[apparmor] [patch 4/5] tests: onexec test needs signal permission to stop itself
steve at nxnw.org
steve at nxnw.org
Fri Mar 18 17:29:08 UTC 2016
Now that the onexec test program notices that it failed to send SIGSTOP
to itself, causing a whole bunch of tests to be detected as failing,
grant the ability to send and receive signals to the onexec tests.
(The onexec tests are not tests intended to verify signal mediation.)
Signed-off-by: Steve Beattie <steve at nxnw.org>
---
tests/regression/apparmor/onexec.sh | 30 +++++++++++++++++-------------
1 file changed, 17 insertions(+), 13 deletions(-)
Index: b/tests/regression/apparmor/onexec.sh
===================================================================
--- a/tests/regression/apparmor/onexec.sh
+++ b/tests/regression/apparmor/onexec.sh
@@ -146,55 +146,59 @@ do_test "override px" unconfined $bin/rw
#------
+# NOTE: test program pauses for the driver script to catch up by sending
+# and recieving SIGSTOP/SIGCONT, so the onexec program needs access to
+# signals (this is not a script to test signal mediation)
+
# ONEXEC from CONFINED - don't change profile, open can't exec
-genprofile 'change_profile->':$bin/rw $onexec:w
+genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL
do_test "no px perm" $bin/onexec nochange fail $bin/open $file
# ONEXEC from CONFINED - don't change profile, open is run unconfined
-genprofile 'change_profile->':$bin/rw $bin/open:rux $onexec:w
+genprofile 'change_profile->':$bin/rw $bin/open:rux $onexec:w signal:ALL
do_test "nochange rux" $bin/onexec nochange pass $bin/open $file
# ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
-genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/open $file:rw
+genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/open $file:rw
do_test "nochange px - no px perm" $bin/onexec nochange fail $bin/open $file
# ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
-genprofile 'change_profile->':$bin/rw $bin/open:rpx $onexec:w -- image=$bin/open
+genprofile 'change_profile->':$bin/rw $bin/open:rpx $onexec:w signal:ALL -- image=$bin/open
do_test "nochange px - no file perm" $bin/onexec nochange fail $bin/open $file
# ONEXEC from CONFINED - target does NOT exist
-genprofile 'change_profile->':$bin/open $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
+genprofile 'change_profile->':$bin/open $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
do_test "noexist px" $bin/onexec noexist fail $bin/open $file
# ONEXEC from CONFINED - change to rw profile, no exec profile to override
-genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix $file:rw
+genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw
do_test "change profile - override rix" $bin/onexec $bin/rw pass $bin/open $file
# ONEXEC from CONFINED - change to rw profile, no exec profile to override, no explicit access to /proc/*/attr/exec
-genprofile 'change_profile->':$bin/rw -- image=$bin/rw $bin/open:rix $file:rw
+genprofile 'change_profile->':$bin/rw signal:ALL -- image=$bin/rw $bin/open:rix $file:rw
do_test "change profile - no onexec:w" $bin/onexec $bin/rw pass $bin/open $file
# ONEXEC from CONFINED - don't change profile, make sure exec profile is applied
-genprofile 'change_profile->':$bin/rw $onexec:w $bin/open:rpx -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
+genprofile 'change_profile->':$bin/rw $onexec:w $bin/open:rpx signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
do_test "nochange px" $bin/onexec nochange pass $bin/open $file
# ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
+genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
do_test "override px" $bin/onexec $bin/rw pass $bin/open $file
# ONEXEC from - change to rw profile, override regular exec profile, exec profile has perms, rw doesn't
-genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix -- image=$bin/open $file:rw
+genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix -- image=$bin/open $file:rw
do_test "override px" $bin/onexec $bin/rw fail $bin/open $file
# ONEXEC from COFINED - change to rw profile via glob rule, override exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
+genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
do_test "glob override px" $bin/onexec $bin/rw pass $bin/open $file
# ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
+genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
do_test "glob override px" $bin/onexec $bin/open fail $bin/open $file
# ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile has perms
-genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
+genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
do_test "glob override px" $bin/onexec $bin/rw pass $bin/open $file
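Review bot: `signal:ALL` on the thirteen changed `genprofile` lines grants every signal in both directions, while the new NOTE comment names only the SIGSTOP/SIGCONT pause handshake with the driver script. If genprofile accepts a narrower signal rule (not visible in this hunk), using it would keep these confined profiles closer to least privilege; otherwise the NOTE should say the breadth is deliberate, e.g. `# signal:ALL is broader than the SIGSTOP/SIGCONT handshake needs; kept broad because this script does not test signal mediation`. In the same comment, "recieving" should read "receiving". The grant is added only to the first profile on each line, not to the `image=` profiles after `--`, which looks right if the pause always happens before the exec, but that ordering is outside this hunk and worth confirming.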