mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 05:47:59 +00:00

Merge parser: equality test fixups

The original location of the error count checks in the middle of the priority function helper was completely nonsensical. We can instead do this check just once after running all the tests.

In addition, some tests in the priority helper don't use the priority variables at all, and are moved out of the helper to avoid repeating the exact same sequence of tests 16 times.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1604
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
John Johansen 2025-04-02 17:53:15 +00:00
commit a54e4e2cf9


@ -879,28 +879,6 @@ verify_binary_equality "'$p1'x'$p2' link rules slash filtering" \
@{BAR}=/mnt/ @{BAR}=/mnt/
/t { $p2 link @{FOO}/foo -> @{BAR}/bar, }" /t { $p2 link @{FOO}/foo -> @{BAR}/bar, }"
verify_binary_equality "'$p1'x'$p2' attachment slash filtering" \
"/t /bin/foo { }" \
"/t /bin//foo { }" \
"@{BAR}=/bin/
/t @{BAR}/foo { }" \
"@{FOO}=/foo
/t /bin/@{FOO} { }" \
"@{BAR}=/bin/
@{FOO}=/foo
/t @{BAR}/@{FOO} { }"
# verify comment at end of variable assignment is not treated as a value
verify_binary_equality "comment at end of set var" \
"/t { /bin/ r, }" \
"@{BAR}=/bin/ #a tail comment
/t { @{BAR} r, }"
verify_binary_equality "value like comment at end of set var" \
"/t { /{bin/,#value} r, }" \
"@{BAR}=bin/ \#value
/t { /@{BAR} r, }"
# This can potentially fail as ideally it requires a better dfa comparison # This can potentially fail as ideally it requires a better dfa comparison
# routine as it can generates hormomorphic dfas. The enumeration of the # routine as it can generates hormomorphic dfas. The enumeration of the
@ -912,12 +890,6 @@ verify_binary_equality "'$p1'x'$p2' mount specific deny doesn't affect non-overl
"/t { $p2 audit deny mount /s/** -> /**, "/t { $p2 audit deny mount /s/** -> /**,
mount options=bind /e/ -> /**, }" mount options=bind /e/ -> /**, }"
if [ $fails -ne 0 ] || [ $errors -ne 0 ]
then
printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 1>&2
exit $((fails + errors))
fi
## priority override equivalence tests ## priority override equivalence tests
## compare single rule, to multi-rule profile where one rule overrides ## compare single rule, to multi-rule profile where one rule overrides
@ -1082,6 +1054,29 @@ run_tests()
"/t { /a r, }" \ "/t { /a r, }" \
"/t { priority=-1 audit deny /* rwxlk, /a r, }" "/t { priority=-1 audit deny /* rwxlk, /a r, }"
# Tests that do not use priority keywords at all
verify_binary_equality "attachment slash filtering" \
"/t /bin/foo { }" \
"/t /bin//foo { }" \
"@{BAR}=/bin/
/t @{BAR}/foo { }" \
"@{FOO}=/foo
/t /bin/@{FOO} { }" \
"@{BAR}=/bin/
@{FOO}=/foo
/t @{BAR}/@{FOO} { }"
# verify comment at end of variable assignment is not treated as a value
verify_binary_equality "comment at end of set var" \
"/t { /bin/ r, }" \
"@{BAR}=/bin/ #a tail comment
/t { @{BAR} r, }"
verify_binary_equality "value like comment at end of set var" \
"/t { /{bin/,#value} r, }" \
"@{BAR}=bin/ \#value
/t { /@{BAR} r, }"
# verify combinations of different priority levels # verify combinations of different priority levels
# for single rule comparisons, rules should keep same expected result # for single rule comparisons, rules should keep same expected result
# even when the priorities are different. # even when the priorities are different.
@ -1109,8 +1104,13 @@ run_tests()
done done
[ -z "${verbose}" ] && printf "\n" [ -z "${verbose}" ] && printf "\n"
printf "PASS\n" if [ $fails -ne 0 ] || [ $errors -ne 0 ]; then
exit 0 printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 1>&2
exit $((fails + errors))
else
printf "PASS\n"
exit 0
fi
} }
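Review bot: In the final block of run_tests, `exit $((fails + errors))` can exit 0 while failures are present, because the shell truncates the exit status to 8 bits and a combined count that is a multiple of 256 wraps to zero. Per the commit message this is now the single check after all tests, and the priority helper repeats its sequence 16 times, so a wrapped status would let a CI run of the parser equality suite read as a pass. The counts are already printed to stderr, so a fixed non-zero status is enough: `exit 1`. A short comment above the `if`, such as `# single end-of-run check; exit status is pass/fail only, counts go to stderr`, would record that intent. The body of run_tests starts outside this hunk.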