[apparmor] [patch] test-parser-simple-tests.py: No longer skip testing generated_perms_leading profiles
Christian Boltz
apparmor at cboltz.de
Thu Mar 2 21:35:27 UTC 2017
Hello,

FileRule understands leading permissions, so the reason to skip those
(generated) test profiles in test-parser-simple-tests.py is gone.

However, the gen-xtrans.pl script generates profiles with a not-so-valid
mix of uppercase and lowercase, for example "Pux" and "Cux". The parser
accepts this, but the tools complain about such rules. Therefore add the
affected profiles to the exception list.

In total, this means we now test 319 of the 380 generated_perms_leading
test profiles.

IMHO the parser should at least warn about mixed uppercase and lowercase
in exec rules. We should also consider changing gen-xtrans.pl to
generate PUx and CUx rules instead of Pux and Cux ;-)

(The patch also moves some lines around to get the \-escaped profiles
out of the mixed uppercase/lowercase exec rule section.)

[ 01-test-parser-test-leading-perms.diff ]
=== modified file 'utils/test/test-parser-simple-tests.py'
--- utils/test/test-parser-simple-tests.py 2017-02-28 23:04:24 +0000
+++ utils/test/test-parser-simple-tests.py 2017-03-02 20:46:44 +0000
@@ -30,9 +30,6 @@
'generated_x/ambiguous-',
'generated_x/dominate-',
- # permissions before path
- 'generated_perms_leading/',
-
# 'safe' and 'unsafe' keywords
'generated_perms_safe/',
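Review bot: Where 'generated_perms_leading/' and its "# permissions before path" comment are removed, the skip list no longer mentions this directory at all, although part of it is still excluded through the exception entries added in the later hunk. A one-line comment at this spot pointing to those exceptions would keep the next reader from assuming the whole directory is tested.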
@@ -259,11 +256,75 @@
'file/ok_5.sd', # Invalid mode UX
'file/ok_2.sd', # Invalid mode RWM
'file/ok_4.sd', # Invalid mode iX
+ 'xtrans/simple_ok_pix_1.sd', # Invalid mode pIx
+ 'xtrans/simple_ok_pux_1.sd', # Invalid mode rPux
+
+ # unexpected uppercase vs. lowercase in *x rules - generated_perms_leading directory
+ 'generated_perms_leading/exact-re-Puxtarget.sd',
+ 'generated_perms_leading/dominate-ownerCuxtarget2.sd',
+ 'generated_perms_leading/ambiguous-Cux.sd',
+ 'generated_perms_leading/dominate-ownerPux.sd',
+ 'generated_perms_leading/exact-re-ownerPux.sd',
+ 'generated_perms_leading/overlap-ownerCuxtarget.sd',
+ 'generated_perms_leading/exact-re-ownerCuxtarget.sd',
+ 'generated_perms_leading/dominate-Puxtarget2.sd',
+ 'generated_perms_leading/dominate-ownerCuxtarget.sd',
+ 'generated_perms_leading/dominate-ownerPuxtarget.sd',
+ 'generated_perms_leading/ambiguous-Pux.sd',
+ 'generated_perms_leading/ambiguous-Cuxtarget2.sd',
+ 'generated_perms_leading/exact-Puxtarget2.sd',
+ 'generated_perms_leading/ambiguous-ownerCux.sd',
+ 'generated_perms_leading/exact-ownerPux.sd',
+ 'generated_perms_leading/ambiguous-ownerPuxtarget.sd',
+ 'generated_perms_leading/exact-re-ownerPuxtarget.sd',
+ 'generated_perms_leading/exact-re-Cuxtarget.sd',
+ 'generated_perms_leading/exact-re-Puxtarget2.sd',
+ 'generated_perms_leading/dominate-Cux.sd',
+ 'generated_perms_leading/exact-re-ownerCuxtarget2.sd',
+ 'generated_perms_leading/ambiguous-ownerCuxtarget.sd',
+ 'generated_perms_leading/exact-re-Cuxtarget2.sd',
+ 'generated_perms_leading/ambiguous-Puxtarget.sd',
+ 'generated_perms_leading/overlap-Puxtarget.sd',
+ 'generated_perms_leading/ambiguous-Puxtarget2.sd',
+ 'generated_perms_leading/overlap-Puxtarget2.sd',
+ 'generated_perms_leading/exact-Puxtarget.sd',
+ 'generated_perms_leading/overlap-ownerPuxtarget.sd',
+ 'generated_perms_leading/exact-ownerCuxtarget.sd',
+ 'generated_perms_leading/exact-re-ownerCux.sd',
+ 'generated_perms_leading/exact-ownerPuxtarget2.sd',
+ 'generated_perms_leading/exact-ownerCux.sd',
+ 'generated_perms_leading/overlap-Cuxtarget2.sd',
+ 'generated_perms_leading/ambiguous-Cuxtarget.sd',
+ 'generated_perms_leading/ambiguous-ownerPuxtarget2.sd',
+ 'generated_perms_leading/dominate-ownerCux.sd',
+ 'generated_perms_leading/exact-Pux.sd',
+ 'generated_perms_leading/exact-Cuxtarget.sd',
+ 'generated_perms_leading/overlap-ownerCuxtarget2.sd',
+ 'generated_perms_leading/overlap-Pux.sd',
+ 'generated_perms_leading/overlap-ownerPux.sd',
+ 'generated_perms_leading/ambiguous-ownerCuxtarget2.sd',
+ 'generated_perms_leading/exact-re-Cux.sd',
+ 'generated_perms_leading/exact-re-Pux.sd',
+ 'generated_perms_leading/overlap-Cuxtarget.sd',
+ 'generated_perms_leading/exact-re-ownerPuxtarget2.sd',
+ 'generated_perms_leading/exact-Cuxtarget2.sd',
+ 'generated_perms_leading/exact-Cux.sd',
+ 'generated_perms_leading/overlap-Cux.sd',
+ 'generated_perms_leading/overlap-ownerCux.sd',
+ 'generated_perms_leading/exact-ownerPuxtarget.sd',
+ 'generated_perms_leading/dominate-Pux.sd',
+ 'generated_perms_leading/exact-ownerCuxtarget2.sd',
+ 'generated_perms_leading/dominate-Puxtarget.sd',
+ 'generated_perms_leading/ambiguous-ownerPux.sd',
+ 'generated_perms_leading/overlap-ownerPuxtarget2.sd',
+ 'generated_perms_leading/dominate-Cuxtarget2.sd',
+ 'generated_perms_leading/dominate-Cuxtarget.sd',
+ 'generated_perms_leading/dominate-ownerPuxtarget2.sd',
+
+ # escaping with \
'file/ok_embedded_spaces_4.sd', # \-escaped space
'file/file/ok_embedded_spaces_4.sd', # \-escaped space
'file/ok_quoted_4.sd', # quoted string including \"
- 'xtrans/simple_ok_pix_1.sd', # Invalid mode pIx
- 'xtrans/simple_ok_pux_1.sd', # Invalid mode rPux
# misc
'vars/vars_dbus_8.sd', # Path doesn't start with / or variable: {/@{TLDS}/foo,/com/@{DOMAINS}}
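Review bot: The added block of 'generated_perms_leading/...' entries holds 60 file names, while the message says 319 of the 380 profiles are now tested, which leaves 61 untested; please state which entry or rule accounts for the remaining profile. The entries are also in no recognisable order and every one contains Pux or Cux, so sorting them, or matching on those two mode strings instead of enumerating file names, would make the list easier to check against what gen-xtrans.pl generates.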
Regards,
Christian Boltz
--
> > Ideally, upstream projects would care for AppArmor profiles
> > (as much as they would care for SELinux),
> Oh, upstream projects really care for SELinux? ;-)
At least as much as they do for AppArmor ;-)
[> Christian Boltz and Sascha Peilicke in opensuse-factory]
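
A sketch of the mixed-case check the message asks for, as an added example that is not part of the original post or of the AppArmor code base. It assumes the exec mode set listed in apparmor.d(5), a simplified one-rule-per-line tokenizer (no quoted paths), and a constructed sample profile; `lint_exec_modes` is a hypothetical name.

```python
import re

# Exec transition modes as listed in apparmor.d(5) (assumption of this example).
VALID_EXEC = {"ix", "ux", "Ux", "px", "Px", "cx", "Cx",
              "pix", "Pix", "cix", "Cix", "pux", "PUx", "cux", "CUx"}
QUALIFIERS = {"audit", "allow", "deny", "owner"}
PERM_TOKEN = re.compile(r"[rwaklmpcuixRWAKLMPCUIX]+")   # whole permission word
EXEC_PART = re.compile(r"[pcuiPCUI]{1,2}[xX]")          # exec transition inside it

# Constructed sample profile: leading and trailing permissions, with and
# without a named target.
SAMPLE = """\
/usr/bin/foo {
  /bin/cat rix,
  rPux /bin/a,
  owner Cux /bin/b -> target,
  /bin/c PUx,
  /bin/d pIx,
  /etc/passwd r,
}
"""

def lint_exec_modes(profile_text):
    """Return (line number, exec mode, valid spellings) for mixed-case modes."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        # Drop comment and "-> target", then the trailing comma.
        rule = line.split("#", 1)[0].split("->", 1)[0].strip().rstrip(",")
        tokens = [t for t in rule.split() if t not in QUALIFIERS]
        if len(tokens) != 2:
            continue  # not a simple "path perms" / "perms path" file rule
        # The permission word is the token that is not a path or variable.
        perms = [t for t in tokens if not t.startswith(("/", "@{"))]
        if len(perms) != 1 or not PERM_TOKEN.fullmatch(perms[0]):
            continue
        match = EXEC_PART.search(perms[0])
        if match and match.group() not in VALID_EXEC:
            mode = match.group()
            fixes = sorted(v for v in VALID_EXEC if v.lower() == mode.lower())
            findings.append((lineno, mode, fixes))
    return findings

if __name__ == "__main__":
    for lineno, mode, fixes in lint_exec_modes(SAMPLE):
        print(f"line {lineno}: exec mode {mode!r}; valid spellings: {fixes}")
```
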