[apparmor] [PATCH v2 4/7] tests: Add stackprofile regression tests

Steve Beattie steve at nxnw.org
Sat Mar 19 07:05:50 UTC 2016


On Sat, Mar 19, 2016 at 01:42:45AM -0500, Tyler Hicks wrote:
> On 2016-03-18 23:21:07, Steve Beattie wrote:
> > Should we have similar tests where everything is the same setupwise
> > except that $stackthirdok is alternately not allowed from the toplevel
> > stacking profile?
> 
> I'll add this:
> 
> @@ -106,6 +106,11 @@ runchecktest "STACKPROFILE (3 stacked - sharedfile)" pass -p $othertest -- $test
>  
>  runchecktest "STACKPROFILE (3 stacked - okcon)" pass -p $othertest -- $test -p $thirdtest -l "${thirdtest}//&${test}//&${othertest}" -m enforce
>  
> +genprofile $fileok $sharedok $getcon $stackotherok -- \
> +       image=$othertest $otherok $sharedok $test:ix $getcon $stackthirdok -- \
> +       image=$thirdtest $thirdok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (3 stacked - sharedfile - no change_profile)" fail -p $othertest -- $test -p $thirdtest -f $sharedfile
> +
>  ns="ns"
>  prof="stackprofile"
>  nstest=":${ns}:${prof}"
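
Review bot: The genprofile block added before `ns="ns"` covers only one direction of the case raised in review: the top-level profile has $stackotherok but no $stackthirdok, while the $othertest profile still carries $stackthirdok. Consider adding the inverse setup as well ($stackthirdok in the top-level profile, omitted from the $othertest profile) with its expected result stated, so both sides of the stack permission are exercised. A one-line comment above the genprofile naming the rule that is deliberately left out would also help, since the test name "no change_profile" does not say which of the three profiles lacks it.
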
> 
> 
> > Some additional tests to consider:
> > 
> >   - stacking(complain) + &othertest(enforce) both with and without the change_profile rule
> >     that allows the stack to happen (I'm assuming the complain mode would
> >     grant the stack either way)
> > 
> >   - stacking(enforce) + &othertest(complain) without the change_profile
> >     rule in the former that allows the stack to happen (I'm assuming
> >     that the change_profile wouldn't be granted)
> > 
> >   - three level deep intermix with complain? (Coming up with a sensible
> >     matrix makes my head hurt.)
> 
> I'll add this:
> 
> @@ -139,6 +144,22 @@ runchecktest "STACKPROFILE (mixed mode - sharedfile)" pass -p $othertest -f $sha
>  
>  runchecktest "STACKPROFILE (mixed mode - okcon)" pass -p $othertest -l "${othertest}//&${test}" -m mixed
>  
> +genprofile $fileok $sharedok $getcon -- \
> +       image=$othertest flag:complain $otherok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (mixed mode - okcon - no change_profile)" fail -p $othertest -l "${othertest}//&${test}" -m mixed
> +
> +genprofile flag:complain $fileok $sharedok $getcon $stackotherok -- \
> +       image=$othertest $otherok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (mixed mode 2 - file)" fail -p $othertest -f $file
> +runchecktest "STACKPROFILE (mixed mode 2 - otherfile)" pass -p $othertest -f $otherfile
> +runchecktest "STACKPROFILE (mixed mode 2 - sharedfile)" pass -p $othertest -f $sharedfile
> +
> +runchecktest "STACKPROFILE (mixed mode 2 - okcon)" pass -p $othertest -l "${othertest}//&${test}" -m mixed
> +
> +genprofile flag:complain $fileok $sharedok $getcon -- \
> +       image=$othertest $otherok $sharedok $getcon
> +runchecktest "STACKPROFILE (mixed mode 2 - okcon - no change_profile)" pass -p $othertest -l "${othertest}//&${test}" -m mixed
> +
>  # Verify file access and contexts in complain mode
>  genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
>  runchecktest "STACKPROFILE (complain mode - file)" pass -p $othertest -f $file
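
Review bot: The three genprofile blocks added after the "mixed mode - okcon" test have no comments, and the "mixed mode 2" names do not say which profile is in complain mode; the unchanged block that follows has `# Verify file access and contexts in complain mode` as a model. A comment per block would make the intent readable from the script alone: the first block puts the $othertest profile in complain mode and drops $stackotherok from the enforcing profile, the second and third put the stacking profile in complain mode with and without $stackotherok. In the first block the expected EACCES is checked only for the okcon invocation; if the -f $file, -f $otherfile and -f $sharedfile invocations are also meant to fail when the stack is denied, adding them would match the coverage of the "mixed mode 2" block.
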
> 
> 
> > 
> > 
> > Anyway, I don't think the additional tests are needed before committing
> > this. With the enforcec typo fixed, Acked-by: Steve Beattie <steve at nxnw.org>.
> 
> The additional tests all pass. Thanks for the review and suggestions.

All the additional tests look good, thanks!
Acked-by: Steve Beattie <steve at nxnw.org>

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/