tests(check): look for missing tunables.

Alexandre Pujol 2025-07-26 17:03:28 +02:00
parent cb21ee2775
commit 8718626ceb
No known key found for this signature in database
GPG key ID: C5469996F0DF68EC


@ -89,6 +89,7 @@ _check() {
_check_too_wide _check_too_wide
_check_transition _check_transition
_check_useless _check_useless
_check_variables
# Guidelines check # Guidelines check
_check_abi _check_abi
@ -107,7 +108,7 @@ _check() {
_res_vim _res_vim
} }
# Rules checks: security, compatibility and rule issues # Rules checks: security, compatibility, and rule issues
readonly ABS="abstractions" readonly ABS="abstractions"
readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp)
@ -226,6 +227,51 @@ _check_useless() {
done done
} }
declare -A VARIABLES_MISSING=(
# User variables
["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}"
["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}"
["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}"
["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}"
["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}"
["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}"
["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}"
["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}"
["/home/[^/]+/"]="@{HOME}/"
# System variables
["/usr/lib(|32|64|exec)"]='@{lib}'
["/usr/sbin"]='@{sbin}'
["/usr/bin"]='@{bin}'
["(x86_64|amd64|i386|i686)"]='@{arch}'
["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}'
["/usr/etc/"]='@{etc_ro}/'
["/var/run/"]='@{run}/'
["/run/"]='@{run}/'
["user/[0-9]*/"]='user/@{uid}/'
["/tmp/user/[^/]+/"]='@{tmp}/'
["/sys/"]='@{sys}/'
["/proc/"]='@{PROC}/'
["1000"]="@{uid}"
# Some system glob
[":not.active.yet"]="@{busname}"
[":1.[0-9]*"]="@{busname}"
["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}"
["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/"
)
_check_variables() {
_is_enabled variables || return 0
for pattern in "${!VARIABLES_MISSING[@]}"; do
rpattern="$pattern"
[[ "$rpattern" == /* ]] && rpattern=" $rpattern"
if [[ "$line" =~ $rpattern ]]; then
match="${BASH_REMATCH[0]}"
_err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match"
fi
done
}
# Guidelines check: https://apparmor.pujol.io/development/guidelines/ # Guidelines check: https://apparmor.pujol.io/development/guidelines/
RES_ABI=false RES_ABI=false
@ -442,7 +488,7 @@ check_profiles() {
) )
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent useless transition abstractions directory_mark equivalent useless transition variables
abi include profile header tabs trailing indentation subprofiles vim abi include profile header tabs trailing indentation subprofiles vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
@ -462,7 +508,7 @@ check_abstractions() {
mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true)
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent too_wide abstractions directory_mark equivalent too_wide variables
abi include header tabs trailing indentation vim abi include header tabs trailing indentation vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
@ -483,7 +529,7 @@ check_abstractions() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
jobs=0 jobs=0
WITH_CHECK=( WITH_CHECK=(
abstractions directory_mark equivalent too_wide abstractions directory_mark equivalent too_wide variables
header tabs trailing indentation vim header tabs trailing indentation vim
) )
for file in "${files[@]}"; do for file in "${files[@]}"; do
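Review bot: Two of the new VARIABLES_MISSING keys are looser than their intent and will flag lines that do not contain the tunable they name: `["1000"]` is matched unanchored by `[[ "$line" =~ $rpattern ]]`, so any line containing the digit run `1000` (including `10000` or a longer number) is reported as a missing `@{uid}`, and `[":1.[0-9]*"]` has an unescaped `.` and a zero-or-more quantifier, so it effectively matches `:1` followed by any single character. Tightening them to `["(^|[^0-9])1000([^0-9]|$)"]="@{uid}"` and `[":1\.[0-9]+"]="@{busname}"` keeps the real hits (`user/1000/`, `name=:1.42`) and drops the accidental ones. Separately, `pattern`, `rpattern` and `match` in `_check_variables` are not declared `local`, so `match` in particular survives past the function with the last hit; `local pattern rpattern match` at the top of the function avoids that. Note also that a line such as `x86_64-linux-gnu` satisfies both the `@{arch}` and the `@{multiarch}` key and is reported twice, which is presumably unintended since the second replacement already covers the first; `line`, `file` and `line_number` are read from a caller loop that is outside this hunk.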