[apparmor] [PATCH 6/6] tests: Add exec_stack regression tests

Tyler Hicks tyhicks at canonical.com
Thu Mar 10 09:09:29 UTC 2016 

Add tests for px stacking transitions.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/Makefile      |   1 +
 tests/regression/apparmor/exec_stack.sh | 128 ++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)
 create mode 100755 tests/regression/apparmor/exec_stack.sh

diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
index fd80611..21c7fb3 100644
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@@ -190,6 +190,7 @@ TESTS=aa_exec \
       environ \
       exec \
       exec_qual \
+      exec_stack \
       fchdir \
       fd_inheritance \
       fork \
diff --git a/tests/regression/apparmor/exec_stack.sh b/tests/regression/apparmor/exec_stack.sh
new file mode 100755
index 0000000..1dd42fb
--- /dev/null
+++ b/tests/regression/apparmor/exec_stack.sh
@@ -0,0 +1,128 @@
+#! /bin/bash
+#	Copyright (C) 2016 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME exec_stack
+#=DESCRIPTION
+# Verifies basic file access permission checks for a parent profile and a
+# stacked subprofile through exec transitions
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+requires_kernel_features domain/stack
+settest stacking
+
+file=$tmpdir/file
+otherfile=$tmpdir/file2
+thirdfile=$tmpdir/file3
+sharedfile=$tmpdir/file.shared
+okperm=rw
+
+fileok="${file}:${okperm}"
+otherok="${otherfile}:${okperm}"
+thirdok="${thirdfile}:${okperm}"
+sharedok="${sharedfile}:${okperm}"
+
+getcon="/proc/*/attr/current:r"
+
+othertest="$pwd/rename"
+thirdtest="$pwd/exec"
+
+touch $file $otherfile $sharedfile $thirdfile
+
+# Verify file access and contexts by an unconfined process
+runchecktest "EXEC_STACK (unconfined - file)" pass -f $file
+runchecktest "EXEC_STACK (unconfined - otherfile)" pass -f $otherfile
+runchecktest "EXEC_STACK (unconfined - thirdfile)" pass -f $thirdfile
+runchecktest "EXEC_STACK (unconfined - sharedfile)" pass -f $sharedfile
+
+runchecktest "EXEC_STACK (unconfined - okcon)" pass -l unconfined -m '(null)'
+runchecktest "EXEC_STACK (unconfined - bad label)" fail -l "$test" -m '(null)'
+runchecktest "EXEC_STACK (unconfined - bad mode)" fail -l unconfined -m enforce
+
+# Verify file access and contexts by a non-stacked profile
+genprofile $fileok $sharedok $getcon
+runchecktest "EXEC_STACK (not stacked - file)" pass -f $file
+runchecktest_errno EACCES "EXEC_STACK (not stacked - otherfile)" fail -f $otherfile
+runchecktest_errno EACCES "EXEC_STACK (not stacked - thirdfile)" fail -f $thirdfile
+runchecktest "EXEC_STACK (not stacked - sharedfile)" pass -f $sharedfile
+
+runchecktest "EXEC_STACK (not stacked - okcon)" pass -l "$test" -m enforce
+runchecktest "EXEC_STACK (not stacked - bad label)" fail -l "${test}XXX" -m enforce
+runchecktest "EXEC_STACK (not stacked - bad mode)" fail -l "$test" -m complain
+
+# Verify file access and contexts by 2 stacked profiles
+genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
+	image=$othertest $otherok $sharedok $getcon $test:r
+runchecktest_errno EACCES "EXEC_STACK (2 stacked - file)" fail -- $test -f $file
+runchecktest_errno EACCES "EXEC_STACK (2 stacked - otherfile)" fail -- $test -f $otherfile
+runchecktest_errno EACCES "EXEC_STACK (2 stacked - thirdfile)" fail -- $test -f $thirdfile
+runchecktest "EXEC_STACK (2 stacked - sharedfile)" pass -- $test -f $sharedfile
+
+runchecktest "EXEC_STACK (2 stacked - okcon)" pass -- $test -l "${test}//&${othertest}" -m enforce
+runchecktest "EXEC_STACK (2 stacked - bad label)" fail -- $test -l "${test}//&${test}" -m enforce
+runchecktest "EXEC_STACK (2 stacked - bad mode)" fail -- $test -l "${test}//&${test}" -m '(null)'
+
+# Verify file access and contexts by 3 stacked profiles
+genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
+	image=$othertest $otherok $sharedok $getcon $test:"rix -> &$thirdtest" -- \
+	image=$thirdtest $thirdok $sharedok $getcon $test:r
+runchecktest_errno EACCES "EXEC_STACK (3 stacked - file)" fail -- $test -- $test -f $file
+runchecktest_errno EACCES "EXEC_STACK (3 stacked - otherfile)" fail -- $test -- $test -f $otherfile
+runchecktest_errno EACCES "EXEC_STACK (3 stacked - thirdfile)" fail -- $test -- $test -f $thirdfile
+runchecktest "EXEC_STACK (3 stacked - sharedfile)" pass -- $test -- $test -f $sharedfile
+
+runchecktest "EXEC_STACK (3 stacked - okcon)" pass -- $test -- $test -l "${thirdtest}//&${test}//&${othertest}" -m enforce
+
+# Triggered a kernel BUG in the initial stacking patch set
+runchecktest "EXEC_STACK (3 stacked - BUG)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
+
+ns="ns"
+prof="stackprofile"
+nstest=":${ns}:${prof}"
+# Verify file access and contexts by stacking a profile with a namespaced profile
+genprofile --stdin <<EOF
+$test {
+  file,
+  audit deny $otherfile $okperm,
+  $test ix -> &$nstest,
+}
+
+$nstest {
+  $otherfile $okperm,
+  $sharedfile $okperm,
+  /proc/*/attr/current r,
+}
+EOF
+runchecktest_errno EACCES "EXEC_STACK (stacked with namespaced profile - file)" fail -- $test -f $file
+runchecktest_errno EACCES "EXEC_STACK (stacked with namespaced profile - otherfile)" fail -- $test -f $otherfile
+runchecktest_errno EACCES "EXEC_STACK (stacked with namespaced profile - thirdfile)" fail -- $test -f $thirdfile
+runchecktest "EXEC_STACK (stacked with namespaced profile - sharedfile)" pass -- $test -f $sharedfile
+
+runchecktest "EXEC_STACK (stacked with namespaced profile - okcon)" pass -- $test -l $prof -m enforce
+
+# Verify file access and contexts in mixed mode
+genprofile -I $fileok $sharedok $getcon $test:"ix -> &$othertest" -- \
+	image=$othertest flag:complain $otherok $sharedok $getcon $test:r
+runchecktest "EXEC_STACK (mixed mode - file)" pass -- $test -f $file
+runchecktest_errno EACCES "EXEC_STACK (mixed mode - otherfile)" fail -- $test -f $otherfile
+runchecktest "EXEC_STACK (mixed mode - sharedfile)" pass -- $test -f $sharedfile
+
+runchecktest "EXEC_STACK (mixed mode - okcon)" pass -- $test -l "${othertest}//&${test}" -m mixed
+
+# Verify file access and contexts in complain mode
+genprofile -I flag:complain $getcon $test:"ix -> &$othertest" -- \
+	image=$othertest flag:complain $getcon
+runchecktest "EXEC_STACK (complain mode - file)" pass -- $test -f $file
+
+runchecktest "EXEC_STACK (complain mode - okcon)" pass -- $test -l "${test}//&${othertest}" -m complain
-- 
2.7.0

More information about the AppArmor mailing list