[apparmor] [PATCH v2 1/6] tests: Add regression tests for aa-exec
Tyler Hicks
tyhicks at canonical.com
Thu Dec 17 03:25:02 UTC 2015
Add regression tests for the --profile, --namespace, and --immediate
options of aa-exec.
A new variable is added to uservars.inc to point to the in-tree or
system aa-exec depending on the presence of the USE_SYSTEM=1 make
variable at build time.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/Makefile | 34 +++++++++--
tests/regression/apparmor/aa_exec.sh | 81 +++++++++++++++++++++++++++
tests/regression/apparmor/aa_exec_wrapper.sh | 28 +++++++++
tests/regression/apparmor/uservars.inc.source | 3 +
tests/regression/apparmor/uservars.inc.system | 3 +
5 files changed, 144 insertions(+), 5 deletions(-)
create mode 100755 tests/regression/apparmor/aa_exec.sh
create mode 100755 tests/regression/apparmor/aa_exec_wrapper.sh
diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
index c0aad62..d0e4b35 100644
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@@ -18,7 +18,7 @@ ifdef USE_SYSTEM
echo -lapparmor ; \
fi )
ifeq ($(strip $(LIBAPPARMOR)),)
- ERROR_MESSAGE = $(error ${nl}\
+ LIBAPPARMOR_ERROR_MESSAGE = $(error ${nl}\
************************************************************************${nl}\
Unable to find libapparmor installed on this system; either${nl}\
install libapparmor devel packages, set the LIBAPPARMOR variable${nl}\
@@ -27,13 +27,23 @@ manually, or build against in-tree libapparmor.${nl}\
endif # LIBAPPARMOR not set
LDLIBS += $(LIBAPPARMOR)
+ AA_EXEC = $(shell which aa-exec)
+ ifeq ($(AA_EXEC),)
+ AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
+************************************************************************${nl}\
+Unable to find aa-exec installed on this system; either install the${nl}\
+apparmor package, set the AA_EXEC variable manually, or use the in-tree${nl}\
+aa-exec.${nl}\
+************************************************************************${nl})
+ endif # AA_EXEC not set
+
else # !USE_SYSTEM
# use in-tree versions
LIBAPPARMOR_SRC := ../../../libraries/libapparmor/
LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
- ERROR_MESSAGE = $(error ${nl}\
+ LIBAPPARMOR_ERROR_MESSAGE = $(error ${nl}\
************************************************************************${nl}\
$(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against${nl}\
the in-tree libapparmor by building it first and then trying again${nl}\
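Review bot: The new error text tells the user to "set the AA_EXEC variable manually", but nothing visible in this patch carries a manually set `AA_EXEC` through to the tests, because uservars.inc.system hardcodes `aa_exec=$(which aa-exec)`. The build-time check can therefore pass on one binary while the tests run another, whichever comes first on the test-time PATH. The plain `AA_EXEC = $(shell which aa-exec)` assignment also replaces a value exported in the environment, so only a command-line override reaches the check. Consider `AA_EXEC ?= $(shell which aa-exec)` here and having the `uservars.inc` rule write the resolved path into the generated file; that rule's recipe is outside this hunk, so the exact wiring needs confirming.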
@@ -42,6 +52,17 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
************************************************************************${nl})
endif
+ UTILS_SRC := ../../../utils
+ AA_EXEC = $(UTILS_SRC)/aa-exec
+ ifeq ($(realpath $(AA_EXEC)),)
+ AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
+************************************************************************${nl}\
+$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\
+and then try again (see the top-level README for help) or use the${nl}\
+system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
+************************************************************************${nl})
+ endif
+
CFLAGS += -L$(LIBAPPARMOR_PATH) -I$(LIBAPPARMOR_INCLUDE)
LDLIBS += -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
endif # USE_SYSTEM
@@ -152,7 +173,8 @@ endif
EXEC=$(SRC:%.c=%)
-TESTS=access \
+TESTS=aa_exec \
+ access \
introspect \
capabilities \
changeprofile \
@@ -217,9 +239,11 @@ RISKY_TESTS=
.PHONY: libapparmor_check
.SILENT: libapparmor_check
-libapparmor_check: ; $(ERROR_MESSAGE)
+libapparmor_check: ; $(LIBAPPARMOR_ERROR_MESSAGE)
+
+aa_exec_check: ; $(AA_EXEC_ERROR_MESSAGE)
-all: libapparmor_check $(EXEC) changehat.h uservars.inc
+all: libapparmor_check aa_exec_check $(EXEC) changehat.h uservars.inc
uservars.inc: uservars.inc.source uservars.inc.system
ifdef USE_SYSTEM
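Review bot: `aa_exec_check` becomes a prerequisite of `all`, but unlike `libapparmor_check` directly above it, it is not listed under `.PHONY` or `.SILENT`. If a file named `aa_exec_check` ever exists in this directory, make treats the target as up to date and never expands `$(AA_EXEC_ERROR_MESSAGE)`, so the missing-binary check is silently skipped. Extend the two declarations to `.PHONY: libapparmor_check aa_exec_check` and `.SILENT: libapparmor_check aa_exec_check`.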
diff --git a/tests/regression/apparmor/aa_exec.sh b/tests/regression/apparmor/aa_exec.sh
new file mode 100755
index 0000000..daaefee
--- /dev/null
+++ b/tests/regression/apparmor/aa_exec.sh
@@ -0,0 +1,81 @@
+#! /bin/bash
+# Copyright (C) 2015 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, version 2 of the
+# License.
+
+#=NAME aa_exec
+#=DESCRIPTION
+# This test verifies that the aa_exec command is indeed transitioning
+# profiles as intended.
+#=END
+
+#set -x
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+ns=aa_exec_ns
+
+genprofile_aa_exec()
+{
+ mode=""
+ if [ $# -eq 2 ]; then
+ if [ $2 -ne 0 ]; then
+ mode="(complain) "
+ fi
+ fi
+ genprofile --stdin <<EOF
+$1 ${mode}{
+ file,
+}
+
+:${ns}:${1} ${mode}{
+ file,
+}
+EOF
+}
+
+settest aa_exec_profile ${bin}/aa_exec_wrapper.sh
+
+genprofile_aa_exec "$test" 0
+runchecktest "unconfined" pass "$aa_exec" "unconfined"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce" pass "$aa_exec -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain" pass "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: not unconfined" fail "$aa_exec -p $test" "unconfined"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad mode: (complain)" fail "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad mode: (enforceXXX)" fail "$aa_exec -p $test" "$test (enforceXXX)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce (--immediate)" pass "$aa_exec -i -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain (--immediate)" pass "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad profile (--immediate)" fail "$aa_exec -ip $test" "${test}XXX (enforce)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
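Review bot: The "complain (--immediate)" case invokes `"$aa_exec -p $test"` without `-i`, so it repeats the earlier plain "complain" test and `--immediate` is never exercised against a complain-mode profile. It should read `runchecktest "complain (--immediate)" pass "$aa_exec -i -p $test" "$test (complain)"`. As a smaller point, the `#=DESCRIPTION` block calls the tool `aa_exec` while the command under test is `aa-exec`.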
diff --git a/tests/regression/apparmor/aa_exec_wrapper.sh b/tests/regression/apparmor/aa_exec_wrapper.sh
new file mode 100755
index 0000000..a27c566
--- /dev/null
+++ b/tests/regression/apparmor/aa_exec_wrapper.sh
@@ -0,0 +1,28 @@
+#! /bin/bash
+# Copyright (C) 2015 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, version 2 of the
+# License.
+
+if [ $# -ne 2 ]; then
+ echo "FAIL: usage: $0 AA_EXEC_CMD EXPECTED_PROC_ATTR_CURRENT"
+ echo "AA_EXEC_CMD The path to aa-exec and the arguments to pass"
+ echo "EXPECTED_PROC_ATTR_CURRENT The expected contents of /proc/self/attr/current"
+ exit 1
+fi
+
+out=$($1 -- cat /proc/self/attr/current 2>&1)
+rc=$?
+
+if [ $rc -eq 0 ] && [ "$out" == "$2" ]; then
+ echo PASS
+ exit 0
+elif [ $rc -ne 0 ]; then
+ echo "FAIL: aa-exec exited with status ${rc}:\n${out}\n"
+ exit 1
+else
+ echo "FAIL: bad confinement context: \"$out\" != \"$2 $3\""
+ exit 1
+fi
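Review bot: Neither failure message prints what it intends. In the `rc -ne 0` branch, bash's builtin `echo` does not expand `\n` by default, so the captured output appears on one line with literal backslashes; `printf 'FAIL: aa-exec exited with status %s:\n%s\n' "$rc" "$out"` avoids that. In the final branch `$3` is always empty because the script exits unless `$# -eq 2`, so the message should end with `!= \"$2\""`. The unquoted `$1` in the command substitution relies on word splitting to separate aa-exec from its options, which deserves a short comment such as `# $1 is intentionally unquoted: it holds the command plus its arguments`.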
diff --git a/tests/regression/apparmor/uservars.inc.source b/tests/regression/apparmor/uservars.inc.source
index 7fbfdec..aff53d2 100644
--- a/tests/regression/apparmor/uservars.inc.source
+++ b/tests/regression/apparmor/uservars.inc.source
@@ -12,3 +12,6 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
# 4. Location of load system profiles for verification
sys_profiles=/sys/kernel/security/apparmor/profiles
+
+# 5. Location of aa-exec
+aa_exec=${PWD}/../../../utils/aa-exec
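Review bot: `aa_exec=${PWD}/../../../utils/aa-exec` resolves against whatever directory the test is started from, whereas the Makefile check validates `../../../utils/aa-exec` relative to the build directory and aa_exec.sh derives `$bin` from `dirname $0`. If a test script is run from another directory, `$aa_exec` points at a different or nonexistent path, and these tests presumably run with enough privilege to load profiles. Anchoring to the script location, for example `aa_exec=${bin}/../../../utils/aa-exec`, would keep the build check and the run-time path in agreement. That assumes `$bin` is already set when this file is sourced, which is not visible in this patch.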
diff --git a/tests/regression/apparmor/uservars.inc.system b/tests/regression/apparmor/uservars.inc.system
index d304ea7..c448a6b 100644
--- a/tests/regression/apparmor/uservars.inc.system
+++ b/tests/regression/apparmor/uservars.inc.system
@@ -12,3 +12,6 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
# 4. Location of load system profiles for verification
sys_profiles=/sys/kernel/security/apparmor/profiles
+
+# 5. Location of aa-exec
+aa_exec=$(which aa-exec)
--
2.5.0