[apparmor] [PATCH 3/4] parser: Regression tests for DBus rules

Tyler Hicks tyhicks at canonical.com
Sat Jul 27 09:45:17 UTC 2013 

This is a test in the style of gen-xtrans.pl that attempts to run
through the most commonly constructed DBus rules. It also attempts to
run through some common mistakes to ensure that the parser fails
appropriately.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 parser/tst/Makefile    |   7 ++-
 parser/tst/gen-dbus.pl | 161 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+), 2 deletions(-)
 create mode 100755 parser/tst/gen-dbus.pl

diff --git a/parser/tst/Makefile b/parser/tst/Makefile
index b152db2..f98aff6 100644
--- a/parser/tst/Makefile
+++ b/parser/tst/Makefile
@@ -13,9 +13,9 @@ endif
 all: tests
 
 .PHONY: tests error_output gen_xtrans parser_sanity caching minimize
-tests: error_output gen_xtrans parser_sanity caching minimize
+tests: error_output gen_xtrans gen_dbus parser_sanity caching minimize
 
-GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/
+GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/ simple_tests/generated_dbus
 
 gen_xtrans: $(GEN_TRANS_DIRS)
 	./gen-xtrans.pl
@@ -23,6 +23,9 @@ gen_xtrans: $(GEN_TRANS_DIRS)
 $(GEN_TRANS_DIRS):
 	mkdir $@
 
+gen_dbus: $(GEN_TRANS_DIRS)
+	./gen-dbus.pl
+
 error_output: $(PARSER)
 	$(PARSER) -S -I errors >/dev/null errors/okay.sd
 	LANG=C $(PARSER) -S -I errors 2>&1 >/dev/null errors/single.sd | \
diff --git a/parser/tst/gen-dbus.pl b/parser/tst/gen-dbus.pl
new file mode 100755
index 0000000..a5fc2b4
--- /dev/null
+++ b/parser/tst/gen-dbus.pl
@@ -0,0 +1,161 @@
+#!/usr/bin/perl
+#
+#   Copyright (c) 2013
+#   Canonical, Ltd. (All rights reserved)
+#
+#   This program is free software; you can redistribute it and/or
+#   modify it under the terms of version 2 of the GNU General Public
+#   License published by the Free Software Foundation.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, contact Canonical Ltd.
+#
+
+use strict;
+use Locale::gettext;
+use POSIX;
+
+setlocale(LC_MESSAGES, "");
+
+my $count=0;
+
+my $prefix="simple_tests/generated_dbus";
+
+my @quantifier = ("", "deny", "audit");
+my @session = ("", "bus=session", "bus=system", "bus=accessibility");
+my @path = ("", "path=/foo/bar", "path=\"/foo/bar\"");
+my @interface = ("", "interface=com.baz", "interface=\"com.baz\"");
+my @member = ("", "member=bar", "member=\"bar\"");
+
+my @name = ("", "name=com.foo", "name=\"com.foo\"");
+my @peer = map { "peer=($_)" } (@name, "label=/usr/bin/app",
+				"label=\"/usr/bin/app\"",
+				"name=com.foo label=/usr/bin/app",
+				"name=\"com.foo\" label=\"/usr/bin/app\"");
+
+# @msg_perms are the permissions that are related to sending and receiving
+# messages. @svc_perms are the permissions related to services.
+my @base_msg_perms = ("r", "w", "rw", "read", "receive", "write", "send");
+my @msg_perms = ("", @base_msg_perms, (map { "($_)" } @base_msg_perms),
+		 "(write, read)", "(send receive)", "(send read)",
+		 "(receive write)");
+
+gen_files("message-rules", "PASS", \@quantifier, \@msg_perms, \@session,
+	  [""], \@path, \@interface, \@member, \@peer);
+gen_files("service-rules", "PASS", \@quantifier, ["bind"], \@session,
+	  \@name, [""], [""], [""], [""]);
+gen_file("sloppy-formatting", "PASS", "", "(send , receive )", "bus=session",
+	 "", "path =\"/foo/bar\"", "interface = com.foo", "  member=bar",
+	 "peer =(   label= /usr/bin/app name  =\"com.foo\")");
+gen_file("sloppy-formatting", "PASS", "", "bind", "bus =session",
+	 "name= com.foo", "", "", "", "");
+
+# Don't use the first element, which is empty, from each array since all empty
+# conditionals would PASS but we want all FAILs
+shift @msg_perms;
+shift @name;
+shift @path;
+shift @interface;
+shift @member;
+shift @peer;
+gen_files("message-incompat", "FAIL", \@quantifier, \@msg_perms, \@session,
+	  \@name, [""], [""], [""], [""]);
+gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
+	  \@name, \@path, [""], [""], [""]);
+gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
+	  \@name, [""], \@interface, [""], [""]);
+gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
+	  \@name, [""], [""], \@member, [""]);
+gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
+	  \@name, [""], [""], [""], \@peer);
+
+gen_files("pairing-unsupported", "FAIL", \@quantifier, ["send", "bind"],
+	  \@session, ["name=sn", "label=sl"], [""], [""], [""],
+	  ["peer=(name=pn)", "peer=(label=pl)"]);
+
+# missing bus= prefix
+gen_file("bad-formatting", "FAIL", "", "send", "session", "", "", "", "", "");
+# incorrectly formatted permissions
+gen_files("bad-perms", "FAIL", [""], ["send receive", "(send", "send)"],
+	  ["bus=session"], [""], [""], [""], [""], [""]);
+# invalid permissions
+gen_files("bad-perms", "FAIL", [""],
+	  ["a", "x", "Ux", "ix", "m", "k", "l", "(a)", "(x)"], [""], [""],
+	  [""], [""], [""], [""]);
+
+gen_file("duplicated-conditionals", "FAIL", "", "bus=1 bus=2");
+gen_file("duplicated-conditionals", "FAIL", "", "name=1 name=2");
+gen_file("duplicated-conditionals", "FAIL", "", "path=1 path=2");
+gen_file("duplicated-conditionals", "FAIL", "", "interface=1 interface=2");
+gen_file("duplicated-conditionals", "FAIL", "", "member=1 member=2");
+gen_file("duplicated-conditionals", "FAIL", "", "peer=(name=1) peer=(name=2)");
+gen_file("duplicated-conditionals", "FAIL", "", "peer=(label=1) peer=(label=2)");
+gen_file("duplicated-conditionals", "FAIL", "", "peer=(name=1) peer=(label=2)");
+
+print "Generated $count dbus tests\n";
+
+sub print_rule($$$$$$$$$) {
+    my ($file, $quantifier, $perms, $session, $name, $path, $interface, $member, $peer) = @_;
+
+    print $file " ";
+    print $file " ${quantifier}" if ${quantifier};
+    print $file " dbus";
+    print $file " ${perms}" if ${perms};
+    print $file " ${session}" if ${session};
+    print $file " ${name}" if ${name};
+    print $file " ${path}" if ${path};
+    print $file " ${interface}" if ${interface};
+    print $file " ${member}" if ${member};
+    print $file " ${peer}" if ${peer};
+    print $file ",\n";
+}
+
+sub gen_file($$$$$$$$$$) {
+    my ($test, $xres, $quantifier, $perms, $session, $name, $path, $interface, $member, $peer) = @_;
+
+    my $file;
+    unless (open $file, ">${prefix}/$test-$count.sd") {
+	print("couldn't open $test\n");
+	exit 1;
+    }
+
+    print $file "#\n";
+    print $file "#=DESCRIPTION ${test}\n";
+    print $file "#=EXRESULT ${xres}\n";
+    print $file "#\n";
+    print $file "/usr/bin/foo {\n";
+    print_rule($file, $quantifier, $perms, $session, $name, $path, $interface,
+	       $member, $peer);
+    print $file "}\n";
+    close($file);
+
+    $count++;
+}
+
+sub gen_files($$$$$$$$$$) {
+    my ($test, $xres, $quantifiers, $perms, $sessions, $names, $paths, $interfaces, $members, $peers) = @_;
+
+    foreach my $quantifier (@{$quantifiers}) {
+      foreach my $perm (@{$perms}) {
+	foreach my $session (@{$sessions}) {
+	  foreach my $name (@{$names}) {
+	    foreach my $path (@{$paths}) {
+	      foreach my $interface (@{$interfaces}) {
+		foreach my $member (@{$members}) {
+		  foreach my $peer (@{$peers}) {
+		    gen_file($test, $xres, $quantifier, $perm, $session, $name,
+			     $path, $interface, $member, $peer);
+		  }
+		}
+	      }
+	    }
+	  }
+	}
+      }
+    }
+}
-- 
1.8.3.2

More information about the AppArmor mailing list