[apparmor] [PATCH 07/11] Add auto generation of tests to verify leading and trailing perms for xrules

John Johansen john.johansen at canonical.com
Tue Dec 14 08:58:44 GMT 2010


Test the leading permission form of an xrule against its trailing permission
form, to verify that they are generating the same xtransition and thus
don't conflict (assumes xtransition conflict checking is working).
  eg.
     px /foo,
     /foo px,

should generate the same rule and thus not result in any conflicts

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 parser/tst/Makefile                                |    1 +
 parser/tst/gen-xtrans.pl                           |   46 ++++++++++++++++---
 .../simple_tests/generated_perms_leading/readme    |    5 ++
 3 files changed, 44 insertions(+), 8 deletions(-)
 create mode 100644 parser/tst/simple_tests/generated_perms_leading/readme

diff --git a/parser/tst/Makefile b/parser/tst/Makefile
index c53d6a3..b30ec6e 100644
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -40,3 +40,4 @@ $(PARSER):
 
 clean:
 	rm -f simple_tests/generated_x/*
+	rm -f simple_tests/generated_perms_leading/*
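Review bot: The added `rm -f simple_tests/generated_perms_leading/*` also deletes the `readme` that this same patch commits into that directory, so `make clean` leaves a tracked file removed in the working tree. If the readme is what keeps the directory present in a checkout (git does not track empty directories), committing after a clean would drop the directory and the generator would have nowhere to write its profiles. Restricting the glob to the generated profiles avoids this: `rm -f simple_tests/generated_perms_leading/*.sd`, since gen-xtrans.pl names its output `*.sd`.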
diff --git a/parser/tst/gen-xtrans.pl b/parser/tst/gen-xtrans.pl
index 69831ac..a1fe4a7 100755
--- a/parser/tst/gen-xtrans.pl
+++ b/parser/tst/gen-xtrans.pl
@@ -7,6 +7,7 @@ use POSIX;
 setlocale(LC_MESSAGES, "");
 
 my $prefix="simple_tests/generated_x";
+my $prefix_leading="simple_tests/generated_perms_leading";
 
 my @trans_types = ("p", "P", "c", "C", "u", "i");
 my @modifiers = ("i", "u");
@@ -40,6 +41,11 @@ gen_conflicting_x();
 gen_overlap_re_exact();
 gen_dominate_re_re();
 gen_ambiguous_re_re();
+gen_leading_perms("exact", "/bin/cat", "/bin/cat");
+gen_leading_perms("exact-re", "/bin/*", "/bin/*");
+gen_leading_perms("overlap", "/*", "/bin/cat");
+gen_leading_perms("dominate", "/**", "/*");
+gen_leading_perms("ambiguous", "/a*", "/*b");
 
 print "Generated $count xtransition interaction tests\n";
 
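Review bot: These five top-level calls run before `sub gen_leading_perms($$$)` is compiled further down the file, so the prototype is not applied to them. If warnings are enabled (the top of the script is outside this hunk), Perl reports `called too early to check prototype` for each call. The neighbouring generators appear to be declared without prototypes (`sub gen_dominate_re_re {`), so the simplest fix is to declare the new sub the same way, `sub gen_leading_perms {`, and rely on the `my ($name, $rule1, $rule2) = @_;` unpacking.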
@@ -56,17 +62,21 @@ sub gen_list {
     return @output;
 }
 
-sub print_rule($$$$) {
-    my ($file, $name, $perm, $target) = @_;
-    print $file "\t${name} ${perm}";
+sub print_rule($$$$$$) {
+    my ($file, $leading, $qual, $name, $perm, $target) = @_;
+    if ($leading) {
+	print $file "\t${qual} ${perm} ${name}";
+    } else {
+	print $file "\t${qual} ${name} ${perm}";
+    }
     if ($target ne "") {
 	print $file " -> $target";
     }
     print $file ",\n";
 }
 
-sub gen_file($$$$$$$$) {
-    my ($name, $xres, $rule1, $perm1, $target1, $rule2, $perm2, $target2) = @_;
+sub gen_file($$$$$$$$$$$$) {
+    my ($name, $xres, $leading1, $qual1, $rule1, $perm1, $target1, $leading2, $qual2, $rule2, $perm2, $target2) = @_;
 
 #    print "$xres $rule1 $perm1 $target1 $rule2 $perm2 $target2\n";
 
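Review bot: print_rule's new `$leading` flag and the twelve positional scalars now taken by gen_file are undocumented, and the call sites pass bare `0`/`1`. A swapped or shifted argument still satisfies the `$$$$$$$$$$$$` prototype and silently produces a test profile of a different shape than intended. I would add `# $leading true: emit "qual perm path"; false: emit "qual path perm"` above print_rule. Also consider passing each rule as one hash ref, e.g. `{ leading => 1, qual => $q, path => $rule2, perm => $i, target => $t }`. gen_file's body continues outside this hunk.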
@@ -81,8 +91,8 @@ sub gen_file($$$$$$$$) {
     print $file "#=EXRESULT ${xres}\n";
     print $file "#\n";
     print $file "/usr/bin/foo {\n";
-    print_rule($file, $rule1, $perm1, $target1);
-    print_rule($file, $rule2, $perm2, $target2);
+    print_rule($file, $leading1, $qual1, $rule1, $perm1, $target1);
+    print_rule($file, $leading2, $qual2, $rule2, $perm2, $target2);
     print $file "}";
     close($file);
 
@@ -123,7 +133,7 @@ sub gen_files($$$$) {
 
 
 #		    print "foo $xres $rule1 $i $t $rule2 $j $u\n";
-			    gen_file($file, $xres, "$q $rule1", $i, $t, "$r $rule2", $j, $u);
+			    gen_file($file, $xres, 0, $q, $rule1, $i, $t, 0, $r, $rule2, $j, $u);
 			}
 		    }
 		}
@@ -150,3 +160,23 @@ sub gen_dominate_re_re {
 sub gen_ambiguous_re_re {
     gen_files("ambiguous", "/bin/a*", "/bin/*b", "FAIL");
 }
+
+
+# test that rules that lead with permissions don't conflict with
+# the same rule using trailing permissions.
+sub gen_leading_perms($$$) {
+    my ($name, $rule1, $rule2) = @_;
+
+    my @perms = gen_list();
+
+    foreach my $i (@perms) {
+	foreach my $t (@{$named_trans{substr($i, 0, 1)}}) {
+	    foreach my $q (@qualifiers) {
+		my $file="${prefix_leading}/${name}-$q$i$t.sd";
+#		    print "$file\n";
+
+		gen_file($file, "PASS", 0, $q, $rule1, $i, $t, 1, $q, $rule2, $i, $t);
+	    }
+	}
+    }
+}
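Review bot: Every file produced by gen_leading_perms expects `"PASS"`, so the suite can only show that the leading form parses and does not conflict. It would still pass if the parser accepted `px /foo,` but dropped its exec transition. Since these profiles decide how exec is confined, I would add a negative counterpart: pair a leading-perm rule with a trailing-perm rule on the same path, using an exec mode the existing generators already expect to conflict, and emit it with `"FAIL"`. A short comment above the sub noting that the first rule is written trailing and the second leading (the `0` and `1` passed to gen_file) would also help readers.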
diff --git a/parser/tst/simple_tests/generated_perms_leading/readme b/parser/tst/simple_tests/generated_perms_leading/readme
new file mode 100644
index 0000000..32c1f9c
--- /dev/null
+++ b/parser/tst/simple_tests/generated_perms_leading/readme
@@ -0,0 +1,5 @@
+Autogenerated tests for testing that leading and trailing style perms don't
+conflict.
+  eg.
+   /foo px,
+   px /foo,
-- 
1.7.1



