merge script handling into get_interpreter_and_abstraction()

Both create_new_profile() and handle_children() check if the given exec
target is a script and add permissions for the interpreter and a
matching abstraction.

This patch merges that into the get_interpreter_and_abstraction()
function and changes create_new_profile() and handle_children() to use
this function.

A nice side effect is that handle_children() now knows more abstractions
(its original list was incomplete).
The behaviour of create_new_profile() doesn't change.

Also add tests for get_interpreter_and_abstraction() to make sure it
does what we expect.


Acked-by: Kshitij Gupta <kgupta8592@gmail.com>

Bug: https://launchpad.net/bugs/1505775

utils/test/test-aa.py

@@ -13,7 +13,9 @@ import unittest
 from common_test import AATest, setup_all_loops
 from common_test import read_file, write_file
 
-from apparmor.aa import (check_for_apparmor, create_new_profile,
+import os
+
+from apparmor.aa import (check_for_apparmor, get_interpreter_and_abstraction, create_new_profile,
      get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir,
      parse_profile_start, parse_profile_data, separate_vars, store_list_var, write_header, serialize_parse_profile_start)
 from apparmor.common import AppArmorException, AppArmorBug
@@ -97,6 +99,47 @@ class AaTest_create_new_profile(AATest):
         else:
             self.assertEqual(profile[program][program]['include'].keys(), {'abstractions/base'})
 
+class AaTest_get_interpreter_and_abstraction(AATest):
+    tests = [
+        ('#!/bin/bash',             ('/bin/bash',           'abstractions/bash')),
+        ('#!/bin/dash',             ('/bin/dash',           'abstractions/bash')),
+        ('#!/bin/sh',               ('/bin/sh',             'abstractions/bash')),
+        ('#!  /bin/sh  ',           ('/bin/sh',             'abstractions/bash')),
+        ('#!/usr/bin/perl',         ('/usr/bin/perl',       'abstractions/perl')),
+        ('#!/usr/bin/python',       ('/usr/bin/python',     'abstractions/python')),
+        ('#!/usr/bin/python2',      ('/usr/bin/python2',    'abstractions/python')),
+        ('#!/usr/bin/python2.7',    ('/usr/bin/python2.7',  'abstractions/python')),
+        ('#!/usr/bin/python3',      ('/usr/bin/python3',    'abstractions/python')),
+        ('#!/usr/bin/python4',      ('/usr/bin/python4',    None)),  # python abstraction is only applied to py2 and py3
+        ('#!/usr/bin/ruby',         ('/usr/bin/ruby',       'abstractions/ruby')),
+        ('#!/usr/bin/foobarbaz',    ('/usr/bin/foobarbaz',  None)),  # we don't have an abstraction for "foobarbaz"
+        ('foo',                     (None,                  None)),  # no hashbang - not a script
+    ]
+
+    def _run_test(self, params, expected):
+        exp_interpreter_path, exp_abstraction = expected
+
+        program = self.writeTmpfile('program', "%s\nfoo\nbar" % params)
+        interpreter_path, abstraction = get_interpreter_and_abstraction(program)
+
+        # damn symlinks!
+        if exp_interpreter_path and os.path.islink(exp_interpreter_path):
+            dirname = os.path.dirname(exp_interpreter_path)
+            exp_interpreter_path = os.readlink(exp_interpreter_path)
+            if not exp_interpreter_path.startswith('/'):
+                exp_interpreter_path = os.path.join(dirname, exp_interpreter_path)
+
+        self.assertEqual(interpreter_path, exp_interpreter_path)
+        self.assertEqual(abstraction, exp_abstraction)
+
+    def test_special_file(self):
+        self.assertEqual((None, None), get_interpreter_and_abstraction('/dev/null'))
+
+    def test_file_not_found(self):
+        self.createTmpdir()
+        self.assertEqual((None, None), get_interpreter_and_abstraction('%s/file-not-found' % self.tmpdir))
+
+
 class AaTest_get_profile_flags(AaTestWithTempdir):
     def _test_get_flags(self, profile_header, expected_flags):
         file = write_file(self.tmpdir, 'profile', '%s {\n}\n' % profile_header)