[apparmor] [patch 21/21] Update the regression tests for v6 policy

john.johansen at canonical.com john.johansen at canonical.com
Mon Mar 17 23:29:31 UTC 2014


Sorry this mashes several things together that should be separate
patches, but I am not going to spend the time to pull them apart
atm.

This updates the regression tests for v6 policy. It refactors the
required_features test into a have_features fn, and a new
requires_features fn (renamed to catch all instances and make sure they
were right).

The have_features fn is then applied to several test to make them
conditionally apply based off of availability of the feature
and policy version.

Also add some new tests for ptrace and mount based on their features
being present.

Signed-off-by: John Johansen <john.johansen at canonical.com>


=== modified file 'tests/regression/apparmor/capabilities.sh'
---
 tests/regression/apparmor/capabilities.sh     |   23 +
 tests/regression/apparmor/dbus_eavesdrop.sh   |    2 
 tests/regression/apparmor/dbus_message.sh     |    2 
 tests/regression/apparmor/dbus_service.sh     |    2 
 tests/regression/apparmor/exec.sh             |    6 
 tests/regression/apparmor/mkprofile.pl        |  114 +++++++
 tests/regression/apparmor/mount.sh            |  102 +++++-
 tests/regression/apparmor/prologue.inc        |   23 +
 tests/regression/apparmor/ptrace.sh           |  144 ---------
 tests/regression/apparmor/ptrace_v5.inc       |  138 ++++++++
 tests/regression/apparmor/ptrace_v6.inc       |  400 ++++++++++++++++++++++++++
 tests/regression/apparmor/regex.sh            |   12 
 tests/regression/apparmor/tcp.sh              |    1 
 tests/regression/apparmor/unix_fd_server.sh   |   12 
 tests/regression/apparmor/unix_socket_file.sh |    1 
 15 files changed, 804 insertions(+), 178 deletions(-)

--- tests/regression/apparmor/capabilities.sh.orig
+++ tests/regression/apparmor/capabilities.sh
@@ -64,6 +64,7 @@
 
 # we completely disable ptrace(), but it's not clear if we should allow it
 # when the sys_ptrace cap is specified.
+# NOTE: we handle special casing of v6 ptrace not needing ptrace cap inline
 syscall_ptrace_sys_ptrace=TRUE
 
 # if a test case requires arguments, add them here.
@@ -77,7 +78,7 @@
 
 # if a testcase requires extra subdomain rules, add them here
 syscall_chroot_extra_entries="/:r ${tmpdir}/:r"
-syscall_ptrace_extra_entries="hat:sub"
+syscall_ptrace_extra_entries="ptrace:ALL hat:sub ptrace:ALL"
 net_raw_extra_entries="network:"
 
 testwrapper=changehat_wrapper
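Review bot: The new `ptrace:ALL` entries on the syscall_ptrace extra_entries line are emitted unconditionally, yet the test body below still runs on kernels where `have_features ptrace` is not "true"; if the parser in use on that path does not accept ptrace rules, genprofile would presumably fail before any capability check runs, so either confirm the parser tolerates them or guard the entry on the same feature check. The same concern applies to the unconditional `signal:ALL` added to the exec.sh profiles and to the ptrace.sh test-2 profile in this series. The line also deserves a comment on why the rule appears twice; from the mkprofile.pl changes it looks like the second copy lands in the `sub` hat, e.g. `# ptrace:ALL before and after hat:sub so both the profile and the hat get the rule -- confirm`.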
@@ -96,7 +97,13 @@
 
 	# no capabilities allowed
 	genprofile ${my_entries}
-	runchecktest "${TEST} -- no caps" fail ${my_arg}
+	if [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" == "true" ] ; then
+	    # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
+	    # capability + ptrace rule needed between pids
+	    runchecktest "${TEST} -- no caps" pass ${my_arg}
+	else
+	    runchecktest "${TEST} -- no caps" fail ${my_arg}
+	fi
 
 	# all capabilities allowed
 	genprofile cap:ALL ${my_entries}
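Review bot: `$(have_features ptrace)` is re-evaluated in a subshell at four places in this file (this hunk and the three that follow it), each with the same comment block, inside a loop whose start is outside the hunk. Compute it once next to the `syscall_ptrace_sys_ptrace=TRUE` setting, `ptrace_rules="$(have_features ptrace)"`, and test `[ "${TEST}" == "syscall_ptrace" -a "$ptrace_rules" == "true" ]` so the condition and its explanation live in one place. Note that when have_features fails its output is an error message, which the string comparison silently treats as false; that is fine here but worth a one-line comment.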
@@ -106,6 +113,8 @@
 	for cap in ${CAPABILITIES} ; do
 		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
 			expected_result=pass
+		elif [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" == "true" ]; then
+			expected_result=pass
 		else
 			expected_result=fail
 		fi
@@ -117,7 +126,13 @@
 	# a subprofile.
 	settest ${testwrapper}
 	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
-	runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
+	if [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" == "true" ] ; then
+	    # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
+	    # capability + ptrace rule needed between pids
+	    runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST} ${my_arg}
+	else
+	    runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
+	fi
 
 	# all capabilities allowed
 	genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
@@ -126,6 +141,8 @@
 	for cap in ${CAPABILITIES} ; do
 		if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
 			expected_result=pass
+		elif [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" == "true" ]; then
+			expected_result=pass
 		else
 			expected_result=fail
 		fi
--- tests/regression/apparmor/dbus_eavesdrop.sh.orig
+++ tests/regression/apparmor/dbus_eavesdrop.sh
@@ -18,7 +18,7 @@
 bin=$pwd
 
 . $bin/prologue.inc
-required_features dbus
+requires_features dbus
 . $bin/dbus.inc
 
 args="--session"
--- tests/regression/apparmor/dbus_message.sh.orig
+++ tests/regression/apparmor/dbus_message.sh
@@ -18,7 +18,7 @@
 bin=$pwd
 
 . $bin/prologue.inc
-required_features dbus
+requires_features dbus
 . $bin/dbus.inc
 
 listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
--- tests/regression/apparmor/dbus_service.sh.orig
+++ tests/regression/apparmor/dbus_service.sh
@@ -17,7 +17,7 @@
 bin=$pwd
 
 . $bin/prologue.inc
-required_features dbus
+requires_features dbus
 . $bin/dbus.inc
 
 service="--$bus --name=$dest $path $iface"
--- tests/regression/apparmor/exec.sh.orig
+++ tests/regression/apparmor/exec.sh
@@ -43,19 +43,19 @@
 
 # FAIL TEST - px/no profile
 
-genprofile $file:$ok_px_perm
+genprofile $file:$ok_px_perm signal:ALL
 
 runchecktest "EXEC with px - no profile" fail $file
 
 # NOLINK PERMTEST
 
-genprofile $file:$badperm
+genprofile $file:$badperm signal:ALL
 
 runchecktest "EXEC no x" fail $file
 
 # MMAP exec
 
-genprofile $file:$bad_mx_perm
+genprofile $file:$bad_mx_perm signal:ALL
 
 runchecktest "EXEC mmap x" fail $file
 
--- tests/regression/apparmor/mkprofile.pl.orig
+++ tests/regression/apparmor/mkprofile.pl
@@ -174,6 +174,110 @@
   }
 }
 
+sub gen_ptrace($) {
+    my $rule = shift;
+    my @rules = split (/:/, $rule);
+    if (@rules == 2) {
+	if ($rules[1] =~ /^ALL$/) {
+	    push (@{$output_rules{$hat}}, "  ptrace,\n");
+	} else {
+	    push (@{$output_rules{$hat}}, "  ptrace $rules[1],\n");
+	}
+    } elsif (@rules == 3) {
+	push (@{$output_rules{$hat}}, "  ptrace $rules[1] $rules[2],\n");
+    } else {
+	(!$nowarn) && print STDERR "Warning: invalid ptrace description '$rule', ignored\n";
+    }
+}
+
+sub gen_signal($) {
+    my $rule = shift;
+    my @rules = split (/:/, $rule);
+    if (@rules == 2) {
+	if ($rules[1] =~ /^ALL$/) {
+	    push (@{$output_rules{$hat}}, "  signal,\n");
+	} else {
+	    push (@{$output_rules{$hat}}, "  signal $rules[1],\n");
+	}
+    } elsif (@rules == 3) {
+	push (@{$output_rules{$hat}}, "  signal $rules[1] $rules[2],\n");
+    } else {
+	(!$nowarn) && print STDERR "Warning: invalid signal description '$rule', ignored\n";
+    }
+}
+
+sub gen_mount($) {
+    my $rule = shift;
+    my @rules = split (/:/, $rule);
+    if (@rules == 2) {
+	if ($rules[1] =~ /^ALL$/) {
+	    push (@{$output_rules{$hat}}, "  mount,\n");
+	} else {
+	    push (@{$output_rules{$hat}}, "  mount $rules[1],\n");
+	}
+    } elsif (@rules == 3) {
+	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2],\n");
+    } elsif (@rules == 4) {
+	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3],\n");
+    } elsif (@rules == 5) {
+	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3] $rules[4],\n");
+    } elsif (@rules == 6) {
+	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
+    } elsif (@rules == 7) {
+	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
+    } else {
+	(!$nowarn) && print STDERR "Warning: invalid mount description '$rule', ignored\n";
+    }
+}
+
+sub gen_reount($) {
+    my $rule = shift;
+    my @rules = split (/:/, $rule);
+    if (@rules == 2) {
+	if ($rules[1] =~ /^ALL$/) {
+	    push (@{$output_rules{$hat}}, "  remount,\n");
+	} else {
+	    push (@{$output_rules{$hat}}, "  remount $rules[1],\n");
+	}
+    } elsif (@rules == 3) {
+	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2],\n");
+    } elsif (@rules == 4) {
+	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2] $rules[3],\n");
+    } elsif (@rules == 5) {
+	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2] $rules[3] $rules[4],\n");
+    } elsif (@rules == 6) {
+	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
+    } elsif (@rules == 7) {
+	push (@{$output_rules{$hat}}, "  remount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
+    } else {
+	(!$nowarn) && print STDERR "Warning: invalid remount description '$rule', ignored\n";
+    }
+}
+
+sub gen_umount($) {
+    my $rule = shift;
+    my @rules = split (/:/, $rule);
+    if (@rules == 2) {
+	if ($rules[1] =~ /^ALL$/) {
+	    push (@{$output_rules{$hat}}, "  umount,\n");
+	} else {
+	    push (@{$output_rules{$hat}}, "  umount $rules[1],\n");
+	}
+    } elsif (@rules == 3) {
+	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2],\n");
+    } elsif (@rules == 4) {
+	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2] $rules[3],\n");
+    } elsif (@rules == 5) {
+	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2] $rules[3] $rules[4],\n");
+    } elsif (@rules == 6) {
+	push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
+    } elsif (@rules == 7) {
+	push (@{$output_rules{$hat}}, "  mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
+    } else {
+	(!$nowarn) && print STDERR "Warning: invalid umount description '$rule', ignored\n";
+    }
+}
+
 sub gen_file($) {
   my $rule = shift;
   my @rules = split (/:/, $rule);
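Review bot: `sub gen_reount($)` is misspelled, while the dispatcher added in the second hunk of this file calls `gen_remount($rule)`, so any `remount:` entry dies at runtime with an undefined-subroutine error; rename it `sub gen_remount($) {`. The seven-element branch of `gen_umount` also emits `"  mount ..."` rather than `"  umount ..."` (copied from gen_mount), which silently produces a mount rule where an umount rule was requested; change it to `push (@{$output_rules{$hat}}, "  umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");`. The three mount-family subs differ only in the keyword, so a single helper that joins `@rules[1..$#rules]` removes the arity ladders where both mistakes arose and keeps the output byte-identical.
```perl
# Shared emitter for mount-family rules, "<kw>:ALL" or "<kw>:<arg>[:<arg>...]"
# with one to six arguments; anything else is reported (unless $nowarn) and dropped.
sub gen_mount_family {
    my ($keyword, $rule) = @_;
    my @rules = split (/:/, $rule);
    if (@rules < 2 || @rules > 7) {
	(!$nowarn) && print STDERR "Warning: invalid $keyword description '$rule', ignored\n";
	return;
    }
    my @args = (@rules == 2 && $rules[1] =~ /^ALL$/) ? () : @rules[1..$#rules];
    push (@{$output_rules{$hat}}, join (' ', "  $keyword", @args) . ",\n");
}

sub gen_mount($)   { gen_mount_family('mount', shift); }
sub gen_remount($) { gen_mount_family('remount', shift); }
sub gen_umount($)  { gen_mount_family('umount', shift); }
# … unchanged: gen_ptrace, gen_signal …
```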
@@ -260,6 +364,16 @@
       gen_network($rule);
     } elsif ($rule =~ /^cap:/) {
       gen_cap($rule);
+    } elsif ($rule =~ /^ptrace:/) {
+      gen_ptrace($rule);
+    } elsif ($rule =~ /^signal:/) {
+      gen_signal($rule);
+    } elsif ($rule =~ /^mount:/) {
+      gen_mount($rule);
+    } elsif ($rule =~ /^remount:/) {
+      gen_remount($rule);
+    } elsif ($rule =~ /^umount:/) {
+      gen_umount($rule);
     } elsif ($rule =~ /^flag:/) {
       gen_flag($rule);
     } elsif ($rule =~ /^hat:/) {
--- tests/regression/apparmor/mount.sh.orig
+++ tests/regression/apparmor/mount.sh
@@ -28,11 +28,28 @@
 
 mount_file=$tmpdir/mountfile
 mount_point=$tmpdir/mountpoint
+mount_bad=$tmpdir/mountbad
 loop_device="unset" 
 
+setup_mnt() {
+	/bin/mount -text2 ${loop_device} ${mount_point}
+#	/bin/mount -text2 ${loop_device} ${mount_bad}
+}
+remove_mnt() {
+	mountpoint -q "${mount_point}"
+	if [ $? -eq 0 ] ; then
+		/bin/umount -text2 ${mount_point}
+	fi
+	mountpoint -q "${mount_point}"
+	if [ $? -eq 0 ] ; then
+		/bin/umount -text2 ${mount_bad}
+	fi
+}
+
 dd if=/dev/zero of=${mount_file} bs=1024 count=512 2> /dev/null
 /sbin/mkfs -text2 -F ${mount_file} > /dev/null 2> /dev/null
 /bin/mkdir ${mount_point}
+/bin/mkdir ${mount_bad}
 
 # in a modular udev world, the devices won't exist until the loopback
 # module is loaded.
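Review bot: `remove_mnt` checks `mountpoint -q "${mount_point}"` twice; the second check, the one guarding `/bin/umount -text2 ${mount_bad}`, should be `mountpoint -q "${mount_bad}"`, otherwise the bad mount point is never unmounted and the main one is attempted a second time, leaving state behind for the next test. `setup_mnt` also ignores a failed `/bin/mount`, so a subsequent UMOUNT test failure would be misattributed; consider `/bin/mount -text2 ${loop_device} ${mount_point} || fatalerror 'setup_mnt: mount failed'`. The `if [ $? -eq 0 ]` pattern can be written directly as `if mountpoint -q "${mount_point}" ; then`.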
@@ -56,32 +73,87 @@
 	fatalerror 'Unable to find a free loop device'
 fi
 
-# TEST 1.  Make sure can mount and umount unconfined
 
+# TEST 1.  Make sure can mount and umount unconfined
 runchecktest "MOUNT (unconfined)" pass mount ${loop_device} ${mount_point}
-runchecktest "UMOUNT (unconfined)" pass umount ${loop_device} ${mount_point}
+remove_mnt
 
-# TEST A2.  confine MOUNT 
+setup_mnt
+runchecktest "UMOUNT (unconfined)" pass umount ${loop_device} ${mount_point}
+remove_mnt
 
+# TEST A2.  confine MOUNT no perms
 genprofile
-runchecktest "MOUNT (confined)" fail mount ${loop_device} ${mount_point}
+runchecktest "MOUNT (confined no perm)" fail mount ${loop_device} ${mount_point}
+remove_mnt
 
-# TEST A3.  confine MOUNT - cap sys_admin is not sufficient to mount
-genprofile capability:sys_admin
-runchecktest "MOUNT (confined)" fail mount ${loop_device} ${mount_point}
+setup_mnt
+runchecktest "UMOUNT (confined no perm)" fail umount ${loop_device} ${mount_point}
+remove_mnt
 
-/bin/umount -text2 ${mount_point}
 
-# TEST A4.  confine UMOUNT
+if [ "$(have_features mount)" != "true" ] ; then
+	genprofile capability:sys_admin
+	runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
+	remove_mnt
 
-/bin/mount -text2 ${loop_device} ${mount_point}
+	setup_mnt
+	runchecktest "UMOUNT (confined cap)" pass umount ${loop_device} ${mount_point}
+	remove_mnt
+else
+	echo "    using mount rules ..."
 
-genprofile
-runchecktest "UMOUNT (confined)" fail umount ${loop_device} ${mount_point}
+	genprofile capability:sys_admin
+	runchecktest "MOUNT (confined cap)" fail mount ${loop_device} ${mount_point}
+	remove_mnt
+
+	setup_mnt
+	runchecktest "UMOUNT (confined cap)" fail umount ${loop_device} ${mount_point}
+	remove_mnt
+
+
+	genprofile mount:ALL
+	runchecktest "MOUNT (confined mount:ALL)" fail mount ${loop_device} ${mount_point}
+	remove_mnt
+
+
+	genprofile "mount:-> ${mount_point}/"
+	runchecktest "MOUNT (confined bad mntpnt mount -> mntpnt)" fail mount ${loop_device} ${mount_bad}
+	remove_mnt
+
+	runchecktest "MOUNT (confined mount -> mntpnt)" fail mount ${loop_device} ${mount_point}
+	remove_mnt
+
+
+
+	genprofile umount:ALL
+	setup_mnt
+	runchecktest "UMOUNT (confined umount:ALL)" fail umount ${loop_device} ${mount_point}
+	remove_mnt
+
+
+	genprofile mount:ALL cap:sys_admin
+	runchecktest "MOUNT (confined cap mount:ALL)" pass mount ${loop_device} ${mount_point}
+	remove_mnt
+
+
+	genprofile cap:sys_admin "mount:-> ${mount_point}/"
+	runchecktest "MOUNT (confined bad mntpnt cap mount -> mntpnt)" fail mount ${loop_device} ${mount_bad}
+	remove_mnt
+
+	runchecktest "MOUNT (confined cap mount -> mntpnt)" pass mount ${loop_device} ${mount_point}
+	remove_mnt
+
+
+
+	genprofile cap:sys_admin umount:ALL
+	setup_mnt
+	runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
+	remove_mnt
+
+fi
 
-# TEST A4.  confine UMOUNT - cap sys_admin allows unmount
-genprofile capability:sys_admin
-runchecktest "UMOUNT (confined)" pass umount ${loop_device} ${mount_point}
+#need tests for move mount, remount, bind mount, pivot root, chroot
 
 # cleanup, umount file
 /bin/umount ${loop_device} > /dev/null 2> /dev/null  || /sbin/losetup -d ${loop_device} > /dev/null 2> /dev/null
--- tests/regression/apparmor/prologue.inc.orig
+++ tests/regression/apparmor/prologue.inc
@@ -21,19 +21,32 @@
 #
 # For this file, functions are first, entry point code is at end, see "MAIN"
 
-required_features()
+#use $() to retreive the failure message or "true" if success
+have_features()
 {
 	if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
-		echo "Kernel feature masks not supported. Skipping tests ..."
-		exit 0
+		echo "Kernel feature masks not supported."
+		return 1;
 	fi
 
 	for f in $@ ; do
 		if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
-			echo "Required feature $f not available. Skipping tests ..."
-			exit 0
+			echo "Required feature '$f' not available."
+			return 2;
 		fi
 	done
+
+	echo "true"
+	return 0;
+}
+
+requires_features()
+{
+	local res=$(have_features $@)
+	if [ "$res" != "true" ] ; then
+		echo "$res. Skipping tests ..."
+		exit 0
+	fi
 }
 
 requires_query_interface()
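Review bot: `have_features` is only consumed through `$(...)` compared against the string "true", so its distinct `return 1`/`return 2` codes are discarded and the failure text becomes the value; that contract should be stated in the header comment, which also has a typo: `# Prints "true" when every named feature file exists, otherwise the reason; callers compare $(have_features ...) against "true". Exit status mirrors the result.` The `for f in $@` loop and `have_features $@` in requires_features should quote `"$@"` so feature names are not re-split by the shell. `requires_features` keeps the original exit-0 skip, so a missing feature still reads as a passing run; a comment saying that is deliberate would help whoever reads the test results.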
--- tests/regression/apparmor/ptrace.sh.orig
+++ tests/regression/apparmor/ptrace.sh
@@ -40,7 +40,7 @@
 runchecktest "test 1 -hc prog" pass -h -c -n 100 $helper /bin/true
 
 # test that unconfined can ptrace before profile attaches
-genprofile image=/bin/true
+genprofile image=/bin/true signal:ALL
 runchecktest "test 2" pass -n 100 /bin/true
 runchecktest "test 2 -c" pass -c -n 100 /bin/true
 runchecktest "test 2 -h" pass -h -n 100 $helper
@@ -48,141 +48,9 @@
 runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true
 runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
 
-#unconfined tracing confined helper
-#confined helper asking unconfined process to ptrace it
-genprofile image=$helper
-runchecktest "test 3 -h" pass -h -n 100 $helper
-runchecktest "test 3 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
 
-# lack of 'r' perm is currently not working
-genprofile image=$helper $helper:ix
-runchecktest "test 4 -h" pass -h -n 100 $helper
-runchecktest "test 4 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile image=$helper $helper:rix
-runchecktest "test 5 -h" pass -h -n 100 $helper
-runchecktest "test 5 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile image=$helper $helper:ix /bin/true:rix
-runchecktest "test 6 -h" pass -h -n 100 $helper
-runchecktest "test 6 -hc " pass -h -c -n 100 $helper
-runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-#traced child can ptrace_me to unconfined have unconfined trace them
-genprofile image=/bin/true
-runchecktest "test 7" pass -n 100 /bin/true
-# pass - ptrace_attach is done in unconfined helper
-runchecktest "test 7 -c " pass -c -n 100 /bin/true
-runchecktest "test 7 -h" pass -h -n 100 $helper
-# pass - ptrace_attach is done in unconfined helper
-runchecktest "test 7 -hc " pass -h -c -n 100 $helper
-runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-genprofile image=$helper $helper:ix /bin/true:rix
-runchecktest "test 7a" pass -n 100 /bin/true
-# pass - ptrace_attach is allowed from confined process to unconfined
-runchecktest "test 7a -c " pass -c -n 100 /bin/true
-runchecktest "test 7a -h" pass -h -n 100 $helper
-# pass - ptrace_attach is allowed from confined process to unconfined
-runchecktest "test 7a -hc " pass -h -c -n 100 $helper
-runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
-
-#traced helper from unconfined
-genprofile image=$helper $helper:ix /bin/true:rpx -- image=/bin/true
-runchecktest "test 8" pass -n 100 /bin/true
-# pass - ptrace_attach is done before exec
-runchecktest "test 8 -c " pass -c -n 100 /bin/true
-runchecktest "test 8 -h" pass -h -n 100 $helper
-runchecktest "test 8 -hc " pass -h -c -n 100 $helper
-# pass - can px if tracer can ptrace target
-runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-#traced helper from unconfined
-genprofile image=$helper $helper:ix /bin/true:rux -- image=/bin/true
-runchecktest "test 9" pass -n 100 /bin/true
-# pass - ptrace_attach is done before exec
-runchecktest "test 9 -c " pass -c -n 100 /bin/true
-runchecktest "test 9 -h" pass -h -n 100 $helper
-runchecktest "test 9 -hc " pass -h -c -n 100 $helper
-# pass - can ux if tracer can ptrace target
-runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-genprofile
-# fail due to no exec permission
-runchecktest "test 10" fail -n 100 /bin/true
-runchecktest "test 10 -c" fail -c -n 100 /bin/true
-runchecktest "test 10 -h" fail -h -n 100 $helper
-runchecktest "test 10 -hc" fail -h -c -n 100 $helper
-runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile /bin/true:ix $helper:ix
-# fail due to missing r permission
-#runchecktest "test 11" fail -n 100 /bin/true
-#runchecktest "test 11 -c" fail -c -n 100 /bin/true
-#runchecktest "test 11 -h" fail -h -n 100 $helper
-#runchecktest "test 11 -hc" fail -h -c -n 100 $helper
-#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
-#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-# pass allowed to ix self
-genprofile /bin/true:rix $helper:rix
-runchecktest "test 12" pass -n 100 /bin/true
-runchecktest "test 12 -c" pass -c -n 100 /bin/true
-runchecktest "test 12 -h" pass -h -n 100 $helper
-runchecktest "test 12 -hc" pass -h -c -n 100 $helper
-runchecktest "test 12 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-#ptraced confined app can't px - fails to unset profile
-genprofile image=$helper $helper:rix /bin/true:rpx
-runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-
-#ptraced confined app can ux - if the tracer is unconfined
-#
-genprofile image=$helper $helper:rix /bin/true:rux
-runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
-#ptraced confined app can't ux - if the tracer can't trace unconfined
-genprofile $helper:rpx -- image=$helper $helper:rix /bin/true:rux
-runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
-
-#confined app can't ptrace an unconfined app
-genprofile $helper:rux
-runchecktest "test 15 -h" fail -h -n 100 $helper
-runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-#an unconfined app can't ask a confined app to trace it
-runchecktest "test 15 -hc" fail -h -c -n 100 $helper
-runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-#confined app can't ptrace an app confined by a different profile
-genprofile $helper:rpx -- image=$helper
-runchecktest "test 15 -h" fail -h -n 100 $helper
-runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-#a confined app can't ask another confined app with a different profile to
-#trace it
-runchecktest "test 15 -hc" fail -h -c -n 100 $helper
-runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-
-
-
-# need to do a confined process trying to attach to an unconfined
-# need attaching, and ptrace_me of different confinement
+if [ "$(have_features ptrace)" == "true" ] ; then
+	. $bin/ptrace_v6.inc
+else
+	. $bin/ptrace_v5.inc
+fi
--- /dev/null
+++ tests/regression/apparmor/ptrace_v5.inc
@@ -0,0 +1,138 @@
+#unconfined tracing confined helper
+#confined helper asking unconfined process to ptrace it
+genprofile image=$helper
+runchecktest "test 3 -h" pass -h -n 100 $helper
+runchecktest "test 3 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+# lack of 'r' perm is currently not working
+genprofile image=$helper $helper:ix
+runchecktest "test 4 -h" pass -h -n 100 $helper
+runchecktest "test 4 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:rix
+runchecktest "test 5 -h" pass -h -n 100 $helper
+runchecktest "test 5 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:ix /bin/true:rix
+runchecktest "test 6 -h" pass -h -n 100 $helper
+runchecktest "test 6 -hc " pass -h -c -n 100 $helper
+runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced child can ptrace_me to unconfined have unconfined trace them
+genprofile image=/bin/true
+runchecktest "test 7" pass -n 100 /bin/true
+# pass - ptrace_attach is done in unconfined helper
+runchecktest "test 7 -c " pass -c -n 100 /bin/true
+runchecktest "test 7 -h" pass -h -n 100 $helper
+# pass - ptrace_attach is done in unconfined helper
+runchecktest "test 7 -hc " pass -h -c -n 100 $helper
+runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:ix /bin/true:rix
+runchecktest "test 7a" pass -n 100 /bin/true
+# pass - ptrace_attach is allowed from confined process to unconfined
+runchecktest "test 7a -c " pass -c -n 100 /bin/true
+runchecktest "test 7a -h" pass -h -n 100 $helper
+# pass - ptrace_attach is allowed from confined process to unconfined
+runchecktest "test 7a -hc " pass -h -c -n 100 $helper
+runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced helper from unconfined
+genprofile image=$helper $helper:ix /bin/true:rpx -- image=/bin/true
+runchecktest "test 8" pass -n 100 /bin/true
+# pass - ptrace_attach is done before exec
+runchecktest "test 8 -c " pass -c -n 100 /bin/true
+runchecktest "test 8 -h" pass -h -n 100 $helper
+runchecktest "test 8 -hc " pass -h -c -n 100 $helper
+# pass - can px if tracer can ptrace target
+runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced helper from unconfined
+genprofile image=$helper $helper:ix /bin/true:rux -- image=/bin/true
+runchecktest "test 9" pass -n 100 /bin/true
+# pass - ptrace_attach is done before exec
+runchecktest "test 9 -c " pass -c -n 100 /bin/true
+runchecktest "test 9 -h" pass -h -n 100 $helper
+runchecktest "test 9 -hc " pass -h -c -n 100 $helper
+# pass - can ux if tracer can ptrace target
+runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+genprofile
+# fail due to no exec permission
+runchecktest "test 10" fail -n 100 /bin/true
+runchecktest "test 10 -c" fail -c -n 100 /bin/true
+runchecktest "test 10 -h" fail -h -n 100 $helper
+runchecktest "test 10 -hc" fail -h -c -n 100 $helper
+runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:ix $helper:ix
+# fail due to missing r permission
+#runchecktest "test 11" fail -n 100 /bin/true
+#runchecktest "test 11 -c" fail -c -n 100 /bin/true
+#runchecktest "test 11 -h" fail -h -n 100 $helper
+#runchecktest "test 11 -hc" fail -h -c -n 100 $helper
+#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
+#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+# pass allowed to ix self
+genprofile /bin/true:rix $helper:rix
+runchecktest "test 12" pass -n 100 /bin/true
+runchecktest "test 12 -c" pass -c -n 100 /bin/true
+runchecktest "test 12 -h" pass -h -n 100 $helper
+runchecktest "test 12 -hc" pass -h -c -n 100 $helper
+runchecktest "test 12 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#ptraced confined app can't px - fails to unset profile
+genprofile image=$helper $helper:rix /bin/true:rpx
+runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+#ptraced confined app can ux - if the tracer is unconfined
+#
+genprofile image=$helper $helper:rix /bin/true:rux
+runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
+#ptraced confined app can't ux - if the tracer can't trace unconfined
+genprofile $helper:rpx -- image=$helper $helper:rix /bin/true:rux
+runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an unconfined app
+genprofile $helper:rux
+runchecktest "test 15 -h" fail -h -n 100 $helper
+runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
+#an unconfined app can't ask a confined app to trace it
+runchecktest "test 15 -hc" fail -h -c -n 100 $helper
+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an app confined by a different profile
+genprofile $helper:rpx -- image=$helper
+runchecktest "test 15 -h" fail -h -n 100 $helper
+runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
+#a confined app can't ask another confined app with a different profile to
+#trace it
+runchecktest "test 15 -hc" fail -h -c -n 100 $helper
+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+
+
+# need to do a confined process trying to attach to an unconfined
+# need attaching, and ptrace_me of different confinement
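Review bot: The "confined app can't ptrace an app confined by a different profile" block reuses the "test 15 ..." labels already used by the `$helper:rux` block immediately above it, so a failure report cannot tell the two profiles apart; since this file is new, this is the place to renumber, e.g. `runchecktest "test 16 -h" fail -h -n 100 $helper` and likewise for its `-h prog`, `-hc` and `-hc prog` lines. Apart from that the content is a verbatim move of the block removed from ptrace.sh.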
--- /dev/null
+++ tests/regression/apparmor/ptrace_v6.inc
@@ -0,0 +1,400 @@
+## v5 ptrace tests except with failures where appropriate. Testing that capability ptrace
+## does not grant ptrace perms
+
+## Note: ptrace tests need signal permissions to function correctly
+##       signal permissions are not actually needed by all tests to function but
+##	 we grant signal perms to all to be consistent
+
+echo "   using ptrace v6 tests ..."
+
+################################################################################
+# v5 ptrace tests without ptrace rules
+################################################################################
+
+#unconfined tracing confined helper
+#confined helper asking unconfined process to ptrace it
+genprofile image=$helper signal:ALL
+
+runchecktest "test 3 -h" pass -h -n 100 $helper
+runchecktest "test 3 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+# lack of 'r' perm is currently not working
+genprofile image=$helper $helper:ix signal:ALL
+runchecktest "test 4 -h" pass -h -n 100 $helper
+runchecktest "test 4 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:rix signal:ALL
+runchecktest "test 5 -h" pass -h -n 100 $helper
+runchecktest "test 5 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:ix /bin/true:rix signal:ALL
+runchecktest "test 6 -h" pass -h -n 100 $helper
+runchecktest "test 6 -hc " pass -h -c -n 100 $helper
+runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced child can ptrace_me to unconfined have unconfined trace them
+genprofile image=/bin/true signal:ALL
+runchecktest "test 7" pass -n 100 /bin/true
+# pass - ptrace_attach is done in unconfined helper
+runchecktest "test 7 -c " pass -c -n 100 /bin/true
+runchecktest "test 7 -h" pass -h -n 100 $helper
+# pass - ptrace_attach is done in unconfined helper
+runchecktest "test 7 -hc " pass -h -c -n 100 $helper
+runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:ix /bin/true:rix signal:ALL
+runchecktest "test 7a" pass -n 100 /bin/true
+# pass - ptrace_attach is allowed from confined process to unconfined
+runchecktest "test 7a -c " pass -c -n 100 /bin/true
+runchecktest "test 7a -h" pass -h -n 100 $helper
+# pass - ptrace_attach is allowed from confined process to unconfined
+runchecktest "test 7a -hc " pass -h -c -n 100 $helper
+runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced helper from unconfined
+genprofile image=$helper $helper:ix /bin/true:rpx signal:ALL -- image=/bin/true signal:ALL
+runchecktest "test 8" pass -n 100 /bin/true
+# pass - ptrace_attach is done before exec
+runchecktest "test 8 -c " pass -c -n 100 /bin/true
+runchecktest "test 8 -h" pass -h -n 100 $helper
+runchecktest "test 8 -hc " pass -h -c -n 100 $helper
+# pass - can px if tracer can ptrace target
+runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced helper from unconfined
+genprofile image=$helper $helper:ix /bin/true:rux signal:ALL -- image=/bin/true signal:ALL
+runchecktest "test 9" pass -n 100 /bin/true
+# pass - ptrace_attach is done before exec
+runchecktest "test 9 -c " pass -c -n 100 /bin/true
+runchecktest "test 9 -h" pass -h -n 100 $helper
+runchecktest "test 9 -hc " pass -h -c -n 100 $helper
+# pass - can ux if tracer can ptrace target
+runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+genprofile signal:ALL
+# fail due to no exec permission
+runchecktest "test 10" fail -n 100 /bin/true
+runchecktest "test 10 -c" fail -c -n 100 /bin/true
+runchecktest "test 10 -h" fail -h -n 100 $helper
+runchecktest "test 10 -hc" fail -h -c -n 100 $helper
+runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:ix $helper:ix signal:ALL
+# fail due to missing r permission
+#runchecktest "test 11" fail -n 100 /bin/true
+#runchecktest "test 11 -c" fail -c -n 100 /bin/true
+#runchecktest "test 11 -h" fail -h -n 100 $helper
+#runchecktest "test 11 -hc" fail -h -c -n 100 $helper
+#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
+#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+# fail was pass in v5 allowed to ix self
+genprofile /bin/true:rix $helper:rix signal:ALL
+runchecktest "test 12" fail -n 100 /bin/true
+runchecktest "test 12 -c" fail -c -n 100 /bin/true
+runchecktest "test 12 -h" fail -h -n 100 $helper
+runchecktest "test 12 -hc" fail -h -c -n 100 $helper
+runchecktest "test 12 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 12 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#ptraced confined app traced by unconfined can px
+genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL -- image=/bin/true /bin/true:rix
+runchecktest "test 13u -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13u -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#ptraced confined app traced by profile without ptrace on targeted can't px
+genprofile /bin/true:rpx signal:ALL -- image=/bin/true /bin/true:rix
+runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+#ptraced confined app can ux - if the tracer is unconfined
+#
+genprofile image=$helper $helper:rix /bin/true:rux signal:ALL
+runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
+#ptraced confined app can't ux - if the tracer can't trace unconfined
+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
+runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an unconfined app
+genprofile $helper:rux signal:ALL
+runchecktest "test 15 -h" fail -h -n 100 $helper
+runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
+#an unconfined app can't ask a confined app to trace it
+runchecktest "test 15 -hc" fail -h -c -n 100 $helper
+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an app confined by a different profile
+genprofile $helper:rpx signal:ALL -- image=$helper signal:ALL
+runchecktest "test 15 -h" fail -h -n 100 $helper
+runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
+#a confined app can't ask another confined app with a different profile to
+#trace it
+runchecktest "test 15 -hc" fail -h -c -n 100 $helper
+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+################### cap:sys_ptrace doesn't change results from above ##########################
+# fail was pass in v5 allowed to ix self
+genprofile /bin/true:rix $helper:rix signal:ALL cap:sys_ptrace
+runchecktest "test 12c" fail -n 100 /bin/true
+runchecktest "test 12c -c" fail -c -n 100 /bin/true
+runchecktest "test 12c -h" fail -h -n 100 $helper
+runchecktest "test 12c -hc" fail -h -c -n 100 $helper
+runchecktest "test 12c -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 12c -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#ptraced confined app traced by unconfined can px
+genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true /bin/true:rix cap:sys_ptrace
+runchecktest "test 13cu -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13cu -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#ptraced confined app traced by profile without ptrace on targeted can't px
+genprofile /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true /bin/true:rix cap:sys_ptrace
+runchecktest "test 13c -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13c -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+#ptraced confined app can ux - if the tracer is unconfined
+#
+genprofile image=$helper $helper:rix /bin/true:rux signal:ALL cap:sys_ptrace
+runchecktest "test 14ca -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 14ca -hc prog" pass -h -c -n 100 $helper /bin/true
+#ptraced confined app can't ux - if the tracer can't trace unconfined
+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
+runchecktest "test 14cb -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 14cb -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an unconfined app
+genprofile $helper:rux signal:ALL cap:sys_ptrace
+runchecktest "test 15c -h" fail -h -n 100 $helper
+runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
+#an unconfined app can't ask a confined app to trace it
+runchecktest "test 15c -hc" fail -h -c -n 100 $helper
+runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an app confined by a different profile
+genprofile $helper:rpx signal:ALL cap:sys_ptrace -- image=$helper signal:ALL cap:sys_ptrace
+runchecktest "test 15c -h" fail -h -n 100 $helper
+runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
+#a confined app can't ask another confined app with a different profile to
+#trace it
+runchecktest "test 15c -hc" fail -h -c -n 100 $helper
+runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+################################################################################
+# v5 ptrace tests with ptrace rules
+################################################################################
+
+##### Now do tests with ptrace rules in profiles #######
+# pass in v5 allowed to ix self
+genprofile /bin/true:rix $helper:rix signal:ALL ptrace:ALL
+runchecktest "test 12p" pass -n 100 /bin/true
+runchecktest "test 12p -c" pass -c -n 100 /bin/true
+runchecktest "test 12p -h" pass -h -n 100 $helper
+runchecktest "test 12p -hc" pass -h -c -n 100 $helper
+runchecktest "test 12p -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 12p -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rix $helper:rix signal:ALL ptrace:$test
+runchecktest "test 12p1" pass -n 100 /bin/true
+runchecktest "test 12p1 -c" pass -c -n 100 /bin/true
+runchecktest "test 12p1 -h" pass -h -n 100 $helper
+runchecktest "test 12p1 -hc" pass -h -c -n 100 $helper
+runchecktest "test 12p1 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 12p1 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rix $helper:rix signal:ALL ptrace:notaprofile
+runchecktest "test 12p2" fail -n 100 /bin/true
+runchecktest "test 12p2 -c" fail -c -n 100 /bin/true
+runchecktest "test 12p2 -h" fail -h -n 100 $helper
+runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
+runchecktest "test 12p2 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+#ptraced confined app traced by profile can px
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true -- image=/bin/true /bin/true:rix
+runchecktest "test 13p1 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p2 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p3 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p4 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p5 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p6 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p7 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p8 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p9 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix
+runchecktest "test 13p11 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p21 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p31 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p41 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p51 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p61 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p71 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p81 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p91 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa1 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb1 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc1 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd1 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe1 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL -- image=/bin/true /bin/true:rix
+runchecktest "test 13p12 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p22 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p32 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p42 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p52 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p62 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p72 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p82 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p92 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa2 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb2 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc2 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd2 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe2 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby -- image=/bin/true /bin/true:rix
+runchecktest "test 13p13 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p23 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p33 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p43 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p53 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p63 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p73 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p83 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p93 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa3 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb3 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc3 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd3 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe3 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix
+runchecktest "test 13p14 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p24 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p34 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p44 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p54 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p64 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p74 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p84 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p94 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa4 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb4 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc4 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd4 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe4 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:notaprofile -- image=/bin/true /bin/true:rix
+runchecktest "test 13p15 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p25 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p35 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p45 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p55 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p65 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p75 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p85 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p95 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa5 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb5 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc5 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd5 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe5 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+### todo Variations of below tests
+
+
+#ptraced confined app can ux - if the tracer is unconfined
+#
+genprofile image=$helper $helper:rix /bin/true:rux signal:ALL
+runchecktest "test 14pa -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 14pa -hc prog" pass -h -c -n 100 $helper /bin/true
+#ptraced confined app can't ux - if the tracer can't trace unconfined
+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
+runchecktest "test 14pb -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 14pb -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an unconfined app
+genprofile $helper:rux signal:ALL
+runchecktest "test 15p -h" fail -h -n 100 $helper
+runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
+#an unconfined app can't ask a confined app to trace it
+runchecktest "test 15p -hc" fail -h -c -n 100 $helper
+runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an app confined by a different profile
+genprofile $helper:rpx signal:ALL -- image=$helper signal:ALL
+runchecktest "test 15p -h" fail -h -n 100 $helper
+runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
+#a confined app can't ask another confined app with a different profile to
+#trace it
+runchecktest "test 15p -hc" fail -h -c -n 100 $helper
+runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+## TODO: ptrace read tests
+## TODO: ptrace + change_profile
+## TODO: ptrace + change_hat
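Review bot: Several test descriptions in the new file are reused for different profiles, so a failure cannot be attributed from runchecktest output alone: `test 15 -h`, `test 15 -h prog`, `test 15 -hc` and `test 15 -hc prog` appear both for the `$helper:rux` profile and for the `$helper:rpx -- image=$helper` profile, and the same duplication recurs as `test 15c` and `test 15p`. Suffixing the second set, e.g. `runchecktest "test 15b -h" fail -h -n 100 $helper`, keeps every name unique. The comment `#ptraced confined app traced by profile can px` above 13p1/13p2 is misleading since both of those are expected to fail (the target profile has no tracedby rule); something like `# tracer has ptrace rules but target lacks tracedby - px fails` would match the expectation. Tests 14pa, 14pb and 15p use profiles identical to 14a, 14b and 15 with no ptrace rules at all, so under the "with ptrace rules" heading they repeat coverage rather than add it; the todo marker above them presumably acknowledges this, but until the variations exist they only add runtime.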
--- tests/regression/apparmor/regex.sh.orig
+++ tests/regression/apparmor/regex.sh
@@ -148,25 +148,25 @@
 runchecktest "QUESTION MARK (exec)" pass $file
 
 # FAIL TEST - looking for *
-genprofile /sbin/\*:$okperm
+genprofile /sbin/\*:$okperm signal:ALL
 runchecktest "SINGLE TAILGLOB (exec, fail)" fail $file
 
 # FAIL TEST - looking for **
-genprofile /sbi\*\*:$okperm
+genprofile /sbi\*\*:$okperm signal:ALL
 runchecktest "DOUBLE TAILGLOB (exec, fail)" fail $file
 
 # FAIL TEST - looking for { , }
-genprofile /bin/\{flase,false\}:$okperm
+genprofile /bin/\{flase,false\}:$okperm signal:ALL
 runchecktest "CURLY BRACES (exec, fail)" fail $file
 
 # FAIL TEST - looking for []
-genprofile /bin/\[aef\]rue:$okperm
+genprofile /bin/\[aef\]rue:$okperm signal:ALL
 runchecktest "SQUARE BRACES 1 (exec, fail)" fail $file
 
 # FAIL TEST - looking for []
-genprofile /bin/\[u-x\]rue:$okperm
+genprofile /bin/\[u-x\]rue:$okperm signal:ALL
 runchecktest "SQUARE BRACES 2 (exec, fail)" fail $file
 
 # FAIL TEST - looking for ?
-genprofile /bin/b\?ue:$okperm
+genprofile /bin/b\?ue:$okperm signal:ALL
 runchecktest "QUESTION MARK (exec, fail)" fail $file
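Review bot: The added `signal:ALL` on each fail-test profile carries no comment explaining why a negative test is being granted extra permissions, which reads oddly next to the `# FAIL TEST - looking for *` headers. Presumably the intent is that, under v6 policy, the denial must come from the exec rule not matching rather than from a missing signal permission, so that the fail result actually exercises the glob; a one-line comment at the top of the group such as `# signal:ALL is granted so the expected failure comes from the exec rule, not a signal denial` would record that. Whether the pass-side profiles earlier in the file received the same treatment is outside this hunk.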
--- tests/regression/apparmor/tcp.sh.orig
+++ tests/regression/apparmor/tcp.sh
@@ -15,6 +15,7 @@
 bin=$pwd
 
 . $bin/prologue.inc
+requires_features network
 
 port=34567
 ip="127.0.0.1"
--- tests/regression/apparmor/unix_fd_server.sh.orig
+++ tests/regression/apparmor/unix_fd_server.sh
@@ -132,10 +132,12 @@
 sleep 1
 rm -f ${socket}
 
-# FAIL - confined client, no access to the socket file
+if [ "$(have_features policy/versions/v6)" == "true" ] ; then
+    # FAIL - confined client, no access to the socket file
 
-genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm
-runchecktest "fd passing; confined client w/o socket access" fail $file $socket $fd_client
+    genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm
+    runchecktest "fd passing; confined client w/o socket access" fail $file $socket $fd_client
 
-sleep 1
-rm -f ${socket}
+    sleep 1
+    rm -f ${socket}
+fi
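Review bot: The new guard uses `==` inside single-bracket `[ ]`, which is a bash extension rather than POSIX `test`; `if [ "$(have_features policy/versions/v6)" = "true" ] ; then` behaves the same and stays portable should the script ever run under `sh` (the shebang is outside the hunk). When the feature is absent the whole negative test is skipped with no output, so a run on pre-v6 policy gives no hint that the confined-client denial was never exercised; an `else echo "  skipping confined client w/o socket access test (no v6 policy)"` branch before `fi` would make that visible in the log. have_features itself is defined in prologue.inc, not in this hunk, so its output being exactly the string `true` is assumed here.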
--- tests/regression/apparmor/unix_socket_file.sh.orig
+++ tests/regression/apparmor/unix_socket_file.sh
@@ -27,6 +27,7 @@
 bin=$pwd
 
 . $bin/prologue.inc
+requires_features policy/versions/v6
 
 client=$bin/unix_socket_file_client
 socket=${tmpdir}/unix_socket_file.sock



