[apparmor] [PATCH v2 3/7] tests: Create a program for stacking tests to use
Tyler Hicks
tyhicks at canonical.com
Fri Mar 18 21:17:12 UTC 2016
Stacking is a complex feature and, in order to sufficiently test all
aspects of stacking, a relatively complex test program is needed.
This patch adds a program that can call
aa_stack_onexec()/aa_stack_profile(), perform file IO on a given file
path, verify that the current confinement context is what it is expected
to be, and/or execute itself or another program.
The confinement context verification can handle stacked labels with any
ordering.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/Makefile | 1 +
tests/regression/apparmor/stacking.c | 337 +++++++++++++++++++++++++++++++++++
2 files changed, 338 insertions(+)
create mode 100644 tests/regression/apparmor/stacking.c
diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
index a6581e0..622986f 100644
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@@ -119,6 +119,7 @@ SRC=access.c \
readdir.c \
rw.c \
socketpair.c \
+ stacking.c \
symlink.c \
syscall_mknod.c \
swap.c \
diff --git a/tests/regression/apparmor/stacking.c b/tests/regression/apparmor/stacking.c
new file mode 100644
index 0000000..ac1afce
--- /dev/null
+++ b/tests/regression/apparmor/stacking.c
@@ -0,0 +1,337 @@
+/*
+ * Copyright (C) 2014-2016 Canonical, Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, contact Canonical Ltd.
+ */
+
+#define _GNU_SOURCE
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/apparmor.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "changehat.h" /* for do_open() */
+
+#define STACK_DELIM "//&"
+#define STACK_DELIM_LEN strlen(STACK_DELIM)
+
+#define NO_MODE "(null)"
+
+static void file_io(const char *file)
+{
+ int rc = do_open(file);
+
+ if (rc != 0)
+ exit(rc);
+}
+
+struct single_label {
+ const char *label;
+ size_t len;
+};
+
+#define MAX_LABELS 32
+
+struct compound_label {
+ size_t num_labels;
+ struct single_label labels[MAX_LABELS];
+};
+
+/**
+ * Initializes @sl by parsing @compound_label. Returns a pointer to the
+ * location of the next label in the compound label string, which should be
+ * passed in as @compound_label the next time that next_label() is called. NULL
+ * is returned when there are no more labels in @compound_label.
+ */
+static const char *next_label(struct single_label *sl,
+ const char *compound_label)
+{
+ const char *delim;
+
+ if (!compound_label || compound_label[0] == '\0')
+ return NULL;
+
+ delim = strstr(compound_label, STACK_DELIM);
+ if (!delim) {
+ sl->label = compound_label;
+ sl->len = strlen(sl->label);
+ return sl->label + sl->len;
+ }
+
+ sl->label = compound_label;
+ sl->len = delim - sl->label;
+ return delim + STACK_DELIM_LEN;
+}
+
+/* Returns true if the compound label was constructed successfully */
+static bool compound_label_init(struct compound_label *cl,
+ const char *compound_label)
+{
+ memset(cl, 0, sizeof(*cl));
+ while ((compound_label = next_label(&cl->labels[cl->num_labels],
+ compound_label))) {
+ cl->num_labels++;
+
+ if (cl->num_labels == MAX_LABELS)
+ return false;
+ }
+
+ return true;
+}
+
+/* Returns true if the compound label contains the single label */
+static bool compound_label_contains(struct compound_label *cl,
+ struct single_label *sl)
+{
+ bool matched = false;
+ size_t i;
+
+ for (i = 0; !matched && i < cl->num_labels; i++) {
+ if (cl->labels[i].len != sl->len)
+ continue;
+
+ if (strncmp(cl->labels[i].label, sl->label, sl->len))
+ continue;
+
+ matched = true;
+ }
+
+ return matched;
+}
+
+/* Returns true if the two compound labels contain the same label sets */
+static bool compound_labels_equal(struct compound_label *cl1,
+ struct compound_label *cl2)
+{
+ size_t i;
+
+ if (cl1->num_labels != cl2->num_labels)
+ return false;
+
+ for (i = 0; i < cl1->num_labels; i++) {
+ if (!compound_label_contains(cl2, &cl1->labels[i]))
+ return false;
+ }
+
+ return true;
+}
+
+/**
+ * Verifies that the current confinement context matches the expected context.
+ *
+ * Either @expected_label or @expected_mode can be NULL if their values should
+ * not be verified. If a NULL mode is expected, as what happens when an
+ * unconfined process calls aa_getcon(2), then @expected_mode should be equal
+ * to NO_MODE.
+ */
+static void verify_confinement_context(const char *expected_label,
+ const char *expected_mode)
+{
+ char *label, *mode;
+ int expected_rc, rc;
+ bool null_expected_mode = expected_mode ?
+ strcmp(NO_MODE, expected_mode) == 0 : false;
+
+ rc = aa_getcon(&label, &mode);
+ if (rc < 0) {
+ int err = errno;
+ fprintf(stderr, "FAIL - aa_getcon: %m");
+ exit(err);
+ }
+
+ if (expected_label) {
+ struct compound_label cl, expected_cl;
+
+ if (!compound_label_init(&cl, label)) {
+ fprintf(stderr, "FAIL - could not parse current compound label: %s\n",
+ label);
+ rc = EINVAL;
+ goto err;
+ }
+
+ if (!compound_label_init(&expected_cl, expected_label)) {
+ fprintf(stderr, "FAIL - could not parse expected compound label: %s\n",
+ expected_label);
+ rc = EINVAL;
+ goto err;
+ }
+
+ if (!compound_labels_equal(&cl, &expected_cl)) {
+ fprintf(stderr, "FAIL - label \"%s\" != expected_label \"%s\"\n",
+ label, expected_label);
+ rc = EINVAL;
+ goto err;
+ }
+ }
+
+ if (expected_mode &&
+ ((!mode && !null_expected_mode) ||
+ (mode && strcmp(mode, expected_mode)))) {
+ fprintf(stderr, "FAIL - mode \"%s\" != expected_mode \"%s\"\n",
+ mode, expected_mode);
+ rc = EINVAL;
+ goto err;
+ }
+
+ expected_rc = expected_label ? strlen(expected_label) : strlen(label);
+
+ /**
+ * Add the expected bytes following the returned label string:
+ *
+ * ' ' + '(' + mode + ')'
+ */
+ if (expected_mode && !null_expected_mode)
+ expected_rc += 1 + 1 + strlen(expected_mode) + 1;
+ else if (mode)
+ expected_rc += 1 + 1 + strlen(mode) + 1;
+
+ expected_rc++; /* Trailing NUL terminator */
+
+ if (rc != expected_rc) {
+ fprintf(stderr, "FAIL - rc (%d) != expected_rc (%d)\n",
+ rc, expected_rc);
+ rc = EINVAL;
+ goto err;
+ }
+
+ return;
+err:
+ free(label);
+ exit(EINVAL);
+}
+
+static void stack_onexec(const char *label)
+{
+ if (aa_stack_onexec(label) != 0) {
+ int err = errno;
+ perror("FAIL - aa_stack_onexec");
+ exit(err);
+ }
+}
+
+static void stack_profile(const char *label)
+{
+ if (aa_stack_profile(label) != 0) {
+ int err = errno;
+ perror("FAIL - aa_stack_profile");
+ exit(err);
+ }
+}
+
+static void exec(const char *prog, char **argv)
+{
+ int err;
+
+ execv(prog, argv);
+ err = errno;
+ perror("FAIL - execv");
+ exit(err);
+}
+
+static void usage(const char *prog)
+{
+ fprintf(stderr,
+ "%s: [-o <LABEL> | -p <LABEL>] [-l <LABEL>] [-m <MODE>] [-f <FILE>] [-- ... [-- ...]]\n"
+ " -o <LABEL>\tCall aa_stack_onexec(LABEL)\n"
+ " -p <LABEL>\tCall aa_stack_profile(LABEL)\n"
+ " -l <LABEL>\tVerify that aa_getcon() returns LABEL\n"
+ " -m <MODE>\tVerify that aa_getcon() returns MODE. Set to \"%s\" if a NULL mode is expected.\n"
+ " -f <FILE>\tOpen FILE and attempt to write to and read from it\n\n"
+ "If \"--\" is encountered, execv() will be called using the following argument\n"
+ "as the program to execute and passing it all of the arguments following the\n"
+ "program name.\n", prog, NO_MODE);
+ exit(EINVAL);
+}
+
+struct options {
+ const char *file;
+ const char *expected_label;
+ const char *expected_mode;
+ const char *stack_onexec;
+ const char *stack_profile;
+ const char *exec;
+ char **exec_argv;
+};
+
+static void parse_opts(int argc, char **argv, struct options *opts)
+{
+ int o;
+
+ memset(opts, 0, sizeof(*opts));
+ while ((o = getopt(argc, argv, "f:l:m:o:p:")) != -1) {
+ switch (o) {
+ case 'f': /* file */
+ opts->file = optarg;
+ break;
+ case 'l': /* expected label */
+ opts->expected_label = optarg;
+ break;
+ case 'm': /* expected mode */
+ opts->expected_mode = optarg;
+ break;
+ case 'o': /* aa_stack_onexec */
+ opts->stack_onexec = optarg;
+ break;
+ case 'p': /* aa_stack_profile */
+ opts->stack_profile = optarg;
+ break;
+ default: /* '?' */
+ usage(argv[0]);
+ }
+ }
+
+ /* Can only specify one or the other */
+ if (opts->stack_onexec && opts->stack_profile) {
+ usage(argv[0]);
+ }
+
+ if (optind < argc) {
+ /* Ensure that the previous option was "--" */
+ if (optind == 0 || strcmp("--", argv[optind - 1]))
+ usage(argv[0]);
+
+ opts->exec = argv[optind];
+ opts->exec_argv = &argv[optind];
+ }
+}
+
+int main(int argc, char **argv)
+{
+ struct options opts;
+
+ parse_opts(argc, argv, &opts);
+
+ if (opts.stack_onexec)
+ stack_onexec(opts.stack_onexec);
+ else if (opts.stack_profile)
+ stack_profile(opts.stack_profile);
+
+ if (opts.file)
+ file_io(opts.file);
+
+ if (opts.expected_label || opts.expected_mode)
+ verify_confinement_context(opts.expected_label,
+ opts.expected_mode);
+
+ if (opts.exec)
+ exec(opts.exec, opts.exec_argv);
+
+ printf("PASS\n");
+ exit(0);
+}
+
--
2.7.3
More information about the AppArmor
mailing list