[apparmor] [patch] regression sysctl: skip if sysctl not implemented
Steve Beattie
steve at nxnw.org
Wed Mar 19 18:35:56 UTC 2014
On Wed, Mar 19, 2014 at 01:47:32AM -0700, John Johansen wrote:
> Check to see if sysctl is enabled on the kernel before running the tests
>
> If sysctl is not enabled warn that the test is being skipped
>
> ---
>
> === modified file 'tests/regression/apparmor/syscall_sysctl.sh'
> --- tests/regression/apparmor/syscall_sysctl.sh 2010-12-20 20:29:10 +0000
> +++ tests/regression/apparmor/syscall_sysctl.sh 2014-03-16 10:09:09 +0000
> @@ -27,6 +27,13 @@
> ##
> settest syscall_sysctl
>
> +#check if the architecture support sysctl
> +res=`${test} ro`
> +if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
> + echo " syscall sysctl not implemented skipping tests ..."
> + exit 0
> +fi
> +
NACK. Even if CONFIG_SYSCTL_SYSCALL is disabled, we still want to run
the /proc/sys/ based tests. Here's a (sadly much larger, but consisting
mostly of whitespace changes) patch that moves each of the test types
into a shell function, and adds checks that syscall sysctl support and
the /proc/ based sysctl entries are available.
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
tests/regression/apparmor/syscall_sysctl.sh | 177 +++++++++++++++-------------
1 file changed, 99 insertions(+), 78 deletions(-)
Index: b/tests/regression/apparmor/syscall_sysctl.sh
===================================================================
--- a/tests/regression/apparmor/syscall_sysctl.sh
+++ b/tests/regression/apparmor/syscall_sysctl.sh
@@ -25,119 +25,140 @@ bin=$pwd
##
## C. SYSCTL
##
-settest syscall_sysctl
-runchecktest "SYSCTL (no confinement read only)" pass ro
+test_syscall_sysctl()
+{
+ settest syscall_sysctl
-runchecktest "SYSCTL (no confinement rw)" pass
+ runchecktest "SYSCTL (no confinement read only)" pass ro
-genprofile $sysctlgood:r
-runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
+ runchecktest "SYSCTL (no confinement rw)" pass
-genprofile $sysctlgood:r
-runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
+ genprofile $sysctlgood:r
+ runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
-genprofile $sysctlgood:w
-runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
+ genprofile $sysctlgood:r
+ runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
-genprofile $sysctlgood:w
-runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
+ genprofile $sysctlgood:w
+ runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
-genprofile $sysctlgood:rw
-runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
+ genprofile $sysctlgood:w
+ runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
-genprofile $sysctlgood:rw
-runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
+ genprofile $sysctlgood:rw
+ runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
-genprofile $sysctlbad:r
-runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
+ genprofile $sysctlgood:rw
+ runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
-genprofile $sysctlbad:r
-runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
+ genprofile $sysctlbad:r
+ runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
-genprofile $sysctlbad:w
-runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
+ genprofile $sysctlbad:r
+ runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
-genprofile $sysctlbad:w
-runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
+ genprofile $sysctlbad:w
+ runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
-genprofile $sysctlbad:rw
-runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
+ genprofile $sysctlbad:w
+ runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
-genprofile $sysctlbad:rw
-runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
+ genprofile $sysctlbad:rw
+ runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
-# now test /proc/sys/ paths
+ genprofile $sysctlbad:rw
+ runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
+}
-settest sysctl_proc
+test_sysctl_proc()
+{
+ settest sysctl_proc
-#unconfined
-runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
-runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
+ #unconfined
+ runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
+ runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
-#test with profile giving access to sysctlgood
-genprofile $sysctlgood:r
-runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
+ #test with profile giving access to sysctlgood
+ genprofile $sysctlgood:r
+ runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
-genprofile $sysctlgood:w
-runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
+ genprofile $sysctlgood:w
+ runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
-genprofile $sysctlgood:rw
-runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
+ genprofile $sysctlgood:rw
+ runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
-genprofile $sysctlgood:r
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
+ genprofile $sysctlgood:r
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
-genprofile $sysctlgood:w
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
+ genprofile $sysctlgood:w
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
-genprofile $sysctlgood:rw
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
+ genprofile $sysctlgood:rw
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
-genprofile $sysctlgood:r
-runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
+ genprofile $sysctlgood:r
+ runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
-genprofile $sysctlgood:w
-runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
+ genprofile $sysctlgood:w
+ runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
-genprofile $sysctlgood:rw
-runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
+ genprofile $sysctlgood:rw
+ runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
-#test with profile giving access to sysctlbad but access to sysctlgood
-genprofile $sysctlbad:r
-runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
+ #test with profile giving access to sysctlbad but access to sysctlgood
+ genprofile $sysctlbad:r
+ runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
-genprofile $sysctlbad:w
-runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
+ genprofile $sysctlbad:w
+ runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
-genprofile $sysctlbad:rw
-runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
+ genprofile $sysctlbad:rw
+ runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
-genprofile $sysctlbad:r
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
+ genprofile $sysctlbad:r
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
-genprofile $sysctlbad:w
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
+ genprofile $sysctlbad:w
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
-genprofile $sysctlbad:rw
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
+ genprofile $sysctlbad:rw
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
-genprofile $sysctlbad:r
-runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
+ genprofile $sysctlbad:r
+ runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
-genprofile $sysctlbad:w
-runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
+ genprofile $sysctlbad:w
+ runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
-genprofile $sysctlbad:rw
-runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
+ genprofile $sysctlbad:rw
+ runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
+}
+# check if the kernel supports CONFIG_SYSCTL_SYSCALL
+# generally we want to encourage kernels to disable it, but if it's
+# enabled we want to test against it
+settest syscall_sysctl
+res=$(${test} ro)
+if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
+ echo " WARNING: syscall sysctl not implemented, skipping tests ..."
+else
+ test_syscall_sysctl
+fi
+# now test /proc/sys/ paths
+if [ ! -f "${sysctlgood}" ] ; then
+ echo " WARNING: proc sysctl path not found, /proc not mounted? Skipping tests ..."
+else
+ test_sysctl_proc
+fi
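Review bot: The probe condition `[ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ]` expands `$res` unquoted, so when the helper prints that multi-word message `[` receives it as separate words and, at least in bash, errors out with "too many arguments". The `if` is then false and `test_syscall_sysctl` runs on exactly the kernels the check is meant to skip; an empty `$res` breaks the expression the same way. The same line appears in the quoted patch this mail replaces. Quoting the expansion and dropping the non-portable `-a`/`==` fixes it: `if [ $? -ne 0 ] && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then`. Separately, both skip branches only echo a WARNING, so a run where the mediation tests were skipped is hard to tell from one where they passed unless the log is read; a one-line comment above each branch saying so would help whoever relies on this script as confinement coverage.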
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/