[apparmor] [patch] Add tests for create_new_profile()

[Christian Boltz]

Hello,

these tests ensure that create_new_profile() sets the expected basic
permissions for scripts and non-script files.


[ 93-add-test-for-create_new_profile.diff ]

=== modified file 'utils/test/test-aa.py'
--- utils/test/test-aa.py       2015-06-26 21:21:29 +0000
+++ utils/test/test-aa.py       2015-10-18 13:38:11 +0000
@@ -13,7 +13,8 @@
 from common_test import AATest, setup_all_loops
 from common_test import read_file, write_file
 
-from apparmor.aa import (check_for_apparmor, get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir,
+from apparmor.aa import (check_for_apparmor, create_new_profile,
+     get_profile_flags, set_profile_flags, is_skippable_file, is_skippable_dir,
      parse_profile_start, parse_profile_data, separate_vars, store_list_var, write_header, serialize_parse_profile_start)
 from apparmor.common import AppArmorException, AppArmorBug
 
@@ -68,6 +71,34 @@
         mounts = write_file(self.tmpdir, 'mounts', self.MOUNTS_WITH_SECURITYFS % self.tmpdir)
         self.assertEqual('%s/security/apparmor' % self.tmpdir, check_for_apparmor(filesystems, mounts))
 
+class AaTest_create_new_profile(AATest):
+    tests = [
+        # file content              expected interpreter    expected abstraction (besides 'base')
+        ('#!/bin/bash\ntrue',      ('/bin/bash',            'abstractions/bash')),
+        ('foo bar',                (None,                   None)),
+    ]
+    def _run_test(self, params, expected):
+        exp_interpreter_path, exp_abstraction = expected
+
+        program = self.writeTmpfile('script', params)
+        profile = create_new_profile(program)
+
+        if exp_interpreter_path:
+            self.assertEqual(profile[program][program]['allow']['path'][exp_interpreter_path]['mode'], {'x', '::i', '::x', 'i'} )
+            self.assertEqual(profile[program][program]['allow']['path'][exp_interpreter_path]['audit'], set() )
+            self.assertEqual(profile[program][program]['allow']['path'][program]['mode'], {'r', '::r'} )
+            self.assertEqual(profile[program][program]['allow']['path'][program]['audit'], set() )
+            self.assertEqual(profile[program][program]['allow']['path'].keys(), {exp_interpreter_path, program} )
+        else:
+            self.assertEqual(profile[program][program]['allow']['path'][program]['mode'], {'r', '::r', 'm', '::m'} )
+            self.assertEqual(profile[program][program]['allow']['path'][program]['audit'], set() )
+            self.assertEqual(profile[program][program]['allow']['path'].keys(), {program} )
+
+        if exp_abstraction:
+            self.assertEqual(profile[program][program]['include'].keys(), {exp_abstraction, 'abstractions/base'})
+        else:
+            self.assertEqual(profile[program][program]['include'].keys(), {'abstractions/base'})
+
 class AaTest_get_profile_flags(AaTestWithTempdir):
     def _test_get_flags(self, profile_header, expected_flags):
         file = write_file(self.tmpdir, 'profile', '%s {\n}\n' % profile_header)


Regards,

Christian Boltz
-- 
Of course, on the system *I* administrate, vi is symlinked to ed.
Emacs has been replaced by a shell script which 1) Generates a syslog
message at level LOG_EMERG; 2) reduces the user's disk quota by 100K;
and 3) RUNS ED!!!!!!
https://groups.google.com/forum/#!search/ed$20is$20the$20standard$20text$20editor$20alt.religion.emacs/alt.religion.emacs/-gu12cOkhB4/g11B1h9QjPwJ