[apparmor] [PATCH 2/4] tests: Improve mount rule tests
John Johansen
john.johansen at canonical.com
Wed Mar 26 22:33:43 UTC 2014
On 03/26/2014 10:17 AM, Tyler Hicks wrote:
> On 2014-03-26 12:00:46, Tyler Hicks wrote:
>> From: John Johansen <john.johansen at canonical.com>
>>
>> The mount.sh regression test script was not testing with actual AppArmor
>> mount rules. This patch improves mkprofile.pl by adding the ability to
>> generate mount rules and adds tests to mount.sh that verify mount
>> mediation is working properly.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> [tyhicks: Fixed a couple typos and added fstype tests]
>> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
>
looks good, thanks Acked-by: ...
> I wanted to point out the changes that I made to your original mount test
> changes.
>
> - sbeattie noticed that gen_remount() was mistyped as gen_reount()
> - gen_umount() had a typo where the last conditional (@rules == 7) generated a
> mount rule instead of a umount rule
> - The second part of remove_mnt() incorrectly checked to see if ${mount_point}
> was mounted before unmounting ${mount_bad}
> - I added a fail test and a pass test for a "mount fstype=ext2," rule since
> lxc uses this type of rule in Ubuntu
>
> Here's the incremental diff:
>
> diff --git a/tests/regression/apparmor/mkprofile.pl b/tests/regression/apparmor/mkprofile.pl
> index eedc70d..9572d0f 100755
> --- a/tests/regression/apparmor/mkprofile.pl
> +++ b/tests/regression/apparmor/mkprofile.pl
> @@ -230,7 +230,7 @@ sub gen_mount($) {
> }
> }
>
> -sub gen_reount($) {
> +sub gen_remount($) {
> my $rule = shift;
> my @rules = split (/:/, $rule);
> if (@rules == 2) {
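Review bot: the misspelled sub name gen_reount on the removed line was only caught by a reader, which suggests no test in the suite reaches this generator. The hunk does not show the caller, so confirm that mount.sh has at least one case that builds a remount rule through mkprofile.pl. A missing or misnamed generator should fail the run rather than quietly yield a profile without the rule.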
> @@ -272,7 +272,7 @@ sub gen_umount($) {
> } elsif (@rules == 6) {
> push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
> } elsif (@rules == 7) {
> - push (@{$output_rules{$hat}}, " mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
> + push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
> } else {
> (!$nowarn) && print STDERR "Warning: invalid umount description '$rule', ignored\n";
> }
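Review bot: the @rules == 6 and @rules == 7 branches differ only in how many $rules[n] fields they spell out, and that per-count copy is how the stray mount keyword ended up in the 7-field branch. For the branches that only concatenate fields, consider building the rule once from the field list, for example with join(' ', @rules[1..$#rules]). Keep the count check only for the invalid-description warning, so that the umount keyword is written in one place.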
> diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
> index f566e50..dc46601 100755
> --- a/tests/regression/apparmor/mount.sh
> +++ b/tests/regression/apparmor/mount.sh
> @@ -30,24 +30,25 @@ mount_file=$tmpdir/mountfile
> mount_point=$tmpdir/mountpoint
> mount_bad=$tmpdir/mountbad
> loop_device="unset"
> +fstype="ext2"
>
> setup_mnt() {
> - /bin/mount -text2 ${loop_device} ${mount_point}
> -# /bin/mount -text2 ${loop_device} ${mount_bad}
> + /bin/mount -t${fstype} ${loop_device} ${mount_point}
> +# /bin/mount -t${fstype} ${loop_device} ${mount_bad}
> }
> remove_mnt() {
> mountpoint -q "${mount_point}"
> if [ $? -eq 0 ] ; then
> - /bin/umount -text2 ${mount_point}
> + /bin/umount -t${fstype} ${mount_point}
> fi
> - mountpoint -q "${mount_point}"
> + mountpoint -q "${mount_bad}"
> if [ $? -eq 0 ] ; then
> - /bin/umount -text2 ${mount_bad}
> + /bin/umount -t${fstype} ${mount_bad}
> fi
> }
>
> dd if=/dev/zero of=${mount_file} bs=1024 count=512 2> /dev/null
> -/sbin/mkfs -text2 -F ${mount_file} > /dev/null 2> /dev/null
> +/sbin/mkfs -t${fstype} -F ${mount_file} > /dev/null 2> /dev/null
> /bin/mkdir ${mount_point}
> /bin/mkdir ${mount_bad}
>
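Review bot: in setup_mnt() and remove_mnt() the mount and umount calls pass ${loop_device}, ${mount_point} and ${mount_bad} unquoted, while the mountpoint -q checks next to them quote the same variables. Since these lines are being touched anyway, quote the expansions and write the type as -t "${fstype}", so that a $tmpdir containing whitespace cannot split the arguments. The commented-out mount of ${mount_bad} in setup_mnt() was updated as well. Either drop it or say in a comment why it is kept, now that remove_mnt() really does check ${mount_bad}.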
> @@ -145,6 +146,14 @@ else
> remove_mnt
>
>
> + genprofile cap:sys_admin "mount:fstype=${fstype}XXX"
> + runchecktest "MOUNT (confined cap mount bad fstype)" fail mount ${loop_device} ${mount_point}
> + remove_mnt
> +
> + genprofile cap:sys_admin "mount:fstype=${fstype}"
> + runchecktest "MOUNT (confined cap mount fstype)" pass mount ${loop_device} ${mount_point}
> + remove_mnt
> +
>
> genprofile cap:sys_admin umount:ALL
> setup_mnt
>
>
>
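Review bot: the two added runchecktest lines pass only ${loop_device} and ${mount_point} to the mount helper, so nothing visible here ties the type the helper mounts with to the new ${fstype} variable used in the genprofile rules. If the helper fixes the type internally, changing fstype at the top of the script would turn the pass case into a failure. Either pass the type through or note the dependency in a comment. A one-line comment above the pair saying that the "mount fstype=ext2," form is covered because lxc uses it in Ubuntu would also keep the reason from the cover text with the tests.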