On Fri, Mar 18, 2016 at 04:17:13PM -0500, Tyler Hicks wrote: > Add tests for the aa_stack_profile() libapparmor function. > > Signed-off-by: Tyler Hicks <[email protected]> > --- > tests/regression/apparmor/Makefile | 1 + > tests/regression/apparmor/stackprofile.sh | 155 > ++++++++++++++++++++++++++++++ > 2 files changed, 156 insertions(+) > create mode 100755 tests/regression/apparmor/stackprofile.sh > > diff --git a/tests/regression/apparmor/Makefile > b/tests/regression/apparmor/Makefile > index 622986f..46940c7 100644 > --- a/tests/regression/apparmor/Makefile > +++ b/tests/regression/apparmor/Makefile > @@ -218,6 +218,7 @@ TESTS=aa_exec \ > swap \ > sd_flags \ > setattr \ > + stackprofile \ > symlink \ > syscall \ > tcp \ > diff --git a/tests/regression/apparmor/stackprofile.sh > b/tests/regression/apparmor/stackprofile.sh > new file mode 100755 > index 0000000..e944d4b > --- /dev/null > +++ b/tests/regression/apparmor/stackprofile.sh > @@ -0,0 +1,155 @@ > +#! /bin/bash > +# Copyright (C) 2016 Canonical, Ltd. > +# > +# This program is free software; you can redistribute it and/or > +# modify it under the terms of the GNU General Public License as > +# published by the Free Software Foundation, version 2 of the > +# License. > + > +#=NAME stackprofile > +#=DESCRIPTION > +# Verifies basic file access permission checks for a parent profile and a > +# stacked subprofile > +#=END > + > +pwd=`dirname $0` > +pwd=`cd $pwd ; /bin/pwd` > + > +bin=$pwd > + > +. $bin/prologue.inc > + > +requires_kernel_features domain/stack > +settest stacking > + > +file=$tmpdir/file > +otherfile=$tmpdir/file2 > +thirdfile=$tmpdir/file3 > +sharedfile=$tmpdir/file.shared > +okperm=rw > + > +fileok="${file}:${okperm}" > +otherok="${otherfile}:${okperm}" > +thirdok="${thirdfile}:${okperm}" > +sharedok="${sharedfile}:${okperm}" > + > +getcon="/proc/*/attr/current:r" > + > +othertest="$pwd/rename" > +thirdtest="$pwd/exec" > + > +stackotherok="change_profile->:&$othertest" > +stackthirdok="change_profile->:&$thirdtest" > + > +touch $file $otherfile $sharedfile $thirdfile > + > +# Verify file access and contexts by an unconfined process > +runchecktest "STACKPROFILE (unconfined - file)" pass -f $file > +runchecktest "STACKPROFILE (unconfined - otherfile)" pass -f $otherfile > +runchecktest "STACKPROFILE (unconfined - thirdfile)" pass -f $thirdfile > +runchecktest "STACKPROFILE (unconfined - sharedfile)" pass -f $sharedfile > + > +runchecktest "STACKPROFILE (unconfined - okcon)" pass -l unconfined -m > '(null)' > +runchecktest "STACKPROFILE (unconfined - bad label)" fail -l "$test" -m > '(null)' > +runchecktest "STACKPROFILE (unconfined - bad mode)" fail -l unconfined -m > enforce > + > +# Verify file access and contexts by a non-stacked profile > +genprofile $fileok $sharedok $getcon > +runchecktest "STACKPROFILE (not stacked - file)" pass -f $file > +runchecktest_errno EACCES "STACKPROFILE (not stacked - otherfile)" fail -f > $otherfile > +runchecktest_errno EACCES "STACKPROFILE (not stacked - thirdfile)" fail -f > $thirdfile > +runchecktest "STACKPROFILE (not stacked - sharedfile)" pass -f $sharedfile > + > +runchecktest "STACKPROFILE (not stacked - okcon)" pass -l "$test" -m enforce > +runchecktest "STACKPROFILE (not stacked - bad label)" fail -l "${test}XXX" > -m enforce > +runchecktest "STACKPROFILE (not stacked - bad mode)" fail -l "$test" -m > complain > + > +# Verify file access and contexts by a profile stacked with unconfined > +genprofile image=$othertest $otherok $sharedok $getcon > +runchecktest_errno EACCES "STACKPROFILE (stacked with unconfined - file)" > fail -p $othertest -f $file > +runchecktest "STACKPROFILE (stacked with unconfined - otherfile)" pass -p > $othertest -f $otherfile > +runchecktest "STACKPROFILE (stacked with unconfined - sharedfile)" pass -p > $othertest -f $sharedfile > + > +runchecktest "STACKPROFILE (stacked with unconfined - okcon)" pass -p > $othertest -l "unconfined//&${othertest}" -m mixed > +runchecktest "STACKPROFILE (stacked with unconfined - bad label)" fail -p > $othertest -l "${test}//&${othertest}" -m mixed > +runchecktest "STACKPROFILE (stacked with unconfined - bad mode)" fail -p > $othertest -l "unconfined//&${othertest}" -m '(null)' > + > +removeprofile > +# Verify that stacking a nonexistent file is properly handled > +runchecktest_errno ENOENT "STACKPROFILE (unconfined - stack nonexistent > profile)" fail -p $othertest -f $file > + > +# Verify file access and contexts by 2 stacked profiles > +genprofile $fileok $sharedok $getcon $stackotherok -- \ > + image=$othertest $otherok $sharedok $getcon > +runchecktest_errno EACCES "STACKPROFILE (2 stacked - file)" fail -p > $othertest -f $file > +runchecktest_errno EACCES "STACKPROFILE (2 stacked - otherfile)" fail -p > $othertest -f $otherfile > +runchecktest_errno EACCES "STACKPROFILE (2 stacked - thirdfile)" fail -p > $othertest -f $thirdfile > +runchecktest "STACKPROFILE (2 stacked - sharedfile)" pass -p $othertest -f > $sharedfile > + > +runchecktest "STACKPROFILE (2 stacked - okcon)" pass -p $othertest -l > "${test}//&${othertest}" -m enforce > +runchecktest "STACKPROFILE (2 stacked - bad label)" fail -p $othertest -l > "${test}//&${test}" -m enforce > +runchecktest "STACKPROFILE (2 stacked - bad mode)" fail -p $othertest -l > "${test}//&${test}" -m '(null)' > + > +# Verify that a change_profile rule is required to aa_stack_profile()) > +genprofile $fileok $sharedok $getcon -- \ > + image=$othertest $otherok $sharedok $getcon > +runchecktest_errno EACCES "STACKPROFILE (2 stacked - no change_profile)" > fail -p $othertest -l "${test}//&${othertest}" -m enforcec
s/enforcec/enforce/ surely?
> +
> +# Verify file access and contexts by 3 stacked profiles
> +genprofile $fileok $sharedok $getcon $stackotherok $stackthirdok -- \
> + image=$othertest $otherok $sharedok $test:ix $getcon $stackthirdok -- \
> + image=$thirdtest $thirdok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (3 stacked - file)" fail -p
> $othertest -- $test -p $thirdtest -f $file
> +runchecktest_errno EACCES "STACKPROFILE (3 stacked - otherfile)" fail -p
> $othertest -- $test -p $thirdtest -f $otherfile
> +runchecktest_errno EACCES "STACKPROFILE (3 stacked - thirdfile)" fail -p
> $othertest -- $test -p $thirdtest -f $thirdfile
> +runchecktest "STACKPROFILE (3 stacked - sharedfile)" pass -p $othertest --
> $test -p $thirdtest -f $sharedfile
> +
> +runchecktest "STACKPROFILE (3 stacked - okcon)" pass -p $othertest -- $test
> -p $thirdtest -l "${thirdtest}//&${test}//&${othertest}" -m enforce
Should we have similar tests where everything is the same setupwise
except that $stackthirdok is alternately not allowed from the toplevel
stacking profile?
> +
> +ns="ns"
> +prof="stackprofile"
> +nstest=":${ns}:${prof}"
> +# Verify file access and contexts by stacking a profile with a namespaced
> profile
> +genprofile --stdin <<EOF
> +$test {
> + file,
> + audit deny $otherfile $okperm,
> + change_profile -> &$nstest,
> +}
> +
> +$nstest {
> + $otherfile $okperm,
> + $sharedfile $okperm,
> + /proc/*/attr/current r,
> +}
> +EOF
> +runchecktest_errno EACCES "STACKPROFILE (stacked with namespaced profile -
> file)" fail -p $nstest -f $file
> +runchecktest_errno EACCES "STACKPROFILE (stacked with namespaced profile -
> otherfile)" fail -p $nstest -f $otherfile
> +runchecktest_errno EACCES "STACKPROFILE (stacked with namespaced profile -
> thirdfile)" fail -p $nstest -f $thirdfile
> +runchecktest "STACKPROFILE (stacked with namespaced profile - sharedfile)"
> pass -p $nstest -f $sharedfile
> +
> +runchecktest "STACKPROFILE (stacked with namespaced profile - okcon)" pass
> -p $nstest -l $prof -m enforce
> +
> +# Verify file access and contexts in mixed mode
> +genprofile $fileok $sharedok $getcon $stackotherok -- \
> + image=$othertest flag:complain $otherok $sharedok $getcon
> +runchecktest "STACKPROFILE (mixed mode - file)" pass -p $othertest -f $file
> +runchecktest_errno EACCES "STACKPROFILE (mixed mode - otherfile)" fail -p
> $othertest -f $otherfile
> +runchecktest "STACKPROFILE (mixed mode - sharedfile)" pass -p $othertest -f
> $sharedfile
> +
> +runchecktest "STACKPROFILE (mixed mode - okcon)" pass -p $othertest -l
> "${othertest}//&${test}" -m mixed
> +
> +# Verify file access and contexts in complain mode
> +genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
> +runchecktest "STACKPROFILE (complain mode - file)" pass -p $othertest -f
> $file
> +
> +runchecktest "STACKPROFILE (complain mode - okcon)" pass -p $othertest -l
> "${test}//&${othertest}" -m complain
Some additional tests to consider:
- stacking(complain) + &othertest(enforce) both with and without the
change_profile rule
that allows the stack to happen (I'm assuming the complain mode would
grant the stack either way)
- stacking(enforce) + &othertest(complain) without the change_profile
rule in the former that allows the stack to happen (I'm assuming
that the change_profile wouldn't be granted)
- three level deep intermix with complain? (Coming up with a sensible
matrix makes my head hurt.)
> +
> +# Verify that stacking with a bare namespace is handled
> +genprofile --stdin <<EOF
> +$test { file, change_profile, }
> +$nstest { }
> +EOF
> +runchecktest "STACKPROFILE (bare :ns:)" pass -p ":${ns}:"
> +runchecktest "STACKPROFILE (bare :ns://)" pass -p ":${ns}://"
> +runchecktest "STACKPROFILE (bare :ns)" pass -p ":${ns}"
Anyway, I don't think the additional tests are needed before committing
this. With the enforcec typo fixed, Acked-by: Steve Beattie <[email protected]>.
Thanks.
--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
signature.asc
Description: PGP signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
