[apparmor] update regression tests to account for parser support of a feature

Seth Arnold seth.arnold at canonical.com
Wed Apr 29 23:42:19 UTC 2015


On Wed, Apr 29, 2015 at 03:25:10PM -0700, John Johansen wrote:
> The regression tests have an issue on backport kernels when the userspace
> has not been updated. The issue is that the regression tests detect the
> kernel feature set and generate policy that the parser may not be able
> to compile.
> 
> Augment the regression tests with a couple of simple functions to test what
> is supported by the parser, and update the test conditionals to use them.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

This looks good to me as-is; but I think the existing requires_features
and have_features ought to be renamed to reflect that they are testing the
kernel for those features.

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> 
> ---
> 
> === modified file 'tests/regression/apparmor/dbus_eavesdrop.sh'
> --- tests/regression/apparmor/dbus_eavesdrop.sh	2014-03-27 02:08:59 +0000
> +++ tests/regression/apparmor/dbus_eavesdrop.sh	2015-04-29 21:49:04 +0000
> @@ -19,6 +19,7 @@
>  
>  . $bin/prologue.inc
>  requires_features dbus
> +requires_parser_support "dbus,"
>  . $bin/dbus.inc
>  
>  args="--session"
> 
> === modified file 'tests/regression/apparmor/dbus_message.sh'
> --- tests/regression/apparmor/dbus_message.sh	2014-03-27 02:08:59 +0000
> +++ tests/regression/apparmor/dbus_message.sh	2015-04-29 21:49:04 +0000
> @@ -19,6 +19,7 @@
>  
>  . $bin/prologue.inc
>  requires_features dbus
> +requires_parser_support "dbus,"
>  . $bin/dbus.inc
>  
>  listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
> 
> === modified file 'tests/regression/apparmor/dbus_service.sh'
> --- tests/regression/apparmor/dbus_service.sh	2014-03-27 02:08:59 +0000
> +++ tests/regression/apparmor/dbus_service.sh	2015-04-29 21:49:04 +0000
> @@ -18,6 +18,7 @@
>  
>  . $bin/prologue.inc
>  requires_features dbus
> +requires_parser_support "dbus,"
>  . $bin/dbus.inc
>  
>  service="--$bus --name=$dest $path $iface"
> 
> === modified file 'tests/regression/apparmor/dbus_unrequested_reply.sh'
> --- tests/regression/apparmor/dbus_unrequested_reply.sh	2014-09-05 14:43:05 +0000
> +++ tests/regression/apparmor/dbus_unrequested_reply.sh	2015-04-29 21:49:04 +0000
> @@ -18,6 +18,7 @@
>  
>  . $bin/prologue.inc
>  requires_features dbus
> +requires_parser_support "dbus,"
>  . $bin/dbus.inc
>  
>  service="--$bus --name=$dest $path $iface"
> 
> === modified file 'tests/regression/apparmor/deleted.sh'
> --- tests/regression/apparmor/deleted.sh	2014-09-11 02:30:20 +0000
> +++ tests/regression/apparmor/deleted.sh	2015-04-29 21:49:04 +0000
> @@ -65,7 +65,7 @@
>  badperm=wl
>  af_unix=""
>  
> -if [ "$(have_features network/af_unix)" == "true" ]; then
> +if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
>  	af_unix="unix:create"
>  fi
>  
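Review bot: The new condition joins two comparisons with `-a` inside a single `[ ]`, a form POSIX marks obsolescent because the parse becomes ambiguous as operands are added. Writing it as `if [ "$(have_features network/af_unix)" == "true" ] && [ "$(parser_supports 'unix,')" == "true" ]; then` keeps the meaning and also skips the parser run when the kernel check has already failed. The same form recurs in the named_pipe.sh, ptrace.sh, socketpair.sh, unix_fd_server.sh and unix_socket_pathname.sh hunks, and with `-o` (which would become `||`) in mount.sh and pivot_root.sh.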
> 
> === modified file 'tests/regression/apparmor/mount.sh'
> --- tests/regression/apparmor/mount.sh	2014-04-24 19:24:54 +0000
> +++ tests/regression/apparmor/mount.sh	2015-04-29 21:49:04 +0000
> @@ -102,7 +102,7 @@
>  remove_mnt
>  
>  
> -if [ "$(have_features mount)" != "true" ] ; then
> +if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
>  	genprofile capability:sys_admin
>  	runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
>  	remove_mnt
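Review bot: The fallback branch taken when `parser_supports 'mount,'` fails asserts that `capability:sys_admin` alone lets the mount succeed, and nothing in the log says which of the two conditions sent the test there. Because `parser_supports` is called inside `$(...)`, its "Compiler does not support rule" message is discarded, so a run where mount mediation went untested looks the same as a run on an old kernel. A line such as `echo "mount: kernel or parser lacks mount rule support, testing capability-only behaviour" >&2` at the top of the branch would make the reduced coverage visible. The same applies to the pivot_root.sh hunk, and the `if` body continues outside this hunk.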
> 
> === modified file 'tests/regression/apparmor/named_pipe.sh'
> --- tests/regression/apparmor/named_pipe.sh	2014-06-11 04:05:44 +0000
> +++ tests/regression/apparmor/named_pipe.sh	2015-04-29 21:49:04 +0000
> @@ -38,7 +38,7 @@
>  # Add genprofile params that are common to all hats here
>  common=""
>  
> -if [ "$(have_features signal)" == "true" ] ; then
> +if [ "$(have_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
>  	# Allow send/receive of all signals
>  	common="${common} signal:ALL"
>  fi
> 
> === modified file 'tests/regression/apparmor/pivot_root.sh'
> --- tests/regression/apparmor/pivot_root.sh	2015-03-31 09:46:45 +0000
> +++ tests/regression/apparmor/pivot_root.sh	2015-04-29 21:49:04 +0000
> @@ -106,8 +106,8 @@
>  genprofile
>  do_test "no perms" fail "$put_old" "$new_root" "$test"
>  
> -if [ "$(have_features mount)" != "true" ] ; then
> -	# pivot_root mediation isn't supported by this kernel, so verify that
> +if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
> +	# pivot_root mediation isn't supported by this kernel/parser, so verify that
>  	# capability sys_admin is sufficient and skip the remaining tests
>  	genprofile $cur $cap
>  	do_test "cap" pass "$put_old" "$new_root" "$test"
> 
> === modified file 'tests/regression/apparmor/prologue.inc'
> --- tests/regression/apparmor/prologue.inc	2014-10-09 19:30:34 +0000
> +++ tests/regression/apparmor/prologue.inc	2015-04-29 21:49:04 +0000
> @@ -58,6 +58,30 @@
>  	fi
>  }
>  
> +parser_supports()
> +{
> +	for R in $@ ; do
> +		echo "/test { $R }" | $subdomain ${parser_args} -qQT 2>/dev/null 1>/dev/null
> +		if [ $? -ne 0 ] ; then
> +			echo "Compiler does not support rule '$R'"
> +			return 1;
> +		fi
> +	done
> +
> +	echo "true"
> +	return 0;
> +}
> +
> +requires_parser_support()
> +{
> +	local res=$(parser_supports $@)
> +	if [ "$res" != "true" ] ; then
> +		echo "$res. Skipping tests ..."
> +		exit 0
> +	fi
> +}
> +
> +
>  fatalerror()
>  {
>  	# global _fatal
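Review bot: `parser_supports` iterates over an unquoted `$@`, and `requires_parser_support` forwards it unquoted as well, so a rule containing spaces would be split into words and each fragment compiled as its own rule. The loop variable `R` also leaks into the sourcing script, and `local res=$(...)` hides the function's exit status. Separately, every parser failure counts as "unsupported" because stderr is dropped, so a missing or misconfigured `$subdomain` would make `requires_parser_support` skip the whole test with `exit 0`. Compiling an empty `/test { }` profile first, and treating a failure of that as an error rather than a skip, would keep a broken setup from passing silently. The fence shows the quoting and `local` changes only.

```shell
parser_supports()
{
	local rule
	for rule in "$@" ; do
		if ! echo "/test { $rule }" | $subdomain ${parser_args} -qQT >/dev/null 2>&1 ; then
			echo "Compiler does not support rule '$rule'"
			return 1
		fi
	done
	# … unchanged: echo "true" and return 0 …
}

requires_parser_support()
{
	local res
	res=$(parser_supports "$@")
	# … unchanged: skip message and exit 0 when res is not "true" …
}
```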
> 
> === modified file 'tests/regression/apparmor/ptrace.sh'
> --- tests/regression/apparmor/ptrace.sh	2014-04-23 18:44:41 +0000
> +++ tests/regression/apparmor/ptrace.sh	2015-04-29 21:49:04 +0000
> @@ -52,7 +52,7 @@
>  runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
>  
>  
> -if [ "$(have_features ptrace)" == "true" ] ; then
> +if [ "$(have_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
>  	. $bin/ptrace_v6.inc
>  else
>  	. $bin/ptrace_v5.inc
> 
> === modified file 'tests/regression/apparmor/socketpair.sh'
> --- tests/regression/apparmor/socketpair.sh	2014-09-18 19:04:29 +0000
> +++ tests/regression/apparmor/socketpair.sh	2015-04-29 21:49:04 +0000
> @@ -34,7 +34,7 @@
>  af_unix_create_label=""
>  af_unix_inherit=""
>  
> -if [ "$(have_features network/af_unix)" == "true" ]; then
> +if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
>  	# AppArmor requires that the process inheriting the sock file
>  	# descriptors have send,receive perms in its profile
>  	af_unix_create="unix:(create,getopt)"
> 
> === modified file 'tests/regression/apparmor/unix_fd_server.sh'
> --- tests/regression/apparmor/unix_fd_server.sh	2014-09-11 02:30:27 +0000
> +++ tests/regression/apparmor/unix_fd_server.sh	2015-04-29 21:49:04 +0000
> @@ -27,7 +27,7 @@
>  badperm=w
>  af_unix=""
>  
> -if [ "$(have_features network/af_unix)" == "true" ]; then
> +if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
>  	af_unix="unix:create"
>  fi
>  
> @@ -137,7 +137,7 @@
>  sleep 1
>  rm -f ${socket}
>  
> -if [ "$(have_features policy/versions/v6)" == "true" ] ; then
> +if [ "$(have_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
>      # FAIL - confined client, no access to the socket file
>  
>      genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix 
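Review bot: This condition ties the `policy/versions/v6` branch to `parser_supports 'unix,'`, yet the profile built on the `genprofile` line only carries unix rules through `$af_unix`, which the first hunk of this file already leaves empty when the parser lacks support. If the intent is that the v6 expectations hold only when unix rules can be compiled, a comment above the `if` would make that explicit, for example `# needs v6 policy in the kernel and 'unix,' rule support in the parser; otherwise use the else branch`. If that is not the intent, the extra test looks unnecessary and moves old-parser runs into the other branch. The `if`/`else` continues outside the hunk, so the effect on the else-side expectations cannot be checked from here.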
> 
> === modified file 'tests/regression/apparmor/unix_socket_abstract.sh'
> --- tests/regression/apparmor/unix_socket_abstract.sh	2014-09-29 23:49:13 +0000
> +++ tests/regression/apparmor/unix_socket_abstract.sh	2015-04-29 21:49:04 +0000
> @@ -30,6 +30,7 @@
>  . $bin/unix_socket.inc
>  requires_features policy/versions/v7
>  requires_features network/af_unix
> +requires_parser_support "unix,"
>  
>  settest unix_socket
>  
> 
> === modified file 'tests/regression/apparmor/unix_socket_pathname.sh'
> --- tests/regression/apparmor/unix_socket_pathname.sh	2014-10-09 05:32:01 +0000
> +++ tests/regression/apparmor/unix_socket_pathname.sh	2015-04-29 21:49:04 +0000
> @@ -52,7 +52,7 @@
>  # af_unix support requires 'unix getattr' to call getsockname()
>  af_unix_okserver=
>  af_unix_okclient=
> -if [ "$(have_features network/af_unix)" == "true" ] ; then
> +if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
>  	af_unix_okserver="create,setopt"
>  	af_unix_okclient="create,getopt,setopt,getattr"
>  fi
> 
> === modified file 'tests/regression/apparmor/unix_socket_unnamed.sh'
> --- tests/regression/apparmor/unix_socket_unnamed.sh	2014-09-30 17:00:10 +0000
> +++ tests/regression/apparmor/unix_socket_unnamed.sh	2015-04-29 21:49:04 +0000
> @@ -30,6 +30,7 @@
>  . $bin/unix_socket.inc
>  requires_features policy/versions/v7
>  requires_features network/af_unix
> +requires_parser_support "unix,"
>  
>  settest unix_socket
>  
> 
> 