Augment the regression tests with a couple of simple functions that test what the parser supports, and update the test conditionals to use them.
Signed-off-by: John Johansen <[email protected]>
Acked-by: Seth Arnold <[email protected]>
---
 tests/regression/apparmor/dbus_eavesdrop.sh | 1 +
 tests/regression/apparmor/dbus_message.sh | 1 +
 tests/regression/apparmor/dbus_service.sh | 1 +
 .../regression/apparmor/dbus_unrequested_reply.sh | 1 +
 tests/regression/apparmor/deleted.sh | 2 +-
 tests/regression/apparmor/mount.sh | 2 +-
 tests/regression/apparmor/named_pipe.sh | 2 +-
 tests/regression/apparmor/pivot_root.sh | 4 ++--
 tests/regression/apparmor/prologue.inc | 24 ++++++++++++++++++++++
 tests/regression/apparmor/ptrace.sh | 2 +-
 tests/regression/apparmor/socketpair.sh | 2 +-
 tests/regression/apparmor/unix_fd_server.sh | 4 ++--
 tests/regression/apparmor/unix_socket_abstract.sh | 1 +
 tests/regression/apparmor/unix_socket_pathname.sh | 2 +-
 tests/regression/apparmor/unix_socket_unnamed.sh | 1 +
 15 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh
index fe26b91..2792900 100755
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@@ -19,6 +19,7 @@ bin=$pwd
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 args="--session"
diff --git a/tests/regression/apparmor/dbus_message.sh b/tests/regression/apparmor/dbus_message.sh
index 30b1592..cc52745 100755
--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@@ -19,6 +19,7 @@ bin=$pwd
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
diff --git a/tests/regression/apparmor/dbus_service.sh b/tests/regression/apparmor/dbus_service.sh
index 451a661..322853b 100755
--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@@ -18,6 +18,7 @@ bin=$pwd
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 service="--$bus --name=$dest $path $iface"
diff --git a/tests/regression/apparmor/dbus_unrequested_reply.sh b/tests/regression/apparmor/dbus_unrequested_reply.sh
index 1cfd8d4..e91f3ad 100644
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@@ -18,6 +18,7 @@ bin=$pwd
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 service="--$bus --name=$dest $path $iface"
diff --git a/tests/regression/apparmor/deleted.sh b/tests/regression/apparmor/deleted.sh
index 84a51fc..8d4c5b4 100755
--- a/tests/regression/apparmor/deleted.sh
+++ b/tests/regression/apparmor/deleted.sh
@@ -65,7 +65,7 @@ okperm=rwl
 badperm=wl
 af_unix=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 af_unix="unix:create"
 fi
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index 86bfecb..0840199 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -102,7 +102,7 @@ runchecktest "UMOUNT (confined no perm)" fail umount ${loop_device} ${mount_poin
 remove_mnt
-if [ "$(have_features mount)" != "true" ] ; then
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
 genprofile capability:sys_admin
 runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
 remove_mnt
diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh
index e63456f..52037e5 100755
--- a/tests/regression/apparmor/named_pipe.sh
+++ b/tests/regression/apparmor/named_pipe.sh
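Review bot: The new condition in the deleted.sh hunk joins two comparisons with `-a` inside a single `[ ]`, and the mount.sh hunk does the same with `-o`; POSIX marks both operators obsolescent because the expression becomes ambiguous when an operand looks like an operator. `parser_supports` already returns 0 or 1, so its exit status can be tested directly instead of comparing its captured output with "true": `if [ "$(have_features network/af_unix)" = "true" ] && parser_supports 'unix,' >/dev/null ; then`, and for the negated case `if [ "$(have_features mount)" != "true" ] || ! parser_supports 'mount,' >/dev/null ; then`. The same form applies to the named_pipe.sh, pivot_root.sh, ptrace.sh, socketpair.sh, unix_fd_server.sh and unix_socket_pathname.sh hunks.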
@@ -38,7 +38,7 @@ badchild=r
 # Add genprofile params that are common to all hats here
 common=""
-if [ "$(have_features signal)" == "true" ] ; then
+if [ "$(have_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
 # Allow send/receive of all signals
 common="${common} signal:ALL"
 fi
diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
index 35004fc..faea755 100755
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -106,8 +106,8 @@ do_test "unconfined, bad context" fail "$put_old" "$new_root" "$bad"
 genprofile
 do_test "no perms" fail "$put_old" "$new_root" "$test"
-if [ "$(have_features mount)" != "true" ] ; then
- # pivot_root mediation isn't supported by this kernel, so verify that
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
+ # pivot_root mediation isn't supported by this kernel/parser, so verify that
 # capability sys_admin is sufficient and skip the remaining tests
 genprofile $cur $cap
 do_test "cap" pass "$put_old" "$new_root" "$test"
diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
index 3036cbb..bcbe7ea 100755
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -58,6 +58,30 @@ requires_query_interface()
 fi
 }
+parser_supports()
+{
+ for R in $@ ; do
+ echo "/test { $R }" | $subdomain ${parser_args} -qQT 2>/dev/null 1>/dev/null
+ if [ $? -ne 0 ] ; then
+ echo "Compiler does not support rule '$R'"
+ return 1;
+ fi
+ done
+
+ echo "true"
+ return 0;
+}
+
+requires_parser_support()
+{
+ local res=$(parser_supports $@)
+ if [ "$res" != "true" ] ; then
+ echo "$res. Skipping tests ..."
+ exit 0
+ fi
+}
+
+
 fatalerror()
 {
 # global _fatal
diff --git a/tests/regression/apparmor/ptrace.sh b/tests/regression/apparmor/ptrace.sh
index 64cdf24..17771d0 100755
--- a/tests/regression/apparmor/ptrace.sh
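Review bot: `parser_supports` in the prologue.inc hunk reports every non-zero exit of `$subdomain` as "Compiler does not support rule" and throws stderr away, so a parser that is missing, not executable or rejects `${parser_args}` is indistinguishable from one that lacks the rule. `requires_parser_support` then prints a skip message and does `exit 0`, and the `-o` conditions in mount.sh and pivot_root.sh fall back to the capability-only branch, so a broken setup shows up as a passing run with the mediation tests not executed. Probing a rule-free profile first and failing the run when that does not compile (for example through `fatalerror`, whose body lies outside the hunk) would separate the two cases. Separately, `$@` is unquoted in both functions, so a rule that contains a space is split and probed word by word; `for R in "$@" ; do` and `local res=$(parser_supports "$@")` keep each rule intact.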
+++ b/tests/regression/apparmor/ptrace.sh
@@ -52,7 +52,7 @@ runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true
 runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
-if [ "$(have_features ptrace)" == "true" ] ; then
+if [ "$(have_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
 . $bin/ptrace_v6.inc
 else
 . $bin/ptrace_v5.inc
diff --git a/tests/regression/apparmor/socketpair.sh b/tests/regression/apparmor/socketpair.sh
index 378fc08..4e56707 100755
--- a/tests/regression/apparmor/socketpair.sh
+++ b/tests/regression/apparmor/socketpair.sh
@@ -34,7 +34,7 @@ af_unix_create=""
 af_unix_create_label=""
 af_unix_inherit=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 # AppArmor requires that the process inheriting the sock file
 # descriptors have send,receive perms in its profile
 af_unix_create="unix:(create,getopt)"
diff --git a/tests/regression/apparmor/unix_fd_server.sh b/tests/regression/apparmor/unix_fd_server.sh
index b38ec68..fc2b947 100755
--- a/tests/regression/apparmor/unix_fd_server.sh
+++ b/tests/regression/apparmor/unix_fd_server.sh
@@ -27,7 +27,7 @@ okperm=rw
 badperm=w
 af_unix=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 af_unix="unix:create"
 fi
@@ -137,7 +137,7 @@ runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd
 sleep 1
 rm -f ${socket}
-if [ "$(have_features policy/versions/v6)" == "true" ] ; then
+if [ "$(have_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
 # FAIL - confined client, no access to the socket file
 genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix
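Review bot: The second unix_fd_server.sh hunk gates its block on `policy/versions/v6` together with `parser_supports 'unix,'`, but the `$af_unix` value the block passes to `genprofile` is set under `network/af_unix` in the first hunk. When the parser lacks `unix,` support, `$af_unix` is already empty and the generated profile contains no unix rule, so the added parser check does not look necessary for the profile to compile; its visible effect is that this "no access to the socket file" case, which previously ran on any v6 kernel, is now skipped. If that loss of coverage is not intended, keep the original v6-only condition here; if it is intended, a short comment above the `if` naming the reason would help the next reader. The body of the block continues past the end of the hunk, so this is inferred from the two lines shown.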
diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh
index 7c14f3e..6a949c1 100644
--- a/tests/regression/apparmor/unix_socket_abstract.sh
+++ b/tests/regression/apparmor/unix_socket_abstract.sh
@@ -30,6 +30,7 @@ bin=$pwd
 . $bin/unix_socket.inc
 requires_features policy/versions/v7
 requires_features network/af_unix
+requires_parser_support "unix,"
 settest unix_socket
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 078e557..be3631d 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -52,7 +52,7 @@ fi
 # af_unix support requires 'unix getattr' to call getsockname()
 af_unix_okserver=
 af_unix_okclient=
-if [ "$(have_features network/af_unix)" == "true" ] ; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
 af_unix_okserver="create,setopt"
 af_unix_okclient="create,getopt,setopt,getattr"
 fi
diff --git a/tests/regression/apparmor/unix_socket_unnamed.sh b/tests/regression/apparmor/unix_socket_unnamed.sh
index 3293fec..b834888 100644
--- a/tests/regression/apparmor/unix_socket_unnamed.sh
+++ b/tests/regression/apparmor/unix_socket_unnamed.sh
@@ -30,6 +30,7 @@ bin=$pwd
 . $bin/unix_socket.inc
 requires_features policy/versions/v7
 requires_features network/af_unix
+requires_parser_support "unix,"
 settest unix_socket
--
2.1.4
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
