From 0068c1b9a36eea420bb28820cff373bf6a8a8dc5 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 30 Sep 2023 15:36:01 +0100
Subject: [PATCH] test(aa-log): add some missing unit tests.
---
 pkg/logs/logs_test.go | 65 ++++++++++++++++++++++++++++++++++++++++--
 pkg/util/tools_test.go | 28 ++++++++++++++++++
 tests/audit.log | 2 +-
 3 files changed, 91 insertions(+), 4 deletions(-)
diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go
index b19934c76..79fc283cd 100644
--- a/pkg/logs/logs_test.go
+++ b/pkg/logs/logs_test.go
@@ -9,6 +9,8 @@ import (
 "reflect"
 "strings"
 "testing"
+
+ "github.com/roddhjav/apparmor.d/pkg/aa"
 )
 
 var (
@@ -37,9 +39,9 @@ var (
 "denied_mask": "x",
 "error": "-1",
 "fsuid": "1000",
- "ouid": "0",
+ "ouid": "1000",
 "FSUID": "user",
- "OUID": "root",
+ "OUID": "user",
 },
 }
 refPowerProfiles = AppArmorLogs{
@@ -272,7 +274,7 @@ func TestAppArmorLogs_String(t *testing.T) {
 {
 name: "man",
 aaLogs: refMan,
- want: "\033[1;32mALLOWED\033[0m \033[34mman\033[0m \033[33mexec\033[0m \033[35m@{bin}/preconv\033[0m -> \033[35mman_groff\033[0m info=\"no new privs\" comm=man requested_mask=\033[1;31mx\033[0m denied_mask=\033[1;31mx\033[0m error=-1\n",
+ want: "\033[1;32mALLOWED\033[0m \033[34mman\033[0m \033[33mexec\033[0m\033[35m owner\033[0m \033[35m@{bin}/preconv\033[0m -> \033[35mman_groff\033[0m info=\"no new privs\" comm=man requested_mask=\033[1;31mx\033[0m denied_mask=\033[1;31mx\033[0m error=-1\n",
 },
 {
 name: "power-profiles-daemon",
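Review bot: The updated `want:` for the man case places the separating space inside the owner colour escape (`\033[33mexec\033[0m\033[35m owner\033[0m`) instead of between the exec reset and the next escape, so the test now pins that exact spacing of AppArmorLogs.String(). If that rendering is intended, a short comment on the `want:` line such as `// "owner" is emitted as a leading-space token in the path colour` would stop a later fixture edit from "correcting" it; if it is not, the fix belongs in String() rather than in the expectation. The owner qualifier presumably appears because the refMan fixture now has `"fsuid": "1000"` and `"ouid": "1000"` (the hunk at -37) and tests/audit.log was changed to match — worth stating in the commit or a fixture comment, since the two edits only make sense together. TestAppArmorLogs_String starts before this hunk.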
@@ -288,3 +290,60 @@ func TestAppArmorLogs_String(t *testing.T) {
 })
 }
 }
+
+func TestAppArmorLogs_ParseToProfiles(t *testing.T) {
+ tests := []struct {
+ name string
+ aaLogs AppArmorLogs
+ want aa.AppArmorProfiles
+ }{
+ {
+ name: "",
+ aaLogs: append(append(refKmod, refPowerProfiles...), refKmod...),
+ want: aa.AppArmorProfiles{
+ "kmod": &aa.AppArmorProfile{
+ Profile: aa.Profile{
+ Name: "kmod",
+ Rules: aa.Rules{
+ &aa.Unix{
+ Qualifier: aa.Qualifier{FileInherit: true},
+ Access: "send receive",
+ Type: "stream",
+ Protocol: "0",
+ },
+ &aa.Unix{
+ Qualifier: aa.Qualifier{FileInherit: true},
+ Access: "send receive",
+ Type: "stream",
+ Protocol: "0",
+ },
+ },
+ },
+ },
+ "power-profiles-daemon": &aa.AppArmorProfile{
+ Profile: aa.Profile{
+ Name: "power-profiles-daemon",
+ Rules: aa.Rules{
+ &aa.Dbus{
+ Access: "send",
+ Bus: "system",
+ Name: "org.freedesktop.DBus",
+ Path: "/org/freedesktop/DBus",
+ Interface: "org.freedesktop.DBus",
+ Member: "AddMatch",
+ Label: "dbus-daemon",
+ },
+ },
+ },
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := tt.aaLogs.ParseToProfiles(); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("AppArmorLogs.ParseToProfiles() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
diff --git a/pkg/util/tools_test.go b/pkg/util/tools_test.go
index 6d4d87f9d..92c677ddc 100644
--- a/pkg/util/tools_test.go
+++ b/pkg/util/tools_test.go
@@ -6,6 +6,7 @@ package util
 
 import (
 "reflect"
+ "regexp"
 "testing"
 )
 
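Review bot: The only case in TestAppArmorLogs_ParseToProfiles has `name: ""`, so a failure is reported as the anonymous subtest `#00`; give it a name, e.g. `name: "kmod twice and power-profiles-daemon",`. The input appends refKmod twice and the expectation lists the identical `aa.Unix` rule twice, which quietly pins that ParseToProfiles does not deduplicate rules derived from repeated log lines — if that is intended, say so with a comment on the `aaLogs:` line (`// kmod is repeated on purpose: duplicate log entries yield duplicate rules`), otherwise this case should expect a single rule. `append(append(refKmod, ...), ...)` also writes into the package-level refKmod backing array if that slice ever has spare capacity; building the input from a fresh slice (`append(AppArmorLogs{}, refKmod...)`) keeps the shared fixture isolated from the other tests in the file.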
@@ -55,3 +56,30 @@ func TestRemoveDuplicate(t *testing.T) {
 })
 }
 }
+
+func TestToRegexRepl(t *testing.T) {
+ tests := []struct {
+ name string
+ in []string
+ want []RegexRepl
+ }{
+ {
+ name: "",
+ in: []string{
+ "^/foo/bar", "/foo/bar",
+ "^/foo/bar", "/foo/bar",
+ },
+ want: []RegexRepl{
+ {Regex: regexp.MustCompile("^/foo/bar"), Repl: "/foo/bar"},
+ {Regex: regexp.MustCompile("^/foo/bar"), Repl: "/foo/bar"},
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ if got := ToRegexRepl(tt.in); !reflect.DeepEqual(got, tt.want) {
+ t.Errorf("ToRegexRepl() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
diff --git a/tests/audit.log b/tests/audit.log
index b8b6fd5b2..f616e0eec 100644
--- a/tests/audit.log
+++ b/tests/audit.log
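Review bot: TestToRegexRepl exercises only an even-length, well-formed input, so the behaviour of ToRegexRepl on an odd-length slice (a trailing pattern with no replacement) is left unpinned — whether it panics, drops the tail, or yields an empty Repl is exactly what a caller of a pairwise helper gets wrong; a second case such as `in: []string{"^/foo/bar"}` with the intended `want` would document it. Comparing compiled patterns through reflect.DeepEqual only passes because both sides are compiled from the same literal; checking `got[i].Regex.String()` and `got[i].Repl` field by field would be less brittle against regexp internals. As in the logs test, `name: ""` produces an unnamed subtest.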
@@ -25,7 +25,7 @@ type=AVC msg=audit(1111111111.111:1111): apparmor="DENIED" operation="file_inher
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="open" profile="fusermount" name="/run/user/1000/doc/" pid=8703 comm="fusermount" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000FSUID="root" OUID="user"
 type=AVC msg=audit(1111111111.111:1111): apparmor="DENIED" operation="open" profile="chrome-gnome-shell" name="/home/user/.netrc" pid=9119 comm="chrome-gnome-sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="user" OUID="user"
 type=BPF msg=audit(1111111111.111:1111): prog-id=26 op=LOAD
-type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="man" name="/usr/bin/preconv" pid=60755 comm="man" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="man_groff" FSUID="user" OUID="root"
+type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="man" name="/usr/bin/preconv" pid=60755 comm="man" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 target="man_groff" FSUID="user" OUID="user"
 type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" name=":1.3" mask="receive" label="dbus-daemon" peer_pid=1667 peer_label="power-profiles-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000
 type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=?
msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=1667 label="power-profiles-daemon" peer_label="dbus-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=? UID="messagebus" AUID="unset" SAUID="messagebus"