[apparmor] [PATCH 06/11] Add auto generation of xtransition conflict tests

John Johansen john.johansen at canonical.com
Tue Dec 14 08:58:43 GMT 2010


All the combinations of xtransition conflicts were not well represented in
the regression test suite.  Instead of relying on multiple static test
files, automatically generate all possible conflicts.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/tst/Makefile            |   10 ++-
 parser/tst/gen-xtrans.pl       |  152 ++++++++++++++++++++++++++++++++++++++++
 parser/tst/simple_tests/readme |    2 +
 3 files changed, 162 insertions(+), 2 deletions(-)
 create mode 100755 parser/tst/gen-xtrans.pl
 create mode 100644 parser/tst/simple_tests/readme

diff --git a/parser/tst/Makefile b/parser/tst/Makefile
index 48e160b..c53d6a3 100644
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -11,8 +11,11 @@ endif
 
 all: tests
 
-.PHONY: tests error_output parser_sanity caching
-tests: error_output parser_sanity caching
+.PHONY: tests error_output gen_xtrans parser_sanity caching
+tests: error_output gen_xtrans parser_sanity caching
+
+gen_xtrans:
+	./gen-xtrans.pl
 
 error_output: $(PARSER)
 	$(PARSER) -S -I errors >/dev/null errors/okay.sd
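Review bot: The new `gen_xtrans` recipe runs `./gen-xtrans.pl` into `simple_tests/generated_x`, but nothing in this commit creates that directory (the readme is added to `simple_tests/`, not to `generated_x/`, and git does not track empty directories), so on a fresh checkout the script's first `open` fails and it exits 1. Unless the directory is created elsewhere, the recipe should read `gen_xtrans:` / `	mkdir -p simple_tests/generated_x` / `	./gen-xtrans.pl`. Separately, listing `gen_xtrans` before `parser_sanity` in `tests:` does not order them under `make -j`; if `parser_sanity` consumes the generated files (its rule is outside this hunk), add `parser_sanity: gen_xtrans` as an explicit prerequisite. The `clean` target added in the second hunk is also not in the `.PHONY` list updated here.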
@@ -34,3 +37,6 @@ caching: $(PARSER)
 
 $(PARSER):
 	make -C $(PARSER_DIR) $(PARSER_BIN)
+
+clean:
+	rm -f simple_tests/generated_x/*
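Review bot: `clean` is added without being declared `.PHONY`, so a file named `clean` in `parser/tst` would silently make the target a no-op; add it to the `.PHONY` line in the first hunk, e.g. `.PHONY: tests error_output gen_xtrans parser_sanity caching clean`. The recipe `rm -f simple_tests/generated_x/*` is bounded to the generated directory, which is the right scope; it leaves the directory itself in place, which is consistent with the generator expecting it to exist.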
diff --git a/parser/tst/gen-xtrans.pl b/parser/tst/gen-xtrans.pl
new file mode 100755
index 0000000..69831ac
--- /dev/null
+++ b/parser/tst/gen-xtrans.pl
@@ -0,0 +1,152 @@
+#!/usr/bin/perl
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $prefix="simple_tests/generated_x";
+
+my @trans_types = ("p", "P", "c", "C", "u", "i");
+my @modifiers = ("i", "u");
+my %trans_modifiers = (
+    "p" => \@modifiers,
+    "P" => \@modifiers,
+    "c" => \@modifiers,
+    "C" => \@modifiers,
+    );
+
+my @targets = ("", "target", "target2");
+my @null_target = ("");
+
+my %named_trans = (
+    "p" => \@targets,
+    "P" => \@targets,
+    "c" => \@targets,
+    "C" => \@targets,
+    "u" => \@null_target,
+    "i" => \@null_target,
+    );
+
+# audit qualifier disabled for now it really shouldn't affect the conflict
+# test but it may be worth checking every once in awhile
+#my @qualifiers = ("", "owner", "audit", "audit owner");
+my @qualifiers = ("", "owner");
+
+my $count = 0;
+
+gen_conflicting_x();
+gen_overlap_re_exact();
+gen_dominate_re_re();
+gen_ambiguous_re_re();
+
+print "Generated $count xtransition interaction tests\n";
+
+sub gen_list {
+    my @output;
+    foreach my $trans (@trans_types) {
+	if ($trans_modifiers{$trans}) {
+	    foreach my $mod (@{$trans_modifiers{$trans}}) {
+		push @output, "${trans}${mod}x";
+	    }
+	}
+	push @output, "${trans}x";
+    }
+    return @output;
+}
+
+sub print_rule($$$$) {
+    my ($file, $name, $perm, $target) = @_;
+    print $file "\t${name} ${perm}";
+    if ($target ne "") {
+	print $file " -> $target";
+    }
+    print $file ",\n";
+}
+
+sub gen_file($$$$$$$$) {
+    my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+
+#    print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
+
+    my $file;
+    unless (open $file, ">$name") {
+	print("couldn't open $name\n");
+	exit 1;
+    }
+
+    print $file "#\n";
+    print $file "#=DESCRIPTION ${name}\n";
+    print $file "#=EXRESULT ${xres}\n";
+    print $file "#\n";
+    print $file "/usr/bin/foo {\n";
+    print_rule($file, $rule1, $perm1, $target1);
+    print_rule($file, $rule2, $perm2, $target2);
+    print $file "}";
+    close($file);
+
+    $count++;
+}
+
+#NOTE: currently we don't do px to cx, or cx to px conversion
+#      so
+# /foo {
+#    /* px -> /foo//bar,
+#    /* cx -> bar,
+#
+# will conflict
+#
+#NOTE: conflict tests don't tests leading permissions or using unsafe keywords
+#      It is assumed that there are extra tests to verify 1 to 1 coorispondance
+sub gen_files($$$$) {
+    my ($name, $rule1, $rule2, $default) = @_;
+
+    my @perms = gen_list();
+
+#    print "@perms\n";
+
+    foreach my $i (@perms) {
+	foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+	    foreach my $q (@qualifiers) {
+		foreach my $j (@perms) {
+		    foreach my $u (@{$named_trans{substr($j, 0, 1)}}) {
+			foreach my $r (@qualifiers) {
+			    my $file="${prefix}/${name}-$q$i$t-$r$j$u.sd";
+#		    print "$file\n";
+
+		    #override failures when transitions are the same
+			    my $xres = ${default};
+			    if ($i eq $j && $t eq $u) {
+				$xres = "PASS";
+			    }
+
+
+#		    print "foo $xres $rule1 $i $t $rule2 $j $u\n";
+			    gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+			}
+		    }
+		}
+	    }
+	}
+    }
+
+}
+
+sub gen_conflicting_x {
+    gen_files("conflict", "/bin/cat", "/bin/cat", "FAIL");
+}
+
+sub gen_overlap_re_exact {
+
+    gen_files("exact", "/bin/cat", "/bin/*", "PASS");
+}
+
+# we currently don't support this, once supported change to "PASS"
+sub gen_dominate_re_re {
+    gen_files("dominate", "/bin/*", "/bin/**", "FAIL");
+}
+
+sub gen_ambiguous_re_re {
+    gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
+}
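Review bot: `gen_file` opens its output with the two-argument form `open $file, ">$name"` and reports failure without `$!`, and `close($file)` is unchecked, so a write error on the generated test is silently lost while `$count` is still incremented. `$name` is built from `$prefix` and the fixed name lists, so mode injection is not reachable here, but the three-argument form is the idiom reviewers expect and it makes the intent explicit: `open my $fh, '>', $name or die "couldn't open $name: $!\n";` and `close $fh or die "couldn't write $name: $!\n";` (then pass `$fh` to `print_rule`). The file also lacks `use warnings`, and the `($$$$)` prototypes on `print_rule`, `gen_file` and `gen_files` only alter parsing, not argument validation, so they should be dropped in favour of the existing `my (...) = @_` unpacking. `Locale::gettext` and `setlocale` appear to be unused in this script and could be removed.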
diff --git a/parser/tst/simple_tests/readme b/parser/tst/simple_tests/readme
new file mode 100644
index 0000000..cfa9243
--- /dev/null
+++ b/parser/tst/simple_tests/readme
@@ -0,0 +1,2 @@
+Directory for auto generated x-transition tests
+
-- 
1.7.1



