[apparmor] [PATCH 06/20] The regression tests have issue on backport kernels when the userspace has not been updated. The issue is that the regression tests detect the kernel features set and generate policy that the parser may not be able to compile.

John Johansen john.johansen at canonical.com
Fri May 29 08:39:12 UTC 2015


Augment the regression tests with a couple of simple functions that test what
the parser supports, and update the test conditionals to use them.

Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
---
 tests/regression/apparmor/dbus_eavesdrop.sh        |  1 +
 tests/regression/apparmor/dbus_message.sh          |  1 +
 tests/regression/apparmor/dbus_service.sh          |  1 +
 .../regression/apparmor/dbus_unrequested_reply.sh  |  1 +
 tests/regression/apparmor/deleted.sh               |  2 +-
 tests/regression/apparmor/mount.sh                 |  2 +-
 tests/regression/apparmor/named_pipe.sh            |  2 +-
 tests/regression/apparmor/pivot_root.sh            |  4 ++--
 tests/regression/apparmor/prologue.inc             | 24 ++++++++++++++++++++++
 tests/regression/apparmor/ptrace.sh                |  2 +-
 tests/regression/apparmor/socketpair.sh            |  2 +-
 tests/regression/apparmor/unix_fd_server.sh        |  4 ++--
 tests/regression/apparmor/unix_socket_abstract.sh  |  1 +
 tests/regression/apparmor/unix_socket_pathname.sh  |  2 +-
 tests/regression/apparmor/unix_socket_unnamed.sh   |  1 +
 15 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh
index fe26b91..2792900 100755
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@@ -19,6 +19,7 @@ bin=$pwd
 
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 args="--session"
diff --git a/tests/regression/apparmor/dbus_message.sh b/tests/regression/apparmor/dbus_message.sh
index 30b1592..cc52745 100755
--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@@ -19,6 +19,7 @@ bin=$pwd
 
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
diff --git a/tests/regression/apparmor/dbus_service.sh b/tests/regression/apparmor/dbus_service.sh
index 451a661..322853b 100755
--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@@ -18,6 +18,7 @@ bin=$pwd
 
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 service="--$bus --name=$dest $path $iface"
diff --git a/tests/regression/apparmor/dbus_unrequested_reply.sh b/tests/regression/apparmor/dbus_unrequested_reply.sh
index 1cfd8d4..e91f3ad 100644
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@@ -18,6 +18,7 @@ bin=$pwd
 
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 service="--$bus --name=$dest $path $iface"
diff --git a/tests/regression/apparmor/deleted.sh b/tests/regression/apparmor/deleted.sh
index 84a51fc..8d4c5b4 100755
--- a/tests/regression/apparmor/deleted.sh
+++ b/tests/regression/apparmor/deleted.sh
@@ -65,7 +65,7 @@ okperm=rwl
 badperm=wl
 af_unix=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	af_unix="unix:create"
 fi
 
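Review bot: The new condition joins two comparisons inside one `[` with `-a`, which POSIX marks obsolescent and which can parse ambiguously when an operand looks like an operator. The same form, or `-o`, is added in mount.sh, named_pipe.sh, pivot_root.sh, ptrace.sh, socketpair.sh, unix_fd_server.sh and unix_socket_pathname.sh. Two separate tests are unambiguous and keep the file's existing comparison style: `if [ "$(have_features network/af_unix)" == "true" ] && [ "$(parser_supports 'unix,')" == "true" ]; then`.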
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index 86bfecb..0840199 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -102,7 +102,7 @@ runchecktest "UMOUNT (confined no perm)" fail umount ${loop_device} ${mount_poin
 remove_mnt
 
 
-if [ "$(have_features mount)" != "true" ] ; then
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
 	genprofile capability:sys_admin
 	runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
 	remove_mnt
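Review bot: The changed `if` has no comment saying that the capability-only fallback now also runs when the parser cannot compile `mount,`, whereas pivot_root.sh updates its comment for the same change. I would add `# mount mediation isn't supported by this kernel/parser, so verify that capability sys_admin is sufficient` above the `genprofile capability:sys_admin` line. The branch expects the mount to pass with the capability alone. Whether that still holds on a kernel that mediates mount but is given policy from an older parser is not visible here and is worth confirming. The `if` block continues outside the hunk.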
diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh
index e63456f..52037e5 100755
--- a/tests/regression/apparmor/named_pipe.sh
+++ b/tests/regression/apparmor/named_pipe.sh
@@ -38,7 +38,7 @@ badchild=r
 # Add genprofile params that are common to all hats here
 common=""
 
-if [ "$(have_features signal)" == "true" ] ; then
+if [ "$(have_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
 	# Allow send/receive of all signals
 	common="${common} signal:ALL"
 fi
diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
index 35004fc..faea755 100755
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -106,8 +106,8 @@ do_test "unconfined, bad context" fail "$put_old" "$new_root" "$bad"
 genprofile
 do_test "no perms" fail "$put_old" "$new_root" "$test"
 
-if [ "$(have_features mount)" != "true" ] ; then
-	# pivot_root mediation isn't supported by this kernel, so verify that
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
+	# pivot_root mediation isn't supported by this kernel/parser, so verify that
 	# capability sys_admin is sufficient and skip the remaining tests
 	genprofile $cur $cap
 	do_test "cap" pass "$put_old" "$new_root" "$test"
diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
index 3036cbb..bcbe7ea 100755
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -58,6 +58,30 @@ requires_query_interface()
 	fi
 }
 
+parser_supports()
+{
+	for R in $@ ; do
+		echo "/test { $R }" | $subdomain ${parser_args} -qQT 2>/dev/null 1>/dev/null
+		if [ $? -ne 0 ] ; then
+			echo "Compiler does not support rule '$R'"
+			return 1;
+		fi
+	done
+
+	echo "true"
+	return 0;
+}
+
+requires_parser_support()
+{
+	local res=$(parser_supports $@)
+	if [ "$res" != "true" ] ; then
+		echo "$res. Skipping tests ..."
+		exit 0
+	fi
+}
+
+
 fatalerror()
 {
 	# global _fatal
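Review bot: `parser_supports` treats every non-zero exit from `$subdomain` as "rule not supported" and discards stderr, so a missing parser binary or a bad `${parser_args}` is indistinguishable from a genuinely unsupported rule. `requires_parser_support` then exits 0, so a mediation test script can be skipped silently and look like a clean run. Unless `$subdomain` is validated elsewhere in prologue.inc, a guard before the loop that fails hard would separate the two cases, e.g. `[ -x "$subdomain" ] || fatalerror "parser $subdomain not found"`. Separately, `for R in $@` and `parser_supports $@` are unquoted, so a rule containing a space is split into several probes. I would write `for R in "$@" ; do` and `local res; res=$(parser_supports "$@")`.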
diff --git a/tests/regression/apparmor/ptrace.sh b/tests/regression/apparmor/ptrace.sh
index 64cdf24..17771d0 100755
--- a/tests/regression/apparmor/ptrace.sh
+++ b/tests/regression/apparmor/ptrace.sh
@@ -52,7 +52,7 @@ runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true
 runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
 
 
-if [ "$(have_features ptrace)" == "true" ] ; then
+if [ "$(have_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
 	. $bin/ptrace_v6.inc
 else
 	. $bin/ptrace_v5.inc
diff --git a/tests/regression/apparmor/socketpair.sh b/tests/regression/apparmor/socketpair.sh
index 378fc08..4e56707 100755
--- a/tests/regression/apparmor/socketpair.sh
+++ b/tests/regression/apparmor/socketpair.sh
@@ -34,7 +34,7 @@ af_unix_create=""
 af_unix_create_label=""
 af_unix_inherit=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	# AppArmor requires that the process inheriting the sock file
 	# descriptors have send,receive perms in its profile
 	af_unix_create="unix:(create,getopt)"
diff --git a/tests/regression/apparmor/unix_fd_server.sh b/tests/regression/apparmor/unix_fd_server.sh
index b38ec68..fc2b947 100755
--- a/tests/regression/apparmor/unix_fd_server.sh
+++ b/tests/regression/apparmor/unix_fd_server.sh
@@ -27,7 +27,7 @@ okperm=rw
 badperm=w
 af_unix=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	af_unix="unix:create"
 fi
 
@@ -137,7 +137,7 @@ runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd
 sleep 1
 rm -f ${socket}
 
-if [ "$(have_features policy/versions/v6)" == "true" ] ; then
+if [ "$(have_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
     # FAIL - confined client, no access to the socket file
 
     genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix 
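Review bot: The `parser_supports 'unix,'` term added to the `policy/versions/v6` check is undocumented, and the profile below it only uses `$af_unix`, which the first hunk in this file already leaves empty when the parser lacks unix rules. As written, the "confined client, no access to the socket file" denial case no longer runs on a v6 kernel with an older parser. That looks like lost coverage unless the case cannot give a meaningful result there. If that is the reason, a comment such as `# skipped when the parser has no unix rules: the denial below depends on them` would make the intent checkable. The `if` block continues outside the hunk.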
diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh
index 7c14f3e..6a949c1 100644
--- a/tests/regression/apparmor/unix_socket_abstract.sh
+++ b/tests/regression/apparmor/unix_socket_abstract.sh
@@ -30,6 +30,7 @@ bin=$pwd
 . $bin/unix_socket.inc
 requires_features policy/versions/v7
 requires_features network/af_unix
+requires_parser_support "unix,"
 
 settest unix_socket
 
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 078e557..be3631d 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -52,7 +52,7 @@ fi
 # af_unix support requires 'unix getattr' to call getsockname()
 af_unix_okserver=
 af_unix_okclient=
-if [ "$(have_features network/af_unix)" == "true" ] ; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
 	af_unix_okserver="create,setopt"
 	af_unix_okclient="create,getopt,setopt,getattr"
 fi
diff --git a/tests/regression/apparmor/unix_socket_unnamed.sh b/tests/regression/apparmor/unix_socket_unnamed.sh
index 3293fec..b834888 100644
--- a/tests/regression/apparmor/unix_socket_unnamed.sh
+++ b/tests/regression/apparmor/unix_socket_unnamed.sh
@@ -30,6 +30,7 @@ bin=$pwd
 . $bin/unix_socket.inc
 requires_features policy/versions/v7
 requires_features network/af_unix
+requires_parser_support "unix,"
 
 settest unix_socket
 
-- 
2.1.4



