Update the tests to test whether the kernel and parser support domain transitions on pivot_root.
Signed-off-by: John Johansen <[email protected]>
---
 tests/regression/apparmor/pivot_root.sh | 68 ++++++++++++++++++---------------
 tests/regression/apparmor/prologue.inc | 24 ++++++++++++
 2 files changed, 62 insertions(+), 30 deletions(-)
diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
index b68f6cf..0e13a0a 100755
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" "$new_root" "$test" genprofile $cur $cap "pivot_root:oldroot=$put_old $bad" do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test" -# Give sufficient perms and perform a profile transition -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur -do_test "transition" pass "$put_old" "$new_root" "$new_prof" +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then + echo " kernel does not support pivot_root domain transitions skipping tests ..." +elif [ "$(parser_supports 'pivot_root -> foo,')" != "true" ] ; then + #pivot_root domain transitions not supported + echo " parser does not support pivot root domain transitions skipping tests ..." +else + # Give sufficient perms and perform a profile transition + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur + do_test "transition" pass "$put_old" "$new_root" "$new_prof" + + # Ensure failure when the the new profile can't read /proc/<PID>/attr/current + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof + do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof" + + # Ensure failure when the new profile doesn't exist + genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur + do_test "bad transition" fail "$put_old" "$new_root" "$new_prof" + + # Ensure the test binary is accurately doing post pivot_root profile verification + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur + do_test "bad transition comparison" fail "$put_old" "$new_root" "$test" + + # Give sufficient perms with new_root and a transition + genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur + do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof" + + # Ensure failure when the new profile doesn't exist and new_root is specified + genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur + do_test "new_root, bad transition" fail 
"$put_old" "$new_root" "$new_prof" + + # Give sufficient perms with new_root, put_old, and a transition + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur + do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof" + + # Ensure failure when the new profile doesn't exist and new_root and put_old are specified + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur + do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof" -# Ensure failure when the the new profile can't read /proc/<PID>/attr/current -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof" - -# Ensure failure when the new profile doesn't exist -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof" - -# Ensure the test binary is accurately doing post pivot_root profile verification -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test" - -# Give sufficient perms with new_root and a transition -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof" - -# Ensure failure when the new profile doesn't exist and new_root is specified -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur -do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof" - -# Give sufficient perms with new_root, put_old, and a transition -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur -do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof" - -# Ensure failure when the new profile doesn't exist and new_root and put_old are specified -genprofile $cap "pivot_root:oldroot=$put_old 
$new_root -> $bad" -- image=$new_prof $cur -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof" +fi diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc index a77fda5..66a0edc 100755 --- a/tests/regression/apparmor/prologue.inc +++ b/tests/regression/apparmor/prologue.inc @@ -22,6 +22,30 @@ # For this file, functions are first, entry point code is at end, see "MAIN" #use $() to retreive the failure message or "true" if success + +kernel_features_istrue() +{ + if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then + echo "Kernel feature masks not supported." + return 1; + fi + + for f in $@ ; do + if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then + echo "Required feature '$f' not available." + return 2; + fi + if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \ + `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' ] ; then + echo "Required feature '$f' not available." + return 3; + fi + done + + echo "true" + return 0; +} + kernel_features() { if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then -- 2.11.0 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
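Review bot: The reason string that `kernel_features_istrue` prints on failure is thrown away by the new `if`, which only compares the output with `"true"`. The skip message therefore always says the kernel lacks pivot_root domain transitions, even when the helper reported that the features directory itself is absent. Capturing the output once, `kfeat="$(kernel_features_istrue namespaces/pivot_root)"`, and printing it in the skip line, `echo "    $kfeat - skipping pivot_root transition tests ..."`, would let a log reader tell the two cases apart. The whole transition block, including the negative cases that expect `fail`, is now skipped with a plain `echo`, so it is worth confirming that the harness reports this as a skip and not as a pass. The hunk begins inside the script body; earlier setup is not visible here.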
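Review bot: The value test in `kernel_features_istrue` fails open, because the backtick `cat` is unquoted inside `[ ... -o ... == 'no' ]`. An empty, unreadable or multi-word feature file makes `[` exit with a usage error, the `if` treats that as false, and the function goes on to `echo "true"`. The substitution is also expanded even when `! -f` already holds, since `-o` cannot short-circuit it, and `==` is not portable to a POSIX `[`. I would set `path="/sys/kernel/security/apparmor/features/$f"`, split the test as `if [ ! -f "$path" ] || [ "$(cat "$path")" = 'no' ] ; then`, and iterate with `for f in "$@"`. Only the literal `no` counts as unsupported, so any other content is treated as supported; a short comment stating that this is intended would help the next reader.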
