Update mkprofile.pl to generate ptrace rules and update test scripts to
test ptrace mediation.
Signed-off-by: John Johansen <john.johan...@canonical.com>
---
tests/regression/apparmor/capabilities.sh | 23 +-
tests/regression/apparmor/mkprofile.pl | 18 ++
tests/regression/apparmor/ptrace.sh | 144 +----------
tests/regression/apparmor/ptrace_v5.inc | 138 +++++++++++
tests/regression/apparmor/ptrace_v6.inc | 400 ++++++++++++++++++++++++++++++
5 files changed, 582 insertions(+), 141 deletions(-)
create mode 100644 tests/regression/apparmor/ptrace_v5.inc
create mode 100644 tests/regression/apparmor/ptrace_v6.inc
diff --git a/tests/regression/apparmor/capabilities.sh
b/tests/regression/apparmor/capabilities.sh
index 4eb7068..1b50445 100644
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@@ -64,6 +64,7 @@ net_raw_net_raw=TRUE
# we completely disable ptrace(), but it's not clear if we should allow it
# when the sys_ptrace cap is specified.
+# NOTE: we handle special casing of v6 ptrace not needing ptrace cap inline
syscall_ptrace_sys_ptrace=TRUE
# if a test case requires arguments, add them here.
@@ -77,7 +78,7 @@ syscall_ptrace_args=sub
# if a testcase requires extra subdomain rules, add them here
syscall_chroot_extra_entries="/:r ${tmpdir}/:r"
-syscall_ptrace_extra_entries="hat:sub"
+syscall_ptrace_extra_entries="ptrace:ALL hat:sub ptrace:ALL"
net_raw_extra_entries="network:"
testwrapper=changehat_wrapper
@@ -96,7 +97,13 @@ for TEST in ${TESTS} ; do
# no capabilities allowed
genprofile ${my_entries}
- runchecktest "${TEST} -- no caps" fail ${my_arg}
+ if [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" ==
"true" ] ; then
+ # ptrace between profiles confining tasks of same pid is controlled
by the ptrace rule
+ # capability + ptrace rule needed between pids
+ runchecktest "${TEST} -- no caps" pass ${my_arg}
+ else
+ runchecktest "${TEST} -- no caps" fail ${my_arg}
+ fi
# all capabilities allowed
genprofile cap:ALL ${my_entries}
@@ -106,6 +113,8 @@ for TEST in ${TESTS} ; do
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
expected_result=pass
+ elif [ "${TEST}" == "syscall_ptrace" -a "$(have_features
ptrace)" == "true" ]; then
+ expected_result=pass
else
expected_result=fail
fi
@@ -117,7 +126,13 @@ for TEST in ${TESTS} ; do
# a subprofile.
settest ${testwrapper}
genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
- runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
+ if [ "${TEST}" == "syscall_ptrace" -a "$(have_features ptrace)" ==
"true" ] ; then
+ # ptrace between profiles confining tasks of same pid is controlled
by the ptrace rule
+ # capability + ptrace rule needed between pids
+ runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST}
${my_arg}
+ else
+ runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST}
${my_arg}
+ fi
# all capabilities allowed
genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL
${my_entries}
@@ -126,6 +141,8 @@ for TEST in ${TESTS} ; do
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
expected_result=pass
+ elif [ "${TEST}" == "syscall_ptrace" -a "$(have_features
ptrace)" == "true" ]; then
+ expected_result=pass
else
expected_result=fail
fi
diff --git a/tests/regression/apparmor/mkprofile.pl
b/tests/regression/apparmor/mkprofile.pl
index fb9ae1b..9572d0f 100755
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -174,6 +174,22 @@ sub gen_cap($) {
}
}
+sub gen_ptrace($) {
+ my $rule = shift;
+ my @rules = split (/:/, $rule);
+ if (@rules == 2) {
+ if ($rules[1] =~ /^ALL$/) {
+ push (@{$output_rules{$hat}}, " ptrace,\n");
+ } else {
+ push (@{$output_rules{$hat}}, " ptrace $rules[1],\n");
+ }
+ } elsif (@rules == 3) {
+ push (@{$output_rules{$hat}}, " ptrace $rules[1] $rules[2],\n");
+ } else {
+ (!$nowarn) && print STDERR "Warning: invalid ptrace description
'$rule', ignored\n";
+ }
+}
+
sub gen_signal($) {
my $rule = shift;
my @rules = split (/:/, $rule);
@@ -348,6 +364,8 @@ sub gen_from_args() {
gen_network($rule);
} elsif ($rule =~ /^cap:/) {
gen_cap($rule);
+ } elsif ($rule =~ /^ptrace:/) {
+ gen_ptrace($rule);
} elsif ($rule =~ /^signal:/) {
gen_signal($rule);
} elsif ($rule =~ /^mount:/) {
diff --git a/tests/regression/apparmor/ptrace.sh
b/tests/regression/apparmor/ptrace.sh
index 00d24c7..9ad851d 100755
--- a/tests/regression/apparmor/ptrace.sh
+++ b/tests/regression/apparmor/ptrace.sh
@@ -40,7 +40,7 @@ runchecktest "test 1 -h prog" pass -h -n 100 $helper /bin/true
runchecktest "test 1 -hc prog" pass -h -c -n 100 $helper /bin/true
# test that unconfined can ptrace before profile attaches
-genprofile image=/bin/true
+genprofile image=/bin/true signal:ALL
runchecktest "test 2" pass -n 100 /bin/true
runchecktest "test 2 -c" pass -c -n 100 /bin/true
runchecktest "test 2 -h" pass -h -n 100 $helper
@@ -48,141 +48,9 @@ runchecktest "test 2 -hc" pass -h -c -n 100 $helper
runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true
runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
-#unconfined tracing confined helper
-#confined helper asking unconfined process to ptrace it
-genprofile image=$helper
-runchecktest "test 3 -h" pass -h -n 100 $helper
-runchecktest "test 3 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
-# lack of 'r' perm is currently not working
-genprofile image=$helper $helper:ix
-runchecktest "test 4 -h" pass -h -n 100 $helper
-runchecktest "test 4 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile image=$helper $helper:rix
-runchecktest "test 5 -h" pass -h -n 100 $helper
-runchecktest "test 5 -hc " pass -h -c -n 100 $helper
-# can't exec /bin/true so fail
-runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile image=$helper $helper:ix /bin/true:rix
-runchecktest "test 6 -h" pass -h -n 100 $helper
-runchecktest "test 6 -hc " pass -h -c -n 100 $helper
-runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-#traced child can ptrace_me to unconfined have unconfined trace them
-genprofile image=/bin/true
-runchecktest "test 7" pass -n 100 /bin/true
-# pass - ptrace_attach is done in unconfined helper
-runchecktest "test 7 -c " pass -c -n 100 /bin/true
-runchecktest "test 7 -h" pass -h -n 100 $helper
-# pass - ptrace_attach is done in unconfined helper
-runchecktest "test 7 -hc " pass -h -c -n 100 $helper
-runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-genprofile image=$helper $helper:ix /bin/true:rix
-runchecktest "test 7a" pass -n 100 /bin/true
-# pass - ptrace_attach is allowed from confined process to unconfined
-runchecktest "test 7a -c " pass -c -n 100 /bin/true
-runchecktest "test 7a -h" pass -h -n 100 $helper
-# pass - ptrace_attach is allowed from confined process to unconfined
-runchecktest "test 7a -hc " pass -h -c -n 100 $helper
-runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
-
-#traced helper from unconfined
-genprofile image=$helper $helper:ix /bin/true:rpx -- image=/bin/true
-runchecktest "test 8" pass -n 100 /bin/true
-# pass - ptrace_attach is done before exec
-runchecktest "test 8 -c " pass -c -n 100 /bin/true
-runchecktest "test 8 -h" pass -h -n 100 $helper
-runchecktest "test 8 -hc " pass -h -c -n 100 $helper
-# pass - can px if tracer can ptrace target
-runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-#traced helper from unconfined
-genprofile image=$helper $helper:ix /bin/true:rux -- image=/bin/true
-runchecktest "test 9" pass -n 100 /bin/true
-# pass - ptrace_attach is done before exec
-runchecktest "test 9 -c " pass -c -n 100 /bin/true
-runchecktest "test 9 -h" pass -h -n 100 $helper
-runchecktest "test 9 -hc " pass -h -c -n 100 $helper
-# pass - can ux if tracer can ptrace target
-runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-genprofile
-# fail due to no exec permission
-runchecktest "test 10" fail -n 100 /bin/true
-runchecktest "test 10 -c" fail -c -n 100 /bin/true
-runchecktest "test 10 -h" fail -h -n 100 $helper
-runchecktest "test 10 -hc" fail -h -c -n 100 $helper
-runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-genprofile /bin/true:ix $helper:ix
-# fail due to missing r permission
-#runchecktest "test 11" fail -n 100 /bin/true
-#runchecktest "test 11 -c" fail -c -n 100 /bin/true
-#runchecktest "test 11 -h" fail -h -n 100 $helper
-#runchecktest "test 11 -hc" fail -h -c -n 100 $helper
-#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
-#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-# pass allowed to ix self
-genprofile /bin/true:rix $helper:rix
-runchecktest "test 12" pass -n 100 /bin/true
-runchecktest "test 12 -c" pass -c -n 100 /bin/true
-runchecktest "test 12 -h" pass -h -n 100 $helper
-runchecktest "test 12 -hc" pass -h -c -n 100 $helper
-runchecktest "test 12 -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper /bin/true
-
-#ptraced confined app can't px - fails to unset profile
-genprofile image=$helper $helper:rix /bin/true:rpx
-runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-
-#ptraced confined app can ux - if the tracer is unconfined
-#
-genprofile image=$helper $helper:rix /bin/true:rux
-runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
-runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
-#ptraced confined app can't ux - if the tracer can't trace unconfined
-genprofile $helper:rpx -- image=$helper $helper:rix /bin/true:rux
-runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
-
-#confined app can't ptrace an unconfined app
-genprofile $helper:rux
-runchecktest "test 15 -h" fail -h -n 100 $helper
-runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-#an unconfined app can't ask a confined app to trace it
-runchecktest "test 15 -hc" fail -h -c -n 100 $helper
-runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-#confined app can't ptrace an app confined by a different profile
-genprofile $helper:rpx -- image=$helper
-runchecktest "test 15 -h" fail -h -n 100 $helper
-runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-#a confined app can't ask another confined app with a different profile to
-#trace it
-runchecktest "test 15 -hc" fail -h -c -n 100 $helper
-runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-
-
-
-
-# need to do a confined process trying to attach to an unconfined
-# need attaching, and ptrace_me of different confinement
+if [ "$(have_features ptrace)" == "true" ] ; then
+ . $bin/ptrace_v6.inc
+else
+ . $bin/ptrace_v5.inc
+fi
diff --git a/tests/regression/apparmor/ptrace_v5.inc
b/tests/regression/apparmor/ptrace_v5.inc
new file mode 100644
index 0000000..428410a
--- /dev/null
+++ b/tests/regression/apparmor/ptrace_v5.inc
@@ -0,0 +1,138 @@
+#unconfined tracing confined helper
+#confined helper asking unconfined process to ptrace it
+genprofile image=$helper
+runchecktest "test 3 -h" pass -h -n 100 $helper
+runchecktest "test 3 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+# lack of 'r' perm is currently not working
+genprofile image=$helper $helper:ix
+runchecktest "test 4 -h" pass -h -n 100 $helper
+runchecktest "test 4 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:rix
+runchecktest "test 5 -h" pass -h -n 100 $helper
+runchecktest "test 5 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:ix /bin/true:rix
+runchecktest "test 6 -h" pass -h -n 100 $helper
+runchecktest "test 6 -hc " pass -h -c -n 100 $helper
+runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced child can ptrace_me to unconfined have unconfined trace them
+genprofile image=/bin/true
+runchecktest "test 7" pass -n 100 /bin/true
+# pass - ptrace_attach is done in unconfined helper
+runchecktest "test 7 -c " pass -c -n 100 /bin/true
+runchecktest "test 7 -h" pass -h -n 100 $helper
+# pass - ptrace_attach is done in unconfined helper
+runchecktest "test 7 -hc " pass -h -c -n 100 $helper
+runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:ix /bin/true:rix
+runchecktest "test 7a" pass -n 100 /bin/true
+# pass - ptrace_attach is allowed from confined process to unconfined
+runchecktest "test 7a -c " pass -c -n 100 /bin/true
+runchecktest "test 7a -h" pass -h -n 100 $helper
+# pass - ptrace_attach is allowed from confined process to unconfined
+runchecktest "test 7a -hc " pass -h -c -n 100 $helper
+runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced helper from unconfined
+genprofile image=$helper $helper:ix /bin/true:rpx -- image=/bin/true
+runchecktest "test 8" pass -n 100 /bin/true
+# pass - ptrace_attach is done before exec
+runchecktest "test 8 -c " pass -c -n 100 /bin/true
+runchecktest "test 8 -h" pass -h -n 100 $helper
+runchecktest "test 8 -hc " pass -h -c -n 100 $helper
+# pass - can px if tracer can ptrace target
+runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced helper from unconfined
+genprofile image=$helper $helper:ix /bin/true:rux -- image=/bin/true
+runchecktest "test 9" pass -n 100 /bin/true
+# pass - ptrace_attach is done before exec
+runchecktest "test 9 -c " pass -c -n 100 /bin/true
+runchecktest "test 9 -h" pass -h -n 100 $helper
+runchecktest "test 9 -hc " pass -h -c -n 100 $helper
+# pass - can ux if tracer can ptrace target
+runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+genprofile
+# fail due to no exec permission
+runchecktest "test 10" fail -n 100 /bin/true
+runchecktest "test 10 -c" fail -c -n 100 /bin/true
+runchecktest "test 10 -h" fail -h -n 100 $helper
+runchecktest "test 10 -hc" fail -h -c -n 100 $helper
+runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:ix $helper:ix
+# fail due to missing r permission
+#runchecktest "test 11" fail -n 100 /bin/true
+#runchecktest "test 11 -c" fail -c -n 100 /bin/true
+#runchecktest "test 11 -h" fail -h -n 100 $helper
+#runchecktest "test 11 -hc" fail -h -c -n 100 $helper
+#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
+#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+# pass allowed to ix self
+genprofile /bin/true:rix $helper:rix
+runchecktest "test 12" pass -n 100 /bin/true
+runchecktest "test 12 -c" pass -c -n 100 /bin/true
+runchecktest "test 12 -h" pass -h -n 100 $helper
+runchecktest "test 12 -hc" pass -h -c -n 100 $helper
+runchecktest "test 12 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#ptraced confined app can't px - fails to unset profile
+genprofile image=$helper $helper:rix /bin/true:rpx
+runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+#ptraced confined app can ux - if the tracer is unconfined
+#
+genprofile image=$helper $helper:rix /bin/true:rux
+runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
+#ptraced confined app can't ux - if the tracer can't trace unconfined
+genprofile $helper:rpx -- image=$helper $helper:rix /bin/true:rux
+runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an unconfined app
+genprofile $helper:rux
+runchecktest "test 15 -h" fail -h -n 100 $helper
+runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
+#an unconfined app can't ask a confined app to trace it
+runchecktest "test 15 -hc" fail -h -c -n 100 $helper
+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an app confined by a different profile
+genprofile $helper:rpx -- image=$helper
+runchecktest "test 15 -h" fail -h -n 100 $helper
+runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
+#a confined app can't ask another confined app with a different profile to
+#trace it
+runchecktest "test 15 -hc" fail -h -c -n 100 $helper
+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+
+
+# need to do a confined process trying to attach to an unconfined
+# need attaching, and ptrace_me of different confinement
diff --git a/tests/regression/apparmor/ptrace_v6.inc
b/tests/regression/apparmor/ptrace_v6.inc
new file mode 100644
index 0000000..f4c2088
--- /dev/null
+++ b/tests/regression/apparmor/ptrace_v6.inc
@@ -0,0 +1,400 @@
+## v5 ptrace tests except with failures where appropriate. Testing that
capability ptrace
+## does not grant ptrace perms
+
+## Note: ptrace tests need signal permissions to function correctly
+## signal permissions are not actually needed by all tests to function
but
+## we grant signal perms to all to be consistent
+
+echo " using ptrace v6 tests ..."
+
+################################################################################
+# v5 ptrace tests without ptrace rules
+################################################################################
+
+#unconfined tracing confined helper
+#confined helper asking unconfined process to ptrace it
+genprofile image=$helper signal:ALL
+
+runchecktest "test 3 -h" pass -h -n 100 $helper
+runchecktest "test 3 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+# lack of 'r' perm is currently not working
+genprofile image=$helper $helper:ix signal:ALL
+runchecktest "test 4 -h" pass -h -n 100 $helper
+runchecktest "test 4 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:rix signal:ALL
+runchecktest "test 5 -h" pass -h -n 100 $helper
+runchecktest "test 5 -hc " pass -h -c -n 100 $helper
+# can't exec /bin/true so fail
+runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:ix /bin/true:rix signal:ALL
+runchecktest "test 6 -h" pass -h -n 100 $helper
+runchecktest "test 6 -hc " pass -h -c -n 100 $helper
+runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced child can ptrace_me to unconfined have unconfined trace them
+genprofile image=/bin/true signal:ALL
+runchecktest "test 7" pass -n 100 /bin/true
+# pass - ptrace_attach is done in unconfined helper
+runchecktest "test 7 -c " pass -c -n 100 /bin/true
+runchecktest "test 7 -h" pass -h -n 100 $helper
+# pass - ptrace_attach is done in unconfined helper
+runchecktest "test 7 -hc " pass -h -c -n 100 $helper
+runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+genprofile image=$helper $helper:ix /bin/true:rix signal:ALL
+runchecktest "test 7a" pass -n 100 /bin/true
+# pass - ptrace_attach is allowed from confined process to unconfined
+runchecktest "test 7a -c " pass -c -n 100 /bin/true
+runchecktest "test 7a -h" pass -h -n 100 $helper
+# pass - ptrace_attach is allowed from confined process to unconfined
+runchecktest "test 7a -hc " pass -h -c -n 100 $helper
+runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced helper from unconfined
+genprofile image=$helper $helper:ix /bin/true:rpx signal:ALL --
image=/bin/true signal:ALL
+runchecktest "test 8" pass -n 100 /bin/true
+# pass - ptrace_attach is done before exec
+runchecktest "test 8 -c " pass -c -n 100 /bin/true
+runchecktest "test 8 -h" pass -h -n 100 $helper
+runchecktest "test 8 -hc " pass -h -c -n 100 $helper
+# pass - can px if tracer can ptrace target
+runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#traced helper from unconfined
+genprofile image=$helper $helper:ix /bin/true:rux signal:ALL --
image=/bin/true signal:ALL
+runchecktest "test 9" pass -n 100 /bin/true
+# pass - ptrace_attach is done before exec
+runchecktest "test 9 -c " pass -c -n 100 /bin/true
+runchecktest "test 9 -h" pass -h -n 100 $helper
+runchecktest "test 9 -hc " pass -h -c -n 100 $helper
+# pass - can ux if tracer can ptrace target
+runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
+
+genprofile signal:ALL
+# fail due to no exec permission
+runchecktest "test 10" fail -n 100 /bin/true
+runchecktest "test 10 -c" fail -c -n 100 /bin/true
+runchecktest "test 10 -h" fail -h -n 100 $helper
+runchecktest "test 10 -hc" fail -h -c -n 100 $helper
+runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:ix $helper:ix signal:ALL
+# fail due to missing r permission
+#runchecktest "test 11" fail -n 100 /bin/true
+#runchecktest "test 11 -c" fail -c -n 100 /bin/true
+#runchecktest "test 11 -h" fail -h -n 100 $helper
+#runchecktest "test 11 -hc" fail -h -c -n 100 $helper
+#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
+#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+# fail was pass in v5 allowed to ix self
+genprofile /bin/true:rix $helper:rix signal:ALL
+runchecktest "test 12" fail -n 100 /bin/true
+runchecktest "test 12 -c" fail -c -n 100 /bin/true
+runchecktest "test 12 -h" fail -h -n 100 $helper
+runchecktest "test 12 -hc" fail -h -c -n 100 $helper
+runchecktest "test 12 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 12 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#ptraced confined app traced by unconfined can px
+genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL --
image=/bin/true /bin/true:rix
+runchecktest "test 13u -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13u -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#ptraced confined app traced by profile without ptrace on targeted can't px
+genprofile /bin/true:rpx signal:ALL -- image=/bin/true /bin/true:rix
+runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+#ptraced confined app can ux - if the tracer is unconfined
+#
+genprofile image=$helper $helper:rix /bin/true:rux signal:ALL
+runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
+#ptraced confined app can't ux - if the tracer can't trace unconfined
+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux
signal:ALL
+runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an unconfined app
+genprofile $helper:rux signal:ALL
+runchecktest "test 15 -h" fail -h -n 100 $helper
+runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
+#an unconfined app can't ask a confined app to trace it
+runchecktest "test 15 -hc" fail -h -c -n 100 $helper
+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an app confined by a different profile
+genprofile $helper:rpx signal:ALL -- image=$helper signal:ALL
+runchecktest "test 15 -h" fail -h -n 100 $helper
+runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
+#a confined app can't ask another confined app with a different profile to
+#trace it
+runchecktest "test 15 -hc" fail -h -c -n 100 $helper
+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+################### cap:sys_ptrace doesn't change results from above
##########################
+# fail was pass in v5 allowed to ix self
+genprofile /bin/true:rix $helper:rix signal:ALL cap:sys_ptrace
+runchecktest "test 12c" fail -n 100 /bin/true
+runchecktest "test 12c -c" fail -c -n 100 /bin/true
+runchecktest "test 12c -h" fail -h -n 100 $helper
+runchecktest "test 12c -hc" fail -h -c -n 100 $helper
+runchecktest "test 12c -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 12c -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#ptraced confined app traced by unconfined can px
+genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL cap:sys_ptrace
-- image=/bin/true /bin/true:rix cap:sys_ptrace
+runchecktest "test 13cu -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13cu -hc prog" pass -h -c -n 100 $helper /bin/true
+
+#ptraced confined app traced by profile without ptrace on targeted can't px
+genprofile /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true
/bin/true:rix cap:sys_ptrace
+runchecktest "test 13c -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13c -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+#ptraced confined app can ux - if the tracer is unconfined
+#
+genprofile image=$helper $helper:rix /bin/true:rux signal:ALL cap:sys_ptrace
+runchecktest "test 14ca -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 14ca -hc prog" pass -h -c -n 100 $helper /bin/true
+#ptraced confined app can't ux - if the tracer can't trace unconfined
+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux
signal:ALL
+runchecktest "test 14cb -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 14cb -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an unconfined app
+genprofile $helper:rux signal:ALL cap:sys_ptrace
+runchecktest "test 15c -h" fail -h -n 100 $helper
+runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
+#an unconfined app can't ask a confined app to trace it
+runchecktest "test 15c -hc" fail -h -c -n 100 $helper
+runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an app confined by a different profile
+genprofile $helper:rpx signal:ALL cap:sys_ptrace -- image=$helper signal:ALL
cap:sys_ptrace
+runchecktest "test 15c -h" fail -h -n 100 $helper
+runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
+#a confined app can't ask another confined app with a different profile to
+#trace it
+runchecktest "test 15c -hc" fail -h -c -n 100 $helper
+runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+################################################################################
+# v5 ptrace tests with ptrace rules
+################################################################################
+
+##### Now do tests with ptrace rules in profiles #######
+# pass in v5 allowed to ix self
+genprofile /bin/true:rix $helper:rix signal:ALL ptrace:ALL
+runchecktest "test 12p" pass -n 100 /bin/true
+runchecktest "test 12p -c" pass -c -n 100 /bin/true
+runchecktest "test 12p -h" pass -h -n 100 $helper
+runchecktest "test 12p -hc" pass -h -c -n 100 $helper
+runchecktest "test 12p -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 12p -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rix $helper:rix signal:ALL ptrace:$test
+runchecktest "test 12p1" pass -n 100 /bin/true
+runchecktest "test 12p1 -c" pass -c -n 100 /bin/true
+runchecktest "test 12p1 -h" pass -h -n 100 $helper
+runchecktest "test 12p1 -hc" pass -h -c -n 100 $helper
+runchecktest "test 12p1 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 12p1 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rix $helper:rix signal:ALL ptrace:notaprofile
+runchecktest "test 12p2" fail -n 100 /bin/true
+runchecktest "test 12p2 -c" fail -c -n 100 /bin/true
+runchecktest "test 12p2 -h" fail -h -n 100 $helper
+runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
+runchecktest "test 12p2 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+#ptraced confined app traced by profile can px
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true
-- image=/bin/true /bin/true:rix
+runchecktest "test 13p1 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p2 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true
-- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p3 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p4 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true
-- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p5 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p6 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true
-- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p7 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p8 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true
-- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p9 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true
-- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:/bin/true
-- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix
+runchecktest "test 13p11 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p21 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p31 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p41 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p51 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p61 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix
ptrace:tracedby:notaprofile
+runchecktest "test 13p71 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p81 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p91 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa1 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb1 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc1 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:trace:/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd1 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe1 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL --
image=/bin/true /bin/true:rix
+runchecktest "test 13p12 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p22 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL --
image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p32 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p42 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL --
image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p52 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 13p62 -hc prog" pass -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL --
image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p72 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p82 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL --
image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p92 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa2 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL --
image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb2 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc2 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:ALL --
image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd2 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe2 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby
-- image=/bin/true /bin/true:rix
+runchecktest "test 13p13 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p23 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby
-- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p33 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p43 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby
-- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p53 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p63 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby
-- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p73 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p83 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby
-- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p93 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa3 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby
-- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb3 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc3 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test ptrace:tracedby
-- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd3 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe3 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix
+runchecktest "test 13p14 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p24 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p34 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p44 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix
ptrace:tracedby:$test
+runchecktest "test 13p54 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p64 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix
ptrace:tracedby:notaprofile
+runchecktest "test 13p74 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p84 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p94 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa4 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb4 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc4 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:tracedby:notaprofile -- image=/bin/true /bin/true:rix
ptrace:trace:notaprofile
+runchecktest "test 13pd4 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe4 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:notaprofile -- image=/bin/true /bin/true:rix
+runchecktest "test 13p15 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p25 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby
+runchecktest "test 13p35 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p45 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:$test
+runchecktest "test 13p55 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p65 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:notaprofile
+runchecktest "test 13p75 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13p85 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace
+runchecktest "test 13p95 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pa5 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:$test
+runchecktest "test 13pb5 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pc5 -hc prog" fail -h -c -n 100 $helper /bin/true
+genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:$test
ptrace:notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:notaprofile
+runchecktest "test 13pd5 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13pe5 -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+### todo Variations of below tests
+
+
+#ptraced confined app can ux - if the tracer is unconfined
+#
+genprofile image=$helper $helper:rix /bin/true:rux signal:ALL
+runchecktest "test 14pa -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 14pa -hc prog" pass -h -c -n 100 $helper /bin/true
+#ptraced confined app can't ux - if the tracer can't trace unconfined
+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux
signal:ALL
+runchecktest "test 14pb -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 14pb -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an unconfined app
+genprofile $helper:rux signal:ALL
+runchecktest "test 15p -h" fail -h -n 100 $helper
+runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
+#an unconfined app can't ask a confined app to trace it
+runchecktest "test 15p -hc" fail -h -c -n 100 $helper
+runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
+
+#confined app can't ptrace an app confined by a different profile
+genprofile $helper:rpx signal:ALL -- image=$helper signal:ALL
+runchecktest "test 15p -h" fail -h -n 100 $helper
+runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
+#a confined app can't ask another confined app with a different profile to
+#trace it
+runchecktest "test 15p -hc" fail -h -c -n 100 $helper
+runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
+
+
+## TODO: ptrace read tests
+## TODO: ptrace + change_profile
+## TODO: ptrace + change_hat
-- 1.9.1
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
