On 2016-03-18 10:29:08, [email protected] wrote: > Now that the onexec test program notices that it failed to send SIGSTOP > to itself, causing a whole bunch of tests to be detected as failing, > grant the ability to send and receive signals to the onexec tests. > (The onexec tests are not tests intended to verify signal mediation.) > > Signed-off-by: Steve Beattie <[email protected]>
Acked-by: Tyler Hicks <[email protected]> Thanks! > --- > tests/regression/apparmor/onexec.sh | 30 +++++++++++++++++------------- > 1 file changed, 17 insertions(+), 13 deletions(-) > > Index: b/tests/regression/apparmor/onexec.sh > =================================================================== > --- a/tests/regression/apparmor/onexec.sh > +++ b/tests/regression/apparmor/onexec.sh 
> @@ -146,55 +146,59 @@ do_test "override px" unconfined $bin/rw > > #------ > > +# NOTE: test program pauses for the driver script to catch up by sending > +# and recieving SIGSTOP/SIGCONT, so the onexec program needs access to > +# signals (this is not a script to test signal mediation) > + > # ONEXEC from CONFINED - don't change profile, open can't exec > -genprofile 'change_profile->':$bin/rw $onexec:w > +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL > do_test "no px perm" $bin/onexec nochange fail $bin/open $file > > # ONEXEC from CONFINED - don't change profile, open is run unconfined > -genprofile 'change_profile->':$bin/rw $bin/open:rux $onexec:w > +genprofile 'change_profile->':$bin/rw $bin/open:rux $onexec:w signal:ALL > do_test "nochange rux" $bin/onexec nochange pass $bin/open $file > > # ONEXEC from CONFINED - don't change profile, open is run confined without > necessary perms > -genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/open $file:rw > +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- > image=$bin/open $file:rw > do_test "nochange px - no px perm" $bin/onexec nochange fail $bin/open $file > > # ONEXEC from CONFINED - don't change profile, open is run confined without > necessary perms > -genprofile 'change_profile->':$bin/rw $bin/open:rpx $onexec:w -- > image=$bin/open > +genprofile 'change_profile->':$bin/rw $bin/open:rpx $onexec:w signal:ALL -- > image=$bin/open > do_test "nochange px - no file perm" $bin/onexec nochange fail $bin/open > $file > > # ONEXEC from CONFINED - target does NOT exist > -genprofile 'change_profile->':$bin/open $onexec:w -- image=$bin/rw > $bin/open:rix $file:rw -- image=$bin/open > +genprofile 'change_profile->':$bin/open $onexec:w signal:ALL -- > image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open > do_test "noexist px" $bin/onexec noexist fail $bin/open $file > > # ONEXEC from CONFINED - change to rw profile, no exec profile to override > -genprofile 
'change_profile->':$bin/rw $onexec:w -- image=$bin/rw > $bin/open:rix $file:rw > +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw > $bin/open:rix $file:rw > do_test "change profile - override rix" $bin/onexec $bin/rw pass $bin/open > $file > > # ONEXEC from CONFINED - change to rw profile, no exec profile to override, > no explicit access to /proc/*/attr/exec > -genprofile 'change_profile->':$bin/rw -- image=$bin/rw $bin/open:rix $file:rw > +genprofile 'change_profile->':$bin/rw signal:ALL -- image=$bin/rw > $bin/open:rix $file:rw > do_test "change profile - no onexec:w" $bin/onexec $bin/rw pass $bin/open > $file > > # ONEXEC from CONFINED - don't change profile, make sure exec profile is > applied > -genprofile 'change_profile->':$bin/rw $onexec:w $bin/open:rpx -- > image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw > +genprofile 'change_profile->':$bin/rw $onexec:w $bin/open:rpx signal:ALL -- > image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw > do_test "nochange px" $bin/onexec nochange pass $bin/open $file > > # ONEXEC from CONFINED - change to rw profile, override regular exec > profile, exec profile doesn't have perms > -genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw > $bin/open:rix $file:rw -- image=$bin/open > +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw > $bin/open:rix $file:rw -- image=$bin/open > do_test "override px" $bin/onexec $bin/rw pass $bin/open $file > > # ONEXEC from - change to rw profile, override regular exec profile, exec > profile has perms, rw doesn't > -genprofile 'change_profile->':$bin/rw $onexec:w -- image=$bin/rw > $bin/open:rix -- image=$bin/open $file:rw > +genprofile 'change_profile->':$bin/rw $onexec:w signal:ALL -- image=$bin/rw > $bin/open:rix -- image=$bin/open $file:rw > do_test "override px" $bin/onexec $bin/rw fail $bin/open $file > > # ONEXEC from COFINED - change to rw profile via glob rule, override exec > profile, 
exec profile doesn't have perms > -genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix > $file:rw -- image=$bin/open > +genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw > $bin/open:rix $file:rw -- image=$bin/open > do_test "glob override px" $bin/onexec $bin/rw pass $bin/open $file > > # ONEXEC from COFINED - change to exec profile via glob rule, override exec > profile, exec profile doesn't have perms > -genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix > $file:rw -- image=$bin/open > +genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw > $bin/open:rix $file:rw -- image=$bin/open > do_test "glob override px" $bin/onexec $bin/open fail $bin/open $file > > # ONEXEC from COFINED - change to exec profile via glob rule, override exec > profile, exec profile has perms > -genprofile 'change_profile->':/** $onexec:w -- image=$bin/rw $bin/open:rix > $file:rw -- image=$bin/open $file:rw > +genprofile 'change_profile->':/** $onexec:w signal:ALL -- image=$bin/rw > $bin/open:rix $file:rw -- image=$bin/open $file:rw > do_test "glob override px" $bin/onexec $bin/rw pass $bin/open $file > > > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
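Review bot: `signal:ALL` is appended to all thirteen `genprofile` lines in this hunk, which grants the confined onexec profile every signal permission although the new NOTE comment only calls for the SIGSTOP/SIGCONT handshake with the driver script. These profiles exist to check exec and file mediation, so the wider grant looks harmless here, but if the harness's signal rule syntax can name specific signals or a peer, a narrower rule would keep the profiles closer to least privilege and would not hide an unrelated signal denial. Keeping the rule in one variable defined under the NOTE, e.g. `onexec_signal="signal:ALL"`, and passing `$onexec_signal` on each line would state the intent once and make later narrowing a one-line change. The NOTE could also say that the rule sits only in the first profile of each line (presumably because the pause happens before the exec; worth confirming), and `recieving` in it should read `receiving`.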
