On 01/12/2012 10:08 AM, Steve Beattie wrote:
> This patch adds a flag to mkprofile.pl to not automatically add
> 'rix' permissions on executable images (but still auto-generate
> ldd dependencies), for use when specifying alternate permissions
> on executables.
> 
> Where appropriate, it also converts a few testcases to make use of
> the option.
> 
Acked-by: John Johansen <[email protected]>

> ---
>  tests/regression/apparmor/coredump.sh  |    4 ++--
>  tests/regression/apparmor/exec.sh      |    4 ++--
>  tests/regression/apparmor/mkprofile.pl |    4 +++-
>  tests/regression/apparmor/prologue.inc |    8 ++++++++
>  4 files changed, 15 insertions(+), 5 deletions(-)
> 
> Index: b/tests/regression/apparmor/mkprofile.pl
> ===================================================================
> --- a/tests/regression/apparmor/mkprofile.pl
> +++ b/tests/regression/apparmor/mkprofile.pl
> @@ -14,6 +14,7 @@ use Cwd 'realpath';
>  my $help = '';
>  my $nowarn = '';
>  my $nodefault;
> +my $noimage;
>  my $escape = '';
>  my %output_rules;
>  my $hat = "__no_hat";
> @@ -24,6 +25,7 @@ GetOptions(
>    'nowarn' => \$nowarn,
>    'help|h' => \$help,
>    'nodefault|N' => \$nodefault,
> +  'noimage|I' => \$noimage,
>  );
>  
>  sub usage {
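Review bot: The new `'noimage|I'` option is registered with GetOptions, but the help text does not appear to be updated to mention it. The diffstat gives mkprofile.pl three insertions and one deletion, and the three visible hunks account for all of them. usage() only begins on the last line of this hunk, so its current wording cannot be checked from here. A line such as `-I|--noimage   do not add the automatic rix rule for the executable image` alongside the other options would keep the help output in step with the parser.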
> @@ -121,7 +123,7 @@ sub gen_elf_binary($) {
>  sub gen_binary($) {
>    my $bin = shift;
>  
> -  gen_file("$bin:rix");
> +  gen_file("$bin:rix") unless $noimage;
>  
>    my $hashbang = head($bin);
>    if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) {
> Index: b/tests/regression/apparmor/exec.sh
> ===================================================================
> --- a/tests/regression/apparmor/exec.sh
> +++ b/tests/regression/apparmor/exec.sh
> @@ -61,10 +61,10 @@ runchecktest "EXEC mmap x" fail $file
>  
>  # UNCONFINED -> CONFINED
>  
> -genprofile image=$file 
> +genprofile image=$file
>  runchecktest "EXEC unconfined -> confined" pass $file
>  
>  # UNCONFINED -> CONFINED no access to self binary
>  
> -genprofile -N image=$file  "/lib{64,}/ld*.so*:rix" "/lib{64,}/lib*.so*:rm"
> +genprofile -I image=$file
>  runchecktest "EXEC unconfined -> confined/no access to self" pass $file
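Review bot: The "no access to self" case moves from `-N` with two explicit library rules to `-I` with the default rule set, so what the profile now grants is decided by mkprofile.pl's defaults and its ldd-derived rules rather than by this line. The test only stays meaningful while none of those generated rules match `$file` itself, and that is not visible in this hunk. A comment above the call would record the intent, for example `# -I: no rule is emitted for $file itself; library rules come from the ldd scan`.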
> Index: b/tests/regression/apparmor/prologue.inc
> ===================================================================
> --- a/tests/regression/apparmor/prologue.inc
> +++ b/tests/regression/apparmor/prologue.inc
> @@ -253,6 +253,11 @@ emit_profile()
>               mkflags="${mkflags} -N"
>       fi
>  
> +     if [ "$noimage" -eq 1 ]
> +     then
> +             mkflags="${mkflags} -I"
> +     fi
> +
>       name=$1; perm=$2; shift 2
>  
>       $bin/mkprofile.pl ${mkflags} "$name" ${outfile}:w "$@" >> $profile
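Review bot: The added test `[ "$noimage" -eq 1 ]` in emit_profile() depends on `noimage` having been set by the option-parsing block patched in the next hunk. If emit_profile() is ever reached without that block having run, `[` gets an empty operand, prints an "integer expression expected" error, and silently takes the false branch. Writing it as `if [ "${noimage:-0}" -eq 1 ]` removes that dependency. The adjacent `-N` check visible just above looks like it follows the same pattern and could be hardened together with it. The function starts and ends outside this hunk.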
> @@ -274,6 +279,7 @@ fi
>       complainflag=""
>       escapeflag=""
>       nodefaults=0
> +     noimage=0
>       while /bin/true 
>       do
>               case "$1" in 
> @@ -283,6 +289,8 @@ fi
>                             ;;
>                       "-N") nodefaults=1
>                             ;;
> +                     "-I") noimage=1
> +                           ;;
>                       *) break
>                          ;;
>               esac
> Index: b/tests/regression/apparmor/coredump.sh
> ===================================================================
> --- a/tests/regression/apparmor/coredump.sh
> +++ b/tests/regression/apparmor/coredump.sh
> @@ -81,7 +81,7 @@ checkcorefile yes "COREDUMP (no confinem
>  
>  # PASS TEST, with r confinement
>  cleancorefile
> -genprofile image=$test:$coreperm
> +genprofile -I $test:$coreperm
>  
>  echo
>  echo "*** A 'Segmentation Fault' message from bash is expected for the 
> following test"
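Review bot: Both coredump cases (this hunk and the `$nocoreperm` one below) drop the `image=` prefix while adding `-I`, whereas exec.sh keeps `-I image=$file`. The reason for the different spelling is not stated. Presumably `$test` is already the default image, so the bare `$test:$coreperm` argument is just an explicit file rule that replaces the automatic rix, but that depends on genprofile code outside this patch. A short comment such as `# -I: $test gets only $coreperm, not the automatic rix` above each call would make it clear that the permission under test is the only one granted on the binary.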
> @@ -90,7 +90,7 @@ checkcorefile yes "COREDUMP ($coreperm c
>  
>  # FAIL TEST, with x confinement
>  cleancorefile
> -genprofile image=$test:$nocoreperm
> +genprofile -I $test:$nocoreperm
>  
>  echo
>  echo "*** A 'Segmentation Fault' message from bash is expected for the 
> following test"
> 
> 

