[apparmor] [patch] regression sysctl: skip if sysctl not implemented
John Johansen
john.johansen at canonical.com
Thu Mar 20 10:55:34 UTC 2014
On 03/19/2014 11:35 AM, Steve Beattie wrote:
> On Wed, Mar 19, 2014 at 01:47:32AM -0700, John Johansen wrote:
>> Check to see if sysctl is enabled on the kernel before running the tests
>>
>> If sysctl is not enabled warn that the test is being skipped
>>
>> ---
>>
>> === modified file 'tests/regression/apparmor/syscall_sysctl.sh'
>> --- tests/regression/apparmor/syscall_sysctl.sh 2010-12-20 20:29:10 +0000
>> +++ tests/regression/apparmor/syscall_sysctl.sh 2014-03-16 10:09:09 +0000
>> @@ -27,6 +27,13 @@
>> ##
>> settest syscall_sysctl
>>
>> +#check if the architecture support sysctl
>> +res=`${test} ro`
>> +if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
>> + echo " syscall sysctl not implemented skipping tests ..."
>> + exit 0
>> +fi
>> +
>
> NACK. Even if CONFIG_SYSCALL_SYSCTL is disabled, we still want to run
> the /proc/sys/ based tests. Here's a (sadly much larger, but consists
sigh yep, I missed that
> of mostly whitespace changes) patch that moves each of the test types
> into its own shell function, and adds checks that syscall sysctl
> support and the /proc/-based sysctl entries are available.
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
Acked-by: John Johansen <john.johansen at canonical.com>
> ---
> tests/regression/apparmor/syscall_sysctl.sh | 177 +++++++++++++++-------------
> 1 file changed, 99 insertions(+), 78 deletions(-)
>
> Index: b/tests/regression/apparmor/syscall_sysctl.sh
> ===================================================================
> --- a/tests/regression/apparmor/syscall_sysctl.sh
> +++ b/tests/regression/apparmor/syscall_sysctl.sh
> @@ -25,119 +25,140 @@ bin=$pwd
> ##
> ## C. SYSCTL
> ##
> -settest syscall_sysctl
>
> -runchecktest "SYSCTL (no confinement read only)" pass ro
> +test_syscall_sysctl()
> +{
> + settest syscall_sysctl
>
> -runchecktest "SYSCTL (no confinement rw)" pass
> + runchecktest "SYSCTL (no confinement read only)" pass ro
>
> -genprofile $sysctlgood:r
> -runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
> + runchecktest "SYSCTL (no confinement rw)" pass
>
> -genprofile $sysctlgood:r
> -runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
> + genprofile $sysctlgood:r
> + runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
>
> -genprofile $sysctlgood:w
> -runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
> + genprofile $sysctlgood:r
> + runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
>
> -genprofile $sysctlgood:w
> -runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
> + genprofile $sysctlgood:w
> + runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
>
> -genprofile $sysctlgood:rw
> -runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
> + genprofile $sysctlgood:w
> + runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
>
> -genprofile $sysctlgood:rw
> -runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
> + genprofile $sysctlgood:rw
> + runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
>
> -genprofile $sysctlbad:r
> -runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
> + genprofile $sysctlgood:rw
> + runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
>
> -genprofile $sysctlbad:r
> -runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
> + genprofile $sysctlbad:r
> + runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
>
> -genprofile $sysctlbad:w
> -runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
> + genprofile $sysctlbad:r
> + runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
>
> -genprofile $sysctlbad:w
> -runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
> + genprofile $sysctlbad:w
> + runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
>
> -genprofile $sysctlbad:rw
> -runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
> + genprofile $sysctlbad:w
> + runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
>
> -genprofile $sysctlbad:rw
> -runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
> + genprofile $sysctlbad:rw
> + runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
>
> -# now test /proc/sys/ paths
> + genprofile $sysctlbad:rw
> + runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
> +}
>
> -settest sysctl_proc
> +test_sysctl_proc()
> +{
> + settest sysctl_proc
>
> -#unconfined
> -runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
> -value=`cat $sysctlgood`
> -runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
> -runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
> + #unconfined
> + runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
> + value=`cat $sysctlgood`
> + runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
> + runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
>
> -#test with profile giving access to sysctlgood
> -genprofile $sysctlgood:r
> -runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
> + #test with profile giving access to sysctlgood
> + genprofile $sysctlgood:r
> + runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
>
> -genprofile $sysctlgood:w
> -runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
> + genprofile $sysctlgood:w
> + runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
>
> -genprofile $sysctlgood:rw
> -runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
> + genprofile $sysctlgood:rw
> + runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
>
> -genprofile $sysctlgood:r
> -value=`cat $sysctlgood`
> -runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
> + genprofile $sysctlgood:r
> + value=`cat $sysctlgood`
> + runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
>
> -genprofile $sysctlgood:w
> -value=`cat $sysctlgood`
> -runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
> + genprofile $sysctlgood:w
> + value=`cat $sysctlgood`
> + runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
>
> -genprofile $sysctlgood:rw
> -value=`cat $sysctlgood`
> -runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
> + genprofile $sysctlgood:rw
> + value=`cat $sysctlgood`
> + runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
>
> -genprofile $sysctlgood:r
> -runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
> + genprofile $sysctlgood:r
> + runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
>
> -genprofile $sysctlgood:w
> -runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
> + genprofile $sysctlgood:w
> + runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
>
> -genprofile $sysctlgood:rw
> -runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
> + genprofile $sysctlgood:rw
> + runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
>
> -#test with profile giving access to sysctlbad but access to sysctlgood
> -genprofile $sysctlbad:r
> -runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
> + #test with profile giving access to sysctlbad but access to sysctlgood
> + genprofile $sysctlbad:r
> + runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
>
> -genprofile $sysctlbad:w
> -runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
> + genprofile $sysctlbad:w
> + runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
>
> -genprofile $sysctlbad:rw
> -runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
> + genprofile $sysctlbad:rw
> + runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
>
> -genprofile $sysctlbad:r
> -value=`cat $sysctlgood`
> -runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
> + genprofile $sysctlbad:r
> + value=`cat $sysctlgood`
> + runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
>
> -genprofile $sysctlbad:w
> -value=`cat $sysctlgood`
> -runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
> + genprofile $sysctlbad:w
> + value=`cat $sysctlgood`
> + runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
>
> -genprofile $sysctlbad:rw
> -value=`cat $sysctlgood`
> -runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
> + genprofile $sysctlbad:rw
> + value=`cat $sysctlgood`
> + runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
>
> -genprofile $sysctlbad:r
> -runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
> + genprofile $sysctlbad:r
> + runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
>
> -genprofile $sysctlbad:w
> -runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
> + genprofile $sysctlbad:w
> + runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
>
> -genprofile $sysctlbad:rw
> -runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
> + genprofile $sysctlbad:rw
> + runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
> +}
>
>
> +# check if the kernel supports CONFIG_SYSCTL_SYSCALL
> +# generally we want to encourage kernels to disable it, but if it's
> +# enabled we want to test against it
> +settest syscall_sysctl
> +res=$(${test} ro)
> +if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
> + echo " WARNING: syscall sysctl not implemented, skipping tests ..."
> +else
> + test_syscall_sysctl
> +fi
>
> +# now test /proc/sys/ paths
> +if [ ! -f "${sysctlgood}" ] ; then
> + echo " WARNING: proc sysctl path not found, /proc not mounted? Skipping tests ..."
> +else
> + test_sysctl_proc
> +fi
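Review bot: The probe condition `[ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ]` near the end of this hunk leaves `$res` unquoted, so the multi-word failure message is word-split and `[` rejects the expression with an error instead of matching it. That error is itself a non-zero status, so the `else` branch would run `test_syscall_sysctl` on exactly the kernels the check is meant to skip (assuming the helper prints that message on stdout). Quoting the expansion and splitting the test fixes this and also drops the non-portable `==` and `-a`: `if [ $? -ne 0 ] && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then`. The same condition appears in the earlier quoted patch, where it would keep the `exit 0` from being reached. Because a skip only prints a WARNING line, the comment above the check could also state that a skipped run gives no coverage of the syscall confinement cases, so it is not read as a pass.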
>
>
>