On Thu, Apr 24, 2014 at 12:09:42AM -0700, Steve Beattie wrote:
> With the recent addition of features like ptrace and signals that
> give warnings and then ignore the subset of rules when the features
> directory indicates that the kernel does not support mediating such
> features, at least one of the language tests fails in a chroot
> environment where the apparmor securityfs tree is not mounted
> inside it.
> 
> To compensate, a features file containing the current supported features
> is included, and the simple.pl test driver is modified to pass it as an
> argument to the parser, so that it will act as if the environment
> supports all our current features.
> 
> A simple python script is included that was used to generate the
> features file based on the current feature set. I'm not sure how to
> keep it up to date in an automated fashion as we add more supported
> features, however. (make check can't just fail on the features
> directory being different; we want builds and tests to run successfully
> on older releases where the kernel may not support mediating all the
> features we include.)

This looks like a useful start but I wouldn't be surprised if there's more
pain to be had before we find a solution that makes sense for the
"optionally supported" mediations. The first thing that comes to mind is
maintaining two piles of "expected" outcomes for each feature, but I
really don't care for that much.

> Signed-off-by: Steve Beattie <st...@nxnw.org>

Anyway, this code as-is looks like a useful improvement while we can
consider future options.

Acked-by: Seth Arnold <seth.arn...@canonical.com>

Thanks


> ---
>  parser/tst/features_files/features.all |   49 
> +++++++++++++++++++++++++++++++++
>  parser/tst/mk_features_file.py         |   37 ++++++++++++++++++++++++
>  parser/tst/simple.pl                   |    2 -
>  3 files changed, 87 insertions(+), 1 deletion(-)
> 
> Index: b/parser/tst/features_files/features.all
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/features_files/features.all
> @@ -0,0 +1,49 @@
> +dbus {mask {acquire send receive
> +}
> +}
> +signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe 
> alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch 
> io pwr sys emt lost
> +}
> +}
> +ptrace {mask {read trace
> +}
> +}
> +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid 
> setuid setpcap linux_immutable net_bind_service net_broadcast net_admin 
> net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace 
> sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config 
> mknod lease audit_write audit_control setfcap mac_override mac_admin syslog 
> wake_alarm block_suspend
> +}
> +}
> +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks 
> sigpending msgqueue nice rtprio rttime
> +}
> +}
> +capability {0xffffff
> +}
> +namespaces {pivot_root {yes
> +}
> +profile {yes
> +}
> +}
> +mount {mask {mount umount
> +}
> +}
> +network {af_mask {unspec unix local inet ax25 ipx appletalk netrom bridge 
> atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc 
> rds sna irda pppox wanpipe llc ib can tipc bluetooth iucv rxrpc isdn phonet 
> ieee802154 caif alg nfc vsock max
> +}
> +}
> +file {mask {create read write exec append mmap_exec link lock
> +}
> +}
> +domain {change_profile {yes
> +}
> +change_onexec {yes
> +}
> +change_hatv {yes
> +}
> +change_hat {yes
> +}
> +}
> +policy {set_load {yes
> +}
> +versions {v6 {yes
> +}
> +v5 {yes
> +}
> +}
> +}
> +
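Review bot: the long mask lines in this hunk (`signal`, `caps`, `rlimit`, `network`) appear to have been wrapped by the mail client, so the patch as posted may not apply cleanly; the generated file has each mask on a single line. Separately, this snapshot will drift silently as new mediation classes are added, which the cover letter already acknowledges; since `make check` cannot fail on that, consider at least having the test harness emit a warning when the securityfs features tree is present and differs from `features_files/features.all`, so the drift is visible rather than hidden.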
> Index: b/parser/tst/simple.pl
> ===================================================================
> --- a/parser/tst/simple.pl
> +++ b/parser/tst/simple.pl
> @@ -81,7 +81,7 @@ sub test_profile {
>      # child
>      open(STDOUT, ">/dev/null") or die "Failed to redirect STDOUT";
>      open(STDERR, ">/dev/null") or die "Failed to redirect STDERR";
> -    exec("$config{'parser'}", "-S", "-I", "$config{'includedir'}") or die 
> "Bail out! couldn't open parser";
> +    exec("$config{'parser'}", "-M", "features_files/features.all", "-S", 
> "-I", "$config{'includedir'}") or die "Bail out! couldn't open parser";
>      # noreturn
>    }
>  
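Review bot: `-M features_files/features.all` is a path relative to the current working directory, whereas `-I` uses `$config{'includedir'}`; if `simple.pl` is invoked from anywhere other than `parser/tst`, the parser will fail to read the features file and every test will hit the `"Bail out! couldn't open parser"` branch. Consider resolving it from the script's own directory or adding a `features` entry to `%config` alongside `includedir`. A one-line comment that this deliberately overrides the kernel's feature detection (so the tests no longer exercise the running kernel's feature set) would also help the next reader.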
> Index: b/parser/tst/mk_features_file.py
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/mk_features_file.py
> @@ -0,0 +1,37 @@
> +#!/usr/bin/env python3
> +# ------------------------------------------------------------------
> +#
> +#   Copyright (C) 2014 Canonical Ltd.
> +#   Author: Steve Beattie <st...@nxnw.org>
> +#
> +#   This program is free software; you can redistribute it and/or
> +#   modify it under the terms of version 2 of the GNU General Public
> +#   License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> +from testlib import read_features_dir
> +from argparse import ArgumentParser
> +import os
> +from sys import stderr, exit
> +
> +DEFAULT_FEATURES_DIR='/sys/kernel/security/apparmor/features'
> +
> +def main():
> +    p = ArgumentParser()
> +
> +    p.add_argument('fdir', action="store", nargs='?', metavar="features_dir",
> +                   default=DEFAULT_FEATURES_DIR, help="path to features 
> directory")
> +    config = p.parse_args()
> +
> +    if not os.path.exists(config.fdir):
> +        print('Unable to find apparmor features directory "%s"' % 
> config.fdir, file=stderr)
> +        return 1
> +
> +    features = read_features_dir(config.fdir)
> +    print(features)
> +
> +    return 0
> +
> +if __name__ == "__main__":
> +    exit(main())
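Review bot: `print(features)` relies on `read_features_dir` returning a string already in the features file syntax; if it returns a structured object, the script will emit its Python repr instead of something the parser's `-M` option can load, so a short docstring stating the expected return type (or an explicit conversion) would make the contract clear. Minor: `os.path.exists(config.fdir)` accepts a regular file where a directory is required (`os.path.isdir` is the intended check), and `from sys import stderr, exit` shadows the builtin `exit` for no gain.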
> 
> -- 
> Steve Beattie
> <sbeat...@ubuntu.com>
> http://NxNW.org/~steve/



> -- 
> AppArmor mailing list
> AppArmor@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/apparmor
