mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity
apparmor/utils/test
History
John Johansen d4a76c456d Merge profiles: force read permission to their attachment path 
Unconfined delegates access to open file descriptors. Therefore when running a confined binary from unconfined, it will work even when the attachment path is not read-allowed.

However, as soon as these confined binaries are run from another confined process, this delegation is not permitted anymore and the program breaks.

This has been the cause of several bugs such as https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107455 or https://github.com/canonical/snapd/pull/15181 .

This MR makes sure every confining AppArmor profiles explicitly allow (at least) read access to their attachment path.

This Merge request:
 - Introduce `test_profile.sh`, a helper script that ensures confining AppArmor profiles explicitly allow (at least) read access to their attachment path.
 - Modifies a lot of profiles so that all profiles have r/mr access to their attachment path
 - Extends `make check` to automatically ensure all AppArmor profile grant explicit read access to their attachment path, preventing future omissions.
 - Modifies apparmor_parser to show attachment in --debug output

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1637
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
2025-04-28 12:02:18 +00:00
..
logprof
utils: Fix test-logprof.py for bin.ping profile
2025-04-18 12:41:56 +02:00
wtmp-examples
Add support for lastlog2 to get last login
2025-01-14 19:36:43 +01:00
cleanprof_test.complain
utils: fix cleanprof recursion error when child is defined out of parent
2025-04-01 16:48:24 -03:00
cleanprof_test.in
utils: fix cleanprof recursion error when child is defined out of parent
2025-04-01 16:48:24 -03:00
cleanprof_test.out
utils: fix cleanprof recursion error when child is defined out of parent
2025-04-01 16:48:24 -03:00
common_test.py
utils: remove the skip_*_profiles testing bypass
2025-02-27 16:48:46 -08:00
easyprof.conf
This patchset is broken into 4 parts:
2012-05-07 22:37:48 -07:00
logprof.conf
Stop calling ldd in aa-genprof and aa-autodep
2024-03-31 18:53:12 +02:00
Makefile
Allow overrides and preservation of some environment variables in utils make check
2025-01-22 11:10:41 -08:00
notify.conf
utils: supply a notify.conf for aa-notify tests
2025-04-03 12:20:10 -07:00
README.md
use new build_platlib path with setuptools >= 61.2
2022-07-16 17:47:18 +02:00
runtests-py3.sh
fix utils/test/runtests-py*.sh exitcode
2014-10-03 11:48:21 +02:00
severity_broken.db
Update perl abstraction, logprof.conf, severity.db and tests for Debian/Ubuntu
2014-08-20 19:14:24 -05:00
severity.db
Add aa-logprof test framework
2023-08-13 21:02:50 +02:00
task.yaml
Third iteration of spread support
2024-12-05 02:17:07 +01:00
test-aa-cli-bootstrap.py
Add option to log aa-logprof json input and output
2023-07-30 21:28:35 +02:00
test-aa-decode.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-aa-easyprof.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-aa-notify.py
utils/test/test-aa-notify.py: update last cmd for lxd VMs
2025-03-18 17:45:00 +10:30
test-aa.py
Drop now-unused split_to_merged() and its tests
2024-12-17 22:51:12 +01:00
test-aare.py
util: enhance AARE file path validation
2025-04-02 18:32:03 +02:00
test-abi.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-alias.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-all.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-baserule.py
utils: Simplify logparsing and rule creation from hashlog/event
2024-07-23 16:09:53 +00:00
test-boolean.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-capability.py
logparser: adding support for comm in capability events
2024-08-12 10:23:40 +02:00
test-change_profile.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-common.py
Change apparmor.common.combine_profname arguments from list to tuple literals.
2022-09-11 21:56:26 -04:00
test-config.py
Stop calling ldd in aa-genprof and aa-autodep
2024-03-31 18:53:12 +02:00
test-dbus.py
utils: Simplify logparsing and rule creation from hashlog/event
2024-07-23 16:09:53 +00:00
test-example.py
Order imports and module-level dunder name assignments.
2022-08-21 11:15:07 -04:00
test-file.py
test-file.py: don't expect translated file permissions
2024-09-17 14:44:20 +02:00
test-include.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-io_uring.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-libapparmor-test_multi.py
utils: fix cleanprof regression on header generation
2025-03-31 15:50:15 -03:00
test-logparser.py
logparser: Add tests for create_rule_from_ev
2024-08-13 11:35:58 +02:00
test-logprof.py
Merge profiles: allow fusermount3 to mount in directories used by flatpak (LP: 2100295)
2025-04-02 17:54:13 +00:00
test-minitools.py
utils: remove the skip_*_profiles testing bypass
2025-02-27 16:48:46 -08:00
test-mount.py
Check for mount rules with multiple 'fstype'
2025-04-06 15:19:30 +02:00
test-mqueue.py
MqueueRule: allow / as mqueue name
2024-07-21 16:00:18 +02:00
test-network.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-notify.py
Add support for lastlog2 to get last login
2025-01-14 19:36:43 +01:00
test-parser-simple-tests.py
Move the "unsafe" rules of front_perms_ok simple tests to separate test file
2025-04-10 11:19:05 -07:00
test-pivot_root.py
Add PivotRootRule class
2024-05-20 20:42:50 +02:00
test-profile-list.py
utils: remove the skip_*_profiles testing bypass
2025-02-27 16:48:46 -08:00
test-profile-storage.py
utils: add parent to external child profiles
2025-04-01 16:46:16 -03:00
test-profiles.py
utils: remove the skip_*_profiles testing bypass
2025-02-27 16:48:46 -08:00
test-ptrace.py
utils: Simplify logparsing and rule creation from hashlog/event
2024-07-23 16:09:53 +00:00
test-regex_matches.py
Drop useless code in test-regex_matches.py
2024-12-02 21:33:34 +01:00
test-rlimit.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00
test-severity.py
Change string formatting method in Python tests
2023-02-19 16:54:38 -05:00
test-signal.py
utils: Simplify logparsing and rule creation from hashlog/event
2024-07-23 16:09:53 +00:00
test-translations.py
test-translations: include "ignore" in exec prompts
2025-02-24 13:35:08 +01:00
test-unix.py
utils: fix unix qualifier clean rule generation
2025-04-17 20:39:58 -03:00
test-userns.py
utils: Simplify logparsing and rule creation from hashlog/event
2024-07-23 16:09:53 +00:00
test-variable.py
utils: fix coding style to match PEP8
2024-05-20 13:56:37 -03:00

README.md

Test data generated elsewhere

The tests in parser generate additional test profiles in parser/tst/simple_tests/: see gen-dbus.py and gen-xtrans.py.

utils/test/test-parser-simple-tests.py uses this test data when it is available. If this test data has not been generated, this test will not complain: it will simply exercise fewer test profiles.

Running individual tests

Python's unittest allows individual tests to be executed by specifying the class name and the test on the command line. When running tests individually, the unittest framework executes the "setUp" and "tearDown" methods automatically. For more information, refer to the unittest documentation.

Make sure to set the environment variables pointing to the in-tree apparmor modules, and the in-tree libapparmor and its python wrapper:

$ export PYTHONPATH=..:../../libraries/libapparmor/swig/python/build/$(/usr/bin/python3 ../../libraries/libapparmor/swig/python/test/buildpath.py)
$ export __AA_CONFDIR=.

To execute the test individually, run:

$ python3 ./test-tile.py ClassFoo.test_bar