[apparmor] [PATCH 1/6] tests: Add changeprofile regression tests for stacking

Tyler Hicks tyhicks at canonical.com
Thu Mar 10 09:09:24 UTC 2016


The idea is that the $test profile grants $file access and the
$othertest profile grants $subfile access. Both profiles grant
$stacktest access. The tests verify that after changing to the stacked
$othertest//&$test profile, only $stacktest can be accessed.

Similar tests are also added for stacking with a namespaced profile.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/changeprofile.sh | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/tests/regression/apparmor/changeprofile.sh b/tests/regression/apparmor/changeprofile.sh
index 04b4cf1..dd217e9 100755
--- a/tests/regression/apparmor/changeprofile.sh
+++ b/tests/regression/apparmor/changeprofile.sh
@@ -21,6 +21,7 @@ bin=$pwd
 
 file=$tmpdir/file
 subfile=$tmpdir/file2
+stackfile=$tmpdir/file3
 okperm=rw
 
 othertest="$pwd/rename"
@@ -32,7 +33,7 @@ subtest3="$pwd//sub3"
 nstest=":ns:changeprofile"
 
 
-touch $file $subfile
+touch $file $subfile $stackfile
 
 # CHANGEPROFILE UNCONFINED
 runchecktest "CHANGEPROFILE (unconfined - nochange)" pass nochange $file
@@ -85,3 +86,26 @@ $nstest { $subfile ${okperm}, }
 EOF
 runchecktest "CHANGEPROFILE_NS (access sub file)" pass $nstest $subfile
 runchecktest "CHANGEPROFILE_NS (access file)" fail $nstest $file
+
+if [ "$(kernel_features domain/stack)" != "true" ]; then
+	echo "      WARNING: kernel does not support stacking, skipping tests ..."
+else
+	genprofile $file:$okperm $stackfile:$okperm 'change_profile->':"&$othertest" -- image=$othertest $subfile:$okperm $stackfile:$okperm
+	runchecktest "CHANGEPROFILE_STACK (nochange access file)" pass nochange $file
+	runchecktest "CHANGEPROFILE_STACK (nochange access sub file)" fail nochange $subfile
+	runchecktest "CHANGEPROFILE_STACK (nochange access stack file)" pass nochange $stackfile
+	runchecktest "CHANGEPROFILE_STACK (access sub file)" fail "&$othertest" $subfile
+	runchecktest "CHANGEPROFILE_STACK (access file)" fail "&$othertest" $file
+	runchecktest "CHANGEPROFILE_STACK (access stack file)" pass "&$othertest" $stackfile
+
+	genprofile --stdin <<EOF
+$test { file, audit deny $subfile $okperm, $stackfile $okperm, change_profile -> &${nstest}, }
+$nstest { $subfile $okperm, $stackfile $okperm, }
+EOF
+	runchecktest "CHANGEPROFILE_NS_STACK (nochange access file)" pass nochange $file
+	runchecktest "CHANGEPROFILE_NS_STACK (nochange access sub file)" fail "&$nstest" $subfile
+	runchecktest "CHANGEPROFILE_NS_STACK (nochange access stack file)" pass "&$nstest" $stackfile
+	runchecktest "CHANGEPROFILE_NS_STACK (access sub file)" fail "&$nstest" $subfile
+	runchecktest "CHANGEPROFILE_NS_STACK (access file)" fail "&$nstest" $file
+	runchecktest "CHANGEPROFILE_NS_STACK (access stack file)" pass "&$nstest" $stackfile
+fi
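Review bot: The two CHANGEPROFILE_NS_STACK "nochange" checks on the lines just after the second genprofile pass `"&$nstest"` as the profile argument, so they never exercise the no-change path and are byte-for-byte duplicates of the "access sub file" and "access stack file" checks below them; the earlier CHANGEPROFILE_STACK block passes `nochange` for the same cases, which looks like the intended form. Changing them to `runchecktest "CHANGEPROFILE_NS_STACK (nochange access sub file)" fail nochange $subfile` and `runchecktest "CHANGEPROFILE_NS_STACK (nochange access stack file)" pass nochange $stackfile` makes the NS_STACK block mirror the non-namespaced one and restores coverage of the pre-change state, where the `audit deny $subfile` rule in $test is what should make the sub-file check fail. The skip branch only prints a warning; if the harness counts skipped tests elsewhere it may be worth hedging that this silently reduces coverage on kernels without domain/stack, but nothing in the hunk shows how warnings are tallied.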
-- 
2.7.0



