mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-22 18:17:09 +00:00
Merge Introduce AATest.parseInvalidRule()
... and change all *TestParseInvalid classes to use it, instead of having (nearly) the same function in every test-*.py. Also move tests not matching the rule regex into tests array (which now supports this case). While at it, enable the tests for abi and include rules. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1728 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Christian Boltz <apparmor@cboltz.de>
This commit is contained in:
Christian Boltz
commit
b2bfde5af0
@ -50,6 +50,14 @@ class AATest(unittest.TestCase):
|
||||
self.createTmpdir()
|
||||
return write_file(self.tmpdir, file, contents)
|
||||
|
||||
def parseInvalidRule(self, rule_class, rawrule, expected):
|
||||
''' verify that invalid rules raise an exception, and verify if they at least match the rule regex'''
|
||||
|
||||
exp_exception, matches_regex = expected
|
||||
self.assertEqual(matches_regex, rule_class.match(rawrule)) # does the invalid rules still match the main regex?
|
||||
with self.assertRaises(exp_exception):
|
||||
rule_class.create_instance(rawrule)
|
||||
|
||||
tests = ()
|
||||
tmpdir = None
|
||||
|
||||
|
||||
@ -64,17 +64,16 @@ class AbiTestParse(AbiTest):
|
||||
|
||||
|
||||
class AbiTestParseInvalid(AbiTest):
|
||||
# tests = (
|
||||
# (' some abi <abstractions/base>', AppArmorException),
|
||||
# (' /etc/fstab r,', AppArmorException),
|
||||
# ('/usr/abi r,', AppArmorException),
|
||||
# ('/abi r,', AppArmorException),
|
||||
# )
|
||||
tests = (
|
||||
# exception matches regex
|
||||
(' some abi <abstractions/base>', (AppArmorException, False)),
|
||||
(' /etc/fstab r,', (AppArmorException, False)),
|
||||
('/usr/abi r,', (AppArmorException, False)),
|
||||
('/abi r,', (AppArmorException, False)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(AbiRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
AbiRule.create_instance(rawrule)
|
||||
self.parseInvalidRule(AbiRule, rawrule, expected)
|
||||
|
||||
# class AbiTestParseFromLog(AbiTest): # we'll never have log events for abi
|
||||
|
||||
|
||||
@ -58,18 +58,16 @@ class AliasTestParse(AliasTest):
|
||||
|
||||
class AliasTestParseInvalid(AliasTest):
|
||||
tests = (
|
||||
# rawrule matches regex exception
|
||||
('alias ,', (False, AppArmorException)),
|
||||
('alias /foo ,', (False, AppArmorException)),
|
||||
('alias /foo -> ,', (True, AppArmorException)),
|
||||
('alias -> /bar ,', (True, AppArmorException)),
|
||||
('/foo -> bar ,', (False, AppArmorException)),
|
||||
# exception matches regex
|
||||
('alias ,', (AppArmorException, False)),
|
||||
('alias /foo ,', (AppArmorException, False)),
|
||||
('alias /foo -> ,', (AppArmorException, True)),
|
||||
('alias -> /bar ,', (AppArmorException, True)),
|
||||
('/foo -> bar ,', (AppArmorException, False)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertEqual(AliasRule.match(rawrule), expected[0])
|
||||
with self.assertRaises(expected[1]):
|
||||
AliasRule.create_instance(rawrule)
|
||||
self.parseInvalidRule(AliasRule, rawrule, expected)
|
||||
|
||||
|
||||
class AliasFromInit(AliasTest):
|
||||
|
||||
@ -60,23 +60,16 @@ class AllTestParse(AllTest):
|
||||
|
||||
class AllTestParseInvalid(AllTest):
|
||||
tests = (
|
||||
('all -> ,', AppArmorException),
|
||||
('owner all,', AppArmorException),
|
||||
('all foo ,', AppArmorException),
|
||||
# exception matches regex
|
||||
('all -> ,', (AppArmorException, False)),
|
||||
('owner all,', (AppArmorException, False)),
|
||||
('all foo ,', (AppArmorException, False)),
|
||||
('priority=a all,', (AppArmorException, False)),
|
||||
('priority=1042 all,', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertFalse(AllRule.match(rawrule))
|
||||
with self.assertRaises(expected):
|
||||
AllRule.create_instance(rawrule)
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
AllRule.create_instance('priority=a all,')
|
||||
|
||||
def test_invalid_priority_2(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
AllRule.create_instance('priority=1042 all,')
|
||||
self.parseInvalidRule(AllRule, rawrule, expected)
|
||||
|
||||
|
||||
# we won't ever support converting a log event to an 'all,' rule
|
||||
|
||||
@ -61,20 +61,18 @@ class BooleanTestParse(BooleanTest):
|
||||
|
||||
class BooleanTestParseInvalid(BooleanTest):
|
||||
tests = (
|
||||
# rawrule matches regex exception
|
||||
('$foo =', (False, AppArmorException)),
|
||||
('$ foo = # comment', (False, AppArmorException)),
|
||||
('${foo = ', (False, AppArmorException)),
|
||||
# exception matches regex
|
||||
('$foo =', (AppArmorException, False)),
|
||||
('$ foo = # comment', (AppArmorException, False)),
|
||||
('${foo = ', (AppArmorException, False)),
|
||||
# XXX RE_PROFILE_BOOLEAN allows a trailing comma even if the parser disallows it
|
||||
# ('$foo = true,', (True, AppArmorException)), # trailing comma
|
||||
# ('$foo = false , ', (True, AppArmorException)), # trailing comma
|
||||
# ('$foo = true, # comment', (True, AppArmorException)), # trailing comma
|
||||
# ('$foo = true,', (AppArmorException, True)), # trailing comma
|
||||
# ('$foo = false , ', (AppArmorException, True)), # trailing comma
|
||||
# ('$foo = true, # comment', (AppArmorException, True)), # trailing comma
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertEqual(BooleanRule.match(rawrule), expected[0])
|
||||
with self.assertRaises(expected[1]):
|
||||
BooleanRule.create_instance(rawrule)
|
||||
self.parseInvalidRule(BooleanRule, rawrule, expected)
|
||||
|
||||
|
||||
class BooleanFromInit(BooleanTest):
|
||||
|
||||
@ -250,10 +250,7 @@ class CapabilityTestParseInvalid(AATest):
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
exp_exception, matches_regex = expected
|
||||
self.assertEqual(matches_regex, CapabilityRule.match(rawrule)) # does the invalid rules still match the main regex?
|
||||
with self.assertRaises(exp_exception):
|
||||
CapabilityRule.create_instance(rawrule)
|
||||
self.parseInvalidRule(CapabilityRule, rawrule, expected)
|
||||
|
||||
|
||||
class InvalidCapabilityTest(AATest):
|
||||
|
||||
@ -84,7 +84,7 @@ class ChangeProfileTestParse(ChangeProfileTest):
|
||||
|
||||
class ChangeProfileTestParseInvalid(ChangeProfileTest):
|
||||
tests = (
|
||||
# rule exception, matches regex?
|
||||
# exception matches regex
|
||||
('change_profile', (AppArmorException, False)), # missing comma
|
||||
('dbus,', (AppArmorException, False)), # not a change_profile rule
|
||||
('change_profile -> ,', (AppArmorException, False)),
|
||||
@ -96,10 +96,7 @@ class ChangeProfileTestParseInvalid(ChangeProfileTest):
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
exp_exception, matches_regex = expected
|
||||
self.assertEqual(matches_regex, ChangeProfileRule.match(rawrule)) # does the invalid rules still match the main regex?
|
||||
with self.assertRaises(exp_exception):
|
||||
ChangeProfileRule.create_instance(rawrule)
|
||||
self.parseInvalidRule(ChangeProfileRule, rawrule, expected)
|
||||
|
||||
|
||||
class ChangeProfileTestParseFromLog(ChangeProfileTest):
|
||||
|
||||
@ -109,28 +109,24 @@ class DbusTestParse(DbusTest):
|
||||
|
||||
class DbusTestParseInvalid(DbusTest):
|
||||
tests = (
|
||||
('dbus foo,', AppArmorException),
|
||||
('dbus foo bar,', AppArmorException),
|
||||
('dbus foo int,', AppArmorException),
|
||||
('dbus send bar,', AppArmorException),
|
||||
('dbus send receive,', AppArmorException),
|
||||
('dbus peer=,', AppArmorException),
|
||||
('dbus peer=(label=foo) path=,', AppArmorException),
|
||||
('dbus (invalid),', AppArmorException),
|
||||
('dbus peer=,', AppArmorException),
|
||||
('dbus bus=session bind bus=system,', AppArmorException),
|
||||
('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', AppArmorException),
|
||||
('priority=1042 dbus,', AppArmorException),
|
||||
# exception matches regex
|
||||
('dbus foo,', (AppArmorException, True)),
|
||||
('dbus foo bar,', (AppArmorException, True)),
|
||||
('dbus foo int,', (AppArmorException, True)),
|
||||
('dbus send bar,', (AppArmorException, True)),
|
||||
('dbus send receive,', (AppArmorException, True)),
|
||||
('dbus peer=,', (AppArmorException, True)),
|
||||
('dbus peer=(label=foo) path=,', (AppArmorException, True)),
|
||||
('dbus (invalid),', (AppArmorException, True)),
|
||||
('dbus peer=,', (AppArmorException, True)),
|
||||
('dbus bus=session bind bus=system,', (AppArmorException, True)),
|
||||
('dbus bus=1 bus=2 bus=3 bus=4 bus=5 bus=6 bus=7,', (AppArmorException, True)),
|
||||
('priority=a dbus,', (AppArmorException, False)),
|
||||
('priority=1042 dbus,', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(DbusRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
DbusRule.create_instance(rawrule)
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
DbusRule.create_instance('priority=a dbus,')
|
||||
self.parseInvalidRule(DbusRule, rawrule, expected)
|
||||
|
||||
|
||||
class DbusTestParseFromLog(DbusTest):
|
||||
|
||||
@ -111,28 +111,24 @@ class FileTestParse(FileTest):
|
||||
|
||||
class FileTestParseInvalid(FileTest):
|
||||
tests = (
|
||||
('/foo x,', AppArmorException), # should be *x
|
||||
('/foo raw,', AppArmorException), # r and a conflict
|
||||
('deny /foo ix,', AppArmorException), # endy only allows x, but not *x
|
||||
('deny /foo Px,', AppArmorException), # deny only allows x, but not *x
|
||||
('deny /foo Pi,', AppArmorException), # missing 'x', and P not allowed
|
||||
('allow /foo x,', AppArmorException), # should be *x
|
||||
('/foo Pxrix,', AppArmorException), # exec mode conflict
|
||||
('/foo PixUx,', AppArmorException), # exec mode conflict
|
||||
('/foo PxUx,', AppArmorException), # exec mode conflict
|
||||
('/foo PUxPix,', AppArmorException), # exec mode conflict
|
||||
('/foo Pi,', AppArmorException), # missing 'x'
|
||||
('priority=-1042 file,', AppArmorException), # priority must be a number
|
||||
# exception matches regex
|
||||
('/foo x,', (AppArmorException, True)), # should be *x
|
||||
('/foo raw,', (AppArmorException, True)), # r and a conflict
|
||||
('deny /foo ix,', (AppArmorException, True)), # endy only allows x, but not *x
|
||||
('deny /foo Px,', (AppArmorException, True)), # deny only allows x, but not *x
|
||||
('deny /foo Pi,', (AppArmorException, True)), # missing 'x', and P not allowed
|
||||
('allow /foo x,', (AppArmorException, True)), # should be *x
|
||||
('/foo Pxrix,', (AppArmorException, True)), # exec mode conflict
|
||||
('/foo PixUx,', (AppArmorException, True)), # exec mode conflict
|
||||
('/foo PxUx,', (AppArmorException, True)), # exec mode conflict
|
||||
('/foo PUxPix,', (AppArmorException, True)), # exec mode conflict
|
||||
('/foo Pi,', (AppArmorException, True)), # missing 'x'
|
||||
('priority=-a file,', (AppArmorException, False)), # priority must be a number
|
||||
('priority=-1042 file,', (AppArmorException, True)), # priority out of range
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(FileRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
FileRule.create_instance(rawrule)
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
FileRule.create_instance('priority=a file,')
|
||||
self.parseInvalidRule(FileRule, rawrule, expected)
|
||||
|
||||
|
||||
class FileTestNonMatch(AATest):
|
||||
|
||||
@ -95,16 +95,17 @@ class IncludeTestParse(IncludeTest):
|
||||
|
||||
class IncludeTestParseInvalid(IncludeTest):
|
||||
tests = (
|
||||
# (' some #include if exists <abstractions/base>', AppArmorException),
|
||||
# (' /etc/fstab r,', AppArmorException),
|
||||
# ('/usr/include r,', AppArmorException),
|
||||
# ('/include r,', AppArmorException),
|
||||
# exception matches regex
|
||||
(' some #include if exists <abstractions/base>', (AppArmorException, False)),
|
||||
(' /etc/fstab r,', (AppArmorException, False)),
|
||||
('/usr/include r,', (AppArmorException, False)),
|
||||
('/include r,', (AppArmorException, False)),
|
||||
(' include <>', (AppArmorException, True)),
|
||||
(' include ""', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(IncludeRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
IncludeRule.create_instance(rawrule)
|
||||
self.parseInvalidRule(IncludeRule, rawrule, expected)
|
||||
|
||||
# class IncludeTestParseFromLog(IncludeTest): # we'll never have log events for includes
|
||||
|
||||
|
||||
@ -48,25 +48,18 @@ class IOUringTestParse(AATest):
|
||||
|
||||
class IOUringTestParseInvalid(AATest):
|
||||
tests = (
|
||||
('io_uring invalidaccess,', AppArmorException),
|
||||
('io_uring label=,', AppArmorException),
|
||||
('io_uring invalidaccess label=foo,', AppArmorException),
|
||||
('io_uring sqpoll label=,', AppArmorException),
|
||||
('priority=1042 io_uring,', AppArmorException),
|
||||
# exception matches regex
|
||||
('io_uring invalidaccess,', (AppArmorException, True)),
|
||||
('io_uring label=,', (AppArmorException, True)),
|
||||
('io_uring invalidaccess label=foo,', (AppArmorException, True)),
|
||||
('io_uring sqpoll label=,', (AppArmorException, True)),
|
||||
('foo', (AppArmorException, False)),
|
||||
('priority=a io_uring,', (AppArmorException, False)),
|
||||
('priority=1042 io_uring,', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(IOUringRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
IOUringRule.create_instance(rawrule)
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
IOUringRule.create_instance('priority=a io_uring,')
|
||||
|
||||
def test_parse_fail(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
IOUringRule.create_instance('foo,')
|
||||
self.parseInvalidRule(IOUringRule, rawrule, expected)
|
||||
|
||||
def test_diff_non_iouringrule(self):
|
||||
exp = namedtuple('exp', ('audit', 'deny', 'priority'))
|
||||
|
||||
@ -119,29 +119,24 @@ class MountTestParse(AATest):
|
||||
|
||||
class MountTestParseInvalid(AATest):
|
||||
tests = (
|
||||
('mount fstype=,', AppArmorException),
|
||||
('mount fstype=(),', AppArmorException),
|
||||
('mount options=(),', AppArmorException),
|
||||
('mount option=(invalid),', AppArmorException),
|
||||
('mount option=(ext3ext4),', AppArmorException),
|
||||
('priority=-1042 umount,', AppArmorException),
|
||||
('mount fstype=({unclosed_regex),', AppArmorException), # invalid AARE
|
||||
('mount fstype=({closed}twice}),', AppArmorException), # invalid AARE
|
||||
# exception matches regex
|
||||
('mount fstype=,', (AppArmorException, True)),
|
||||
('mount fstype=(),', (AppArmorException, True)),
|
||||
('mount options=(),', (AppArmorException, True)),
|
||||
('mount option=(invalid),', (AppArmorException, True)),
|
||||
('mount option=(ext3ext4),', (AppArmorException, True)),
|
||||
('priority=-1042 umount,', (AppArmorException, True)),
|
||||
('mount fstype=({unclosed_regex),', (AppArmorException, True)), # invalid AARE
|
||||
('mount fstype=({closed}twice}),', (AppArmorException, True)), # invalid AARE
|
||||
('foo,', (AppArmorException, False)),
|
||||
('priority=a mount,', (AppArmorException, False)),
|
||||
('priority=a umount,', (AppArmorException, False)),
|
||||
('priority=a unmount,', (AppArmorException, False)),
|
||||
('priority=a remount,', (AppArmorException, False)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(MountRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
MountRule.create_instance(rawrule)
|
||||
|
||||
def test_parse_fail(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
MountRule.create_instance('foo,')
|
||||
|
||||
def test_invalid_priority(self):
|
||||
for keyword in ['mount', 'umount', 'unmount', 'remount']:
|
||||
with self.assertRaises(AppArmorException):
|
||||
MountRule.create_instance('priority=a %s,' % keyword)
|
||||
self.parseInvalidRule(MountRule, rawrule, expected)
|
||||
|
||||
def test_invalid_priority_1(self):
|
||||
with self.assertRaises(TypeError):
|
||||
|
||||
@ -57,29 +57,22 @@ class MessageQueueTestParse(AATest):
|
||||
|
||||
class MessageQueueTestParseInvalid(AATest):
|
||||
tests = (
|
||||
('mqueue label=,', AppArmorException),
|
||||
('mqueue invalidaccess /queuename,', AppArmorException),
|
||||
('mqueue invalidqueuename,', AppArmorException),
|
||||
('mqueue invalidqueuename1234,', AppArmorException),
|
||||
('mqueue foo label foo bar,', AppArmorException),
|
||||
('mqueue type=,', AppArmorException),
|
||||
('mqueue type=sysv /foo,', AppArmorException),
|
||||
('mqueue type=posix 1234,', AppArmorException),
|
||||
('priority=-1042 mqueue,', AppArmorException),
|
||||
# exception matches regex
|
||||
('mqueue label=,', (AppArmorException, True)),
|
||||
('mqueue invalidaccess /queuename,', (AppArmorException, True)),
|
||||
('mqueue invalidqueuename,', (AppArmorException, True)),
|
||||
('mqueue invalidqueuename1234,', (AppArmorException, True)),
|
||||
('mqueue foo label foo bar,', (AppArmorException, True)),
|
||||
('mqueue type=,', (AppArmorException, True)),
|
||||
('mqueue type=sysv /foo,', (AppArmorException, True)),
|
||||
('mqueue type=posix 1234,', (AppArmorException, True)),
|
||||
('priority=a mqueue,', (AppArmorException, False)),
|
||||
('priority=-1042 mqueue,', (AppArmorException, True)),
|
||||
('foo,', (AppArmorException, False)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(MessageQueueRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
MessageQueueRule.create_instance(rawrule)
|
||||
|
||||
def test_parse_fail(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
MessageQueueRule.create_instance('foo,')
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
MessageQueueRule.create_instance('priority=a mqueue,')
|
||||
self.parseInvalidRule(MessageQueueRule, rawrule, expected)
|
||||
|
||||
def test_diff_non_mqueuerule(self):
|
||||
exp = namedtuple('exp', ('audit', 'deny', 'priority'))
|
||||
|
||||
@ -117,29 +117,25 @@ class NetworkTestParse(NetworkTest):
|
||||
|
||||
class NetworkTestParseInvalid(NetworkTest):
|
||||
tests = (
|
||||
('network foo,', AppArmorException),
|
||||
('network foo bar,', AppArmorException),
|
||||
('network foo tcp,', AppArmorException),
|
||||
('network inet bar,', AppArmorException),
|
||||
('network ip=999.999.999.999,', AppArmorException),
|
||||
('network port=99999,', AppArmorException),
|
||||
('network inet ip=in:va::li:d0,', AppArmorException),
|
||||
('network inet ip=in:va::li:d0,', AppArmorException),
|
||||
('network inet ip=1:2:3:4:5:6:7:8:9:0:0:0,', AppArmorException), # too many segments
|
||||
('network inet peer=(ip=1:2:3:4:5:6:7:8:9:0:0:0),', AppArmorException), # too many segments
|
||||
('network packet ip=1::,', AppArmorException), # Only inet[6] domains can be used in conjunction with a local expression
|
||||
('network packet peer=(ip=1::),', AppArmorException), # Only inet[6] domains can be used in conjunction with a peer expression
|
||||
('priority=-1042 network,', AppArmorException),
|
||||
# exception matches regex
|
||||
('network foo,', (AppArmorException, True)),
|
||||
('network foo bar,', (AppArmorException, True)),
|
||||
('network foo tcp,', (AppArmorException, True)),
|
||||
('network inet bar,', (AppArmorException, True)),
|
||||
('network ip=999.999.999.999,', (AppArmorException, True)),
|
||||
('network port=99999,', (AppArmorException, True)),
|
||||
('network inet ip=in:va::li:d0,', (AppArmorException, True)),
|
||||
('network inet ip=in:va::li:d0,', (AppArmorException, True)),
|
||||
('network inet ip=1:2:3:4:5:6:7:8:9:0:0:0,', (AppArmorException, True)), # too many segments
|
||||
('network inet peer=(ip=1:2:3:4:5:6:7:8:9:0:0:0),', (AppArmorException, True)), # too many segments
|
||||
('network packet ip=1::,', (AppArmorException, True)), # Only inet[6] domains can be used in conjunction with a local expression
|
||||
('network packet peer=(ip=1::),', (AppArmorException, True)), # Only inet[6] domains can be used in conjunction with a peer expression
|
||||
('priority=a network,', (AppArmorException, False)),
|
||||
('priority=-1042 network,', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(NetworkRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
NetworkRule.create_instance(rawrule)
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
NetworkRule.create_instance('priority=a network,')
|
||||
self.parseInvalidRule(NetworkRule, rawrule, expected)
|
||||
|
||||
|
||||
class NetworkTestParseFromLog(NetworkTest):
|
||||
|
||||
@ -87,26 +87,18 @@ class PivotRootTestParse(PivotRootTest):
|
||||
|
||||
class PivotRootTestParseInvalid(PivotRootTest):
|
||||
tests = (
|
||||
('pivot_root foo,', AppArmorException),
|
||||
('pivot_root foo bar,', AppArmorException),
|
||||
('pivot_root oldroot= ,', AppArmorException),
|
||||
('pivot_root -> ,', AppArmorException),
|
||||
('priority=-1042 pivot_root,', AppArmorException),
|
||||
# exception matches regex
|
||||
('pivot_root foo,', (AppArmorException, True)),
|
||||
('pivot_root foo bar,', (AppArmorException, True)),
|
||||
('pivot_root oldroot= ,', (AppArmorException, True)),
|
||||
('pivot_root -> ,', (AppArmorException, True)),
|
||||
('priority=a pivot_root,', (AppArmorException, False)),
|
||||
('priority=-1042 pivot_root,', (AppArmorException, True)),
|
||||
('pivot_rootbeer,', (AppArmorException, False))
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(PivotRootRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
PivotRootRule.create_instance(rawrule)
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
PivotRootRule.create_instance('priority=a pivot_root,')
|
||||
|
||||
def test_invalid_rule_name(self):
|
||||
self.assertFalse(PivotRootRule.match('pivot_rootbeer,'))
|
||||
with self.assertRaises(AppArmorException):
|
||||
PivotRootRule.create_instance('pivot_rootbeer,')
|
||||
self.parseInvalidRule(PivotRootRule, rawrule, expected)
|
||||
|
||||
|
||||
class PivotRootTestParseFromLog(PivotRootTest):
|
||||
|
||||
@ -74,23 +74,19 @@ class PtraceTestParse(PtraceTest):
|
||||
|
||||
class PtraceTestParseInvalid(PtraceTest):
|
||||
tests = (
|
||||
('ptrace foo,', AppArmorException),
|
||||
('ptrace foo bar,', AppArmorException),
|
||||
('ptrace foo int,', AppArmorException),
|
||||
('ptrace read bar,', AppArmorException),
|
||||
('ptrace read tracedby,', AppArmorException),
|
||||
('ptrace peer=,', AppArmorException),
|
||||
('priority=1042 ptrace,', AppArmorException),
|
||||
# exception matches regex
|
||||
('ptrace foo,', (AppArmorException, True)),
|
||||
('ptrace foo bar,', (AppArmorException, True)),
|
||||
('ptrace foo int,', (AppArmorException, True)),
|
||||
('ptrace read bar,', (AppArmorException, True)),
|
||||
('ptrace read tracedby,', (AppArmorException, True)),
|
||||
('ptrace peer=,', (AppArmorException, True)),
|
||||
('priority=a ptrace,', (AppArmorException, False)),
|
||||
('priority=1042 ptrace,', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(PtraceRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
PtraceRule.create_instance(rawrule)
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
PtraceRule.create_instance('priority=a ptrace,')
|
||||
self.parseInvalidRule(PtraceRule, rawrule, expected)
|
||||
|
||||
|
||||
class PtraceTestParseFromLog(PtraceTest):
|
||||
|
||||
@ -77,24 +77,23 @@ class RlimitTestParse(RlimitTest):
|
||||
|
||||
class RlimitTestParseInvalid(RlimitTest):
|
||||
tests = (
|
||||
('set rlimit,', AppArmorException), # missing parts
|
||||
('set rlimit <= 5,', AppArmorException),
|
||||
('set rlimit cpu <= ,', AppArmorException),
|
||||
('set rlimit cpu <= "",', AppArmorBug), # evil quoting trick
|
||||
('set rlimit foo <= 5,', AppArmorException), # unknown rlimit
|
||||
('set rlimit rttime <= 60m,', AppArmorException), # 'm' could mean 'ms' or 'minutes'
|
||||
('set rlimit cpu <= 20ms,', AppArmorException), # cpu doesn't support 'ms'...
|
||||
('set rlimit cpu <= 20us,', AppArmorException), # ... or 'us'
|
||||
('set rlimit nice <= 20MB,', AppArmorException), # invalid unit for this rlimit type
|
||||
('set rlimit cpu <= 20MB,', AppArmorException),
|
||||
('set rlimit data <= 20seconds,', AppArmorException),
|
||||
('set rlimit locks <= 20seconds,', AppArmorException),
|
||||
# exception matches regex
|
||||
('set rlimit,', (AppArmorException, False)), # missing parts
|
||||
('set rlimit <= 5,', (AppArmorException, False)),
|
||||
('set rlimit cpu <= ,', (AppArmorException, False)),
|
||||
('set rlimit cpu <= "",', (AppArmorBug, True)), # evil quoting trick
|
||||
('set rlimit foo <= 5,', (AppArmorException, True)), # unknown rlimit
|
||||
('set rlimit rttime <= 60m,', (AppArmorException, True)), # 'm' could mean 'ms' or 'minutes'
|
||||
('set rlimit cpu <= 20ms,', (AppArmorException, True)), # cpu doesn't support 'ms'...
|
||||
('set rlimit cpu <= 20us,', (AppArmorException, True)), # ... or 'us'
|
||||
('set rlimit nice <= 20MB,', (AppArmorException, True)), # invalid unit for this rlimit type
|
||||
('set rlimit cpu <= 20MB,', (AppArmorException, True)),
|
||||
('set rlimit data <= 20seconds,', (AppArmorException, True)),
|
||||
('set rlimit locks <= 20seconds,', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
# self.assertFalse(RlimitRule.match(rawrule)) # the main regex isn't very strict
|
||||
with self.assertRaises(expected):
|
||||
RlimitRule.create_instance(rawrule)
|
||||
self.parseInvalidRule(RlimitRule, rawrule, expected)
|
||||
|
||||
|
||||
class RlimitTestParseFromLog(RlimitTest):
|
||||
|
||||
@ -75,26 +75,22 @@ class SignalTestParse(SignalTest):
|
||||
|
||||
class SignalTestParseInvalid(SignalTest):
|
||||
tests = (
|
||||
('signal foo,', AppArmorException),
|
||||
('signal foo bar,', AppArmorException),
|
||||
('signal foo int,', AppArmorException),
|
||||
('signal send bar,', AppArmorException),
|
||||
('signal send receive,', AppArmorException),
|
||||
('signal set=,', AppArmorException),
|
||||
('signal set=int set=,', AppArmorException),
|
||||
('signal set=invalid,', AppArmorException),
|
||||
('signal peer=,', AppArmorException),
|
||||
('priority=-1042 signal,', AppArmorException),
|
||||
# exception matches regex
|
||||
('signal foo,', (AppArmorException, True)),
|
||||
('signal foo bar,', (AppArmorException, True)),
|
||||
('signal foo int,', (AppArmorException, True)),
|
||||
('signal send bar,', (AppArmorException, True)),
|
||||
('signal send receive,', (AppArmorException, True)),
|
||||
('signal set=,', (AppArmorException, True)),
|
||||
('signal set=int set=,', (AppArmorException, True)),
|
||||
('signal set=invalid,', (AppArmorException, True)),
|
||||
('signal peer=,', (AppArmorException, True)),
|
||||
('priority=a signal,', (AppArmorException, False)),
|
||||
('priority=-1042 signal,', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(SignalRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
SignalRule.create_instance(rawrule)
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
SignalRule.create_instance('priority=a signal,')
|
||||
self.parseInvalidRule(SignalRule, rawrule, expected)
|
||||
|
||||
|
||||
class SignalTestParseFromLog(SignalTest):
|
||||
|
||||
@ -67,23 +67,16 @@ class UnixTestParse(AATest):
|
||||
|
||||
class UnixTestParseInvalid(AATest):
|
||||
tests = (
|
||||
('unix invalid,', AppArmorException),
|
||||
('unix (invalid),', AppArmorException),
|
||||
('priority=1042 unix,', AppArmorException),
|
||||
# exception matches regex
|
||||
('unix invalid,', (AppArmorException, True)),
|
||||
('unix (invalid),', (AppArmorException, True)),
|
||||
('foo,', (AppArmorException, False)),
|
||||
('priority=a unix,', (AppArmorException, False)),
|
||||
('priority=1042 unix,', (AppArmorException, True)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(UnixRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
UnixRule.create_instance(rawrule)
|
||||
|
||||
def test_parse_fail(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
UnixRule.create_instance('foo,')
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
UnixRule.create_instance('priority=a unix,')
|
||||
self.parseInvalidRule(UnixRule, rawrule, expected)
|
||||
|
||||
def test_invalid_priority_1(self):
|
||||
with self.assertRaises(TypeError):
|
||||
|
||||
@ -46,22 +46,15 @@ class UserNamespaceTestParse(AATest):
|
||||
|
||||
class UserNamespaceTestParseInvalid(AATest):
|
||||
tests = (
|
||||
('userns invalidaccess,', AppArmorException),
|
||||
('priority=1042 userns,', AppArmorException),
|
||||
# exception matches regex
|
||||
('userns invalidaccess,', (AppArmorException, True)),
|
||||
('priority=a userns,', (AppArmorException, False)),
|
||||
('priority=1042 userns,', (AppArmorException, True)),
|
||||
('foo,', (AppArmorException, False)),
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertTrue(UserNamespaceRule.match(rawrule)) # the above invalid rules still match the main regex!
|
||||
with self.assertRaises(expected):
|
||||
UserNamespaceRule.create_instance(rawrule)
|
||||
|
||||
def test_parse_fail(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
UserNamespaceRule.create_instance('foo,')
|
||||
|
||||
def test_invalid_priority(self):
|
||||
with self.assertRaises(AppArmorException):
|
||||
UserNamespaceRule.create_instance('priority=a userns,')
|
||||
self.parseInvalidRule(UserNamespaceRule, rawrule, expected)
|
||||
|
||||
def test_diff_non_usernsrule(self):
|
||||
exp = namedtuple('exp', ('audit', 'deny', 'priority'))
|
||||
|
||||
@ -94,21 +94,19 @@ class VariableTestParse(VariableTest):
|
||||
|
||||
class VariableTestParseInvalid(VariableTest):
|
||||
tests = (
|
||||
# rawrule matches regex exception
|
||||
('@{foo} =', (False, AppArmorException)),
|
||||
('@ {foo} = # comment', (False, AppArmorException)),
|
||||
('@ {foo} = ', (False, AppArmorException)),
|
||||
('@{foo} = /foo,', (True, AppArmorException)), # trailing comma
|
||||
('@{foo} = /foo, ', (True, AppArmorException)), # trailing comma
|
||||
('@{foo} = /foo, # comment', (True, AppArmorException)), # trailing comma
|
||||
('@{foo} = /foo, /bar', (True, AppArmorException)), # trailing comma in first value
|
||||
('@{foo = /foo f', (True, AppArmorException)), # variable name broken, missing }
|
||||
# exception matches regex
|
||||
('@{foo} =', (AppArmorException, False)),
|
||||
('@ {foo} = # comment', (AppArmorException, False)),
|
||||
('@ {foo} = ', (AppArmorException, False)),
|
||||
('@{foo} = /foo,', (AppArmorException, True)), # trailing comma
|
||||
('@{foo} = /foo, ', (AppArmorException, True)), # trailing comma
|
||||
('@{foo} = /foo, # comment', (AppArmorException, True)), # trailing comma
|
||||
('@{foo} = /foo, /bar', (AppArmorException, True)), # trailing comma in first value
|
||||
('@{foo = /foo f', (AppArmorException, True)), # variable name broken, missing }
|
||||
)
|
||||
|
||||
def _run_test(self, rawrule, expected):
|
||||
self.assertEqual(VariableRule.match(rawrule), expected[0])
|
||||
with self.assertRaises(expected[1]):
|
||||
VariableRule.create_instance(rawrule)
|
||||
self.parseInvalidRule(VariableRule, rawrule, expected)
|
||||
|
||||
|
||||
class VariableFromInit(VariableTest):
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user