On 2016-03-18 22:20:01, Steve Beattie wrote: > On Fri, Mar 18, 2016 at 04:17:10PM -0500, Tyler Hicks wrote: > > The idea is that the $test profile grants $file access and the > > $othertest profile grants $subfile access. Both profiles grant > > $stacktest access. The tests verify that after changing to the stacked > > $othertest//&$test profile, only $stacktest can be accessed. > > > > Similar tests are also added for stacking with a namespaced profile. > > > > Signed-off-by: Tyler Hicks <[email protected]> > > --- > > tests/regression/apparmor/changeprofile.sh | 26 +++++++++++++++++++++++++- > > 1 file changed, 25 insertions(+), 1 deletion(-) > > > > diff --git a/tests/regression/apparmor/changeprofile.sh > > b/tests/regression/apparmor/changeprofile.sh > > index 1105730..66b078d 100755 > > --- a/tests/regression/apparmor/changeprofile.sh > > +++ b/tests/regression/apparmor/changeprofile.sh > > @@ -21,6 +21,7 @@ bin=$pwd > > > > file=$tmpdir/file > > subfile=$tmpdir/file2 > > +stackfile=$tmpdir/file3 > > okperm=rw > > > > othertest="$pwd/rename" > > @@ -32,7 +33,7 @@ subtest3="$pwd//sub3" > > nstest=":ns:changeprofile" > > > > > > -touch $file $subfile > > +touch $file $subfile $stackfile > > > > # CHANGEPROFILE UNCONFINED > > runchecktest "CHANGEPROFILE (unconfined - nochange)" pass nochange $file 
> > @@ -85,3 +86,26 @@ $nstest { $subfile ${okperm}, } > > EOF > > runchecktest "CHANGEPROFILE_NS (access sub file)" pass $nstest $subfile > > runchecktest "CHANGEPROFILE_NS (access file)" fail $nstest $file > > + > > +if [ "$(kernel_features domain/stack)" != "true" ]; then > > + echo " WARNING: kernel does not support stacking, skipping tests > > ..." > > +else > > + genprofile $file:$okperm $stackfile:$okperm > > 'change_profile->':"&$othertest" -- image=$othertest $subfile:$okperm > > $stackfile:$okperm > > + runchecktest "CHANGEPROFILE_STACK (nochange access file)" pass nochange > > $file > > + runchecktest "CHANGEPROFILE_STACK (nochange access sub file)" fail > > nochange $subfile > > + runchecktest "CHANGEPROFILE_STACK (nochange access stack file)" pass > > nochange $stackfile > > + runchecktest "CHANGEPROFILE_STACK (access sub file)" fail "&$othertest" > > $subfile > > + runchecktest "CHANGEPROFILE_STACK (access file)" fail "&$othertest" > > $file > > + runchecktest "CHANGEPROFILE_STACK (access stack file)" pass > > "&$othertest" $stackfile > > + > > + genprofile --stdin <<EOF > > +$test { file, audit deny $subfile $okperm, $stackfile $okperm, > > change_profile -> &${nstest}, } > > +$nstest { $subfile $okperm, $stackfile $okperm, } > > +EOF > > + runchecktest "CHANGEPROFILE_NS_STACK (nochange access file)" pass > > nochange $file > > + runchecktest "CHANGEPROFILE_NS_STACK (nochange access sub file)" fail > > "&$nstest" $subfile > > + runchecktest "CHANGEPROFILE_NS_STACK (nochange access stack file)" pass > > "&$nstest" $stackfile > > Shouldn't the two above have "nochange" instead of "&$nstest"?
Yes, nice catch. > > With that change, Acked-by: Steve Beattie <[email protected]>. Thanks. Thank you! Tyler > > > + runchecktest "CHANGEPROFILE_NS_STACK (access sub file)" fail "&$nstest" > > $subfile > > + runchecktest "CHANGEPROFILE_NS_STACK (access file)" fail "&$nstest" > > $file > > + runchecktest "CHANGEPROFILE_NS_STACK (access stack file)" pass > > "&$nstest" $stackfile > > +fi > > -- > Steve Beattie > <[email protected]> > http://NxNW.org/~steve/
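Review bot: The variable added in the first hunk is named stackfile (`stackfile=$tmpdir/file3`), but the commit message calls it $stacktest ("Both profiles grant $stacktest access", "only $stacktest can be accessed"). Suggest using $stackfile in the commit message so the description matches the names the script actually uses.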
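Review bot: In the CHANGEPROFILE_NS_STACK block of the last hunk, the tests labelled "nochange access sub file" and "nochange access stack file" are run with "&$nstest", the same argument as the later "access sub file" and "access stack file" tests. As written they duplicate those two checks, and the $test profile's own `audit deny $subfile $okperm` rule is never exercised before the stack is entered. Pass nochange for both, as the CHANGEPROFILE_STACK block above does, so the pre-stack and post-stack results are checked separately.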
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
