On 06/24/2016 10:24 PM, Seth Arnold wrote: > On Fri, Jun 24, 2016 at 05:15:53PM -0500, Tyler Hicks wrote: >> Add optional command line parameters to the transition test program that >> can be used to verify a certain label and/or mode that should be found >> in /proc/self/attr/exec. >> >> Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > > There's a comment above verify_confinement_context() that describes the > parameters. If the mood strikes you, please add an @attr entry to describe > the "current" vs "exec" choices.
Done!
>
> Acked-by: Seth Arnold <seth.arn...@canonical.com>
> for 2.9, 2.10, trunk, etc. Good riddence to racy tests.
>
> Thanks
Thank you!
Tyler
>
> e ---
>> tests/regression/apparmor/transition.c | 68
>> +++++++++++++++++++++++-----------
>> 1 file changed, 47 insertions(+), 21 deletions(-)
>>
>> diff --git a/tests/regression/apparmor/transition.c
>> b/tests/regression/apparmor/transition.c
>> index 0f88b56..147ed94 100644
>> --- a/tests/regression/apparmor/transition.c
>> +++ b/tests/regression/apparmor/transition.c
>> @@ -144,7 +144,8 @@ static bool compound_labels_equal(struct compound_label
>> *cl1,
>> * unconfined process calls aa_getcon(2), then @expected_mode should be
>> equal
>> * to NO_MODE.
>> */
>> -static void verify_confinement_context(const char *expected_label,
>> +static void verify_confinement_context(const char *attr,
>> + const char *expected_label,
>> const char *expected_mode)
>> {
>> char *label, *mode;
>> @@ -152,10 +153,10 @@ static void verify_confinement_context(const char
>> *expected_label,
>> bool null_expected_mode = expected_mode ?
>> strcmp(NO_MODE, expected_mode) == 0 : false;
>>
>> - rc = aa_getcon(&label, &mode);
>> + rc = aa_getprocattr(getpid(), attr, &label, &mode);
>> if (rc < 0) {
>> int err = errno;
>> - fprintf(stderr, "FAIL - aa_getcon: %m");
>> + fprintf(stderr, "FAIL - aa_getprocattr (%s): %m", attr);
>> exit(err);
>> }
>>
>> @@ -177,8 +178,8 @@ static void verify_confinement_context(const char
>> *expected_label,
>> }
>>
>> if (!compound_labels_equal(&cl, &expected_cl)) {
>> - fprintf(stderr, "FAIL - label \"%s\" != expected_label
>> \"%s\"\n",
>> - label, expected_label);
>> + fprintf(stderr, "FAIL - %s label \"%s\" !=
>> expected_label \"%s\"\n",
>> + attr, label, expected_label);
>> rc = EINVAL;
>> goto err;
>> }
>> @@ -187,8 +188,8 @@ static void verify_confinement_context(const char
>> *expected_label,
>> if (expected_mode &&
>> ((!mode && !null_expected_mode) ||
>> (mode && strcmp(mode, expected_mode)))) {
>> - fprintf(stderr, "FAIL - mode \"%s\" != expected_mode \"%s\"\n",
>> - mode, expected_mode);
>> + fprintf(stderr, "FAIL - %s mode \"%s\" != expected_mode
>> \"%s\"\n",
>> + attr, mode, expected_mode);
>> rc = EINVAL;
>> goto err;
>> }
>> @@ -220,6 +221,18 @@ err:
>> exit(EINVAL);
>> }
>>
>> +static void verify_current(const char *expected_label,
>> + const char *expected_mode)
>> +{
>> + verify_confinement_context("current", expected_label, expected_mode);
>> +}
>> +
>> +static void verify_exec(const char *expected_label,
>> + const char *expected_mode)
>> +{
>> + verify_confinement_context("exec", expected_label, expected_mode);
>> +}
>> +
>> static void handle_transition(int transition, const char *target)
>> {
>> const char *msg;
>> @@ -278,24 +291,28 @@ static void exec(const char *prog, char **argv)
>> static void usage(const char *prog)
>> {
>> fprintf(stderr,
>> - "%s: [-O <LABEL> | -P <LABEL> | -o <LABEL> | -p <LABEL>] [-l
>> <LABEL>] [-m <MODE>] [-f <FILE>] [-- ... [-- ...]]\n"
>> + "%s: [-O <LABEL> | -P <LABEL> | -o <LABEL> | -p <LABEL>] [-L
>> <LABEL>] [-M <MODE>] [-l <LABEL>] [-m <MODE>] [-f <FILE>] [-- ... [--
>> ...]]\n"
>> " -O <LABEL>\tCall aa_change_onexec(LABEL)\n"
>> " -P <LABEL>\tCall aa_change_profile(LABEL)\n"
>> " -o <LABEL>\tCall aa_stack_onexec(LABEL)\n"
>> " -p <LABEL>\tCall aa_stack_profile(LABEL)\n"
>> - " -l <LABEL>\tVerify that aa_getcon() returns LABEL\n"
>> - " -m <MODE>\tVerify that aa_getcon() returns MODE. Set to
>> \"%s\" if a NULL mode is expected.\n"
>> + " -L <LABEL>\tVerify that /proc/self/attr/exec contains
>> LABEL\n"
>> + " -M <MODE>\tVerify that /proc/self/attr/exec contains MODE.
>> Set to \"%s\" if a NULL mode is expected.\n"
>> + " -l <LABEL>\tVerify that /proc/self/attr/current contains
>> LABEL\n"
>> + " -m <MODE>\tVerify that /proc/self/attr/current contains
>> MODE. Set to \"%s\" if a NULL mode is expected.\n"
>> " -f <FILE>\tOpen FILE and attempt to write to and read from
>> it\n\n"
>> "If \"--\" is encountered, execv() will be called using the
>> following argument\n"
>> "as the program to execute and passing it all of the arguments
>> following the\n"
>> - "program name.\n", prog, NO_MODE);
>> + "program name.\n", prog, NO_MODE, NO_MODE);
>> exit(EINVAL);
>> }
>>
>> struct options {
>> const char *file;
>> - const char *expected_label;
>> - const char *expected_mode;
>> + const char *expected_current_label;
>> + const char *expected_current_mode;
>> + const char *expected_exec_label;
>> + const char *expected_exec_mode;
>>
>> int transition; /* CHANGE_PROFILE, STACK_ONEXEC, etc. */
>> const char *target; /* The target label of the transition */
>> @@ -321,16 +338,22 @@ static void parse_opts(int argc, char **argv, struct
>> options *opts)
>> int o;
>>
>> memset(opts, 0, sizeof(*opts));
>> - while ((o = getopt(argc, argv, "f:l:m:O:P:o:p:")) != -1) {
>> + while ((o = getopt(argc, argv, "f:L:M:l:m:O:P:o:p:")) != -1) {
>> switch (o) {
>> case 'f': /* file */
>> opts->file = optarg;
>> break;
>> - case 'l': /* expected label */
>> - opts->expected_label = optarg;
>> + case 'L': /* expected exec label */
>> + opts->expected_exec_label = optarg;
>> + break;
>> + case 'M': /* expected exec mode */
>> + opts->expected_exec_mode = optarg;
>> break;
>> - case 'm': /* expected mode */
>> - opts->expected_mode = optarg;
>> + case 'l': /* expected current label */
>> + opts->expected_current_label = optarg;
>> + break;
>> + case 'm': /* expected current mode */
>> + opts->expected_current_mode = optarg;
>> break;
>> case 'O': /* aa_change_profile */
>> set_transition(prog, opts, CHANGE_ONEXEC, optarg);
>> @@ -371,9 +394,12 @@ int main(int argc, char **argv)
>> if (opts.file)
>> file_io(opts.file);
>>
>> - if (opts.expected_label || opts.expected_mode)
>> - verify_confinement_context(opts.expected_label,
>> - opts.expected_mode);
>> + if (opts.expected_current_label || opts.expected_current_mode)
>> + verify_current(opts.expected_current_label,
>> + opts.expected_current_mode);
>> +
>> + if (opts.expected_exec_label || opts.expected_exec_mode)
>> + verify_exec(opts.expected_exec_label, opts.expected_exec_mode);
>>
>> if (opts.exec)
>> exec(opts.exec, opts.exec_argv);
>>
>>
signature.asc
Description: OpenPGP digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
