[apparmor] fix regression tests for changed mixed mode behavior

John Johansen john.johansen at canonical.com
Thu Sep 1 23:39:58 UTC 2016


On 09/01/2016 04:07 PM, Seth Arnold wrote:
> On Thu, Sep 01, 2016 at 03:54:20PM -0700, John Johansen wrote:
>> Previously a stack with unconfined would cause the mode to be reported as mixed:
>>
>>   profile_A//&:ns1://unconfined (mixed)
>>
>> This is confusing and can even break some trusted helpers. The unconfined profile
>> has been special-cased and now will report enforce when stacking with unconfined:
>>
>>   profile_A//&:ns1://unconfined (enforce)
>>
>> This patch fixes the regression tests to work with this change.
> 
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
> 
> .. though coordinating the change through kernel versions and so on sounds
> unfun at best.

Well, it's an ABI/API breakage, though the previous behavior was wrong and we should
have fixed it instead of coding the tests to report mixed.

The only kernel that has released with the old behavior is xenial, and the fix
will land there soon.


> 
> Thanks
> 
>>
>> ---
>>
>> === modified file 'tests/regression/apparmor/socketpair.sh'
>> --- tests/regression/apparmor/socketpair.sh	2015-06-02 08:00:29 +0000
>> +++ tests/regression/apparmor/socketpair.sh	2016-07-10 02:16:46 +0000
>> @@ -19,6 +19,8 @@
>>  
>>  . $bin/prologue.inc
>>  
>> +requires_kernel_features network/af_unix
>> +
>>  do_test()
>>  {
>>  	local desc="SOCKETPAIR ($1)"
>>
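
Review bot: The added "requires_kernel_features network/af_unix" right after the prologue.inc include is not covered by the commit message, which only describes the mixed-to-enforce mode change for stacks with unconfined. Either say in the message why socketpair.sh now needs this gate, or move it to its own patch so the mode change can be backported or reverted on its own.
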
>> === modified file 'tests/regression/apparmor/stackonexec.sh'
>> --- tests/regression/apparmor/stackonexec.sh	2016-05-28 16:58:41 +0000
>> +++ tests/regression/apparmor/stackonexec.sh	2016-08-07 06:12:18 +0000
>> @@ -71,9 +71,9 @@
>>  runchecktest "STACKONEXEC (stacked with unconfined - otherfile)" pass -o $othertest -- $test -f $otherfile
>>  runchecktest "STACKONEXEC (stacked with unconfined - sharedfile)" pass -o $othertest -- $test -f $sharedfile
>>  
>> -runchecktest "STACKONEXEC (stacked with unconfined - okcon)" pass -o $othertest -- $test -l "unconfined//&${othertest}" -m mixed
>> -runchecktest "STACKONEXEC (stacked with unconfined - bad label)" fail -o $othertest -- $test -l "${test}//&${othertest}" -m mixed
>> -runchecktest "STACKONEXEC (stacked with unconfined - bad mode)" fail -o $othertest -- $test -l "unconfined//&${othertest}" -m enforce
>> +runchecktest "STACKONEXEC (stacked with unconfined - okcon)" pass -o $othertest -- $test -l "unconfined//&${othertest}" -m enforce
>> +runchecktest "STACKONEXEC (stacked with unconfined - bad label)" fail -o $othertest -- $test -l "${test}//&${othertest}" -m enforce
>> +runchecktest "STACKONEXEC (stacked with unconfined - bad mode)" fail -o $othertest -- $test -l "unconfined//&${othertest}" -m "(null)"
>>  
>>  removeprofile
>>  # Verify that stacking a nonexistent file is properly handled
>>
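
Review bot: In the changed "bad mode" case, -m "(null)" replaces -m enforce, so after this hunk no case checks that the old value is rejected for a stack with unconfined. Consider adding a fail case with -l "unconfined//&${othertest}" -m mixed, so that a kernel still reporting mixed is caught by a dedicated test and not only through the okcon failure. The new line also writes "(null)" in double quotes where the corresponding line in stackprofile.sh uses '(null)'; one quoting style across both files would be easier to grep.
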
>> === modified file 'tests/regression/apparmor/stackprofile.sh'
>> --- tests/regression/apparmor/stackprofile.sh	2016-05-28 16:58:41 +0000
>> +++ tests/regression/apparmor/stackprofile.sh	2016-08-07 06:10:40 +0000
>> @@ -70,8 +70,8 @@
>>  runchecktest "STACKPROFILE (stacked with unconfined - otherfile)" pass -p $othertest -f $otherfile
>>  runchecktest "STACKPROFILE (stacked with unconfined - sharedfile)" pass -p $othertest -f $sharedfile
>>  
>> -runchecktest "STACKPROFILE (stacked with unconfined - okcon)" pass -p $othertest -l "unconfined//&${othertest}" -m mixed
>> -runchecktest "STACKPROFILE (stacked with unconfined - bad label)" fail -p $othertest -l "${test}//&${othertest}" -m mixed
>> +runchecktest "STACKPROFILE (stacked with unconfined - okcon)" pass -p $othertest -l "unconfined//&${othertest}" -m enforce
>> +runchecktest "STACKPROFILE (stacked with unconfined - bad label)" fail -p $othertest -l "${test}//&${othertest}" -m enforce
>>  runchecktest "STACKPROFILE (stacked with unconfined - bad mode)" fail -p $othertest -l "unconfined//&${othertest}" -m '(null)'
>>  
>>  removeprofile
>>
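
Review bot: The okcon and bad label cases now hard-code -m enforce with nothing tying that expectation to a kernel that carries the unconfined special case, so okcon will fail on a kernel that still reports mixed. A short comment above these lines naming the behavior change (a stack with unconfined reports enforce, not mixed) would tell someone running the suite on an older kernel why it fails. If the kernel exposes something the suite can test for, gate on it the way the other files in this patch use requires_kernel_features.
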
>> === modified file 'tests/regression/apparmor/xattrs.sh'
>> --- tests/regression/apparmor/xattrs.sh	2010-12-20 20:29:10 +0000
>> +++ tests/regression/apparmor/xattrs.sh	2016-07-29 07:39:28 +0000
>> @@ -36,6 +36,8 @@
>>  
>>  . $bin/prologue.inc
>>  
>> +requires_kernel_features file/xattr
>> +
>>  tmpmount=$tmpdir/mountpoint
>>  diskimg=$tmpdir/disk.img
>>  file=$tmpmount/testfile
>>
>>
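
Review bot: "requires_kernel_features file/xattr" is added without a comment, and like the gate in socketpair.sh it is unrelated to the mode change the commit message describes. Because it sits directly after the prologue.inc include it gates every check in xattrs.sh, so the message or a comment above the line should say what fails without it. Splitting the two feature gates into a separate patch would keep this one limited to the mixed/enforce expectations.
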