[apparmor] [patch 26/26] Update test scripts for ptrace rules.
John Johansen
john.johansen at canonical.com
Fri Mar 28 14:25:40 UTC 2014
This is a partial update of the test patches for the newer ptrace and
signal semantics around unconfined.
diff -u ../tests.bak/exec_qual.sh ./exec_qual.sh
--- ../tests.bak/exec_qual.sh 2014-03-28 06:47:51.782735000 -0700
+++ ./exec_qual.sh 2014-03-28 06:56:05.694735000 -0700
@@ -72,28 +72,28 @@
# child profile grants access
# expected behaviour: child should be able to access resource
-genprofile $test2:px $file:$fileperm -- image=$test2 $file:$fileperm
+genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined -- image=$test2 $file:$fileperm
local_runchecktest "enforce px case1" pass $test2 $test2 $file
# case 2: parent profile grants access (should be irrelevant)
# child profile disallows access
# expected behaviour: child should be unable to access resource
-genprofile $test2:px $file:$fileperm -- image=$test2
+genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined -- image=$test2
local_runchecktest "enforce px case2" fail $test2 $test2 $file
# case 3: parent profile disallows access (should be irrelevant)
# child profile allows access
# expected behaviour: child should be able to access resource
-genprofile $test2:px -- image=$test2 $file:$fileperm
+genprofile $test2:px signal:receive:peer=unconfined -- image=$test2 $file:$fileperm
local_runchecktest "enforce px case3" pass $test2 $test2 $file
# case 4: parent profile grants access (should be irrelevant)
# missing child profile
# expected behaviour: exec of child fails
-genprofile $test2:px $file:$fileperm
+genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined
local_runchecktest "enforce px case4" fail "n/a" $test2 $file
# confined parent, exec child with 'ix'
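Review bot: In the px cases the new `signal:receive:peer=unconfined` rule is placed only before `--`, so the `image=$test2` child profile still has no signal rule, while the unconfined-parent cases in the third exec_qual.sh hunk do add it to the `image=$test2` profile. If the process running under the child profile is ever signalled by the unconfined harness (not visible in this hunk), "enforce px case2", which expects `fail`, could fail because of the signal denial rather than the file denial, and that would hide a regression in file mediation. Either add the rule after `--` as well, e.g. `genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined -- image=$test2 signal:receive:peer=unconfined`, or add a comment stating that only the parent is signalled.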
@@ -101,41 +101,41 @@
# child profile grants access (should be irrelevant)
# expected behaviour: child should be able to access resource
-genprofile $test2:rix $file:$fileperm -- image=$test2 $file:$fileperm
+genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined -- image=$test2 $file:$fileperm
local_runchecktest "enforce ix case1" pass $test1 $test2 $file
# case 2: parent profile grants access
# child profile disallows access (should be irrelevant)
# expected behaviour: child should be able to access resource
-genprofile $test2:rix $file:$fileperm -- image=$test2
+genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined -- image=$test2
local_runchecktest "enforce ix case2" pass $test1 $test2 $file
# case 3: parent profile disallows access
# child profile allows access (should be irrelevant)
# expected behaviour: child should be unable to access resource
-genprofile $test2:rix -- image=$test2 $file:$fileperm
+genprofile $test2:rix signal:receive:peer=unconfined -- image=$test2 $file:$fileperm
local_runchecktest "enforce ix case3" fail $test1 $test2 $file
# case 4: parent profile grants access
# missing child profile (irrelvant)
# expected behaviour: child should be able to access resource
-genprofile $test2:rix $file:$fileperm
+genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined
local_runchecktest "enforce ix case4" pass $test1 $test2 $file
# confined parent, exec child with 'ux'
# case 1: parent profile grants access (should be irrelevant)
# expected behaviour, child should be able to access resource
-genprofile $test2:ux $file:$fileperm
+genprofile $test2:ux $file:$fileperm signal:receive:peer=unconfined
local_runchecktest "enforce ux case1" pass "unconfined" $test2 $file
# case 2: parent profile denies access (should be irrelevant)
# expected behaviour, child should be able to access resource
-genprofile $test2:ux
+genprofile $test2:ux signal:receive:peer=unconfined
local_runchecktest "enforce ux case1" pass "unconfined" $test2 $file
# confined parent, exec child with conflicting exec qualifiers
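Review bot: The second ux case still reports under the label "enforce ux case1" (the context line after `genprofile $test2:ux signal:receive:peer=unconfined`), so a failure in either ux case cannot be told apart in the test output. Since this commit touches the adjacent line, change it to `local_runchecktest "enforce ux case2" pass "unconfined" $test2 $file`. The comment typo `irrelvant` in ix case 4 could be fixed at the same time.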
@@ -144,20 +144,20 @@
# case 1:
# expected behaviour: exec of child passes
-genprofile $test2:px $test2_rex1:ix -- image=$test2 $file:$fileperm
+genprofile $test2:px $test2_rex1:ix signal:receive:peer=unconfined -- image=$test2 $file:$fileperm
local_runchecktest "enforce conflicting exec qual" pass $test2 $test2 $file
# unconfined parent
# case 1: child profile exists, child profile grants access
# expected behaviour: child should be able to access resource
-genprofile image=$test2 $file:$fileperm
+genprofile image=$test2 $file:$fileperm signal:receive:peer=unconfined
local_runchecktest "enforce unconfined case1" pass $test2 $test2 $file
# case 2: child profile exists, child profile denies access
# expected behaviour: child should be unable to access resource
-genprofile image=$test2
+genprofile image=$test2 signal:receive:peer=unconfined
local_runchecktest "enforce unconfined case2" fail $test2 $test2 $file
# case 3: no child profile exists, unconfined
diff -u ../tests.bak/mmap.sh ./mmap.sh
--- ../tests.bak/mmap.sh 2014-03-28 06:47:51.758735000 -0700
+++ ./mmap.sh 2014-03-28 06:52:27.254735000 -0700
@@ -29,7 +29,7 @@
# PASS TEST (pt 1)
-genprofile $file:$okperm
+genprofile $file:$okperm signal:receive:peer=unconfined
runtestbg "READ/WRITE pass1" pass $file
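Review bot: The rule `signal:receive:peer=unconfined` is added here without a comment saying why a file-access test needs it, and the same literal is repeated in the second mmap.sh hunk and in pwrite.sh, rw.sh and exec_qual.sh. A comment above the first `genprofile`, such as `# the unconfined harness signals the backgrounded test, so the profile must allow receipt`, would record the reason (presumably that is it, given `runtestbg`; confirm). Defining the rule once in a variable shared by the scripts would keep a later change, for example narrowing it to the signals the harness actually sends, in one place.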
@@ -47,13 +47,13 @@
# FAILURE TEST (pt 1)
-genprofile $file:$okperm
+genprofile $file:$okperm signal:receive:peer=unconfined
runtestbg "READ/WRITE pass2" pass $file
sleep 2
-genprofile $file:$badperm
+genprofile $file:$badperm signal:receive:peer=unconfined
# FAILURE TEST (pt 2)
Common subdirectories: ../tests.bak/netdomain and ./netdomain
diff -u ../tests.bak/pwrite.sh ./pwrite.sh
--- ../tests.bak/pwrite.sh 2014-03-28 06:47:51.758735000 -0700
+++ ./pwrite.sh 2014-03-28 06:53:20.586735000 -0700
@@ -23,7 +23,7 @@
# PASS TEST (pass 1)
-genprofile $file:$okperm
+genprofile $file:$okperm signal:receive:peer=unconfined
runtestbg "PREAD/PWRITE with rw" pass $file
diff -u ../tests.bak/rw.sh ./rw.sh
--- ../tests.bak/rw.sh 2014-03-28 06:47:51.754735000 -0700
+++ ./rw.sh 2014-03-28 06:49:24.822735000 -0700
@@ -29,7 +29,7 @@
# PASS TEST (pt 1)
-genprofile $file:$okperm
+genprofile $file:$okperm signal:receive:peer=unconfined
runtestbg "READ/WRITE pass" pass $file
Common subdirectories: ../tests.bak/scripts and ./scripts
Common subdirectories: ../tests.bak/TODO and ./TODO
Only in ./: update.patch