mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00
Code Issues Releases Wiki Activity

Merge Introduce AATest.parseInvalidRule()

Browse Source 
... and change all *TestParseInvalid classes to use it, instead of
having (nearly) the same function in every test-*.py.

Also move tests not matching the rule regex into tests array (which now supports this case).

While at it, enable the tests for abi and include rules.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1728
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Christian Boltz <apparmor@cboltz.de>
This commit is contained in:
Christian Boltz 2025-07-15 18:31:00 +00:00
commit b2bfde5af0
21 changed files with 201 additions and 274 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
utils/test/common_test.py
View File

@ -50,6 +50,14 @@ class AATest(unittest.TestCase):
self.createTmpdir() self.createTmpdir()
return write_file(self.tmpdir, file, contents) return write_file(self.tmpdir, file, contents)
def parseInvalidRule(self, rule_class, rawrule, expected):
''' verify that invalid rules raise an exception, and verify if they at least match the rule regex'''
exp_exception, matches_regex = expected
self.assertEqual(matches_regex, rule_class.match(rawrule)) # does the invalid rules still match the main regex?
with self.assertRaises(exp_exception):
rule_class.create_instance(rawrule)
tests = () tests = ()
tmpdir = None tmpdir = None

17
utils/test/test-abi.py
View File

@ -64,17 +64,16 @@ class AbiTestParse(AbiTest):
class AbiTestParseInvalid(AbiTest): class AbiTestParseInvalid(AbiTest):
# tests = ( tests = (
# (' some abi <abstractions/base>', AppArmorException), # exception matches regex
# (' /etc/fstab r,', AppArmorException), (' some abi <abstractions/base>', (AppArmorException, False)),
# ('/usr/abi r,', AppArmorException), (' /etc/fstab r,', (AppArmorException, False)),
# ('/abi r,', AppArmorException), ('/usr/abi r,', (AppArmorException, False)),
# ) ('/abi r,', (AppArmorException, False)),
)
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(AbiRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(AbiRule, rawrule, expected)
with self.assertRaises(expected):
AbiRule.create_instance(rawrule)
# class AbiTestParseFromLog(AbiTest): # we'll never have log events for abi # class AbiTestParseFromLog(AbiTest): # we'll never have log events for abi

16
utils/test/test-alias.py
View File

@ -58,18 +58,16 @@ class AliasTestParse(AliasTest):
class AliasTestParseInvalid(AliasTest): class AliasTestParseInvalid(AliasTest):
tests = ( tests = (
# rawrule matches regex exception # exception matches regex
('alias ,', (False, AppArmorException)), ('alias ,', (AppArmorException, False)),
('alias /foo ,', (False, AppArmorException)), ('alias /foo ,', (AppArmorException, False)),
('alias /foo -> ,', (True, AppArmorException)), ('alias /foo -> ,', (AppArmorException, True)),
('alias -> /bar ,', (True, AppArmorException)), ('alias -> /bar ,', (AppArmorException, True)),
('/foo -> bar ,', (False, AppArmorException)), ('/foo -> bar ,', (AppArmorException, False)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertEqual(AliasRule.match(rawrule), expected[0]) self.parseInvalidRule(AliasRule, rawrule, expected)
with self.assertRaises(expected[1]):
AliasRule.create_instance(rawrule)
class AliasFromInit(AliasTest): class AliasFromInit(AliasTest):

21
utils/test/test-all.py
View File

@ -60,23 +60,16 @@ class AllTestParse(AllTest):
class AllTestParseInvalid(AllTest): class AllTestParseInvalid(AllTest):
tests = ( tests = (
('all -> ,', AppArmorException), # exception matches regex
('owner all,', AppArmorException), ('all -> ,', (AppArmorException, False)),
('all foo ,', AppArmorException), ('owner all,', (AppArmorException, False)),
('all foo ,', (AppArmorException, False)),
('priority=a all,', (AppArmorException, False)),
('priority=1042 all,', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertFalse(AllRule.match(rawrule)) self.parseInvalidRule(AllRule, rawrule, expected)
with self.assertRaises(expected):
AllRule.create_instance(rawrule)
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
AllRule.create_instance('priority=a all,')
def test_invalid_priority_2(self):
with self.assertRaises(AppArmorException):
AllRule.create_instance('priority=1042 all,')
# we won't ever support converting a log event to an 'all,' rule # we won't ever support converting a log event to an 'all,' rule

18
utils/test/test-boolean.py
View File

@ -61,20 +61,18 @@ class BooleanTestParse(BooleanTest):
class BooleanTestParseInvalid(BooleanTest): class BooleanTestParseInvalid(BooleanTest):
tests = ( tests = (
# rawrule matches regex exception # exception matches regex
('$foo =', (False, AppArmorException)), ('$foo =', (AppArmorException, False)),
('$ foo = # comment', (False, AppArmorException)), ('$ foo = # comment', (AppArmorException, False)),
('${foo = ', (False, AppArmorException)), ('${foo = ', (AppArmorException, False)),
# XXX RE_PROFILE_BOOLEAN allows a trailing comma even if the parser disallows it # XXX RE_PROFILE_BOOLEAN allows a trailing comma even if the parser disallows it
# ('$foo = true,', (True, AppArmorException)), # trailing comma # ('$foo = true,', (AppArmorException, True)), # trailing comma
# ('$foo = false , ', (True, AppArmorException)), # trailing comma # ('$foo = false , ', (AppArmorException, True)), # trailing comma
# ('$foo = true, # comment', (True, AppArmorException)), # trailing comma # ('$foo = true, # comment', (AppArmorException, True)), # trailing comma
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertEqual(BooleanRule.match(rawrule), expected[0]) self.parseInvalidRule(BooleanRule, rawrule, expected)
with self.assertRaises(expected[1]):
BooleanRule.create_instance(rawrule)
class BooleanFromInit(BooleanTest): class BooleanFromInit(BooleanTest):

5
utils/test/test-capability.py
View File

@ -250,10 +250,7 @@ class CapabilityTestParseInvalid(AATest):
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
exp_exception, matches_regex = expected self.parseInvalidRule(CapabilityRule, rawrule, expected)
self.assertEqual(matches_regex, CapabilityRule.match(rawrule)) # does the invalid rules still match the main regex?
with self.assertRaises(exp_exception):
CapabilityRule.create_instance(rawrule)
class InvalidCapabilityTest(AATest): class InvalidCapabilityTest(AATest):

7
utils/test/test-change_profile.py
View File

@ -84,7 +84,7 @@ class ChangeProfileTestParse(ChangeProfileTest):
class ChangeProfileTestParseInvalid(ChangeProfileTest): class ChangeProfileTestParseInvalid(ChangeProfileTest):
tests = ( tests = (
# rule exception, matches regex? # exception matches regex
('change_profile', (AppArmorException, False)), # missing comma ('change_profile', (AppArmorException, False)), # missing comma
('dbus,', (AppArmorException, False)), # not a change_profile rule ('dbus,', (AppArmorException, False)), # not a change_profile rule
('change_profile -> ,', (AppArmorException, False)), ('change_profile -> ,', (AppArmorException, False)),
@ -96,10 +96,7 @@ class ChangeProfileTestParseInvalid(ChangeProfileTest):
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
exp_exception, matches_regex = expected self.parseInvalidRule(ChangeProfileRule, rawrule, expected)
self.assertEqual(matches_regex, ChangeProfileRule.match(rawrule)) # does the invalid rules still match the main regex?
with self.assertRaises(exp_exception):
ChangeProfileRule.create_instance(rawrule)
class ChangeProfileTestParseFromLog(ChangeProfileTest): class ChangeProfileTestParseFromLog(ChangeProfileTest):

34
utils/test/test-dbus.py
View File

@ -109,28 +109,24 @@ class DbusTestParse(DbusTest):
class DbusTestParseInvalid(DbusTest): class DbusTestParseInvalid(DbusTest):
tests = ( tests = (
('dbus foo,', AppArmorException), # exception matches regex
('dbus foo bar,', AppArmorException), ('dbus foo,', (AppArmorException, True)),
('dbus foo int,', AppArmorException), ('dbus foo bar,', (AppArmorException, True)),
('dbus send bar,', AppArmorException), ('dbus foo int,', (AppArmorException, True)),
('dbus send receive,', AppArmorException), ('dbus send bar,', (AppArmorException, True)),
('dbus peer=,', AppArmorException), ('dbus send receive,', (AppArmorException, True)),
('dbus peer=(label=foo) path=,', AppArmorException), ('dbus peer=,', (AppArmorException, True)),
('dbus (invalid),', AppArmorException), ('dbus peer=(label=foo) path=,', (AppArmorException, True)),
('dbus peer=,', AppArmorException), ('dbus (invalid),', (AppArmorException, True)),
('dbus bus=session bind bus=system,', AppArmorException), ('dbus peer=,', (AppArmorException, True)),
('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', AppArmorException), ('dbus bus=session bind bus=system,', (AppArmorException, True)),
('priority=1042 dbus,', AppArmorException), ('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', (AppArmorException, True)),
('priority=a dbus,', (AppArmorException, False)),
('priority=1042 dbus,', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(DbusRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(DbusRule, rawrule, expected)
with self.assertRaises(expected):
DbusRule.create_instance(rawrule)
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
DbusRule.create_instance('priority=a dbus,')
class DbusTestParseFromLog(DbusTest): class DbusTestParseFromLog(DbusTest):

34
utils/test/test-file.py
View File

@ -111,28 +111,24 @@ class FileTestParse(FileTest):
class FileTestParseInvalid(FileTest): class FileTestParseInvalid(FileTest):
tests = ( tests = (
('/foo x,', AppArmorException), # should be *x # exception matches regex
('/foo raw,', AppArmorException), # r and a conflict ('/foo x,', (AppArmorException, True)), # should be *x
('deny /foo ix,', AppArmorException), # endy only allows x, but not *x ('/foo raw,', (AppArmorException, True)), # r and a conflict
('deny /foo Px,', AppArmorException), # deny only allows x, but not *x ('deny /foo ix,', (AppArmorException, True)), # endy only allows x, but not *x
('deny /foo Pi,', AppArmorException), # missing 'x', and P not allowed ('deny /foo Px,', (AppArmorException, True)), # deny only allows x, but not *x
('allow /foo x,', AppArmorException), # should be *x ('deny /foo Pi,', (AppArmorException, True)), # missing 'x', and P not allowed
('/foo Pxrix,', AppArmorException), # exec mode conflict ('allow /foo x,', (AppArmorException, True)), # should be *x
('/foo PixUx,', AppArmorException), # exec mode conflict ('/foo Pxrix,', (AppArmorException, True)), # exec mode conflict
('/foo PxUx,', AppArmorException), # exec mode conflict ('/foo PixUx,', (AppArmorException, True)), # exec mode conflict
('/foo PUxPix,', AppArmorException), # exec mode conflict ('/foo PxUx,', (AppArmorException, True)), # exec mode conflict
('/foo Pi,', AppArmorException), # missing 'x' ('/foo PUxPix,', (AppArmorException, True)), # exec mode conflict
('priority=-1042 file,', AppArmorException), # priority must be a number ('/foo Pi,', (AppArmorException, True)), # missing 'x'
('priority=-a file,', (AppArmorException, False)), # priority must be a number
('priority=-1042 file,', (AppArmorException, True)), # priority out of range
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(FileRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(FileRule, rawrule, expected)
with self.assertRaises(expected):
FileRule.create_instance(rawrule)
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
FileRule.create_instance('priority=a file,')
class FileTestNonMatch(AATest): class FileTestNonMatch(AATest):

15
utils/test/test-include.py
View File

@ -95,16 +95,17 @@ class IncludeTestParse(IncludeTest):
class IncludeTestParseInvalid(IncludeTest): class IncludeTestParseInvalid(IncludeTest):
tests = ( tests = (
# (' some #include if exists <abstractions/base>', AppArmorException), # exception matches regex
# (' /etc/fstab r,', AppArmorException), (' some #include if exists <abstractions/base>', (AppArmorException, False)),
# ('/usr/include r,', AppArmorException), (' /etc/fstab r,', (AppArmorException, False)),
# ('/include r,', AppArmorException), ('/usr/include r,', (AppArmorException, False)),
('/include r,', (AppArmorException, False)),
(' include <>', (AppArmorException, True)),
(' include ""', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(IncludeRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(IncludeRule, rawrule, expected)
with self.assertRaises(expected):
IncludeRule.create_instance(rawrule)
# class IncludeTestParseFromLog(IncludeTest): # we'll never have log events for includes # class IncludeTestParseFromLog(IncludeTest): # we'll never have log events for includes

25
utils/test/test-io_uring.py
View File

@ -48,25 +48,18 @@ class IOUringTestParse(AATest):
class IOUringTestParseInvalid(AATest): class IOUringTestParseInvalid(AATest):
tests = ( tests = (
('io_uring invalidaccess,', AppArmorException), # exception matches regex
('io_uring label=,', AppArmorException), ('io_uring invalidaccess,', (AppArmorException, True)),
('io_uring invalidaccess label=foo,', AppArmorException), ('io_uring label=,', (AppArmorException, True)),
('io_uring sqpoll label=,', AppArmorException), ('io_uring invalidaccess label=foo,', (AppArmorException, True)),
('priority=1042 io_uring,', AppArmorException), ('io_uring sqpoll label=,', (AppArmorException, True)),
('foo', (AppArmorException, False)),
('priority=a io_uring,', (AppArmorException, False)),
('priority=1042 io_uring,', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(IOUringRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(IOUringRule, rawrule, expected)
with self.assertRaises(expected):
IOUringRule.create_instance(rawrule)
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
IOUringRule.create_instance('priority=a io_uring,')
def test_parse_fail(self):
with self.assertRaises(AppArmorException):
IOUringRule.create_instance('foo,')
def test_diff_non_iouringrule(self): def test_diff_non_iouringrule(self):
exp = namedtuple('exp', ('audit', 'deny', 'priority')) exp = namedtuple('exp', ('audit', 'deny', 'priority'))

35
utils/test/test-mount.py
View File

@ -119,29 +119,24 @@ class MountTestParse(AATest):
class MountTestParseInvalid(AATest): class MountTestParseInvalid(AATest):
tests = ( tests = (
('mount fstype=,', AppArmorException), # exception matches regex
('mount fstype=(),', AppArmorException), ('mount fstype=,', (AppArmorException, True)),
('mount options=(),', AppArmorException), ('mount fstype=(),', (AppArmorException, True)),
('mount option=(invalid),', AppArmorException), ('mount options=(),', (AppArmorException, True)),
('mount option=(ext3ext4),', AppArmorException), ('mount option=(invalid),', (AppArmorException, True)),
('priority=-1042 umount,', AppArmorException), ('mount option=(ext3ext4),', (AppArmorException, True)),
('mount fstype=({unclosed_regex),', AppArmorException), # invalid AARE ('priority=-1042 umount,', (AppArmorException, True)),
('mount fstype=({closed}twice}),', AppArmorException), # invalid AARE ('mount fstype=({unclosed_regex),', (AppArmorException, True)), # invalid AARE
('mount fstype=({closed}twice}),', (AppArmorException, True)), # invalid AARE
('foo,', (AppArmorException, False)),
('priority=a mount,', (AppArmorException, False)),
('priority=a umount,', (AppArmorException, False)),
('priority=a unmount,', (AppArmorException, False)),
('priority=a remount,', (AppArmorException, False)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(MountRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(MountRule, rawrule, expected)
with self.assertRaises(expected):
MountRule.create_instance(rawrule)
def test_parse_fail(self):
with self.assertRaises(AppArmorException):
MountRule.create_instance('foo,')
def test_invalid_priority(self):
for keyword in ['mount', 'umount', 'unmount', 'remount']:
with self.assertRaises(AppArmorException):
MountRule.create_instance('priority=a %s,' % keyword)
def test_invalid_priority_1(self): def test_invalid_priority_1(self):
with self.assertRaises(TypeError): with self.assertRaises(TypeError):

33
utils/test/test-mqueue.py
View File

@ -57,29 +57,22 @@ class MessageQueueTestParse(AATest):
class MessageQueueTestParseInvalid(AATest): class MessageQueueTestParseInvalid(AATest):
tests = ( tests = (
('mqueue label=,', AppArmorException), # exception matches regex
('mqueue invalidaccess /queuename,', AppArmorException), ('mqueue label=,', (AppArmorException, True)),
('mqueue invalidqueuename,', AppArmorException), ('mqueue invalidaccess /queuename,', (AppArmorException, True)),
('mqueue invalidqueuename1234,', AppArmorException), ('mqueue invalidqueuename,', (AppArmorException, True)),
('mqueue foo label foo bar,', AppArmorException), ('mqueue invalidqueuename1234,', (AppArmorException, True)),
('mqueue type=,', AppArmorException), ('mqueue foo label foo bar,', (AppArmorException, True)),
('mqueue type=sysv /foo,', AppArmorException), ('mqueue type=,', (AppArmorException, True)),
('mqueue type=posix 1234,', AppArmorException), ('mqueue type=sysv /foo,', (AppArmorException, True)),
('priority=-1042 mqueue,', AppArmorException), ('mqueue type=posix 1234,', (AppArmorException, True)),
('priority=a mqueue,', (AppArmorException, False)),
('priority=-1042 mqueue,', (AppArmorException, True)),
('foo,', (AppArmorException, False)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(MessageQueueRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(MessageQueueRule, rawrule, expected)
with self.assertRaises(expected):
MessageQueueRule.create_instance(rawrule)
def test_parse_fail(self):
with self.assertRaises(AppArmorException):
MessageQueueRule.create_instance('foo,')
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
MessageQueueRule.create_instance('priority=a mqueue,')
def test_diff_non_mqueuerule(self): def test_diff_non_mqueuerule(self):
exp = namedtuple('exp', ('audit', 'deny', 'priority')) exp = namedtuple('exp', ('audit', 'deny', 'priority'))

36
utils/test/test-network.py
View File

@ -117,29 +117,25 @@ class NetworkTestParse(NetworkTest):
class NetworkTestParseInvalid(NetworkTest): class NetworkTestParseInvalid(NetworkTest):
tests = ( tests = (
('network foo,', AppArmorException), # exception matches regex
('network foo bar,', AppArmorException), ('network foo,', (AppArmorException, True)),
('network foo tcp,', AppArmorException), ('network foo bar,', (AppArmorException, True)),
('network inet bar,', AppArmorException), ('network foo tcp,', (AppArmorException, True)),
('network ip=999.999.999.999,', AppArmorException), ('network inet bar,', (AppArmorException, True)),
('network port=99999,', AppArmorException), ('network ip=999.999.999.999,', (AppArmorException, True)),
('network inet ip=in:va::li:d0,', AppArmorException), ('network port=99999,', (AppArmorException, True)),
('network inet ip=in:va::li:d0,', AppArmorException), ('network inet ip=in:va::li:d0,', (AppArmorException, True)),
('network inet ip=1:2:3:4:5:6:7:8:9:0:0:0,', AppArmorException), # too many segments ('network inet ip=in:va::li:d0,', (AppArmorException, True)),
('network inet peer=(ip=1:2:3:4:5:6:7:8:9:0:0:0),', AppArmorException), # too many segments ('network inet ip=1:2:3:4:5:6:7:8:9:0:0:0,', (AppArmorException, True)), # too many segments
('network packet ip=1::,', AppArmorException), # Only inet[6] domains can be used in conjunction with a local expression ('network inet peer=(ip=1:2:3:4:5:6:7:8:9:0:0:0),', (AppArmorException, True)), # too many segments
('network packet peer=(ip=1::),', AppArmorException), # Only inet[6] domains can be used in conjunction with a peer expression ('network packet ip=1::,', (AppArmorException, True)), # Only inet[6] domains can be used in conjunction with a local expression
('priority=-1042 network,', AppArmorException), ('network packet peer=(ip=1::),', (AppArmorException, True)), # Only inet[6] domains can be used in conjunction with a peer expression
('priority=a network,', (AppArmorException, False)),
('priority=-1042 network,', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(NetworkRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(NetworkRule, rawrule, expected)
with self.assertRaises(expected):
NetworkRule.create_instance(rawrule)
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
NetworkRule.create_instance('priority=a network,')
class NetworkTestParseFromLog(NetworkTest): class NetworkTestParseFromLog(NetworkTest):

26
utils/test/test-pivot_root.py
View File

@ -87,26 +87,18 @@ class PivotRootTestParse(PivotRootTest):
class PivotRootTestParseInvalid(PivotRootTest): class PivotRootTestParseInvalid(PivotRootTest):
tests = ( tests = (
('pivot_root foo,', AppArmorException), # exception matches regex
('pivot_root foo bar,', AppArmorException), ('pivot_root foo,', (AppArmorException, True)),
('pivot_root oldroot= ,', AppArmorException), ('pivot_root foo bar,', (AppArmorException, True)),
('pivot_root -> ,', AppArmorException), ('pivot_root oldroot= ,', (AppArmorException, True)),
('priority=-1042 pivot_root,', AppArmorException), ('pivot_root -> ,', (AppArmorException, True)),
('priority=a pivot_root,', (AppArmorException, False)),
('priority=-1042 pivot_root,', (AppArmorException, True)),
('pivot_rootbeer,', (AppArmorException, False))
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(PivotRootRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(PivotRootRule, rawrule, expected)
with self.assertRaises(expected):
PivotRootRule.create_instance(rawrule)
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
PivotRootRule.create_instance('priority=a pivot_root,')
def test_invalid_rule_name(self):
self.assertFalse(PivotRootRule.match('pivot_rootbeer,'))
with self.assertRaises(AppArmorException):
PivotRootRule.create_instance('pivot_rootbeer,')
class PivotRootTestParseFromLog(PivotRootTest): class PivotRootTestParseFromLog(PivotRootTest):

24
utils/test/test-ptrace.py
View File

@ -74,23 +74,19 @@ class PtraceTestParse(PtraceTest):
class PtraceTestParseInvalid(PtraceTest): class PtraceTestParseInvalid(PtraceTest):
tests = ( tests = (
('ptrace foo,', AppArmorException), # exception matches regex
('ptrace foo bar,', AppArmorException), ('ptrace foo,', (AppArmorException, True)),
('ptrace foo int,', AppArmorException), ('ptrace foo bar,', (AppArmorException, True)),
('ptrace read bar,', AppArmorException), ('ptrace foo int,', (AppArmorException, True)),
('ptrace read tracedby,', AppArmorException), ('ptrace read bar,', (AppArmorException, True)),
('ptrace peer=,', AppArmorException), ('ptrace read tracedby,', (AppArmorException, True)),
('priority=1042 ptrace,', AppArmorException), ('ptrace peer=,', (AppArmorException, True)),
('priority=a ptrace,', (AppArmorException, False)),
('priority=1042 ptrace,', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(PtraceRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(PtraceRule, rawrule, expected)
with self.assertRaises(expected):
PtraceRule.create_instance(rawrule)
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
PtraceRule.create_instance('priority=a ptrace,')
class PtraceTestParseFromLog(PtraceTest): class PtraceTestParseFromLog(PtraceTest):

29
utils/test/test-rlimit.py
View File

@ -77,24 +77,23 @@ class RlimitTestParse(RlimitTest):
class RlimitTestParseInvalid(RlimitTest): class RlimitTestParseInvalid(RlimitTest):
tests = ( tests = (
('set rlimit,', AppArmorException), # missing parts # exception matches regex
('set rlimit <= 5,', AppArmorException), ('set rlimit,', (AppArmorException, False)), # missing parts
('set rlimit cpu <= ,', AppArmorException), ('set rlimit <= 5,', (AppArmorException, False)),
('set rlimit cpu <= "",', AppArmorBug), # evil quoting trick ('set rlimit cpu <= ,', (AppArmorException, False)),
('set rlimit foo <= 5,', AppArmorException), # unknown rlimit ('set rlimit cpu <= "",', (AppArmorBug, True)), # evil quoting trick
('set rlimit rttime <= 60m,', AppArmorException), # 'm' could mean 'ms' or 'minutes' ('set rlimit foo <= 5,', (AppArmorException, True)), # unknown rlimit
('set rlimit cpu <= 20ms,', AppArmorException), # cpu doesn't support 'ms'... ('set rlimit rttime <= 60m,', (AppArmorException, True)), # 'm' could mean 'ms' or 'minutes'
('set rlimit cpu <= 20us,', AppArmorException), # ... or 'us' ('set rlimit cpu <= 20ms,', (AppArmorException, True)), # cpu doesn't support 'ms'...
('set rlimit nice <= 20MB,', AppArmorException), # invalid unit for this rlimit type ('set rlimit cpu <= 20us,', (AppArmorException, True)), # ... or 'us'
('set rlimit cpu <= 20MB,', AppArmorException), ('set rlimit nice <= 20MB,', (AppArmorException, True)), # invalid unit for this rlimit type
('set rlimit data <= 20seconds,', AppArmorException), ('set rlimit cpu <= 20MB,', (AppArmorException, True)),
('set rlimit locks <= 20seconds,', AppArmorException), ('set rlimit data <= 20seconds,', (AppArmorException, True)),
('set rlimit locks <= 20seconds,', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
# self.assertFalse(RlimitRule.match(rawrule)) # the main regex isn't very strict self.parseInvalidRule(RlimitRule, rawrule, expected)
with self.assertRaises(expected):
RlimitRule.create_instance(rawrule)
class RlimitTestParseFromLog(RlimitTest): class RlimitTestParseFromLog(RlimitTest):

30
utils/test/test-signal.py
View File

@ -75,26 +75,22 @@ class SignalTestParse(SignalTest):
class SignalTestParseInvalid(SignalTest): class SignalTestParseInvalid(SignalTest):
tests = ( tests = (
('signal foo,', AppArmorException), # exception matches regex
('signal foo bar,', AppArmorException), ('signal foo,', (AppArmorException, True)),
('signal foo int,', AppArmorException), ('signal foo bar,', (AppArmorException, True)),
('signal send bar,', AppArmorException), ('signal foo int,', (AppArmorException, True)),
('signal send receive,', AppArmorException), ('signal send bar,', (AppArmorException, True)),
('signal set=,', AppArmorException), ('signal send receive,', (AppArmorException, True)),
('signal set=int set=,', AppArmorException), ('signal set=,', (AppArmorException, True)),
('signal set=invalid,', AppArmorException), ('signal set=int set=,', (AppArmorException, True)),
('signal peer=,', AppArmorException), ('signal set=invalid,', (AppArmorException, True)),
('priority=-1042 signal,', AppArmorException), ('signal peer=,', (AppArmorException, True)),
('priority=a signal,', (AppArmorException, False)),
('priority=-1042 signal,', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(SignalRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(SignalRule, rawrule, expected)
with self.assertRaises(expected):
SignalRule.create_instance(rawrule)
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
SignalRule.create_instance('priority=a signal,')
class SignalTestParseFromLog(SignalTest): class SignalTestParseFromLog(SignalTest):

21
utils/test/test-unix.py
View File

@ -67,23 +67,16 @@ class UnixTestParse(AATest):
class UnixTestParseInvalid(AATest): class UnixTestParseInvalid(AATest):
tests = ( tests = (
('unix invalid,', AppArmorException), # exception matches regex
('unix (invalid),', AppArmorException), ('unix invalid,', (AppArmorException, True)),
('priority=1042 unix,', AppArmorException), ('unix (invalid),', (AppArmorException, True)),
('foo,', (AppArmorException, False)),
('priority=a unix,', (AppArmorException, False)),
('priority=1042 unix,', (AppArmorException, True)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(UnixRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(UnixRule, rawrule, expected)
with self.assertRaises(expected):
UnixRule.create_instance(rawrule)
def test_parse_fail(self):
with self.assertRaises(AppArmorException):
UnixRule.create_instance('foo,')
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
UnixRule.create_instance('priority=a unix,')
def test_invalid_priority_1(self): def test_invalid_priority_1(self):
with self.assertRaises(TypeError): with self.assertRaises(TypeError):

19
utils/test/test-userns.py
View File

@ -46,22 +46,15 @@ class UserNamespaceTestParse(AATest):
class UserNamespaceTestParseInvalid(AATest): class UserNamespaceTestParseInvalid(AATest):
tests = ( tests = (
('userns invalidaccess,', AppArmorException), # exception matches regex
('priority=1042 userns,', AppArmorException), ('userns invalidaccess,', (AppArmorException, True)),
('priority=a userns,', (AppArmorException, False)),
('priority=1042 userns,', (AppArmorException, True)),
('foo,', (AppArmorException, False)),
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertTrue(UserNamespaceRule.match(rawrule)) # the above invalid rules still match the main regex! self.parseInvalidRule(UserNamespaceRule, rawrule, expected)
with self.assertRaises(expected):
UserNamespaceRule.create_instance(rawrule)
def test_parse_fail(self):
with self.assertRaises(AppArmorException):
UserNamespaceRule.create_instance('foo,')
def test_invalid_priority(self):
with self.assertRaises(AppArmorException):
UserNamespaceRule.create_instance('priority=a userns,')
def test_diff_non_usernsrule(self): def test_diff_non_usernsrule(self):
exp = namedtuple('exp', ('audit', 'deny', 'priority')) exp = namedtuple('exp', ('audit', 'deny', 'priority'))

22
utils/test/test-variable.py
View File

@ -94,21 +94,19 @@ class VariableTestParse(VariableTest):
class VariableTestParseInvalid(VariableTest): class VariableTestParseInvalid(VariableTest):
tests = ( tests = (
# rawrule matches regex exception # exception matches regex
('@{foo} =', (False, AppArmorException)), ('@{foo} =', (AppArmorException, False)),
('@ {foo} = # comment', (False, AppArmorException)), ('@ {foo} = # comment', (AppArmorException, False)),
('@ {foo} = ', (False, AppArmorException)), ('@ {foo} = ', (AppArmorException, False)),
('@{foo} = /foo,', (True, AppArmorException)), # trailing comma ('@{foo} = /foo,', (AppArmorException, True)), # trailing comma
('@{foo} = /foo, ', (True, AppArmorException)), # trailing comma ('@{foo} = /foo, ', (AppArmorException, True)), # trailing comma
('@{foo} = /foo, # comment', (True, AppArmorException)), # trailing comma ('@{foo} = /foo, # comment', (AppArmorException, True)), # trailing comma
('@{foo} = /foo, /bar', (True, AppArmorException)), # trailing comma in first value ('@{foo} = /foo, /bar', (AppArmorException, True)), # trailing comma in first value
('@{foo = /foo f', (True, AppArmorException)), # variable name broken, missing } ('@{foo = /foo f', (AppArmorException, True)), # variable name broken, missing }
) )
def _run_test(self, rawrule, expected): def _run_test(self, rawrule, expected):
self.assertEqual(VariableRule.match(rawrule), expected[0]) self.parseInvalidRule(VariableRule, rawrule, expected)
with self.assertRaises(expected[1]):
VariableRule.create_instance(rawrule)
class VariableFromInit(VariableTest): class VariableFromInit(VariableTest):