On 05/25/2016 01:59 PM, Tyler Hicks wrote: > Add logic to the at_secure.sh test script to verify that the parser is > new enough to support change_profile exec modes and determine the > kernel's support for change_profile exec modes before verifying that > AT_SECURE is set correctly after various exec transitions. > > Signed-off-by: Tyler Hicks <[email protected]>
Acked-by: John Johansen <[email protected]> > --- > tests/regression/apparmor/at_secure.sh | 55 > ++++++++++++++++++++++++++++++++++ > 1 file changed, 55 insertions(+) > > diff --git a/tests/regression/apparmor/at_secure.sh > b/tests/regression/apparmor/at_secure.sh > index 7c507e7..77fe0a7 100755 > --- a/tests/regression/apparmor/at_secure.sh > +++ b/tests/regression/apparmor/at_secure.sh 
> @@ -151,3 +151,58 @@ else > runchecktest "AT_SECURE (confined -> &confined - stack_onexec)" \ > pass -o $test_prof -- $at_secure $onexec_default > fi > + > +if [ "$(parser_supports 'change_profile safe /a -> /b,')" != "true" ]; then > + echo "Warning: parser doesn't support change_profile (un)safe rules. > Skipping tests..." > +else > + safe_at_secure=1 > + if [ "$stacking_supported" != "true" ]; then > + # Pre-stacking kernels can't properly support the > + # change_profile safe modifier: > + # change_profile safe /a -> /b, > + # > + # The parser downgrades 'safe' to 'unsafe' in this situation. > + safe_at_secure=0 > + fi > + > + # Verify AT_SECURE after (un)safe confined -> unconfined transition > + genprofile "change_profile:unsafe:$at_secure:unconfined" > + runchecktest "AT_SECURE (confined -> unconfined - unsafe > change_onexec)" \ > + pass -O unconfined -- $at_secure 0 > + > + genprofile "change_profile:safe:$at_secure:unconfined" > + runchecktest "AT_SECURE (confined -> unconfined - safe change_onexec)" \ > + pass -O unconfined -- $at_secure $safe_at_secure > + > + # Verify AT_SECURE after (un)safe confined -> confined transition > + genprofile "change_profile:unsafe:$at_secure:$test_prof" -- > image=$test_prof addimage:$at_secure > + runchecktest "AT_SECURE (confined -> confined - unsafe change_onexec)" \ > + pass -O $test_prof -- $at_secure 0 > + > + genprofile "change_profile:safe:$at_secure:$test_prof" -- > image=$test_prof addimage:$at_secure > + runchecktest "AT_SECURE (confined -> confined - safe change_onexec)" \ > + pass -O $test_prof -- $at_secure $safe_at_secure > + > + if [ "$stacking_supported" != "true" ]; then > + # We've already warned the user that we're skipping stacking > tests > + : > + else > + # Verify AT_SECURE after (un)safe confined -> &unconfined > stacking transition > + genprofile "change_profile:unsafe:$at_secure:&unconfined" > + runchecktest "AT_SECURE (confined -> &unconfined - unsafe > stack_onexec)" \ > + pass -o unconfined 
-- $at_secure 0 > + > + genprofile "change_profile:safe:$at_secure:&unconfined" > + runchecktest "AT_SECURE (confined -> &unconfined - safe > stack_onexec)" \ > + pass -o unconfined -- $at_secure 1 > + > + # Verify AT_SECURE after (un)safe confined -> &confined > stacking transition > + genprofile "change_profile:unsafe:$at_secure:&$test_prof" -- > image=$test_prof addimage:$at_secure > + runchecktest "AT_SECURE (confined -> &confined - unsafe > stack_onexec)" \ > + pass -o $test_prof -- $at_secure 0 > + > + genprofile "change_profile:safe:$at_secure:&$test_prof" -- > image=$test_prof addimage:$at_secure > + runchecktest "AT_SECURE (confined -> &confined - safe > stack_onexec)" \ > + pass -o $test_prof -- $at_secure 1 > + fi > +fi > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
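Review bot: On pre-stacking kernels the `safe_at_secure=0` branch makes the two "safe change_onexec" cases expect AT_SECURE=0, which is exactly what the "unsafe" cases expect, so those tests pass without ever confirming that a safe transition sets AT_SECURE, and the only trace of that is a source comment. Print a warning next to the assignment, as the script already does for the unsupported-parser and skipped-stacking cases, e.g. `echo "Warning: kernel lacks stacking support; parser downgrades 'change_profile safe' to 'unsafe', so safe tests expect AT_SECURE=0"`, so whoever reads the test output knows the secure behaviour was not exercised on that kernel. As a style point, the later `if [ "$stacking_supported" != "true" ]; then : else … fi` could be inverted to `if [ "$stacking_supported" = "true" ]; then` with the no-op arm dropped and the "already warned" comment moved above the `if`. The safe stacking cases hard-code `1` where the non-stacking cases use `$safe_at_secure`; both are equivalent inside that branch, but using the variable in all four keeps the expected value in one place.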
