[apparmor] [PATCH 4/4] parser: Binary profile equality tests for DBus rules

Seth Arnold seth.arnold at canonical.com
Mon Jul 29 22:55:59 UTC 2013 

On Sat, Jul 27, 2013 at 02:45:18AM -0700, Tyler Hicks wrote:
> This test is to verify that a list of profiles compile down into the
> same binary representation. This is useful, for example, when testing a
> rule syntax that includes permission aliases, as well as implied and
> explicit accesses.

Very cool, one comment inline..

> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
>  parser/tst/Makefile    |   7 ++-
>  parser/tst/equality.sh | 154 +++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 159 insertions(+), 2 deletions(-)
>  create mode 100755 parser/tst/equality.sh
> 
> diff --git a/parser/tst/Makefile b/parser/tst/Makefile
> index f98aff6..cff6646 100644
> --- a/parser/tst/Makefile
> +++ b/parser/tst/Makefile
> @@ -12,8 +12,8 @@ endif
>  
>  all: tests
>  
> -.PHONY: tests error_output gen_xtrans parser_sanity caching minimize
> -tests: error_output gen_xtrans gen_dbus parser_sanity caching minimize
> +.PHONY: tests error_output gen_xtrans parser_sanity caching minimize equality
> +tests: error_output gen_xtrans gen_dbus parser_sanity caching minimize equality
>  
>  GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/ simple_tests/generated_dbus
>  
> @@ -47,6 +47,9 @@ caching: $(PARSER)
>  minimize: $(PARSER)
>  	LANG=C APPARMOR_PARSER="$(PARSER)" ./minimize.sh
>  
> +equality: $(PARSER)
> +	LANG=C APPARMOR_PARSER="$(PARSER)" ./equality.sh
> +
>  $(PARSER):
>  	make -C $(PARSER_DIR) $(PARSER_BIN)
>  
> diff --git a/parser/tst/equality.sh b/parser/tst/equality.sh
> new file mode 100755
> index 0000000..c08ae6a
> --- /dev/null
> +++ b/parser/tst/equality.sh
> @@ -0,0 +1,154 @@
> +#!/bin/bash
> +#
> +#   Copyright (c) 2013
> +#   Canonical, Ltd. (All rights reserved)
> +#
> +#   This program is free software; you can redistribute it and/or
> +#   modify it under the terms of version 2 of the GNU General Public
> +#   License published by the Free Software Foundation.
> +#
> +#   This program is distributed in the hope that it will be useful,
> +#   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +#   GNU General Public License for more details.
> +#
> +#   You should have received a copy of the GNU General Public License
> +#   along with this program; if not, contact Canonical Ltd.
> +#
> +
> +# Tests for post-parser equality among multiple profiles. These tests are
> +# useful to verify that keyword aliases, formatting differences, etc., all
> +# result in the same parser output.
> +
> +set -o pipefail
> +
> +APPARMOR_PARSER="${APPARMOR_PARSER:-../apparmor_parser}"
> +fails=0
> +errors=0
> +
> +hash_binary_policy()
> +{
> +	printf %s "$1" | ${APPARMOR_PARSER} -qS 2>/dev/null| md5sum | cut -d ' ' -f 1
> +	return $?
> +}
> +
> +# verify_binary_equality - compares the binary policy of multiple profiles
> +# $1: A short description of the test
> +# $2: The known-good profile
> +# $3..$n: The profiles to compare against $2
> +#
> +# Upon failure/error, prints out the test description and profiles that failed
> +# and increments $fails or $errors for each failure and error, respectively
> +verify_binary_equality()
> +{
> +	local desc=$1
> +	local good_profile=$2
> +	local good_hash
> +	local ret=0
> +
> +	shift
> +	shift
> +
> +	printf "Binary equality %s ..." "$desc"
> +	good_hash=$(hash_binary_policy "$good_profile")
> +	if [ $? -ne 0 ]
> +	then
> +		printf "\nERROR: Error hashing the following \"known-good\" profile:\n%s\n\n" \
> +		       "$good_profile" 1>&2
> +		((errors++))
> +		return $((ret + 1))
> +	fi
> +
> +	for profile in "$@"
> +	do
> +		hash=$(hash_binary_policy "$profile")
> +		if [ $? -ne 0 ]
> +		then
> +			printf "\nERROR: Error hashing the following profile:\n%s\n\n" \
> +			       "$profile" 1>&2
> +			((errors++))
> +			((ret++))
> +		elif [ "$hash" != "$good_hash" ]
> +		then
> +			printf "\nFAIL: Hash values do not match\n" 2>&1
> +			printf "known-good (%s) != profile-under-test (%s) for the following profile:\n%s\n\n" \
> +				"$good_hash" "$hash" "$profile" 1>&2
> +			((fails++))
> +			((ret++))
> +		fi
> +	done
> +
> +	if [ $ret -eq 0 ]
> +	then
> +		printf " ok\n\n"
> +	fi
> +
> +	return $ret
> +}
> +
> +verify_binary_equality "dbus send" \
> +	"/t { dbus send, }" \
> +	"/t { dbus write, }" \
> +	"/t { dbus w, }"
> +
> +verify_binary_equality "dbus receive" \
> +	"/t { dbus receive, }" \
> +	"/t { dbus read, }" \
> +	"/t { dbus r, }"
> +
> +verify_binary_equality "dbus send + receive" \
> +	"/t { dbus (send, receive), }" \
> +	"/t { dbus (read, write), }" \
> +	"/t { dbus (r, w), }" \
> +	"/t { dbus (rw), }" \
> +	"/t { dbus rw, }" \
> +
> +verify_binary_equality "dbus all accesses" \
> +	"/t { dbus (send, receive, bind), }" \
> +	"/t { dbus (read, write, bind), }" \
> +	"/t { dbus (r, w, bind), }" \
> +	"/t { dbus (rw, bind), }" \
> +	"/t { dbus (), }" \
> +	"/t { dbus, }" \
> +
> +verify_binary_equality "dbus implied accesses for services" \
> +	"/t { dbus bind name=com.foo, }" \
> +	"/t { dbus name=com.foo, }"
> +
> +verify_binary_equality "dbus implied accesses for messages" \
> +	"/t { dbus (send, receive) path=/com/foo interface=org.foo, }" \
> +	"/t { dbus path=/com/foo interface=org.foo, }"
> +
> +verify_binary_equality "dbus implied accesses for messages with peer names" \
> +	"/t { dbus (send, receive) path=/com/foo interface=org.foo peer=(name=com.foo), }" \
> +	"/t { dbus path=/com/foo interface=org.foo peer=(name=com.foo), }"

It'd be nice to add the following here as well:

+	"/t { dbus (send, receive) path=/com/foo interface=org.foo peer=(name=(com.foo)), }" \
+	"/t { dbus path=/com/foo interface=org.foo peer=(name=(com.foo)), }"

At least I think that matches the manpage from a few days back...

> +
> +verify_binary_equality "dbus implied accesses for messages with peer labels" \
> +	"/t { dbus (send, receive) path=/com/foo interface=org.foo peer=(label=/usr/bin/app), }" \
> +	"/t { dbus path=/com/foo interface=org.foo peer=(label=/usr/bin/app), }"
> +
> +verify_binary_equality "dbus element parsing" \
> +	"/t { dbus bus=b path=/ interface=i member=m peer=(name=n label=l), }" \
> +	"/t { dbus bus=\"b\" path=\"/\" interface=\"i\" member=\"m\" peer=(name=\"n\" label=\"l\"), }" \
> +	"/t { dbus bus =b path =/ interface =i member =m peer =(name =n label =l), }" \
> +	"/t { dbus bus= b path= / interface= i member= m peer= (name= n label= l), }" \
> +	"/t { dbus bus = b path = / interface = i member = m peer = ( name = n label = l ), }"
> +
> +verify_binary_equality "dbus access parsing" \
> +	"/t { dbus, }" \
> +	"/t { dbus (), }" \
> +	"/t { dbus (send, receive, bind), }" \
> +	"/t { dbus (send receive bind), }" \
> +	"/t { dbus (send,	receive                  bind), }" \
> +	"/t { dbus (send,receive,bind), }" \
> +	"/t { dbus (send,receive,,,,,,,,,,,,,,,,bind), }" \
> +	"/t { dbus (send,send,send,send send receive,bind), }" \
> +
> +if [ $fails -ne 0 -o $errors -ne 0 ]
> +then
> +	printf "ERRORS: %d\nFAILS: %d\n" $errors $fails 2>&1
> +	exit $(($fails + $errors))
> +fi
> +
> +printf "PASS\n"
> +exit 0
> -- 

Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130729/4afe3c1d/attachment-0001.pgp>

More information about the AppArmor mailing list