Add optional command-line parameters to the transition test program that can be used to verify that a given label and/or mode is present in /proc/self/attr/exec.
Signed-off-by: Tyler Hicks <[email protected]>
---
 tests/regression/apparmor/transition.c | 68 +++++++++++++++++++++++-----------
 1 file changed, 47 insertions(+), 21 deletions(-)
diff --git a/tests/regression/apparmor/transition.c b/tests/regression/apparmor/transition.c
index 0f88b56..147ed94 100644
--- a/tests/regression/apparmor/transition.c
+++ b/tests/regression/apparmor/transition.c
@@ -144,7 +144,8 @@ static bool compound_labels_equal(struct compound_label *cl1,
  * unconfined process calls aa_getcon(2), then @expected_mode should be equal
  * to NO_MODE.
  */
-static void verify_confinement_context(const char *expected_label,
+static void verify_confinement_context(const char *attr,
+ const char *expected_label,
  const char *expected_mode)
 {
  char *label, *mode;
@@ -152,10 +153,10 @@ static void verify_confinement_context(const char *expected_label,
  bool null_expected_mode = expected_mode ? strcmp(NO_MODE, expected_mode) == 0 : false;
- rc = aa_getcon(&label, &mode);
+ rc = aa_getprocattr(getpid(), attr, &label, &mode);
  if (rc < 0) {
  int err = errno;
- fprintf(stderr, "FAIL - aa_getcon: %m");
+ fprintf(stderr, "FAIL - aa_getprocattr (%s): %m", attr);
  exit(err);
  }
@@ -177,8 +178,8 @@ static void verify_confinement_context(const char *expected_label,
  }
  if (!compound_labels_equal(&cl, &expected_cl)) {
- fprintf(stderr, "FAIL - label \"%s\" != expected_label \"%s\"\n",
- label, expected_label);
+ fprintf(stderr, "FAIL - %s label \"%s\" != expected_label \"%s\"\n",
+ attr, label, expected_label);
  rc = EINVAL;
  goto err;
  }
@@ -187,8 +188,8 @@ static void verify_confinement_context(const char *expected_label,
  if (expected_mode && ((!mode && !null_expected_mode) || (mode && strcmp(mode, expected_mode)))) {
- fprintf(stderr, "FAIL - mode \"%s\" != expected_mode \"%s\"\n",
- mode, expected_mode);
+ fprintf(stderr, "FAIL - %s mode \"%s\" != expected_mode \"%s\"\n",
+ attr, mode, expected_mode);
  rc = EINVAL;
  goto err;
  }
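Review bot: The block comment whose tail is visible at the top of the `@@ -144` hunk still describes the check in terms of `aa_getcon(2)` (`* unconfined process calls aa_getcon(2), then @expected_mode should be equal to NO_MODE`), but the function now reads through `aa_getprocattr()` and gains an `attr` parameter that the comment does not mention. The start of that comment is outside the hunk, so only its last lines are reviewable here. Suggest adding `@attr: name of the /proc/self/attr file to read, i.e. "current" or "exec"` to the parameter list and rewording the aa_getcon(2) sentence so it is not specific to the `current` attribute.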
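Review bot: In the `@@ -152` hunk the rewritten error line `fprintf(stderr, "FAIL - aa_getprocattr (%s): %m", attr);` has no trailing newline, while every other FAIL message in this function (see the `@@ -178` and `@@ -188` hunks) ends with `\n`; the old aa_getcon message had the same gap, but since the line is being rewritten anyway it should become `fprintf(stderr, "FAIL - aa_getprocattr (%s): %m\n", attr);`. It is also worth confirming what `aa_getprocattr()` returns when the `exec` attribute is unset (no onexec transition pending): if that is reported as a failure rather than a NULL/empty label, a `-L`/`-M` check against an unset attribute will take this `exit(err)` path instead of reaching the comparisons below. The rest of verify_confinement_context() lies outside the hunk.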
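Review bot: In the `@@ -188` hunk the condition `(!mode && !null_expected_mode)` enters the failure branch with `mode == NULL`, and the rewritten `fprintf(stderr, "FAIL - %s mode \"%s\" != expected_mode \"%s\"\n", attr, mode, expected_mode);` then passes that NULL to a `%s` conversion, which is undefined behaviour in standard C (glibc happens to print "(null)"). This predates the patch, but the argument list is being changed here, so substituting a placeholder is a one-line fix: `attr, mode ? mode : "(NULL)", expected_mode);`. The `err:` cleanup this branch jumps to is outside the hunk.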
@@ -220,6 +221,18 @@ err:
  exit(EINVAL);
 }
+static void verify_current(const char *expected_label,
+ const char *expected_mode)
+{
+ verify_confinement_context("current", expected_label, expected_mode);
+}
+
+static void verify_exec(const char *expected_label,
+ const char *expected_mode)
+{
+ verify_confinement_context("exec", expected_label, expected_mode);
+}
+
 static void handle_transition(int transition, const char *target)
 {
  const char *msg;
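Review bot: `verify_current()` and `verify_exec()` are added without any comment, and the `"current"` / `"exec"` literals they pass are the only place in the code where the attribute names appear, so a reader has to know the /proc/<pid>/attr layout to see what each wrapper checks. A one-line comment above each would tie them to the command-line flags that drive them, e.g. `/* -l/-m: verify /proc/self/attr/current against the expected label and mode */` and `/* -L/-M: verify /proc/self/attr/exec against the expected label and mode */`. Both wrappers are complete within the hunk.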
@@ -278,24 +291,28 @@ static void exec(const char *prog, char **argv)
 static void usage(const char *prog)
 {
  fprintf(stderr,
- "%s: [-O <LABEL> | -P <LABEL> | -o <LABEL> | -p <LABEL>] [-l <LABEL>] [-m <MODE>] [-f <FILE>] [-- ... [-- ...]]\n"
+ "%s: [-O <LABEL> | -P <LABEL> | -o <LABEL> | -p <LABEL>] [-L <LABEL>] [-M <MODE>] [-l <LABEL>] [-m <MODE>] [-f <FILE>] [-- ... [-- ...]]\n"
  " -O <LABEL>\tCall aa_change_onexec(LABEL)\n"
  " -P <LABEL>\tCall aa_change_profile(LABEL)\n"
  " -o <LABEL>\tCall aa_stack_onexec(LABEL)\n"
  " -p <LABEL>\tCall aa_stack_profile(LABEL)\n"
- " -l <LABEL>\tVerify that aa_getcon() returns LABEL\n"
- " -m <MODE>\tVerify that aa_getcon() returns MODE. Set to \"%s\" if a NULL mode is expected.\n"
+ " -L <LABEL>\tVerify that /proc/self/attr/exec contains LABEL\n"
+ " -M <MODE>\tVerify that /proc/self/attr/exec contains MODE. Set to \"%s\" if a NULL mode is expected.\n"
+ " -l <LABEL>\tVerify that /proc/self/attr/current contains LABEL\n"
+ " -m <MODE>\tVerify that /proc/self/attr/current contains MODE. Set to \"%s\" if a NULL mode is expected.\n"
  " -f <FILE>\tOpen FILE and attempt to write to and read from it\n\n"
  "If \"--\" is encountered, execv() will be called using the following argument\n"
  "as the program to execute and passing it all of the arguments following the\n"
- "program name.\n", prog, NO_MODE);
+ "program name.\n", prog, NO_MODE, NO_MODE);
  exit(EINVAL);
 }
 struct options {
  const char *file;
- const char *expected_label;
- const char *expected_mode;
+ const char *expected_current_label;
+ const char *expected_current_mode;
+ const char *expected_exec_label;
+ const char *expected_exec_mode;
  int transition; /* CHANGE_PROFILE, STACK_ONEXEC, etc. */
  const char *target; /* The target label of the transition */
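Review bot: The four new `struct options` fields at the end of the `@@ -278` hunk carry no trailing comment, whereas the neighbouring `transition` and `target` fields document themselves inline; because `-l/-L` and `-m/-M` differ only in which attribute they inspect, the field names alone do not say which flag fills them. A comment per field, e.g. `const char *expected_exec_label; /* -L: label expected in /proc/self/attr/exec */` and `const char *expected_current_label; /* -l: label expected in /proc/self/attr/current */` (and likewise for the two mode fields), would make that mapping explicit. The struct definition continues past the end of the hunk.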
@@ -321,16 +338,22 @@ static void parse_opts(int argc, char **argv, struct options *opts)
  int o;
  memset(opts, 0, sizeof(*opts));
- while ((o = getopt(argc, argv, "f:l:m:O:P:o:p:")) != -1) {
+ while ((o = getopt(argc, argv, "f:L:M:l:m:O:P:o:p:")) != -1) {
  switch (o) {
  case 'f': /* file */
  opts->file = optarg;
  break;
- case 'l': /* expected label */
- opts->expected_label = optarg;
+ case 'L': /* expected exec label */
+ opts->expected_exec_label = optarg;
+ break;
+ case 'M': /* expected exec mode */
+ opts->expected_exec_mode = optarg;
  break;
- case 'm': /* expected mode */
- opts->expected_mode = optarg;
+ case 'l': /* expected current label */
+ opts->expected_current_label = optarg;
+ break;
+ case 'm': /* expected current mode */
+ opts->expected_current_mode = optarg;
  break;
  case 'O': /* aa_change_profile */
  set_transition(prog, opts, CHANGE_ONEXEC, optarg);
@@ -371,9 +394,12 @@ int main(int argc, char **argv)
  if (opts.file)
  file_io(opts.file);
- if (opts.expected_label || opts.expected_mode)
- verify_confinement_context(opts.expected_label,
- opts.expected_mode);
+ if (opts.expected_current_label || opts.expected_current_mode)
+ verify_current(opts.expected_current_label,
+ opts.expected_current_mode);
+
+ if (opts.expected_exec_label || opts.expected_exec_mode)
+ verify_exec(opts.expected_exec_label, opts.expected_exec_mode);
  if (opts.exec)
  exec(opts.exec, opts.exec_argv);
-- 
2.7.4
-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
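Review bot: The new `case 'L'` / `case 'M'` / `case 'l'` / `case 'm'` arms in the `@@ -321` hunk copy the inline-comment style of their neighbours, which makes the adjacent context line `case 'O': /* aa_change_profile */` stand out: the arm calls `set_transition(prog, opts, CHANGE_ONEXEC, optarg)`, so the comment names the wrong API. That mismatch predates this patch, but since the switch is being reworked here it is a one-line fix: `case 'O': /* aa_change_onexec */`. In the `@@ -371` hunk, `verify_exec(opts.expected_exec_label, opts.expected_exec_mode);` is written on one line while the parallel `verify_current(...)` call is wrapped across two; formatting the two calls the same way would make the pairing easier to scan. Both parse_opts() and main() extend beyond their hunks.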
