[apparmor] [patch 4/8] testsuite - add multiple binaries to generated profiles

John Johansen john.johansen at canonical.com
Thu Jan 12 10:48:46 UTC 2012


On 01/12/2012 10:08 AM, Steve Beattie wrote:
> This patch adds the ability to add multiple binaries to a generated
> profile and have the ldd auto-generation of rules occur on it. It
> also kills all testcase usage of $dynlibs, which had stopped being
> generated by prologue.inc in a prior patch.
> 
Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  tests/regression/apparmor/capabilities.sh   |    7 +----
>  tests/regression/apparmor/changehat_misc.sh |    6 -----
>  tests/regression/apparmor/environ.sh        |    2 -
>  tests/regression/apparmor/mkprofile.pl      |   14 +++++++++++
>  tests/regression/apparmor/sd_flags.sh       |   33 +++++++++++++---------------
>  5 files changed, 33 insertions(+), 29 deletions(-)
> 
> Index: b/tests/regression/apparmor/mkprofile.pl
> ===================================================================
> --- a/tests/regression/apparmor/mkprofile.pl
> +++ b/tests/regression/apparmor/mkprofile.pl
> @@ -121,7 +121,7 @@ sub gen_elf_binary($) {
>  sub gen_binary($) {
>    my $bin = shift;
>  
> -  gen_file("$bin:r");
> +  gen_file("$bin:rix");
>  
>    my $hashbang = head($bin);
>    if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
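Review bot: The switch from `gen_file("$bin:r")` to `gen_file("$bin:rix")` in gen_binary widens every caller of this function, not only the new addimage: path. If the main test executable is also emitted through gen_binary (its call site is outside this hunk), every generated profile now allows the confined program to re-execute itself with inherit. A test that expects an exec denial on its own image could then pass or fail for the wrong reason. If the wider grant is intended, a comment above the call would record it, for example `# rix: images listed in a profile are expected to be exec'd from inside it`. Otherwise the permission string could be passed in by the caller, so only gen_addimage asks for `ix`. The body of gen_binary continues past the end of the hunk.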
> @@ -199,6 +199,16 @@ sub gen_hat($) {
>    }
>  }
>  
> +sub gen_addimage($) {
> +  my $rule = shift;
> +  my @rules = split (/:/, $rule);
> +  if (@rules != 2) {
> +    (!$nowarn) && print STDERR "Warning: invalid addimage description '$rule', ignored\n";
> +  } else {
> +    gen_binary($rules[1]);
> +  }
> +}
> +
>  my $bin = shift @ARGV;
>  !(-e $bin || $nowarn) && print STDERR "Warning: execname '$bin': no such file or directory\n";
>  
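Review bot: In gen_addimage, `split (/:/, $rule)` combined with `@rules != 2` rejects any image path that itself contains a colon. When `$nowarn` is set, the rule is also dropped without any output, so the test runs with a profile that lacks the image and fails far from the cause. Limiting the split keeps the whole path together: `my ($tag, $path) = split(/:/, $rule, 2);` followed by `if (!defined $path || $path eq '') { ... }` for the invalid case. The function also passes the path straight to gen_binary without the `-e` existence warning that the main `$bin` gets a few lines below, and the same warning here would make a mistyped addimage: path visible.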
> @@ -220,6 +230,8 @@ for my $rule (@ARGV) {
>      gen_flag($rule);
>    } elsif ($rule =~ /^hat:/) {
>      gen_hat($rule);
> +  } elsif ($rule =~ /^addimage:/) {
> +    gen_addimage($rule);
>    } else {
>      gen_file($rule);
>    }
> Index: b/tests/regression/apparmor/changehat_misc.sh
> ===================================================================
> --- a/tests/regression/apparmor/changehat_misc.sh
> +++ b/tests/regression/apparmor/changehat_misc.sh
> @@ -75,13 +75,9 @@ echo
>  echo "*** A 'Killed' message from bash is expected for the following test"
>  runchecktest "CHANGEHAT (bad token)" signal9 ${subtest}
>  
> -# Attempt to changehat out of a profile when the magic token is 0
> -# ugh, need dynlibs from open test
> -settest open
> -open_dynlibs=${dynlibs}
>  settest changehat_wrapper
>  
> -genprofile hat:open ${dynlibs} ${bin}/open:rix ${file}:${okperm}
> +genprofile hat:open addimage:${bin}/open ${file}:${okperm}
>  
>  runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open ${file}
>  runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0 --exit_hat open ${file}
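Review bot: The removed block also deletes the only description of what the next two checks cover: both run with `--token=0`, but nothing before `settest changehat_wrapper` says so any more. Only the dynlibs workaround needed to go, so I would keep the first line of the old comment, `# Attempt to changehat out of a profile when the magic token is 0`, directly above `settest changehat_wrapper`.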
> Index: b/tests/regression/apparmor/environ.sh
> ===================================================================
> --- a/tests/regression/apparmor/environ.sh
> +++ b/tests/regression/apparmor/environ.sh
> @@ -69,7 +69,7 @@ genprofile ${helper_sh}:Px -- image=${he
>  runchecktest "ENVIRON (shell script): Px & regular env" pass ${helper_sh} FOO=BAR
>  runchecktest "ENVIRON (shell script): Px & sensitive env" fail ${helper_sh} LD_LIBRARY_PATH=.
>  
> -genprofile ${helper_sh}:rix /bin/bash:rix "/lib*/lib*:mr"
> +genprofile addimage:${helper_sh}
>  runchecktest "ENVIRON (shell script): ix & regular env" pass ${helper_sh} FOO=BAR
>  runchecktest "ENVIRON (shell script): ix & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
>  
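Review bot: `genprofile addimage:${helper_sh}` no longer names the interpreter or the library glob, so the rules for them now depend on what mkprofile.pl derives from the script's `#!` line and, presumably, from ldd output when the profile is generated. If that derivation comes up short on some host, the two "ix" checks below would fail on a missing file rule rather than on environment handling, and nothing in this file hints at why. A one-line comment above the call would make the dependency explicit, for example `# addimage: adds the script, its #! interpreter and the interpreter's libraries`. Quoting the argument as `"addimage:${helper_sh}"` would also keep a path with whitespace as a single rule.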
> Index: b/tests/regression/apparmor/capabilities.sh
> ===================================================================
> --- a/tests/regression/apparmor/capabilities.sh
> +++ b/tests/regression/apparmor/capabilities.sh
> @@ -108,11 +108,8 @@ for TEST in ${TESTS} ; do
>  
>  	# okay, now check to see if the capability functions from within
>  	# a subprofile.
> -	# Eww, this is ugly. subprofile tests depend on the internal
> -	# variable dynlibs defined by prologue.inc::settest
> -	test_dynlibs=${dynlibs}
>  	settest ${testwrapper}
> -	genprofile hat:${TEST} ${test_dynlibs} ${bin}/${TEST}:rix ${my_entries}
> +	genprofile hat:${TEST} addimage:${bin}/${TEST} ${my_entries}
>  	runchecktest "${TEST} changehat -- no caps" fail ${TEST} ${my_arg}
>  	for cap in ${CAPABILITIES} ; do
>  		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
> @@ -120,7 +117,7 @@ for TEST in ${TESTS} ; do
>  		else
>  			expected_result=fail
>  		fi
> -		genprofile hat:${TEST} ${test_dynlibs} ${bin}/${TEST}:rix cap:${cap} ${my_entries}
> +		genprofile hat:${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries}
>  		runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} ${TEST} ${my_arg}
>  	done
>  
> Index: b/tests/regression/apparmor/sd_flags.sh
> ===================================================================
> --- a/tests/regression/apparmor/sd_flags.sh
> +++ b/tests/regression/apparmor/sd_flags.sh
> @@ -54,73 +54,72 @@ genprofile flag:audit flag:complain
>  runchecktest "SD_FLAGS OPEN noaccess (audit,complain)" pass $file
>  
>  # check for flags on hats...
> -open_dynlibs=${dynlibs}
>  settest changehat_wrapper
>  
>  # audit alone
>  # PASS TEST (noflags)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
> +genprofile hat:open addimage:${bin}/open $file:$okperm
>  runchecktest "SD_FLAGS HAT/OPEN RW (noflags)" pass open $file
>  
>  # PASS TEST 1 (audit)
> -genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
> +genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm
>  runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
>  
>  # PASS TEST 2 (audit)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm flag:audit
> +genprofile hat:open addimage:${bin}/open $file:$okperm flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
>  
>  # PASS TEST 3 (audit)
> -genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$okperm flag:audit
> +genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
>  
>  # FAILURE TEST 1 (audit)
> -genprofile flag:audit  hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
> +genprofile flag:audit  hat:open addimage:${bin}/open $file:$badperm1
>  runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
>  
>  # FAILURE TEST 2 (audit)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:audit
> +genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
>  
>  # FAILURE TEST 3 (audit)
> -genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:audit
> +genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
>  
>  # complain alone
>  # PASS TEST 1 (complain)
> -genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
> +genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm
>  runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
>  
>  # PASS TEST 2 (complain)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm flag:complain
> +genprofile hat:open addimage:${bin}/open $file:$okperm flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
>  
>  # PASS TEST 3 (complain)
> -genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$okperm flag:complain
> +genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
>  
>  # FAILURE TEST 1 (complain)
> -genprofile flag:complain  hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
> +genprofile flag:complain  hat:open addimage:${bin}/open $file:$badperm1
>  runchecktest "SD_FLAGS HAT/OPEN R (complain)" fail open $file
>  
>  # PASS TEST 4 (complain)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:complain
> +genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
>  
>  # PASS TEST 5 (complain)
> -genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:complain
> +genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
>  
>  # PASS TEST 6 (complain) no hat defined
> -genprofile flag:complain 
> +genprofile flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
>  
>  # audit + complain
>  # PASS TEST 3 (audit+complain)
> -genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:complain
> +genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN RW (audit+complain)" pass open $file
>  
>  # FAILURE TEST 3 (complain+audit)
> -genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:audit
> +genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN R (complain+audit)" fail open $file
>  
> 
> 
> 



