mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00

Compare commits

...

6 Commits

Author SHA1 Message Date
Alex Murray
0c26459cfa Merge utils/test/test-profiles.py: Don't count profiles when USE_SYSTEM=1
If USE_SYSTEM=1 then we can't assume all the various profiles have been
installed and therefore that the counts of the profiles will be as expected. In
that case, simply testing that parsing the profiles occurs without errors is
sufficient.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/924
Merged-by: Alex Murray <alex.murray@canonical.com>
2025-08-21 15:15:58 +00:00
John Johansen
0e755d24bb Merge profiles: add authd socket to unix-chkpwd for authd PAM
Fixes: LP: #2120211

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1775
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-08-19 02:26:14 +00:00
John Johansen
db74dda3c6 Merge profiles: add /run/snapd.socket rule for curl
This ideally is a temporary fix because we do not want to allow all users
of curl to be able to access the snapd socket. However, this will work for
now until we can mediate the accesses better.

Fixes: LP: #2120669

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1774
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-08-18 23:54:40 +00:00
Ryan Lee
6f5a4219d7 profiles: add authd socket to unix-chkpwd for authd PAM
Fixes: LP: #2120211

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-08-18 16:31:35 -07:00
Ryan Lee
0e58e3d7fb profiles: add /run/snapd.socket rule for curl
This ideally is a temporary fix because we do not want to allow all users
of curl to be able to access the snapd socket. However, this will work for
now until we can mediate the accesses better.

Fixes: LP: #2120669

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
2025-08-18 12:15:40 -07:00
Alex Murray
262d305660 utils/test/test-profiles.py: Don't count profiles when USE_SYSTEM=1
If USE_SYSTEM=1 then we can't assume all the various profiles have been
installed and therefore that the counts of the profiles will be as expected. In
that case, simply testing that parsing the profiles occurs without errors is
sufficient.

Signed-off-by: Alex Murray <alex.murray@canonical.com>
2022-09-13 11:46:06 +09:30
3 changed files with 20 additions and 2 deletions


@ -42,6 +42,10 @@ profile curl /usr/bin/curl {
network inet6 stream,
network inet6 dgram,
# Allow access to the snap socket until we can revisit it with delegation
# or profile refactoring
file rw @{run}/snapd.socket,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/curl>
}
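Review bot: The comment above `file rw @{run}/snapd.socket,` calls the rule temporary but gives nothing to track it by. Please cite LP: #2120669 in that comment so the rule can be found and dropped once the delegation or profile refactoring it mentions is available. As written, the rule is unconditional, so every process confined by the `curl` profile gets read/write access to the snapd socket, not only the callers that need it; the comment should say that explicitly so a later reader does not take the rule as intended policy.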


@ -30,6 +30,9 @@ profile unix-chkpwd /{,usr/}{,s}bin/unix_chkpwd {
/run/host/userdb/*.user r,
/run/host/userdb/*.user-privileged r,
# authd socket for PAM
@{run}/authd.sock rw,
# file_inherit
owner /dev/tty[0-9]* rw,
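Review bot: The new `@{run}/authd.sock rw,` rule is documented only as "authd socket for PAM", which does not say why `unix_chkpwd` itself needs to connect to authd. The neighbouring userdb rules in this hunk are read-only, so this is the one path here that lets the helper talk to another service. Please expand the comment to name the PAM path that triggers the access and reference LP: #2120211, so the rule can be re-evaluated if authd's socket location or the PAM integration changes.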


@ -9,6 +9,7 @@
#
# ------------------------------------------------------------------
import os
import unittest
import apparmor.aa as aa
@ -25,12 +26,22 @@ class TestFoo(AATest):
def test_active_profiles(self):
aa.read_profiles()
self.assertGreaterEqual(len(aa.active_profiles.profile_names), 42)
# when using system apparmor then we haven't necessarily installed all
# the profiles so checking against a specific number may fail - instead
# it is sufficient that profiles were read without an exception being
# thrown above
if os.getenv("USE_SYSTEM", "0") != "1":
self.assertGreaterEqual(len(aa.active_profiles.profile_names), 42)
def test_extra_profiles(self):
aa.read_inactive_profiles()
self.assertGreaterEqual(len(aa.extra_profiles.profile_names), 100)
# when using system apparmor then we haven't necessarily installed all
# the profiles so checking against a specific number may fail - instead
# it is sufficient that profiles were read without an exception being
# thrown above
if os.getenv("USE_SYSTEM", "0") != "1":
self.assertGreaterEqual(len(aa.extra_profiles.profile_names), 100)
setup_aa(aa)
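Review bot: The `os.getenv("USE_SYSTEM", "0") != "1"` check and its four-line comment are repeated verbatim in `test_active_profiles` and `test_extra_profiles`. Read the variable once at module level, next to `import os`, and keep the explanation there, so both tests test one flag and the two copies cannot drift apart. Note also that with `USE_SYSTEM=1` neither test asserts anything after `aa.read_profiles()` or `aa.read_inactive_profiles()`, so a run that loads zero profiles without raising still passes; if that is intended, say so in the comment, otherwise consider a minimal non-empty check on `profile_names` in that mode.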