mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-05 00:35:13 +00:00
Code Issues Releases Wiki Activity

Fix most PEP 8 whitespace, indentation, and major line length violations.

Browse Source
This commit is contained in:
Mark Grassi
2022-08-07 12:26:24 -04:00
parent e4f88cc3a8
commit 96f7121944
86 changed files with 4530 additions and 3784 deletions
Download Patch File Download Diff File Expand all files Collapse all files

488
utils/test/test-signal.py
View File

@@ -24,11 +24,13 @@ from apparmor.logparser import ReadLog
from apparmor.translations import init_translation
_ = init_translation()
exp = namedtuple('exp', ('audit', 'allow_keyword', 'deny', 'comment',
'access', 'all_access', 'signal', 'all_signals', 'peer', 'all_peers'))
exp = namedtuple(
'exp', ('audit', 'allow_keyword', 'deny', 'comment',
'access', 'all_access', 'signal', 'all_signals', 'peer', 'all_peers'))
# --- tests for single SignalRule --- #
class SignalTest(AATest):
def _compare_obj(self, obj, expected):
self.assertEqual(expected.allow_keyword, obj.allow_keyword)
@@ -45,22 +47,23 @@ class SignalTest(AATest):
self.assertEqual(expected.deny, obj.deny)
self.assertEqual(expected.comment, obj.comment)
class SignalTestParse(SignalTest):
tests = (
# SignalRule object audit allow deny comment access all? signal all? peer all?
('signal,' , exp(False, False, False, '', None , True , None, True, None, True )),
('signal send,' , exp(False, False, False, '', {'send'}, False, None, True, None, True )),
('signal (send, receive),' , exp(False, False, False, '', {'send', 'receive'}, False, None, True, None, True )),
('signal send set=quit,' , exp(False, False, False, '', {'send'}, False, {'quit'}, False, None, True )),
('deny signal send set=quit, # cmt' , exp(False, False, True , ' # cmt', {'send'}, False, {'quit'}, False, None, True )),
('audit allow signal set=int,' , exp(True , True , False, '', None , True , {'int'}, False, None, True )),
('signal set=quit peer=unconfined,' , exp(False, False, False, '', None , True , {'quit'}, False, 'unconfined', False )),
('signal send set=(quit),' , exp(False, False, False, '', {'send'}, False, {'quit'}, False, None, True )),
('signal send set=(quit, int),' , exp(False, False, False, '', {'send'}, False, {'quit', 'int'}, False, None, True )),
('signal set=(quit, int),' , exp(False, False, False, '', None, True, {'quit', 'int'}, False, None, True )),
('signal send set = ( quit , int ) ,' , exp(False, False, False, '', {'send'}, False, {'quit', 'int'}, False, None, True )),
('signal peer=/foo,' , exp(False, False, False, '', None , True , None, True, '/foo', False )),
('signal r set=quit set=int peer=/foo,' , exp(False, False, False, '', {'r'}, False, {'quit', 'int'}, False, '/foo', False )),
# SignalRule object audit allow deny comment access all? signal all? peer all?
('signal,', exp(False, False, False, '', None, True, None, True, None, True)),
('signal send,', exp(False, False, False, '', {'send'}, False, None, True, None, True)),
('signal (send, receive),', exp(False, False, False, '', {'send', 'receive'}, False, None, True, None, True)),
('signal send set=quit,', exp(False, False, False, '', {'send'}, False, {'quit'}, False, None, True)),
('deny signal send set=quit, # cmt', exp(False, False, True, ' # cmt', {'send'}, False, {'quit'}, False, None, True)),
('audit allow signal set=int,', exp(True, True, False, '', None, True, {'int'}, False, None, True)),
('signal set=quit peer=unconfined,', exp(False, False, False, '', None, True, {'quit'}, False, 'unconfined', False)),
('signal send set=(quit),', exp(False, False, False, '', {'send'}, False, {'quit'}, False, None, True)),
('signal send set=(quit, int),', exp(False, False, False, '', {'send'}, False, {'quit', 'int'}, False, None, True)),
('signal set=(quit, int),', exp(False, False, False, '', None, True, {'quit', 'int'}, False, None, True)),
('signal send set = ( quit , int ) ,', exp(False, False, False, '', {'send'}, False, {'quit', 'int'}, False, None, True)),
('signal peer=/foo,', exp(False, False, False, '', None, True, None, True, '/foo', False)),
('signal r set=quit set=int peer=/foo,', exp(False, False, False, '', {'r'}, False, {'quit', 'int'}, False, '/foo', False)),
)
def _run_test(self, rawrule, expected):
@@ -69,17 +72,18 @@ class SignalTestParse(SignalTest):
self.assertEqual(rawrule.strip(), obj.raw_rule)
self._compare_obj(obj, expected)
class SignalTestParseInvalid(SignalTest):
tests = (
('signal foo,' , AppArmorException),
('signal foo bar,' , AppArmorException),
('signal foo int,' , AppArmorException),
('signal send bar,' , AppArmorException),
('signal send receive,' , AppArmorException),
('signal set=,' , AppArmorException),
('signal set=int set=,' , AppArmorException),
('signal set=invalid,' , AppArmorException),
('signal peer=,' , AppArmorException),
('signal foo,', AppArmorException),
('signal foo bar,', AppArmorException),
('signal foo int,', AppArmorException),
('signal send bar,', AppArmorException),
('signal send receive,', AppArmorException),
('signal set=,', AppArmorException),
('signal set=int set=,', AppArmorException),
('signal set=invalid,', AppArmorException),
('signal peer=,', AppArmorException),
)
def _run_test(self, rawrule, expected):
@@ -87,6 +91,7 @@ class SignalTestParseInvalid(SignalTest):
with self.assertRaises(expected):
SignalRule.parse(rawrule)
class SignalTestParseFromLog(SignalTest):
def test_signal_from_log(self):
parser = ReadLog('', '', '')
@@ -121,45 +126,47 @@ class SignalTestParseFromLog(SignalTest):
obj = SignalRule(parsed_event['denied_mask'], parsed_event['signal'], parsed_event['peer'], log_event=parsed_event)
# audit allow deny comment access all? signal all? peer all?
expected = exp(False, False, False, '', {'send'}, False, {'term'}, False, '/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper', False)
# audit allow deny comment access all? signal all? peer all?
expected = exp(False, False, False, '', {'send'}, False, {'term'}, False, '/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper', False)
self._compare_obj(obj, expected)
self.assertEqual(obj.get_raw(1), ' signal send set=term peer=/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper,')
class SignalFromInit(SignalTest):
tests = (
# SignalRule object audit allow deny comment access all? signal all? peer all?
(SignalRule('r', 'hup', 'unconfined', deny=True) , exp(False, False, True , '' , {'r'}, False, {'hup'}, False, 'unconfined', False)),
(SignalRule(('r', 'send'), ('hup', 'int'), '/bin/foo') , exp(False, False, False, '' , {'r', 'send'},False, {'hup', 'int'}, False, '/bin/foo', False)),
(SignalRule(SignalRule.ALL, 'int', '/bin/foo') , exp(False, False, False, '' , None, True, {'int'}, False, '/bin/foo', False )),
(SignalRule('rw', SignalRule.ALL, '/bin/foo') , exp(False, False, False, '' , {'rw'}, False, None, True, '/bin/foo', False )),
(SignalRule('rw', ('int'), SignalRule.ALL) , exp(False, False, False, '' , {'rw'}, False, {'int'}, False, None, True )),
(SignalRule(SignalRule.ALL, SignalRule.ALL, SignalRule.ALL) , exp(False, False, False, '' , None , True, None, True, None, True )),
# SignalRule object audit allow deny comment access all? signal all? peer all?
(SignalRule('r', 'hup', 'unconfined', deny=True), exp(False, False, True, '', {'r'}, False, {'hup'}, False, 'unconfined', False)),
(SignalRule(('r', 'send'), ('hup', 'int'), '/bin/foo'), exp(False, False, False, '', {'r', 'send'}, False, {'hup', 'int'}, False, '/bin/foo', False)),
(SignalRule(SignalRule.ALL, 'int', '/bin/foo'), exp(False, False, False, '', None, True, {'int'}, False, '/bin/foo', False)),
(SignalRule('rw', SignalRule.ALL, '/bin/foo'), exp(False, False, False, '', {'rw'}, False, None, True, '/bin/foo', False)),
(SignalRule('rw', ('int'), SignalRule.ALL), exp(False, False, False, '', {'rw'}, False, {'int'}, False, None, True)),
(SignalRule(SignalRule.ALL, SignalRule.ALL, SignalRule.ALL), exp(False, False, False, '', None, True, None, True, None, True)),
)
def _run_test(self, obj, expected):
self._compare_obj(obj, expected)
class InvalidSignalInit(AATest):
tests = (
# init params expected exception
(('send', '' , '/foo' ) , AppArmorBug), # empty signal
(('' , 'int' , '/foo' ) , AppArmorBug), # empty access
(('send', 'int' , '' ) , AppArmorBug), # empty peer
((' ', 'int' , '/foo' ) , AppArmorBug), # whitespace access
(('send', ' ' , '/foo' ) , AppArmorBug), # whitespace signal
(('send', 'int' , ' ' ) , AppArmorBug), # whitespace peer
(('xyxy', 'int' , '/foo' ) , AppArmorException), # invalid access
(('send', 'xyxy', '/foo' ) , AppArmorException), # invalid signal
(('send', '', '/foo'), AppArmorBug), # empty signal
(('', 'int', '/foo'), AppArmorBug), # empty access
(('send', 'int', ''), AppArmorBug), # empty peer
((' ', 'int', '/foo'), AppArmorBug), # whitespace access
(('send', ' ', '/foo'), AppArmorBug), # whitespace signal
(('send', 'int', ' '), AppArmorBug), # whitespace peer
(('xyxy', 'int', '/foo'), AppArmorException), # invalid access
(('send', 'xyxy', '/foo'), AppArmorException), # invalid signal
# XXX is 'invalid peer' possible at all?
((dict(), 'int' , '/foo' ) , AppArmorBug), # wrong type for access
((None , 'int' , '/foo' ) , AppArmorBug), # wrong type for access
(('send', dict(), '/foo' ) , AppArmorBug), # wrong type for signal
(('send', None , '/foo' ) , AppArmorBug), # wrong type for signal
(('send', 'int' , dict() ) , AppArmorBug), # wrong type for peer
(('send', 'int' , None ) , AppArmorBug), # wrong type for peer
((dict(), 'int', '/foo'), AppArmorBug), # wrong type for access
((None, 'int', '/foo'), AppArmorBug), # wrong type for access
(('send', dict(), '/foo'), AppArmorBug), # wrong type for signal
(('send', None, '/foo'), AppArmorBug), # wrong type for signal
(('send', 'int', dict()), AppArmorBug), # wrong type for peer
(('send', 'int', None), AppArmorBug), # wrong type for peer
)
def _run_test(self, params, expected):
@@ -178,6 +185,7 @@ class InvalidSignalInit(AATest):
with self.assertRaises(TypeError):
SignalRule('r', 'int')
class InvalidSignalTest(AATest):
def _check_invalid_rawrule(self, rawrule):
obj = None
@@ -226,30 +234,30 @@ class WriteSignalTestAATest(AATest):
self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule')
tests = (
# raw rule clean rule
(' signal , # foo ' , 'signal, # foo'),
(' audit signal send,' , 'audit signal send,'),
(' audit signal (send ),' , 'audit signal send,'),
(' audit signal (send , receive ),' , 'audit signal (receive send),'),
(' deny signal send set=quit,# foo bar' , 'deny signal send set=quit, # foo bar'),
(' deny signal send set=(quit), ' , 'deny signal send set=quit,'),
(' deny signal send set=(int , quit),' , 'deny signal send set=(int quit),'),
(' deny signal send set=(quit, int ),' , 'deny signal send set=(int quit),'),
(' deny signal send ,# foo bar' , 'deny signal send, # foo bar'),
(' allow signal set=int ,# foo bar' , 'allow signal set=int, # foo bar'),
('signal,' , 'signal,'),
('signal (receive),' , 'signal receive,'),
('signal (send),' , 'signal send,'),
('signal (send receive),' , 'signal (receive send),'),
('signal r,' , 'signal r,'),
('signal w,' , 'signal w,'),
('signal rw,' , 'signal rw,'),
('signal send set=("hup"),' , 'signal send set=hup,'),
('signal (receive) set=kill,' , 'signal receive set=kill,'),
('signal w set=(quit int),' , 'signal w set=(int quit),'),
('signal receive peer=foo,' , 'signal receive peer=foo,'),
('signal (send receive) peer=/usr/bin/bar,' , 'signal (receive send) peer=/usr/bin/bar,'),
('signal wr set=(pipe, usr1) peer=/sbin/baz,' , 'signal wr set=(pipe usr1) peer=/sbin/baz,'),
# raw rule clean rule
(' signal , # foo ', 'signal, # foo'),
(' audit signal send,', 'audit signal send,'),
(' audit signal (send ),', 'audit signal send,'),
(' audit signal (send , receive ),', 'audit signal (receive send),'),
(' deny signal send set=quit,# foo bar', 'deny signal send set=quit, # foo bar'),
(' deny signal send set=(quit), ', 'deny signal send set=quit,'),
(' deny signal send set=(int , quit),', 'deny signal send set=(int quit),'),
(' deny signal send set=(quit, int ),', 'deny signal send set=(int quit),'),
(' deny signal send ,# foo bar', 'deny signal send, # foo bar'),
(' allow signal set=int ,# foo bar', 'allow signal set=int, # foo bar'),
('signal,', 'signal,'),
('signal (receive),', 'signal receive,'),
('signal (send),', 'signal send,'),
('signal (send receive),', 'signal (receive send),'),
('signal r,', 'signal r,'),
('signal w,', 'signal w,'),
('signal rw,', 'signal rw,'),
('signal send set=("hup"),', 'signal send set=hup,'),
('signal (receive) set=kill,', 'signal receive set=kill,'),
('signal w set=(quit int),', 'signal w set=(int quit),'),
('signal receive peer=foo,', 'signal receive peer=foo,'),
('signal (send receive) peer=/usr/bin/bar,', 'signal (receive send) peer=/usr/bin/bar,'),
('signal wr set=(pipe, usr1) peer=/sbin/baz,', 'signal wr set=(pipe usr1) peer=/sbin/baz,'),
)
def test_write_manually(self):
@@ -268,209 +276,225 @@ class SignalCoveredTest(AATest):
self.assertTrue(SignalRule.match(param))
self.assertEqual(obj.is_equal(check_obj), expected[0], 'Mismatch in is_equal, expected %s' % expected[0])
self.assertEqual(obj.is_equal(check_obj, True), expected[1], 'Mismatch in is_equal/strict, expected %s' % expected[1])
self.assertEqual(
obj.is_equal(check_obj), expected[0],
'Mismatch in is_equal, expected %s' % expected[0])
self.assertEqual(
obj.is_equal(check_obj, True), expected[1],
'Mismatch in is_equal/strict, expected %s' % expected[1])
self.assertEqual(
obj.is_covered(check_obj), expected[2],
'Mismatch in is_covered, expected %s' % expected[2])
self.assertEqual(
obj.is_covered(check_obj, True, True), expected[3],
'Mismatch in is_covered/exact, expected %s' % expected[3])
self.assertEqual(obj.is_covered(check_obj), expected[2], 'Mismatch in is_covered, expected %s' % expected[2])
self.assertEqual(obj.is_covered(check_obj, True, True), expected[3], 'Mismatch in is_covered/exact, expected %s' % expected[3])
class SignalCoveredTest_01(SignalCoveredTest):
rule = 'signal send,'
tests = (
# rule equal strict equal covered covered exact
('signal,' , ( False , False , False , False )),
('signal send,' , ( True , True , True , True )),
('signal send peer=unconfined,' , ( False , False , True , True )),
('signal send, # comment' , ( True , False , True , True )),
('allow signal send,' , ( True , False , True , True )),
('signal send,' , ( True , False , True , True )),
('signal send set=quit,' , ( False , False , True , True )),
('signal send set=int,' , ( False , False , True , True )),
('audit signal send,' , ( False , False , False , False )),
('audit signal,' , ( False , False , False , False )),
('signal receive,' , ( False , False , False , False )),
('signal set=int,' , ( False , False , False , False )),
('audit deny signal send,' , ( False , False , False , False )),
('deny signal send,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
('signal,', (False, False, False, False)),
('signal send,', (True, True, True, True)),
('signal send peer=unconfined,', (False, False, True, True)),
('signal send, # comment', (True, False, True, True)),
('allow signal send,', (True, False, True, True)),
('signal send,', (True, False, True, True)),
('signal send set=quit,', (False, False, True, True)),
('signal send set=int,', (False, False, True, True)),
('audit signal send,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('signal receive,', (False, False, False, False)),
('signal set=int,', (False, False, False, False)),
('audit deny signal send,', (False, False, False, False)),
('deny signal send,', (False, False, False, False)),
)
class SignalCoveredTest_02(SignalCoveredTest):
rule = 'audit signal send,'
tests = (
# rule equal strict equal covered covered exact
( 'signal send,' , ( False , False , True , False )),
('audit signal send,' , ( True , True , True , True )),
( 'signal send set=quit,' , ( False , False , True , False )),
('audit signal send set=quit,' , ( False , False , True , True )),
( 'signal,' , ( False , False , False , False )),
('audit signal,' , ( False , False , False , False )),
('signal receive,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
( 'signal send,', (False, False, True, False)),
('audit signal send,', (True, True, True, True)),
( 'signal send set=quit,', (False, False, True, False)),
('audit signal send set=quit,', (False, False, True, True)),
( 'signal,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('signal receive,', (False, False, False, False)),
)
class SignalCoveredTest_03(SignalCoveredTest):
rule = 'signal send set=quit,'
tests = (
# rule equal strict equal covered covered exact
( 'signal send set=quit,' , ( True , True , True , True )),
('allow signal send set=quit,' , ( True , False , True , True )),
( 'signal send,' , ( False , False , False , False )),
( 'signal,' , ( False , False , False , False )),
( 'signal send set=int,' , ( False , False , False , False )),
('audit signal,' , ( False , False , False , False )),
('audit signal send set=quit,' , ( False , False , False , False )),
('audit signal set=quit,' , ( False , False , False , False )),
( 'signal send,' , ( False , False , False , False )),
( 'signal,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
( 'signal send set=quit,', (True, True, True, True)),
('allow signal send set=quit,', (True, False, True, True)),
( 'signal send,', (False, False, False, False)),
( 'signal,', (False, False, False, False)),
( 'signal send set=int,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('audit signal send set=quit,', (False, False, False, False)),
('audit signal set=quit,', (False, False, False, False)),
( 'signal send,', (False, False, False, False)),
( 'signal,', (False, False, False, False)),
)
class SignalCoveredTest_04(SignalCoveredTest):
rule = 'signal,'
tests = (
# rule equal strict equal covered covered exact
( 'signal,' , ( True , True , True , True )),
('allow signal,' , ( True , False , True , True )),
( 'signal send,' , ( False , False , True , True )),
( 'signal w set=quit,' , ( False , False , True , True )),
( 'signal set=int,' , ( False , False , True , True )),
( 'signal send set=quit,' , ( False , False , True , True )),
('audit signal,' , ( False , False , False , False )),
('deny signal,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
( 'signal,', (True, True, True, True)),
('allow signal,', (True, False, True, True)),
( 'signal send,', (False, False, True, True)),
( 'signal w set=quit,', (False, False, True, True)),
( 'signal set=int,', (False, False, True, True)),
( 'signal send set=quit,', (False, False, True, True)),
('audit signal,', (False, False, False, False)),
('deny signal,', (False, False, False, False)),
)
class SignalCoveredTest_05(SignalCoveredTest):
rule = 'deny signal send,'
tests = (
# rule equal strict equal covered covered exact
( 'deny signal send,' , ( True , True , True , True )),
('audit deny signal send,' , ( False , False , False , False )),
( 'signal send,' , ( False , False , False , False )), # XXX should covered be true here?
( 'deny signal receive,' , ( False , False , False , False )),
( 'deny signal,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
( 'deny signal send,', (True, True, True, True)),
('audit deny signal send,', (False, False, False, False)),
( 'signal send,', (False, False, False, False)), # XXX should covered be true here?
( 'deny signal receive,', (False, False, False, False)),
( 'deny signal,', (False, False, False, False)),
)
class SignalCoveredTest_06(SignalCoveredTest):
rule = 'signal send peer=unconfined,'
tests = (
# rule equal strict equal covered covered exact
('signal,' , ( False , False , False , False )),
('signal send,' , ( False , False , False , False )),
('signal send peer=unconfined,' , ( True , True , True , True )),
('signal peer=unconfined,' , ( False , False , False , False )),
('signal send, # comment' , ( False , False , False , False )),
('allow signal send,' , ( False , False , False , False )),
('allow signal send peer=unconfined,' , ( True , False , True , True )),
('allow signal send peer=/foo/bar,' , ( False , False , False , False )),
('allow signal send peer=/**,' , ( False , False , False , False )),
('allow signal send peer=**,' , ( False , False , False , False )),
('signal send,' , ( False , False , False , False )),
('signal send peer=unconfined,' , ( True , False , True , True )),
('signal send set=quit,' , ( False , False , False , False )),
('signal send set=int peer=unconfined,',( False , False , True , True )),
('audit signal send peer=unconfined,' , ( False , False , False , False )),
('audit signal,' , ( False , False , False , False )),
('signal receive,' , ( False , False , False , False )),
('signal set=int,' , ( False , False , False , False )),
('audit deny signal send,' , ( False , False , False , False )),
('deny signal send,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
('signal,', (False, False, False, False)),
('signal send,', (False, False, False, False)),
('signal send peer=unconfined,', (True, True, True, True)),
('signal peer=unconfined,', (False, False, False, False)),
('signal send, # comment', (False, False, False, False)),
('allow signal send,', (False, False, False, False)),
('allow signal send peer=unconfined,', (True, False, True, True)),
('allow signal send peer=/foo/bar,', (False, False, False, False)),
('allow signal send peer=/**,', (False, False, False, False)),
('allow signal send peer=**,', (False, False, False, False)),
('signal send,', (False, False, False, False)),
('signal send peer=unconfined,', (True, False, True, True)),
('signal send set=quit,', (False, False, False, False)),
('signal send set=int peer=unconfined,', (False, False, True, True)),
('audit signal send peer=unconfined,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('signal receive,', (False, False, False, False)),
('signal set=int,', (False, False, False, False)),
('audit deny signal send,', (False, False, False, False)),
('deny signal send,', (False, False, False, False)),
)
class SignalCoveredTest_07(SignalCoveredTest):
rule = 'signal send peer=/foo/bar,'
tests = (
# rule equal strict equal covered covered exact
('signal,' , ( False , False , False , False )),
('signal send,' , ( False , False , False , False )),
('signal send peer=/foo/bar,' , ( True , True , True , True )),
('signal send peer=/foo/*,' , ( False , False , False , False )),
('signal send peer=/**,' , ( False , False , False , False )),
('signal send peer=/what/*,' , ( False , False , False , False )),
('signal peer=/foo/bar,' , ( False , False , False , False )),
('signal send, # comment' , ( False , False , False , False )),
('allow signal send,' , ( False , False , False , False )),
('allow signal send peer=/foo/bar,' , ( True , False , True , True )),
('signal send,' , ( False , False , False , False )),
('signal send peer=/foo/bar,' , ( True , False , True , True )),
('signal send peer=/what/ever,' , ( False , False , False , False )),
('signal send set=quit,' , ( False , False , False , False )),
('signal send set=int peer=/foo/bar,' , ( False , False , True , True )),
('audit signal send peer=/foo/bar,' , ( False , False , False , False )),
('audit signal,' , ( False , False , False , False )),
('signal receive,' , ( False , False , False , False )),
('signal set=int,' , ( False , False , False , False )),
('audit deny signal send,' , ( False , False , False , False )),
('deny signal send,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
('signal,', (False, False, False, False)),
('signal send,', (False, False, False, False)),
('signal send peer=/foo/bar,', (True, True, True, True)),
('signal send peer=/foo/*,', (False, False, False, False)),
('signal send peer=/**,', (False, False, False, False)),
('signal send peer=/what/*,', (False, False, False, False)),
('signal peer=/foo/bar,', (False, False, False, False)),
('signal send, # comment', (False, False, False, False)),
('allow signal send,', (False, False, False, False)),
('allow signal send peer=/foo/bar,', (True, False, True, True)),
('signal send,', (False, False, False, False)),
('signal send peer=/foo/bar,', (True, False, True, True)),
('signal send peer=/what/ever,', (False, False, False, False)),
('signal send set=quit,', (False, False, False, False)),
('signal send set=int peer=/foo/bar,', (False, False, True, True)),
('audit signal send peer=/foo/bar,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('signal receive,', (False, False, False, False)),
('signal set=int,', (False, False, False, False)),
('audit deny signal send,', (False, False, False, False)),
('deny signal send,', (False, False, False, False)),
)
class SignalCoveredTest_08(SignalCoveredTest):
rule = 'signal send peer=**,'
tests = (
# rule equal strict equal covered covered exact
('signal,' , ( False , False , False , False )),
('signal send,' , ( False , False , False , False )),
('signal send peer=/foo/bar,' , ( False , False , True , True )),
('signal send peer=/foo/*,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal send peer=/**,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal send peer=/what/*,' , ( False , False , False , False )), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal peer=/foo/bar,' , ( False , False , False , False )),
('signal send, # comment' , ( False , False , False , False )),
('allow signal send,' , ( False , False , False , False )),
('allow signal send peer=/foo/bar,' , ( False , False , True , True )),
('signal send,' , ( False , False , False , False )),
('signal send peer=/foo/bar,' , ( False , False , True , True )),
('signal send peer=/what/ever,' , ( False , False , True , True )),
('signal send set=quit,' , ( False , False , False , False )),
('signal send set=int peer=/foo/bar,' , ( False , False , True , True )),
('audit signal send peer=/foo/bar,' , ( False , False , False , False )),
('audit signal,' , ( False , False , False , False )),
('signal receive,' , ( False , False , False , False )),
('signal set=int,' , ( False , False , False , False )),
('audit deny signal send,' , ( False , False , False , False )),
('deny signal send,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
('signal,', (False, False, False, False)),
('signal send,', (False, False, False, False)),
('signal send peer=/foo/bar,', (False, False, True, True)),
('signal send peer=/foo/*,', (False, False, False, False)), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal send peer=/**,', (False, False, False, False)), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal send peer=/what/*,', (False, False, False, False)), # TODO: wildcard vs. wildcard never matches in is_covered_aare()
('signal peer=/foo/bar,', (False, False, False, False)),
('signal send, # comment', (False, False, False, False)),
('allow signal send,', (False, False, False, False)),
('allow signal send peer=/foo/bar,', (False, False, True, True)),
('signal send,', (False, False, False, False)),
('signal send peer=/foo/bar,', (False, False, True, True)),
('signal send peer=/what/ever,', (False, False, True, True)),
('signal send set=quit,', (False, False, False, False)),
('signal send set=int peer=/foo/bar,', (False, False, True, True)),
('audit signal send peer=/foo/bar,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('signal receive,', (False, False, False, False)),
('signal set=int,', (False, False, False, False)),
('audit deny signal send,', (False, False, False, False)),
('deny signal send,', (False, False, False, False)),
)
class SignalCoveredTest_09(SignalCoveredTest):
rule = 'signal (send, receive) set=(int, quit),'
tests = (
# rule equal strict equal covered covered exact
('signal,' , ( False , False , False , False )),
('signal send,' , ( False , False , False , False )),
('signal send set=int,' , ( False , False , True , True )),
('signal receive set=quit,' , ( False , False , True , True )),
('signal (receive,send) set=int,' , ( False , False , True , True )),
('signal (receive,send) set=(int quit),',(True , False , True , True )),
('signal send set=(quit int),' , ( False , False , True , True )),
('signal send peer=/foo/bar,' , ( False , False , False , False )),
('signal send peer=/foo/*,' , ( False , False , False , False )),
('signal send peer=/**,' , ( False , False , False , False )),
('signal send peer=/what/*,' , ( False , False , False , False )),
('signal peer=/foo/bar,' , ( False , False , False , False )),
('signal send, # comment' , ( False , False , False , False )),
('allow signal send,' , ( False , False , False , False )),
('allow signal send peer=/foo/bar,' , ( False , False , False , False )),
('signal send,' , ( False , False , False , False )),
('signal send peer=/foo/bar,' , ( False , False , False , False )),
('signal send peer=/what/ever,' , ( False , False , False , False )),
('signal send set=quit,' , ( False , False , True , True )),
('signal send set=int peer=/foo/bar,' , ( False , False , True , True )),
('audit signal send peer=/foo/bar,' , ( False , False , False , False )),
('audit signal,' , ( False , False , False , False )),
('signal receive,' , ( False , False , False , False )),
('signal set=int,' , ( False , False , False , False )),
('audit deny signal send,' , ( False , False , False , False )),
('deny signal send,' , ( False , False , False , False )),
# rule equal strict equal covered covered exact
('signal,', (False, False, False, False)),
('signal send,', (False, False, False, False)),
('signal send set=int,', (False, False, True, True)),
('signal receive set=quit,', (False, False, True, True)),
('signal (receive,send) set=int,', (False, False, True, True)),
('signal (receive,send) set=(int quit),', (True, False, True, True)),
('signal send set=(quit int),', (False, False, True, True)),
('signal send peer=/foo/bar,', (False, False, False, False)),
('signal send peer=/foo/*,', (False, False, False, False)),
('signal send peer=/**,', (False, False, False, False)),
('signal send peer=/what/*,', (False, False, False, False)),
('signal peer=/foo/bar,', (False, False, False, False)),
('signal send, # comment', (False, False, False, False)),
('allow signal send,', (False, False, False, False)),
('allow signal send peer=/foo/bar,', (False, False, False, False)),
('signal send,', (False, False, False, False)),
('signal send peer=/foo/bar,', (False, False, False, False)),
('signal send peer=/what/ever,', (False, False, False, False)),
('signal send set=quit,', (False, False, True, True)),
('signal send set=int peer=/foo/bar,', (False, False, True, True)),
('audit signal send peer=/foo/bar,', (False, False, False, False)),
('audit signal,', (False, False, False, False)),
('signal receive,', (False, False, False, False)),
('signal set=int,', (False, False, False, False)),
('audit deny signal send,', (False, False, False, False)),
('deny signal send,', (False, False, False, False)),
)
class SignalCoveredTest_Invalid(AATest):
def test_borked_obj_is_covered_1(self):
obj = SignalRule.parse('signal send peer=/foo,')
@@ -515,24 +539,26 @@ class SignalCoveredTest_Invalid(AATest):
with self.assertRaises(AppArmorBug):
obj.is_equal(testobj)
class SignalLogprofHeaderTest(AATest):
tests = (
('signal,', [ _('Access mode'), _('ALL'), _('Signal'), _('ALL'), _('Peer'), _('ALL'), ]),
('signal send,', [ _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL'), ]),
('signal send set=quit,', [ _('Access mode'), 'send', _('Signal'), 'quit', _('Peer'), _('ALL'), ]),
('deny signal,', [_('Qualifier'), 'deny', _('Access mode'), _('ALL'), _('Signal'), _('ALL'), _('Peer'), _('ALL'), ]),
('allow signal send,', [_('Qualifier'), 'allow', _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL'), ]),
('audit signal send set=quit,', [_('Qualifier'), 'audit', _('Access mode'), 'send', _('Signal'), 'quit', _('Peer'), _('ALL'), ]),
('audit deny signal send,', [_('Qualifier'), 'audit deny', _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL'), ]),
('signal set=(int, quit),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL'), ]),
('signal set=( quit, int),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL'), ]),
('signal (send, receive) set=( quit, int) peer=/foo,', [ _('Access mode'), 'receive send', _('Signal'), 'int quit', _('Peer'), '/foo', ]),
('signal,', [ _('Access mode'), _('ALL'), _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('signal send,', [ _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('signal send set=quit,', [ _('Access mode'), 'send', _('Signal'), 'quit', _('Peer'), _('ALL')]),
('deny signal,', [_('Qualifier'), 'deny', _('Access mode'), _('ALL'), _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('allow signal send,', [_('Qualifier'), 'allow', _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('audit signal send set=quit,', [_('Qualifier'), 'audit', _('Access mode'), 'send', _('Signal'), 'quit', _('Peer'), _('ALL')]),
('audit deny signal send,', [_('Qualifier'), 'audit deny', _('Access mode'), 'send', _('Signal'), _('ALL'), _('Peer'), _('ALL')]),
('signal set=(int, quit),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL')]),
('signal set=( quit, int),', [ _('Access mode'), _('ALL'), _('Signal'), 'int quit', _('Peer'), _('ALL')]),
('signal (send, receive) set=( quit, int) peer=/foo,', [ _('Access mode'), 'receive send', _('Signal'), 'int quit', _('Peer'), '/foo']),
)
def _run_test(self, params, expected):
obj = SignalRule.parse(params)
self.assertEqual(obj.logprof_header(), expected)
## --- tests for SignalRuleset --- #
class SignalRulesTest(AATest):
@@ -616,8 +642,10 @@ class SignalGlobTestAATest(AATest):
# get_glob_ext is not available for signal rules
self.ruleset.get_glob_ext('signal send set=int,')
#class SignalDeleteTestAATest(AATest):
# pass
# class SignalDeleteTestAATest(AATest):
# pass
setup_all_loops(__name__)
if __name__ == '__main__':