[apparmor] [PATCH] regression test: conditionally run pivot_root domain, transitions
Tyler Hicks
tyhicks at canonical.com
Thu Sep 7 23:21:18 UTC 2017
On 09/07/2017 05:50 PM, John Johansen wrote:
> On 09/07/2017 01:27 PM, Tyler Hicks wrote:
>> On 09/06/2017 03:09 PM, John Johansen wrote:
>>> Update the tests to test whether the kernel and parser support domain
>>> transitions on pivot_root.
>>>
>>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>>> ---
>>> tests/regression/apparmor/pivot_root.sh | 68 ++++++++++++++++++---------------
>>> tests/regression/apparmor/prologue.inc | 24 ++++++++++++
>>> 2 files changed, 62 insertions(+), 30 deletions(-)
>>>
>>> diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
>>> index b68f6cf..0e13a0a 100755
>>> --- a/tests/regression/apparmor/pivot_root.sh
>>> +++ b/tests/regression/apparmor/pivot_root.sh
>>> @@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" "$new_root" "$test"
>>> genprofile $cur $cap "pivot_root:oldroot=$put_old $bad"
>>> do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"
>>>
>>> -# Give sufficient perms and perform a profile transition
>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>>> -do_test "transition" pass "$put_old" "$new_root" "$new_prof"
>>> +if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then
>>> + echo " kernel does not support pivot_root domain transitions skipping tests ..."
>>> +elif [ "$(parser_supports 'pivot_root -> foo,')" != "true" ] ; then
>>> + #pivot_root domain transitions not supported
>>> + echo " parser does not support pivot root domain transitions skipping tests ..."
>>> +else
>>> + # Give sufficient perms and perform a profile transition
>>> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>>> + do_test "transition" pass "$put_old" "$new_root" "$new_prof"
>>> +
>>> + # Ensure failure when the the new profile can't read /proc/<PID>/attr/current
>>> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
>>> + do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
>>> +
>>> + # Ensure failure when the new profile doesn't exist
>>> + genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
>>> + do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
>>> +
>>> + # Ensure the test binary is accurately doing post pivot_root profile verification
>>> + genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>>> + do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
>>> +
>>> + # Give sufficient perms with new_root and a transition
>>> + genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
>>> + do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
>>> +
>>> + # Ensure failure when the new profile doesn't exist and new_root is specified
>>> + genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
>>> + do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
>>> +
>>> + # Give sufficient perms with new_root, put_old, and a transition
>>> + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur
>>> + do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"
>>> +
>>> + # Ensure failure when the new profile doesn't exist and new_root and put_old are specified
>>> + genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
>>> + do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
>>>
>>> -# Ensure failure when the the new profile can't read /proc/<PID>/attr/current
>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
>>> -do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Ensure failure when the new profile doesn't exist
>>> -genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
>>> -do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Ensure the test binary is accurately doing post pivot_root profile verification
>>> -genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
>>> -do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
>>> -
>>> -# Give sufficient perms with new_root and a transition
>>> -genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
>>> -do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Ensure failure when the new profile doesn't exist and new_root is specified
>>> -genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
>>> -do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Give sufficient perms with new_root, put_old, and a transition
>>> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur
>>> -do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"
>>> -
>>> -# Ensure failure when the new profile doesn't exist and new_root and put_old are specified
>>> -genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
>>> -do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
>>> +fi
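Review bot: the parser capability probe on the elif line checks only the bare form `pivot_root -> foo,`, while the tests it guards also emit `pivot_root:$new_root -> $new_prof` and `pivot_root:oldroot=$put_old $new_root -> $new_prof`; a parser that accepts a transition on its own but not one combined with a path or an oldroot= option would fail those tests rather than skip them, so probe the fullest form actually used (or probe each form just before the tests that need it). The two skip branches also discard the reason that kernel_features_istrue() prints, because the `$(...)` swallows it; capture the output once and echo it next to the skip message so a skipped run is diagnosable from the log. Minor: the moved comment still reads "when the the new profile", and both skip messages want a comma or period before "skipping tests".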
>>> diff --git a/tests/regression/apparmor/prologue.inc b/tests/regression/apparmor/prologue.inc
>>> index a77fda5..66a0edc 100755
>>> --- a/tests/regression/apparmor/prologue.inc
>>> +++ b/tests/regression/apparmor/prologue.inc
>>> @@ -22,6 +22,30 @@
>>> # For this file, functions are first, entry point code is at end, see "MAIN"
>>>
>>> #use $() to retreive the failure message or "true" if success
>>> +
>>> +kernel_features_istrue()
>>> +{
>>> + if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
>>> + echo "Kernel feature masks not supported."
>>> + return 1;
>>> + fi
>>> +
>>> + for f in $@ ; do
>>> + if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
>>> + echo "Required feature '$f' not available."
>>> + return 2;
>>> + fi
>>> + if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \
>>> + `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' ] ; then
>>> + echo "Required feature '$f' not available."
>>> + return 3;
>>> + fi
>>> + done
>>> +
>>> + echo "true"
>>> + return 0;
>>> +}
>>
>> I don't think I'd know when to call kernel_features_istrue() and when to
>> call kernel_features(). Is there really a need for both of them or can
>> you just add the additional check for "no" to the existing
>> kernel_features()?
>>
> yes, but we need to patch some of the tests that are just checking a directory
> path exists vs. a file's value
Ah, I didn't think about that.
>
> I can work on a more comprehensive patch
How about just a quick couple of comments describing when to use each
function?
Tyler
>
>
>> Tyler
>>
>>> +
>>> kernel_features()
>>> {
>>> if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
>>>
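Review bot: in kernel_features_istrue() the second test does not do what the `-f` guard intends. `[ ! -f "$p" -o \`cat "$p"\` == 'no' ]` expands the command substitution before `[` runs, so `cat` executes even when the path is a directory (the case `-f` is meant to catch), fails noisily, and the empty unquoted word leaves `[` with a malformed expression instead of a true result. Split it into two quoted tests, e.g. `if [ ! -f "$p" ] || [ "$(cat "$p")" = "no" ] ; then`, which also drops the non-POSIX `==` and the obsolescent `-o`. Two smaller points: `for f in $@` should be `for f in "$@"` so a feature name is never word-split, and since this function is the existing kernel_features() plus a check on the file's contents, a one-line comment on each saying which one only tests that a feature path exists and which also requires its value not to be "no" would answer the question raised in the reply.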
>>
>>
>