[apparmor] [PATCH v2 4/7] tests: Add stackprofile regression tests

Steve Beattie steve at nxnw.org
Sat Mar 19 06:21:07 UTC 2016 

On Fri, Mar 18, 2016 at 04:17:13PM -0500, Tyler Hicks wrote:
> Add tests for the aa_stack_profile() libapparmor function.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
>  tests/regression/apparmor/Makefile        |   1 +
>  tests/regression/apparmor/stackprofile.sh | 155 ++++++++++++++++++++++++++++++
>  2 files changed, 156 insertions(+)
>  create mode 100755 tests/regression/apparmor/stackprofile.sh
> 
> diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
> index 622986f..46940c7 100644
> --- a/tests/regression/apparmor/Makefile
> +++ b/tests/regression/apparmor/Makefile
> @@ -218,6 +218,7 @@ TESTS=aa_exec \
>        swap \
>        sd_flags \
>        setattr \
> +      stackprofile \
>        symlink \
>        syscall \
>        tcp \
> diff --git a/tests/regression/apparmor/stackprofile.sh b/tests/regression/apparmor/stackprofile.sh
> new file mode 100755
> index 0000000..e944d4b
> --- /dev/null
> +++ b/tests/regression/apparmor/stackprofile.sh
> @@ -0,0 +1,155 @@
> +#! /bin/bash
> +#	Copyright (C) 2016 Canonical, Ltd.
> +#
> +#	This program is free software; you can redistribute it and/or
> +#	modify it under the terms of the GNU General Public License as
> +#	published by the Free Software Foundation, version 2 of the
> +#	License.
> +
> +#=NAME stackprofile
> +#=DESCRIPTION
> +# Verifies basic file access permission checks for a parent profile and a
> +# stacked subprofile
> +#=END
> +
> +pwd=`dirname $0`
> +pwd=`cd $pwd ; /bin/pwd`
> +
> +bin=$pwd
> +
> +. $bin/prologue.inc
> +
> +requires_kernel_features domain/stack
> +settest stacking
> +
> +file=$tmpdir/file
> +otherfile=$tmpdir/file2
> +thirdfile=$tmpdir/file3
> +sharedfile=$tmpdir/file.shared
> +okperm=rw
> +
> +fileok="${file}:${okperm}"
> +otherok="${otherfile}:${okperm}"
> +thirdok="${thirdfile}:${okperm}"
> +sharedok="${sharedfile}:${okperm}"
> +
> +getcon="/proc/*/attr/current:r"
> +
> +othertest="$pwd/rename"
> +thirdtest="$pwd/exec"
> +
> +stackotherok="change_profile->:&$othertest"
> +stackthirdok="change_profile->:&$thirdtest"
> +
> +touch $file $otherfile $sharedfile $thirdfile
> +
> +# Verify file access and contexts by an unconfined process
> +runchecktest "STACKPROFILE (unconfined - file)" pass -f $file
> +runchecktest "STACKPROFILE (unconfined - otherfile)" pass -f $otherfile
> +runchecktest "STACKPROFILE (unconfined - thirdfile)" pass -f $thirdfile
> +runchecktest "STACKPROFILE (unconfined - sharedfile)" pass -f $sharedfile
> +
> +runchecktest "STACKPROFILE (unconfined - okcon)" pass -l unconfined -m '(null)'
> +runchecktest "STACKPROFILE (unconfined - bad label)" fail -l "$test" -m '(null)'
> +runchecktest "STACKPROFILE (unconfined - bad mode)" fail -l unconfined -m enforce
> +
> +# Verify file access and contexts by a non-stacked profile
> +genprofile $fileok $sharedok $getcon
> +runchecktest "STACKPROFILE (not stacked - file)" pass -f $file
> +runchecktest_errno EACCES "STACKPROFILE (not stacked - otherfile)" fail -f $otherfile
> +runchecktest_errno EACCES "STACKPROFILE (not stacked - thirdfile)" fail -f $thirdfile
> +runchecktest "STACKPROFILE (not stacked - sharedfile)" pass -f $sharedfile
> +
> +runchecktest "STACKPROFILE (not stacked - okcon)" pass -l "$test" -m enforce
> +runchecktest "STACKPROFILE (not stacked - bad label)" fail -l "${test}XXX" -m enforce
> +runchecktest "STACKPROFILE (not stacked - bad mode)" fail -l "$test" -m complain
> +
> +# Verify file access and contexts by a profile stacked with unconfined
> +genprofile image=$othertest $otherok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (stacked with unconfined - file)" fail -p $othertest -f $file
> +runchecktest "STACKPROFILE (stacked with unconfined - otherfile)" pass -p $othertest -f $otherfile
> +runchecktest "STACKPROFILE (stacked with unconfined - sharedfile)" pass -p $othertest -f $sharedfile
> +
> +runchecktest "STACKPROFILE (stacked with unconfined - okcon)" pass -p $othertest -l "unconfined//&${othertest}" -m mixed
> +runchecktest "STACKPROFILE (stacked with unconfined - bad label)" fail -p $othertest -l "${test}//&${othertest}" -m mixed
> +runchecktest "STACKPROFILE (stacked with unconfined - bad mode)" fail -p $othertest -l "unconfined//&${othertest}" -m '(null)'
> +
> +removeprofile
> +# Verify that stacking a nonexistent file is properly handled
> +runchecktest_errno ENOENT "STACKPROFILE (unconfined - stack nonexistent profile)" fail -p $othertest -f $file
> +
> +# Verify file access and contexts by 2 stacked profiles
> +genprofile $fileok $sharedok $getcon $stackotherok -- \
> +	image=$othertest $otherok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (2 stacked - file)" fail -p $othertest -f $file
> +runchecktest_errno EACCES "STACKPROFILE (2 stacked - otherfile)" fail -p $othertest -f $otherfile
> +runchecktest_errno EACCES "STACKPROFILE (2 stacked - thirdfile)" fail -p $othertest -f $thirdfile
> +runchecktest "STACKPROFILE (2 stacked - sharedfile)" pass -p $othertest -f $sharedfile
> +
> +runchecktest "STACKPROFILE (2 stacked - okcon)" pass -p $othertest -l "${test}//&${othertest}" -m enforce
> +runchecktest "STACKPROFILE (2 stacked - bad label)" fail -p $othertest -l "${test}//&${test}" -m enforce
> +runchecktest "STACKPROFILE (2 stacked - bad mode)" fail -p $othertest -l "${test}//&${test}" -m '(null)'
> +
> +# Verify that a change_profile rule is required to aa_stack_profile())
> +genprofile $fileok $sharedok $getcon -- \
> +	image=$othertest $otherok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (2 stacked - no change_profile)" fail -p $othertest -l "${test}//&${othertest}" -m enforcec

s/enforcec/enforce/ surely?

> +
> +# Verify file access and contexts by 3 stacked profiles
> +genprofile $fileok $sharedok $getcon $stackotherok $stackthirdok -- \
> +	image=$othertest $otherok $sharedok $test:ix $getcon $stackthirdok -- \
> +	image=$thirdtest $thirdok $sharedok $getcon
> +runchecktest_errno EACCES "STACKPROFILE (3 stacked - file)" fail -p $othertest -- $test -p $thirdtest -f $file
> +runchecktest_errno EACCES "STACKPROFILE (3 stacked - otherfile)" fail -p $othertest -- $test -p $thirdtest -f $otherfile
> +runchecktest_errno EACCES "STACKPROFILE (3 stacked - thirdfile)" fail -p $othertest -- $test -p $thirdtest -f $thirdfile
> +runchecktest "STACKPROFILE (3 stacked - sharedfile)" pass -p $othertest -- $test -p $thirdtest -f $sharedfile
> +
> +runchecktest "STACKPROFILE (3 stacked - okcon)" pass -p $othertest -- $test -p $thirdtest -l "${thirdtest}//&${test}//&${othertest}" -m enforce

Should we have similar tests where everything is the same setupwise
except that $stackthirdok is alternately not allowed from the toplevel
stacking profile?

> +
> +ns="ns"
> +prof="stackprofile"
> +nstest=":${ns}:${prof}"
> +# Verify file access and contexts by stacking a profile with a namespaced profile
> +genprofile --stdin <<EOF
> +$test {
> +  file,
> +  audit deny $otherfile $okperm,
> +  change_profile -> &$nstest,
> +}
> +
> +$nstest {
> +  $otherfile $okperm,
> +  $sharedfile $okperm,
> +  /proc/*/attr/current r,
> +}
> +EOF
> +runchecktest_errno EACCES "STACKPROFILE (stacked with namespaced profile - file)" fail -p $nstest -f $file
> +runchecktest_errno EACCES "STACKPROFILE (stacked with namespaced profile - otherfile)" fail -p $nstest -f $otherfile
> +runchecktest_errno EACCES "STACKPROFILE (stacked with namespaced profile - thirdfile)" fail -p $nstest -f $thirdfile
> +runchecktest "STACKPROFILE (stacked with namespaced profile - sharedfile)" pass -p $nstest -f $sharedfile
> +
> +runchecktest "STACKPROFILE (stacked with namespaced profile - okcon)" pass -p $nstest -l $prof -m enforce
> +
> +# Verify file access and contexts in mixed mode
> +genprofile $fileok $sharedok $getcon $stackotherok -- \
> +	image=$othertest flag:complain $otherok $sharedok $getcon
> +runchecktest "STACKPROFILE (mixed mode - file)" pass -p $othertest -f $file
> +runchecktest_errno EACCES "STACKPROFILE (mixed mode - otherfile)" fail -p $othertest -f $otherfile
> +runchecktest "STACKPROFILE (mixed mode - sharedfile)" pass -p $othertest -f $sharedfile
> +
> +runchecktest "STACKPROFILE (mixed mode - okcon)" pass -p $othertest -l "${othertest}//&${test}" -m mixed
> +
> +# Verify file access and contexts in complain mode
> +genprofile flag:complain $getcon -- image=$othertest flag:complain $getcon
> +runchecktest "STACKPROFILE (complain mode - file)" pass -p $othertest -f $file
> +
> +runchecktest "STACKPROFILE (complain mode - okcon)" pass -p $othertest -l "${test}//&${othertest}" -m complain

Some additional tests to consider:

  - stacking(complain) + &othertest(enforce) both with and without the change_profile rule
    that allows the stack to happen (I'm assuming the complain mode would
    grant the stack either way)

  - stacking(enforce) + &othertest(complain) without the change_profile
    rule in the former that allows the stack to happen (I'm assuming
    that the change_profile wouldn't be granted)

  - three level deep intermix with complain? (Coming up with a sensible
    matrix makes my head hurt.)

> +
> +# Verify that stacking with a bare namespace is handled
> +genprofile --stdin <<EOF
> +$test { file, change_profile, }
> +$nstest { }
> +EOF
> +runchecktest "STACKPROFILE (bare :ns:)" pass -p ":${ns}:"
> +runchecktest "STACKPROFILE (bare :ns://)" pass -p ":${ns}://"
> +runchecktest "STACKPROFILE (bare :ns)" pass -p ":${ns}"

Anyway, I don't think the additional tests are needed before committing
this. With the enforcec typo fixed, Acked-by: Steve Beattie <steve at nxnw.org>.

Thanks.
-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160318/6f79cbdf/attachment.pgp>

More information about the AppArmor mailing list