[apparmor] [PATCH 3/4] parser: Regression tests for DBus rules
Seth Arnold
seth.arnold at canonical.com
Mon Jul 29 22:49:39 UTC 2013
On Sat, Jul 27, 2013 at 02:45:17AM -0700, Tyler Hicks wrote:
> This is a test in the style of gen-xtrans.pl that attempts to run
> through the most commonly constructed DBus rules. It also attempts to
> run through some common mistakes to ensure that the parser fails
> appropriately.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
One quick question inline..
> ---
> parser/tst/Makefile | 7 ++-
> parser/tst/gen-dbus.pl | 161 +++++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 166 insertions(+), 2 deletions(-)
> create mode 100755 parser/tst/gen-dbus.pl
>
> diff --git a/parser/tst/Makefile b/parser/tst/Makefile
> index b152db2..f98aff6 100644
> --- a/parser/tst/Makefile
> +++ b/parser/tst/Makefile
> @@ -13,9 +13,9 @@ endif
> all: tests
>
> .PHONY: tests error_output gen_xtrans parser_sanity caching minimize
> -tests: error_output gen_xtrans parser_sanity caching minimize
> +tests: error_output gen_xtrans gen_dbus parser_sanity caching minimize
>
> -GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/
> +GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/ simple_tests/generated_dbus
>
> gen_xtrans: $(GEN_TRANS_DIRS)
> ./gen-xtrans.pl
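Review bot: `gen_dbus` is added to the prerequisites of `tests` but not to the `.PHONY` list two lines above it, so a stray file or directory named `gen_dbus` in parser/tst can make the target look up to date. In that case the DBus profiles would silently not be regenerated before `parser_sanity` runs. Listing it next to `gen_xtrans` avoids that: `.PHONY: tests error_output gen_xtrans gen_dbus parser_sanity caching minimize`. The `gen_dbus` rule itself is added in the next hunk.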
> @@ -23,6 +23,9 @@ gen_xtrans: $(GEN_TRANS_DIRS)
> $(GEN_TRANS_DIRS):
> mkdir $@
>
> +gen_dbus: $(GEN_TRANS_DIRS)
> + ./gen-dbus.pl
> +
> error_output: $(PARSER)
> $(PARSER) -S -I errors >/dev/null errors/okay.sd
> LANG=C $(PARSER) -S -I errors 2>&1 >/dev/null errors/single.sd | \
> diff --git a/parser/tst/gen-dbus.pl b/parser/tst/gen-dbus.pl
> new file mode 100755
> index 0000000..a5fc2b4
> --- /dev/null
> +++ b/parser/tst/gen-dbus.pl
> @@ -0,0 +1,161 @@
> +#!/usr/bin/perl
> +#
> +# Copyright (c) 2013
> +# Canonical, Ltd. (All rights reserved)
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program; if not, contact Canonical Ltd.
> +#
> +
> +use strict;
> +use Locale::gettext;
> +use POSIX;
> +
> +setlocale(LC_MESSAGES, "");
> +
> +my $count=0;
> +
> +my $prefix="simple_tests/generated_dbus";
> +
> +my @quantifier = ("", "deny", "audit");
> +my @session = ("", "bus=session", "bus=system", "bus=accessibility");
> +my @path = ("", "path=/foo/bar", "path=\"/foo/bar\"");
> +my @interface = ("", "interface=com.baz", "interface=\"com.baz\"");
> +my @member = ("", "member=bar", "member=\"bar\"");
> +
> +my @name = ("", "name=com.foo", "name=\"com.foo\"");
> +my @peer = map { "peer=($_)" } (@name, "label=/usr/bin/app",
> + "label=\"/usr/bin/app\"",
> + "name=com.foo label=/usr/bin/app",
> + "name=\"com.foo\" label=\"/usr/bin/app\"");
> +
> +# @msg_perms are the permissions that are related to sending and receiving
> +# messages. @svc_perms are the permissions related to services.
> +my @base_msg_perms = ("r", "w", "rw", "read", "receive", "write", "send");
> +my @msg_perms = ("", @base_msg_perms, (map { "($_)" } @base_msg_perms),
> + "(write, read)", "(send receive)", "(send read)",
> + "(receive write)");
> +
> +gen_files("message-rules", "PASS", \@quantifier, \@msg_perms, \@session,
> + [""], \@path, \@interface, \@member, \@peer);
> +gen_files("service-rules", "PASS", \@quantifier, ["bind"], \@session,
> + \@name, [""], [""], [""], [""]);
> +gen_file("sloppy-formatting", "PASS", "", "(send , receive )", "bus=session",
> + "", "path =\"/foo/bar\"", "interface = com.foo", " member=bar",
> + "peer =( label= /usr/bin/app name =\"com.foo\")");
> +gen_file("sloppy-formatting", "PASS", "", "bind", "bus =session",
> + "name= com.foo", "", "", "", "");
> +
> +# Don't use the first element, which is empty, from each array since all empty
> +# conditionals would PASS but we want all FAILs
> +shift @msg_perms;
> +shift @name;
> +shift @path;
> +shift @interface;
> +shift @member;
> +shift @peer;
> +gen_files("message-incompat", "FAIL", \@quantifier, \@msg_perms, \@session,
> + \@name, [""], [""], [""], [""]);
> +gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
> + \@name, \@path, [""], [""], [""]);
> +gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
> + \@name, [""], \@interface, [""], [""]);
> +gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
> + \@name, [""], [""], \@member, [""]);
> +gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
> + \@name, [""], [""], [""], \@peer);
> +
> +gen_files("pairing-unsupported", "FAIL", \@quantifier, ["send", "bind"],
> + \@session, ["name=sn", "label=sl"], [""], [""], [""],
> + ["peer=(name=pn)", "peer=(label=pl)"]);
> +
> +# missing bus= prefix
> +gen_file("bad-formatting", "FAIL", "", "send", "session", "", "", "", "", "");
> +# incorrectly formatted permissions
> +gen_files("bad-perms", "FAIL", [""], ["send receive", "(send", "send)"],
> + ["bus=session"], [""], [""], [""], [""], [""]);
> +# invalid permissions
> +gen_files("bad-perms", "FAIL", [""],
> + ["a", "x", "Ux", "ix", "m", "k", "l", "(a)", "(x)"], [""], [""],
> + [""], [""], [""], [""]);
> +
> +gen_file("duplicated-conditionals", "FAIL", "", "bus=1 bus=2");
> +gen_file("duplicated-conditionals", "FAIL", "", "name=1 name=2");
> +gen_file("duplicated-conditionals", "FAIL", "", "path=1 path=2");
> +gen_file("duplicated-conditionals", "FAIL", "", "interface=1 interface=2");
> +gen_file("duplicated-conditionals", "FAIL", "", "member=1 member=2");
> +gen_file("duplicated-conditionals", "FAIL", "", "peer=(name=1) peer=(name=2)");
> +gen_file("duplicated-conditionals", "FAIL", "", "peer=(label=1) peer=(label=2)");
> +gen_file("duplicated-conditionals", "FAIL", "", "peer=(name=1) peer=(label=2)");
> +
Here's the gen_file() prototype (to force C syntax on Perl :) :
> +sub gen_file($$$$$$$$$$) {
there's a few missing parameters.. does it all work out alright in the
end?
> +print "Generated $count dbus tests\n";
> +
> +sub print_rule($$$$$$$$$) {
> + my ($file, $quantifier, $perms, $session, $name, $path, $interface, $member, $peer) = @_;
> +
> + print $file " ";
> + print $file " ${quantifier}" if ${quantifier};
> + print $file " dbus";
> + print $file " ${perms}" if ${perms};
> + print $file " ${session}" if ${session};
> + print $file " ${name}" if ${name};
> + print $file " ${path}" if ${path};
> + print $file " ${interface}" if ${interface};
> + print $file " ${member}" if ${member};
> + print $file " ${peer}" if ${peer};
> + print $file ",\n";
> +}
> +
> +sub gen_file($$$$$$$$$$) {
> + my ($test, $xres, $quantifier, $perms, $session, $name, $path, $interface, $member, $peer) = @_;
> +
> + my $file;
> + unless (open $file, ">${prefix}/$test-$count.sd") {
> + print("couldn't open $test\n");
> + exit 1;
> + }
> +
> + print $file "#\n";
> + print $file "#=DESCRIPTION ${test}\n";
> + print $file "#=EXRESULT ${xres}\n";
> + print $file "#\n";
> + print $file "/usr/bin/foo {\n";
> + print_rule($file, $quantifier, $perms, $session, $name, $path, $interface,
> + $member, $peer);
> + print $file "}\n";
> + close($file);
> +
> + $count++;
> +}
> +
> +sub gen_files($$$$$$$$$$) {
> + my ($test, $xres, $quantifiers, $perms, $sessions, $names, $paths, $interfaces, $members, $peers) = @_;
> +
> + foreach my $quantifier (@{$quantifiers}) {
> + foreach my $perm (@{$perms}) {
> + foreach my $session (@{$sessions}) {
> + foreach my $name (@{$names}) {
> + foreach my $path (@{$paths}) {
> + foreach my $interface (@{$interfaces}) {
> + foreach my $member (@{$members}) {
> + foreach my $peer (@{$peers}) {
> + gen_file($test, $xres, $quantifier, $perm, $session, $name,
> + $path, $interface, $member, $peer);
> + }
> + }
> + }
> + }
> + }
> + }
> + }
> + }
> +}
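Review bot: gen_file() neither reports nor checks its I/O fully: the `open` uses the two-argument form, its failure message prints only `$test` rather than the path and `$!`, and the results of `print` and `close($file)` are ignored. All path components are constants in this script, so the two-argument form is not exploitable here, but a profile cut short by a write error would presumably be rejected by the parser. A test marked `#=EXRESULT FAIL` could then pass for the wrong reason. I would write `open(my $file, '>', "${prefix}/$test-$count.sd") or die "couldn't open ${prefix}/$test-$count.sd: $!\n";` and `close($file) or die "couldn't write ${prefix}/$test-$count.sd: $!\n";`.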
> --
> 1.8.3.2
Thanks