[apparmor] [PATCH v2 5/7] tests: Add stackonexec regression tests
Steve Beattie
steve at nxnw.org
Sat Mar 19 07:01:29 UTC 2016
On Fri, Mar 18, 2016 at 04:17:14PM -0500, Tyler Hicks wrote:
> Add tests for the aa_stack_onexec() libapparmor function.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
> tests/regression/apparmor/Makefile | 1 +
> tests/regression/apparmor/stackonexec.sh | 158 +++++++++++++++++++++++++++++++
> 2 files changed, 159 insertions(+)
> create mode 100755 tests/regression/apparmor/stackonexec.sh
>
> diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
> index 46940c7..fd80611 100644
> --- a/tests/regression/apparmor/Makefile
> +++ b/tests/regression/apparmor/Makefile
> @@ -218,6 +218,7 @@ TESTS=aa_exec \
> swap \
> sd_flags \
> setattr \
> + stackonexec \
> stackprofile \
> symlink \
> syscall \
> diff --git a/tests/regression/apparmor/stackonexec.sh b/tests/regression/apparmor/stackonexec.sh
> new file mode 100755
> index 0000000..84295cb
> --- /dev/null
> +++ b/tests/regression/apparmor/stackonexec.sh
> @@ -0,0 +1,158 @@
> +#! /bin/bash
> +# Copyright (C) 2016 Canonical, Ltd.
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation, version 2 of the
> +# License.
> +
> +#=NAME stackonexec
> +#=DESCRIPTION
> +# Verifies basic file access permission checks for a parent profile and a
> +# stacked subprofile
> +#=END
> +
> +pwd=`dirname $0`
> +pwd=`cd $pwd ; /bin/pwd`
> +
> +bin=$pwd
> +
> +. $bin/prologue.inc
> +
> +requires_kernel_features domain/stack
> +settest stacking
> +
> +file=$tmpdir/file
> +otherfile=$tmpdir/file2
> +thirdfile=$tmpdir/file3
> +sharedfile=$tmpdir/file.shared
> +okperm=rw
> +
> +fileok="${file}:${okperm}"
> +otherok="${otherfile}:${okperm}"
> +thirdok="${thirdfile}:${okperm}"
> +sharedok="${sharedfile}:${okperm}"
> +testok="${test}:mrix"
> +
> +getcon="/proc/*/attr/current:r"
> +onexec="/proc/*/attr/exec:w"
> +
> +othertest="$pwd/rename"
> +thirdtest="$pwd/exec"
> +
> +stackotherok="change_profile->:&$othertest"
> +stackthirdok="change_profile->:&$thirdtest"
> +
> +touch $file $otherfile $sharedfile $thirdfile
> +
> +# Verify file access and contexts by an unconfined process
> +runchecktest "STACKONEXEC (unconfined - file)" pass -f $file
> +runchecktest "STACKONEXEC (unconfined - otherfile)" pass -f $otherfile
> +runchecktest "STACKONEXEC (unconfined - thirdfile)" pass -f $thirdfile
> +runchecktest "STACKONEXEC (unconfined - sharedfile)" pass -f $sharedfile
> +
> +runchecktest "STACKONEXEC (unconfined - okcon)" pass -l unconfined -m '(null)'
> +runchecktest "STACKONEXEC (unconfined - bad label)" fail -l "$test" -m '(null)'
> +runchecktest "STACKONEXEC (unconfined - bad mode)" fail -l unconfined -m enforce
> +
> +# Verify file access and contexts by a non-stacked profile
> +genprofile $fileok $sharedok $getcon
> +runchecktest "STACKONEXEC (not stacked - file)" pass -f $file
> +runchecktest_errno EACCES "STACKONEXEC (not stacked - otherfile)" fail -f $otherfile
> +runchecktest_errno EACCES "STACKONEXEC (not stacked - thirdfile)" fail -f $thirdfile
> +runchecktest "STACKONEXEC (not stacked - sharedfile)" pass -f $sharedfile
> +
> +runchecktest "STACKONEXEC (not stacked - okcon)" pass -l "$test" -m enforce
> +runchecktest "STACKONEXEC (not stacked - bad label)" fail -l "${test}XXX" -m enforce
> +runchecktest "STACKONEXEC (not stacked - bad mode)" fail -l "$test" -m complain
> +
> +# Verify file access and contexts by a profile stacked with unconfined
> +genprofile image=$othertest $otherok $sharedok $getcon
> +runchecktest_errno EACCES "STACKONEXEC (stacked with unconfined - file)" fail -o $othertest -- $test -f $file
> +runchecktest "STACKONEXEC (stacked with unconfined - otherfile)" pass -o $othertest -- $test -f $otherfile
> +runchecktest "STACKONEXEC (stacked with unconfined - sharedfile)" pass -o $othertest -- $test -f $sharedfile
> +
> +runchecktest "STACKONEXEC (stacked with unconfined - okcon)" pass -o $othertest -- $test -l "unconfined//&${othertest}" -m mixed
> +runchecktest "STACKONEXEC (stacked with unconfined - bad label)" fail -o $othertest -- $test -l "${test}//&${othertest}" -m mixed
> +runchecktest "STACKONEXEC (stacked with unconfined - bad mode)" fail -o $othertest -- $test -l "unconfined//&${othertest}" -m enforce
> +
> +removeprofile
> +# Verify that stacking a nonexistent file is properly handled
> +runchecktest_errno ENOENT "STACKONEXEC (unconfined - stack nonexistent profile)" fail -o $othertest -- $test -f $file
> +
> +# Verify file access and contexts by 2 stacked profiles
> +genprofile $fileok $sharedok $getcon $onexec $stackotherok -- \
> + image=$othertest $otherok $sharedok $getcon $testok
> +runchecktest_errno EACCES "STACKONEXEC (2 stacked - file)" fail -o $othertest -- $test -f $file
> +runchecktest_errno EACCES "STACKONEXEC (2 stacked - otherfile)" fail -o $othertest -- $test -f $otherfile
> +runchecktest_errno EACCES "STACKONEXEC (2 stacked - thirdfile)" fail -o $othertest -- $test -f $thirdfile
> +runchecktest "STACKONEXEC (2 stacked - sharedfile)" pass -o $othertest -- $test -f $sharedfile
> +
> +runchecktest "STACKONEXEC (2 stacked - okcon)" pass -o $othertest -- $test -l "${test}//&${othertest}" -m enforce
> +runchecktest "STACKONEXEC (2 stacked - bad label)" fail -o $othertest -- $test -l "${test}//&${test}" -m enforce
> +runchecktest "STACKONEXEC (2 stacked - bad mode)" fail -o $othertest -- $test -l "${test}//&${test}" -m '(null)'
> +
> +# Verify that a change_profile rule is required to aa_stack_onexec()
> +genprofile $fileok $sharedok $getcon $onexec -- \
> + image=$othertest $otherok $sharedok $getcon $testok
> +runchecktest_errno EACCES "STACKONEXEC (2 stacked - no change_profile)" fail -o $othertest -- $test -l "${test}//&${othertest}" -m enforce
> +
> +# Verify file access and contexts by 3 stacked profiles
> +genprofile $fileok $sharedok $getcon $onexec $stackotherok $stackthirdok -- \
> + image=$othertest $otherok $sharedok $getcon $onexec $testok $stackthirdok -- \
> + image=$thirdtest $thirdok $sharedok $getcon $testok
> +runchecktest_errno EACCES "STACKONEXEC (3 stacked - file)" fail -o $othertest -- $test -o $thirdtest -- $test -f $file
> +runchecktest_errno EACCES "STACKONEXEC (3 stacked - otherfile)" fail -o $othertest -- $test -o $thirdtest -- $test -f $otherfile
> +runchecktest_errno EACCES "STACKONEXEC (3 stacked - thirdfile)" fail -o $othertest -- $test -o $thirdtest -- $test -f $thirdfile
> +runchecktest "STACKONEXEC (3 stacked - sharedfile)" pass -o $othertest -- $test -o $thirdtest -- $test -f $sharedfile
> +
> +runchecktest "STACKONEXEC (3 stacked - okcon)" pass -o $othertest -- $test -o $thirdtest -- $test -l "${thirdtest}//&${test}//&${othertest}" -m enforce
> +
> +ns="ns"
> +prof="stackonexec"
> +nstest=":${ns}:${prof}"
> +# Verify file access and contexts by stacking a profile with a namespaced profile
> +genprofile --stdin <<EOF
> +$test {
> + file,
> + audit deny $otherfile $okperm,
> + audit deny $thirdfile $okperm,
> + change_profile -> &$nstest,
> +}
> +
> +$nstest {
> + file,
> + audit deny $file $okperm,
> + audit deny $thirdfile $okperm,
> +}
> +EOF
> +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - file)" fail -o $nstest -- $test -f $file
> +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - otherfile)" fail -o $nstest -- $test -f $otherfile
> +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - thirdfile)" fail -o $nstest -- $test -f $thirdfile
> +runchecktest "STACKONEXEC (stacked with namespaced profile - sharedfile)" pass -o $nstest -- $test -f $sharedfile
> +
> +runchecktest "STACKONEXEC (stacked with namespaced profile - okcon)" pass -o $nstest -- $test -l $prof -m enforce
> +
> +# Verify file access and contexts in mixed mode
> +genprofile $fileok $sharedok $getcon $onexec $stackotherok -- \
> + image=$othertest flag:complain $otherok $sharedok $getcon
> +runchecktest "STACKONEXEC (mixed mode - file)" pass -o $othertest -- $test -f $file
> +runchecktest_errno EACCES "STACKONEXEC (mixed mode - otherfile)" fail -o $othertest -- $test -f $otherfile
> +runchecktest "STACKONEXEC (mixed mode - sharedfile)" pass -o $othertest -- $test -f $sharedfile
> +
> +runchecktest "STACKONEXEC (mixed mode - okcon)" pass -o $othertest -- $test -l "${othertest}//&${test}" -m mixed
> +
> +# Verify file access and contexts in complain mode
> +genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
> +runchecktest "STACKONEXEC (complain mode - file)" pass -o $othertest -- $test -f $file
> +
> +runchecktest "STACKONEXEC (complain mode - okcon)" pass -o $othertest -- $test -l "${test}//&${othertest}" -m complain
> +
> +# Verify that stacking with a bare namespace is handled
> +genprofile --stdin <<EOF
> +$test { file, change_profile, }
> +$nstest { }
> +EOF
> +runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:"
> +runchecktest "STACKONEXEC (bare :ns://)" pass -o ":${ns}://"
> +runchecktest "STACKONEXEC (bare :ns)" pass -o ":${ns}"
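Review bot: The "2 stacked - bad mode" check in the 2-stacked section passes `-l "${test}//&${test}"`, the same deliberately wrong label as the "bad label" line just above it, so it is expected to fail on the label alone and does not exercise the mode comparison. The other bad-mode cases in this file (unconfined, not stacked, stacked with unconfined) keep the correct label and vary only `-m`, so this one looks like a copy of the preceding line. To isolate the mode check, reuse the label from the okcon line: `-l "${test}//&${othertest}" -m '(null)'`. As written, and assuming the helper rejects on either mismatch, a regression in the reported mode for a two-profile stack would still leave this test green.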
Do you want to actually perform an exec() here to verify that things are
in the state you think they are?
Similar test suggestions as the stackprofile.sh tests, perhaps
along with three deep stacks where one transition occurs via
aa_change_onexec() and the other via aa_change_profile().
But again, doesn't block committing this as-is.
Acked-by: Steve Beattie <steve at nxnw.org>
Thanks!
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/