test exec events/rules in test-libapparmor-test_multi.py

So far, exec events were accidentally skipped in test-libapparmor-test_multi.py because aa[profile][hat] was not initialized, and ask_exec() exited early because of this. Initialize aa[profile][hat] in the test to fix this. To avoid that someone needs to select "inherit" each time the tests run, add an optional default_ans parameter to ask_exec(), and let the test call it with 'CMD_ix'. (In case you wonder - defaulting to CMD_cx would ask to sanitize the environment. CMD_ix avoids this.) Also, we have to copy over aa[profile][hat] to log_dict in the test because ask_exec() modifies aa[...], but the test only checks its local log_dict. Finally, add the expected exec rules to the *.profile files
2025-08-22 10:07:12 +00:00 · 2024-10-20 22:42:18 +02:00 · 2024-10-20 22:42:18 +02:00 · 02e2ce0ad9
commit 02e2ce0ad9
parent 5d0fd65a69
4 changed files with 21 additions and 4 deletions
--- a/libraries/libapparmor/testsuite/test_multi/exec01.profile
+++ b/libraries/libapparmor/testsuite/test_multi/exec01.profile
@ -1,2 +1,4 @@
 /home/cb/bin/hello.sh {
+  /usr/bin/rm mrix,
+
 }
--- a/libraries/libapparmor/testsuite/test_multi/exec02.profile
+++ b/libraries/libapparmor/testsuite/test_multi/exec02.profile
@ -1,2 +1,4 @@
 /usr/bin/wireshark {
+  /usr/lib64/wireshark/extcap/androiddump mrix,
+
 }
--- a/utils/apparmor/aa.py
+++ b/utils/apparmor/aa.py
@ -728,7 +728,7 @@ def ask_addhat(hashlog):
                    continue


-def ask_exec(hashlog):
+def ask_exec(hashlog, default_ans=''):
    """ask the user about exec events (requests to execute another program) and which exec mode to use"""

    for aamode in hashlog:
@ -816,6 +816,9 @@ def ask_exec(hashlog):
                    # ask user about the exec mode to use
                    ans = ''
                    while ans not in ('CMD_ix', 'CMD_px', 'CMD_cx', 'CMD_nx', 'CMD_pix', 'CMD_cix', 'CMD_nix', 'CMD_ux', 'CMD_DENY'):  # add '(I)gnore'? (hotkey conflict with '(i)x'!)
+                        if default_ans:
+                            ans = default_ans
+                        else:
                            ans = q.promptUser()[0]

                        if ans.startswith('CMD_EXEC_IX_'):
--- a/utils/test/test-libapparmor-test_multi.py
+++ b/utils/test/test-libapparmor-test_multi.py
@ -222,8 +222,9 @@ def logfile_to_profile(logfile):
    # cleanup apparmor.aa storage
    apparmor.aa.reset_aa()

-    profile, hat = split_name(parsed_event['profile'])
+    apparmor.aa.load_sev_db()

+    profile, hat = split_name(parsed_event['profile'])

    dummy_prof = apparmor.aa.ProfileStorage('TEST DUMMY for active_profiles', profile_dummy_file, 'logprof_to_profile()')

@ -233,14 +234,23 @@ def logfile_to_profile(logfile):
    # else:
    apparmor.aa.active_profiles.add_profile(profile_dummy_file, profile, '', dummy_prof)

+    apparmor.aa.aa[profile] = {}
+    apparmor.aa.aa[profile][hat] = dummy_prof
+
    log_reader = ReadLog(logfile, apparmor.aa.active_profiles, '')
    hashlog = log_reader.read_log('')

-    apparmor.aa.ask_exec(hashlog)
+    apparmor.aa.ask_exec(hashlog, 'CMD_ix')
    apparmor.aa.ask_addhat(hashlog)

    log_dict = apparmor.aa.collapse_log(hashlog, ignore_null_profiles=False)

+    # ask_exec modifies 'aa', not log_dict. "transfer" exec rules from 'aa' to log_dict
+    for tmpaamode in hashlog:
+        for tmpprofile in hashlog[tmpaamode]:
+            for rule_obj in apparmor.aa.aa[profile][hat]['file'].rules:
+                log_dict[tmpaamode][tmpprofile]['file'].add(rule_obj)
+
    if list(log_dict[aamode].keys()) != [parsed_event['profile']]:
        raise Exception('log_dict[{}] contains unexpected keys. Logfile: {}, keys {}'.format(aamode, logfile, log_dict.keys()))