This patch adds the ability to add multiple binaries to a generated
profile and have the ldd auto-generation of rules occur on each of them. It
also kills all testcase usage of $dynlibs, which had stopped being
generated by prologue.inc in a prior patch.
---
tests/regression/apparmor/capabilities.sh | 7 +----
tests/regression/apparmor/changehat_misc.sh | 6 -----
tests/regression/apparmor/environ.sh | 2 -
tests/regression/apparmor/mkprofile.pl | 14 +++++++++++
tests/regression/apparmor/sd_flags.sh | 33 +++++++++++++---------------
5 files changed, 33 insertions(+), 29 deletions(-)
Index: b/tests/regression/apparmor/mkprofile.pl
===================================================================
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -121,7 +121,7 @@ sub gen_elf_binary($) {
sub gen_binary($) {
my $bin = shift;
- gen_file("$bin:r");
+ gen_file("$bin:rix");
my $hashbang = head($bin);
if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
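Review bot: The switch from `gen_file("$bin:r")` to `gen_file("$bin:rix")` applies to every binary that goes through gen_binary, including the primary execname, not only the new `addimage:` ones, so as far as this hunk shows each generated profile now also grants inherit-exec on its own executable; the description only motivates the change for added images. If that widening is intended, a one-line comment would save the next reader a detour: `# rix rather than r: addimage binaries are exec'd from within the profile, so they need ix too`. If it is not, the mode could be passed in by the caller instead of being fixed here. gen_binary's body continues past the hunk.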
@@ -199,6 +199,16 @@ sub gen_hat($) {
}
}
+sub gen_addimage($) {
+ my $rule = shift;
+ my @rules = split (/:/, $rule);
+ if (@rules != 2) {
+ (!$nowarn) && print STDERR "Warning: invalid addimage description '$rule',
ignored\n";
+ } else {
+ gen_binary($rules[1]);
+ }
+}
+
my $bin = shift @ARGV;
!(-e $bin || $nowarn) && print STDERR "Warning: execname '$bin': no such file
or directory\n";
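Review bot: gen_addimage hands `$rules[1]` straight to gen_binary without the existence check the main execname gets a few lines below (`!(-e $bin || $nowarn) && print STDERR ...`), so a mistyped `addimage:` path is only reported if something inside gen_binary or head() happens to complain. Mirroring that check in the else branch keeps the two paths consistent: `(-e $rules[1] || $nowarn) or print STDERR "Warning: addimage '$rules[1]': no such file or directory\n";`. Separately, `split (/:/, $rule)` with no limit rejects any path that itself contains a colon; `split(/:/, $rule, 2)` would accept it, assuming the other colon-separated rule forms in this file are meant to behave the same way. The `addimage:` dispatch added in the following hunk needs no change.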
@@ -220,6 +230,8 @@ for my $rule (@ARGV) {
gen_flag($rule);
} elsif ($rule =~ /^hat:/) {
gen_hat($rule);
+ } elsif ($rule =~ /^addimage:/) {
+ gen_addimage($rule);
} else {
gen_file($rule);
}
Index: b/tests/regression/apparmor/changehat_misc.sh
===================================================================
--- a/tests/regression/apparmor/changehat_misc.sh
+++ b/tests/regression/apparmor/changehat_misc.sh
@@ -75,13 +75,9 @@ echo
echo "*** A 'Killed' message from bash is expected for the following test"
runchecktest "CHANGEHAT (bad token)" signal9 ${subtest}
-# Attempt to changehat out of a profile when the magic token is 0
-# ugh, need dynlibs from open test
-settest open
-open_dynlibs=${dynlibs}
settest changehat_wrapper
-genprofile hat:open ${dynlibs} ${bin}/open:rix ${file}:${okperm}
+genprofile hat:open addimage:${bin}/open ${file}:${okperm}
runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open
${file}
runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0
--exit_hat open ${file}
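Review bot: The removed comment `# Attempt to changehat out of a profile when the magic token is 0` described what the two runchecktest calls below exercise, and it disappeared together with the `settest open` / `open_dynlibs` lines it happened to sit next to; only the `# ugh, need dynlibs from open test` half was obsolete. Restoring that first line above `settest changehat_wrapper` keeps the intent of the token=0 tests readable without consulting history.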
Index: b/tests/regression/apparmor/environ.sh
===================================================================
--- a/tests/regression/apparmor/environ.sh
+++ b/tests/regression/apparmor/environ.sh
@@ -69,7 +69,7 @@ genprofile ${helper_sh}:Px -- image=${he
runchecktest "ENVIRON (shell script): Px & regular env" pass ${helper_sh}
FOO=BAR
runchecktest "ENVIRON (shell script): Px & sensitive env" fail ${helper_sh}
LD_LIBRARY_PATH=.
-genprofile ${helper_sh}:rix /bin/bash:rix "/lib*/lib*:mr"
+genprofile addimage:${helper_sh}
runchecktest "ENVIRON (shell script): ix & regular env" pass ${helper_sh}
FOO=BAR
runchecktest "ENVIRON (shell script): ix & sensitive env" pass ${helper_sh}
LD_LIBRARY_PATH=.
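Review bot: The replaced line granted `/bin/bash:rix` and `/lib*/lib*:mr` explicitly, whereas `addimage:${helper_sh}` now relies on gen_binary's `#!` handling to pull in the interpreter and on ldd to enumerate its libraries; only the start of that handling is visible in this patch, so a reader of environ.sh can no longer see from this file that bash ends up in the profile. A comment on the new line, `# addimage: gen_binary adds the #! interpreter and its ldd'd libraries for the script`, would record the dependency, and it is worth confirming against gen_binary that the interpreter rule really is emitted before merging, since the "ix & sensitive env" case expects a pass.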
Index: b/tests/regression/apparmor/capabilities.sh
===================================================================
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@@ -108,11 +108,8 @@ for TEST in ${TESTS} ; do
# okay, now check to see if the capability functions from within
# a subprofile.
- # Eww, this is ugly. subprofile tests depend on the internal
- # variable dynlibs defined by prologue.inc::settest
- test_dynlibs=${dynlibs}
settest ${testwrapper}
- genprofile hat:${TEST} ${test_dynlibs} ${bin}/${TEST}:rix ${my_entries}
+ genprofile hat:${TEST} addimage:${bin}/${TEST} ${my_entries}
runchecktest "${TEST} changehat -- no caps" fail ${TEST} ${my_arg}
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
@@ -120,7 +117,7 @@ for TEST in ${TESTS} ; do
else
expected_result=fail
fi
- genprofile hat:${TEST} ${test_dynlibs} ${bin}/${TEST}:rix
cap:${cap} ${my_entries}
+ genprofile hat:${TEST} addimage:${bin}/${TEST} cap:${cap}
${my_entries}
runchecktest "${TEST} changehat -- capability ${cap}"
${expected_result} ${TEST} ${my_arg}
done
Index: b/tests/regression/apparmor/sd_flags.sh
===================================================================
--- a/tests/regression/apparmor/sd_flags.sh
+++ b/tests/regression/apparmor/sd_flags.sh
@@ -54,73 +54,72 @@ genprofile flag:audit flag:complain
runchecktest "SD_FLAGS OPEN noaccess (audit,complain)" pass $file
# check for flags on hats...
-open_dynlibs=${dynlibs}
settest changehat_wrapper
# audit alone
# PASS TEST (noflags)
-genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
+genprofile hat:open addimage:${bin}/open $file:$okperm
runchecktest "SD_FLAGS HAT/OPEN RW (noflags)" pass open $file
# PASS TEST 1 (audit)
-genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
+genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm
runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
# PASS TEST 2 (audit)
-genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm flag:audit
+genprofile hat:open addimage:${bin}/open $file:$okperm flag:audit
runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
# PASS TEST 3 (audit)
-genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
flag:audit
+genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm flag:audit
runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
# FAILURE TEST 1 (audit)
-genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
+genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1
runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
# FAILURE TEST 2 (audit)
-genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:audit
+genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:audit
runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
# FAILURE TEST 3 (audit)
-genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
flag:audit
+genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:audit
runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
# complain alone
# PASS TEST 1 (complain)
-genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
+genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm
runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
# PASS TEST 2 (complain)
-genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm flag:complain
+genprofile hat:open addimage:${bin}/open $file:$okperm flag:complain
runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
# PASS TEST 3 (complain)
-genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
flag:complain
+genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm
flag:complain
runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
# FAILURE TEST 1 (complain)
-genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
+genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1
runchecktest "SD_FLAGS HAT/OPEN R (complain)" fail open $file
# PASS TEST 4 (complain)
-genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:complain
+genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:complain
runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
# PASS TEST 5 (complain)
-genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
flag:complain
+genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1
flag:complain
runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
# PASS TEST 6 (complain) no hat defined
-genprofile flag:complain
+genprofile flag:complain
runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
# audit + complain
# PASS TEST 3 (audit+complain)
-genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
flag:complain
+genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1
flag:complain
runchecktest "SD_FLAGS HAT/OPEN RW (audit+complain)" pass open $file
# FAILURE TEST 3 (complain+audit)
-genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
flag:audit
+genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1
flag:audit
runchecktest "SD_FLAGS HAT/OPEN R (complain+audit)" fail open $file
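Review bot: Under `# PASS TEST 6 (complain) no hat defined` the pair `-genprofile flag:complain` / `+genprofile flag:complain` differs only in invisible (presumably trailing) whitespace, which makes this otherwise mechanical hunk harder to audit line by line. Either drop that change or mention it in the description so reviewers do not hunt for a semantic difference. Every other changed line substitutes `addimage:${bin}/open` for `${dynlibs} ${bin}/open:rix` uniformly.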