test: add some security checks.

2025-06-02 20:41:20 +02:00 · 2025-06-02 20:41:20 +02:00 · f579940ae7
commit f579940ae7
parent fff0df39ba
1 changed files with 78 additions and 3 deletions
--- a/tests/check.sh
+++ b/tests/check.sh
@ -12,7 +12,7 @@ RES=$(mktemp)
 echo "false" >"$RES"
 MAX_JOBS=$(nproc)
 declare WITH_CHECK
-readonly MAX_JOBS APPARMORD="apparmor.d"
+readonly RES MAX_JOBS APPARMORD="apparmor.d"
 readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m"
 _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; }
 _warn() {
@ -58,6 +58,12 @@ _check() {
    while IFS= read -r line; do
        line_number=$((line_number + 1))

+        # Rules checks
+        _check_abstractions
+        _check_directory_mark
+        _check_equivalent
+        _check_too_wide
+
        # Guidelines check
        _check_abi
        _check_include
@ -84,13 +90,82 @@ _check() {
    _res_vim
 }

+# Rules checks: security, compatibility and rule issues
+
+readonly ABS="abstractions"
+readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp)
+declare -A ABS_DEPRECATED=(
+    ["nameservice"]="nameservice-strict"
+    ["bash"]="shell"
+    ["X"]="X-strict"
+    ["dbus-accessibility-strict"]="bus-accessibility"
+    ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager"
+    ["dbus-session-strict"]="bus-session"
+    ["dbus-system-strict"]="bus-system"
+)
+_check_abstractions() {
+    _is_enabled abstractions || return 0
+
+    local absname
+    for absname in "${ABS_DANGEROUS[@]}"; do
+        if [[ "$line" == *"<$ABS/$absname>"* ]]; then
+            _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'"
+        fi
+    done
+    for absname in "${!ABS_DEPRECATED[@]}"; do
+        if [[ "$line" == *"<$ABS/$absname>"* ]]; then
+            _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead"
+        fi
+    done
+}
+
+readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}')
+_check_directory_mark() {
+    _is_enabled directory_mark || return 0
+    for pattern in "${DIRECTORIES[@]}"; do
+        if [[ "$line" == *"$pattern"* ]]; then
+            [[ "$line" == *'='* ]] && continue
+            if [[ ! "$line" == *"$pattern/"* ]]; then
+                _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'"
+            fi
+        fi
+    done
+}
+
+declare -A EQUIVALENTS=(
+    ["awk"]="{m,g,}awk"
+    ["grep"]="{,e}grep"
+    ["which"]="which{,.debianutils}"
+)
+_check_equivalent() {
+    _is_enabled equivalent || return 0
+    local prgmname
+    for prgmname in "${!EQUIVALENTS[@]}"; do
+        if [[ "$line" == *"/$prgmname"* ]]; then
+            if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then
+                _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'"
+            fi
+        fi
+    done
+}
+
+readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**')
+_check_too_wide() {
+    _is_enabled too_wide || return 0
+    for pattern in "${TOOWIDE[@]}"; do
+        if [[ "$line" == *" $pattern "* ]]; then
+            _err security "$file:$line_number" "rule too wide: '$pattern'"
+        fi
+    done
+}
+
 # Guidelines check: https://apparmor.pujol.io/development/guidelines/

 RES_ABI=false
 readonly ABI_SYNTAX='abi <abi/4.0>,'
 _check_abi() {
    _is_enabled abi || return 0
-    if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then
+    if [[ "$line" == *"$ABI_SYNTAX" ]]; then
        RES_ABI=true
    fi
 }
@ -104,7 +179,7 @@ _res_abi() {
 RES_INCLUDE=false
 _check_include() {
    _is_enabled include || return 0
-    if [[ "$line" =~ ^.*"${include}"$ ]]; then
+    if [[ "$line" == *"${include}"* ]]; then
        RES_INCLUDE=true
    fi
 }