[apparmor] update regression tests to account for parser support of a feature
John Johansen
john.johansen at canonical.com
Wed Apr 29 22:25:10 UTC 2015
The regression tests have an issue on backport kernels when the userspace
has not been updated: the regression tests detect the kernel feature set
and generate policy that the parser may not be able to compile.
Augment the regression tests with a couple of simple functions to test what
is supported by the parser, and update the test conditionals to use them.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
=== modified file 'tests/regression/apparmor/dbus_eavesdrop.sh'
--- tests/regression/apparmor/dbus_eavesdrop.sh 2014-03-27 02:08:59 +0000
+++ tests/regression/apparmor/dbus_eavesdrop.sh 2015-04-29 21:49:04 +0000
@@ -19,6 +19,7 @@
. $bin/prologue.inc
requires_features dbus
+requires_parser_support "dbus,"
. $bin/dbus.inc
args="--session"
=== modified file 'tests/regression/apparmor/dbus_message.sh'
--- tests/regression/apparmor/dbus_message.sh 2014-03-27 02:08:59 +0000
+++ tests/regression/apparmor/dbus_message.sh 2015-04-29 21:49:04 +0000
@@ -19,6 +19,7 @@
. $bin/prologue.inc
requires_features dbus
+requires_parser_support "dbus,"
. $bin/dbus.inc
listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
=== modified file 'tests/regression/apparmor/dbus_service.sh'
--- tests/regression/apparmor/dbus_service.sh 2014-03-27 02:08:59 +0000
+++ tests/regression/apparmor/dbus_service.sh 2015-04-29 21:49:04 +0000
@@ -18,6 +18,7 @@
. $bin/prologue.inc
requires_features dbus
+requires_parser_support "dbus,"
. $bin/dbus.inc
service="--$bus --name=$dest $path $iface"
=== modified file 'tests/regression/apparmor/dbus_unrequested_reply.sh'
--- tests/regression/apparmor/dbus_unrequested_reply.sh 2014-09-05 14:43:05 +0000
+++ tests/regression/apparmor/dbus_unrequested_reply.sh 2015-04-29 21:49:04 +0000
@@ -18,6 +18,7 @@
. $bin/prologue.inc
requires_features dbus
+requires_parser_support "dbus,"
. $bin/dbus.inc
service="--$bus --name=$dest $path $iface"
=== modified file 'tests/regression/apparmor/deleted.sh'
--- tests/regression/apparmor/deleted.sh 2014-09-11 02:30:20 +0000
+++ tests/regression/apparmor/deleted.sh 2015-04-29 21:49:04 +0000
@@ -65,7 +65,7 @@
badperm=wl
af_unix=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
af_unix="unix:create"
fi
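Review bot: The new condition joins two string comparisons with `-a` inside a single `[ ]`, which POSIX marks obsolescent because the operands can be parsed ambiguously, and it keeps the non-portable `==`. Two separate tests are safer: `if [ "$(have_features network/af_unix)" = "true" ] && [ "$(parser_supports 'unix,')" = "true" ]; then`. The same applies to the `-a` forms in named_pipe.sh, ptrace.sh, socketpair.sh, unix_fd_server.sh and unix_socket_pathname.sh, and to the `-o` forms in mount.sh and pivot_root.sh (`||` there).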
=== modified file 'tests/regression/apparmor/mount.sh'
--- tests/regression/apparmor/mount.sh 2014-04-24 19:24:54 +0000
+++ tests/regression/apparmor/mount.sh 2015-04-29 21:49:04 +0000
@@ -102,7 +102,7 @@
remove_mnt
-if [ "$(have_features mount)" != "true" ] ; then
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
genprofile capability:sys_admin
runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
remove_mnt
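Review bot: The fallback branch is now also taken when the kernel mediates mount but the parser cannot compile `mount,`, and in that case it still asserts that `capability:sys_admin` alone makes the mount pass. That presumably relies on the kernel not enforcing mount mediation for policy built by an older parser, which nothing in this hunk shows. A comment stating the assumption would help, for example `# no mount mediation (kernel or parser lacks it): sys_admin alone must be sufficient`, matching the comment updated in pivot_root.sh. The `if` block continues past the end of the hunk.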
=== modified file 'tests/regression/apparmor/named_pipe.sh'
--- tests/regression/apparmor/named_pipe.sh 2014-06-11 04:05:44 +0000
+++ tests/regression/apparmor/named_pipe.sh 2015-04-29 21:49:04 +0000
@@ -38,7 +38,7 @@
# Add genprofile params that are common to all hats here
common=""
-if [ "$(have_features signal)" == "true" ] ; then
+if [ "$(have_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
# Allow send/receive of all signals
common="${common} signal:ALL"
fi
=== modified file 'tests/regression/apparmor/pivot_root.sh'
--- tests/regression/apparmor/pivot_root.sh 2015-03-31 09:46:45 +0000
+++ tests/regression/apparmor/pivot_root.sh 2015-04-29 21:49:04 +0000
@@ -106,8 +106,8 @@
genprofile
do_test "no perms" fail "$put_old" "$new_root" "$test"
-if [ "$(have_features mount)" != "true" ] ; then
- # pivot_root mediation isn't supported by this kernel, so verify that
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
+ # pivot_root mediation isn't supported by this kernel/parser, so verify that
# capability sys_admin is sufficient and skip the remaining tests
genprofile $cur $cap
do_test "cap" pass "$put_old" "$new_root" "$test"
=== modified file 'tests/regression/apparmor/prologue.inc'
--- tests/regression/apparmor/prologue.inc 2014-10-09 19:30:34 +0000
+++ tests/regression/apparmor/prologue.inc 2015-04-29 21:49:04 +0000
@@ -58,6 +58,30 @@
fi
}
+parser_supports()
+{
+ for R in $@ ; do
+ echo "/test { $R }" | $subdomain ${parser_args} -qQT 2>/dev/null 1>/dev/null
+ if [ $? -ne 0 ] ; then
+ echo "Compiler does not support rule '$R'"
+ return 1;
+ fi
+ done
+
+ echo "true"
+ return 0;
+}
+
+requires_parser_support()
+{
+ local res=$(parser_supports $@)
+ if [ "$res" != "true" ] ; then
+ echo "$res. Skipping tests ..."
+ exit 0
+ fi
+}
+
+
fatalerror()
{
# global _fatal
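Review bot: `parser_supports` treats every non-zero exit from `$subdomain` as "rule not supported" and discards stderr, so a missing or misconfigured parser makes `requires_parser_support` skip the test with `exit 0`. For a suite that checks mediation, a broken setup then looks like a clean run. The unquoted `$@` in both functions also word-splits a rule that contains spaces, `R` leaks into the sourcing script, and `local res=$(...)` hides the helper's exit status. The sketch below quotes the arguments, keeps `R` local and returns a distinct status when the parser cannot be run. The inline `$(parser_supports ...)` conditionals in the test scripts would still need their own handling of that case, and `fatalerror` continues outside the hunk.

```shell
parser_supports()
{
	local R
	# A parser that cannot be run is a broken setup, not a missing feature
	if ! command -v "$subdomain" >/dev/null 2>&1 ; then
		echo "Parser '$subdomain' not found" >&2
		return 2
	fi
	for R in "$@" ; do
		if ! echo "/test { $R }" | $subdomain ${parser_args} -qQT >/dev/null 2>&1 ; then
			echo "Compiler does not support rule '$R'"
			return 1
		fi
	done
	# … unchanged: echo "true" and return 0 …
}

requires_parser_support()
{
	local res rc=0
	res=$(parser_supports "$@") || rc=$?
	if [ "$rc" -eq 2 ] ; then
		# do not report a skip when the parser itself is unusable
		exit 1
	fi
	# … unchanged: skip with exit 0 when $res is not "true" …
}
```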
=== modified file 'tests/regression/apparmor/ptrace.sh'
--- tests/regression/apparmor/ptrace.sh 2014-04-23 18:44:41 +0000
+++ tests/regression/apparmor/ptrace.sh 2015-04-29 21:49:04 +0000
@@ -52,7 +52,7 @@
runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
-if [ "$(have_features ptrace)" == "true" ] ; then
+if [ "$(have_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
. $bin/ptrace_v6.inc
else
. $bin/ptrace_v5.inc
=== modified file 'tests/regression/apparmor/socketpair.sh'
--- tests/regression/apparmor/socketpair.sh 2014-09-18 19:04:29 +0000
+++ tests/regression/apparmor/socketpair.sh 2015-04-29 21:49:04 +0000
@@ -34,7 +34,7 @@
af_unix_create_label=""
af_unix_inherit=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
# AppArmor requires that the process inheriting the sock file
# descriptors have send,receive perms in its profile
af_unix_create="unix:(create,getopt)"
=== modified file 'tests/regression/apparmor/unix_fd_server.sh'
--- tests/regression/apparmor/unix_fd_server.sh 2014-09-11 02:30:27 +0000
+++ tests/regression/apparmor/unix_fd_server.sh 2015-04-29 21:49:04 +0000
@@ -27,7 +27,7 @@
badperm=w
af_unix=""
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
af_unix="unix:create"
fi
@@ -137,7 +137,7 @@
sleep 1
rm -f ${socket}
-if [ "$(have_features policy/versions/v6)" == "true" ] ; then
+if [ "$(have_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
# FAIL - confined client, no access to the socket file
genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix
=== modified file 'tests/regression/apparmor/unix_socket_abstract.sh'
--- tests/regression/apparmor/unix_socket_abstract.sh 2014-09-29 23:49:13 +0000
+++ tests/regression/apparmor/unix_socket_abstract.sh 2015-04-29 21:49:04 +0000
@@ -30,6 +30,7 @@
. $bin/unix_socket.inc
requires_features policy/versions/v7
requires_features network/af_unix
+requires_parser_support "unix,"
settest unix_socket
=== modified file 'tests/regression/apparmor/unix_socket_pathname.sh'
--- tests/regression/apparmor/unix_socket_pathname.sh 2014-10-09 05:32:01 +0000
+++ tests/regression/apparmor/unix_socket_pathname.sh 2015-04-29 21:49:04 +0000
@@ -52,7 +52,7 @@
# af_unix support requires 'unix getattr' to call getsockname()
af_unix_okserver=
af_unix_okclient=
-if [ "$(have_features network/af_unix)" == "true" ] ; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
af_unix_okserver="create,setopt"
af_unix_okclient="create,getopt,setopt,getattr"
fi
=== modified file 'tests/regression/apparmor/unix_socket_unnamed.sh'
--- tests/regression/apparmor/unix_socket_unnamed.sh 2014-09-30 17:00:10 +0000
+++ tests/regression/apparmor/unix_socket_unnamed.sh 2015-04-29 21:49:04 +0000
@@ -30,6 +30,7 @@
. $bin/unix_socket.inc
requires_features policy/versions/v7
requires_features network/af_unix
+requires_parser_support "unix,"
settest unix_socket