[apparmor] [PATCH] regression test: conditionaly run pivot_root domain, transitions

Seth Arnold seth.arnold at canonical.com
Wed Sep 6 20:44:19 UTC 2017


On Wed, Sep 06, 2017 at 01:09:05PM -0700, John Johansen wrote:
> Update the tests to test whether the kernel and parser support domain
> transitions on pivot_root.
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  tests/regression/apparmor/pivot_root.sh | 68 ++++++++++++++++++---------------
>  tests/regression/apparmor/prologue.inc  | 24 ++++++++++++
>  2 files changed, 62 insertions(+), 30 deletions(-)
> 
> diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
> index b68f6cf..0e13a0a 100755
> --- a/tests/regression/apparmor/pivot_root.sh
> +++ b/tests/regression/apparmor/pivot_root.sh
> @@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" "$new_root" "$test"
>  genprofile $cur $cap "pivot_root:oldroot=$put_old $bad"
>  do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"
>  
> -# Give sufficient perms and perform a profile transition
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> -do_test "transition" pass "$put_old" "$new_root" "$new_prof"
> +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then
> +    echo "	kernel does not support pivot_root domain transitions skipping tests ..."
> +elif [ "$(parser_supports 'pivot_root -> foo,')"  != "true" ] ; then
> +    #pivot_root domain transitions not supported
> +    echo "	parser does not support pivot root domain transitions skipping tests ..."
> +else
> +    # Give sufficient perms and perform a profile transition
> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> +    do_test "transition" pass "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure failure when the the new profile can't read /proc/<PID>/attr/current
> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
> +    do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure failure when the new profile doesn't exist
> +    genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
> +    do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure the test binary is accurately doing post pivot_root profile verification
> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> +    do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
> +
> +    # Give sufficient perms with new_root and a transition
> +    genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
> +    do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure failure when the new profile doesn't exist and new_root is specified
> +    genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
> +    do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
> +
> +    # Give sufficient perms with new_root, put_old, and a transition
> +    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur
> +    do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure failure when the new profile doesn't exist and new_root and put_old are specified
> +    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
> +    do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
>  
> -# Ensure failure when the the new profile can't read /proc/<PID>/attr/current
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
> -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist
> -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
> -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure the test binary is accurately doing post pivot_root profile verification
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
> -
> -# Give sufficient perms with new_root and a transition
> -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
> -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist and new_root is specified
> -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
> -do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Give sufficient perms with new_root, put_old, and a transition
> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur
> -do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist and new_root and put_old are specified
> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
> -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
> +fi
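Review bot: The diagnostic that `kernel_features_istrue` prints on stdout when a feature is missing (e.g. "Required feature '…' not available.") is discarded at the new `if` line, because the command substitution is only compared against `"true"`, so a skipped run gives no hint of which feature was absent. Capturing the output first and printing it alongside the skip message keeps that information: `res=$(kernel_features_istrue namespaces/pivot_root)`, `if [ "$res" != "true" ] ; then`, `echo "	kernel does not support pivot_root domain transitions ($res) skipping tests ..."`. The `elif` on `parser_supports` could take the same treatment if that helper reports a reason, though its definition is not in this hunk. The script that contains this block starts well before the hunk.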
> diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
> index a77fda5..66a0edc 100755
> --- a/tests/regression/apparmor/prologue.inc
> +++ b/tests/regression/apparmor/prologue.inc
> @@ -22,6 +22,30 @@
>  # For this file, functions are first, entry point code is at end, see "MAIN"
>  
>  #use $() to retreive the failure message or "true" if success
> +
> +kernel_features_istrue()
> +{
> +	if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
> +		echo "Kernel feature masks not supported."
> +		return 1;
> +	fi
> +
> +	for f in $@ ; do
> +		if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
> +			echo "Required feature '$f' not available."
> +			return 2;
> +		fi
> +		if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \
> +		     `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' ] ; then
> +			echo "Required feature '$f' not available."
> +			return 3;
> +		fi
> +        done
> +
> +	echo "true"
> +	return 0;
> +}
> +
>  kernel_features()
>  {
>  	if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
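Review bot: The combined test in the new `kernel_features_istrue` (`[ ! -f … -o `cat …` == 'no' ]`) is fragile: `-o` with a command substitution makes the argument count depend on the file's content, and for a feature entry that exists but is a directory `-f` is false, `cat` prints an error and expands to nothing, and `[` is left with an unparsable argument list, so the intended `return 3` path is unlikely to be taken. Splitting into two tests removes the ambiguity and the `==` bashism in `[`: `if [ ! -f "/sys/kernel/security/apparmor/features/$f" ] || [ "$(cat "/sys/kernel/security/apparmor/features/$f")" = 'no' ] ; then`. The loop header should also be `for f in "$@" ; do` so feature names are not word-split or globbed, and the `done` on the line after `fi` is indented with spaces while the rest of the function uses tabs. The neighbouring `kernel_features` function, which this one mirrors, continues outside the hunk.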

