On 09/07/2017 01:27 PM, Tyler Hicks wrote:
> On 09/06/2017 03:09 PM, John Johansen wrote:
>> Update the tests to test whether the kernel and parser support domain
>> transitions on pivot_root.
>>
>> Signed-off-by: John Johansen <[email protected]>
>> ---
>>  tests/regression/apparmor/pivot_root.sh | 68 
>> ++++++++++++++++++---------------
>>  tests/regression/apparmor/prologue.inc  | 24 ++++++++++++
>>  2 files changed, 62 insertions(+), 30 deletions(-)
>>
>> diff --git a/tests/regression/apparmor/pivot_root.sh 
>> b/tests/regression/apparmor/pivot_root.sh
>> index b68f6cf..0e13a0a 100755
>> --- a/tests/regression/apparmor/pivot_root.sh
>> +++ b/tests/regression/apparmor/pivot_root.sh
>> @@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" 
>> "$new_root" "$test"
>>  genprofile $cur $cap "pivot_root:oldroot=$put_old $bad"
>>  do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"
>>  
>> -# Give sufficient perms and perform a profile transition
>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>> -do_test "transition" pass "$put_old" "$new_root" "$new_prof"
>> +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then
>> +    echo "  kernel does not support pivot_root domain transitions skipping 
>> tests ..."
>> +elif [ "$(parser_supports 'pivot_root -> foo,')"  != "true" ] ; then
>> +    #pivot_root domain transitions not supported
>> +    echo "  parser does not support pivot root domain transitions skipping 
>> tests ..."
>> +else
>> +    # Give sufficient perms and perform a profile transition
>> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>> +    do_test "transition" pass "$put_old" "$new_root" "$new_prof"
>> +
>> +    # Ensure failure when the the new profile can't read 
>> /proc/<PID>/attr/current
>> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
>> +    do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
>> +
>> +    # Ensure failure when the new profile doesn't exist
>> +    genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
>> +    do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
>> +
>> +    # Ensure the test binary is accurately doing post pivot_root profile 
>> verification
>> +    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>> +    do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
>> +
>> +    # Give sufficient perms with new_root and a transition
>> +    genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof 
>> $cur
>> +    do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
>> +
>> +    # Ensure failure when the new profile doesn't exist and new_root is 
>> specified
>> +    genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
>> +    do_test "new_root, bad transition" fail "$put_old" "$new_root" 
>> "$new_prof"
>> +
>> +    # Give sufficient perms with new_root, put_old, and a transition
>> +    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- 
>> image=$new_prof $cur
>> +    do_test "put_old, new_root, transition" pass "$put_old" "$new_root" 
>> "$new_prof"
>> +
>> +    # Ensure failure when the new profile doesn't exist and new_root and 
>> put_old are specified
>> +    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- 
>> image=$new_prof $cur
>> +    do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" 
>> "$new_prof"
>>  
>> -# Ensure failure when the the new profile can't read 
>> /proc/<PID>/attr/current
>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
>> -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
>> -
>> -# Ensure failure when the new profile doesn't exist
>> -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
>> -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
>> -
>> -# Ensure the test binary is accurately doing post pivot_root profile 
>> verification
>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>> -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
>> -
>> -# Give sufficient perms with new_root and a transition
>> -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
>> -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
>> -
>> -# Ensure failure when the new profile doesn't exist and new_root is 
>> specified
>> -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
>> -do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
>> -
>> -# Give sufficient perms with new_root, put_old, and a transition
>> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- 
>> image=$new_prof $cur
>> -do_test "put_old, new_root, transition" pass "$put_old" "$new_root" 
>> "$new_prof"
>> -
>> -# Ensure failure when the new profile doesn't exist and new_root and 
>> put_old are specified
>> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- 
>> image=$new_prof $cur
>> -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" 
>> "$new_prof"
>> +fi
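Review bot: The diagnostic text that kernel_features_istrue prints on its failure paths ("Kernel feature masks not supported.", "Required feature ... not available.") is swallowed here, because the `if` on the first added line captures it with `$(...)` and only compares it against "true"; the generic echo that follows cannot tell the reader whether the features directory is missing, the pivot_root file is missing, or it reads "no". Capturing the result once keeps the reason in the log: `feat=$(kernel_features_istrue namespaces/pivot_root)` then `if [ "$feat" != "true" ] ; then` and `echo "  $feat skipping pivot_root domain transition tests ..."`. The same applies to the parser_supports branch, assuming that helper reports a reason the same way (it is not visible in this patch). The enclosing test script starts before and continues after this hunk.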
>> diff --git a/tests/regression/apparmor/prologue.inc 
>> b/tests/regression/apparmor/prologue.inc
>> index a77fda5..66a0edc 100755
>> --- a/tests/regression/apparmor/prologue.inc
>> +++ b/tests/regression/apparmor/prologue.inc
>> @@ -22,6 +22,30 @@
>>  # For this file, functions are first, entry point code is at end, see "MAIN"
>>  
>>  #use $() to retreive the failure message or "true" if success
>> +
>> +kernel_features_istrue()
>> +{
>> +    if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
>> +            echo "Kernel feature masks not supported."
>> +            return 1;
>> +    fi
>> +
>> +    for f in $@ ; do
>> +            if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
>> +                    echo "Required feature '$f' not available."
>> +                    return 2;
>> +            fi
>> +            if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \
>> +                 `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' 
>> ] ; then
>> +                    echo "Required feature '$f' not available."
>> +                    return 3;
>> +            fi
>> +        done
>> +
>> +    echo "true"
>> +    return 0;
>> +}
> 
> I don't think I'd know when to call kernel_features_istrue() and when to
> call kernel_features(). Is there really a need for both of them or can
> you just add the additional check for "no" to the existing
> kernel_features()?
> 
Yes, but we would also need to patch the tests that currently only check that a feature directory path exists, rather than reading a feature file's value.

I can work on a more comprehensive patch


> Tyler
> 
>> +
>>  kernel_features()
>>  {
>>      if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
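Review bot: The value check in kernel_features_istrue is fragile on the `-o` line: the backtick `cat` result is unquoted, so an empty feature file leaves `[` looking at `-o == 'no'` and it exits with a syntax error, and `for f in $@` word-splits the arguments instead of iterating them. Quoting both fixes it without changing the intent: `for f in "$@" ; do` and `if [ ! -f "/sys/kernel/security/apparmor/features/$f" ] || [ "$(cat "/sys/kernel/security/apparmor/features/$f")" = 'no' ] ; then`, which also drops the deprecated `-o` and the `==` that is a bash extension inside single-bracket `[` (prologue.inc's shebang is not in the hunk, so whether it always runs under bash cannot be confirmed here). Since the caller decides by comparing stdout with "true", a helper that dies on a syntax error is indistinguishable from "feature not supported", so the test quietly skips rather than reporting a broken helper; a header comment stating the contract — prints "true" on stdout and returns 0 when every named feature file exists and does not contain "no", otherwise prints the reason and returns 1-3 — would make that dependence explicit for the existing kernel_features() callers Tyler mentions.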
>>
> 
> 

