[apparmor] [patch] add tests for aa.py check_for_apparmor()
Christian Boltz
apparmor at cboltz.de
Thu Nov 27 18:02:11 UTC 2014
Hello,
this patch adds some tests for aa.py check_for_apparmor().
It also changes check_for_apparmor() to allow easier testing by optionally
specifying alternative locations for /proc/filesystems and /proc/mounts
as parameters.
I ran this testcase also with the old code (before applying Peter's patch).
The old code raised an unexpected TypeError in
if not valid_path(aa_mountpoint + '/profiles'):
if aa_mountpoint was None. After temporarily fixing that in my local
copy, all tests passed. (No patch for that since Peter's patch fixed
that anyway.)
Needless to say that the tests also pass with Peter's patch applied.
Also note that the code in check_for_apparmor() differs from what the
comment says - valid_path() only does syntax checks, but doesn't
check if the directory exists. I added a comment saying exactly that.
Currently things could explode if securityfs is mounted, but AppArmor
is disabled in the kernel (assumption based on reading the code, not
tested). Fixing that is worth another patch ;-) - any volunteers?
[ add-aa.py-check_for_apparmor-tests.diff ]
=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py 2014-11-27 17:34:45 +0000
+++ utils/apparmor/aa.py 2014-11-27 17:50:53 +0000
@@ -156,10 +156,8 @@
shutdown_yast()
sys.exit(1)
-def check_for_apparmor():
+def check_for_apparmor(filesystem='/proc/filesystems', mounts='/proc/mounts'):
"""Finds and returns the mountpoint for apparmor None otherwise"""
- filesystem = '/proc/filesystems'
- mounts = '/proc/mounts'
support_securityfs = False
aa_mountpoint = None
if valid_path(filesystem):
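Review bot: The docstring on `check_for_apparmor` is unchanged although the signature now accepts `filesystem` and `mounts`, so nothing tells a caller that these exist only so tests can substitute the /proc files. The return value presumably decides whether the tools treat AppArmor as available, so I would state the intended use, e.g. `"""Finds and returns the mountpoint for apparmor, None otherwise. filesystem and mounts override the /proc paths and are meant for tests only."""`. The function body continues past the end of this hunk.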
@@ -175,6 +173,7 @@
if len(split) > 2 and split[2] == 'securityfs':
mountpoint = split[1] + '/apparmor'
# Check if apparmor is actually mounted there
+ # XXX valid_path() only checks the syntax, but not if the directory exists!
if valid_path(mountpoint) and valid_path(mountpoint + '/profiles'):
aa_mountpoint = mountpoint
break
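Review bot: The added `XXX` comment records that `valid_path()` is only a syntax check, but the condition below it is unchanged, so a securityfs line in the mounts file still yields a mountpoint even when no `apparmor/profiles` entry exists under it. An existence test would close that gap, e.g. `if os.path.exists(mountpoint + '/profiles'):`, assuming `os` is already imported in aa.py, which this hunk does not show. `test_check_for_apparmor_securityfs_mounted` in the new test file never creates `security/apparmor/profiles` under its temp directory, so it would have to change together with such a fix. The enclosing loop starts and ends outside the hunk.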
=== added file 'utils/test/test-aa.py'
--- utils/test/test-aa.py 1970-01-01 00:00:00 +0000
+++ utils/test/test-aa.py 2014-11-27 17:49:43 +0000
@@ -0,0 +1,75 @@
+#! /usr/bin/env python
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2014 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+import unittest
+import os
+import shutil
+import tempfile
+from common_test import write_file
+
+from apparmor.aa import check_for_apparmor
+
+class AaTest_check_for_apparmor(unittest.TestCase):
+ FILESYSTEMS_WITH_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsecurityfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
+ FILESYSTEMS_WITHOUT_SECURITYFS = 'nodev\tdevtmpfs\nnodev\tsockfs\n\text3\n\text2\n\text4'
+
+ MOUNTS_WITH_SECURITYFS = ( 'proc /proc proc rw,relatime 0 0\n'
+ 'securityfs %s/security securityfs rw,nosuid,nodev,noexec,relatime 0 0\n'
+ '/dev/sda1 / ext3 rw,noatime,data=ordered 0 0' )
+
+ MOUNTS_WITHOUT_SECURITYFS = ( 'proc /proc proc rw,relatime 0 0\n'
+ '/dev/sda1 / ext3 rw,noatime,data=ordered 0 0' )
+
+ def setUp(self):
+ self.tmpdir = tempfile.mkdtemp(prefix='aa-py-')
+
+ def tearDown(self):
+ if os.path.exists(self.tmpdir):
+ shutil.rmtree(self.tmpdir)
+
+ def test_check_for_apparmor_None_1(self):
+ filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITHOUT_SECURITYFS)
+ mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS)
+ self.assertEqual(None, check_for_apparmor(filesystems, mounts))
+
+ def test_check_for_apparmor_None_2(self):
+ filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITHOUT_SECURITYFS)
+ mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITHOUT_SECURITYFS)
+ self.assertEqual(None, check_for_apparmor(filesystems, mounts))
+
+ def test_check_for_apparmor_None_3(self):
+ filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
+ mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITHOUT_SECURITYFS)
+ self.assertEqual(None, check_for_apparmor(filesystems, mounts))
+
+ def test_check_for_apparmor_securityfs_invalid_filesystems(self):
+ filesystems = ''
+ mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)
+ self.assertEqual(None, check_for_apparmor(filesystems, mounts))
+
+ def test_check_for_apparmor_securityfs_invalid_mounts(self):
+ filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
+ mounts = ''
+ self.assertEqual(None, check_for_apparmor(filesystems, mounts))
+
+ def test_check_for_apparmor_invalid_securityfs_path(self):
+ filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
+ mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % 'xxx')
+ self.assertEqual(None, check_for_apparmor(filesystems, mounts))
+
+ def test_check_for_apparmor_securityfs_mounted(self):
+ filesystems = write_file(self.tmpdir, 'filesystems', self.FILESYSTEMS_WITH_SECURITYFS)
+ mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)
+ self.assertEqual('%s/security/apparmor' % self.tmpdir, check_for_apparmor(filesystems, mounts))
+
+
+if __name__ == '__main__':
+ unittest.main(verbosity=2)
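Review bot: `test_check_for_apparmor_None_1` writes `MOUNTS_WITH_SECURITYFS` without the `% self.tmpdir` substitution that the other tests apply, so its mounts file contains the literal path `%s/security`. That is not an absolute path, so the test would presumably still get None from the `valid_path()` check even if the /proc/filesystems test in `check_for_apparmor()` were broken, which is the case this test is meant to cover. Using `mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)` makes the missing securityfs entry in filesystems the only reason for the None result.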
Regards,
Christian Boltz
--
> Gibt es eine CPU Beschränkung bei der Prof. Version?
Die gibt es tatsaechlich, hat aber nichts mit der Professional Version
zu tun, sondern mit dem Linux-Kernel selbst. Das Limit liegt aber weit
jenseits von dem, was für Dich vermutlich relevant und bezahlbar ist ;-)
[> Robert und Thomas Hertweck in suse-linux]