2
0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
apparmor/utils/test/test-profile-list.py
Christian Boltz 7451c341a6
add get_all_merged_variables()
This function returns a dict with all variables and their values for a
given profile file. It also checks for redefined variables, and adding
to non-existing variables, and errors out in both cases. Note that it
does not check the include order and is therefore more forgiving than
apparmor_parser.

Also add some tests for get_all_merged_variables().

Note: the tests are based on reading "real" profiles, therefore we need
to initialize apparmor.aa and call some of its functions.

The alternative would be to construct ProfileList objects for some
profiles and includes manually, but doing that in a way that can replace
the tests with "real" profiles would be quite some work, and I'm not
bored enough for that ;-)
2020-05-27 13:32:44 +02:00

363 lines
20 KiB
Python

#! /usr/bin/python3
# ------------------------------------------------------------------
#
# Copyright (C) 2018 Christian Boltz <apparmor@cboltz.de>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
import unittest
from common_test import AATest, setup_aa, setup_all_loops, write_file
import apparmor.aa
import os
import shutil
from apparmor.common import AppArmorBug, AppArmorException
from apparmor.profile_list import ProfileList
from apparmor.rule.abi import AbiRule
from apparmor.rule.include import IncludeRule
from apparmor.rule.variable import VariableRule
class TestAdd_profile(AATest):
def AASetup(self):
self.pl = ProfileList()
def testEmpty(self):
self.assertEqual(self.pl.profile_names, {})
self.assertEqual(self.pl.attachments, {})
self.assertEqual('%s' % self.pl, "\n".join(['', '<ProfileList>', '', '</ProfileList>', '']))
def testAdd_profile_1(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.assertEqual(self.pl.profile_names, {'foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.attachments, {'/bin/foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.profiles_in_file('/etc/apparmor.d/bin.foo'), ['foo'])
self.assertEqual('%s' % self.pl, '\n<ProfileList>\n/etc/apparmor.d/bin.foo\n</ProfileList>\n')
def testAdd_profile_2(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', None, '/bin/foo')
self.assertEqual(self.pl.profile_names, {})
self.assertEqual(self.pl.attachments, {'/bin/foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.profiles_in_file('/etc/apparmor.d/bin.foo'), ['/bin/foo'])
self.assertEqual('%s' % self.pl, '\n<ProfileList>\n/etc/apparmor.d/bin.foo\n</ProfileList>\n')
def testAdd_profile_3(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', None)
self.assertEqual(self.pl.profile_names, {'foo': '/etc/apparmor.d/bin.foo'})
self.assertEqual(self.pl.attachments, {})
self.assertEqual(self.pl.profiles_in_file('/etc/apparmor.d/bin.foo'), ['foo'])
self.assertEqual('%s' % self.pl, '\n<ProfileList>\n/etc/apparmor.d/bin.foo\n</ProfileList>\n')
def testAdd_profileError_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_profile('', 'foo', '/bin/foo') # no filename
def testAdd_profileError_2(self):
with self.assertRaises(AppArmorBug):
self.pl.add_profile('/etc/apparmor.d/bin.foo', None, None) # neither attachment or profile name
def testAdd_profileError_list_nonexisting_file(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', None)
with self.assertRaises(AppArmorBug):
self.pl.profiles_in_file('/etc/apparmor.d/not.found') # different filename
def testAdd_profileError_twice_1(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAdd_profileError_twice_2(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', None)
def testAdd_profileError_twice_3(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', None, '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAdd_profileError_twice_4(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', None, '/bin/foo')
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
def testAdd_profileError_twice_5(self):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', None)
with self.assertRaises(AppArmorException):
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
class TestFilename_from_profile_name(AATest):
tests = [
('foo', '/etc/apparmor.d/bin.foo'),
('/bin/foo', None),
('bar', None),
('/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/etc/apparmor.d/usr.bin.wine'),
('/usr/lib/wine/bin/wine-preloader-staging-foo', None), # no AARE matching for profile names
]
def AASetup(self):
self.pl = ProfileList()
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add_profile('/etc/apparmor.d/usr.bin.wine', '/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}')
def _run_test(self, params, expected):
self.assertEqual(self.pl.filename_from_profile_name(params), expected)
class TestFilename_from_attachment(AATest):
tests = [
('/bin/foo', '/etc/apparmor.d/bin.foo'),
('/bin/baz', '/etc/apparmor.d/bin.baz'),
('/bin/foobar', '/etc/apparmor.d/bin.foobar'),
('@{foo}', None), # XXX variables not supported yet (and @{foo} isn't defined in this test)
('/bin/404', None),
('/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/etc/apparmor.d/usr.bin.wine'), # XXX should this really match, or should attachment matching only use AARE?
('/usr/lib/wine/bin/wine-preloader-staging-foo', '/etc/apparmor.d/usr.bin.wine'), # AARE match
]
def AASetup(self):
self.pl = ProfileList()
self.pl.add_profile('/etc/apparmor.d/bin.foo', 'foo', '/bin/foo')
self.pl.add_profile('/etc/apparmor.d/bin.baz', 'baz', '/bin/ba*')
self.pl.add_profile('/etc/apparmor.d/bin.foobar', 'foobar', '/bin/foo{bar,baz}')
self.pl.add_profile('/etc/apparmor.d/usr.bin.wine', '/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}', '/usr{,{/lib,/lib32,/lib64}/wine}/bin/wine{,-preloader,server}{,-staging-*,-vanilla-*}')
def _run_test(self, params, expected):
self.assertEqual(self.pl.filename_from_attachment(params), expected)
def test_non_path_attachment(self):
with self.assertRaises(AppArmorBug):
self.pl.filename_from_attachment('foo')
class TestAdd_inc_ie(AATest):
def AASetup(self):
self.pl = ProfileList()
def testAdd_inc_ie_1(self):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo', IncludeRule('tunables/global', False, True))
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['include <tunables/global>', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['include <tunables/global>', ''])
def testAdd_inc_ie_2(self):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo', IncludeRule('tunables/global', False, True))
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo', IncludeRule('tunables/dovecot', False, True))
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['include <tunables/global>', 'include <tunables/dovecot>', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['include <tunables/global>', 'include <tunables/dovecot>', ''])
def testAdd_inc_ie_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo', 'tunables/global') # str insteadd of IncludeRule
self.assertEqual(list(self.pl.files.keys()), [])
def test_dedup_inc_ie_1(self):
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo', IncludeRule.parse('include <tunables/global>'))
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo', IncludeRule.parse('#include if exists <tunables/global> # comment'))
self.pl.add_inc_ie('/etc/apparmor.d/bin.foo', IncludeRule.parse(' #include <tunables/global> '))
deleted = self.pl.delete_preamble_duplicates('/etc/apparmor.d/bin.foo')
self.assertEqual(deleted, 2)
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['include <tunables/global>', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['include <tunables/global>', ''])
def test_dedup_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.delete_preamble_duplicates('/file/not/found')
self.assertEqual(list(self.pl.files.keys()), [])
class TestAdd_abi(AATest):
def AASetup(self):
self.pl = ProfileList()
def testAdd_abi_1(self):
self.pl.add_abi('/etc/apparmor.d/bin.foo', AbiRule('abi/4.19', False, True))
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['abi <abi/4.19>,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['abi <abi/4.19>,', ''])
def testAdd_abi_2(self):
self.pl.add_abi('/etc/apparmor.d/bin.foo', AbiRule('abi/4.19', False, True))
self.pl.add_abi('/etc/apparmor.d/bin.foo', AbiRule('foo', False, False))
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['abi <abi/4.19>,', 'abi "foo",', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['abi <abi/4.19>,', 'abi "foo",', ''])
def testAdd_abi_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_abi('/etc/apparmor.d/bin.foo', 'abi/4.19') # str insteadd of AbiRule
self.assertEqual(list(self.pl.files.keys()), [])
def test_dedup_abi_1(self):
self.pl.add_abi('/etc/apparmor.d/bin.foo', AbiRule.parse('abi <abi/4.19>,'))
self.pl.add_abi('/etc/apparmor.d/bin.foo', AbiRule.parse(' abi <abi/4.19> , # comment'))
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
deleted = self.pl.delete_preamble_duplicates('/etc/apparmor.d/bin.foo')
self.assertEqual(deleted, 1)
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['abi <abi/4.19>,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['abi <abi/4.19>,', ''])
class TestAdd_alias(AATest):
def AASetup(self):
self.pl = ProfileList()
def testAdd_alias_1(self):
self.pl.add_alias('/etc/apparmor.d/bin.foo', '/foo', '/bar')
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['alias /foo -> /bar,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['alias /foo -> /bar,', ''])
def testAdd_alias_2(self):
self.pl.add_alias('/etc/apparmor.d/bin.foo', '/foo', '/bar')
self.pl.add_alias('/etc/apparmor.d/bin.foo', '/xyz', '/zyx')
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['alias /foo -> /bar,', 'alias /xyz -> /zyx,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['alias /foo -> /bar,', 'alias /xyz -> /zyx,', ''])
def testAdd_alias_dupe(self):
self.pl.add_alias('/etc/apparmor.d/bin.foo', '/foo', '/bar')
# parser allows re-defining aliases
# with self.assertRaises(AppArmorException):
# self.pl.add_alias('/etc/apparmor.d/bin.foo', '/foo', '/redefine') # attempt to redefine alias
self.pl.add_alias('/etc/apparmor.d/bin.foo', '/foo', '/redefine') # redefine alias
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['alias /foo -> /redefine,', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['alias /foo -> /redefine,', ''])
def testAdd_alias_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_alias('/etc/apparmor.d/bin.foo', None, '/foo') # alias None insteadd of str
self.assertEqual(list(self.pl.files.keys()), [])
def testAdd_alias_error_2(self):
with self.assertRaises(AppArmorBug):
self.pl.add_alias('/etc/apparmor.d/bin.foo', '/foo', None) # target None insteadd of str
self.assertEqual(list(self.pl.files.keys()), [])
# def test_dedup_alias_1(self):
# TODO: implement after fixing alias handling (when a profile has two aliases with the same path on the left side)
class TestAdd_variable(AATest):
def AASetup(self):
self.pl = ProfileList()
def testAdd_variable_1(self):
self.pl.add_variable('/etc/apparmor.d/bin.foo', VariableRule('@{foo}', '=', {'/foo'}))
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['@{foo} = /foo', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['@{foo} = /foo', ''])
def testAdd_variable_2(self):
self.pl.add_variable('/etc/apparmor.d/bin.foo', VariableRule('@{foo}', '=', {'/foo'}))
self.pl.add_variable('/etc/apparmor.d/bin.foo', VariableRule('@{bar}', '=', {'/bar'}))
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['@{foo} = /foo', '@{bar} = /bar', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['@{foo} = /foo', '@{bar} = /bar', ''])
def testAdd_variable_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.add_variable('/etc/apparmor.d/bin.foo', '@{foo}') # str insteadd of IncludeRule
self.assertEqual(list(self.pl.files.keys()), [])
def test_dedup_variable_1(self):
self.pl.add_variable('/etc/apparmor.d/bin.foo', VariableRule.parse('@{foo} = /foo'))
self.pl.add_variable('/etc/apparmor.d/bin.foo', VariableRule.parse('@{foo} += /bar # comment'))
self.pl.add_variable('/etc/apparmor.d/bin.foo', VariableRule.parse('@{foo} += /bar /baz'))
deleted = self.pl.delete_preamble_duplicates('/etc/apparmor.d/bin.foo')
self.assertEqual(deleted, 1)
self.assertEqual(list(self.pl.files.keys()), ['/etc/apparmor.d/bin.foo'])
self.assertEqual(self.pl.get_clean('/etc/apparmor.d/bin.foo'), ['@{foo} = /foo', '@{foo} += /bar /baz', ''])
self.assertEqual(self.pl.get_raw('/etc/apparmor.d/bin.foo'), ['@{foo} = /foo', '@{foo} += /bar /baz', ''])
def test_dedup_error_1(self):
with self.assertRaises(AppArmorBug):
self.pl.delete_preamble_duplicates('/file/not/found')
self.assertEqual(list(self.pl.files.keys()), [])
class TestGet(AATest):
def AASetup(self):
self.pl = ProfileList()
def testGet_clean_error(self):
with self.assertRaises(AppArmorBug):
self.pl.get_clean('/etc/apparmor.d/not.found')
def testGet_raw_error(self):
with self.assertRaises(AppArmorBug):
self.pl.get_raw('/etc/apparmor.d/not.found')
class AaTest_get_all_merged_variables(AATest):
tests = []
def AASetup(self):
self.createTmpdir()
# copy the local profiles to the test directory
self.profile_dir = '%s/profiles' % self.tmpdir
apparmor.aa.profile_dir = self.profile_dir
shutil.copytree('../../profiles/apparmor.d/', self.profile_dir, symlinks=True)
def _load_profiles(self):
apparmor.aa.reset_aa()
# load the profiles and abstractions
apparmor.aa.profiledir = self.profile_dir
apparmor.aa.loadincludes()
apparmor.aa.read_profiles()
def test_unchanged(self):
self._load_profiles()
prof_filename = os.path.join(self.profile_dir, 'usr.sbin.dnsmasq')
vars = apparmor.aa.active_profiles.get_all_merged_variables(os.path.join(self.profile_dir, 'usr.sbin.dnsmasq'), apparmor.aa.include_list_recursive(apparmor.aa.active_profiles.files[prof_filename]), self.profile_dir)
self.assertEqual(vars['@{TFTP_DIR}'], {'/var/tftp', '/srv/tftp', '/srv/tftpboot'})
self.assertEqual(vars['@{HOME}'], {'@{HOMEDIRS}/*/', '/root/'})
def test_extended_home(self):
write_file(self.profile_dir, 'tunables/home.d/extend_home', '@{HOME} += /my/castle/')
self._load_profiles()
prof_filename = os.path.join(self.profile_dir, 'usr.sbin.dnsmasq')
vars = apparmor.aa.active_profiles.get_all_merged_variables(os.path.join(self.profile_dir, 'usr.sbin.dnsmasq'), apparmor.aa.include_list_recursive(apparmor.aa.active_profiles.files[prof_filename]), self.profile_dir)
self.assertEqual(vars['@{TFTP_DIR}'], {'/var/tftp', '/srv/tftp', '/srv/tftpboot'})
self.assertEqual(vars['@{HOME}'], {'@{HOMEDIRS}/*/', '/root/', '/my/castle/'})
def test_extended_home_2(self):
write_file(self.profile_dir, 'tunables/home.d/extend_home', '@{HOME} += /my/castle/')
write_file(self.profile_dir, 'tunables/home.d/moving_around', '@{HOME} += /on/the/road/')
self._load_profiles()
prof_filename = os.path.join(self.profile_dir, 'usr.sbin.dnsmasq')
vars = apparmor.aa.active_profiles.get_all_merged_variables(os.path.join(self.profile_dir, 'usr.sbin.dnsmasq'), apparmor.aa.include_list_recursive(apparmor.aa.active_profiles.files[prof_filename]), self.profile_dir)
self.assertEqual(vars['@{TFTP_DIR}'], {'/var/tftp', '/srv/tftp', '/srv/tftpboot'})
self.assertEqual(vars['@{HOME}'], {'@{HOMEDIRS}/*/', '/root/', '/my/castle/', '/on/the/road/'})
def test_extend_home_in_mainfile(self):
write_file(self.profile_dir, 'tunables/home.d/extend_home', '@{HOME} += /my/castle/')
write_file(self.profile_dir, 'dummy_profile', 'include <tunables/global>\n@{HOME} += /in/the/profile/')
self._load_profiles()
prof_filename = os.path.join(self.profile_dir, 'dummy_profile')
vars = apparmor.aa.active_profiles.get_all_merged_variables(os.path.join(self.profile_dir, 'dummy_profile'), apparmor.aa.include_list_recursive(apparmor.aa.active_profiles.files[prof_filename]), self.profile_dir)
self.assertEqual(vars.get('@{TFTP_DIR}', None), None)
self.assertEqual(vars['@{HOME}'], {'@{HOMEDIRS}/*/', '/root/', '/my/castle/', '/in/the/profile/'})
def test_redefine_home(self):
write_file(self.profile_dir, 'tunables/home.d/overwrite_home', '@{HOME} = /my/castle/') # note: =, not +=
self._load_profiles()
prof_filename = os.path.join(self.profile_dir, 'usr.sbin.dnsmasq')
with self.assertRaises(AppArmorException):
apparmor.aa.active_profiles.get_all_merged_variables(os.path.join(self.profile_dir, 'usr.sbin.dnsmasq'), apparmor.aa.include_list_recursive(apparmor.aa.active_profiles.files[prof_filename]), self.profile_dir)
def test_add_to_nonexisting(self):
write_file(self.profile_dir, 'tunables/home.d/no_such_var', '@{NO_SUCH_HOME} += /my/castle/') # add to non-existing variable
self._load_profiles()
prof_filename = os.path.join(self.profile_dir, 'usr.sbin.dnsmasq')
with self.assertRaises(AppArmorException):
apparmor.aa.active_profiles.get_all_merged_variables(os.path.join(self.profile_dir, 'usr.sbin.dnsmasq'), apparmor.aa.include_list_recursive(apparmor.aa.active_profiles.files[prof_filename]), self.profile_dir)
setup_aa(apparmor.aa)
setup_all_loops(__name__)
if __name__ == '__main__':
unittest.main(verbosity=1)