On Wed, Sep 06, 2017 at 01:09:05PM -0700, John Johansen wrote: > Update the tests to test whether the kernel and parser support domain > transitions on pivot_root. > > Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > tests/regression/apparmor/pivot_root.sh | 68 > ++++++++++++++++++--------------- > tests/regression/apparmor/prologue.inc | 24 ++++++++++++ > 2 files changed, 62 insertions(+), 30 deletions(-) > > diff --git a/tests/regression/apparmor/pivot_root.sh > b/tests/regression/apparmor/pivot_root.sh > index b68f6cf..0e13a0a 100755 > --- a/tests/regression/apparmor/pivot_root.sh > +++ b/tests/regression/apparmor/pivot_root.sh 
> @@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" > "$new_root" "$test" > genprofile $cur $cap "pivot_root:oldroot=$put_old $bad" > do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test" > > -# Give sufficient perms and perform a profile transition > -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur > -do_test "transition" pass "$put_old" "$new_root" "$new_prof" > +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then > + echo " kernel does not support pivot_root domain transitions skipping > tests ..." > +elif [ "$(parser_supports 'pivot_root -> foo,')" != "true" ] ; then > + #pivot_root domain transitions not supported > + echo " parser does not support pivot root domain transitions skipping > tests ..." > +else > + # Give sufficient perms and perform a profile transition > + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur > + do_test "transition" pass "$put_old" "$new_root" "$new_prof" > + > + # Ensure failure when the the new profile can't read > /proc/<PID>/attr/current > + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof > + do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof" > + > + # Ensure failure when the new profile doesn't exist > + genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur > + do_test "bad transition" fail "$put_old" "$new_root" "$new_prof" > + > + # Ensure the test binary is accurately doing post pivot_root profile > verification > + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur > + do_test "bad transition comparison" fail "$put_old" "$new_root" "$test" > + > + # Give sufficient perms with new_root and a transition > + genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof > $cur > + do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof" > + > + # Ensure failure when the new profile doesn't exist and new_root is > specified > + genprofile $cap 
"pivot_root:$new_root -> $bad" -- image=$new_prof $cur > + do_test "new_root, bad transition" fail "$put_old" "$new_root" > "$new_prof" > + > + # Give sufficient perms with new_root, put_old, and a transition > + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- > image=$new_prof $cur > + do_test "put_old, new_root, transition" pass "$put_old" "$new_root" > "$new_prof" > + > + # Ensure failure when the new profile doesn't exist and new_root and > put_old are specified > + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- > image=$new_prof $cur > + do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" > "$new_prof" > > -# Ensure failure when the the new profile can't read /proc/<PID>/attr/current > -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof > -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof" > - > -# Ensure failure when the new profile doesn't exist > -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur > -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof" > - > -# Ensure the test binary is accurately doing post pivot_root profile > verification > -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur > -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test" > - > -# Give sufficient perms with new_root and a transition > -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur > -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof" > - > -# Ensure failure when the new profile doesn't exist and new_root is specified > -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur > -do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof" > - > -# Give sufficient perms with new_root, put_old, and a transition > -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- > image=$new_prof $cur > -do_test "put_old, new_root, transition" pass 
"$put_old" "$new_root" > "$new_prof" > - > -# Ensure failure when the new profile doesn't exist and new_root and put_old > are specified > -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- > image=$new_prof $cur > -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" > "$new_prof" > +fi > diff --git a/tests/regression/apparmor/prologue.inc > b/tests/regression/apparmor/prologue.inc > index a77fda5..66a0edc 100755 > --- a/tests/regression/apparmor/prologue.inc > +++ b/tests/regression/apparmor/prologue.inc > @@ -22,6 +22,30 @@ > # For this file, functions are first, entry point code is at end, see "MAIN" > > #use $() to retreive the failure message or "true" if success > + > +kernel_features_istrue() > +{ > + if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then > + echo "Kernel feature masks not supported." > + return 1; > + fi > + > + for f in $@ ; do > + if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then > + echo "Required feature '$f' not available." > + return 2; > + fi > + if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \ > + `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' > ] ; then > + echo "Required feature '$f' not available." > + return 3; > + fi > + done > + > + echo "true" > + return 0; > +} > + > kernel_features() > { > if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
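Review bot: The two skip branches at the top of the new `if` in pivot_root.sh only echo a message to stdout and fall through, so a run on a kernel or parser without pivot_root transition support ends looking the same as one where all eight transition cases ran and passed. In a confinement regression suite that makes lost coverage easy to miss. Consider routing the skip through whatever skip or expected-failure reporting the harness provides (none is visible in this hunk), or at least sending the message to stderr by appending `>&2` to both `echo` lines. The two messages also spell the feature differently (`pivot_root` in the first, `pivot root` in the second), which makes the log harder to grep.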
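Review bot: In `kernel_features_istrue` the value check joins `! -f` and the backquoted `cat` with `-o` and leaves the command substitution unquoted, so an empty or multi-word feature file likely turns the `[` expression into a syntax error. `[` then returns non-zero, the `return 3` branch is skipped, and the function falls through to `echo "true"`, so the probe fails open. `-o` does not short-circuit either, so `cat` still runs when the path is a directory, and `==` inside `[` is not portable. Suggest `p="/sys/kernel/security/apparmor/features/$f"` followed by `if [ ! -f "$p" ] || [ "$(cat "$p")" = 'no' ] ; then`, and `for f in "$@"` so feature names are not word-split or globbed. The `kernel_features` function that follows continues past the end of the hunk.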