On Sat, Mar 19, 2016 at 01:42:45AM -0500, Tyler Hicks wrote:
> On 2016-03-18 23:21:07, Steve Beattie wrote:
> > Should we have similar tests where everything is the same setupwise
> > except that $stackthirdok is alternately not allowed from the toplevel
> > stacking profile?
>
> I'll add this:
>
> @@ -106,6 +106,11 @@ runchecktest "STACKPROFILE (3 stacked - sharedfile)"
> pass -p $othertest -- $test
>
> runchecktest "STACKPROFILE (3 stacked - okcon)" pass -p $othertest -- $test
> -p $thirdtest -l "${thirdtest}//&${test}//&${othertest}" -m enforce
>
> +genprofile $fileok $sharedok $getcon $stackotherok -- \
> + image=$othertest $otherok $sharedok $test:ix $getcon $stackthirdok --
> \
> + image=$thirdtest $thirdok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (3 stacked - sharedfile - no
> change_profile)" fail -p $othertest -- $test -p $thirdtest -f $sharedfile
> +
> ns="ns"
> prof="stackprofile"
> nstest=":${ns}:${prof}"
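Review bot: The name of the added test, "3 stacked - sharedfile - no change_profile", does not say which rule is missing. The top-level profile in the new genprofile still carries $stackotherok, and $stackthirdok appears only in the image=$othertest profile. A one-line comment above the genprofile saying that the top-level profile deliberately omits $stackthirdok, or a test name that reflects this, would make the expected EACCES easier to interpret when the test fails. The new case also covers only -f $sharedfile; consider a matching okcon check that is expected to fail, alongside the passing "3 stacked - okcon" test just above it.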
>
>
> > Some additional tests to consider:
> >
> > - stacking(complain) + &othertest(enforce) both with and without the
> > change_profile rule
> > that allows the stack to happen (I'm assuming the complain mode would
> > grant the stack either way)
> >
> > - stacking(enforce) + &othertest(complain) without the change_profile
> > rule in the former that allows the stack to happen (I'm assuming
> > that the change_profile wouldn't be granted)
> >
> > - three level deep intermix with complain? (Coming up with a sensible
> > matrix makes my head hurt.)
>
> I'll add this:
>
> @@ -139,6 +144,22 @@ runchecktest "STACKPROFILE (mixed mode - sharedfile)"
> pass -p $othertest -f $sha
>
> runchecktest "STACKPROFILE (mixed mode - okcon)" pass -p $othertest -l
> "${othertest}//&${test}" -m mixed
>
> +genprofile $fileok $sharedok $getcon -- \
> + image=$othertest flag:complain $otherok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (mixed mode - okcon - no
> change_profile)" fail -p $othertest -l "${othertest}//&${test}" -m mixed
> +
> +genprofile flag:complain $fileok $sharedok $getcon $stackotherok -- \
> + image=$othertest $otherok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (mixed mode 2 - file)" fail -p
> $othertest -f $file
> +runchecktest "STACKPROFILE (mixed mode 2 - otherfile)" pass -p $othertest -f
> $otherfile
> +runchecktest "STACKPROFILE (mixed mode 2 - sharedfile)" pass -p $othertest
> -f $sharedfile
> +
> +runchecktest "STACKPROFILE (mixed mode 2 - okcon)" pass -p $othertest -l
> "${othertest}//&${test}" -m mixed
> +
> +genprofile flag:complain $fileok $sharedok $getcon -- \
> + image=$othertest $otherok $sharedok $getcon
> +runchecktest "STACKPROFILE (mixed mode 2 - okcon - no change_profile)" pass
> -p $othertest -l "${othertest}//&${test}" -m mixed
> +
> # Verify file access and contexts in complain mode
> genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
> runchecktest "STACKPROFILE (complain mode - file)" pass -p $othertest -f
> $file
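Review bot: The three added genprofile blocks carry no comments, and the "mixed mode 2" label does not tell the reader which profile is in complain mode. In the first block, image=$othertest has flag:complain and the top-level profile is enforcing without $stackotherok. In the second and third blocks, the top-level profile has flag:complain and $othertest is enforcing. A short comment above each block, in the style of the existing "# Verify file access and contexts in complain mode" line, would document why EACCES is expected in one "no change_profile" case and pass in the other. The final block checks only okcon; adding the -f $file and -f $otherfile checks there would confirm that the $othertest profile still restricts file access when the stack is permitted by complain mode alone.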
>
>
> >
> >
> > Anyway, I don't think the additional tests are needed before committing
> > this. With the enforcec typo fixed, Acked-by: Steve Beattie
> > <[email protected]>.
>
> The additional tests all pass. Thanks for the review and suggestions.

All the additional tests look good, thanks! Acked-by: Steve Beattie
<[email protected]>

--
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
