[apparmor] fix regression tests for changed mixed mode behavior

Seth Arnold seth.arnold at canonical.com
Thu Sep 1 23:07:03 UTC 2016 

On Thu, Sep 01, 2016 at 03:54:20PM -0700, John Johansen wrote:
> Previously a stack with unconfined would cause the mode to be reported as mixed
> 
>   profile_A//&:ns1://unconfined (mixed)
> 
> this is confusing and can even break some trusted helpers. The unconfined profile
> has been special cased and now will report enforce when stacking with unconfined
>   profile_A//&:ns1://unconfined (enforce)
> 
> This patch fixes the regression tests to work with this change

Acked-by: Seth Arnold <seth.arnold at canonical.com>

.. though coordinating the change through kernel versions and so on sounds
unfun at best.

Thanks

> 
> ---
> 
> === modified file 'tests/regression/apparmor/socketpair.sh'
> --- tests/regression/apparmor/socketpair.sh	2015-06-02 08:00:29 +0000
> +++ tests/regression/apparmor/socketpair.sh	2016-07-10 02:16:46 +0000
> @@ -19,6 +19,8 @@
>  
>  . $bin/prologue.inc
>  
> +requires_kernel_features network/af_unix
> +
>  do_test()
>  {
>  	local desc="SOCKETPAIR ($1)"
> 
> === modified file 'tests/regression/apparmor/stackonexec.sh'
> --- tests/regression/apparmor/stackonexec.sh	2016-05-28 16:58:41 +0000
> +++ tests/regression/apparmor/stackonexec.sh	2016-08-07 06:12:18 +0000
> @@ -71,9 +71,9 @@
>  runchecktest "STACKONEXEC (stacked with unconfined - otherfile)" pass -o $othertest -- $test -f $otherfile
>  runchecktest "STACKONEXEC (stacked with unconfined - sharedfile)" pass -o $othertest -- $test -f $sharedfile
>  
> -runchecktest "STACKONEXEC (stacked with unconfined - okcon)" pass -o $othertest -- $test -l "unconfined//&${othertest}" -m mixed
> -runchecktest "STACKONEXEC (stacked with unconfined - bad label)" fail -o $othertest -- $test -l "${test}//&${othertest}" -m mixed
> -runchecktest "STACKONEXEC (stacked with unconfined - bad mode)" fail -o $othertest -- $test -l "unconfined//&${othertest}" -m enforce
> +runchecktest "STACKONEXEC (stacked with unconfined - okcon)" pass -o $othertest -- $test -l "unconfined//&${othertest}" -m enforce
> +runchecktest "STACKONEXEC (stacked with unconfined - bad label)" fail -o $othertest -- $test -l "${test}//&${othertest}" -m enforce
> +runchecktest "STACKONEXEC (stacked with unconfined - bad mode)" fail -o $othertest -- $test -l "unconfined//&${othertest}" -m "(null)"
>  
>  removeprofile
>  # Verify that stacking a nonexistent file is properly handled
> 
> === modified file 'tests/regression/apparmor/stackprofile.sh'
> --- tests/regression/apparmor/stackprofile.sh	2016-05-28 16:58:41 +0000
> +++ tests/regression/apparmor/stackprofile.sh	2016-08-07 06:10:40 +0000
> @@ -70,8 +70,8 @@
>  runchecktest "STACKPROFILE (stacked with unconfined - otherfile)" pass -p $othertest -f $otherfile
>  runchecktest "STACKPROFILE (stacked with unconfined - sharedfile)" pass -p $othertest -f $sharedfile
>  
> -runchecktest "STACKPROFILE (stacked with unconfined - okcon)" pass -p $othertest -l "unconfined//&${othertest}" -m mixed
> -runchecktest "STACKPROFILE (stacked with unconfined - bad label)" fail -p $othertest -l "${test}//&${othertest}" -m mixed
> +runchecktest "STACKPROFILE (stacked with unconfined - okcon)" pass -p $othertest -l "unconfined//&${othertest}" -m enforce
> +runchecktest "STACKPROFILE (stacked with unconfined - bad label)" fail -p $othertest -l "${test}//&${othertest}" -m enforce
>  runchecktest "STACKPROFILE (stacked with unconfined - bad mode)" fail -p $othertest -l "unconfined//&${othertest}" -m '(null)'
>  
>  removeprofile
> 
> === modified file 'tests/regression/apparmor/xattrs.sh'
> --- tests/regression/apparmor/xattrs.sh	2010-12-20 20:29:10 +0000
> +++ tests/regression/apparmor/xattrs.sh	2016-07-29 07:39:28 +0000
> @@ -36,6 +36,8 @@
>  
>  . $bin/prologue.inc
>  
> +requires_kernel_features file/xattr
> +
>  tmpmount=$tmpdir/mountpoint
>  diskimg=$tmpdir/disk.img
>  file=$tmpmount/testfile
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160901/f303bd32/attachment.pgp>

More information about the AppArmor mailing list