[apparmor] [PATCH v2 1/6] tests: Add regression tests for aa-exec

John Johansen john.johansen at canonical.com
Thu Dec 17 21:56:28 UTC 2015


On 12/16/2015 07:25 PM, Tyler Hicks wrote:
> Add regression tests for the --profile, --namespace, and --immediate
> options of aa-exec.
> 
> A new variable is added to uservars.inc to point to the in-tree or
> system aa-exec depending on the presence of the USE_SYSTEM=1 make
> variable at build time.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: John Johansen <john.johansen at canonical.com>

> ---
>  tests/regression/apparmor/Makefile            | 34 +++++++++--
>  tests/regression/apparmor/aa_exec.sh          | 81 +++++++++++++++++++++++++++
>  tests/regression/apparmor/aa_exec_wrapper.sh  | 28 +++++++++
>  tests/regression/apparmor/uservars.inc.source |  3 +
>  tests/regression/apparmor/uservars.inc.system |  3 +
>  5 files changed, 144 insertions(+), 5 deletions(-)
>  create mode 100755 tests/regression/apparmor/aa_exec.sh
>  create mode 100755 tests/regression/apparmor/aa_exec_wrapper.sh
> 
> diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
> index c0aad62..d0e4b35 100644
> --- a/tests/regression/apparmor/Makefile
> +++ b/tests/regression/apparmor/Makefile
> @@ -18,7 +18,7 @@ ifdef USE_SYSTEM
>  				echo -lapparmor ; \
>  			fi )
>    ifeq ($(strip $(LIBAPPARMOR)),)
> -    ERROR_MESSAGE = $(error ${nl}\
> +    LIBAPPARMOR_ERROR_MESSAGE = $(error ${nl}\
>  ************************************************************************${nl}\
>  Unable to find libapparmor installed on this system; either${nl}\
>  install libapparmor devel packages, set the LIBAPPARMOR variable${nl}\
> @@ -27,13 +27,23 @@ manually, or build against in-tree libapparmor.${nl}\
>    endif # LIBAPPARMOR not set
>    LDLIBS += $(LIBAPPARMOR)
>  
> +  AA_EXEC = $(shell which aa-exec)
> +  ifeq ($(AA_EXEC),)
> +    AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
> +************************************************************************${nl}\
> +Unable to find aa-exec installed on this system; either install the${nl}\
> +apparmor package, set the AA_EXEC variable manually, or use the in-tree${nl}\
> +aa-exec.${nl}\
> +************************************************************************${nl})
> +  endif # AA_EXEC not set
> +
>  else # !USE_SYSTEM
>    # use in-tree versions
>    LIBAPPARMOR_SRC := ../../../libraries/libapparmor/
>    LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
>    LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
>    ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
> -        ERROR_MESSAGE = $(error ${nl}\
> +        LIBAPPARMOR_ERROR_MESSAGE = $(error ${nl}\
>  ************************************************************************${nl}\
>  $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against${nl}\
>  the in-tree libapparmor by building it first and then trying again${nl}\
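Review bot: The error text added in the USE_SYSTEM branch tells the user they may "set the AA_EXEC variable manually", but that value never reaches the tests. The uservars.inc.system hunk later in this patch sets `aa_exec=$(which aa-exec)` independently, so the binary checked at build time and the binary run by the tests can differ, or the check can pass while the run-time lookup finds nothing. Consider generating the `aa_exec=` line from `$(AA_EXEC)` when uservars.inc is produced, or drop the manual-override wording from the message. Separately, `AA_EXEC = $(shell which aa-exec)` is a recursive assignment that re-runs `which` on every expansion; `AA_EXEC := $(shell which aa-exec)` evaluates it once. The in-tree branch that follows in this hunk only renames the existing message variable.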
> @@ -42,6 +52,17 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
>  ************************************************************************${nl})
>    endif
>  
> +  UTILS_SRC := ../../../utils
> +  AA_EXEC = $(UTILS_SRC)/aa-exec
> +  ifeq ($(realpath $(AA_EXEC)),)
> +        AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
> +************************************************************************${nl}\
> +$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\
> +and then try again (see the top-level README for help) or use the${nl}\
> +system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
> +************************************************************************${nl})
> +  endif
> +
>    CFLAGS += -L$(LIBAPPARMOR_PATH) -I$(LIBAPPARMOR_INCLUDE)
>    LDLIBS += -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
>  endif # USE_SYSTEM
> @@ -152,7 +173,8 @@ endif
>  
>  EXEC=$(SRC:%.c=%)
>  
> -TESTS=access \
> +TESTS=aa_exec \
> +      access \
>        introspect \
>        capabilities \
>        changeprofile \
> @@ -217,9 +239,11 @@ RISKY_TESTS=
>  
>  .PHONY: libapparmor_check
>  .SILENT: libapparmor_check
> -libapparmor_check: ; $(ERROR_MESSAGE)
> +libapparmor_check: ; $(LIBAPPARMOR_ERROR_MESSAGE)
> +
> +aa_exec_check: ; $(AA_EXEC_ERROR_MESSAGE)
>  
> -all: libapparmor_check $(EXEC) changehat.h uservars.inc
> +all: libapparmor_check aa_exec_check $(EXEC) changehat.h uservars.inc
>  
>  uservars.inc: uservars.inc.source uservars.inc.system
>  ifdef USE_SYSTEM
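Review bot: `aa_exec_check` is added without the `.PHONY` and `.SILENT` declarations that `libapparmor_check` has directly above it. Without `.PHONY`, a stray file named aa_exec_check in this directory makes the target look up to date, so the recipe is never expanded and the missing-aa-exec error is skipped. Extending the two existing lines keeps both checks consistent: `.PHONY: libapparmor_check aa_exec_check` and `.SILENT: libapparmor_check aa_exec_check`. The `uservars.inc` rule at the end of this hunk continues outside it.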
> diff --git a/tests/regression/apparmor/aa_exec.sh b/tests/regression/apparmor/aa_exec.sh
> new file mode 100755
> index 0000000..daaefee
> --- /dev/null
> +++ b/tests/regression/apparmor/aa_exec.sh
> @@ -0,0 +1,81 @@
> +#! /bin/bash
> +#	Copyright (C) 2015 Canonical, Ltd.
> +#
> +#	This program is free software; you can redistribute it and/or
> +#	modify it under the terms of the GNU General Public License as
> +#	published by the Free Software Foundation, version 2 of the
> +#	License.
> +
> +#=NAME aa_exec
> +#=DESCRIPTION
> +# This test verifies that the aa_exec command is indeed transitioning
> +# profiles as intended.
> +#=END
> +
> +#set -x
> +
> +pwd=`dirname $0`
> +pwd=`cd $pwd ; /bin/pwd`
> +
> +bin=$pwd
> +
> +. $bin/prologue.inc
> +
> +ns=aa_exec_ns
> +
> +genprofile_aa_exec()
> +{
> +	mode=""
> +	if [ $# -eq 2 ]; then
> +		if [ $2 -ne 0 ]; then
> +			mode="(complain) "
> +		fi
> +	fi
> +	genprofile --stdin <<EOF
> +$1 ${mode}{
> +  file,
> +}
> +
> +:${ns}:${1} ${mode}{
> +  file,
> +}
> +EOF
> +}
> +
> +settest aa_exec_profile ${bin}/aa_exec_wrapper.sh
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "unconfined" pass "$aa_exec" "unconfined"
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "enforce" pass "$aa_exec -p $test" "$test (enforce)"
> +
> +genprofile_aa_exec "$test" 1
> +runchecktest "complain" pass "$aa_exec -p $test" "$test (complain)"
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "negative test: not unconfined" fail "$aa_exec -p $test" "unconfined"
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "negative test: bad mode: (complain)" fail "$aa_exec -p $test" "$test (complain)"
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "negative test: bad mode: (enforceXXX)" fail "$aa_exec -p $test" "$test (enforceXXX)"
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "enforce (--immediate)" pass "$aa_exec -i -p $test" "$test (enforce)"
> +
> +genprofile_aa_exec "$test" 1
> +runchecktest "complain (--immediate)" pass "$aa_exec -p $test" "$test (complain)"
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "negative test: bad profile (--immediate)" fail "$aa_exec -ip $test" "${test}XXX (enforce)"
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "enforce (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (enforce)"
> +
> +genprofile_aa_exec "$test" 1
> +runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (complain)"
> +
> +genprofile_aa_exec "$test" 0
> +runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
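Review bot: The "complain (--immediate)" case runs `"$aa_exec -p $test"` without `-i`, so it repeats the plain complain test and never exercises --immediate in complain mode. It should read `runchecktest "complain (--immediate)" pass "$aa_exec -i -p $test" "$test (complain)"`, matching the enforce variant two lines above it. A short comment above the namespace cases would also help, stating that the expected /proc/self/attr/current value is compared without the `:${ns}:` prefix; whether that matches the kernel's view from inside the namespace should be confirmed.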
> diff --git a/tests/regression/apparmor/aa_exec_wrapper.sh b/tests/regression/apparmor/aa_exec_wrapper.sh
> new file mode 100755
> index 0000000..a27c566
> --- /dev/null
> +++ b/tests/regression/apparmor/aa_exec_wrapper.sh
> @@ -0,0 +1,28 @@
> +#! /bin/bash
> +#	Copyright (C) 2015 Canonical, Ltd.
> +#
> +#	This program is free software; you can redistribute it and/or
> +#	modify it under the terms of the GNU General Public License as
> +#	published by the Free Software Foundation, version 2 of the
> +#	License.
> +
> +if [ $# -ne 2 ]; then
> +	echo "FAIL: usage: $0 AA_EXEC_CMD EXPECTED_PROC_ATTR_CURRENT"
> +	echo "AA_EXEC_CMD			The path to aa-exec and the arguments to pass"
> +	echo "EXPECTED_PROC_ATTR_CURRENT	The expected contents of /proc/self/attr/current"
> +	exit 1
> +fi
> +
> +out=$($1 -- cat /proc/self/attr/current 2>&1)
> +rc=$?
> +
> +if [ $rc -eq 0 ] && [ "$out" == "$2" ]; then
> +	echo PASS
> +	exit 0
> +elif [ $rc -ne 0 ]; then
> +	echo "FAIL: aa-exec exited with status ${rc}:\n${out}\n"
> +	exit 1
> +else
> +	echo "FAIL: bad confinement context: \"$out\" != \"$2 $3\""
> +	exit 1
> +fi
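Review bot: The final failure message prints `\"$2 $3\"`, but the usage check at the top accepts exactly two arguments, so `$3` is always empty and the reported expected value gains a trailing space that was never part of the comparison. Use `echo "FAIL: bad confinement context: \"$out\" != \"$2\""` instead. In the aa-exec failure branch, bash's builtin `echo` does not interpret `\n` without `-e`, so the status and output are run together with literal backslash-n sequences; `printf 'FAIL: aa-exec exited with status %s:\n%s\n' "$rc" "$out"` gives the intended layout. A one-line comment noting that `$1` is left unquoted on purpose, so the aa-exec path and its options split into separate words, would stop a later cleanup from quoting it.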
> diff --git a/tests/regression/apparmor/uservars.inc.source b/tests/regression/apparmor/uservars.inc.source
> index 7fbfdec..aff53d2 100644
> --- a/tests/regression/apparmor/uservars.inc.source
> +++ b/tests/regression/apparmor/uservars.inc.source
> @@ -12,3 +12,6 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
>  
>  # 4. Location of load system profiles for verification
>  sys_profiles=/sys/kernel/security/apparmor/profiles
> +
> +# 5. Location of aa-exec
> +aa_exec=${PWD}/../../../utils/aa-exec
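Review bot: `aa_exec=${PWD}/../../../utils/aa-exec` resolves against the caller's working directory, while aa_exec.sh derives its own location from `dirname $0`. If a test script is started from anywhere other than tests/regression/apparmor, this points at a different path than the one the Makefile verified through `$(UTILS_SRC)/aa-exec`. If `$bin` is already set when this file is sourced (prologue.inc is not visible here, so this needs confirming), `aa_exec=${bin}/../../../utils/aa-exec` would tie the path to the test directory instead. The relative path is also duplicated between this file and the Makefile's `UTILS_SRC`, which is worth a comment so the two stay in step.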
> diff --git a/tests/regression/apparmor/uservars.inc.system b/tests/regression/apparmor/uservars.inc.system
> index d304ea7..c448a6b 100644
> --- a/tests/regression/apparmor/uservars.inc.system
> +++ b/tests/regression/apparmor/uservars.inc.system
> @@ -12,3 +12,6 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
>  
>  # 4. Location of load system profiles for verification
>  sys_profiles=/sys/kernel/security/apparmor/profiles
> +
> +# 5. Location of aa-exec
> +aa_exec=$(which aa-exec)
> 



