From 449c8d3e3ab3ce0f434c730c7c3169fc691f5425 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 22 Oct 2024 13:16:03 +0100
Subject: [PATCH 1/2] tests(integration): add more tests.
---
tests/bats/chsh.bats | 28 +++++++++++++++++++++++
tests/bats/lsusb.bats | 28 +++++++++++++++++++++++
tests/bats/useradd.bats | 49 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 105 insertions(+)
create mode 100644 tests/bats/chsh.bats
create mode 100644 tests/bats/lsusb.bats
create mode 100644 tests/bats/useradd.bats
diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats
new file mode 100644
index 00000000..42cfa115
--- /dev/null
+++ b/tests/bats/chsh.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=chsh
+@test "chsh: [l]ist available shells" {
+ chsh --list-shells
+ aa_check
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a specific login [s]hell for the current user" {
+ chsh --shell /usr/bin/bash
+ aa_check
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a login [s]hell for a specific user" {
+ sudo chsh --shell /usr/bin/sh root
+ aa_check
+}
diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats
new file mode 100644
index 00000000..530841a2
--- /dev/null
+++ b/tests/bats/lsusb.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List all the USB devices available" {
+ lsusb
+ aa_check
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List the USB hierarchy as a tree" {
+ lsusb -t
+ aa_check
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List verbose information about USB devices" {
+ lsusb --verbose
+ aa_check
+}
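Review bot: The two `chsh --shell` tests in tests/bats/chsh.bats rewrite the login shell of the invoking user and of root (`sudo chsh --shell /usr/bin/sh root`), and nothing in the file puts the old values back, so a run on anything other than a throwaway VM leaves root with a different shell. Recording both shells in `setup_file` and restoring them in a `teardown_file` keeps the host unchanged; the sketch below assumes `getent` is present on the test images. The unprivileged `chsh --shell /usr/bin/bash` call may also wait on a PAM password prompt when run non-interactively, which is worth confirming in CI.

```bash
setup_file() {
    aa_setup
    # Remember the shells the tests below overwrite.
    ORIG_USER_SHELL="$(getent passwd "$(id -un)" | cut -d: -f7)"
    ORIG_ROOT_SHELL="$(getent passwd root | cut -d: -f7)"
    export ORIG_USER_SHELL ORIG_ROOT_SHELL
}

teardown_file() {
    sudo chsh --shell "$ORIG_ROOT_SHELL" root
    sudo chsh --shell "$ORIG_USER_SHELL" "$(id -un)"
}
# … unchanged: the three @test blocks …
```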
diff --git a/tests/bats/useradd.bats b/tests/bats/useradd.bats
new file mode 100644
index 00000000..833e0160
--- /dev/null
+++ b/tests/bats/useradd.bats
@@ -0,0 +1,49 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user with the specified shell" {
+ sudo useradd --shell /bin/bash --create-home user2
+ aa_check
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user with the specified user ID" {
+ sudo useradd --uid 3000 user3
+ aa_check
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" {
+ sudo useradd --groups adm user4
+ aa_check
+}
+
+
+# bats test_tags=useradd
+@test "useradd: Create a new system user without the home directory" {
+ sudo useradd --system sys2
+ aa_check
+}
+
+# bats test_tags=userdel
+@test "userdel: Remove a user" {
+ sudo userdel user3
+ sudo userdel user4
+ sudo userdel sys2
+ aa_check
+}
+
+# bats test_tags=userdel
+@test "userdel: Remove a user along with the home directory and mail spool" {
+ sudo userdel --remove user2
+ aa_check
+}
From 5240dcbdd1290644041afa034c73c27f01b76e55 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 22 Oct 2024 13:38:42 +0100
Subject: [PATCH 2/2] fix(test): minor fixes.
---
apparmor.d/profiles-a-f/chsh | 11 +++--------
apparmor.d/profiles-s-z/useradd | 4 ++--
tests/bats/chsh.bats | 2 +-
tests/bats/lsusb.bats | 6 +++---
4 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
index 61885ed4..f73ae670 100644
--- a/apparmor.d/profiles-a-f/chsh
+++ b/apparmor.d/profiles-a-f/chsh
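Review bot: Cleanup of the accounts created in tests/bats/useradd.bats lives only in the two `userdel` tests, so an earlier failure, or a run filtered to the `useradd` tag, leaves `user2`, `user3`, `user4` (a member of `adm`) and `sys2` on the host. Inside `userdel: Remove a user` the three deletions run in sequence, so a failure on `user3` also skips `user4` and `sys2`, and the next run then fails at `useradd` because the names already exist. A `teardown_file` that removes whatever is left makes the file safe to re-run. The parenthetical "mind the lack of whitespace" in the `--groups` test title does not apply to a single group and could be dropped.

```bash
teardown_file() {
    # Best-effort removal of any account the tests left behind.
    for account in user2 user3 user4 sys2; do
        if id "$account" >/dev/null 2>&1; then
            sudo userdel --remove "$account" || true
        fi
    done
}
```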
@@ -10,26 +10,19 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include include include + include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # gpasswd is a SETUID binary capability setuid, network netlink raw, @{exec_path} mr, - owner @{PROC}/@{pid}/loginuid r, - /etc/shells r, /etc/passwd rw, @@ -44,6 +37,8 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 42ab8760..0fbb9aa6 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -53,9 +53,9 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.* w, + @{HOME}/.** w, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, + /etc/skel/{,.**} r, profile pam_tally2 { include diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats index 42cfa115..5365fea6 100644 --- a/tests/bats/chsh.bats +++ b/tests/bats/chsh.bats @@ -11,7 +11,7 @@ setup_file() { # bats test_tags=chsh @test "chsh: [l]ist available shells" { - chsh --list-shells + chsh --list-shells || true aa_check } diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats index 530841a2..8f646d89 100644 --- a/tests/bats/lsusb.bats +++ b/tests/bats/lsusb.bats @@ -11,18 +11,18 @@ setup_file() { # bats test_tags=lsusb @test "lsusb: List all the USB devices available" { - lsusb + lsusb || true aa_check } # bats test_tags=lsusb @test "lsusb: List the USB hierarchy as a tree" { - lsusb -t + lsusb -t || true aa_check } # bats test_tags=lsusb @test "lsusb: List verbose information about USB devices" { - lsusb --verbose + lsusb --verbose || true aa_check }
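Review bot: The hunk at `@@ -10,26` in apparmor.d/profiles-a-f/chsh removes every comment that justified a capability, leaving `audit_write`, `chown`, `fsetid` and `setuid` unexplained. The old `# gpasswd is a SETUID binary` line was wrong for this profile and is rightly gone, but `# To write records to the kernel auditing log.` and `# To set the right permission to the files in the /etc/ dir.` were useful to anyone auditing why this tool holds those capabilities, and I would keep them. The commit subject says `fix(test)`, yet this file and the useradd profile change policy, so the description should mention it. The profile body continues outside the hunk.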
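Review bot: `@{HOME}/.** w,` in apparmor.d/profiles-s-z/useradd now matches dot-paths at any depth, and since `@{HOME}` normally expands to every home directory rather than only the one being created, the rule also grants write on existing users' trees such as `.ssh/` and `.gnupg/`. The recursion is presumably needed so nested entries under /etc/skel can be copied, and the profile cannot name the new home ahead of time, but the widening should be recorded next to the rule. A comment such as `# .** rather than .*: skel may hold nested dot-directories; applies to every home, not only the new one` would do. The profile body starts and ends outside the hunk.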
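Review bot: Appending `|| true` to `chsh --list-shells` in tests/bats/chsh.bats, and to the three `lsusb` calls in tests/bats/lsusb.bats, throws the exit status away, so a missing binary, an unsupported option and a command blocked outright by the profile all look like success and the test rests entirely on `aa_check`. The bats `run` helper tolerates a non-zero exit while keeping `$status` and `$output` for the failure report: `run chsh --list-shells`, `run lsusb`. If the non-zero exit is expected only on hosts without a USB bus, or where chsh lacks `--list-shells`, a one-line comment saying so would tell the next reader why the status is ignored.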