[apparmor] [PATCH v2 1/7] tests: Add changeprofile regression tests for stacking

Tyler Hicks tyhicks at canonical.com
Sat Mar 19 06:03:35 UTC 2016


On 2016-03-18 22:20:01, Steve Beattie wrote:
> On Fri, Mar 18, 2016 at 04:17:10PM -0500, Tyler Hicks wrote:
> > The idea is that the $test profile grants $file access and the
> > $othertest profile grants $subfile access. Both profiles grant
> > $stacktest access. The tests verify that after changing to the stacked
> > $othertest//&$test profile, only $stacktest can be accessed.
> > 
> > Similar tests are also added for stacking with a namespaced profile.
> > 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> >  tests/regression/apparmor/changeprofile.sh | 26 +++++++++++++++++++++++++-
> >  1 file changed, 25 insertions(+), 1 deletion(-)
> > 
> > diff --git a/tests/regression/apparmor/changeprofile.sh b/tests/regression/apparmor/changeprofile.sh
> > index 1105730..66b078d 100755
> > --- a/tests/regression/apparmor/changeprofile.sh
> > +++ b/tests/regression/apparmor/changeprofile.sh
> > @@ -21,6 +21,7 @@ bin=$pwd
> >  
> >  file=$tmpdir/file
> >  subfile=$tmpdir/file2
> > +stackfile=$tmpdir/file3
> >  okperm=rw
> >  
> >  othertest="$pwd/rename"
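Review bot: the variable introduced here is named `stackfile`, but the commit message describes the same path as `$stacktest`; pick one name for both (renaming the description to `$stackfile` is the smaller change) so a reader can match the explanation to the tests that use the variable below.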
> > @@ -32,7 +33,7 @@ subtest3="$pwd//sub3"
> >  nstest=":ns:changeprofile"
> >  
> >  
> > -touch $file $subfile
> > +touch $file $subfile $stackfile
> >  
> >  # CHANGEPROFILE UNCONFINED
> >  runchecktest "CHANGEPROFILE (unconfined - nochange)" pass nochange $file
> > @@ -85,3 +86,26 @@ $nstest { $subfile ${okperm}, }
> >  EOF
> >  runchecktest "CHANGEPROFILE_NS (access sub file)" pass $nstest $subfile
> >  runchecktest "CHANGEPROFILE_NS (access file)" fail $nstest $file
> > +
> > +if [ "$(kernel_features domain/stack)" != "true" ]; then
> > +	echo "      WARNING: kernel does not support stacking, skipping tests ..."
> > +else
> > +	genprofile $file:$okperm $stackfile:$okperm 'change_profile->':"&$othertest" -- image=$othertest $subfile:$okperm $stackfile:$okperm
> > +	runchecktest "CHANGEPROFILE_STACK (nochange access file)" pass nochange $file
> > +	runchecktest "CHANGEPROFILE_STACK (nochange access sub file)" fail nochange $subfile
> > +	runchecktest "CHANGEPROFILE_STACK (nochange access stack file)" pass nochange $stackfile
> > +	runchecktest "CHANGEPROFILE_STACK (access sub file)" fail "&$othertest" $subfile
> > +	runchecktest "CHANGEPROFILE_STACK (access file)" fail "&$othertest" $file
> > +	runchecktest "CHANGEPROFILE_STACK (access stack file)" pass "&$othertest" $stackfile
> > +
> > +	genprofile --stdin <<EOF
> > +$test { file, audit deny $subfile $okperm, $stackfile $okperm, change_profile -> &${nstest}, }
> > +$nstest { $subfile $okperm, $stackfile $okperm, }
> > +EOF
> > +	runchecktest "CHANGEPROFILE_NS_STACK (nochange access file)" pass nochange $file
> > +	runchecktest "CHANGEPROFILE_NS_STACK (nochange access sub file)" fail "&$nstest" $subfile
> > +	runchecktest "CHANGEPROFILE_NS_STACK (nochange access stack file)" pass "&$nstest" $stackfile
> 
> Shouldn't the two above have "nochange" instead of "&$nstest"?

Yes, nice catch.

> 
> With that change, Acked-by: Steve Beattie <steve at nxnw.org>. Thanks.

Thank you!

Tyler

> 
> > +	runchecktest "CHANGEPROFILE_NS_STACK (access sub file)" fail "&$nstest" $subfile
> > +	runchecktest "CHANGEPROFILE_NS_STACK (access file)" fail "&$nstest" $file
> > +	runchecktest "CHANGEPROFILE_NS_STACK (access stack file)" pass "&$nstest" $stackfile
> > +fi
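Review bot: the `(nochange access sub file)` and `(nochange access stack file)` cases in the CHANGEPROFILE_NS_STACK block pass `"&$nstest"` as the profile argument, so they exercise the stacked profile instead of the unchanged one their labels describe and duplicate the `(access sub file)` / `(access stack file)` checks that follow. The CHANGEPROFILE_STACK block above uses `nochange` for the same two cases, so these should read `runchecktest "CHANGEPROFILE_NS_STACK (nochange access sub file)" fail nochange $subfile` and `runchecktest "CHANGEPROFILE_NS_STACK (nochange access stack file)" pass nochange $stackfile`. Note that the expected results happen to be the same either way (`$test` carries `audit deny $subfile` and both profiles grant `$stackfile`), so the mislabeled lines would keep passing and the missing coverage of the unchanged profile would not show up in the run.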
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/

