utils: add limited support for af_unix rules

This patch adds limited support for af_unix rules in the python utilities, of the "don't touch them, but don't throw a python backtrace when coming across them, either" variety. Testcases are added as well. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Christian Boltz <apparmor@cboltz.de>
2025-08-31 06:16:03 +00:00 · 2014-09-03 18:18:33 -07:00
parent 9e4c01f8d3
commit 6d34893d4d
4 changed files with 133 additions and 1 deletions
--- a/utils/test/test-regex_matches.py
+++ b/utils/test/test-regex_matches.py
@@ -58,6 +58,12 @@ regex_has_comma_testcases = [
    ('pivot_root /old new%s', 'pivot_root with new'),
    ('pivot_root /old /new -> child%s', 'pivot_root with child'),

+    ('unix%s', 'bare unix'),
+    ('unix create%s', 'simple unix'),
+    ('peer=(addr=@abad1dea,label=a_profile) %s ', 'peer parens and comma'),
+    ('type=stream%s', 'unix type'),
+    ('unix (connect, receive, send)%s', 'unix perms'),
+
    # the following fail due to inadequacies in the regex
    # ('dbus (r, w, %s', 'incomplete dbus action'),
    # ('member="{Hello,AddMatch,RemoveMatch, %s', 'incomplete {} regex'),  # also invalid policy
@@ -334,6 +340,31 @@ class AARegexPivotRoot(unittest.TestCase):
        ('pivot_rootbeer /new, # comment', False),
    ]

+class AARegexUnix(unittest.TestCase):
+    '''Tests for RE_PROFILE_UNIX'''
+
+    def setUp(self):
+        self.regex = aa.RE_PROFILE_UNIX
+
+    tests = [
+        ('   unix,', (None, None, 'unix,', None)),
+        ('   audit unix,', ('audit', None, 'unix,', None)),
+        ('   unix accept,', (None, None, 'unix accept,', None)),
+        ('   allow unix connect,', (None, 'allow', 'unix connect,', None)),
+        ('   audit allow unix bind,', ('audit', 'allow', 'unix bind,', None)),
+        ('   deny unix bind,', (None, 'deny', 'unix bind,', None)),
+        ('unix peer=(label=@{profile_name}),',
+         (None, None, 'unix peer=(label=@{profile_name}),', None)),
+        ('unix (receive) peer=(label=unconfined),',
+         (None, None, 'unix (receive) peer=(label=unconfined),', None)),
+        (' unix (getattr, shutdown) peer=(addr=none),',
+         (None, None, 'unix (getattr, shutdown) peer=(addr=none),', None)),
+        ('unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*"),',
+         (None, None, 'unix (connect, receive, send) type=stream peer=(label=unconfined,addr="@/tmp/dbus-*"),', None)),
+        ('unixlike', False),
+        ('deny unixlike,', False),
+    ]
+
 if __name__ == '__main__':
    verbosity = 2

@@ -345,7 +376,7 @@ if __name__ == '__main__':
    test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(AARegexSplitComment))

    for tests in (AARegexCapability, AARegexPath, AARegexBareFile,
-                  AARegexDbus, AARegexMount,
+                  AARegexDbus, AARegexMount, AARegexUnix,
                  AARegexSignal, AARegexPtrace, AARegexPivotRoot):
        setup_regex_tests(tests)
        test_suite.addTest(unittest.TestLoader().loadTestsFromTestCase(tests))