[apparmor] [PATCH 3/4] parser: Regression tests for DBus rules

Tyler Hicks tyhicks at canonical.com
Mon Jul 29 23:06:23 UTC 2013


On 2013-07-29 15:49:39, Seth Arnold wrote:
> On Sat, Jul 27, 2013 at 02:45:17AM -0700, Tyler Hicks wrote:
> > This is a test in the style of gen-xtrans.pl that attempts to run
> > through the most commonly constructed DBus rules. It also attempts to
> > run through some common mistakes to ensure that the parser fails
> > appropriately.
> > 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> 
> One quick question inline..
> 
> > ---
> >  parser/tst/Makefile    |   7 ++-
> >  parser/tst/gen-dbus.pl | 161 +++++++++++++++++++++++++++++++++++++++++++++++++
> >  2 files changed, 166 insertions(+), 2 deletions(-)
> >  create mode 100755 parser/tst/gen-dbus.pl
> > 
> > diff --git a/parser/tst/Makefile b/parser/tst/Makefile
> > index b152db2..f98aff6 100644
> > --- a/parser/tst/Makefile
> > +++ b/parser/tst/Makefile
> > @@ -13,9 +13,9 @@ endif
> >  all: tests
> >  
> >  .PHONY: tests error_output gen_xtrans parser_sanity caching minimize
> > -tests: error_output gen_xtrans parser_sanity caching minimize
> > +tests: error_output gen_xtrans gen_dbus parser_sanity caching minimize
> >  
> > -GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/
> > +GEN_TRANS_DIRS=simple_tests/generated_x/ simple_tests/generated_perms_leading/ simple_tests/generated_perms_safe/ simple_tests/generated_dbus
> >  
> >  gen_xtrans: $(GEN_TRANS_DIRS)
> >  	./gen-xtrans.pl
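Review bot: The new `gen_dbus` target is added to `tests` but not to the `.PHONY` list two lines above it, so a stray file named `gen_dbus` in parser/tst would satisfy the target and the generator would silently not run; extend it to `.PHONY: tests error_output gen_xtrans gen_dbus parser_sanity caching minimize`. The new `GEN_TRANS_DIRS` entry `simple_tests/generated_dbus` also lacks the trailing slash the sibling entries carry; this is harmless for the `mkdir $@` rule but worth matching for consistency.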
> > @@ -23,6 +23,9 @@ gen_xtrans: $(GEN_TRANS_DIRS)
> >  $(GEN_TRANS_DIRS):
> >  	mkdir $@
> >  
> > +gen_dbus: $(GEN_TRANS_DIRS)
> > +	./gen-dbus.pl
> > +
> >  error_output: $(PARSER)
> >  	$(PARSER) -S -I errors >/dev/null errors/okay.sd
> >  	LANG=C $(PARSER) -S -I errors 2>&1 >/dev/null errors/single.sd | \
> > diff --git a/parser/tst/gen-dbus.pl b/parser/tst/gen-dbus.pl
> > new file mode 100755
> > index 0000000..a5fc2b4
> > --- /dev/null
> > +++ b/parser/tst/gen-dbus.pl
> > @@ -0,0 +1,161 @@
> > +#!/usr/bin/perl
> > +#
> > +#   Copyright (c) 2013
> > +#   Canonical, Ltd. (All rights reserved)
> > +#
> > +#   This program is free software; you can redistribute it and/or
> > +#   modify it under the terms of version 2 of the GNU General Public
> > +#   License published by the Free Software Foundation.
> > +#
> > +#   This program is distributed in the hope that it will be useful,
> > +#   but WITHOUT ANY WARRANTY; without even the implied warranty of
> > +#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> > +#   GNU General Public License for more details.
> > +#
> > +#   You should have received a copy of the GNU General Public License
> > +#   along with this program; if not, contact Canonical Ltd.
> > +#
> > +
> > +use strict;
> > +use Locale::gettext;
> > +use POSIX;
> > +
> > +setlocale(LC_MESSAGES, "");
> > +
> > +my $count=0;
> > +
> > +my $prefix="simple_tests/generated_dbus";
> > +
> > +my @quantifier = ("", "deny", "audit");
> > +my @session = ("", "bus=session", "bus=system", "bus=accessibility");
> > +my @path = ("", "path=/foo/bar", "path=\"/foo/bar\"");
> > +my @interface = ("", "interface=com.baz", "interface=\"com.baz\"");
> > +my @member = ("", "member=bar", "member=\"bar\"");
> > +
> > +my @name = ("", "name=com.foo", "name=\"com.foo\"");
> > +my @peer = map { "peer=($_)" } (@name, "label=/usr/bin/app",
> > +				"label=\"/usr/bin/app\"",
> > +				"name=com.foo label=/usr/bin/app",
> > +				"name=\"com.foo\" label=\"/usr/bin/app\"");
> > +
> > +# @msg_perms are the permissions that are related to sending and receiving
> > +# messages. @svc_perms are the permissions related to services.
> > +my @base_msg_perms = ("r", "w", "rw", "read", "receive", "write", "send");
> > +my @msg_perms = ("", @base_msg_perms, (map { "($_)" } @base_msg_perms),
> > +		 "(write, read)", "(send receive)", "(send read)",
> > +		 "(receive write)");
> > +
> > +gen_files("message-rules", "PASS", \@quantifier, \@msg_perms, \@session,
> > +	  [""], \@path, \@interface, \@member, \@peer);
> > +gen_files("service-rules", "PASS", \@quantifier, ["bind"], \@session,
> > +	  \@name, [""], [""], [""], [""]);
> > +gen_file("sloppy-formatting", "PASS", "", "(send , receive )", "bus=session",
> > +	 "", "path =\"/foo/bar\"", "interface = com.foo", "  member=bar",
> > +	 "peer =(   label= /usr/bin/app name  =\"com.foo\")");
> > +gen_file("sloppy-formatting", "PASS", "", "bind", "bus =session",
> > +	 "name= com.foo", "", "", "", "");
> > +
> > +# Don't use the first element, which is empty, from each array since all empty
> > +# conditionals would PASS but we want all FAILs
> > +shift @msg_perms;
> > +shift @name;
> > +shift @path;
> > +shift @interface;
> > +shift @member;
> > +shift @peer;
> > +gen_files("message-incompat", "FAIL", \@quantifier, \@msg_perms, \@session,
> > +	  \@name, [""], [""], [""], [""]);
> > +gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
> > +	  \@name, \@path, [""], [""], [""]);
> > +gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
> > +	  \@name, [""], \@interface, [""], [""]);
> > +gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
> > +	  \@name, [""], [""], \@member, [""]);
> > +gen_files("service-incompat", "FAIL", \@quantifier, ["bind"], \@session,
> > +	  \@name, [""], [""], [""], \@peer);
> > +
> > +gen_files("pairing-unsupported", "FAIL", \@quantifier, ["send", "bind"],
> > +	  \@session, ["name=sn", "label=sl"], [""], [""], [""],
> > +	  ["peer=(name=pn)", "peer=(label=pl)"]);
> > +
> > +# missing bus= prefix
> > +gen_file("bad-formatting", "FAIL", "", "send", "session", "", "", "", "", "");
> > +# incorrectly formatted permissions
> > +gen_files("bad-perms", "FAIL", [""], ["send receive", "(send", "send)"],
> > +	  ["bus=session"], [""], [""], [""], [""], [""]);
> > +# invalid permissions
> > +gen_files("bad-perms", "FAIL", [""],
> > +	  ["a", "x", "Ux", "ix", "m", "k", "l", "(a)", "(x)"], [""], [""],
> > +	  [""], [""], [""], [""]);
> > +
> > +gen_file("duplicated-conditionals", "FAIL", "", "bus=1 bus=2");
> > +gen_file("duplicated-conditionals", "FAIL", "", "name=1 name=2");
> > +gen_file("duplicated-conditionals", "FAIL", "", "path=1 path=2");
> > +gen_file("duplicated-conditionals", "FAIL", "", "interface=1 interface=2");
> > +gen_file("duplicated-conditionals", "FAIL", "", "member=1 member=2");
> > +gen_file("duplicated-conditionals", "FAIL", "", "peer=(name=1) peer=(name=2)");
> > +gen_file("duplicated-conditionals", "FAIL", "", "peer=(label=1) peer=(label=2)");
> > +gen_file("duplicated-conditionals", "FAIL", "", "peer=(name=1) peer=(label=2)");
> > +
> 
> Here's the gen_file() prototype (to force C syntax on Perl :) :
> > +sub gen_file($$$$$$$$$$) {
> 
> there's a few missing parameters.. does it all work out alright in the
> end?

It does work out in the end. You can't force anything into the
$quantifier param since it goes in front of the dbus keyword (which is
why there's the one empty "" param), but then you can shove anything
into any parameter after that.

Sorry, it is ugly but so is a bunch of empty parameters. I kept flip
flopping between empty parameters and taking the shortcut that you
caught. :)

Named parameters would be nice here...

Tyler

> 
> > +print "Generated $count dbus tests\n";
> > +
> > +sub print_rule($$$$$$$$$) {
> > +    my ($file, $quantifier, $perms, $session, $name, $path, $interface, $member, $peer) = @_;
> > +
> > +    print $file " ";
> > +    print $file " ${quantifier}" if ${quantifier};
> > +    print $file " dbus";
> > +    print $file " ${perms}" if ${perms};
> > +    print $file " ${session}" if ${session};
> > +    print $file " ${name}" if ${name};
> > +    print $file " ${path}" if ${path};
> > +    print $file " ${interface}" if ${interface};
> > +    print $file " ${member}" if ${member};
> > +    print $file " ${peer}" if ${peer};
> > +    print $file ",\n";
> > +}
> > +
> > +sub gen_file($$$$$$$$$$) {
> > +    my ($test, $xres, $quantifier, $perms, $session, $name, $path, $interface, $member, $peer) = @_;
> > +
> > +    my $file;
> > +    unless (open $file, ">${prefix}/$test-$count.sd") {
> > +	print("couldn't open $test\n");
> > +	exit 1;
> > +    }
> > +
> > +    print $file "#\n";
> > +    print $file "#=DESCRIPTION ${test}\n";
> > +    print $file "#=EXRESULT ${xres}\n";
> > +    print $file "#\n";
> > +    print $file "/usr/bin/foo {\n";
> > +    print_rule($file, $quantifier, $perms, $session, $name, $path, $interface,
> > +	       $member, $peer);
> > +    print $file "}\n";
> > +    close($file);
> > +
> > +    $count++;
> > +}
> > +
> > +sub gen_files($$$$$$$$$$) {
> > +    my ($test, $xres, $quantifiers, $perms, $sessions, $names, $paths, $interfaces, $members, $peers) = @_;
> > +
> > +    foreach my $quantifier (@{$quantifiers}) {
> > +      foreach my $perm (@{$perms}) {
> > +	foreach my $session (@{$sessions}) {
> > +	  foreach my $name (@{$names}) {
> > +	    foreach my $path (@{$paths}) {
> > +	      foreach my $interface (@{$interfaces}) {
> > +		foreach my $member (@{$members}) {
> > +		  foreach my $peer (@{$peers}) {
> > +		    gen_file($test, $xres, $quantifier, $perm, $session, $name,
> > +			     $path, $interface, $member, $peer);
> > +		  }
> > +		}
> > +	      }
> > +	    }
> > +	  }
> > +	}
> > +      }
> > +    }
> > +}
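Review bot: gen_file opens its output with the two-argument `open $file, ">${prefix}/$test-$count.sd"` and the failure branch prints only the test name without `$!`, so a missing simple_tests/generated_dbus directory or a permission problem is reported with no reason; use the three-argument form with the errno, `open my $file, '>', "${prefix}/$test-$count.sd" or die "couldn't open ${prefix}/$test-$count.sd: $!";`. The `close($file)` that follows is unchecked, so a buffered write error could leave a truncated .sd file while the script still reports success; `close($file) or die "close: $!";` surfaces it. The file has `use strict` but no `use warnings`, which seems worth adding given how many interpolated, possibly-empty arguments flow through print_rule. Locale::gettext is imported but nothing in the hunk appears to call it; if it is kept for parity with gen-xtrans.pl, a one-line comment saying so would help, otherwise it can be dropped.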
> > -- 
> > 1.8.3.2
> 
> Thanks





