[apparmor] [patch 4/5] tests: onexec test needs signal permission to stop itself
Tyler Hicks
tyhicks at canonical.com
Fri Mar 18 22:21:55 UTC 2016
On 2016-03-18 10:29:08, steve at nxnw.org wrote:
> Now that the onexec test program notices that it failed to send SIGSTOP
> to itself, causing a whole bunch of tests to be detected as failing,
> grant the ability to send and receive signals to the onexec tests.
> (The onexec tests are not tests intended to verify signal mediation.)
>
> Signed-off-by: Steve Beattie <steve at nxnw.org>
Acked-by: Tyler Hicks <tyhicks at canonical.com>
Thanks!
> ---
> tests/regression/apparmor/onexec.sh | 30 +++++++++++++++++-------------
> 1 file changed, 17 insertions(+), 13 deletions(-)
>
> Index: b/tests/regression/apparmor/onexec.sh
> ===================================================================
> --- a/tests/regression/apparmor/onexec.sh
> +++ b/tests/regression/apparmor/onexec.sh
> @@ -146,55 +146,59 @@ do_test "override px" unconfined $bin/rw
>
> #------
>
> +# NOTE: test program pauses for the driver script to catch up by sending
> +# and recieving SIGSTOP/SIGCONT, so the onexec program needs access to
> +# signals (this is not a script to test signal mediation)
> +
> # ONEXEC from CONFINED - don't change profile, open can't exec
> -genprofile 'change_profile->':$bin/rw $onexec:w
> +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL
> do_test "no px perm" $bin/onexec nochange fail $bin/open $file
>
> # ONEXEC from CONFINED - don't change profile, open is run unconfined
> -genprofile 'change_profile->':$bin/rw $bin/open:rux $onexec:w
> +genprofile 'change_profile->':$bin/rw $bin/open:rux $onexec:w signal:ALL
> do_test "nochange rux" $bin/onexec nochange pass $bin/open $file
>
> # ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
> -genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/open $file:rw
> +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/open $file:rw
> do_test "nochange px - no px perm" $bin/onexec nochange fail $bin/open $file
>
> # ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
> -genprofile 'change_profile->':$bin/rw $bin/open:rpx $onexec:w -- image=$bin/open
> +genprofile 'change_profile->':$bin/rw $bin/open:rpx $onexec:w signal:ALL -- image=$bin/open
> do_test "nochange px - no file perm" $bin/onexec nochange fail $bin/open $file
>
> # ONEXEC from CONFINED - target does NOT exist
> -genprofile 'change_profile->':$bin/open $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
> +genprofile 'change_profile->':$bin/open $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
> do_test "noexist px" $bin/onexec noexist fail $bin/open $file
>
> # ONEXEC from CONFINED - change to rw profile, no exec profile to override
> -genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix $file:rw
> +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw
> do_test "change profile - override rix" $bin/onexec $bin/rw pass $bin/open $file
>
> # ONEXEC from CONFINED - change to rw profile, no exec profile to override, no explicit access to /proc/*/attr/exec
> -genprofile 'change_profile->':$bin/rw -- image=$bin/rw $bin/open:rix $file:rw
> +genprofile 'change_profile->':$bin/rw signal:ALL -- image=$bin/rw $bin/open:rix $file:rw
> do_test "change profile - no onexec:w" $bin/onexec $bin/rw pass $bin/open $file
>
> # ONEXEC from CONFINED - don't change profile, make sure exec profile is applied
> -genprofile 'change_profile->':$bin/rw $onexec:w $bin/open:rpx -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
> +genprofile 'change_profile->':$bin/rw $onexec:w $bin/open:rpx signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
> do_test "nochange px" $bin/onexec nochange pass $bin/open $file
>
> # ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
> -genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
> +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
> do_test "override px" $bin/onexec $bin/rw pass $bin/open $file
>
> # ONEXEC from - change to rw profile, override regular exec profile, exec profile has perms, rw doesn't
> -genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw $bin/open:rix -- image=$bin/open $file:rw
> +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix -- image=$bin/open $file:rw
> do_test "override px" $bin/onexec $bin/rw fail $bin/open $file
>
> # ONEXEC from COFINED - change to rw profile via glob rule, override exec profile, exec profile doesn't have perms
> -genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
> +genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
> do_test "glob override px" $bin/onexec $bin/rw pass $bin/open $file
>
> # ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile doesn't have perms
> -genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
> +genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
> do_test "glob override px" $bin/onexec $bin/open fail $bin/open $file
>
> # ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile has perms
> -genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
> +genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
> do_test "glob override px" $bin/onexec $bin/rw pass $bin/open $file
>
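Review bot: `signal:ALL` on every `genprofile` line grants the confined onexec profile all signal permissions towards all peers, although the new NOTE comment says only the SIGSTOP/SIGCONT handshake with the driver script is needed. These profiles exist to check change_profile and exec transitions, so a rule narrowed to that handshake would keep them closer to least privilege and would not mask an unrelated signal-mediation regression. In policy terms that is roughly `signal (send, receive) set=(stop)` towards the profile itself plus `signal (receive) set=(cont) peer=unconfined`. Whether `genprofile` can express that restriction is not visible in this hunk, so confirm it before tightening. The rule is added only to the first profile of each multi-profile call, which looks right if the pause happens before the exec, but that depends on the onexec test program, which is outside this patch. The comment also has a typo: `recieving` should be `receiving`.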
>
>