[apparmor] [patch 23/26] Update test scripts for ptrace rules.
Steve Beattie
steve at nxnw.org
Mon Apr 21 19:18:52 UTC 2014
On Tue, Apr 15, 2014 at 10:22:30AM -0700, john.johansen at canonical.com wrote:
> Update mkprofile.pl to generate ptrace rules and update test scripts to
> test ptrace mediation.
>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
Acked-by: Steve Beattie <steve at nxnw.org> with a couple of comments
inline:
> diff --git a/tests/regression/apparmor/ptrace_v5.inc b/tests/regression/apparmor/ptrace_v5.inc
> new file mode 100644
> index 0000000..428410a
> --- /dev/null
> +++ b/tests/regression/apparmor/ptrace_v5.inc
> @@ -0,0 +1,138 @@
Can you add a copyright header here, please? (Updating the one in
ptrace.sh would be nice, too).
> diff --git a/tests/regression/apparmor/ptrace_v6.inc b/tests/regression/apparmor/ptrace_v6.inc
> new file mode 100644
> index 0000000..f4c2088
> --- /dev/null
> +++ b/tests/regression/apparmor/ptrace_v6.inc
> @@ -0,0 +1,400 @@
Same request for a copyright header here as well.
> +## v5 ptrace tests except with failures where appropriate. Testing that capability ptrace
> +## does not grant ptrace perms
> +
> +## Note: ptrace tests need signal permissions to function correctly
> +## signal permissions are not actually needed by all tests to function but
> +## we grant signal perms to all to be consistent
> +
> +echo " using ptrace v6 tests ..."
> +
> +################################################################################
> +# v5 ptrace tests without ptrace rules
> +################################################################################
> +
> +################### cap:sys_ptrace doesn't change results from above ##########################
I think there could have been a parameterized function here that could
have ensured that duplicate tests with just the added cap:sys_ptrace
permission gave the same results, but fixing it is not necessary for
this commit to land; we can revisit in the future.
> +# fail was pass in v5 allowed to ix self
> +genprofile /bin/true:rix $helper:rix signal:ALL cap:sys_ptrace
> +runchecktest "test 12c" fail -n 100 /bin/true
> +runchecktest "test 12c -c" fail -c -n 100 /bin/true
> +runchecktest "test 12c -h" fail -h -n 100 $helper
> +runchecktest "test 12c -hc" fail -h -c -n 100 $helper
> +runchecktest "test 12c -h prog" fail -h -n 100 $helper /bin/true
> +runchecktest "test 12c -hc prog" fail -h -c -n 100 $helper /bin/true
> +
> +#ptraced confined app traced by unconfined can px
> +genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true /bin/true:rix cap:sys_ptrace
> +runchecktest "test 13cu -h prog" pass -h -n 100 $helper /bin/true
> +runchecktest "test 13cu -hc prog" pass -h -c -n 100 $helper /bin/true
> +
> +#ptraced confined app traced by profile without ptrace on targeted can't px
> +genprofile /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true /bin/true:rix cap:sys_ptrace
> +runchecktest "test 13c -h prog" fail -h -n 100 $helper /bin/true
> +runchecktest "test 13c -hc prog" fail -h -c -n 100 $helper /bin/true
> +
> +
> +#ptraced confined app can ux - if the tracer is unconfined
> +#
> +genprofile image=$helper $helper:rix /bin/true:rux signal:ALL cap:sys_ptrace
> +runchecktest "test 14ca -h prog" pass -h -n 100 $helper /bin/true
> +runchecktest "test 14ca -hc prog" pass -h -c -n 100 $helper /bin/true
> +#ptraced confined app can't ux - if the tracer can't trace unconfined
> +genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
> +runchecktest "test 14cb -h prog" fail -h -n 100 $helper /bin/true
> +runchecktest "test 14cb -hc prog" fail -h -c -n 100 $helper /bin/true
> +
> +#confined app can't ptrace an unconfined app
> +genprofile $helper:rux signal:ALL cap:sys_ptrace
> +runchecktest "test 15c -h" fail -h -n 100 $helper
> +runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
> +#an unconfined app can't ask a confined app to trace it
> +runchecktest "test 15c -hc" fail -h -c -n 100 $helper
> +runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
> +
> +#confined app can't ptrace an app confined by a different profile
> +genprofile $helper:rpx signal:ALL cap:sys_ptrace -- image=$helper signal:ALL cap:sys_ptrace
> +runchecktest "test 15c -h" fail -h -n 100 $helper
> +runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
> +#a confined app can't ask another confined app with a different profile to
> +#trace it
> +runchecktest "test 15c -hc" fail -h -c -n 100 $helper
> +runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
> +
> +
> +################################################################################
> +# v5 ptrace tests with ptrace rules
> +################################################################################
> +
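Review bot: the two "15c" blocks reuse identical test names. Lines 77-81 (tracer profile with `$helper:rux`) and lines 85-90 (tracer profile with `$helper:rpx` plus a separate `image=$helper` profile) both run `runchecktest "test 15c -h"`, `"test 15c -h prog"`, `"test 15c -hc"` and `"test 15c -hc prog"`, so a failure reported as "test 15c -h" cannot be attributed to either case. Suggest distinct names, e.g. `"test 15ca ..."` for the unconfined-target case and `"test 15cb ..."` for the different-profile case, matching the 14ca/14cb convention used earlier in this hunk. One question on 13c: the tracer profile at line 60 grants `/bin/true:rpx` but no exec rule for `$helper`, while the 12c profile it derives from grants both `/bin/true:rix` and `$helper:rix`; if the `-h` runs need the tracer to exec `$helper`, the expected `fail` here may be produced by the missing exec permission rather than by the ptrace mediation the comment describes, so it is worth confirming the denial comes from the ptrace check.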
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/