[apparmor] [PATCH] tests: Add ptrace tests for LP: #1390592

[Tyler Hicks]

These regression tests are for an Ubuntu-specific bug. However, they
should benefit the upstream project, as well. Ubuntu took an incomplete
version of a patch, which introduced the bug. The version of that patch
that landed upstream did not contain the bug.

The bug was in policy compilation of certain combinations of rule types,
conditionals, and conditional values. The easiest such combination to
test is a rule such as:

  ptrace peer=ABC,

Buggy parsers will generate binary policy that causes the kernel to deny
a ptrace of a process confined by ABC, despite the presence of the above
rule.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/ptrace_v6.inc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/regression/apparmor/ptrace_v6.inc b/tests/regression/apparmor/ptrace_v6.inc
index d691b4e..3778155 100644
--- a/tests/regression/apparmor/ptrace_v6.inc
+++ b/tests/regression/apparmor/ptrace_v6.inc
@@ -402,6 +402,15 @@ runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
 runchecktest "test 15p -hc" fail -h -c -n 100 $helper
 runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
 
+# Test LP: #1390592
+# The bug was a policy compilation bug that triggers in a rule such as
+# 'ptrace peer=ABC,'. The first character of the peer conditional value must be
+# a-f|A-F|0-9 to trigger the bug. A parser affected by this bug will create a
+# bad binary policy that causes the kernel to unexpectedly deny the ptrace
+# 'trace' of a process confined by profile ABC.
+genprofile "$helper rpx -> ABC" signal:ALL ptrace:trace:peer=ABC -- image=ABC addimage:$helper /bin/true:rix signal:ALL ptrace:tracedby:peer=$test
+runchecktest "test LP: #1390592 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test LP: #1390592 -hc prog" pass -h -c -n 100 $helper /bin/true
 
 ## TODO: ptrace read tests
 ## TODO: ptrace + change_profile
-- 
2.1.0