[apparmor] [PATCH 06/20] The regression tests have issue on backport kernels when the userspace has not been updated. The issue is that the regression tests detect the kernel features set and generate policy that the parser may not be able to compile.
John Johansen
john.johansen at canonical.com
Fri May 29 08:39:12 UTC 2015
Augment the regression tests with a couple of simple functions to test what
is supported by the parser, and update the test conditionals to use them.
Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
---
tests/regression/apparmor/dbus_eavesdrop.sh | 1 +
tests/regression/apparmor/dbus_message.sh | 1 +
tests/regression/apparmor/dbus_service.sh | 1 +
.../regression/apparmor/dbus_unrequested_reply.sh | 1 +
tests/regression/apparmor/deleted.sh | 2 +-
tests/regression/apparmor/mount.sh | 2 +-
tests/regression/apparmor/named_pipe.sh | 2 +-
tests/regression/apparmor/pivot_root.sh | 4 ++--
tests/regression/apparmor/prologue.inc | 24 ++++++++++++++++++++++
tests/regression/apparmor/ptrace.sh | 2 +-
tests/regression/apparmor/socketpair.sh | 2 +-
tests/regression/apparmor/unix_fd_server.sh | 4 ++--
tests/regression/apparmor/unix_socket_abstract.sh | 1 +
tests/regression/apparmor/unix_socket_pathname.sh | 2 +-
tests/regression/apparmor/unix_socket_unnamed.sh | 1 +
15 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh
index fe26b91..2792900 100755
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@@ -19,6 +19,7 @@ bin=$pwd
. $bin/prologue.inc
requires_features dbus
+requires_parser_support "dbus,"
. $bin/dbus.inc
args="--session"
diff --git a/tests/regression/apparmor/dbus_message.sh b/tests/regression/apparmor/dbus_message.sh
index 30b1592..cc52745 100755
--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@@ -19,6 +19,7 @@ bin=$pwd
. $bin/prologue.inc
requires_features dbus
+requires_parser_support "dbus,"
. $bin/dbus.inc
listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
diff --git a/tests/regression/apparmor/dbus_service.sh b/tests/regression/apparmor/dbus_service.sh
index 451a661..322853b 100755
--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@@ -18,6 +18,7 @@ bin=$pwd
. $bin/prologue.inc
requires_features dbus
+requires_parser_support "dbus,"
. $bin/dbus.inc
service="--$bus --name=$dest $path $iface"
diff --git a/tests/regression/apparmor/dbus_unrequested_reply.sh b/tests/regression/apparmor/dbus_unrequested_reply.sh
index 1cfd8d4..e91f3ad 100644
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@@ -18,6 +18,7 @@ bin=$pwd
. $bin/prologue.inc
requires_features dbus
+requires_parser_support "dbus,"
. $bin/dbus.inc
service="--$bus --name=$dest $path $iface"
diff --git a/tests/regression/apparmor/deleted.sh b/tests/regression/apparmor/deleted.sh
index 84a51fc..8d4c5b4 100755
--- a/tests/regression/apparmor/deleted.sh
+++ b/tests/regression/apparmor/deleted.sh
@@ -65,7 +65,7 @@ okperm=rwl
badperm=wl
af_unix=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
af_unix="unix:create"
fi
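Review bot: The new condition packs seven arguments into a single `[` with `-a` and `==`; POSIX marks `-a`/`-o` obsolescent and leaves tests with more than four arguments unspecified, so this is a portability and readability concern rather than a functional bug with these operands. Two tests joined by the shell are unambiguous: `if [ "$(have_features network/af_unix)" = "true" ] && [ "$(parser_supports 'unix,')" = "true" ]; then`. The same pattern, with `-a` or `-o`, recurs in the mount.sh, named_pipe.sh, pivot_root.sh, ptrace.sh, socketpair.sh, unix_fd_server.sh and unix_socket_pathname.sh hunks.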
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index 86bfecb..0840199 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -102,7 +102,7 @@ runchecktest "UMOUNT (confined no perm)" fail umount ${loop_device} ${mount_poin
remove_mnt
-if [ "$(have_features mount)" != "true" ] ; then
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
genprofile capability:sys_admin
runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
remove_mnt
diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh
index e63456f..52037e5 100755
--- a/tests/regression/apparmor/named_pipe.sh
+++ b/tests/regression/apparmor/named_pipe.sh
@@ -38,7 +38,7 @@ badchild=r
# Add genprofile params that are common to all hats here
common=""
-if [ "$(have_features signal)" == "true" ] ; then
+if [ "$(have_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
# Allow send/receive of all signals
common="${common} signal:ALL"
fi
diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
index 35004fc..faea755 100755
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -106,8 +106,8 @@ do_test "unconfined, bad context" fail "$put_old" "$new_root" "$bad"
genprofile
do_test "no perms" fail "$put_old" "$new_root" "$test"
-if [ "$(have_features mount)" != "true" ] ; then
- # pivot_root mediation isn't supported by this kernel, so verify that
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
+ # pivot_root mediation isn't supported by this kernel/parser, so verify that
# capability sys_admin is sufficient and skip the remaining tests
genprofile $cur $cap
do_test "cap" pass "$put_old" "$new_root" "$test"
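Review bot: The parser probe in the new condition checks `'mount,'`, while the comment and the tests under it concern pivot_root mediation; a parser could presumably accept mount rules without accepting pivot_root rules, and the wrong branch would then be taken. If the profiles generated further down contain pivot_root rules, probing that syntax directly, e.g. `"$(parser_supports 'pivot_root,')" != "true"`, would match what is actually compiled. The `if` body continues past the end of the hunk, so the generated rules are not visible here.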
diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
index 3036cbb..bcbe7ea 100755
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -58,6 +58,30 @@ requires_query_interface()
fi
}
+parser_supports()
+{
+ for R in $@ ; do
+ echo "/test { $R }" | $subdomain ${parser_args} -qQT 2>/dev/null 1>/dev/null
+ if [ $? -ne 0 ] ; then
+ echo "Compiler does not support rule '$R'"
+ return 1;
+ fi
+ done
+
+ echo "true"
+ return 0;
+}
+
+requires_parser_support()
+{
+ local res=$(parser_supports $@)
+ if [ "$res" != "true" ] ; then
+ echo "$res. Skipping tests ..."
+ exit 0
+ fi
+}
+
+
fatalerror()
{
# global _fatal
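Review bot: In `parser_supports`, every non-zero exit from `$subdomain` is reported as "Compiler does not support rule" with stdout and stderr both discarded, so a parser that fails for an unrelated reason (for example an unset `$subdomain` or a bad `${parser_args}`) looks the same as a missing feature, and `requires_parser_support` then does `exit 0`, skipping the mediation tests while the run still appears green. Probing an empty baseline profile first, such as `echo "/test { }" | $subdomain ${parser_args} -qQT`, and treating its failure as an error rather than a skip would separate the two cases. Separately, `$@` is unquoted in both functions, so a rule containing spaces is split into fragments that are probed one by one; `for R in "$@" ; do` and `local res=$(parser_supports "$@")` keep each rule intact. `R` is also left global, and a `local R` at the top of `parser_supports` would stop it leaking into the scripts that source prologue.inc.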
diff --git a/tests/regression/apparmor/ptrace.sh b/tests/regression/apparmor/ptrace.sh
index 64cdf24..17771d0 100755
--- a/tests/regression/apparmor/ptrace.sh
+++ b/tests/regression/apparmor/ptrace.sh
@@ -52,7 +52,7 @@ runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true
runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
-if [ "$(have_features ptrace)" == "true" ] ; then
+if [ "$(have_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
. $bin/ptrace_v6.inc
else
. $bin/ptrace_v5.inc
diff --git a/tests/regression/apparmor/socketpair.sh b/tests/regression/apparmor/socketpair.sh
index 378fc08..4e56707 100755
--- a/tests/regression/apparmor/socketpair.sh
+++ b/tests/regression/apparmor/socketpair.sh
@@ -34,7 +34,7 @@ af_unix_create=""
af_unix_create_label=""
af_unix_inherit=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
# AppArmor requires that the process inheriting the sock file
# descriptors have send,receive perms in its profile
af_unix_create="unix:(create,getopt)"
diff --git a/tests/regression/apparmor/unix_fd_server.sh b/tests/regression/apparmor/unix_fd_server.sh
index b38ec68..fc2b947 100755
--- a/tests/regression/apparmor/unix_fd_server.sh
+++ b/tests/regression/apparmor/unix_fd_server.sh
@@ -27,7 +27,7 @@ okperm=rw
badperm=w
af_unix=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
af_unix="unix:create"
fi
@@ -137,7 +137,7 @@ runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd
sleep 1
rm -f ${socket}
-if [ "$(have_features policy/versions/v6)" == "true" ] ; then
+if [ "$(have_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
# FAIL - confined client, no access to the socket file
genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix
diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh
index 7c14f3e..6a949c1 100644
--- a/tests/regression/apparmor/unix_socket_abstract.sh
+++ b/tests/regression/apparmor/unix_socket_abstract.sh
@@ -30,6 +30,7 @@ bin=$pwd
. $bin/unix_socket.inc
requires_features policy/versions/v7
requires_features network/af_unix
+requires_parser_support "unix,"
settest unix_socket
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 078e557..be3631d 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -52,7 +52,7 @@ fi
# af_unix support requires 'unix getattr' to call getsockname()
af_unix_okserver=
af_unix_okclient=
-if [ "$(have_features network/af_unix)" == "true" ] ; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
af_unix_okserver="create,setopt"
af_unix_okclient="create,getopt,setopt,getattr"
fi
diff --git a/tests/regression/apparmor/unix_socket_unnamed.sh b/tests/regression/apparmor/unix_socket_unnamed.sh
index 3293fec..b834888 100644
--- a/tests/regression/apparmor/unix_socket_unnamed.sh
+++ b/tests/regression/apparmor/unix_socket_unnamed.sh
@@ -30,6 +30,7 @@ bin=$pwd
. $bin/unix_socket.inc
requires_features policy/versions/v7
requires_features network/af_unix
+requires_parser_support "unix,"
settest unix_socket
--
2.1.4