[apparmor] [PATCH] parser: Add DFA minimization equality tests for D-Bus rules

John Johansen john.johansen at canonical.com
Tue Dec 24 21:06:37 UTC 2013


On 12/24/2013 09:47 AM, Tyler Hicks wrote:
> Tests should be added for other rule types but this is a good start at
> testing DFA minimization.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  parser/tst/equality.sh | 23 +++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
> 
> diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
> index 7370c61..c022927 100755
> --- a/parser/tst/equality.sh
> +++ b/parser/tst/equality.sh
> @@ -192,6 +192,29 @@ verify_binary_equality "dbus variable expansion, ensure rule de-duping occurs" \
>  	"@{FOO}=bar foo bar foo
>  	    /t { dbus (send, receive) path=/com/@{FOO}, dbus (send, receive) path=/com/@{FOO}, }"
>  
> +verify_binary_equality "dbus minimization with all perms" \
> +	"/t { dbus, }" \
> +	"/t { dbus bus=session, dbus, }" \
> +	"/t { dbus (send, receive, bind, eavesdrop), dbus, }"
> +
> +verify_binary_equality "dbus minimization with bind" \
> +	"/t { dbus bind, }" \
> +	"/t { dbus bind bus=session, dbus bind, }" \
> +	"/t { dbus bind bus=system name=com.foo, dbus bind, }"
> +
> +verify_binary_equality "dbus minimization with send and a bus conditional" \
> +	"/t { dbus send bus=system, }" \
> +	"/t { dbus send bus=system path=/com/foo interface=com.foo member=bar, dbus send bus=system, }" \
> +	"/t { dbus send bus=system peer=(label=/usr/bin/foo), dbus send bus=system, }"
> +
> +verify_binary_equality "dbus minimization with an audit modifier" \
> +	"/t { audit dbus eavesdrop, }" \
> +	"/t { audit dbus eavesdrop bus=session, audit dbus eavesdrop, }"
> +
> +verify_binary_equality "dbus minimization with a deny modifier" \
> +	"/t { deny dbus send bus=system peer=(name=com.foo), }" \
> +	"/t { deny dbus send bus=system peer=(name=com.foo label=/usr/bin/foo), deny dbus send bus=system peer=(name=com.foo), }" \
> +
>  if [ $fails -ne 0 -o $errors -ne 0 ]
>  then
>  	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
> 
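
Review bot: the last profile argument of the new "dbus minimization with a deny modifier" test ends with a trailing `\`, so the command continues onto the blank `+` line that follows. The script parses only because that line is empty; if the blank line is ever removed, the `if [ $fails -ne 0 -o $errors -ne 0 ]` line would be joined to the verify_binary_equality call as extra arguments. Drop the trailing backslash after the second profile, or add the third profile here if one was intended.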



