Re: [apparmor] [PATCH v2 5/7] tests: Add stackonexec regression tests

Tyler Hicks Sat, 19 Mar 2016 00:30:06 -0700

On 2016-03-19 00:01:29, Steve Beattie wrote:
> On Fri, Mar 18, 2016 at 04:17:14PM -0500, Tyler Hicks wrote:
> > Add tests for the aa_stack_onexec() libapparmor function.
> > 
> > Signed-off-by: Tyler Hicks <[email protected]>
> > ---
> >  tests/regression/apparmor/Makefile       |   1 +
> >  tests/regression/apparmor/stackonexec.sh | 158 
> > +++++++++++++++++++++++++++++++
> >  2 files changed, 159 insertions(+)
> >  create mode 100755 tests/regression/apparmor/stackonexec.sh
> > 
> > diff --git a/tests/regression/apparmor/Makefile 
> > b/tests/regression/apparmor/Makefile
> > index 46940c7..fd80611 100644
> > --- a/tests/regression/apparmor/Makefile
> > +++ b/tests/regression/apparmor/Makefile
> > @@ -218,6 +218,7 @@ TESTS=aa_exec \
> >        swap \
> >        sd_flags \
> >        setattr \
> > +      stackonexec \
> >        stackprofile \
> >        symlink \
> >        syscall \
> > diff --git a/tests/regression/apparmor/stackonexec.sh 
> > b/tests/regression/apparmor/stackonexec.sh
> > new file mode 100755
> > index 0000000..84295cb
> > --- /dev/null
> > +++ b/tests/regression/apparmor/stackonexec.sh
> > @@ -0,0 +1,158 @@
> > +#! /bin/bash
> > +#  Copyright (C) 2016 Canonical, Ltd.
> > +#
> > +#  This program is free software; you can redistribute it and/or
> > +#  modify it under the terms of the GNU General Public License as
> > +#  published by the Free Software Foundation, version 2 of the
> > +#  License.
> > +
> > +#=NAME stackonexec
> > +#=DESCRIPTION
> > +# Verifies basic file access permission checks for a parent profile and a
> > +# stacked subprofile
> > +#=END
> > +
> > +pwd=`dirname $0`
> > +pwd=`cd $pwd ; /bin/pwd`
> > +
> > +bin=$pwd
> > +
> > +. $bin/prologue.inc
> > +
> > +requires_kernel_features domain/stack
> > +settest stacking
> > +
> > +file=$tmpdir/file
> > +otherfile=$tmpdir/file2
> > +thirdfile=$tmpdir/file3
> > +sharedfile=$tmpdir/file.shared
> > +okperm=rw
> > +
> > +fileok="${file}:${okperm}"
> > +otherok="${otherfile}:${okperm}"
> > +thirdok="${thirdfile}:${okperm}"
> > +sharedok="${sharedfile}:${okperm}"
> > +testok="${test}:mrix"
> > +
> > +getcon="/proc/*/attr/current:r"
> > +onexec="/proc/*/attr/exec:w"
> > +
> > +othertest="$pwd/rename"
> > +thirdtest="$pwd/exec"
> > +
> > +stackotherok="change_profile->:&$othertest"
> > +stackthirdok="change_profile->:&$thirdtest"
> > +
> > +touch $file $otherfile $sharedfile $thirdfile
> > +
> > +# Verify file access and contexts by an unconfined process
> > +runchecktest "STACKONEXEC (unconfined - file)" pass -f $file
> > +runchecktest "STACKONEXEC (unconfined - otherfile)" pass -f $otherfile
> > +runchecktest "STACKONEXEC (unconfined - thirdfile)" pass -f $thirdfile
> > +runchecktest "STACKONEXEC (unconfined - sharedfile)" pass -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (unconfined - okcon)" pass -l unconfined -m 
> > '(null)'
> > +runchecktest "STACKONEXEC (unconfined - bad label)" fail -l "$test" -m 
> > '(null)'
> > +runchecktest "STACKONEXEC (unconfined - bad mode)" fail -l unconfined -m 
> > enforce
> > +
> > +# Verify file access and contexts by a non-stacked profile
> > +genprofile $fileok $sharedok $getcon
> > +runchecktest "STACKONEXEC (not stacked - file)" pass -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (not stacked - otherfile)" fail -f 
> > $otherfile
> > +runchecktest_errno EACCES "STACKONEXEC (not stacked - thirdfile)" fail -f 
> > $thirdfile
> > +runchecktest "STACKONEXEC (not stacked - sharedfile)" pass -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (not stacked - okcon)" pass -l "$test" -m enforce
> > +runchecktest "STACKONEXEC (not stacked - bad label)" fail -l "${test}XXX" 
> > -m enforce
> > +runchecktest "STACKONEXEC (not stacked - bad mode)" fail -l "$test" -m 
> > complain
> > +
> > +# Verify file access and contexts by a profile stacked with unconfined
> > +genprofile image=$othertest $otherok $sharedok $getcon
> > +runchecktest_errno EACCES "STACKONEXEC (stacked with unconfined - file)" 
> > fail -o $othertest -- $test -f $file
> > +runchecktest "STACKONEXEC (stacked with unconfined - otherfile)" pass -o 
> > $othertest -- $test -f $otherfile
> > +runchecktest "STACKONEXEC (stacked with unconfined - sharedfile)" pass -o 
> > $othertest -- $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (stacked with unconfined - okcon)" pass -o 
> > $othertest -- $test -l "unconfined//&${othertest}" -m mixed
> > +runchecktest "STACKONEXEC (stacked with unconfined - bad label)" fail -o 
> > $othertest -- $test -l "${test}//&${othertest}" -m mixed
> > +runchecktest "STACKONEXEC (stacked with unconfined - bad mode)" fail -o 
> > $othertest -- $test -l "unconfined//&${othertest}" -m enforce
> > +
> > +removeprofile
> > +# Verify that stacking a nonexistent file is properly handled
> > +runchecktest_errno ENOENT "STACKONEXEC (unconfined - stack nonexistent 
> > profile)" fail -o $othertest -- $test -f $file
> > +
> > +# Verify file access and contexts by 2 stacked profiles
> > +genprofile $fileok $sharedok $getcon $onexec $stackotherok -- \
> > +   image=$othertest $otherok $sharedok $getcon $testok
> > +runchecktest_errno EACCES "STACKONEXEC (2 stacked - file)" fail -o 
> > $othertest -- $test -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (2 stacked - otherfile)" fail -o 
> > $othertest -- $test -f $otherfile
> > +runchecktest_errno EACCES "STACKONEXEC (2 stacked - thirdfile)" fail -o 
> > $othertest -- $test -f $thirdfile
> > +runchecktest "STACKONEXEC (2 stacked - sharedfile)" pass -o $othertest -- 
> > $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (2 stacked - okcon)" pass -o $othertest -- $test 
> > -l "${test}//&${othertest}" -m enforce
> > +runchecktest "STACKONEXEC (2 stacked - bad label)" fail -o $othertest -- 
> > $test -l "${test}//&${test}" -m enforce
> > +runchecktest "STACKONEXEC (2 stacked - bad mode)" fail -o $othertest -- 
> > $test -l "${test}//&${test}" -m '(null)'
> > +
> > +# Verify that a change_profile rule is required to aa_stack_onexec()
> > +genprofile $fileok $sharedok $getcon $onexec -- \
> > +   image=$othertest $otherok $sharedok $getcon $testok
> > +runchecktest_errno EACCES "STACKONEXEC (2 stacked - no change_profile)" 
> > fail -o $othertest -- $test -l "${test}//&${othertest}" -m enforce
> > +
> > +# Verify file access and contexts by 3 stacked profiles
> > +genprofile $fileok $sharedok $getcon $onexec $stackotherok $stackthirdok 
> > -- \
> > +   image=$othertest $otherok $sharedok $getcon $onexec $testok 
> > $stackthirdok -- \
> > +   image=$thirdtest $thirdok $sharedok $getcon $testok
> > +runchecktest_errno EACCES "STACKONEXEC (3 stacked - file)" fail -o 
> > $othertest -- $test -o $thirdtest -- $test -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (3 stacked - otherfile)" fail -o 
> > $othertest -- $test -o $thirdtest -- $test -f $otherfile
> > +runchecktest_errno EACCES "STACKONEXEC (3 stacked - thirdfile)" fail -o 
> > $othertest -- $test -o $thirdtest -- $test -f $thirdfile
> > +runchecktest "STACKONEXEC (3 stacked - sharedfile)" pass -o $othertest -- 
> > $test -o $thirdtest -- $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (3 stacked - okcon)" pass -o $othertest -- $test 
> > -o $thirdtest -- $test -l "${thirdtest}//&${test}//&${othertest}" -m enforce
> > +
> > +ns="ns"
> > +prof="stackonexec"
> > +nstest=":${ns}:${prof}"
> > +# Verify file access and contexts by stacking a profile with a namespaced 
> > profile
> > +genprofile --stdin <<EOF
> > +$test {
> > +  file,
> > +  audit deny $otherfile $okperm,
> > +  audit deny $thirdfile $okperm,
> > +  change_profile -> &$nstest,
> > +}
> > +
> > +$nstest {
> > +  file,
> > +  audit deny $file $okperm,
> > +  audit deny $thirdfile $okperm,
> > +}
> > +EOF
> > +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - 
> > file)" fail -o $nstest -- $test -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - 
> > otherfile)" fail -o $nstest -- $test -f $otherfile
> > +runchecktest_errno EACCES "STACKONEXEC (stacked with namespaced profile - 
> > thirdfile)" fail -o $nstest -- $test -f $thirdfile
> > +runchecktest "STACKONEXEC (stacked with namespaced profile - sharedfile)" 
> > pass -o $nstest -- $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (stacked with namespaced profile - okcon)" pass 
> > -o $nstest -- $test -l $prof -m enforce
> > +
> > +# Verify file access and contexts in mixed mode
> > +genprofile $fileok $sharedok $getcon $onexec $stackotherok -- \
> > +   image=$othertest flag:complain $otherok $sharedok $getcon
> > +runchecktest "STACKONEXEC (mixed mode - file)" pass -o $othertest -- $test 
> > -f $file
> > +runchecktest_errno EACCES "STACKONEXEC (mixed mode - otherfile)" fail -o 
> > $othertest -- $test -f $otherfile
> > +runchecktest "STACKONEXEC (mixed mode - sharedfile)" pass -o $othertest -- 
> > $test -f $sharedfile
> > +
> > +runchecktest "STACKONEXEC (mixed mode - okcon)" pass -o $othertest -- 
> > $test -l "${othertest}//&${test}" -m mixed
> > +
> > +# Verify file access and contexts in complain mode
> > +genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
> > +runchecktest "STACKONEXEC (complain mode - file)" pass -o $othertest -- 
> > $test -f $file
> > +
> > +runchecktest "STACKONEXEC (complain mode - okcon)" pass -o $othertest -- 
> > $test -l "${test}//&${othertest}" -m complain
> > +
> > +# Verify that stacking with a bare namespace is handled
> > +genprofile --stdin <<EOF
> > +$test { file, change_profile, }
> > +$nstest { }
> > +EOF
> > +runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:"
> > +runchecktest "STACKONEXEC (bare :ns://)" pass -o ":${ns}://"
> > +runchecktest "STACKONEXEC (bare :ns)" pass -o ":${ns}"
> 
> Do you want to actually perform an exec() here to verify that things are
> in the state you think they are?


Yes, I'll make this change:

 runchecktest "STACKONEXEC (complain mode - okcon)" pass -o $othertest -- $test 
-l "${test}//&${othertest}" -m complain
 
-# Verify that stacking with a bare namespace is handled
+# Verify that stacking with a bare namespace is handled. The process is placed
+# into the default profile of the namespace, which is unconfined.
 genprofile --stdin <<EOF
 $test { file, change_profile, }
 $nstest { }
 EOF
-runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:"
-runchecktest "STACKONEXEC (bare :ns://)" pass -o ":${ns}://"
-runchecktest "STACKONEXEC (bare :ns)" pass -o ":${ns}"
+runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:" -- $test -l 
unconfined -m "(null)"
+runchecktest "STACKONEXEC (bare :ns://)" pass -o ":${ns}://" -- $test -l 
unconfined -m "(null)"
+runchecktest "STACKONEXEC (bare :ns)" pass -o ":${ns}" -- $test -l unconfined 
-m "(null)"


> 
> Similar test suggestions as the stackprofile.sh tests, perhaps
> along with three deep stacks where one transition occurs via
> aa_change_onexec() and the other via aa_change_profile().

@@ -108,6 +108,11 @@ runchecktest "STACKONEXEC (3 stacked - sharedfile)" pass 
-o $othertest -- $test
 
 runchecktest "STACKONEXEC (3 stacked - okcon)" pass -o $othertest -- $test -o 
$thirdtest -- $test -l "${t
hirdtest}//&${test}//&${othertest}" -m enforce
 
+genprofile $fileok $sharedok $getcon $onexec $stackotherok -- \
+       image=$othertest $otherok $sharedok $getcon $onexec $testok 
$stackthirdok -- \
+       image=$thirdtest $thirdok $sharedok $getcon $testok
+runchecktest_errno EACCES "STACKONEXEC (3 stacked - sharedfile - no 
change_profile)" fail -o $othertest -- $test -o $thirdtest -- $test -f 
$sharedfile
+
 ns="ns"
 prof="stackonexec"
 nstest=":${ns}:${prof}"

...

 runchecktest "STACKONEXEC (mixed mode - sharedfile)" pass -o $othertest -- 
$test -f $sharedfile
 
 runchecktest "STACKONEXEC (mixed mode - okcon)" pass -o $othertest -- $test -l 
"${othertest}//&${test}" -m mixed
 
+genprofile $fileok $sharedok $getcon $onexec -- \
+       image=$othertest flag:complain $otherok $sharedok $getcon
+runchecktest_errno EACCES "STACKONEXEC (mixed mode - okcon - no 
change_profile)" fail -o $othertest -- $test -l "${othertest}//&${test}" -m 
mixed
+
+genprofile flag:complain $fileok $sharedok $getcon $onexec -- \
+       image=$othertest $testok $otherok $sharedok $getcon
+runchecktest_errno EACCES "STACKONEXEC (mixed mode 2 - file)" fail -o 
$othertest -- $test -f $file
+runchecktest "STACKONEXEC (mixed mode 2 - otherfile)" pass -o $othertest -- 
$test -f $otherfile
+runchecktest "STACKONEXEC (mixed mode 2 - sharedfile)" pass -o $othertest -- 
$test -f $sharedfile
+
+runchecktest "STACKONEXEC (mixed mode 2 - okcon)" pass -o $othertest -- $test 
-l "${othertest}//&${test}" -m mixed
+
 # Verify file access and contexts in complain mode
 genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
 runchecktest "STACKONEXEC (complain mode - file)" pass -o $othertest -- $test 
-f $file


> 
> But again, doesn't block committing this as-is.
> Acked-by: Steve Beattie <[email protected]>

Thanks!

Tyler

signature.asc
Description: PGP signature

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [PATCH v2 5/7] tests: Add stackonexec regression tests

Reply via email to