[apparmor] [patch] Change minitools_test.py to use aa-* --no-reload

Kshitij Gupta kgupta8592 at gmail.com
Sun May 31 14:42:58 UTC 2015 

Hello,

On Mon, May 25, 2015 at 7:31 PM, Christian Boltz <apparmor at cboltz.de> wrote:

> Hello,
>
> Am Montag, 25. Mai 2015 schrieb Christian Boltz:
> > [ 34-minitools_test-use-no-reload.diff ]
>
> I accidently added a --no-reload between -d and the path in the
> aa-audit test. The test still fails for another reason ;-) but
> nevertheless here's v2:
>
>
> Change minitools_test.py to use aa-* --no-reload.
> This allows to run minitools_test.py as non-root user.
>

Thats a good thing but this change in tests probably breaks two things as
the remainder of code in reload_profile and unload_profile is ignored due
to the flag.

I think there should be additional tests for them.

Also add a check that only creates the force-complain directory if it
> doesn't exist yet.
>
>
> Note: With this patch applied, there are still 4 failing tests, probably
> caused by changes in the profiles that are used in the tests.
>
>
> I propose this patch for trunk and 2.9.
>
>
> [ 34-minitools_test-use-no-reload.diff ]
>
> === modified file utils/test/minitools_test.py
> --- utils/test/minitools_test.py        2015-05-25 15:02:32.489225934 +0200
> +++ utils/test/minitools_test.py        2015-05-25 15:32:59.693035190 +0200
> @@ -31,37 +32,38 @@
>
>      def test_audit(self):
>          #Set ntpd profile to audit mode and check if it was correctly set
> -        str(subprocess.check_output('%s ./../aa-audit -d ./profiles
> %s'%(python_interpreter, test_path), shell=True))
> +        str(subprocess.check_output('%s ./../aa-audit --no-reload -d
> ./profiles %s'%(python_interpreter, test_path), shell=True))
>
>          self.assertEqual(apparmor.get_profile_flags(local_profilename,
> test_path), 'audit', 'Audit flag could not be set in profile
> %s'%local_profilename)
>
>          #Remove audit mode from ntpd profile and check if it was
> correctly removed
> -        subprocess.check_output('%s ./../aa-audit -d ./profiles -r
> %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-audit --no-reload -d
> ./profiles -r %s'%(python_interpreter, test_path), shell=True)
>
>          self.assertEqual(apparmor.get_profile_flags(local_profilename,
> test_path), None, 'Audit flag could not be removed in profile
> %s'%local_profilename)
>
>
>      def test_complain(self):
>          #Set ntpd profile to complain mode and check if it was correctly
> set
> -        subprocess.check_output('%s ./../aa-complain -d ./profiles
> %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-complain --no-reload -d
> ./profiles %s'%(python_interpreter, test_path), shell=True)
>
>          # "manually" create a force-complain symlink (will be deleted by
> aa-enforce later)
> -        os.mkdir('./profiles/force-complain')
> +        if not os.path.isdir('./profiles/force-complain'):
> +            os.mkdir('./profiles/force-complain')
>          os.symlink(local_profilename,
> './profiles/force-complain/%s'%os.path.basename(local_profilename) )
>
>
>  self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)),
> True, 'Failed to create a symlink for %s in
> force-complain'%local_profilename)
>          self.assertEqual(apparmor.get_profile_flags(local_profilename,
> test_path), 'complain', 'Complain flag could not be set in profile
> %s'%local_profilename)
>
>          #Set ntpd profile to enforce mode and check if it was correctly
> set
> -        subprocess.check_output('%s ./../aa-enforce -d ./profiles
> %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-enforce --no-reload -d
> ./profiles %s'%(python_interpreter, test_path), shell=True)
>
>
>  self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)),
> False, 'Failed to remove symlink for %s from
> force-complain'%local_profilename)
>
>  self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)),
> False, 'Failed to remove symlink for %s from disable'%local_profilename)
>          self.assertEqual(apparmor.get_profile_flags(local_profilename,
> test_path), None, 'Complain flag could not be removed in profile
> %s'%local_profilename)
>
>          # Set audit flag and then complain flag in a profile
> -        subprocess.check_output('%s ./../aa-audit -d ./profiles
> %s'%(python_interpreter, test_path), shell=True)
> -        subprocess.check_output('%s ./../aa-complain -d ./profiles
> %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-audit --no-reload -d
> ./profiles %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-complain --no-reload -d
> ./profiles %s'%(python_interpreter, test_path), shell=True)
>          # "manually" create a force-complain symlink (will be deleted by
> aa-enforce later)
>          os.symlink(local_profilename,
> './profiles/force-complain/%s'%os.path.basename(local_profilename) )
>
> @@ -72,20 +76,20 @@
>          self.assertEqual(apparmor.get_profile_flags(local_profilename,
> test_path), 'audit,complain', 'Complain flag could not be set in profile
> %s'%local_profilename)
>
>          #Remove complain flag first i.e. set to enforce mode
> -        subprocess.check_output('%s ./../aa-enforce -d ./profiles
> %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-enforce --no-reload -d
> ./profiles %s'%(python_interpreter, test_path), shell=True)
>
>
>  self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)),
> False, 'Failed to remove symlink for %s from
> force-complain'%local_profilename)
>
>  self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)),
> False, 'Failed to remove symlink for %s from disable'%local_profilename)
>          self.assertEqual(apparmor.get_profile_flags(local_profilename,
> test_path), 'audit', 'Complain flag could not be removed in profile
> %s'%local_profilename)
>
>          #Remove audit flag
> -        subprocess.check_output('%s ./../aa-audit -d ./profiles -r
> %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-audit --no-reload -d
> ./profiles -r %s'%(python_interpreter, test_path), shell=True)
>
>      def test_enforce(self):
>          #Set ntpd profile to complain mode and check if it was correctly
> set
>
>          #Set ntpd profile to enforce mode and check if it was correctly
> set
> -        subprocess.check_output('%s ./../aa-enforce -d ./profiles
> %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-enforce --no-reload -d
> ./profiles %s'%(python_interpreter, test_path), shell=True)
>
>
>  self.assertEqual(os.path.islink('./profiles/force-complain/%s'%os.path.basename(local_profilename)),
> False, 'Failed to remove symlink for %s from
> force-complain'%local_profilename)
>
>  self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)),
> False, 'Failed to remove symlink for %s from disable'%local_profilename)
> @@ -94,7 +98,7 @@
>
>      def test_disable(self):
>          #Disable the ntpd profile and check if it was correctly disabled
>
Nitpick: As the next patch changes the used profile from ntpd to winbind I
think the above comment is rendered wrong.
A replacement of "ntpd" with "test" in such comments would be nice.

> -        subprocess.check_output('%s ./../aa-disable -d ./profiles
> %s'%(python_interpreter, test_path), shell=True)
> +        subprocess.check_output('%s ./../aa-disable --no-reload -d
> ./profiles %s'%(python_interpreter, test_path), shell=True)
>
>
>  self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)),
> True, 'Failed to create a symlink for %s in disable'%local_profilename)
>
> @@ -120,7 +123,7 @@
>          #Our silly test program whose profile we wish to clean
>          cleanprof_test = '/usr/bin/a/simple/cleanprof/test/profile'
>
> -        subprocess.check_output('%s ./../aa-cleanprof  -d ./profiles -s
> %s' % (python_interpreter, cleanprof_test), shell=True)
> +        subprocess.check_output('%s ./../aa-cleanprof  --no-reload -d
> ./profiles -s %s' % (python_interpreter, cleanprof_test), shell=True)
>
>          #Strip off the first line (#modified line)
>          subprocess.check_output('sed -i 1d ./profiles/%s'%(input_file),
> shell=True)
>
>
>
>
> Acked-by: Kshitij Gupta <kgupta8592 at gmail.com>.

Thanks.

Regards,

Kshitij Gupta

>
> Regards,
>
> Christian Boltz
> --
> Verstehen kann ich das Problem. Die meisten von uns hätten gerne
> brandaktuelle *und* felsenstabile Software. Der Unterschied zwischen
> Redmond und Pinguinhausen ist, daß erstere dir erzählen, daß man
> beides haben könne. Stimmt aber nicht. [Ratti in suse-linux]
>
>
> --
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150531/83c1ff35/attachment-0001.html>

More information about the AppArmor mailing list