On Sun, Dec 27, 2015 at 04:08:49PM +0100, Christian Boltz wrote: > Hello, > > $subject. > > The tests include the two tests from test-dbus_parse.py, therefore > delete this file. > > As usual, we have 100% coverage :-) > > Also addd an explicit str() conversion to common_test.py to avoid > TypeError: not all arguments converted during string formatting > > > > [ 56-add-test-dbus.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks (Also, where do I send a bill to buy a larger monitor? :) > > --- utils/test/test-dbus.py 2015-12-27 00:13:43.570046876 +0100 > +++ utils/test/test-dbus.py 2015-12-27 00:10:59.171207134 +0100 > @@ -0,0 +1,864 @@ > +#!/usr/bin/env python > +# ---------------------------------------------------------------------- > +# Copyright (C) 2015 Christian Boltz <appar...@cboltz.de> > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of version 2 of the GNU General Public > +# License as published by the Free Software Foundation. > +# > +# This program is distributed in the hope that it will be useful, > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +# GNU General Public License for more details. > +# > +# ---------------------------------------------------------------------- > + > +import unittest > +from collections import namedtuple > +from common_test import AATest, setup_all_loops > + > +from apparmor.rule.dbus import DbusRule, DbusRuleset > +from apparmor.rule import BaseRule > +from apparmor.common import AppArmorException, AppArmorBug > +from apparmor.logparser import ReadLog > +from apparmor.translations import init_translation > +_ = init_translation() > + > +exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment', > + 'access', 'all_access', 'bus', 'all_buses', 'path', 'all_paths', > 'name', 'all_names', 'interface', 'all_interfaces', 'member', 'all_members', > 'peername', 'all_peernames', 'peerlabel', 'all_peerlabels']) > + > +# --- tests for single DbusRule --- # > + > +class DbusTest(AATest): > + def _compare_obj(self, obj, expected): > + self.assertEqual(obj.allow_keyword, expected.allow_keyword) > + self.assertEqual(obj.audit, expected.audit) > + self.assertEqual(obj.deny, expected.deny) > + self.assertEqual(obj.comment, expected.comment) > + > + self.assertEqual(obj.access, expected.access) > + self._assertEqual_aare(obj.bus, expected.bus) > + self._assertEqual_aare(obj.path, expected.path) > + self._assertEqual_aare(obj.name, expected.name) > + self._assertEqual_aare(obj.interface, expected.interface) > + self._assertEqual_aare(obj.member, expected.member) > + self._assertEqual_aare(obj.peername, expected.peername) > + self._assertEqual_aare(obj.peerlabel, expected.peerlabel) > + > + self.assertEqual(obj.all_access, expected.all_access) > + self.assertEqual(obj.all_buses, expected.all_buses) > + self.assertEqual(obj.all_paths, expected.all_paths) > + self.assertEqual(obj.all_names, expected.all_names) > + self.assertEqual(obj.all_interfaces, expected.all_interfaces) > + self.assertEqual(obj.all_members, expected.all_members) > + self.assertEqual(obj.all_peernames, expected.all_peernames) > + self.assertEqual(obj.all_peerlabels, expected.all_peerlabels) > + > + def _assertEqual_aare(self, obj, expected): > + if obj: > + self.assertEqual(obj.regex, expected) > + else: > + self.assertEqual(obj, expected) > + > +class DbusTestParse(DbusTest): > + tests = [ > + # DbusRule object audit allow > deny comment access all? bus all? path > all? name all? interface all? member all? > peername all? peerlabel all? > + ('dbus,' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus ( ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus ( , ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus send,' , exp(False, False, > False, '', {'send'}, False, None, True, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus (send, receive),' , exp(False, False, > False, '', {'send', 'receive'}, False, None, True, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus send bus=session,' , exp(False, False, > False, '', {'send'}, False, 'session', False, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('deny dbus send bus="session", # cmt' , exp(False, False, > True , ' # cmt', {'send'}, False, 'session', False, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('audit allow dbus peer=(label=foo),' , exp(True , True , > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, None, > True, 'foo', False)), > + ('dbus bus=session path=/foo/bar,' , exp(False, False, > False, '', None , True , 'session', False, > '/foo/bar', False, None, True, None, True, None, True, > None, True, None, True)), > + ('dbus send bus=(session),' , exp(False, False, > False, '', {'send'}, False, 'session', False, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus name=(SomeService),' , exp(False, False, > False, '', None, True, None, True, None, > True, 'SomeService',False, None, True, None, True, None, > True, None, True)), > + ('dbus send bus=session peer=(label="foo"),' , exp(False, False, > False, '', {'send'}, False, 'session', False, None, > True, None, True, None, True, None, True, None, > True, 'foo', False)), > + ('dbus send bus = ( session ) , ' , exp(False, False, > False, '', {'send'}, False, 'session', False, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus path=/foo,' , exp(False, False, > False, '', None , True , None, True, '/foo', > False, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus eavesdrop bus=session,' , exp(False, False, > False, '', {'eavesdrop'}, False, 'session', False, None, > True, None, True, None, True, None, True, None, > True, None, True)), > + ('dbus peer=(name=foo label=bar),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ('dbus peer=( name = foo label = bar ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ('dbus peer=( name = foo , label = bar ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ('dbus peer=(, name = foo , label = bar ,),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ('dbus peer=( name = foo, label = bar ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo,', > False, 'bar', False)), # XXX peername includes the comma > + ('dbus peer=(label=bar name=foo),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ('dbus peer=( label = bar name = foo ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ('dbus peer=(, label = bar , name = foo ,),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ('dbus peer=(, label = bar, name = foo ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar,', False)), # XXX peerlabel includes the comma > + ('dbus peer=( label = bar , name = foo ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ('dbus peer=( label = "bar" name = "foo" ),' , exp(False, False, > False, '', None , True , None, True, None, > True, None, True, None, True, None, True, 'foo', > False, 'bar', False)), > + ] > + > + def _run_test(self, rawrule, expected): > + self.assertTrue(DbusRule.match(rawrule)) > + obj = DbusRule.parse(rawrule) > + self.assertEqual(rawrule.strip(), obj.raw_rule) > + self._compare_obj(obj, expected) > + > +class DbusTestParseInvalid(DbusTest): > + tests = [ > + ('dbus foo,' , AppArmorException), > + ('dbus foo bar,' , AppArmorException), > + ('dbus foo int,' , AppArmorException), > + ('dbus send bar,' , AppArmorException), > + ('dbus send receive,' , AppArmorException), > + ('dbus peer=,' , AppArmorException), > + ('dbus peer=(label=foo) path=,' , AppArmorException), > + ('dbus (invalid),' , AppArmorException), > + ('dbus peer=,' , AppArmorException), > + ] > + > + def _run_test(self, rawrule, expected): > + self.assertTrue(DbusRule.match(rawrule)) # the above invalid rules > still match the main regex! > + with self.assertRaises(expected): > + DbusRule.parse(rawrule) > + > +class DbusTestParseFromLog(DbusTest): > + def test_dbus_from_log(self): > + parser = ReadLog('', '', '', '', '') > + event = 'type=USER_AVC msg=audit(1375323372.644:157): pid=363 > uid=102 auid=4294967295 ses=4294967295 msg=\'apparmor="DENIED" > operation="dbus_method_call" bus="system" name="org.freedesktop.DBus" > path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" > mask="send" pid=2833 > profile="/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service" > peer_profile="unconfined" exe="/bin/dbus-daemon" sauid=102 hostname=? addr=? > terminal=?\'' > + > + parsed_event = parser.parse_event(event) > + > + self.assertEqual(parsed_event, { > + 'request_mask': None, > + 'denied_mask': 'send', > + 'error_code': 0, > + 'magic_token': 0, > + 'parent': 0, > + 'profile': > '/tmp/apparmor-2.8.0/tests/regression/apparmor/dbus_service', > + 'bus': 'system', > + 'peer_profile': 'unconfined', > + 'operation': 'dbus_method_call', > + 'resource': None, > + 'info': None, > + 'aamode': 'REJECTING', > + 'time': 1375323372, > + 'active_hat': None, > + 'pid': 2833, > + 'task': 0, > + 'attr': None, > + 'name2': None, > + 'name': 'org.freedesktop.DBus', > + 'path': '/org/freedesktop/DBus', > + 'interface': 'org.freedesktop.DBus', > + 'member': 'Hello', > + }) > + > +# XXX send rules must not contain name conditional, but the log event > includes it - how should we handle this in logparser.py? > + > +# # access bus > path name interface > member peername peerlabel > +# obj = DbusRule(parsed_event['denied_mask'], parsed_event['bus'], > parsed_event['path'], parsed_event['name'], parsed_event['interface'], > parsed_event['member'], parsed_event['peer_profile'], DbusRule.ALL, > log_event=parsed_event) > + > +# # DbusRule audit allow deny comment access > all? bus all? path all? name all? > interface all? member all? peername all? peerlabel all? > +# expected = exp( False, False, False, '', {'send'}, > False, 'system', False, '/org/freedesktop/DBus', False, > 'org.freedesktop.DBus', False, 'org.freedesktop.DBus', False, > +# > > 'Hello', False, 'unconfined', False, None, True) > + > +# self._compare_obj(obj, expected) > + > +# self.assertEqual(obj.get_raw(1), ' dbus send bus=system > path=/org/freedesktop/DBus name=org.freedesktop.DBus member=Hello > peer=(name=unconfined),') > + > +class DbusFromInit(DbusTest): > + tests = [ > + #DbusRule# access bus path name > interface member peername peerlabel > audit=, deny=, allow_keyword, comment=, log_event) > + (DbusRule( 'send' , 'session', DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL), > + #exp# audit allow deny comment access > all? bus all? path all? name all? > interface all? member all? peername all? peerlabel all? > + exp( False, False, False, '', {'send'}, > False, 'session', False, None, True, None, True, > None, True, None, True, None, True, None, True)), > + > + #DbusRule# access bus path name > interface member peername peerlabel > audit=, deny=, allow_keyword, comment=, log_event) > + (DbusRule(('send', 'receive'), 'session', DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL), > + #exp# audit allow deny comment access > all? bus all? path all? name all? > interface all? member all? peername all? peerlabel all? > + exp( False, False, False, '', {'send', > 'receive'}, False, 'session', False, None, True, None, > True, None, True, None, True, None, True, None, > True)), > + > + #DbusRule# access bus path name > interface member peername peerlabel > audit=, deny=, allow_keyword, comment=, log_event) > + (DbusRule(DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), > + #exp# audit allow deny comment access > all? bus all? path all? name all? > interface all? member all? peername all? peerlabel > all? > + exp( False, False, False, '', None , > True , None, True, None, True, None, True, > '/int/face',False, '/mem/ber', False, '/peer/name', False, '/peer/label', > False)), > + ] > + > + def _run_test(self, obj, expected): > + self._compare_obj(obj, expected) > + > +class InvalidDbusInit(AATest): > + tests = [ > + # access bus path name > interface member peername peerlabel expected > exception > + > + # empty fields > + ( ('', 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( ((), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, '', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', '', > '/int/face', '/mem/ber', '/peer/name', '/peer/label'), > AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', '', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', '/int/face', '', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', '' > ), AppArmorBug), > + > + # whitespace fields > + ( (' ', 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, ' ', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', ' ', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', ' ', > '/int/face', '/mem/ber', '/peer/name', '/peer/label'), > AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', ' ', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', '/int/face', ' ', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', ' ', > '/peer/label'), AppArmorBug), > + ( (DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', ' ' > ), AppArmorBug), > + > + # wrong type - dict() > + ( (dict(), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), dict(), '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', dict(), > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', '/org/test', dict(), > '/int/face', '/mem/ber', '/peer/name', '/peer/label'), > AppArmorBug), > + ( (('send'), 'session', '/org/test', > 'com.aa.test', dict(), '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', '/org/test', > 'com.aa.test', '/int/face', dict(), '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', dict(), > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', dict() > ), AppArmorBug), > + > + > + # wrong type - None > + ( (None, 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( ((None), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), None, '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', None, > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', '/org/test', None, > '/int/face', '/mem/ber', '/peer/name', '/peer/label'), > AppArmorBug), > + ( (('send'), 'session', '/org/test', > 'com.aa.test', None, '/mem/ber', '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', '/org/test', > 'com.aa.test', '/int/face', None, '/peer/name', > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', None, > '/peer/label'), AppArmorBug), > + ( (('send'), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', None > ), AppArmorBug), > + > + # bind conflicts with path, interface, member, peer name and peer > label > + ( (('bind'), DbusRule.ALL, '/org/test', > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + ( (('bind'), DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, '/int/face', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + ( (('bind'), DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, '/mem/ber', DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + ( (('bind'), DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, '/peer/name', DbusRule.ALL > ), AppArmorException), > + ( (('bind'), DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, > '/peer/label'), AppArmorException), > + > + # eavesdrop conflcts with path, name, interface, member, peer name > and peer label > + ( (('eavesdrop'),DbusRule.ALL, '/org/test', > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + ( (('eavesdrop'),DbusRule.ALL, DbusRule.ALL, > 'com.aa.test', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + ( (('eavesdrop'),DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, '/int/face', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + ( (('eavesdrop'),DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, '/mem/ber', DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + ( (('eavesdrop'),DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, '/peer/name', DbusRule.ALL > ), AppArmorException), > + ( (('eavesdrop'),DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, > '/peer/label'), AppArmorException), > + > + # send and receive conflict with name > + ( (('send'), DbusRule.ALL, DbusRule.ALL, > 'com.aa.test', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + ( (('receive'), DbusRule.ALL, DbusRule.ALL, > 'com.aa.test', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), > + > + # misc > + ( (DbusRule.ALL, DbusRule.ALL, 'foo/bar', > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), # path doesn't start with / > + ( (('foo'), DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), # invalid access keyword > + ( (('foo', 'send'), DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, DbusRule.ALL > ), AppArmorException), # valid + invalid access keyword > + ] > + > + def _run_test(self, params, expected): > + with self.assertRaises(expected): > + DbusRule(params[0], params[1], params[2], params[3], params[4], > params[5], params[6], params[7]) > + > + def test_missing_params_1(self): > + with self.assertRaises(TypeError): > + DbusRule('send') > + > + def test_missing_params_2(self): > + with self.assertRaises(TypeError): > + DbusRule(('send'), 'session') > + > + def test_missing_params_3(self): > + with self.assertRaises(TypeError): > + DbusRule(('send'), 'session', '/org/test') > + > + def test_missing_params_4(self): > + with self.assertRaises(TypeError): > + DbusRule(('send'), 'session', '/org/test', > 'com.aa.test') > + > + def test_missing_params_5(self): > + with self.assertRaises(TypeError): > + DbusRule(('send'), 'session', '/org/test', > 'com.aa.test', '/int/face') > + > + def test_missing_params_6(self): > + with self.assertRaises(TypeError): > + DbusRule(('send'), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber') > + > + def test_missing_params_7(self): > + with self.assertRaises(TypeError): > + DbusRule(('send'), 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name') > + > +class InvalidDbusTest(AATest): > + def _check_invalid_rawrule(self, rawrule): > + obj = None > + self.assertFalse(DbusRule.match(rawrule)) > + with self.assertRaises(AppArmorException): > + obj = DbusRule(DbusRule.parse(rawrule)) > + > + self.assertIsNone(obj, 'DbusRule handed back an object unexpectedly') > + > + def test_invalid_dbus_missing_comma(self): > + self._check_invalid_rawrule('dbus') # missing comma > + > + def test_invalid_non_DbusRule(self): > + self._check_invalid_rawrule('signal,') # not a dbus rule > + > + def test_empty_data_1(self): > + # access bus path name > interface member peername peerlabel > expected exception > + obj = DbusRule(('send'), 'session', '/org/test', > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label') > + obj.access = '' > + # no access set, and ALL not set > + with self.assertRaises(AppArmorBug): > + obj.get_clean(1) > + > + def test_empty_data_2(self): > + obj = DbusRule(('send'), 'session', '/org/test', > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label') > + obj.bus = '' > + # no bus set, and ALL not set > + with self.assertRaises(AppArmorBug): > + obj.get_clean(1) > + > + def test_empty_data_3(self): > + obj = DbusRule(('send'), 'session', '/org/test', > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label') > + obj.path = '' > + # no path set, and ALL not set > + with self.assertRaises(AppArmorBug): > + obj.get_clean(1) > + > + def test_empty_data_4(self): > + obj = DbusRule(DbusRule.ALL, 'session', '/org/test', > 'com.aa.test', '/int/face', '/mem/ber', '/peer/name', '/peer/label') > + obj.name = '' > + # no name set, and ALL not set > + with self.assertRaises(AppArmorBug): > + obj.get_clean(1) > + > + def test_empty_data_5(self): > + obj = DbusRule(('send'), 'session', '/org/test', > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label') > + obj.interface = '' > + # no interface set, and ALL not set > + with self.assertRaises(AppArmorBug): > + obj.get_clean(1) > + > + def test_empty_data_6(self): > + obj = DbusRule(('send'), 'session', '/org/test', > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label') > + obj.member = '' > + # no member set, and ALL not set > + with self.assertRaises(AppArmorBug): > + obj.get_clean(1) > + > + def test_empty_data_7(self): > + obj = DbusRule(('send'), 'session', '/org/test', > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label') > + obj.peername = '' > + # no peername set, and ALL not set > + with self.assertRaises(AppArmorBug): > + obj.get_clean(1) > + > + def test_empty_data_8(self): > + obj = DbusRule(('send'), 'session', '/org/test', > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', '/peer/label') > + obj.peerlabel = '' > + # no peerlabel set, and ALL not set > + with self.assertRaises(AppArmorBug): > + obj.get_clean(1) > + > + > +class WriteDbusTest(AATest): > + def _run_test(self, rawrule, expected): > + self.assertTrue(DbusRule.match(rawrule), 'DbusRule.match() failed') > + obj = DbusRule.parse(rawrule) > + clean = obj.get_clean() > + raw = obj.get_raw() > + > + self.assertEqual(expected.strip(), clean, 'unexpected clean rule') > + self.assertEqual(rawrule.strip(), raw, 'unexpected raw rule') > + > + tests = [ > + # raw rule > clean rule > + (' dbus , # foo ' > , 'dbus, # foo'), > + (' audit dbus send,' > , 'audit dbus send,'), > + (' audit dbus (send ),' > , 'audit dbus send,'), > + (' audit dbus (send , receive ),' > , 'audit dbus (receive send),'), > + (' deny dbus send bus=session,# foo bar' > , 'deny dbus send bus=session, # foo bar'), > + (' deny dbus send bus=(session), ' > , 'deny dbus send bus=session,'), > + (' deny dbus send peer=(name=unconfined label=foo),' > , 'deny dbus send peer=(name=unconfined label=foo),'), > + (' deny dbus send interface = ( foo ),' > , 'deny dbus send interface=foo,'), > + (' deny dbus send ,# foo bar' > , 'deny dbus send, # foo bar'), > + (' allow dbus peer=(label=foo) ,# foo bar' > , 'allow dbus peer=(label=foo), # foo bar'), > + ('dbus,' > , 'dbus,'), > + ('dbus (receive),' > , 'dbus receive,'), > + ('dbus (send),' > , 'dbus send,'), > + ('dbus (send receive),' > , 'dbus (receive send),'), > + ('dbus receive,' > , 'dbus receive,'), > + ('dbus eavesdrop,' > , 'dbus eavesdrop,'), > + ('dbus bind bus = foo name = bar,' > , 'dbus bind bus=foo name=bar,'), > + ('dbus send peer=( label = /foo ) ,' > , 'dbus send peer=(label=/foo),'), > + ('dbus (receive) member=baz,' > , 'dbus receive member=baz,'), > + ('dbus send path = /foo,' > , 'dbus send path=/foo,'), > + ('dbus receive peer=(label=foo),' > , 'dbus receive peer=(label=foo),'), > + ('dbus (send receive) peer=(name=/usr/bin/bar),' > , 'dbus (receive send) peer=(name=/usr/bin/bar),'), > + ('dbus (, receive ,,, send ,) interface=/sbin/baz,' > , 'dbus (receive send) interface=/sbin/baz,'), # XXX leading and trailing > ',' inside (...) causes error > + # XXX add more complex rules > + ] > + > + def test_write_manually_1(self): > + # access bus path name > interface member peername peerlabel > expected exception > + obj = DbusRule(('send'), 'session', '/org/test', > DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', > '/peer/label', allow_keyword=True) > + > + expected = ' allow dbus send bus=session path=/org/test > interface=/int/face member=/mem/ber peer=(name=/peer/name label=/peer/label),' > + > + self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule') > + self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule') > + > + def test_write_manually_2(self): > + # access bus path > name interface member peername peerlabel > expected exception > + obj = DbusRule(('send', 'receive'), DbusRule.ALL, '/org/test', > DbusRule.ALL, DbusRule.ALL, '/mem/ber', '/peer/name', DbusRule.ALL, > allow_keyword=True) > + > + expected = ' allow dbus (receive send) path=/org/test > member=/mem/ber peer=(name=/peer/name),' > + > + self.assertEqual(expected, obj.get_clean(2), 'unexpected clean rule') > + self.assertEqual(expected, obj.get_raw(2), 'unexpected raw rule') > + > + > +class DbusCoveredTest(AATest): > + def _run_test(self, param, expected): > + obj = DbusRule.parse(self.rule) > + check_obj = DbusRule.parse(param) > + > + self.assertTrue(DbusRule.match(param)) > + > + self.assertEqual(obj.is_equal(check_obj), expected[0], 'Mismatch in > is_equal, expected %s' % expected[0]) > + self.assertEqual(obj.is_equal(check_obj, True), expected[1], > 'Mismatch in is_equal/strict, expected %s' % expected[1]) > + > + self.assertEqual(obj.is_covered(check_obj), expected[2], 'Mismatch > in is_covered, expected %s' % expected[2]) > + self.assertEqual(obj.is_covered(check_obj, True, True), expected[3], > 'Mismatch in is_covered/exact, expected %s' % expected[3]) > + > +class DbusCoveredTest_01(DbusCoveredTest): > + rule = 'dbus send,' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ('dbus,' , [ False , False > , False , False ]), > + ('dbus send,' , [ True , True > , True , True ]), > + ('dbus send member=unconfined,' , [ False , False > , True , True ]), > + ('dbus send, # comment' , [ True , False > , True , True ]), > + ('allow dbus send,' , [ True , False > , True , True ]), > + ('dbus send,' , [ True , False > , True , True ]), > + ('dbus send bus=session,' , [ False , False > , True , True ]), > + ('dbus send member=(label=foo),' , [ False , False > , True , True ]), > + ('audit dbus send,' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('dbus receive,' , [ False , False > , False , False ]), > + ('dbus member=(label=foo),' , [ False , False > , False , False ]), > + ('audit deny dbus send,' , [ False , False > , False , False ]), > + ('deny dbus send,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_02(DbusCoveredTest): > + rule = 'audit dbus send,' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ( 'dbus send,' , [ False , False > , True , False ]), > + ('audit dbus send,' , [ True , True > , True , True ]), > + ( 'dbus send bus=session,' , [ False , False > , True , False ]), > + ('audit dbus send bus=session,' , [ False , False > , True , True ]), > + ( 'dbus,' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('dbus receive,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_03(DbusCoveredTest): > + rule = 'dbus send bus=session,' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ( 'dbus send bus=session,' , [ True , True > , True , True ]), > + ('allow dbus send bus=session,' , [ True , False > , True , True ]), > + ( 'dbus send,' , [ False , False > , False , False ]), > + ( 'dbus,' , [ False , False > , False , False ]), > + ( 'dbus send member=(label=foo),' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('audit dbus send bus=session,' , [ False , False > , False , False ]), > + ('audit dbus bus=session,' , [ False , False > , False , False ]), > + ( 'dbus send,' , [ False , False > , False , False ]), > + ( 'dbus,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_04(DbusCoveredTest): > + rule = 'dbus,' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ( 'dbus,' , [ True , True > , True , True ]), > + ('allow dbus,' , [ True , False > , True , True ]), > + ( 'dbus send,' , [ False , False > , True , True ]), > + ( 'dbus receive bus=session,' , [ False , False > , True , True ]), > + ( 'dbus member=(label=foo),' , [ False , False > , True , True ]), > + ( 'dbus send bus=session,' , [ False , False > , True , True ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('deny dbus,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_05(DbusCoveredTest): > + rule = 'deny dbus send,' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ( 'deny dbus send,' , [ True , True > , True , True ]), > + ('audit deny dbus send,' , [ False , False > , False , False ]), > + ( 'dbus send,' , [ False , False > , False , False ]), # XXX should covered be true here? > + ( 'deny dbus receive,' , [ False , False > , False , False ]), > + ( 'deny dbus,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_06(DbusCoveredTest): > + rule = 'dbus send peer=(name=unconfined),' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ('dbus,' , [ False , False > , False , False ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send peer=(name=unconfined),' , [ True , True > , True , True ]), > + ('dbus peer=(name=unconfined),' , [ False , False > , False , False ]), > + ('dbus send, # comment' , [ False , False > , False , False ]), > + ('allow dbus send,' , [ False , False > , False , False ]), > + ('allow dbus send peer=(name=unconfined),' , [ True , False > , True , True ]), > + ('allow dbus send peer=(name=/foo/bar),' , [ False , False > , False , False ]), > + ('allow dbus send peer=(name=/**),' , [ False , False > , False , False ]), > + ('allow dbus send peer=(name=**),' , [ False , False > , False , False ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send peer=(name=unconfined),' , [ True , False > , True , True ]), > + ('dbus send bus=session,' , [ False , False > , False , False ]), > + ('dbus send peer=(name=unconfined label=foo),' , [ False , False > , True , True ]), > + ('audit dbus send peer=(name=unconfined),' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('dbus receive,' , [ False , False > , False , False ]), > + ('dbus peer=(label=foo),' , [ False , False > , False , False ]), > + ('audit deny dbus send,' , [ False , False > , False , False ]), > + ('deny dbus send,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_07(DbusCoveredTest): > + rule = 'dbus send peer=(label=unconfined),' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ('dbus,' , [ False , False > , False , False ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send peer=(label=unconfined),' , [ True , True > , True , True ]), > + ('dbus peer=(label=unconfined),' , [ False , False > , False , False ]), > + ('dbus send, # comment' , [ False , False > , False , False ]), > + ('allow dbus send,' , [ False , False > , False , False ]), > + ('allow dbus send peer=(label=unconfined),' , [ True , False > , True , True ]), > + ('allow dbus send peer=(label=/foo/bar),' , [ False , False > , False , False ]), > + ('allow dbus send peer=(label=/**),' , [ False , False > , False , False ]), > + ('allow dbus send peer=(label=**),' , [ False , False > , False , False ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send peer=(label=unconfined),' , [ True , False > , True , True ]), > + ('dbus send bus=session,' , [ False , False > , False , False ]), > + ('dbus send peer=(label=unconfined name=foo),' , [ False , False > , True , True ]), > + ('audit dbus send peer=(label=unconfined),' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('dbus receive,' , [ False , False > , False , False ]), > + ('dbus peer=(label=foo),' , [ False , False > , False , False ]), > + ('audit deny dbus send,' , [ False , False > , False , False ]), > + ('deny dbus send,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_08(DbusCoveredTest): > + rule = 'dbus send path=/foo/bar,' > + > + tests = [ > + # rule equal > strict equal covered covered exact > + ('dbus,' , [ False , False > , False , False ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send path=/foo/bar,' , [ True , True > , True , True ]), > + ('dbus send path=/foo/*,' , [ False , False > , False , False ]), > + ('dbus send path=/**,' , [ False , False > , False , False ]), > + ('dbus send path=/what/*,' , [ False , False > , False , False ]), > + ('dbus path=/foo/bar,' , [ False , False > , False , False ]), > + ('dbus send, # comment' , [ False , False > , False , False ]), > + ('allow dbus send,' , [ False , False > , False , False ]), > + ('allow dbus send path=/foo/bar,' , [ True , False > , True , True ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send path=/foo/bar,' , [ True , False > , True , True ]), > + ('dbus send path=/what/ever,' , [ False , False > , False , False ]), > + ('dbus send bus=session,' , [ False , False > , False , False ]), > + ('dbus send path=/foo/bar peer=(label=foo),' , [ False , False > , True , True ]), > + ('audit dbus send path=/foo/bar,' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('dbus receive,' , [ False , False > , False , False ]), > + ('dbus peer=(label=foo),' , [ False , False > , False , False ]), > + ('audit deny dbus send,' , [ False , False > , False , False ]), > + ('deny dbus send,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_09(DbusCoveredTest): > + rule = 'dbus send member=**,' > + > + tests = [ > + # rule equal > strict equal covered covered exact > + ('dbus,' , [ False , False > , False , False ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send member=/foo/bar,' , [ False , False > , True , True ]), > + ('dbus send member=/foo/*,' , [ False , False > , True , True ]), > + ('dbus send member=/**,' , [ False , False > , True , True ]), > + ('dbus send member=/what/*,' , [ False , False > , True , True ]), > + ('dbus member=/foo/bar,' , [ False , False > , False , False ]), > + ('dbus send, # comment' , [ False , False > , False , False ]), > + ('allow dbus send,' , [ False , False > , False , False ]), > + ('allow dbus send member=/foo/bar,' , [ False , False > , True , True ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send member=/foo/bar,' , [ False , False > , True , True ]), > + ('dbus send member=/what/ever,' , [ False , False > , True , True ]), > + ('dbus send bus=session,' , [ False , False > , False , False ]), > + ('dbus send member=/foo/bar peer=(label=foo),' , [ False , False > , True , True ]), > + ('audit dbus send member=/foo/bar,' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('dbus receive,' , [ False , False > , False , False ]), > + ('dbus member=(label=foo),' , [ False , False > , False , False ]), > + ('audit deny dbus send,' , [ False , False > , False , False ]), > + ('deny dbus send,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_10(DbusCoveredTest): > + rule = 'dbus (send, receive) interface=foo,' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ('dbus,' , [ False , False > , False , False ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send interface=foo,' , [ False , False > , True , True ]), > + ('dbus receive bus=session interface=foo,' , [ False , False > , True , True ]), > + ('dbus (receive,send) interface=foo,' , [ True , False > , True , True ]), > + ('dbus (receive,send),' , [ False , False > , False , False ]), > + ('dbus send bus=session,' , [ False , False > , False , False ]), > + ('dbus send member=/foo/bar,' , [ False , False > , False , False ]), > + ('dbus send member=/foo/*,' , [ False , False > , False , False ]), > + ('dbus send member=/**,' , [ False , False > , False , False ]), > + ('dbus send member=/what/*,' , [ False , False > , False , False ]), > + ('dbus member=/foo/bar,' , [ False , False > , False , False ]), > + ('dbus send, # comment' , [ False , False > , False , False ]), > + ('allow dbus send,' , [ False , False > , False , False ]), > + ('allow dbus send member=/foo/bar,' , [ False , False > , False , False ]), > + ('dbus send,' , [ False , False > , False , False ]), > + ('dbus send member=/foo/bar,' , [ False , False > , False , False ]), > + ('dbus send member=/what/ever,' , [ False , False > , False , False ]), > + ('dbus send bus=session,' , [ False , False > , False , False ]), > + ('dbus send bus=session interface=foo,' , [ False , False > , True , True ]), > + ('dbus send member=/foo/bar peer=(label=foo),' , [ False , False > , False , False ]), > + ('audit dbus send member=/foo/bar,' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('dbus receive,' , [ False , False > , False , False ]), > + ('dbus peer=(label=foo),' , [ False , False > , False , False ]), > + ('audit deny dbus send,' , [ False , False > , False , False ]), > + ('deny dbus send,' , [ False , False > , False , False ]), > + ] > + > +class DbusCoveredTest_11(DbusCoveredTest): > + rule = 'dbus name=/foo/bar,' > + > + tests = [ > + # rule equal strict > equal covered covered exact > + ('dbus,' , [ False , False > , False , False ]), > + ('dbus name=/foo/bar,' , [ True , True > , True , True ]), > + ('dbus name=/foo/*,' , [ False , False > , False , False ]), > + ('dbus name=/**,' , [ False , False > , False , False ]), > + ('dbus name=/what/*,' , [ False , False > , False , False ]), > + ('dbus, # comment' , [ False , False > , False , False ]), > + ('allow dbus,' , [ False , False > , False , False ]), > + ('allow dbus name=/foo/bar,' , [ True , False > , True , True ]), > + ('dbus ,' , [ False , False > , False , False ]), > + ('dbus name=/foo/bar,' , [ True , False > , True , True ]), > + ('dbus name=/what/ever,' , [ False , False > , False , False ]), > + ('dbus bus=session,' , [ False , False > , False , False ]), > + ('dbus name=/foo/bar peer=(label=foo),' , [ False , False > , True , True ]), > + ('audit dbus name=/foo/bar,' , [ False , False > , False , False ]), > + ('audit dbus,' , [ False , False > , False , False ]), > + ('dbus receive,' , [ False , False > , False , False ]), > + ('dbus peer=(label=foo),' , [ False , False > , False , False ]), > + ('audit deny dbus,' , [ False , False > , False , False ]), > + ('deny dbus,' , [ False , False > , False , False ]), > + ] > + > + > + > +class DbusCoveredTest_Invalid(AATest): > + def AASetup(self): > + # access bus path > name interface member peername > peerlabel expected exception > + self.obj = DbusRule(('send', 'receive'), 'session', > '/org/test', DbusRule.ALL, '/int/face', DbusRule.ALL, '/peer/name', > '/peer/label', allow_keyword=True) > + self.testobj = DbusRule(('send'), 'session', > '/org/test', DbusRule.ALL, '/int/face', '/mem/ber', '/peer/name', > '/peer/label', allow_keyword=True) > + > + > + def test_borked_obj_is_covered_1(self): > + self.testobj.access = '' > + > + with self.assertRaises(AppArmorBug): > + self.obj.is_covered(self.testobj) > + > + def test_borked_obj_is_covered_2(self): > + self.testobj.bus = '' > + > + with self.assertRaises(AppArmorBug): > + self.obj.is_covered(self.testobj) > + > + def test_borked_obj_is_covered_3(self): > + self.testobj.path = '' > + > + with self.assertRaises(AppArmorBug): > + self.obj.is_covered(self.testobj) > + > + def test_borked_obj_is_covered_4(self): > + # we need a different 'victim' because dbus send doesn't allow the > name conditional we want to test here > + self.obj = DbusRule(('bind'), 'session', > DbusRule.ALL, '/name', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, allow_keyword=True) > + self.testobj = DbusRule(('bind'), 'session', > DbusRule.ALL, '/name', DbusRule.ALL, DbusRule.ALL, DbusRule.ALL, > DbusRule.ALL, allow_keyword=True) > + self.testobj.name = '' > + > + with self.assertRaises(AppArmorBug): > + self.obj.is_covered(self.testobj) > + > + def test_borked_obj_is_covered_5(self): > + self.testobj.interface = '' > + > + with self.assertRaises(AppArmorBug): > + self.obj.is_covered(self.testobj) > + > + def test_borked_obj_is_covered_6(self): > + self.testobj.member = '' > + > + with self.assertRaises(AppArmorBug): > + self.obj.is_covered(self.testobj) > + > + def test_borked_obj_is_covered_7(self): > + self.testobj.peername = '' > + > + with self.assertRaises(AppArmorBug): > + self.obj.is_covered(self.testobj) > + > + def test_borked_obj_is_covered_8(self): > + self.testobj.peerlabel = '' > + > + with self.assertRaises(AppArmorBug): > + self.obj.is_covered(self.testobj) > + > + > + def test_invalid_is_covered(self): > + obj = DbusRule.parse('dbus send,') > + > + testobj = BaseRule() # different type > + > + with self.assertRaises(AppArmorBug): > + obj.is_covered(testobj) > + > + def test_invalid_is_equal(self): > + obj = DbusRule.parse('dbus send,') > + > + testobj = BaseRule() # different type > + > + with self.assertRaises(AppArmorBug): > + obj.is_equal(testobj) > + > +class DbusLogprofHeaderTest(AATest): > + tests = [ > + ('dbus,', [ > _('Access mode'), _('ALL'), _('Bus'), _('ALL'), _('Path'), _('ALL'), > _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), > + ('dbus (send receive),', [ > _('Access mode'), 'receive send', _('Bus'), _('ALL'), _('Path'), _('ALL'), > _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), > + ('dbus send bus=session,', [ > _('Access mode'), 'send', _('Bus'), 'session', _('Path'), _('ALL'), > _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), > + ('deny dbus,', [_('Qualifier'), 'deny', > _('Access mode'), _('ALL'), _('Bus'), _('ALL'), _('Path'), _('ALL'), > _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), > + ('allow dbus send,', [_('Qualifier'), 'allow', > _('Access mode'), 'send', _('Bus'), _('ALL'), _('Path'), _('ALL'), > _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), > + ('audit dbus send bus=session,', [_('Qualifier'), 'audit', > _('Access mode'), 'send', _('Bus'), 'session', _('Path'), _('ALL'), > _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), > + ('audit deny dbus send,', [_('Qualifier'), 'audit deny', > _('Access mode'), 'send', _('Bus'), _('ALL'), _('Path'), _('ALL'), > _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), > + ('dbus bind name=bind.name,', [ > _('Access mode'), 'bind', _('Bus'), _('ALL'), _('Path'), _('ALL'), > _('Name'), 'bind.name', _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), _('ALL')]), > + ('dbus send bus=session path=/path interface=aa.test member=ExMbr > peer=(name=(peer.name)),', > + [ > _('Access mode'), 'send', _('Bus'), 'session', _('Path'), '/path', > _('Name'), _('ALL'), _('Interface'), 'aa.test', _('Member'), 'ExMbr', > _('Peer name'), 'peer.name',_('Peer label'), _('ALL')]), > + ('dbus send peer=(label=foo),', [ > _('Access mode'), 'send', _('Bus'), _('ALL'), _('Path'), _('ALL'), > _('Name'), _('ALL'), _('Interface'), _('ALL'), _('Member'), _('ALL'), > _('Peer name'), _('ALL'), _('Peer label'), 'foo' ]), > + ] > + > + def _run_test(self, params, expected): > + obj = DbusRule._parse(params) > + self.assertEqual(obj.logprof_header(), expected) > + > +## --- tests for DbusRuleset --- # > + > +class DbusRulesTest(AATest): > + def test_empty_ruleset(self): > + ruleset = DbusRuleset() > + ruleset_2 = DbusRuleset() > + self.assertEqual([], ruleset.get_raw(2)) > + self.assertEqual([], ruleset.get_clean(2)) > + self.assertEqual([], ruleset_2.get_raw(2)) > + self.assertEqual([], ruleset_2.get_clean(2)) > + > + def test_ruleset_1(self): > + ruleset = DbusRuleset() > + rules = [ > + 'dbus peer=(label=foo),', > + 'dbus send,', > + ] > + > + expected_raw = [ > + 'dbus peer=(label=foo),', > + 'dbus send,', > + '', > + ] > + > + expected_clean = [ > + 'dbus peer=(label=foo),', > + 'dbus send,', > + '', > + ] > + > + for rule in rules: > + ruleset.add(DbusRule.parse(rule)) > + > + self.assertEqual(expected_raw, ruleset.get_raw()) > + self.assertEqual(expected_clean, ruleset.get_clean()) > + > + def test_ruleset_2(self): > + ruleset = DbusRuleset() > + rules = [ > + 'dbus send peer=(label=foo),', > + 'allow dbus send,', > + 'deny dbus bus=session, # example comment', > + ] > + > + expected_raw = [ > + ' dbus send peer=(label=foo),', > + ' allow dbus send,', > + ' deny dbus bus=session, # example comment', > + '', > + ] > + > + expected_clean = [ > + ' deny dbus bus=session, # example comment', > + '', > + ' allow dbus send,', > + ' dbus send peer=(label=foo),', > + '', > + ] > + > + for rule in rules: > + ruleset.add(DbusRule.parse(rule)) > + > + self.assertEqual(expected_raw, ruleset.get_raw(1)) > + self.assertEqual(expected_clean, ruleset.get_clean(1)) > + > + > +class DbusGlobTest(AATest): > + def setUp(self): > + self.maxDiff = None > + self.ruleset = DbusRuleset() > + > + def test_glob_1(self): > + self.assertEqual(self.ruleset.get_glob('dbus send,'), 'dbus,') > + > + # not supported or used yet > + # def test_glob_2(self): > + # self.assertEqual(self.ruleset.get_glob('dbus send raw,'), 'dbus > send,') > + > + def test_glob_ext(self): > + with self.assertRaises(NotImplementedError): > + # get_glob_ext is not available for dbus rules > + self.ruleset.get_glob_ext('dbus send peer=(label=foo),') > + > +#class DbusDeleteTest(AATest): > +# pass > + > +setup_all_loops(__name__) > +if __name__ == '__main__': > + unittest.main(verbosity=2) > --- utils/test/test-dbus_parse.py 2015-12-27 00:13:43.570046876 +0100 > +++ utils/test/test-dbus_parse.py 2015-12-25 17:09:48.881061665 +0100 > @@ -1,28 +0,0 @@ > -#! /usr/bin/env python > -# ------------------------------------------------------------------ > -# > -# Copyright (C) 2014 Canonical Ltd. > -# > -# This program is free software; you can redistribute it and/or > -# modify it under the terms of version 2 of the GNU General Public > -# License published by the Free Software Foundation. > -# > -# ------------------------------------------------------------------ > - > -import apparmor.aa as aa > -import unittest > -from common_test import AAParseTest, setup_regex_tests > - > -class AAParseDBUSTest(AAParseTest): > - > - def setUp(self): > - self.parse_function = aa.parse_dbus_rule > - > - tests = [ > - ('dbus,', 'dbus base keyword'), > - ('dbus send,', 'dbus simple send rule'), > - ] > - > -if __name__ == '__main__': > - setup_regex_tests(AAParseDBUSTest) > - unittest.main(verbosity=2) > --- utils/test/common_test.py 2015-12-27 00:13:43.570046876 +0100 > +++ utils/test/common_test.py 2015-12-24 18:13:40.628157819 +0100 > @@ -87,7 +87,7 @@ > def stub_test(self, test_data=test_data, expected=expected): > self._run_test(test_data, expected) > > - stub_test.__doc__ = "test '%s'" % (test_data) > + stub_test.__doc__ = "test '%s'" % str(test_data) > setattr(test_class, 'test_%d' % (i), stub_test) > > > Regards,
signature.asc
Description: PGP signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor