On 09/07/2017 04:21 PM, Tyler Hicks wrote: > On 09/07/2017 05:50 PM, John Johansen wrote: >> On 09/07/2017 01:27 PM, Tyler Hicks wrote: >>> On 09/06/2017 03:09 PM, John Johansen wrote: >>>> Update the tests to test whether the kernel and parser support domain >>>> transitions on pivot_root. >>>> >>>> Signed-off-by: John Johansen <[email protected]> >>>> --- >>>> tests/regression/apparmor/pivot_root.sh | 68 >>>> ++++++++++++++++++--------------- >>>> tests/regression/apparmor/prologue.inc | 24 ++++++++++++ >>>> 2 files changed, 62 insertions(+), 30 deletions(-) >>>> >>>> diff --git a/tests/regression/apparmor/pivot_root.sh >>>> b/tests/regression/apparmor/pivot_root.sh >>>> index b68f6cf..0e13a0a 100755 >>>> --- a/tests/regression/apparmor/pivot_root.sh >>>> +++ b/tests/regression/apparmor/pivot_root.sh 
>>>> @@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" >>>> "$new_root" "$test" >>>> genprofile $cur $cap "pivot_root:oldroot=$put_old $bad" >>>> do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test" >>>> >>>> -# Give sufficient perms and perform a profile transition >>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur >>>> -do_test "transition" pass "$put_old" "$new_root" "$new_prof" >>>> +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then >>>> + echo " kernel does not support pivot_root domain transitions >>>> skipping tests ..." >>>> +elif [ "$(parser_supports 'pivot_root -> foo,')" != "true" ] ; then >>>> + #pivot_root domain transitions not supported >>>> + echo " parser does not support pivot root domain transitions >>>> skipping tests ..." >>>> +else >>>> + # Give sufficient perms and perform a profile transition >>>> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur >>>> + do_test "transition" pass "$put_old" "$new_root" "$new_prof" >>>> + >>>> + # Ensure failure when the the new profile can't read >>>> /proc/<PID>/attr/current >>>> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof >>>> + do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof" >>>> + >>>> + # Ensure failure when the new profile doesn't exist >>>> + genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur >>>> + do_test "bad transition" fail "$put_old" "$new_root" "$new_prof" >>>> + >>>> + # Ensure the test binary is accurately doing post pivot_root profile >>>> verification >>>> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur >>>> + do_test "bad transition comparison" fail "$put_old" "$new_root" >>>> "$test" >>>> + >>>> + # Give sufficient perms with new_root and a transition >>>> + genprofile $cap "pivot_root:$new_root -> $new_prof" -- >>>> image=$new_prof $cur >>>> + do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof" >>>> + 
>>>> + # Ensure failure when the new profile doesn't exist and new_root is >>>> specified >>>> + genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur >>>> + do_test "new_root, bad transition" fail "$put_old" "$new_root" >>>> "$new_prof" >>>> + >>>> + # Give sufficient perms with new_root, put_old, and a transition >>>> + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" >>>> -- image=$new_prof $cur >>>> + do_test "put_old, new_root, transition" pass "$put_old" "$new_root" >>>> "$new_prof" >>>> + >>>> + # Ensure failure when the new profile doesn't exist and new_root and >>>> put_old are specified >>>> + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- >>>> image=$new_prof $cur >>>> + do_test "put_old, new_root, bad transition" fail "$put_old" >>>> "$new_root" "$new_prof" >>>> >>>> -# Ensure failure when the the new profile can't read >>>> /proc/<PID>/attr/current >>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof >>>> -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof" >>>> - >>>> -# Ensure failure when the new profile doesn't exist >>>> -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur >>>> -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof" >>>> - >>>> -# Ensure the test binary is accurately doing post pivot_root profile >>>> verification >>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur >>>> -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test" >>>> - >>>> -# Give sufficient perms with new_root and a transition >>>> -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof >>>> $cur >>>> -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof" >>>> - >>>> -# Ensure failure when the new profile doesn't exist and new_root is >>>> specified >>>> -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur >>>> -do_test "new_root, bad transition" fail "$put_old" 
"$new_root" "$new_prof" >>>> - >>>> -# Give sufficient perms with new_root, put_old, and a transition >>>> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- >>>> image=$new_prof $cur >>>> -do_test "put_old, new_root, transition" pass "$put_old" "$new_root" >>>> "$new_prof" >>>> - >>>> -# Ensure failure when the new profile doesn't exist and new_root and >>>> put_old are specified >>>> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- >>>> image=$new_prof $cur >>>> -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" >>>> "$new_prof" >>>> +fi >>>> diff --git a/tests/regression/apparmor/prologue.inc >>>> b/tests/regression/apparmor/prologue.inc >>>> index a77fda5..66a0edc 100755 >>>> --- a/tests/regression/apparmor/prologue.inc >>>> +++ b/tests/regression/apparmor/prologue.inc 
>>>> @@ -22,6 +22,30 @@ >>>> # For this file, functions are first, entry point code is at end, see >>>> "MAIN" >>>> >>>> #use $() to retreive the failure message or "true" if success >>>> + >>>> +kernel_features_istrue() >>>> +{ >>>> + if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then >>>> + echo "Kernel feature masks not supported." >>>> + return 1; >>>> + fi >>>> + >>>> + for f in $@ ; do >>>> + if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then >>>> + echo "Required feature '$f' not available." >>>> + return 2; >>>> + fi >>>> + if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \ >>>> + `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' >>>> ] ; then >>>> + echo "Required feature '$f' not available." >>>> + return 3; >>>> + fi >>>> + done >>>> + >>>> + echo "true" >>>> + return 0; >>>> +} >>> >>> I don't think I'd know when to call kernel_features_istrue() and when to >>> call kernel_features(). Is there really a need for both of them or can >>> you just add the additional check for "no" to the existing >>> kernel_features()? >>> >> yes, but we need to patch some of the tests that are just checking a >> directory >> path exists vs. a file's value > > Ah, I didn't think about that. > >> >> I can work on a more comprehensive patch > > How about just a quick couple of comments describing when to use each > function? >
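Review bot: In `kernel_features_istrue`, the second test inside the `for` loop splices an unquoted backtick `cat` into one `[ ... -o ... ]` expression; if the feature file is empty or its value contains whitespace, `[` is handed a malformed expression, exits non-zero, the `if` is false, and the function falls through to `echo "true"`, so an unreadable or garbled value is reported as supported (fail-open for a gate that decides whether security tests run). Quote the substitution and split the test so each operand stands alone: `if [ ! -f "/sys/kernel/security/apparmor/features/$f" ] || \` followed by `[ "$(cat "/sys/kernel/security/apparmor/features/$f")" = 'no' ] ; then`. For the same reason `for f in $@ ; do` should be `for f in "$@" ; do`, and `=` rather than `==` keeps the comparison valid under a POSIX `[`. The existing `kernel_features()` this mirrors is outside the hunk, so whether it shares the pattern cannot be seen here.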
Certainly, I can do that one right now, and worry about a broader cleanup later -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
