[apparmor] [PATCH v2 5/7] tests: Add stackonexec regression tests

Tyler Hicks tyhicks at canonical.com
Sat Mar 19 07:29:29 UTC 2016 

On 2016-03-19 00:01:29, Steve Beattie wrote:
> On Fri, Mar 18, 2016 at 04:17:14PM -0500, Tyler Hicks wrote:
> > Add tests for the aa_stack_onexec() libapparmor function.
> > 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> > ---
> >  tests/regression/apparmor/Makefile       |   1 +
> >  tests/regression/apparmor/stackonexec.sh | 158 +++++++++++++++++++++++++++++++
> >  2 files changed, 159 insertions(+)
> >  create mode 100755 tests/regression/apparmor/stackonexec.sh
> > 
> > diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
> > index 46940c7..fd80611 100644
> > --- a/tests/regression/apparmor/Makefile
> > +++ b/tests/regression/apparmor/Makefile
> > @@ -218,6 +218,7 @@ TESTS=aa_exec \
> >        swap \
> >        sd_flags \
> >        setattr \
> > +      stackonexec \
> >        stackprofile \
> >        symlink \
> >        syscall \
> > diff --git a/tests/regression/apparmor/stackonexec.sh b/tests/regression/apparmor/stackonexec.sh
> > new file mode 100755
> > index 0000000..84295cb
> > --- /dev/null
> > +++ b/tests/regression/apparmor/stackonexec.sh
> > @@ -0,0 +1,158 @@
> > +#! /bin/bash
> > +#	Copyright (C) 2016 Canonical, Ltd.
> > +#
> > +#	This program is free software; you can redistribute it and/or
> > +#	modify it under the terms of the GNU General Public License as
> > +#	published by the Free Software Foundation, version 2 of the
> > +#	License.
> > +
> > +#=NAME stackonexec
> > +#=DESCRIPTION
> > +# Verifies basic file access permission checks for a parent profile and a
> > +# stacked subprofile
> > +#=END
> > +
> > +pwd=`dirname $0`
> > +pwd=`cd $pwd ; /bin/pwd`
> > +
> > +bin=$pwd
> > +
> > +. $bin/prologue.inc
> > +
> > +requires_kernel_features domain/stack
> > +settest stacking
> > +
> > +file=$tmpdir/file
> > +otherfile=$tmpdir/file2
> > +thirdfile=$tmpdir/file3
> > +sharedfile=$tmpdir/file.shared
> > +okperm=rw
> > +
> > +fileok="${file}:${okperm}"
> > +otherok="${otherfile}:${okperm}"
> > +thirdok="${thirdfile}:${okperm}"
> > +sharedok="${sharedfile}:${okperm}"
> > +testok="${test}:mrix"
> > +
> > +getcon="/proc/*/attr/current:r"
> > +onexec="/proc/*/attr/exec:w"
> > +
> > +othertest="$pwd/rename"
> > +thirdtest="$pwd/exec"
> > +
> > +stackotherok="change_profile->:&$othertest"
> > +stackthirdok="change_profile->:&$thirdtest"
> > +
> > +touch $file $otherfile $sharedfile $thirdfile
> > +
> > +# Verify file access and contexts by an unconfined process
> > +runchecktest "STACKONEXEC (unconfined - file)" pass -f $file
> > +runchecktest "STACKONEXEC (unconfined - otherfile)" pass -f $otherfile
> > +runchecktest "STACKONEXEC (unconfined - thirdfile)" pass -f $thirdfile
> > +runchecktest "STACKONEXEC (unconfined - sharedfile)" pass -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (unconfined - okcon)" pass -l unconfined -m '(null)'
> > +runchecktest "STACKONEXEC (unconfined - bad label)" fail -l "$test" -m '(null)'
> > +runchecktest "STACKONEXEC (unconfined - bad mode)" fail -l unconfined -m enforce
> > +
> > +# Verify file access and contexts by a non-stacked profile
> > +genprofile $fileok $sharedok $getcon
> > +runchecktest "STACKONEXEC (not stacked - file)" pass -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (not stacked - otherfile)" fail -f $otherfile
> > +runchecktest_errno EACCES "STACKONEXEC (not stacked - thirdfile)" fail -f $thirdfile
> > +runchecktest "STACKONEXEC (not stacked - sharedfile)" pass -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (not stacked - okcon)" pass -l "$test" -m enforce
> > +runchecktest "STACKONEXEC (not stacked - bad label)" fail -l "${test}XXX" -m enforce
> > +runchecktest "STACKONEXEC (not stacked - bad mode)" fail -l "$test" -m complain
> > +
> > +# Verify file access and contexts by a profile stacked with unconfined
> > +genprofile image=$othertest $otherok $sharedok $getcon
> > +runchecktest_errno EACCES "STACKONEXEC (stacked with unconfined - file)" fail -o $othertest -- $test -f $file
> > +runchecktest "STACKONEXEC (stacked with unconfined - otherfile)" pass -o $othertest -- $test -f $otherfile
> > +runchecktest "STACKONEXEC (stacked with unconfined - sharedfile)" pass -o $othertest -- $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (stacked with unconfined - okcon)" pass -o $othertest -- $test -l "unconfined//&${othertest}" -m mixed
> > +runchecktest "STACKONEXEC (stacked with unconfined - bad label)" fail -o $othertest -- $test -l "${test}//&${othertest}" -m mixed
> > +runchecktest "STACKONEXEC (stacked with unconfined - bad mode)" fail -o $othertest -- $test -l "unconfined//&${othertest}" -m enforce
> > +
> > +removeprofile
> > +# Verify that stacking a nonexistent file is properly handled
> > +runchecktest_errno ENOENT "STACKONEXEC (unconfined - stack nonexistent profile)" fail -o $othertest -- $test -f $file
> > +
> > +# Verify file access and contexts by 2 stacked profiles
> > +genprofile $fileok $sharedok $getcon $onexec $stackotherok -- \
> > +	image=$othertest $otherok $sharedok $getcon $testok
> > +runchecktest_errno EACCES "STACKONEXEC (2 stacked - file)" fail -o $othertest -- $test -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (2 stacked - otherfile)" fail -o $othertest -- $test -f $otherfile
> > +runchecktest_errno EACCES "STACKONEXEC (2 stacked - thirdfile)" fail -o $othertest -- $test -f $thirdfile
> > +runchecktest "STACKONEXEC (2 stacked - sharedfile)" pass -o $othertest -- $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (2 stacked - okcon)" pass -o $othertest -- $test -l "${test}//&${othertest}" -m enforce
> > +runchecktest "STACKONEXEC (2 stacked - bad label)" fail -o $othertest -- $test -l "${test}//&${test}" -m enforce
> > +runchecktest "STACKONEXEC (2 stacked - bad mode)" fail -o $othertest -- $test -l "${test}//&${test}" -m '(null)'
> > +
> > +# Verify that a change_profile rule is required to aa_stack_onexec()
> > +genprofile $fileok $sharedok $getcon $onexec -- \
> > +	image=$othertest $otherok $sharedok $getcon $testok
> > +runchecktest_errno EACCES "STACKONEXEC (2 stacked - no change_profile)" fail -o $othertest -- $test -l "${test}//&${othertest}" -m enforce
> > +
> > +# Verify file access and contexts by 3 stacked profiles
> > +genprofile $fileok $sharedok $getcon $onexec $stackotherok $stackthirdok -- \
> > +	image=$othertest $otherok $sharedok $getcon $onexec $testok $stackthirdok -- \
> > +	image=$thirdtest $thirdok $sharedok $getcon $testok
> > +runchecktest_errno EACCES "STACKONEXEC (3 stacked - file)" fail -o $othertest -- $test -o $thirdtest -- $test -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (3 stacked - otherfile)" fail -o $othertest -- $test -o $thirdtest -- $test -f $otherfile
> > +runchecktest_errno EACCES "STACKONEXEC (3 stacked - thirdfile)" fail -o $othertest -- $test -o $thirdtest -- $test -f $thirdfile
> > +runchecktest "STACKONEXEC (3 stacked - sharedfile)" pass -o $othertest -- $test -o $thirdtest -- $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (3 stacked - okcon)" pass -o $othertest -- $test -o $thirdtest -- $test -l "${thirdtest}//&${test}//&${othertest}" -m enforce
> > +
> > +ns="ns"
> > +prof="stackonexec"
> > +nstest=":${ns}:${prof}"
> > +# Verify file access and contexts by stacking a profile with a namespaced profile
> > +genprofile --stdin <<EOF
> > +$test {
> > +  file,
> > +  audit deny $otherfile $okperm,
> > +  audit deny $thirdfile $okperm,
> > +  change_profile -> &$nstest,
> > +}
> > +
> > +$nstest {
> > +  file,
> > +  audit deny $file $okperm,
> > +  audit deny $thirdfile $okperm,
> > +}
> > +EOF
> > +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - file)" fail -o $nstest -- $test -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - otherfile)" fail -o $nstest -- $test -f $otherfile
> > +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - thirdfile)" fail -o $nstest -- $test -f $thirdfile
> > +runchecktest "STACKONEXEC (stacked with namespaced profile - sharedfile)" pass -o $nstest -- $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (stacked with namespaced profile - okcon)" pass -o $nstest -- $test -l $prof -m enforce
> > +
> > +# Verify file access and contexts in mixed mode
> > +genprofile $fileok $sharedok $getcon $onexec $stackotherok -- \
> > +	image=$othertest flag:complain $otherok $sharedok $getcon
> > +runchecktest "STACKONEXEC (mixed mode - file)" pass -o $othertest -- $test -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (mixed mode - otherfile)" fail -o $othertest -- $test -f $otherfile
> > +runchecktest "STACKONEXEC (mixed mode - sharedfile)" pass -o $othertest -- $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (mixed mode - okcon)" pass -o $othertest -- $test -l "${othertest}//&${test}" -m mixed
> > +
> > +# Verify file access and contexts in complain mode
> > +genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
> > +runchecktest "STACKONEXEC (complain mode - file)" pass -o $othertest -- $test -f $file
> > +
> > +runchecktest "STACKONEXEC (complain mode - okcon)" pass -o $othertest -- $test -l "${test}//&${othertest}" -m complain
> > +
> > +# Verify that stacking with a bare namespace is handled
> > +genprofile --stdin <<EOF
> > +$test { file, change_profile, }
> > +$nstest { }
> > +EOF
> > +runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:"
> > +runchecktest "STACKONEXEC (bare :ns://)" pass -o ":${ns}://"
> > +runchecktest "STACKONEXEC (bare :ns)" pass -o ":${ns}"
> 
> Do you want to actually perform an exec() here to verify that things are
> in the state you think they are?

Yes, I'll make this change:

 runchecktest "STACKONEXEC (complain mode - okcon)" pass -o $othertest -- $test -l "${test}//&${othertest}" -m complain
 
-# Verify that stacking with a bare namespace is handled
+# Verify that stacking with a bare namespace is handled. The process is placed
+# into the default profile of the namespace, which is unconfined.
 genprofile --stdin <<EOF
 $test { file, change_profile, }
 $nstest { }
 EOF
-runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:"
-runchecktest "STACKONEXEC (bare :ns://)" pass -o ":${ns}://"
-runchecktest "STACKONEXEC (bare :ns)" pass -o ":${ns}"
+runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:" -- $test -l unconfined -m "(null)"
+runchecktest "STACKONEXEC (bare :ns://)" pass -o ":${ns}://" -- $test -l unconfined -m "(null)"
+runchecktest "STACKONEXEC (bare :ns)" pass -o ":${ns}" -- $test -l unconfined -m "(null)"


> 
> Similar test suggestions as the stackprofile.sh tests, perhaps
> along with three deep stacks where one transition occurs via
> aa_change_onexec() and the other via aa_change_profile().

@@ -108,6 +108,11 @@ runchecktest "STACKONEXEC (3 stacked - sharedfile)" pass -o $othertest -- $test
 
 runchecktest "STACKONEXEC (3 stacked - okcon)" pass -o $othertest -- $test -o $thirdtest -- $test -l "${t
hirdtest}//&${test}//&${othertest}" -m enforce
 
+genprofile $fileok $sharedok $getcon $onexec $stackotherok -- \
+       image=$othertest $otherok $sharedok $getcon $onexec $testok $stackthirdok -- \
+       image=$thirdtest $thirdok $sharedok $getcon $testok
+runchecktest_errno EACCES "STACKONEXEC (3 stacked - sharedfile - no change_profile)" fail -o $othertest -- $test -o $thirdtest -- $test -f $sharedfile
+
 ns="ns"
 prof="stackonexec"
 nstest=":${ns}:${prof}"

...

 runchecktest "STACKONEXEC (mixed mode - sharedfile)" pass -o $othertest -- $test -f $sharedfile
 
 runchecktest "STACKONEXEC (mixed mode - okcon)" pass -o $othertest -- $test -l "${othertest}//&${test}" -m mixed
 
+genprofile $fileok $sharedok $getcon $onexec -- \
+       image=$othertest flag:complain $otherok $sharedok $getcon
+runchecktest_errno EACCES "STACKONEXEC (mixed mode - okcon - no change_profile)" fail -o $othertest -- $test -l "${othertest}//&${test}" -m mixed
+
+genprofile flag:complain $fileok $sharedok $getcon $onexec -- \
+       image=$othertest $testok $otherok $sharedok $getcon
+runchecktest_errno EACCES "STACKONEXEC (mixed mode 2 - file)" fail -o $othertest -- $test -f $file
+runchecktest "STACKONEXEC (mixed mode 2 - otherfile)" pass -o $othertest -- $test -f $otherfile
+runchecktest "STACKONEXEC (mixed mode 2 - sharedfile)" pass -o $othertest -- $test -f $sharedfile
+
+runchecktest "STACKONEXEC (mixed mode 2 - okcon)" pass -o $othertest -- $test -l "${othertest}//&${test}" -m mixed
+
 # Verify file access and contexts in complain mode
 genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
 runchecktest "STACKONEXEC (complain mode - file)" pass -o $othertest -- $test -f $file


> 
> But again, doesn't block committing this as-is.
> Acked-by: Steve Beattie <steve at nxnw.org>

Thanks!

Tyler
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160319/fb1b0f4c/attachment-0001.pgp>

More information about the AppArmor mailing list