Re: [apparmor] [PATCH] regression test: conditionaly run pivot_root domain, transitions

Tyler Hicks Thu, 07 Sep 2017 16:22:26 -0700

On 09/07/2017 05:50 PM, John Johansen wrote:
> On 09/07/2017 01:27 PM, Tyler Hicks wrote:
>> On 09/06/2017 03:09 PM, John Johansen wrote:
>>> Update the tests to test whether the kernel and parser support domain
>>> transitions on pivot_root.
>>>
>>> Signed-off-by: John Johansen <john.johan...@canonical.com>
>>> ---
>>>  tests/regression/apparmor/pivot_root.sh | 68 
>>> ++++++++++++++++++---------------
>>>  tests/regression/apparmor/prologue.inc  | 24 ++++++++++++
>>>  2 files changed, 62 insertions(+), 30 deletions(-)
>>>
>>> diff --git a/tests/regression/apparmor/pivot_root.sh 
>>> b/tests/regression/apparmor/pivot_root.sh
>>> index b68f6cf..0e13a0a 100755
>>> --- a/tests/regression/apparmor/pivot_root.sh
>>> +++ b/tests/regression/apparmor/pivot_root.sh
>>> @@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" 
>>> "$new_root" "$test"
>>>  genprofile $cur $cap "pivot_root:oldroot=$put_old $bad"
>>>  do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"
>>>  
>>> -# Give sufficient perms and perform a profile transition
>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>>> -do_test "transition" pass "$put_old" "$new_root" "$new_prof"
>>> +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then
>>> +    echo " kernel does not support pivot_root domain transitions skipping 
>>> tests ..."
>>> +elif [ "$(parser_supports 'pivot_root -> foo,')"  != "true" ] ; then
>>> +    #pivot_root domain transitions not supported
>>> +    echo " parser does not support pivot root domain transitions skipping 
>>> tests ..."
>>> +else
>>> +    # Give sufficient perms and perform a profile transition
>>> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>>> +    do_test "transition" pass "$put_old" "$new_root" "$new_prof"
>>> +
>>> +    # Ensure failure when the the new profile can't read 
>>> /proc/<PID>/attr/current
>>> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
>>> +    do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
>>> +
>>> +    # Ensure failure when the new profile doesn't exist
>>> +    genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
>>> +    do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
>>> +
>>> +    # Ensure the test binary is accurately doing post pivot_root profile 
>>> verification
>>> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>>> +    do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
>>> +
>>> +    # Give sufficient perms with new_root and a transition
>>> +    genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof 
>>> $cur
>>> +    do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
>>> +
>>> +    # Ensure failure when the new profile doesn't exist and new_root is 
>>> specified
>>> +    genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
>>> +    do_test "new_root, bad transition" fail "$put_old" "$new_root" 
>>> "$new_prof"
>>> +
>>> +    # Give sufficient perms with new_root, put_old, and a transition
>>> +    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" 
>>> -- image=$new_prof $cur
>>> +    do_test "put_old, new_root, transition" pass "$put_old" "$new_root" 
>>> "$new_prof"
>>> +
>>> +    # Ensure failure when the new profile doesn't exist and new_root and 
>>> put_old are specified
>>> +    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- 
>>> image=$new_prof $cur
>>> +    do_test "put_old, new_root, bad transition" fail "$put_old" 
>>> "$new_root" "$new_prof"
>>>  
>>> -# Ensure failure when the the new profile can't read 
>>> /proc/<PID>/attr/current
>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
>>> -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Ensure failure when the new profile doesn't exist
>>> -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
>>> -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Ensure the test binary is accurately doing post pivot_root profile 
>>> verification
>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>>> -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
>>> -
>>> -# Give sufficient perms with new_root and a transition
>>> -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
>>> -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Ensure failure when the new profile doesn't exist and new_root is 
>>> specified
>>> -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
>>> -do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Give sufficient perms with new_root, put_old, and a transition
>>> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- 
>>> image=$new_prof $cur
>>> -do_test "put_old, new_root, transition" pass "$put_old" "$new_root" 
>>> "$new_prof"
>>> -
>>> -# Ensure failure when the new profile doesn't exist and new_root and 
>>> put_old are specified
>>> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- 
>>> image=$new_prof $cur
>>> -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" 
>>> "$new_prof"
>>> +fi
>>> diff --git a/tests/regression/apparmor/prologue.inc 
>>> b/tests/regression/apparmor/prologue.inc
>>> index a77fda5..66a0edc 100755
>>> --- a/tests/regression/apparmor/prologue.inc
>>> +++ b/tests/regression/apparmor/prologue.inc
>>> @@ -22,6 +22,30 @@
>>>  # For this file, functions are first, entry point code is at end, see 
>>> "MAIN"
>>>  
>>>  #use $() to retreive the failure message or "true" if success
>>> +
>>> +kernel_features_istrue()
>>> +{
>>> +   if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
>>> +           echo "Kernel feature masks not supported."
>>> +           return 1;
>>> +   fi
>>> +
>>> +   for f in $@ ; do
>>> +           if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
>>> +                   echo "Required feature '$f' not available."
>>> +                   return 2;
>>> +           fi
>>> +           if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \
>>> +                `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' 
>>> ] ; then
>>> +                   echo "Required feature '$f' not available."
>>> +                   return 3;
>>> +           fi
>>> +        done
>>> +
>>> +   echo "true"
>>> +   return 0;
>>> +}
>>
>> I don't think I'd know when to call kernel_features_istrue() and when to
>> call kernel_features(). Is there really a need for both of them or can
>> you just add the additional check for "no" to the existing
>> kernel_features()?
>>
> yes, but we need to patch some of the tests that are just checking a directory
> path exists vs. a file's value


Ah, I didn't think about that.

> 
> I can work on a more comprehensive patch

How about just a quick couple of comments describing when to use each
function?

Tyler

> 
> 
>> Tyler
>>
>>> +
>>>  kernel_features()
>>>  {
>>>     if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
>>>
>>
>>
>

signature.asc
Description: OpenPGP digital signature

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [PATCH] regression test: conditionaly run pivot_root domain, transitions

Reply via email to