[apparmor] update regression tests to account for parser support of a feature
John Johansen
john.johansen at canonical.com
Thu Apr 30 01:31:43 UTC 2015
On 04/29/2015 04:42 PM, Seth Arnold wrote:
> On Wed, Apr 29, 2015 at 03:25:10PM -0700, John Johansen wrote:
>> The regression tests have an issue on backport kernels when the userspace
>> has not been updated. The issue is that the regression tests detect the
>> kernel feature set and generate policy that the parser may not be able
>> to compile.
>>
>> Augment the regression tests with a couple of simple functions to test what
>> is supported by the parser, and update the test conditionals to use them.
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>
> This looks good to me as-is; but I think the existing requires_features
> and have_features ought to be renamed to reflect that they are testing the
> kernel for those features.
>
Right, I was thinking of a couple of follow-on patches:
rename have_features -> kernel_features
requires_features -> requires_kernel_features
and then another patch that reintroduces have_features and requires_features
for the common uses. I think we would have to specify the current sets as
pairs unless we can come up with a good way to provide a mapping, so
requires_features "network/af_unix" "unix,"
and it would expand into
$(requires_kernel_features "network/af_unix") == "true" -a $(parser_supports "unix,") == "true"
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
>
> Thanks
>
>>
>> ---
>>
>> === modified file 'tests/regression/apparmor/dbus_eavesdrop.sh'
>> --- tests/regression/apparmor/dbus_eavesdrop.sh 2014-03-27 02:08:59 +0000
>> +++ tests/regression/apparmor/dbus_eavesdrop.sh 2015-04-29 21:49:04 +0000
>> @@ -19,6 +19,7 @@
>>
>> . $bin/prologue.inc
>> requires_features dbus
>> +requires_parser_support "dbus,"
>> . $bin/dbus.inc
>>
>> args="--session"
>>
>> === modified file 'tests/regression/apparmor/dbus_message.sh'
>> --- tests/regression/apparmor/dbus_message.sh 2014-03-27 02:08:59 +0000
>> +++ tests/regression/apparmor/dbus_message.sh 2015-04-29 21:49:04 +0000
>> @@ -19,6 +19,7 @@
>>
>> . $bin/prologue.inc
>> requires_features dbus
>> +requires_parser_support "dbus,"
>> . $bin/dbus.inc
>>
>> listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
>>
>> === modified file 'tests/regression/apparmor/dbus_service.sh'
>> --- tests/regression/apparmor/dbus_service.sh 2014-03-27 02:08:59 +0000
>> +++ tests/regression/apparmor/dbus_service.sh 2015-04-29 21:49:04 +0000
>> @@ -18,6 +18,7 @@
>>
>> . $bin/prologue.inc
>> requires_features dbus
>> +requires_parser_support "dbus,"
>> . $bin/dbus.inc
>>
>> service="--$bus --name=$dest $path $iface"
>>
>> === modified file 'tests/regression/apparmor/dbus_unrequested_reply.sh'
>> --- tests/regression/apparmor/dbus_unrequested_reply.sh 2014-09-05 14:43:05 +0000
>> +++ tests/regression/apparmor/dbus_unrequested_reply.sh 2015-04-29 21:49:04 +0000
>> @@ -18,6 +18,7 @@
>>
>> . $bin/prologue.inc
>> requires_features dbus
>> +requires_parser_support "dbus,"
>> . $bin/dbus.inc
>>
>> service="--$bus --name=$dest $path $iface"
>>
>> === modified file 'tests/regression/apparmor/deleted.sh'
>> --- tests/regression/apparmor/deleted.sh 2014-09-11 02:30:20 +0000
>> +++ tests/regression/apparmor/deleted.sh 2015-04-29 21:49:04 +0000
>> @@ -65,7 +65,7 @@
>> badperm=wl
>> af_unix=""
>>
>> -if [ "$(have_features network/af_unix)" == "true" ]; then
>> +if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
>> af_unix="unix:create"
>> fi
>>
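Review bot: The new condition joins two tests with `-a` inside one `[ ]`, a form POSIX marks obsolescent and which can be parsed ambiguously when an operand happens to look like an operator. The unambiguous spelling is `[ "$(have_features network/af_unix)" == "true" ] && [ "$(parser_supports 'unix,')" == "true" ]`, with `||` between two `[ ]` tests where the patch uses `-o`. The same `-a`/`-o` pattern is added in mount.sh, named_pipe.sh, pivot_root.sh, ptrace.sh, socketpair.sh, unix_fd_server.sh and unix_socket_pathname.sh.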
>>
>> === modified file 'tests/regression/apparmor/mount.sh'
>> --- tests/regression/apparmor/mount.sh 2014-04-24 19:24:54 +0000
>> +++ tests/regression/apparmor/mount.sh 2015-04-29 21:49:04 +0000
>> @@ -102,7 +102,7 @@
>> remove_mnt
>>
>>
>> -if [ "$(have_features mount)" != "true" ] ; then
>> +if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
>> genprofile capability:sys_admin
>> runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
>> remove_mnt
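Review bot: The fallback branch now also runs when the kernel does mediate mount but the parser cannot compile `mount,` rules, and nothing at the `if` records why `capability:sys_admin` alone is still expected to pass in that case. Whether it does depends on the kernel not enforcing mount mediation for policy compiled without mount rules, which is not visible in this hunk. A comment like the one updated in pivot_root.sh would help, for example `# mount mediation isn't supported by this kernel/parser, so only verify that capability sys_admin is sufficient`. The branch continues outside the hunk.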
>>
>> === modified file 'tests/regression/apparmor/named_pipe.sh'
>> --- tests/regression/apparmor/named_pipe.sh 2014-06-11 04:05:44 +0000
>> +++ tests/regression/apparmor/named_pipe.sh 2015-04-29 21:49:04 +0000
>> @@ -38,7 +38,7 @@
>> # Add genprofile params that are common to all hats here
>> common=""
>>
>> -if [ "$(have_features signal)" == "true" ] ; then
>> +if [ "$(have_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
>> # Allow send/receive of all signals
>> common="${common} signal:ALL"
>> fi
>>
>> === modified file 'tests/regression/apparmor/pivot_root.sh'
>> --- tests/regression/apparmor/pivot_root.sh 2015-03-31 09:46:45 +0000
>> +++ tests/regression/apparmor/pivot_root.sh 2015-04-29 21:49:04 +0000
>> @@ -106,8 +106,8 @@
>> genprofile
>> do_test "no perms" fail "$put_old" "$new_root" "$test"
>>
>> -if [ "$(have_features mount)" != "true" ] ; then
>> - # pivot_root mediation isn't supported by this kernel, so verify that
>> +if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
>> + # pivot_root mediation isn't supported by this kernel/parser, so verify that
>> # capability sys_admin is sufficient and skip the remaining tests
>> genprofile $cur $cap
>> do_test "cap" pass "$put_old" "$new_root" "$test"
>>
>> === modified file 'tests/regression/apparmor/prologue.inc'
>> --- tests/regression/apparmor/prologue.inc 2014-10-09 19:30:34 +0000
>> +++ tests/regression/apparmor/prologue.inc 2015-04-29 21:49:04 +0000
>> @@ -58,6 +58,30 @@
>> fi
>> }
>>
>> +parser_supports()
>> +{
>> + for R in $@ ; do
>> + echo "/test { $R }" | $subdomain ${parser_args} -qQT 2>/dev/null 1>/dev/null
>> + if [ $? -ne 0 ] ; then
>> + echo "Compiler does not support rule '$R'"
>> + return 1;
>> + fi
>> + done
>> +
>> + echo "true"
>> + return 0;
>> +}
>> +
>> +requires_parser_support()
>> +{
>> + local res=$(parser_supports $@)
>> + if [ "$res" != "true" ] ; then
>> + echo "$res. Skipping tests ..."
>> + exit 0
>> + fi
>> +}
>> +
>> +
>> fatalerror()
>> {
>> # global _fatal
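Review bot: In `parser_supports`, `for R in $@` is unquoted, so a rule containing whitespace or a glob character is split and each fragment is probed on its own; `R` is also not `local`, so it leaks into every test script that sources prologue.inc. Suggest `local R`, `for R in "$@" ; do`, and in `requires_parser_support` `local res=$(parser_supports "$@")`. Separately, with both output streams sent to /dev/null, a parser that is missing or fails for an unrelated reason is indistinguishable from an unsupported rule, and `requires_parser_support` then exits 0, so a whole mediation test can be skipped without any visible failure. An up-front check that `$subdomain` is executable, or at least a comment stating this limitation, would make lost coverage visible. `fatalerror` continues outside the hunk.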
>>
>> === modified file 'tests/regression/apparmor/ptrace.sh'
>> --- tests/regression/apparmor/ptrace.sh 2014-04-23 18:44:41 +0000
>> +++ tests/regression/apparmor/ptrace.sh 2015-04-29 21:49:04 +0000
>> @@ -52,7 +52,7 @@
>> runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
>>
>>
>> -if [ "$(have_features ptrace)" == "true" ] ; then
>> +if [ "$(have_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
>> . $bin/ptrace_v6.inc
>> else
>> . $bin/ptrace_v5.inc
>>
>> === modified file 'tests/regression/apparmor/socketpair.sh'
>> --- tests/regression/apparmor/socketpair.sh 2014-09-18 19:04:29 +0000
>> +++ tests/regression/apparmor/socketpair.sh 2015-04-29 21:49:04 +0000
>> @@ -34,7 +34,7 @@
>> af_unix_create_label=""
>> af_unix_inherit=""
>>
>> -if [ "$(have_features network/af_unix)" == "true" ]; then
>> +if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
>> # AppArmor requires that the process inheriting the sock file
>> # descriptors have send,receive perms in its profile
>> af_unix_create="unix:(create,getopt)"
>>
>> === modified file 'tests/regression/apparmor/unix_fd_server.sh'
>> --- tests/regression/apparmor/unix_fd_server.sh 2014-09-11 02:30:27 +0000
>> +++ tests/regression/apparmor/unix_fd_server.sh 2015-04-29 21:49:04 +0000
>> @@ -27,7 +27,7 @@
>> badperm=w
>> af_unix=""
>>
>> -if [ "$(have_features network/af_unix)" == "true" ]; then
>> +if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
>> af_unix="unix:create"
>> fi
>>
>> @@ -137,7 +137,7 @@
>> sleep 1
>> rm -f ${socket}
>>
>> -if [ "$(have_features policy/versions/v6)" == "true" ] ; then
>> +if [ "$(have_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
>> # FAIL - confined client, no access to the socket file
>>
>> genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix
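Review bot: The second condition pairs `have_features policy/versions/v6` with `parser_supports 'unix,'`, which is not obviously the parser-side counterpart of the kernel feature being probed. The guarded block opens with a denial case ("FAIL - confined client, no access to the socket file"), and `$af_unix` is already left empty by the first hunk when unix rules are unavailable, so on a v6 kernel with an older parser this looks like it would drop a negative test that does not itself need unix rules. If the coupling is intended, a comment such as `# v6 expectations below assume unix rules are compiled into policy` would record why. The block continues outside the hunk, so the else path could not be checked.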
>>
>> === modified file 'tests/regression/apparmor/unix_socket_abstract.sh'
>> --- tests/regression/apparmor/unix_socket_abstract.sh 2014-09-29 23:49:13 +0000
>> +++ tests/regression/apparmor/unix_socket_abstract.sh 2015-04-29 21:49:04 +0000
>> @@ -30,6 +30,7 @@
>> . $bin/unix_socket.inc
>> requires_features policy/versions/v7
>> requires_features network/af_unix
>> +requires_parser_support "unix,"
>>
>> settest unix_socket
>>
>>
>> === modified file 'tests/regression/apparmor/unix_socket_pathname.sh'
>> --- tests/regression/apparmor/unix_socket_pathname.sh 2014-10-09 05:32:01 +0000
>> +++ tests/regression/apparmor/unix_socket_pathname.sh 2015-04-29 21:49:04 +0000
>> @@ -52,7 +52,7 @@
>> # af_unix support requires 'unix getattr' to call getsockname()
>> af_unix_okserver=
>> af_unix_okclient=
>> -if [ "$(have_features network/af_unix)" == "true" ] ; then
>> +if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
>> af_unix_okserver="create,setopt"
>> af_unix_okclient="create,getopt,setopt,getattr"
>> fi
>>
>> === modified file 'tests/regression/apparmor/unix_socket_unnamed.sh'
>> --- tests/regression/apparmor/unix_socket_unnamed.sh 2014-09-30 17:00:10 +0000
>> +++ tests/regression/apparmor/unix_socket_unnamed.sh 2015-04-29 21:49:04 +0000
>> @@ -30,6 +30,7 @@
>> . $bin/unix_socket.inc
>> requires_features policy/versions/v7
>> requires_features network/af_unix
>> +requires_parser_support "unix,"
>>
>> settest unix_socket
>>
>>
>>
>>
>>
>>