On Wed, Sep 06, 2017 at 01:09:05PM -0700, John Johansen wrote:
> Update the tests to test whether the kernel and parser support domain
> transitions on pivot_root.
> 
> Signed-off-by: John Johansen <john.johan...@canonical.com>

Acked-by: Seth Arnold <seth.arn...@canonical.com>

Thanks

> ---
>  tests/regression/apparmor/pivot_root.sh | 68 
> ++++++++++++++++++---------------
>  tests/regression/apparmor/prologue.inc  | 24 ++++++++++++
>  2 files changed, 62 insertions(+), 30 deletions(-)
> 
> diff --git a/tests/regression/apparmor/pivot_root.sh 
> b/tests/regression/apparmor/pivot_root.sh
> index b68f6cf..0e13a0a 100755
> --- a/tests/regression/apparmor/pivot_root.sh
> +++ b/tests/regression/apparmor/pivot_root.sh
> @@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" 
> "$new_root" "$test"
>  genprofile $cur $cap "pivot_root:oldroot=$put_old $bad"
>  do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"
>  
> -# Give sufficient perms and perform a profile transition
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> -do_test "transition" pass "$put_old" "$new_root" "$new_prof"
> +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then
> +    echo "   kernel does not support pivot_root domain transitions skipping 
> tests ..."
> +elif [ "$(parser_supports 'pivot_root -> foo,')"  != "true" ] ; then
> +    #pivot_root domain transitions not supported
> +    echo "   parser does not support pivot root domain transitions skipping 
> tests ..."
> +else
> +    # Give sufficient perms and perform a profile transition
> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> +    do_test "transition" pass "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure failure when the the new profile can't read 
> /proc/<PID>/attr/current
> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
> +    do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure failure when the new profile doesn't exist
> +    genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
> +    do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure the test binary is accurately doing post pivot_root profile 
> verification
> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> +    do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
> +
> +    # Give sufficient perms with new_root and a transition
> +    genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof 
> $cur
> +    do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> +
> +    # Ensure failure when the new profile doesn't exist and new_root is 
> specified
> +    genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
> +    do_test "new_root, bad transition" fail "$put_old" "$new_root" 
> "$new_prof"
> +
> +    # Give sufficient perms with new_root, put_old, and a transition
> +    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- 
> image=$new_prof $cur
> +    do_test "put_old, new_root, transition" pass "$put_old" "$new_root" 
> "$new_prof"
> +
> +    # Ensure failure when the new profile doesn't exist and new_root and 
> put_old are specified
> +    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- 
> image=$new_prof $cur
> +    do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" 
> "$new_prof"
>  
> -# Ensure failure when the the new profile can't read /proc/<PID>/attr/current
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
> -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist
> -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
> -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure the test binary is accurately doing post pivot_root profile 
> verification
> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
> -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
> -
> -# Give sufficient perms with new_root and a transition
> -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
> -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist and new_root is specified
> -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
> -do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
> -
> -# Give sufficient perms with new_root, put_old, and a transition
> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- 
> image=$new_prof $cur
> -do_test "put_old, new_root, transition" pass "$put_old" "$new_root" 
> "$new_prof"
> -
> -# Ensure failure when the new profile doesn't exist and new_root and put_old 
> are specified
> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- 
> image=$new_prof $cur
> -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" 
> "$new_prof"
> +fi
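Review bot: The kernel-side skip branch throws away the reason that `kernel_features_istrue` prints, so a host with no `/sys/kernel/security/apparmor/features/` directory at all is reported as "kernel does not support pivot_root domain transitions" even though the helper distinguished that case ("Kernel feature masks not supported."). Capture the helper output once and print it: `reason=$(kernel_features_istrue namespaces/pivot_root)`, then `if [ "$reason" != "true" ] ; then echo "   $reason skipping pivot_root domain transition tests ..."`. The two skip messages also name the feature differently ("pivot_root domain transitions" vs "pivot root domain transitions"), which makes the skips harder to grep for in test logs; use one spelling in both `echo` lines.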
> diff --git a/tests/regression/apparmor/prologue.inc 
> b/tests/regression/apparmor/prologue.inc
> index a77fda5..66a0edc 100755
> --- a/tests/regression/apparmor/prologue.inc
> +++ b/tests/regression/apparmor/prologue.inc
> @@ -22,6 +22,30 @@
>  # For this file, functions are first, entry point code is at end, see "MAIN"
>  
>  #use $() to retreive the failure message or "true" if success
> +
> +kernel_features_istrue()
> +{
> +     if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
> +             echo "Kernel feature masks not supported."
> +             return 1;
> +     fi
> +
> +     for f in $@ ; do
> +             if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
> +                     echo "Required feature '$f' not available."
> +                     return 2;
> +             fi
> +             if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \
> +                  `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' 
> ] ; then
> +                     echo "Required feature '$f' not available."
> +                     return 3;
> +             fi
> +        done
> +
> +     echo "true"
> +     return 0;
> +}
> +
>  kernel_features()
>  {
>       if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
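Review bot: The feature-file contents are substituted unquoted into the `[ ... -o ... ]` test in `kernel_features_istrue`, so a feature file that is empty or contains whitespace produces a shell syntax error or a stray "true" rather than a clean "not available" result; the loop also iterates over an unquoted `$@`. Quote both and drop the `-o`/backtick form: `for f in "$@" ; do` and `if [ ! -f "/sys/kernel/security/apparmor/features/$f" ] || [ "$(cat "/sys/kernel/security/apparmor/features/$f")" = 'no' ] ; then`. The closing `done` looks to be indented with spaces while the rest of the function uses tabs, assuming the whitespace survived the mail archive. Since callers compare the function's stdout against "true", the numbered return codes are never observed through `$(...)`; a short header comment would save the next reader from guessing, e.g. `# Prints "true" when every named feature file exists and does not read "no"; any other output is the reason the feature is unavailable.`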
