[apparmor] [PATCH] regression test: conditionaly run pivot_root domain, transitions
Seth Arnold
seth.arnold at canonical.com
Wed Sep 6 20:44:19 UTC 2017
On Wed, Sep 06, 2017 at 01:09:05PM -0700, John Johansen wrote:
> Update the tests to test whether the kernel and parser support domain
> transitions on pivot_root.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> tests/regression/apparmor/pivot_root.sh | 68 ++++++++++++++++++---------------
> tests/regression/apparmor/prologue.inc | 24 ++++++++++++
> 2 files changed, 62 insertions(+), 30 deletions(-)
>
> diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
> index b68f6cf..0e13a0a 100755
> --- a/tests/regression/apparmor/pivot_root.sh
> +++ b/tests/regression/apparmor/pivot_root.sh
> @@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" "$new_root" "$test"
> genprofile $cur $cap "pivot_root:oldroot=$put_old $bad"
> do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"
>
> -# Give sufficient perms and perform a profile transition
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> -do_test "transition" pass "$put_old" "$new_root" "$new_prof"
> +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then
> + echo " kernel does not support pivot_root domain transitions skipping tests ..."
> +elif [ "$(parser_supports 'pivot_root -> foo,')" != "true" ] ; then
> + #pivot_root domain transitions not supported
> + echo " parser does not support pivot root domain transitions skipping tests ..."
> +else
> + # Give sufficient perms and perform a profile transition
> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> + do_test "transition" pass "$put_old" "$new_root" "$new_prof"
> +
> + # Ensure failure when the the new profile can't read /proc/<PID>/attr/current
> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
> + do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
> +
> + # Ensure failure when the new profile doesn't exist
> + genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
> + do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
> +
> + # Ensure the test binary is accurately doing post pivot_root profile verification
> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> + do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
> +
> + # Give sufficient perms with new_root and a transition
> + genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
> + do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> +
> + # Ensure failure when the new profile doesn't exist and new_root is specified
> + genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
> + do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
> +
> + # Give sufficient perms with new_root, put_old, and a transition
> + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur
> + do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> +
> + # Ensure failure when the new profile doesn't exist and new_root and put_old are specified
> + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
> + do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
>
> -# Ensure failure when the the new profile can't read /proc/<PID>/attr/current
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
> -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist
> -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
> -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure the test binary is accurately doing post pivot_root profile verification
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
> -
> -# Give sufficient perms with new_root and a transition
> -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
> -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist and new_root is specified
> -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
> -do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Give sufficient perms with new_root, put_old, and a transition
> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur
> -do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist and new_root and put_old are specified
> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
> -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
> +fi
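Review bot: The `if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ]` test discards the diagnostic that kernel_features_istrue prints on stdout ("Kernel feature masks not supported." or "Required feature '…' not available."), so the skip message cannot tell the reader whether securityfs was missing or just the one feature file. Capturing the output first keeps the reason: `kern=$(kernel_features_istrue namespaces/pivot_root)`, `if [ "$kern" != "true" ] ; then`, `echo " kernel does not support pivot_root domain transitions ($kern) skipping tests ..."`. The same applies to the elif branch if parser_supports (not shown in this patch) prints a reason the same way; I'd confirm that before mirroring the change. Also note that a skipped block produces no result line at all, so a run on an old kernel/parser looks identical to a run where the transition tests were never written; if the harness has a skip/xfail counter it may be worth incrementing it here.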
> diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
> index a77fda5..66a0edc 100755
> --- a/tests/regression/apparmor/prologue.inc
> +++ b/tests/regression/apparmor/prologue.inc
> @@ -22,6 +22,30 @@
> # For this file, functions are first, entry point code is at end, see "MAIN"
>
> #use $() to retreive the failure message or "true" if success
> +
> +kernel_features_istrue()
> +{
> + if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
> + echo "Kernel feature masks not supported."
> + return 1;
> + fi
> +
> + for f in $@ ; do
> + if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
> + echo "Required feature '$f' not available."
> + return 2;
> + fi
> + if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \
> + `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' ] ; then
> + echo "Required feature '$f' not available."
> + return 3;
> + fi
> + done
> +
> + echo "true"
> + return 0;
> +}
> +
> kernel_features()
> {
> if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
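Review bot: In kernel_features_istrue the second test, `[ ! -f ".../$f" -o \`cat ".../$f"\` == 'no' ]`, combines an unquoted command substitution with the deprecated `-o` operator and a `==` that POSIX `[` does not define; if the feature file is empty or contains whitespace the substitution expands to zero or several words and `[` reports a syntax error rather than a clean "not available". Splitting it into two quoted tests avoids both problems: `if [ ! -f "/sys/kernel/security/apparmor/features/$f" ] || \` / `[ "$(cat "/sys/kernel/security/apparmor/features/$f")" = 'no' ] ; then`. The loop header `for f in $@` should be `for f in "$@"` so feature paths are never word-split or glob-expanded. It would also help to state the contract at the top of the function, e.g. `# Prints "true" when every feature file named in "$@" exists and does not contain "no"; otherwise prints the reason and returns non-zero.`, since the caller relies on the stdout value rather than the exit status.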