On 06/24/2016 10:24 PM, Seth Arnold wrote: > On Fri, Jun 24, 2016 at 05:15:53PM -0500, Tyler Hicks wrote: >> Add optional command line parameters to the transition test program that >> can be used to verify a certain label and/or mode that should be found >> in /proc/self/attr/exec. >> >> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > > There's a comment above verify_confinement_context() that describes the > parameters. If the mood strikes you, please add an @attr entry to describe > the "current" vs "exec" choices.
Done! > > Acked-by: Seth Arnold <seth.arn...@canonical.com> > for 2.9, 2.10, trunk, etc. Good riddence to racy tests. > > Thanks Thank you! Tyler > > e --- >> tests/regression/apparmor/transition.c | 68 >> +++++++++++++++++++++++----------- >> 1 file changed, 47 insertions(+), 21 deletions(-) >> >> diff --git a/tests/regression/apparmor/transition.c >> b/tests/regression/apparmor/transition.c >> index 0f88b56..147ed94 100644 >> --- a/tests/regression/apparmor/transition.c >> +++ b/tests/regression/apparmor/transition.c >> @@ -144,7 +144,8 @@ static bool compound_labels_equal(struct compound_label >> *cl1, >> * unconfined process calls aa_getcon(2), then @expected_mode should be >> equal >> * to NO_MODE. >> */ >> -static void verify_confinement_context(const char *expected_label, >> +static void verify_confinement_context(const char *attr, >> + const char *expected_label, >> const char *expected_mode) >> { >> char *label, *mode; >> @@ -152,10 +153,10 @@ static void verify_confinement_context(const char >> *expected_label, >> bool null_expected_mode = expected_mode ? >> strcmp(NO_MODE, expected_mode) == 0 : false; >> >> - rc = aa_getcon(&label, &mode); >> + rc = aa_getprocattr(getpid(), attr, &label, &mode); >> if (rc < 0) { >> int err = errno; >> - fprintf(stderr, "FAIL - aa_getcon: %m"); >> + fprintf(stderr, "FAIL - aa_getprocattr (%s): %m", attr); >> exit(err); >> } >> >> @@ -177,8 +178,8 @@ static void verify_confinement_context(const char >> *expected_label, >> } >> >> if (!compound_labels_equal(&cl, &expected_cl)) { >> - fprintf(stderr, "FAIL - label \"%s\" != expected_label >> \"%s\"\n", >> - label, expected_label); >> + fprintf(stderr, "FAIL - %s label \"%s\" != >> expected_label \"%s\"\n", >> + attr, label, expected_label); >> rc = EINVAL; >> goto err; >> } 
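Review bot: The rewritten failure message in the `rc < 0` branch of verify_confinement_context() still lacks a trailing newline, unlike the two other FAIL messages this patch touches. A failed aa_getprocattr() therefore leaves stderr mid-line, so the message can run together with later output and is harder to match in test logs. Since the line is being changed anyway, it could become `fprintf(stderr, "FAIL - aa_getprocattr (%s): %m\n", attr);`. The function's body starts before and continues after this hunk.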
>> @@ -187,8 +188,8 @@ static void verify_confinement_context(const char
>> *expected_label,
>> if (expected_mode &&
>> ((!mode && !null_expected_mode) ||
>> (mode && strcmp(mode, expected_mode)))) {
>> - fprintf(stderr, "FAIL - mode \"%s\" != expected_mode \"%s\"\n",
>> - mode, expected_mode);
>> + fprintf(stderr, "FAIL - %s mode \"%s\" != expected_mode
>> \"%s\"\n",
>> + attr, mode, expected_mode);
>> rc = EINVAL;
>> goto err;
>> }
>> @@ -220,6 +221,18 @@ err:
>> exit(EINVAL);
>> }
>>
>> +static void verify_current(const char *expected_label,
>> + const char *expected_mode)
>> +{
>> + verify_confinement_context("current", expected_label, expected_mode);
>> +}
>> +
>> +static void verify_exec(const char *expected_label,
>> + const char *expected_mode)
>> +{
>> + verify_confinement_context("exec", expected_label, expected_mode);
>> +}
>> +
>> static void handle_transition(int transition, const char *target)
>> {
>> const char *msg;
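Review bot: In the mode-mismatch branch of verify_confinement_context(), `mode` can be NULL when the rewritten message is printed, because the first arm of the condition is `!mode && !null_expected_mode`. Passing a null pointer for `%s` is undefined behaviour, even though glibc happens to print "(null)". The argument line the patch rewrites could guard it: `attr, mode ? mode : NO_MODE, expected_mode);`. This path may be reached more often now that the exec attribute is checked as well, if that attribute commonly yields no mode (an assumption; the hunk does not show it). The function starts and ends outside this hunk.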
>> @@ -278,24 +291,28 @@ static void exec(const char *prog, char **argv)
>> static void usage(const char *prog)
>> {
>> fprintf(stderr,
>> - "%s: [-O <LABEL> | -P <LABEL> | -o <LABEL> | -p <LABEL>] [-l
>> <LABEL>] [-m <MODE>] [-f <FILE>] [-- ... [-- ...]]\n"
>> + "%s: [-O <LABEL> | -P <LABEL> | -o <LABEL> | -p <LABEL>] [-L
>> <LABEL>] [-M <MODE>] [-l <LABEL>] [-m <MODE>] [-f <FILE>] [-- ... [--
>> ...]]\n"
>> " -O <LABEL>\tCall aa_change_onexec(LABEL)\n"
>> " -P <LABEL>\tCall aa_change_profile(LABEL)\n"
>> " -o <LABEL>\tCall aa_stack_onexec(LABEL)\n"
>> " -p <LABEL>\tCall aa_stack_profile(LABEL)\n"
>> - " -l <LABEL>\tVerify that aa_getcon() returns LABEL\n"
>> - " -m <MODE>\tVerify that aa_getcon() returns MODE. Set to
>> \"%s\" if a NULL mode is expected.\n"
>> + " -L <LABEL>\tVerify that /proc/self/attr/exec contains
>> LABEL\n"
>> + " -M <MODE>\tVerify that /proc/self/attr/exec contains MODE.
>> Set to \"%s\" if a NULL mode is expected.\n"
>> + " -l <LABEL>\tVerify that /proc/self/attr/current contains
>> LABEL\n"
>> + " -m <MODE>\tVerify that /proc/self/attr/current contains
>> MODE. Set to \"%s\" if a NULL mode is expected.\n"
>> " -f <FILE>\tOpen FILE and attempt to write to and read from
>> it\n\n"
>> "If \"--\" is encountered, execv() will be called using the
>> following argument\n"
>> "as the program to execute and passing it all of the arguments
>> following the\n"
>> - "program name.\n", prog, NO_MODE);
>> + "program name.\n", prog, NO_MODE, NO_MODE);
>> exit(EINVAL);
>> }
>>
>> struct options {
>> const char *file;
>> - const char *expected_label;
>> - const char *expected_mode;
>> + const char *expected_current_label;
>> + const char *expected_current_mode;
>> + const char *expected_exec_label;
>> + const char *expected_exec_mode;
>>
>> int transition; /* CHANGE_PROFILE, STACK_ONEXEC, etc. */
>> const char *target; /* The target label of the transition */
>> @@ -321,16 +338,22 @@ static void parse_opts(int argc, char **argv, struct
>> options *opts)
>> int o;
>>
>> memset(opts, 0, sizeof(*opts));
>> - while ((o = getopt(argc, argv, "f:l:m:O:P:o:p:")) != -1) {
>> + while ((o = getopt(argc, argv, "f:L:M:l:m:O:P:o:p:")) != -1) {
>> switch (o) {
>> case 'f': /* file */
>> opts->file = optarg;
>> break;
>> - case 'l': /* expected label */
>> - opts->expected_label = optarg;
>> + case 'L': /* expected exec label */
>> + opts->expected_exec_label = optarg;
>> + break;
>> + case 'M': /* expected exec mode */
>> + opts->expected_exec_mode = optarg;
>> break;
>> - case 'm': /* expected mode */
>> - opts->expected_mode = optarg;
>> + case 'l': /* expected current label */
>> + opts->expected_current_label = optarg;
>> + break;
>> + case 'm': /* expected current mode */
>> + opts->expected_current_mode = optarg;
>> break;
>> case 'O': /* aa_change_profile */
>> set_transition(prog, opts, CHANGE_ONEXEC, optarg);
>> @@ -371,9 +394,12 @@ int main(int argc, char **argv)
>> if (opts.file)
>> file_io(opts.file);
>>
>> - if (opts.expected_current_label || opts.expected_mode)
>> - verify_confinement_context(opts.expected_label,
>> - opts.expected_mode);
>> + if (opts.expected_current_label || opts.expected_current_mode)
>> + verify_current(opts.expected_current_label,
>> + opts.expected_current_mode);
>> +
>> + if (opts.expected_exec_label || opts.expected_exec_mode)
>> + verify_exec(opts.expected_exec_label, opts.expected_exec_mode);
>>
>> if (opts.exec)
>> exec(opts.exec, opts.exec_argv);
>>
>>
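Review bot: The new verify_exec() call in main() depends on running before the `exec()` call that follows it, but nothing in the code records that ordering. Presumably /proc/self/attr/exec describes the transition queued for the next exec and no longer holds it afterwards (the hunk does not show this). If so, reordering these calls later would quietly turn the -L/-M check into a different test. A short comment above the `if (opts.expected_exec_label || opts.expected_exec_mode)` line, such as `/* Must run before exec(): checks the label queued for the next exec */`, would pin the intent. main() starts and ends outside this hunk.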