Add regression tests for the --profile, --namespace, and --immediate options of aa-exec.
A new variable is added to uservars.inc to point to the in-tree or system aa-exec depending on the presence of the USE_SYSTEM=1 make variable at build time.

Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
 tests/regression/apparmor/Makefile | 34 +++++++++--
 tests/regression/apparmor/aa_exec.sh | 81 +++++++++++++++++++++++++++
 tests/regression/apparmor/aa_exec_wrapper.sh | 28 +++++++++
 tests/regression/apparmor/uservars.inc.source | 3 +
 tests/regression/apparmor/uservars.inc.system | 3 +
 5 files changed, 144 insertions(+), 5 deletions(-)
 create mode 100755 tests/regression/apparmor/aa_exec.sh
 create mode 100755 tests/regression/apparmor/aa_exec_wrapper.sh

diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
index c0aad62..d0e4b35 100644
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@@ -18,7 +18,7 @@ ifdef USE_SYSTEM
 echo -lapparmor ; \
 fi )
 ifeq ($(strip $(LIBAPPARMOR)),)
- ERROR_MESSAGE = $(error ${nl}\
+ LIBAPPARMOR_ERROR_MESSAGE = $(error ${nl}\
 ************************************************************************${nl}\
 Unable to find libapparmor installed on this system; either${nl}\
 install libapparmor devel packages, set the LIBAPPARMOR variable${nl}\
@@ -27,13 +27,23 @@ manually, or build against in-tree libapparmor.${nl}\
 endif # LIBAPPARMOR not set
 LDLIBS += $(LIBAPPARMOR)
 
+ AA_EXEC = $(shell which aa-exec)
+ ifeq ($(AA_EXEC),)
+ AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
+************************************************************************${nl}\
+Unable to find aa-exec installed on this system; either install the${nl}\
+apparmor package, set the AA_EXEC variable manually, or use the in-tree${nl}\
+aa-exec.${nl}\
+************************************************************************${nl})
+ endif # AA_EXEC not set
+
 else # !USE_SYSTEM
 # use in-tree versions
 LIBAPPARMOR_SRC := ../../../libraries/libapparmor/
 LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
 LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
 ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
- ERROR_MESSAGE = $(error ${nl}\
+ LIBAPPARMOR_ERROR_MESSAGE = $(error ${nl}\
 ************************************************************************${nl}\
 $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against${nl}\
 the in-tree libapparmor by building it first and then trying again${nl}\
@@ -42,6 +52,17 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
 ************************************************************************${nl})
 endif
 
+ UTILS_SRC := ../../../utils
+ AA_EXEC = $(UTILS_SRC)/aa-exec
+ ifeq ($(realpath $(AA_EXEC)),)
+ AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
+************************************************************************${nl}\
+$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\
+and then try again (see the top-level README for help) or use the${nl}\
+system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
+************************************************************************${nl})
+ endif
+
 CFLAGS += -L$(LIBAPPARMOR_PATH) -I$(LIBAPPARMOR_INCLUDE)
 LDLIBS += -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
 endif # USE_SYSTEM
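Review bot: `AA_EXEC = $(shell which aa-exec)` in the USE_SYSTEM branch is a recursive assignment, so the `which` process is forked again on every expansion of `AA_EXEC` (the `ifeq` test, the error text, and any later use) rather than once at parse time. The same line should be `AA_EXEC := $(shell command -v aa-exec)`: `:=` freezes the lookup, and `command -v` is POSIX and stays quiet on a miss, whereas some `which` implementations print to stderr when nothing is found. A command-line `make AA_EXEC=/path` still overrides either form, so the "set the AA_EXEC variable manually" advice in the message remains valid for the Makefile itself.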
@@ -152,7 +173,8 @@ endif
 
 EXEC=$(SRC:%.c=%)
 
-TESTS=access \
+TESTS=aa_exec \
+ access \
 introspect \
 capabilities \
 changeprofile \
@@ -217,9 +239,11 @@ RISKY_TESTS=
 
 .PHONY: libapparmor_check
 .SILENT: libapparmor_check
-libapparmor_check: ; $(ERROR_MESSAGE)
+libapparmor_check: ; $(LIBAPPARMOR_ERROR_MESSAGE)
+
+aa_exec_check: ; $(AA_EXEC_ERROR_MESSAGE)
 
-all: libapparmor_check $(EXEC) changehat.h uservars.inc
+all: libapparmor_check aa_exec_check $(EXEC) changehat.h uservars.inc
 
 uservars.inc: uservars.inc.source uservars.inc.system
 ifdef USE_SYSTEM
diff --git a/tests/regression/apparmor/aa_exec.sh b/tests/regression/apparmor/aa_exec.sh
new file mode 100755
index 0000000..daaefee
--- /dev/null
+++ b/tests/regression/apparmor/aa_exec.sh
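Review bot: The new `aa_exec_check` target is wired into `all` but is not added to the `.PHONY:` and `.SILENT:` lists that sit directly above it for `libapparmor_check`, so a stray file named `aa_exec_check` in the test directory would satisfy the target and the presence check would be skipped without any message. It should be treated exactly like its sibling: `.PHONY: libapparmor_check aa_exec_check` and `.SILENT: libapparmor_check aa_exec_check`. The `uservars.inc` rule that follows continues outside the hunk.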
@@ -0,0 +1,81 @@
+#! /bin/bash
+# Copyright (C) 2015 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, version 2 of the
+# License.
+
+#=NAME aa_exec
+#=DESCRIPTION
+# This test verifies that the aa_exec command is indeed transitioning
+# profiles as intended.
+#=END
+
+#set -x
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+ns=aa_exec_ns
+
+genprofile_aa_exec()
+{
+ mode=""
+ if [ $# -eq 2 ]; then
+ if [ $2 -ne 0 ]; then
+ mode="(complain) "
+ fi
+ fi
+ genprofile --stdin <<EOF
+$1 ${mode}{
+ file,
+}
+
+:${ns}:${1} ${mode}{
+ file,
+}
+EOF
+}
+
+settest aa_exec_profile ${bin}/aa_exec_wrapper.sh
+
+genprofile_aa_exec "$test" 0
+runchecktest "unconfined" pass "$aa_exec" "unconfined"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce" pass "$aa_exec -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain" pass "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: not unconfined" fail "$aa_exec -p $test" "unconfined"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad mode: (complain)" fail "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad mode: (enforceXXX)" fail "$aa_exec -p $test" "$test (enforceXXX)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce (--immediate)" pass "$aa_exec -i -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain (--immediate)" pass "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad profile (--immediate)" fail "$aa_exec -ip $test" "${test}XXX (enforce)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
diff --git a/tests/regression/apparmor/aa_exec_wrapper.sh b/tests/regression/apparmor/aa_exec_wrapper.sh
new file mode 100755
index 0000000..a27c566
--- /dev/null
+++ b/tests/regression/apparmor/aa_exec_wrapper.sh
@@ -0,0 +1,28 @@
+#! /bin/bash
+# Copyright (C) 2015 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, version 2 of the
+# License.
+
+if [ $# -ne 2 ]; then
+ echo "FAIL: usage: $0 AA_EXEC_CMD EXPECTED_PROC_ATTR_CURRENT"
+ echo "AA_EXEC_CMD The path to aa-exec and the arguments to pass"
+ echo "EXPECTED_PROC_ATTR_CURRENT The expected contents of /proc/self/attr/current"
+ exit 1
+fi
+
+out=$($1 -- cat /proc/self/attr/current 2>&1)
+rc=$?
+
+if [ $rc -eq 0 ] && [ "$out" == "$2" ]; then
+ echo PASS
+ exit 0
+elif [ $rc -ne 0 ]; then
+ echo "FAIL: aa-exec exited with status ${rc}:\n${out}\n"
+ exit 1
+else
+ echo "FAIL: bad confinement context: \"$out\" != \"$2 $3\""
+ exit 1
+fi
diff --git a/tests/regression/apparmor/uservars.inc.source b/tests/regression/apparmor/uservars.inc.source
index 7fbfdec..aff53d2 100644
--- a/tests/regression/apparmor/uservars.inc.source
+++ b/tests/regression/apparmor/uservars.inc.source
@@ -12,3 +12,6 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
 
 # 4. Location of load system profiles for verification
 sys_profiles=/sys/kernel/security/apparmor/profiles
+
+# 5. Location of aa-exec
+aa_exec=${PWD}/../../../utils/aa-exec
diff --git a/tests/regression/apparmor/uservars.inc.system b/tests/regression/apparmor/uservars.inc.system
index d304ea7..c448a6b 100644
--- a/tests/regression/apparmor/uservars.inc.system
+++ b/tests/regression/apparmor/uservars.inc.system
@@ -12,3 +12,6 @@ tmpdir=/tmp/sdtest.$$-$RANDOM
 
 # 4. Location of load system profiles for verification
 sys_profiles=/sys/kernel/security/apparmor/profiles
+
+# 5. Location of aa-exec
+aa_exec=$(which aa-exec)
-- 
2.5.0

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
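Review bot: `aa_exec=$(which aa-exec)` in uservars.inc.system re-resolves aa-exec from the test runner's PATH at run time, independently of the `AA_EXEC` value the Makefile validated at build time, so a `make USE_SYSTEM=1 AA_EXEC=/path/to/aa-exec` override — which the Makefile's error text explicitly invites — never reaches the tests, and a root shell with a different PATH can end up exercising a different binary than the one that was checked. Unless the `uservars.inc` rule rewrites this line (its recipe is outside this patch), have the Makefile substitute the resolved path into the generated file, or at minimum use `aa_exec=$(command -v aa-exec)` and have the test abort with a clear message when the variable is empty instead of running `-- cat /proc/self/attr/current` as the command.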