On 01/12/2012 10:08 AM, Steve Beattie wrote:
> This patch adds the ability to add multiple binaries to a generated
> profile and have the ldd auto-generation of rules run on each of them.
> It also removes all testcase usage of $dynlibs, which had stopped being
> generated by prologue.inc in a prior patch.
> 
Acked-by: John Johansen <[email protected]>

> ---
>  tests/regression/apparmor/capabilities.sh   |    7 +----
>  tests/regression/apparmor/changehat_misc.sh |    6 -----
>  tests/regression/apparmor/environ.sh        |    2 -
>  tests/regression/apparmor/mkprofile.pl      |   14 +++++++++++
>  tests/regression/apparmor/sd_flags.sh       |   33 
> +++++++++++++---------------
>  5 files changed, 33 insertions(+), 29 deletions(-)
> 
> Index: b/tests/regression/apparmor/mkprofile.pl
> ===================================================================
> --- a/tests/regression/apparmor/mkprofile.pl
> +++ b/tests/regression/apparmor/mkprofile.pl
> @@ -121,7 +121,7 @@ sub gen_elf_binary($) {
>  sub gen_binary($) {
>    my $bin = shift;
>  
> -  gen_file("$bin:r");
> +  gen_file("$bin:rix");
>  
>    my $hashbang = head($bin);
>    if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
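Review bot: The switch from `$bin:r` to `$bin:rix` in gen_binary widens the rule for every image that passes through this function, not only those added via `addimage:`. If the main execname and the hashbang interpreter handled just below also reach gen_binary, every generated profile now lets the confined test re-execute those images with inherited confinement, which could mask a test that expects an exec denial. I would state the intent in a comment above the call, e.g. `# images always get rix so hats and ix tests can exec them`, or make the permission a parameter that only gen_addimage sets to `rix`. The body of gen_binary continues past the end of this hunk, so the interpreter handling is not visible here.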
> @@ -199,6 +199,16 @@ sub gen_hat($) {
>    }
>  }
>  
> +sub gen_addimage($) {
> +  my $rule = shift;
> +  my @rules = split (/:/, $rule);
> +  if (@rules != 2) {
> +    (!$nowarn) && print STDERR "Warning: invalid addimage description 
> '$rule', ignored\n";
> +  } else {
> +    gen_binary($rules[1]);
> +  }
> +}
> +
>  my $bin = shift @ARGV;
>  !(-e $bin || $nowarn) && print STDERR "Warning: execname '$bin': no such 
> file or directory\n";
>  
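Review bot: gen_addimage hands `$rules[1]` to gen_binary without the `-e` check that the main execname gets right after this function, so a mistyped `addimage:` path reaches the file inspection in gen_binary with no warning naming the rule. I would add `!(-e $rules[1] || $nowarn) && print STDERR "Warning: addimage '$rules[1]': no such file or directory\n";` before the call. `split(/:/, $rule)` also rejects any path that contains a colon, so a comment such as `# format: addimage:/path/to/binary (no permission suffix)` would document the accepted form. Since the description says ldd is run on each added image, and ldd may execute the file it inspects, that comment should also say the path must be a trusted test binary.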
> @@ -220,6 +230,8 @@ for my $rule (@ARGV) {
>      gen_flag($rule);
>    } elsif ($rule =~ /^hat:/) {
>      gen_hat($rule);
> +  } elsif ($rule =~ /^addimage:/) {
> +    gen_addimage($rule);
>    } else {
>      gen_file($rule);
>    }
> Index: b/tests/regression/apparmor/changehat_misc.sh
> ===================================================================
> --- a/tests/regression/apparmor/changehat_misc.sh
> +++ b/tests/regression/apparmor/changehat_misc.sh
> @@ -75,13 +75,9 @@ echo
>  echo "*** A 'Killed' message from bash is expected for the following test"
>  runchecktest "CHANGEHAT (bad token)" signal9 ${subtest}
>  
> -# Attempt to changehat out of a profile when the magic token is 0
> -# ugh, need dynlibs from open test
> -settest open
> -open_dynlibs=${dynlibs}
>  settest changehat_wrapper
>  
> -genprofile hat:open ${dynlibs} ${bin}/open:rix ${file}:${okperm}
> +genprofile hat:open addimage:${bin}/open ${file}:${okperm}
>  
>  runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open 
> ${file}
>  runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0 
> --exit_hat open ${file}
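Review bot: The comment `# Attempt to changehat out of a profile when the magic token is 0` is deleted together with the dynlibs workaround, although it describes the two `--token=0` tests that remain at the end of this hunk. Only the `# ugh, need dynlibs from open test` line refers to the removed code. I would keep the first comment line directly above `settest changehat_wrapper`.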
> Index: b/tests/regression/apparmor/environ.sh
> ===================================================================
> --- a/tests/regression/apparmor/environ.sh
> +++ b/tests/regression/apparmor/environ.sh
> @@ -69,7 +69,7 @@ genprofile ${helper_sh}:Px -- image=${he
>  runchecktest "ENVIRON (shell script): Px & regular env" pass ${helper_sh} 
> FOO=BAR
>  runchecktest "ENVIRON (shell script): Px & sensitive env" fail ${helper_sh} 
> LD_LIBRARY_PATH=.
>  
> -genprofile ${helper_sh}:rix /bin/bash:rix "/lib*/lib*:mr"
> +genprofile addimage:${helper_sh}
>  runchecktest "ENVIRON (shell script): ix & regular env" pass ${helper_sh} 
> FOO=BAR
>  runchecktest "ENVIRON (shell script): ix & sensitive env" pass ${helper_sh} 
> LD_LIBRARY_PATH=.
>  
> Index: b/tests/regression/apparmor/capabilities.sh
> ===================================================================
> --- a/tests/regression/apparmor/capabilities.sh
> +++ b/tests/regression/apparmor/capabilities.sh
> @@ -108,11 +108,8 @@ for TEST in ${TESTS} ; do
>  
>       # okay, now check to see if the capability functions from within
>       # a subprofile.
> -     # Eww, this is ugly. subprofile tests depend on the internal
> -     # variable dynlibs defined by prologue.inc::settest
> -     test_dynlibs=${dynlibs}
>       settest ${testwrapper}
> -     genprofile hat:${TEST} ${test_dynlibs} ${bin}/${TEST}:rix ${my_entries}
> +     genprofile hat:${TEST} addimage:${bin}/${TEST} ${my_entries}
>       runchecktest "${TEST} changehat -- no caps" fail ${TEST} ${my_arg}
>       for cap in ${CAPABILITIES} ; do
>               if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
> @@ -120,7 +117,7 @@ for TEST in ${TESTS} ; do
>               else
>                       expected_result=fail
>               fi
> -             genprofile hat:${TEST} ${test_dynlibs} ${bin}/${TEST}:rix 
> cap:${cap} ${my_entries}
> +             genprofile hat:${TEST} addimage:${bin}/${TEST} cap:${cap} 
> ${my_entries}
>               runchecktest "${TEST} changehat -- capability ${cap}" 
> ${expected_result} ${TEST} ${my_arg}
>       done
>  
> Index: b/tests/regression/apparmor/sd_flags.sh
> ===================================================================
> --- a/tests/regression/apparmor/sd_flags.sh
> +++ b/tests/regression/apparmor/sd_flags.sh
> @@ -54,73 +54,72 @@ genprofile flag:audit flag:complain
>  runchecktest "SD_FLAGS OPEN noaccess (audit,complain)" pass $file
>  
>  # check for flags on hats...
> -open_dynlibs=${dynlibs}
>  settest changehat_wrapper
>  
>  # audit alone
>  # PASS TEST (noflags)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
> +genprofile hat:open addimage:${bin}/open $file:$okperm
>  runchecktest "SD_FLAGS HAT/OPEN RW (noflags)" pass open $file
>  
>  # PASS TEST 1 (audit)
> -genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
> +genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm
>  runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
>  
>  # PASS TEST 2 (audit)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm flag:audit
> +genprofile hat:open addimage:${bin}/open $file:$okperm flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
>  
>  # PASS TEST 3 (audit)
> -genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$okperm 
> flag:audit
> +genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
>  
>  # FAILURE TEST 1 (audit)
> -genprofile flag:audit  hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
> +genprofile flag:audit  hat:open addimage:${bin}/open $file:$badperm1
>  runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
>  
>  # FAILURE TEST 2 (audit)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:audit
> +genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
>  
>  # FAILURE TEST 3 (audit)
> -genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 
> flag:audit
> +genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 
> flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
>  
>  # complain alone
>  # PASS TEST 1 (complain)
> -genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$okperm
> +genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm
>  runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
>  
>  # PASS TEST 2 (complain)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$okperm flag:complain
> +genprofile hat:open addimage:${bin}/open $file:$okperm flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
>  
>  # PASS TEST 3 (complain)
> -genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$okperm 
> flag:complain
> +genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm 
> flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
>  
>  # FAILURE TEST 1 (complain)
> -genprofile flag:complain  hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1
> +genprofile flag:complain  hat:open addimage:${bin}/open $file:$badperm1
>  runchecktest "SD_FLAGS HAT/OPEN R (complain)" fail open $file
>  
>  # PASS TEST 4 (complain)
> -genprofile hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 flag:complain
> +genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
>  
>  # PASS TEST 5 (complain)
> -genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 
> flag:complain
> +genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 
> flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
>  
>  # PASS TEST 6 (complain) no hat defined
> -genprofile flag:complain 
> +genprofile flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
>  
>  # audit + complain
>  # PASS TEST 3 (audit+complain)
> -genprofile flag:audit hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 
> flag:complain
> +genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 
> flag:complain
>  runchecktest "SD_FLAGS HAT/OPEN RW (audit+complain)" pass open $file
>  
>  # FAILURE TEST 3 (complain+audit)
> -genprofile flag:complain hat:open ${dynlibs} ${bin}/open:rix $file:$badperm1 
> flag:audit
> +genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 
> flag:audit
>  runchecktest "SD_FLAGS HAT/OPEN R (complain+audit)" fail open $file
>  
> 
> 
> 

