[apparmor] [PATCH 2/4] tests: Improve mount rule tests
Tyler Hicks
tyhicks at canonical.com
Wed Mar 26 17:17:11 UTC 2014
On 2014-03-26 12:00:46, Tyler Hicks wrote:
> From: John Johansen <john.johansen at canonical.com>
>
> The mount.sh regression test script was not testing with actual AppArmor
> mount rules. This patch improves mkprofile.pl by adding the ability to
> generate mount rules and adds tests to mount.sh that verify mount
> mediation is working properly.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> [tyhicks: Fixed a couple typos and added fstype tests]
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
I wanted to point out the changes that I made to your original mount test
changes.
- sbeattie noticed that gen_remount() was mistyped as gen_reount()
- gen_umount() had a typo where the last conditional (@rules == 7) generated a
mount rule instead of a umount rule
- The second part of remove_mnt() incorrectly checked to see if ${mount_point}
was mounted before unmounting ${mount_bad}
- I added a fail test and a pass test for a "mount fstype=ext2," rule since
lxc uses this type of rule in Ubuntu
Here's the incremental diff:
diff --git a/tests/regression/apparmor/mkprofile.pl b/tests/regression/apparmor/mkprofile.pl
index eedc70d..9572d0f 100755
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -230,7 +230,7 @@ sub gen_mount($) {
}
}
-sub gen_reount($) {
+sub gen_remount($) {
my $rule = shift;
my @rules = split (/:/, $rule);
if (@rules == 2) {
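Review bot: The corrected name gen_remount() on the + line is only half of the fix if the caller is not checked: the code that dispatches a remount description to this sub is outside the hunk, and Perl resolves sub names at call time, so a mismatch stays silent until a remount rule is actually generated. Confirm the call site uses gen_remount, and make sure mount.sh passes at least one remount description through genprofile so that a misspelling like this fails the test run.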
@@ -272,7 +272,7 @@ sub gen_umount($) {
} elsif (@rules == 6) {
push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
} elsif (@rules == 7) {
- push (@{$output_rules{$hat}}, " mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
+ push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
} else {
(!$nowarn) && print STDERR "Warning: invalid umount description '$rule', ignored\n";
}
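Review bot: The (@rules == 7) branch repeats the (@rules == 6) line with one more field, which is how the mount/umount slip got in, and the per-count elsif chain invites the same copy-paste error again. Consider building the rule once from the fields, e.g. " umount " . join(" ", @rules[1..$#rules]) . ",\n", and keeping only the bounds check that leads to the "invalid umount description" warning. A test that generates a umount description splitting into seven fields would also cover this branch.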
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index f566e50..dc46601 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -30,24 +30,25 @@ mount_file=$tmpdir/mountfile
mount_point=$tmpdir/mountpoint
mount_bad=$tmpdir/mountbad
loop_device="unset"
+fstype="ext2"
setup_mnt() {
- /bin/mount -text2 ${loop_device} ${mount_point}
-# /bin/mount -text2 ${loop_device} ${mount_bad}
+ /bin/mount -t${fstype} ${loop_device} ${mount_point}
+# /bin/mount -t${fstype} ${loop_device} ${mount_bad}
}
remove_mnt() {
mountpoint -q "${mount_point}"
if [ $? -eq 0 ] ; then
- /bin/umount -text2 ${mount_point}
+ /bin/umount -t${fstype} ${mount_point}
fi
- mountpoint -q "${mount_point}"
+ mountpoint -q "${mount_bad}"
if [ $? -eq 0 ] ; then
- /bin/umount -text2 ${mount_bad}
+ /bin/umount -t${fstype} ${mount_bad}
fi
}
dd if=/dev/zero of=${mount_file} bs=1024 count=512 2> /dev/null
-/sbin/mkfs -text2 -F ${mount_file} > /dev/null 2> /dev/null
+/sbin/mkfs -t${fstype} -F ${mount_file} > /dev/null 2> /dev/null
/bin/mkdir ${mount_point}
/bin/mkdir ${mount_bad}
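Review bot: In remove_mnt() the corrected mountpoint -q "${mount_bad}" check guards a mount that setup_mnt() never makes, because its ${mount_bad} line is still commented out; add a comment saying which tests are expected to leave ${mount_bad} mounted, or drop the commented line. The mount and umount calls also leave ${loop_device}, ${mount_point} and ${mount_bad} unquoted while the mountpoint -q calls quote them; quote them consistently, since they are built from $tmpdir. The mkfs line sends both stdout and stderr to /dev/null, so a failure to create the ${fstype} filesystem would only surface later as unrelated-looking test failures; check its exit status.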
@@ -145,6 +146,14 @@ else
remove_mnt
+ genprofile cap:sys_admin "mount:fstype=${fstype}XXX"
+ runchecktest "MOUNT (confined cap mount bad fstype)" fail mount ${loop_device} ${mount_point}
+ remove_mnt
+
+ genprofile cap:sys_admin "mount:fstype=${fstype}"
+ runchecktest "MOUNT (confined cap mount fstype)" pass mount ${loop_device} ${mount_point}
+ remove_mnt
+
genprofile cap:sys_admin umount:ALL
setup_mnt
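Review bot: Both new runchecktest lines call the mount helper with only ${loop_device} and ${mount_point}, so the filesystem type it mounts is not tied to the new fstype variable; if the helper hard-codes ext2, changing fstype="ext2" would make the pass test fail for a reason unrelated to mediation. Pass the type to the helper or note the dependency in a comment. The fail case "mount:fstype=${fstype}XXX" only shows that a longer, nonexistent type name does not match; a second fail case using a rule for a different real filesystem type would strengthen the negative test, and a one-line comment that the fstype= form is what lxc uses in Ubuntu would explain why these tests exist.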