On Fri, Mar 18, 2016 at 04:17:10PM -0500, Tyler Hicks wrote: > The idea is that the $test profile grants $file access and the > $othertest profile grants $subfile access. Both profiles grant > $stacktest access. The tests verify that after changing to the stacked > $othertest//&$test profile, only $stacktest can be accessed. > > Similar tests are also added for stacking with a namespaced profile. > > Signed-off-by: Tyler Hicks <[email protected]> > --- > tests/regression/apparmor/changeprofile.sh | 26 +++++++++++++++++++++++++- > 1 file changed, 25 insertions(+), 1 deletion(-) > > diff --git a/tests/regression/apparmor/changeprofile.sh > b/tests/regression/apparmor/changeprofile.sh > index 1105730..66b078d 100755 > --- a/tests/regression/apparmor/changeprofile.sh > +++ b/tests/regression/apparmor/changeprofile.sh > @@ -21,6 +21,7 @@ bin=$pwd > > file=$tmpdir/file > subfile=$tmpdir/file2 > +stackfile=$tmpdir/file3 > okperm=rw > > othertest="$pwd/rename" > @@ -32,7 +33,7 @@ subtest3="$pwd//sub3" > nstest=":ns:changeprofile" > > > -touch $file $subfile > +touch $file $subfile $stackfile > > # CHANGEPROFILE UNCONFINED > runchecktest "CHANGEPROFILE (unconfined - nochange)" pass nochange $file 
> @@ -85,3 +86,26 @@ $nstest { $subfile ${okperm}, } > EOF > runchecktest "CHANGEPROFILE_NS (access sub file)" pass $nstest $subfile > runchecktest "CHANGEPROFILE_NS (access file)" fail $nstest $file > + > +if [ "$(kernel_features domain/stack)" != "true" ]; then > + echo " WARNING: kernel does not support stacking, skipping tests > ..." > +else > + genprofile $file:$okperm $stackfile:$okperm > 'change_profile->':"&$othertest" -- image=$othertest $subfile:$okperm > $stackfile:$okperm > + runchecktest "CHANGEPROFILE_STACK (nochange access file)" pass nochange > $file > + runchecktest "CHANGEPROFILE_STACK (nochange access sub file)" fail > nochange $subfile > + runchecktest "CHANGEPROFILE_STACK (nochange access stack file)" pass > nochange $stackfile > + runchecktest "CHANGEPROFILE_STACK (access sub file)" fail "&$othertest" > $subfile > + runchecktest "CHANGEPROFILE_STACK (access file)" fail "&$othertest" > $file > + runchecktest "CHANGEPROFILE_STACK (access stack file)" pass > "&$othertest" $stackfile > + > + genprofile --stdin <<EOF > +$test { file, audit deny $subfile $okperm, $stackfile $okperm, > change_profile -> &${nstest}, } > +$nstest { $subfile $okperm, $stackfile $okperm, } > +EOF > + runchecktest "CHANGEPROFILE_NS_STACK (nochange access file)" pass > nochange $file > + runchecktest "CHANGEPROFILE_NS_STACK (nochange access sub file)" fail > "&$nstest" $subfile > + runchecktest "CHANGEPROFILE_NS_STACK (nochange access stack file)" pass > "&$nstest" $stackfile
Shouldn't the two above have "nochange" instead of "&$nstest"? With that change, Acked-by: Steve Beattie <[email protected]>. Thanks. > + runchecktest "CHANGEPROFILE_NS_STACK (access sub file)" fail "&$nstest" > $subfile > + runchecktest "CHANGEPROFILE_NS_STACK (access file)" fail "&$nstest" > $file > + runchecktest "CHANGEPROFILE_NS_STACK (access stack file)" pass > "&$nstest" $stackfile > +fi -- Steve Beattie <[email protected]> http://NxNW.org/~steve/
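Review bot: the variable added in the first hunk is stackfile (stackfile=$tmpdir/file3), but the commit message calls the shared file $stacktest in both places it mentions it. Reword the commit message to say $stackfile so the description matches the names used in changeprofile.sh.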
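Review bot: in the CHANGEPROFILE_NS_STACK block of the last hunk, the tests labelled "(nochange access sub file)" and "(nochange access stack file)" pass "&$nstest", so they run the same invocation as the later "(access sub file)" and "(access stack file)" tests. As written, the "audit deny $subfile $okperm" rule and the $stackfile rule in $test are never exercised without the stack applied. Pass nochange in those two lines, matching the three nochange tests in the CHANGEPROFILE_STACK block above them.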
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
