This patch adds a flag to mkprofile.pl to not automatically add
'rix' permissions on executable images (but still auto-generate
ldd dependencies), for use when specifying alternate permissions
on executables.
Where appropriate, it also converts a few testcases to make use of
the option.
---
tests/regression/apparmor/coredump.sh | 4 ++--
tests/regression/apparmor/exec.sh | 4 ++--
tests/regression/apparmor/mkprofile.pl | 4 +++-
tests/regression/apparmor/prologue.inc | 8 ++++++++
4 files changed, 15 insertions(+), 5 deletions(-)
Index: b/tests/regression/apparmor/mkprofile.pl
===================================================================
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -14,6 +14,7 @@ use Cwd 'realpath';
my $help = '';
my $nowarn = '';
my $nodefault;
+my $noimage;
my $escape = '';
my %output_rules;
my $hat = "__no_hat";
@@ -24,6 +25,7 @@ GetOptions(
'nowarn' => \$nowarn,
'help|h' => \$help,
'nodefault|N' => \$nodefault,
+ 'noimage|I' => \$noimage,
);
sub usage {
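Review bot: The new `'noimage|I'` entry in GetOptions has no matching line in usage(). The diffstat gives three insertions for mkprofile.pl and all three are visible in these hunks, so the help text is untouched. Add a line alongside the other option descriptions, for example `-I|--noimage   Don't add the automatic rix rule for the image (ldd dependencies are still generated)`. usage()'s body lies outside the hunk, so the wording and layout should be matched to what is already there.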
@@ -121,7 +123,7 @@ sub gen_elf_binary($) {
sub gen_binary($) {
my $bin = shift;
- gen_file("$bin:rix");
+ gen_file("$bin:rix") unless $noimage;
my $hashbang = head($bin);
if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
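Review bot: `gen_file("$bin:rix") unless $noimage;` deserves a comment, because with -I the generated profile contains no rule for the image itself unless the caller passes one explicitly. Suggested: `# --noimage: the caller supplies its own permissions for $bin; dependency rules are still generated below`. `$noimage` is a file-scoped variable, so it applies to every gen_binary call in a run rather than to one image. gen_binary's body continues past the hunk, so how the `#!` interpreter branch behaves under -I cannot be seen here.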
Index: b/tests/regression/apparmor/exec.sh
===================================================================
--- a/tests/regression/apparmor/exec.sh
+++ b/tests/regression/apparmor/exec.sh
@@ -61,10 +61,10 @@ runchecktest "EXEC mmap x" fail $file
# UNCONFINED -> CONFINED
-genprofile image=$file
+genprofile image=$file
runchecktest "EXEC unconfined -> confined" pass $file
# UNCONFINED -> CONFINED no access to self binary
-genprofile -N image=$file "/lib{64,}/ld*.so*:rix" "/lib{64,}/lib*.so*:rm"
+genprofile -I image=$file
runchecktest "EXEC unconfined -> confined/no access to self" pass $file
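Review bot: The "no access to self" case at `genprofile -I image=$file` no longer passes -N, so mkprofile.pl's default rules are now part of this profile, where the old line emitted only the two explicit /lib rules. The test name says the confined task has no access to its own binary, which holds only if none of the default rules match $file. The defaults are not visible in this patch, so that should be confirmed. A comment such as `# -I: no automatic rix rule for $file; default rules are still emitted` would record the intended profile contents.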
Index: b/tests/regression/apparmor/prologue.inc
===================================================================
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -253,6 +253,11 @@ emit_profile()
mkflags="${mkflags} -N"
fi
+ if [ "$noimage" -eq 1 ]
+ then
+ mkflags="${mkflags} -I"
+ fi
+
name=$1; perm=$2; shift 2
$bin/mkprofile.pl ${mkflags} "$name" ${outfile}:w "$@" >> $profile
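Review bot: `[ "$noimage" -eq 1 ]` prints "integer expression expected" and falls through as false when noimage is unset or empty. That can happen if emit_profile is reached without first running the option loop that sets `noimage=0`, which is added in a later hunk of this file. `if [ "${noimage:-0}" -eq 1 ]` gives the same result without the error on stderr. emit_profile starts outside the hunk, and the existing -N check above may use the same pattern, in which case both are worth changing together.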
@@ -274,6 +279,7 @@ fi
complainflag=""
escapeflag=""
nodefaults=0
+ noimage=0
while /bin/true
do
case "$1" in
@@ -283,6 +289,8 @@ fi
;;
"-N") nodefaults=1
;;
+ "-I") noimage=1
+ ;;
*) break
;;
esac
Index: b/tests/regression/apparmor/coredump.sh
===================================================================
--- a/tests/regression/apparmor/coredump.sh
+++ b/tests/regression/apparmor/coredump.sh
@@ -81,7 +81,7 @@ checkcorefile yes "COREDUMP (no confinem
# PASS TEST, with r confinement
cleancorefile
-genprofile image=$test:$coreperm
+genprofile -I $test:$coreperm
echo
echo "*** A 'Segmentation Fault' message from bash is expected for the
following test"
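Review bot: The new `genprofile -I $test:$coreperm` drops the `image=` keyword as well as adding -I, so $test is now passed as an ordinary file rule and the profile attaches to whatever genprofile uses as its default image. Presumably that is $test, but it is not visible in this patch. A comment above the call would make the intent clear, for example `# -I: no automatic rix on the test binary, so $coreperm is its only permission`. The same applies to `genprofile -I $test:$nocoreperm` in the next hunk.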
@@ -90,7 +90,7 @@ checkcorefile yes "COREDUMP ($coreperm c
# FAIL TEST, with x confinement
cleancorefile
-genprofile image=$test:$nocoreperm
+genprofile -I $test:$nocoreperm
echo
echo "*** A 'Segmentation Fault' message from bash is expected for the
following test"