On Thu, Apr 24, 2014 at 12:09:42AM -0700, Steve Beattie wrote: > With the recent addition of features like ptrace and signals that > give warnings and then ignore the subset of rules when the features > directory indicates that the kernel does not support mediating such > features, at least one of the language tests fails in a chroot > environment where the apparmor securityfs tree is not mounted > inside it. > > To compensate, a features file containing the current supported features > is included, and the simple.pl test driver is modified to pass it as an > argument to the parser, so that it will act as if the environment > supports all our current features. > > A simple python script is included that was used to generate the > features file based on the current feature set. I'm not sure how to > keep it up to date in an automated fashion as we add more supported > features, however. (make check can't just fail on the features > directory being different; we want builds and tests to run successfully > on older releases where the kernel may not support mediating all the > features we include.)
This looks like a useful start but I wouldn't be surprised if there's more pain to be had before we find a solution that makes sense for the "optionally supported" mediations. The first thing that comes to mind is maintaining two piles of "expected" outcomes for each feature, but I really don't care for that much. > Signed-off-by: Steve Beattie <st...@nxnw.org> Anyway, this code as-is looks like a useful improvement while we can consider future options. Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > parser/tst/features_files/features.all | 49 > +++++++++++++++++++++++++++++++++ > parser/tst/mk_features_file.py | 37 ++++++++++++++++++++++++ > parser/tst/simple.pl | 2 - > 3 files changed, 87 insertions(+), 1 deletion(-) > > Index: b/parser/tst/features_files/features.all > =================================================================== > --- /dev/null > +++ b/parser/tst/features_files/features.all 
> @@ -0,0 +1,49 @@
> +dbus {mask {acquire send receive
> +}
> +}
> +signal {mask {hup int quit ill trap abrt bus fpe kill usr1 segv usr2 pipe > alrm term stkflt chld cont stop stp ttin ttou urg xcpu xfsz vtalrm prof winch > io pwr sys emt lost
> +}
> +}
> +ptrace {mask {read trace
> +}
> +}
> +caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid > setuid setpcap linux_immutable net_bind_service net_broadcast net_admin > net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace > sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config > mknod lease audit_write audit_control setfcap mac_override mac_admin syslog > wake_alarm block_suspend
> +}
> +}
> +rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks > sigpending msgqueue nice rtprio rttime
> +}
> +}
> +capability {0xffffff
> +}
> +namespaces {pivot_root {yes
> +}
> +profile {yes
> +}
> +}
> +mount {mask {mount umount
> +}
> +}
> +network {af_mask {unspec unix local inet ax25 ipx appletalk netrom bridge > atmpvc x25 inet6 rose netbeui security key netlink packet ash econet atmsvc > rds sna irda pppox wanpipe llc ib can tipc bluetooth iucv rxrpc isdn phonet > ieee802154 caif alg nfc vsock max
> +}
> +}
> +file {mask {create read write exec append mmap_exec link lock
> +}
> +}
> +domain {change_profile {yes
> +}
> +change_onexec {yes
> +}
> +change_hatv {yes
> +}
> +change_hat {yes
> +}
> +}
> +policy {set_load {yes
> +}
> +versions {v6 {yes
> +}
> +v5 {yes
> +}
> +}
> +}
> +
> Index: b/parser/tst/simple.pl
> ===================================================================
> --- a/parser/tst/simple.pl
> +++ b/parser/tst/simple.pl
> @@ -81,7 +81,7 @@ sub test_profile {
> # child
> open(STDOUT, ">/dev/null") or die "Failed to redirect STDOUT";
> open(STDERR, ">/dev/null") or die "Failed to redirect STDERR";
> - exec("$config{'parser'}", "-S", "-I", "$config{'includedir'}") or die > "Bail out! couldn't open parser";
> + exec("$config{'parser'}", "-M", "features_files/features.all", "-S", > "-I", "$config{'includedir'}") or die "Bail out! couldn't open parser";
> # noreturn
> }
>
> Index: b/parser/tst/mk_features_file.py
> ===================================================================
> --- /dev/null
> +++ b/parser/tst/mk_features_file.py
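Review bot: The `-M` argument `features_files/features.all` in the new exec line is a path relative to the working directory, while the parser and include directory come from %config, so test_profile now only works when simple.pl is started from parser/tst. Resolving it against the script's own location keeps the two consistent: `use FindBin;` at the top of the file and `"$FindBin::Bin/features_files/features.all"` in the exec list. Because the parser warns and ignores rules for features absent from that file, a stale features.all lets the language tests pass without exercising newer mediation, so a comment on the exec line such as `# regenerate features.all with mk_features_file.py when supported features change` would make the maintenance step visible. The body of test_profile begins and ends outside this hunk.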
> @@ -0,0 +1,37 @@
> +#!/usr/bin/env python3
> +# ------------------------------------------------------------------
> +#
> +# Copyright (C) 2014 Canonical Ltd.
> +# Author: Steve Beattie <st...@nxnw.org>
> +#
> +# This program is free software; you can redistribute it and/or
> +# modify it under the terms of version 2 of the GNU General Public
> +# License published by the Free Software Foundation.
> +#
> +# ------------------------------------------------------------------
> +
> +from testlib import read_features_dir
> +from argparse import ArgumentParser
> +import os
> +from sys import stderr, exit
> +
> +DEFAULT_FEATURES_DIR='/sys/kernel/security/apparmor/features'
> +
> +def main():
> + p = ArgumentParser()
> +
> + p.add_argument('fdir', action="store", nargs='?', metavar="features_dir",
> + default=DEFAULT_FEATURES_DIR, help="path to features > directory")
> + config = p.parse_args()
> +
> + if not os.path.exists(config.fdir):
> + print('Unable to find apparmor features directory "%s"' % > config.fdir, file=stderr)
> + return 1
> +
> + features = read_features_dir(config.fdir)
> + print(features)
> +
> + return 0
> +
> +if __name__ == "__main__":
> + exit(main())
> > -- > Steve Beattie > <sbeat...@ubuntu.com> > http://NxNW.org/~steve/ > -- > AppArmor mailing list > AppArmor@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
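Review bot: The guard `if not os.path.exists(config.fdir):` in main() also passes for a regular file, even though the error message and the argument's metavar describe a directory; `if not os.path.isdir(config.fdir):` matches the stated intent and presumably what read_features_dir expects. `from sys import stderr, exit` shadows the builtin `exit`; the conventional form is `import sys` with `sys.exit(main())` at the bottom. The file has no module docstring: one stating that its output is the content checked in as features_files/features.all, that it must be re-run when the parser gains a newly mediated feature, and that the default input is the kernel's apparmor features directory would address the keep-in-sync concern raised in the description.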