#!/usr/bin/python3
# ----------------------------------------------------------------------
#    Copyright (C) 2022 Canonical, Ltd.
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License as published by the Free Software Foundation.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
# ----------------------------------------------------------------------

import unittest
from collections import namedtuple

from apparmor.logparser import ReadLog

from common_test import AATest, setup_all_loops

from apparmor.rule.userns import UserNamespaceRule, UserNamespaceRuleset
from apparmor.common import AppArmorException, AppArmorBug, hasher
from apparmor.translations import init_translation
# gettext shorthand; the logprof-header expectations below compare against
# translated labels such as _('Access mode'), so the same translator is used here.
_ = init_translation()


class UserNamespaceTestParse(AATest):
    """Parse well-formed ``userns`` rules and compare them with hand-built objects.

    Every ``tests`` entry is ``(raw rule text, expected UserNamespaceRule)``;
    ``setup_all_loops`` turns each entry into its own test case that lands in
    ``_run_test``.  ``UserNamespaceRule.ALL`` models a bare ``userns,`` line;
    ``'create'`` is the only named access keyword exercised here.
    """
    tests = (
        #                                          access                 audit  deny   allow  comment
        ('userns,',              UserNamespaceRule(UserNamespaceRule.ALL, False, False, False, '')),
        ('userns create,',       UserNamespaceRule('create',              False, False, False, '')),
        ('audit userns create,', UserNamespaceRule('create',              True,  False, False, '')),
        ('deny userns,',         UserNamespaceRule(UserNamespaceRule.ALL, False, True,  False, '')),
        ('audit allow userns,',  UserNamespaceRule(UserNamespaceRule.ALL, True,  False, True,  '')),
        ('userns create, # cmt', UserNamespaceRule('create',              False, False, False, ' # cmt')),
    )

    def _run_test(self, rawrule, expected):
        """Assert that *rawrule* matches, parses, and is equal to *expected*.

        ``is_equal`` is called with its second argument set to ``True`` --
        presumably the strict mode that also compares the raw rule text --
        so ``expected.raw_rule`` is filled in from the stripped input first.
        """
        self.assertTrue(UserNamespaceRule.match(rawrule))
        parsed = UserNamespaceRule.create_instance(rawrule)
        expected.raw_rule = rawrule.strip()
        self.assertTrue(parsed.is_equal(expected, True))


class UserNamespaceTestParseInvalid(AATest):
    """Rules that pass the coarse regex but fail detailed parsing, plus ``is_equal`` misuse."""
    tests = (
        ('userns invalidaccess,', AppArmorException),
    )

    def _run_test(self, rawrule, expected):
        """*rawrule* is still matched by ``match()`` but rejected by ``create_instance()``."""
        # match() only checks the overall 'userns ...,' shape; the unknown
        # access keyword is caught later, during create_instance().
        self.assertTrue(UserNamespaceRule.match(rawrule))
        self.assertRaises(expected, UserNamespaceRule.create_instance, rawrule)

    def test_parse_fail(self):
        """A line that is not a userns rule at all raises AppArmorException."""
        self.assertRaises(AppArmorException, UserNamespaceRule.create_instance, 'foo,')

    def test_diff_non_usernsrule(self):
        """Comparing against something that is not a UserNamespaceRule is a bug."""
        # A stand-in carrying only the attributes a BaseRule comparison reads
        # first; it is deliberately not a rule object.
        Stub = namedtuple('exp', ('audit', 'deny', 'priority'))
        rule = UserNamespaceRule('create')
        self.assertRaises(AppArmorBug, rule.is_equal, Stub(False, False, None), False)

    def test_diff_access(self):
        """Rules with different access sets compare unequal."""
        all_rule = UserNamespaceRule(UserNamespaceRule.ALL)
        create_rule = UserNamespaceRule('create')
        self.assertFalse(all_rule.is_equal(create_rule, False))


class InvalidUserNamespaceInit(AATest):
    """Constructor arguments that ``UserNamespaceRule`` must reject.

    ``_run_test`` splats ``params`` into the constructor.  Because the string
    entries are not wrapped in a tuple, a string is unpacked character by
    character: ``''`` becomes *no* arguments, ``'    '`` and ``'xyxy'`` become
    four one-character positional arguments, and ``None`` fails at the ``*``
    itself.  The expected exception types are what the suite asserts, but
    the per-line comments describe the intent rather than the exact path the
    constructor takes -- to pass one value as the single ``access`` argument,
    wrap it in a one-element tuple.
    """
    tests = (
        # init params  expected exception
        ('',           TypeError),          # empty access
        ('    ',       AppArmorBug),        # whitespace access
        ('xyxy',       AppArmorException),  # invalid access
        (dict(),       TypeError),          # wrong type for access
        (None,         TypeError),          # wrong type for access
    )

    def _run_test(self, params, expected):
        """Constructing with *params* raises *expected*."""
        # Keep the call inside the context manager: for params=None the
        # TypeError is raised by the '*' unpacking itself.
        with self.assertRaises(expected):
            UserNamespaceRule(*params)

    def test_missing_params(self):
        """``access`` is mandatory."""
        self.assertRaises(TypeError, UserNamespaceRule)


class WriteUserNamespaceTestAATest(AATest):
    """Serialising rules back to text: ``get_clean()`` normalises, ``get_raw()`` preserves.

    Each ``tests`` entry is ``(raw rule as written, expected clean form)``.
    The clean form collapses whitespace, normalises the ``priority=`` prefix
    (no spaces, no leading ``+``) and keeps a trailing comment.
    """
    tests = (
        #  raw rule                              clean rule
        ('     userns         ,    # foo    ',   'userns, # foo'),
        ('    audit     userns create,',         'audit userns create,'),
        ('   deny userns      ,# foo bar',       'deny userns, # foo bar'),
        ('   allow userns  create   ,# foo bar', 'allow userns create, # foo bar'),
        ('userns,',                              'userns,'),
        ('userns create,',                       'userns create,'),
        (' priority = -1 allow userns  create,', 'priority=-1 allow userns create,'),
        (' priority =  0 allow userns  create,', 'priority=0 allow userns create,'),
        (' priority=+234 allow userns  create,', 'priority=234 allow userns create,'),
        (' priority = 65 allow userns  create,', 'priority=65 allow userns create,'),
    )

    def _run_test(self, rawrule, expected):
        """Parse *rawrule*; its clean form is *expected* and its raw form is the stripped input."""
        self.assertTrue(UserNamespaceRule.match(rawrule))
        rule = UserNamespaceRule.create_instance(rawrule)
        clean_text = rule.get_clean()
        raw_text = rule.get_raw()

        self.assertEqual(expected.strip(), clean_text, 'unexpected clean rule')
        self.assertEqual(rawrule.strip(), raw_text, 'unexpected raw rule')

    def test_write_manually(self):
        """A rule built in code (not parsed) renders with the requested depth of indentation."""
        rule = UserNamespaceRule('create', allow_keyword=True)
        expected = '    allow userns create,'

        # depth 2 -> four leading spaces; raw and clean agree for a manual rule
        self.assertEqual(expected, rule.get_clean(2), 'unexpected clean rule')
        self.assertEqual(expected, rule.get_raw(2), 'unexpected raw rule')

    def test_write_invalid_access(self):
        """An access field emptied after construction is an internal error when serialising."""
        rule = UserNamespaceRule('create')
        rule.access = ''
        self.assertRaises(AppArmorBug, rule.get_clean)


class UserNamespaceIsCoveredTest(AATest):
    """``is_covered``: an ``ALL`` rule subsumes any access; a narrower rule does not cover ``ALL``."""

    def test_is_covered(self):
        """A bare ``userns,`` rule covers both ``userns create,`` and another ``userns,``."""
        everything = UserNamespaceRule(UserNamespaceRule.ALL)
        for other in (UserNamespaceRule('create'), UserNamespaceRule(UserNamespaceRule.ALL)):
            self.assertTrue(everything.is_covered(other))

    def test_is_not_covered(self):
        """``userns create,`` does not cover the unrestricted ``userns,`` rule."""
        only_create = UserNamespaceRule('create')
        self.assertFalse(only_create.is_covered(UserNamespaceRule(UserNamespaceRule.ALL)))


class UserNamespaceLogprofHeaderTest(AATest):
    """aa-logprof header rendering, and building a rule from a parsed audit event."""
    tests = (
        ('userns,',        [_('Access mode'), _('ALL')]),
        ('userns create,', [_('Access mode'), 'create']),
    )

    def _run_test(self, params, expected):
        """The logprof header is a ``[translated label, value]`` pair."""
        rule = UserNamespaceRule.create_instance(params)
        self.assertEqual(rule.logprof_header(), expected)

    def test_unconfined_usens_from_log(self):
        """Round-trip a ``userns_create`` audit event into exactly one rule.

        The sample line is an ``apparmor="AUDIT"`` event for an unconfined
        ``unshare`` process creating a user namespace; per the event's own
        ``info``/``target`` fields it was transitioned to the
        ``unprivileged_userns`` profile.  It must fold into the hashlog as
        ``{'create': True}`` and regenerate as a single ``userns create,`` rule.
        """
        log = 'type=AVC msg=audit(1720613712.153:168): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=5630 comm="unshare" requested="userns_create" target="unprivileged_userns" execpath="/usr/bin/unshare"'

        event = ReadLog('', '', '').parse_event(log)
        hl = hasher()
        UserNamespaceRule.hashlog_from_event(hl, event)
        self.assertEqual(hl, {'create': True})

        # from_hashlog() is a generator: one rule, then exhaustion.
        generated = UserNamespaceRule.from_hashlog(hl)
        self.assertTrue(UserNamespaceRule('create').is_equal(next(generated)))
        self.assertRaises(StopIteration, next, generated)


class UserNamespaceGlobTestAATest(AATest):
    """Globbing a userns rule widens it to the unrestricted ``userns,`` form."""

    def test_glob(self):
        """``userns create,`` globs to ``userns,``."""
        ruleset = UserNamespaceRuleset()
        self.assertEqual(ruleset.get_glob('userns create,'), 'userns,')


# Expand every class's ``tests`` tuple into individual test methods that call
# the class's ``_run_test`` (see common_test), then run the module as a script.
setup_all_loops(__name__)
if __name__ == '__main__':
    unittest.main(verbosity=1)