From a13d8cfffbd06b42d759e5ea945842b739bbe530 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Sun, 15 Jun 2025 18:34:54 +0200 Subject: [PATCH] utils: move tests for invalid priority to test-* ... instead of having them in test-modifiers.py for all rule types Also add a few additional tests while on it. --- utils/test/test-all.py | 17 ++++++ utils/test/test-capability.py | 10 ++++ utils/test/test-change_profile.py | 10 ++++ utils/test/test-dbus.py | 13 +++++ utils/test/test-file.py | 13 +++++ utils/test/test-io_uring.py | 13 +++++ utils/test/test-modifiers.py | 90 ------------------------------- utils/test/test-mount.py | 14 +++++ utils/test/test-mqueue.py | 13 +++++ utils/test/test-network.py | 13 +++++ utils/test/test-pivot_root.py | 13 +++++ utils/test/test-ptrace.py | 13 +++++ utils/test/test-signal.py | 13 +++++ utils/test/test-unix.py | 13 +++++ utils/test/test-userns.py | 13 +++++ 15 files changed, 181 insertions(+), 90 deletions(-) delete mode 100644 utils/test/test-modifiers.py diff --git a/utils/test/test-all.py b/utils/test/test-all.py index 71eeb3267..7d38d3cb7 100644 --- a/utils/test/test-all.py +++ b/utils/test/test-all.py @@ -48,6 +48,7 @@ class AllTestParse(AllTest): ('deny all, # comment', exp(False, False, True, ' # comment')), ('audit allow all,', exp(True, True, False, '')), ('audit allow all,', exp(True, True, False, '')), + ('priority=-1 all,', exp(False, False, False, '')), ) def _run_test(self, rawrule, expected): @@ -69,6 +70,14 @@ class AllTestParseInvalid(AllTest): with self.assertRaises(expected): AllRule.create_instance(rawrule) + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + AllRule.create_instance('priority=a all,') + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + AllRule.create_instance('priority=1042 all,') + # we won't ever support converting a log event to an 'all,' rule # class AllTestParseFromLog(AllTest): 
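Review bot: The added `('priority=-1 all,', exp(False, False, False, ''))` entry in AllTestParse expects the same four fields as a rule without a priority, so as far as this hunk shows nothing checks that -1 was actually parsed and stored. `exp` and the body of `_run_test` are defined outside the hunk; if they do not cover priority, this case would still pass when the parser silently drops the modifier. Consider asserting the stored priority for this rule, or add a comment such as `# parsed priority value is verified in <test name>` if it is covered elsewhere.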
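Review bot: The out-of-range case `'priority=1042 all,'` in AllTestParseInvalid probes a single value on one side of the accepted range, and the entries added to the other test-*.py files do the same with either `1042` or `-1042`. A bounds check that is off by one, or that rejects only one sign, would still pass every one of these tests. Because priority influences how rules in a confinement policy are ordered against each other, it is worth adding the first rejected and the last accepted value on each side, at least for one rule type.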
@@ -84,6 +93,14 @@ class AllFromInit(AllTest): def _run_test(self, obj, expected): self._compare_obj(obj, expected) + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + AllRule(priority=AllRule) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + AllRule(priority='invalid') + # no localvars -> no way to hand over invalid values, or to miss a required parameter # class InvalidAllInit(AATest): diff --git a/utils/test/test-capability.py b/utils/test/test-capability.py index 648bcd897..f3d3a7572 100644 --- a/utils/test/test-capability.py +++ b/utils/test/test-capability.py @@ -245,6 +245,8 @@ class CapabilityTestParseInvalid(AATest): # rule exception, matches regex? ('capability', (AppArmorException, False)), # missing comma ('network,', (AppArmorException, False)), # not a capability rule + ('priority=1042 capability,', (AppArmorException, True)), + ('priority=a capability,', (AppArmorException, False)), ) def _run_test(self, rawrule, expected): @@ -286,6 +288,14 @@ class InvalidCapabilityTest(AATest): with self.assertRaises(AppArmorBug): CapabilityRule(dict()) + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + CapabilityRule(CapabilityRule.ALL, priority=CapabilityRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + CapabilityRule(CapabilityRule.ALL, priority='invalid') + class WriteCapabilityTest(AATest): def _check_write_rule(self, rawrule, cleanrule): diff --git a/utils/test/test-change_profile.py b/utils/test/test-change_profile.py index ffd5b7c41..c5f1cffc4 100644 --- a/utils/test/test-change_profile.py +++ b/utils/test/test-change_profile.py 
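Review bot: `AllRule(priority=AllRule)` in AllFromInit.test_invalid_priority_1 passes the rule class itself, while the matching tests in the other files pass `<Rule>.ALL`. Both presumably end in the same TypeError, but the difference reads like a typo. Either write `AllRule(priority=AllRule.ALL)` if that attribute is available on this class, or add a comment such as `# the class object serves as an arbitrary non-integer value`.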
@@ -91,6 +91,8 @@ class ChangeProfileTestParseInvalid(ChangeProfileTest): ('change_profile foo -> ,', (AppArmorException, False)), ('change_profile notsafe,', (AppArmorException, False)), ('change_profile safety -> /bar,', (AppArmorException, False)), + ('priority=-1042 change_profile,', (AppArmorException, True)), + ('priority=a change_profile,', (AppArmorException, False)), ) def _run_test(self, rawrule, expected): @@ -192,6 +194,14 @@ class InvalidChangeProfileInit(AATest): with self.assertRaises(TypeError): ChangeProfileRule(None, ChangeProfileRule.ALL) + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + ChangeProfileRule(None, ChangeProfileRule.ALL, '/bar', priority=ChangeProfileRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + ChangeProfileRule(None, ChangeProfileRule.ALL, '/bar', priority='invalid') + class InvalidChangeProfileTest(AATest): def test_empty_net_data_1(self): diff --git a/utils/test/test-dbus.py b/utils/test/test-dbus.py index e7c8f1468..0585a3b68 100644 --- a/utils/test/test-dbus.py +++ b/utils/test/test-dbus.py @@ -120,6 +120,7 @@ class DbusTestParseInvalid(DbusTest): ('dbus peer=,', AppArmorException), ('dbus bus=session bind bus=system,', AppArmorException), ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', AppArmorException), + ('priority=1042 dbus,', AppArmorException), ) def _run_test(self, rawrule, expected): @@ -127,6 +128,10 @@ class DbusTestParseInvalid(DbusTest): with self.assertRaises(expected): DbusRule.create_instance(rawrule) + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + DbusRule.create_instance('priority=a dbus,') + class DbusTestParseFromLog(DbusTest): def test_dbus_from_log(self): 
@@ -275,6 +280,14 @@ class InvalidDbusInit(AATest): with self.assertRaises(expected): DbusRule(*params) + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + DbusRule(DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, priority=DbusRule.ALL) # invalid priority ALL + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + DbusRule(DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, priority='invalid') # invalid priority (text) + def test_missing_params_1(self): with self.assertRaises(TypeError): DbusRule('send') diff --git a/utils/test/test-file.py b/utils/test/test-file.py index b73990434..0f5ab7280 100644 --- a/utils/test/test-file.py +++ b/utils/test/test-file.py @@ -122,6 +122,7 @@ class FileTestParseInvalid(FileTest): ('/foo PxUx,', AppArmorException), # exec mode conflict ('/foo PUxPix,', AppArmorException), # exec mode conflict ('/foo Pi,', AppArmorException), # missing 'x' + ('priority=-1042 file,', AppArmorException), # priority must be a number ) def _run_test(self, rawrule, expected): @@ -129,6 +130,10 @@ class FileTestParseInvalid(FileTest): with self.assertRaises(expected): FileRule.create_instance(rawrule) + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + FileRule.create_instance('priority=a file,') + class FileTestNonMatch(AATest): tests = ( 
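Review bot: The trailing comment on the added `('priority=-1042 file,', AppArmorException)` entry in FileTestParseInvalid says "priority must be a number", but -1042 is a number; the non-numeric input is `priority=a file,` in test_invalid_priority in the next hunk. Going by the sibling files, this entry is presumably rejected for being outside the accepted range. Suggested wording: `# priority out of range`.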
@@ -299,6 +304,14 @@ class InvalidFileInit(AATest): with self.assertRaises(AppArmorException): FileRule('/foo', 'rw', 'ix', '/bar', False, False, False, deny=True) + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + FileRule('/foo', '', 'ix', '/bar', False, False, False, priority=FileRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + FileRule('/foo', '', 'ix', '/bar', False, False, False, priority='invalid') + class InvalidFileTest(AATest): def _check_invalid_rawrule(self, rawrule): diff --git a/utils/test/test-io_uring.py b/utils/test/test-io_uring.py index 957956d5f..ee2a27fad 100644 --- a/utils/test/test-io_uring.py +++ b/utils/test/test-io_uring.py @@ -52,6 +52,7 @@ class IOUringTestParseInvalid(AATest): ('io_uring label=,', AppArmorException), ('io_uring invalidaccess label=foo,', AppArmorException), ('io_uring sqpoll label=,', AppArmorException), + ('priority=1042 io_uring,', AppArmorException), ) def _run_test(self, rawrule, expected): @@ -59,6 +60,10 @@ class IOUringTestParseInvalid(AATest): with self.assertRaises(expected): IOUringRule.create_instance(rawrule) + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + IOUringRule.create_instance('priority=a io_uring,') + def test_parse_fail(self): with self.assertRaises(AppArmorException): IOUringRule.create_instance('foo,') @@ -106,6 +111,14 @@ class InvalidIOUringInit(AATest): with self.assertRaises(TypeError): IOUringRule('override_creds') + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + IOUringRule(IOUringRule.ALL, IOUringRule.ALL, priority=IOUringRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + IOUringRule(IOUringRule.ALL, IOUringRule.ALL, priority='invalid') + class WriteIOUringTestAATest(AATest): tests = ( diff --git a/utils/test/test-modifiers.py b/utils/test/test-modifiers.py deleted file mode 100644 index 36d773e54..000000000 
--- a/utils/test/test-modifiers.py +++ /dev/null 
@@ -1,90 +0,0 @@ -#! /usr/bin/python3 -# ------------------------------------------------------------------ -# -# Copyright (C) 2025 Canonical Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License as published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# ---------------------------------------------------------------------- - -import unittest - -from apparmor.common import AppArmorException -from apparmor.rule.capability import CapabilityRule -from apparmor.rule.change_profile import ChangeProfileRule -from apparmor.rule.dbus import DbusRule -from apparmor.rule.file import FileRule -from apparmor.rule.io_uring import IOUringRule -from apparmor.rule.mount import MountRule -from apparmor.rule.mqueue import MessageQueueRule -from apparmor.rule.network import NetworkRule -from apparmor.rule.pivot_root import PivotRootRule -from apparmor.rule.ptrace import PtraceRule -from apparmor.rule.signal import SignalRule -from apparmor.rule.unix import UnixRule -from apparmor.rule.userns import UserNamespaceRule -from apparmor.rule.all import AllRule -from common_test import AATest, setup_all_loops - - -class TestInvalid_parse_priority(AATest): - tests = ( - ((CapabilityRule, 'priority=a capability,'), AppArmorException), - ((DbusRule, 'priority=a dbus,'), AppArmorException), - ((MountRule, 'priority=a mount,'), AppArmorException), - ((MountRule, 'priority=a umount,'), AppArmorException), - ((MountRule, 'priority=a unmount,'), AppArmorException), - ((MountRule, 'priority=a remount,'), AppArmorException), - ((SignalRule, 'priority=a signal,'), AppArmorException), - ((PtraceRule, 'priority=a ptrace,'), AppArmorException), - ((PivotRootRule, 
'priority=a pivot_root,'), AppArmorException), - ((UnixRule, 'priority=a unix,'), AppArmorException), - ((NetworkRule, 'priority=a network,'), AppArmorException), - ((UserNamespaceRule, 'priority=a userns,'), AppArmorException), - ((MessageQueueRule, 'priority=a mqueue,'), AppArmorException), - ((IOUringRule, 'priority=a io_uring,'), AppArmorException), - ((ChangeProfileRule, 'priority=a change_profile,'), AppArmorException), - ((FileRule, 'priority=a file,'), AppArmorException), - ((AllRule, 'priority=a all,'), AppArmorException), - ) - - def _run_test(self, params, expected): - rule_cls, rule = params - with self.assertRaises(expected): - rule_cls.create_instance(rule) # Invalid rule - - -class TestInvalid_init_priority(AATest): - tests = ( - ((CapabilityRule, (CapabilityRule.ALL,)), AppArmorException), - ((DbusRule, (DbusRule.ALL,) * 8), AppArmorException), - ((MountRule, (MountRule.ALL,) * 5), AppArmorException), - ((SignalRule, (SignalRule.ALL,) * 3), AppArmorException), - ((PtraceRule, (PtraceRule.ALL,) * 2), AppArmorException), - ((PivotRootRule, (PivotRootRule.ALL,) * 3), AppArmorException), - ((UnixRule, (UnixRule.ALL,) * 4), AppArmorException), - ((NetworkRule, (NetworkRule.ALL,) * 5), AppArmorException), - ((UserNamespaceRule, (UserNamespaceRule.ALL,) * 1), AppArmorException), - ((MessageQueueRule, (MessageQueueRule.ALL,) * 4), AppArmorException), - ((IOUringRule, (IOUringRule.ALL,) * 2), AppArmorException), - ((ChangeProfileRule, (ChangeProfileRule.ALL,) * 3), AppArmorException), - ((FileRule, (FileRule.ALL,) * 5), AppArmorException), - ((AllRule, ()), AppArmorException), - ) - - def _run_test(self, params, expected): - rule_cls, args = params - with self.assertRaises(expected): - rule_cls(*args, priority="invalid") # ValueError - - -setup_all_loops(__name__) -if __name__ == '__main__': - unittest.main(verbosity=1) diff --git a/utils/test/test-mount.py b/utils/test/test-mount.py index c2e8f4609..e18fe7177 100644 --- a/utils/test/test-mount.py 
+++ b/utils/test/test-mount.py @@ -124,6 +124,7 @@ class MountTestParseInvalid(AATest): ('mount options=(),', AppArmorException), ('mount option=(invalid),', AppArmorException), ('mount option=(ext3ext4),', AppArmorException), + ('priority=-1042 umount,', AppArmorException), ('mount fstype=({unclosed_regex),', AppArmorException), # invalid AARE ('mount fstype=({closed}twice}),', AppArmorException), # invalid AARE ) @@ -137,6 +138,19 @@ class MountTestParseInvalid(AATest): with self.assertRaises(AppArmorException): MountRule.create_instance('foo,') + def test_invalid_priority(self): + for keyword in ['mount', 'umount', 'unmount', 'remount']: + with self.assertRaises(AppArmorException): + MountRule.create_instance('priority=a %s,' % keyword) + + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, priority=MountRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + MountRule('mount', MountRule.ALL, MountRule.ALL, MountRule.ALL, MountRule.ALL, priority='invalid') + def test_diff_non_mountrule(self): exp = namedtuple('exp', ('audit', 'deny', 'priority')) obj = MountRule('mount', ('=', ['ext4']), MountRule.ALL, MountRule.ALL, MountRule.ALL) diff --git a/utils/test/test-mqueue.py b/utils/test/test-mqueue.py index 1f6199c07..c5d3030f1 100644 --- a/utils/test/test-mqueue.py +++ b/utils/test/test-mqueue.py @@ -65,6 +65,7 @@ class MessageQueueTestParseInvalid(AATest): ('mqueue type=,', AppArmorException), ('mqueue type=sysv /foo,', AppArmorException), ('mqueue type=posix 1234,', AppArmorException), + ('priority=-1042 mqueue,', AppArmorException), ) def _run_test(self, rawrule, expected): 
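Review bot: test_invalid_priority in MountTestParseInvalid loops over four keywords with a bare `for`, so a failure does not say which keyword broke and the remaining keywords are not run; wrapping the loop body in `with self.subTest(keyword=keyword):` fixes both. test_invalid_priority_1 and test_invalid_priority_2 exercise the MountRule constructor but are added to this parse-focused class, and test-unix.py does the same in UnixTestParseInvalid. If these files have no init-focused test class, a one-line comment such as `# constructor checks live here because this file has no Invalid*Init class` would explain the placement. The class body continues outside the hunk.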
@@ -76,6 +77,10 @@ class MessageQueueTestParseInvalid(AATest): with self.assertRaises(AppArmorException): MessageQueueRule.create_instance('foo,') + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + MessageQueueRule.create_instance('priority=a mqueue,') + def test_diff_non_mqueuerule(self): exp = namedtuple('exp', ('audit', 'deny', 'priority')) obj = MessageQueueRule(('open'), 'posix', 'bar', '/foo') @@ -145,6 +150,14 @@ class InvalidMessageQueueInit(AATest): with self.assertRaises(TypeError): MessageQueueRule('r', 'sysv', 'foo') + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + MessageQueueRule(MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, priority=MessageQueueRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + MessageQueueRule(MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, MessageQueueRule.ALL, priority='invalid') + class WriteMessageQueueTestAATest(AATest): tests = ( diff --git a/utils/test/test-network.py b/utils/test/test-network.py index a74fa32c2..e861ac0cf 100644 --- a/utils/test/test-network.py +++ b/utils/test/test-network.py @@ -129,6 +129,7 @@ class NetworkTestParseInvalid(NetworkTest): ('network inet peer=(ip=1:2:3:4:5:6:7:8:9:0:0:0),', AppArmorException), # too many segments ('network packet ip=1::,', AppArmorException), # Only inet[6] domains can be used in conjunction with a local expression ('network packet peer=(ip=1::),', AppArmorException), # Only inet[6] domains can be used in conjunction with a peer expression + ('priority=-1042 network,', AppArmorException), ) def _run_test(self, rawrule, expected): 
@@ -136,6 +137,10 @@ class NetworkTestParseInvalid(NetworkTest): with self.assertRaises(expected): NetworkRule.create_instance(rawrule) + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + NetworkRule.create_instance('priority=a network,') + class NetworkTestParseFromLog(NetworkTest): def test_net_from_log(self): @@ -235,6 +240,14 @@ class InvalidNetworkInit(AATest): with self.assertRaises(TypeError): NetworkRule('inet') + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + NetworkRule(NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, priority=NetworkRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + NetworkRule(NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, NetworkRule.ALL, priority='invalid') + class InvalidNetworkTest(AATest): def _check_invalid_rawrule(self, rawrule): diff --git a/utils/test/test-pivot_root.py b/utils/test/test-pivot_root.py index 1b6fcc816..7a9559a48 100644 --- a/utils/test/test-pivot_root.py +++ b/utils/test/test-pivot_root.py @@ -91,6 +91,7 @@ class PivotRootTestParseInvalid(PivotRootTest): ('pivot_root foo bar,', AppArmorException), ('pivot_root oldroot= ,', AppArmorException), ('pivot_root -> ,', AppArmorException), + ('priority=-1042 pivot_root,', AppArmorException), ) def _run_test(self, rawrule, expected): @@ -98,6 +99,10 @@ class PivotRootTestParseInvalid(PivotRootTest): with self.assertRaises(expected): PivotRootRule.create_instance(rawrule) + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + PivotRootRule.create_instance('priority=a pivot_root,') + def test_invalid_rule_name(self): self.assertFalse(PivotRootRule.match('pivot_rootbeer,')) with self.assertRaises(AppArmorException): 
@@ -201,6 +206,14 @@ class InvalidPivotRootInit(AATest): with self.assertRaises(TypeError): PivotRootRule('/foo', '/bar') + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + PivotRootRule(PivotRootRule.ALL, PivotRootRule.ALL, PivotRootRule.ALL, priority=PivotRootRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + PivotRootRule(PivotRootRule.ALL, PivotRootRule.ALL, PivotRootRule.ALL, priority='invalid') + class InvalidPivotRootTest(AATest): def _check_invalid_rawrule(self, rawrule): diff --git a/utils/test/test-ptrace.py b/utils/test/test-ptrace.py index 5193d99c5..b92c2115f 100644 --- a/utils/test/test-ptrace.py +++ b/utils/test/test-ptrace.py @@ -80,6 +80,7 @@ class PtraceTestParseInvalid(PtraceTest): ('ptrace read bar,', AppArmorException), ('ptrace read tracedby,', AppArmorException), ('ptrace peer=,', AppArmorException), + ('priority=1042 ptrace,', AppArmorException), ) def _run_test(self, rawrule, expected): @@ -87,6 +88,10 @@ class PtraceTestParseInvalid(PtraceTest): with self.assertRaises(expected): PtraceRule.create_instance(rawrule) + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + PtraceRule.create_instance('priority=a ptrace,') + class PtraceTestParseFromLog(PtraceTest): def test_ptrace_from_log(self): @@ -191,6 +196,14 @@ class InvalidPtraceInit(AATest): with self.assertRaises(TypeError): PtraceRule('r') + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + PtraceRule(PtraceRule.ALL, PtraceRule.ALL, priority=PtraceRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + PtraceRule(PtraceRule.ALL, PtraceRule.ALL, priority='invalid') + class InvalidPtraceTest(AATest): def _check_invalid_rawrule(self, rawrule): diff --git a/utils/test/test-signal.py b/utils/test/test-signal.py index 92f7cf771..ab668760e 100644 --- a/utils/test/test-signal.py +++ b/utils/test/test-signal.py 
@@ -84,6 +84,7 @@ class SignalTestParseInvalid(SignalTest): ('signal set=int set=,', AppArmorException), ('signal set=invalid,', AppArmorException), ('signal peer=,', AppArmorException), + ('priority=-1042 signal,', AppArmorException), ) def _run_test(self, rawrule, expected): @@ -91,6 +92,10 @@ class SignalTestParseInvalid(SignalTest): with self.assertRaises(expected): SignalRule.create_instance(rawrule) + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + SignalRule.create_instance('priority=a signal,') + class SignalTestParseFromLog(SignalTest): def test_signal_from_log(self): @@ -204,6 +209,14 @@ class InvalidSignalInit(AATest): with self.assertRaises(TypeError): SignalRule('r', 'int') + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + SignalRule(SignalRule.ALL, SignalRule.ALL, priority=SignalRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + SignalRule(SignalRule.ALL, SignalRule.ALL, SignalRule.ALL, priority='invalid') + class InvalidSignalTest(AATest): def _check_invalid_rawrule(self, rawrule): diff --git a/utils/test/test-unix.py b/utils/test/test-unix.py index 5fbf013c9..77691cf67 100644 --- a/utils/test/test-unix.py +++ b/utils/test/test-unix.py @@ -69,6 +69,7 @@ class UnixTestParseInvalid(AATest): tests = ( ('unix invalid,', AppArmorException), ('unix (invalid),', AppArmorException), + ('priority=1042 unix,', AppArmorException), ) def _run_test(self, rawrule, expected): 
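Review bot: test_invalid_priority_1 in InvalidSignalInit calls `SignalRule(SignalRule.ALL, SignalRule.ALL, priority=SignalRule.ALL)` with only two positional arguments, while test_invalid_priority_2 right below passes three and the context line above expects TypeError from the two-argument call `SignalRule('r', 'int')`. The TypeError here therefore most likely comes from the missing third parameter, so the test would keep passing even if the priority type check were removed. Pass all three: `SignalRule(SignalRule.ALL, SignalRule.ALL, SignalRule.ALL, priority=SignalRule.ALL)`.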
@@ -80,6 +81,18 @@ class UnixTestParseInvalid(AATest): with self.assertRaises(AppArmorException): UnixRule.create_instance('foo,') + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + UnixRule.create_instance('priority=a unix,') + + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, False, False, False, '', priority=UnixRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + UnixRule(UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, UnixRule.ALL, False, False, False, '', priority='invalid') + def test_invalid_key(self): with self.assertRaises(AppArmorException): UnixRule('send', UnixRule.ALL, {'invalid': 'whatever'}, UnixRule.ALL, False, False, False, '') diff --git a/utils/test/test-userns.py b/utils/test/test-userns.py index 4d5419eed..fc1e0c453 100644 --- a/utils/test/test-userns.py +++ b/utils/test/test-userns.py @@ -47,6 +47,7 @@ class UserNamespaceTestParse(AATest): class UserNamespaceTestParseInvalid(AATest): tests = ( ('userns invalidaccess,', AppArmorException), + ('priority=1042 userns,', AppArmorException), ) def _run_test(self, rawrule, expected): @@ -58,6 +59,10 @@ class UserNamespaceTestParseInvalid(AATest): with self.assertRaises(AppArmorException): UserNamespaceRule.create_instance('foo,') + def test_invalid_priority(self): + with self.assertRaises(AppArmorException): + UserNamespaceRule.create_instance('priority=a userns,') + def test_diff_non_usernsrule(self): exp = namedtuple('exp', ('audit', 'deny', 'priority')) obj = UserNamespaceRule(('create')) 
@@ -88,6 +93,14 @@ class InvalidUserNamespaceInit(AATest): with self.assertRaises(TypeError): UserNamespaceRule() + def test_invalid_priority_1(self): + with self.assertRaises(TypeError): + UserNamespaceRule(UserNamespaceRule.ALL, priority=UserNamespaceRule.ALL) + + def test_invalid_priority_2(self): + with self.assertRaises(AppArmorException): + UserNamespaceRule(UserNamespaceRule.ALL, priority='invalid') + class WriteUserNamespaceTestAATest(AATest): tests = (