`

			`self.assertIsNotNone(ReadLog.RE_LOG_v2_6_audit.search(event))`
			`self.assertIsNone(ReadLog.RE_LOG_v2_6_syslog.search(event))`

			`def test_parse_event_syslog_1(self):`
			`# from https://bugs.launchpad.net/apparmor/+bug/1399027`
			`event = '2014-06-09T20:37:28.975070+02:00 geeko kernel: [21028.143765] type=1400 audit(1402339048.973:1421): apparmor="ALLOWED" operation="open" profile="/home/cb/linuxtag/apparmor/scripts/hello" name="/dev/tty" pid=14335 comm="hello" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0'`
			`parsed_event = self.parser.parse_event(event)`
			`self.assertEqual(parsed_event['name'], '/dev/tty')`
			`self.assertEqual(parsed_event['profile'], '/home/cb/linuxtag/apparmor/scripts/hello')`
			`self.assertEqual(parsed_event['aamode'], 'PERMITTING')`
			`self.assertEqual(parsed_event['request_mask'], set(['r', 'w', 'a', '::r', '::w', '::a']))`

			`self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event))`
			`self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event))`

			`def test_parse_event_syslog_2(self):`
			`# from https://bugs.launchpad.net/apparmor/+bug/1399027`
			`event = 'Dec 7 13:18:59 rosa kernel: audit: type=1400 audit(1417954745.397:82): apparmor="ALLOWED" operation="open" profile="/home/simi/bin/aa-test" name="/usr/bin/" pid=3231 comm="ls" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'`
			`parsed_event = self.parser.parse_event(event)`
			`self.assertEqual(parsed_event['name'], '/usr/bin/')`
			`self.assertEqual(parsed_event['profile'], '/home/simi/bin/aa-test')`
			`self.assertEqual(parsed_event['aamode'], 'PERMITTING')`
			`self.assertEqual(parsed_event['request_mask'], set(['r', '::r']))`

			`self.assertIsNone(ReadLog.RE_LOG_v2_6_audit.search(event))`
			`self.assertIsNotNone(ReadLog.RE_LOG_v2_6_syslog.search(event))`


			`if __name__ == "__main__":`
			`unittest.main(verbosity=2)`