Merge add dbus-broker support on regression tests

dbus-broker requires some modification of the test suite. In summary: * refactor to support starting and stopping both dbus and dbus-broker. * Make it so we can run the tests on each, where appropriate * skip unrequested reply and eavesdrop tests for dbus broker because they are not supported. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/965 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net> (cherry picked from commit 223036d952) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 16:35:02 +01:00 · 2023-01-07 00:08:10 +00:00 · 2023-01-07 00:08:10 +00:00 · 0295fadab3
commit 0295fadab3
parent 5bc35342ed
5 changed files with 396 additions and 213 deletions
--- a/tests/regression/apparmor/dbus.inc
+++ b/tests/regression/apparmor/dbus.inc
@ -13,6 +13,7 @@ gendbusprofile()
 ${__dbus_var_decl}
 $test {
  @{gen $test}
+  $outfile w,
  unix,
  $*
  signal receive peer=unconfined,
@ -30,12 +31,108 @@ set_dbus_var()
  __dbus_var_decl=$@
 }

-start_bus()
+cleanup_dbus_broker()
 {
+	rm -f /etc/systemd/system/dbus-apparmor-test.socket
+	rm -f /etc/systemd/system/dbus-apparmor-test.service
+	# don't stop test execution if systemctl is not available
+	systemctl daemon-reload 2>/dev/null || true
+}
+
+kill_dbus_broker()
+{
+	if [ $(systemctl is-active dbus-apparmor-test.service) == "active" ]
+	then
+		if ! systemctl -q stop dbus-apparmor-test.service
+		then
+			echo "Failed to stop DBus broker service"
+		fi
+	fi
+
+	if [ $(systemctl is-active dbus-apparmor-test.socket) == "active" ]
+	then
+		if ! systemctl -q stop dbus-apparmor-test.socket
+		then
+			echo "Failed to stop DBus broker socket"
+		fi
+	fi
+
+	cleanup_dbus_broker
+}
+
+start_dbus_broker()
+{
+	# TODO: remove systemd dependency from DBus Broker tests
+	if [ ! -d /run/systemd/system/ ]
+	then
+		echo "Error: DBus Broker tests require systemd"
+		return 1
+	fi
+
+	if [ $(which dbus-broker-launch > /dev/null; echo $?) -ne 0 ]
+	then
+		echo "Error: dbus-broker-launch not available"
+		return 1
+	fi
+
+	bus_addr=$(mktemp --dry-run /tmp/dbus-XXXXXX)
+
+	dbus_test_socket="
+[Unit]
+Description=AppArmor D-Bus Broker Test Socket
+
+[Socket]
+ListenStream=@$bus_addr
+"
+	dbus_test_service="
+[Unit]
+Description=AppArmor D-Bus Broker Test Service
+After=dbus-apparmor-test.socket
+Requires=dbus-apparmor-test.socket
+
+[Service]
+Sockets=dbus-apparmor-test.socket
+StartLimitBurst=0
+ExecStart=dbus-broker-launch --scope system --audit --config-file=$(pwd)/dbus.conf
+
+[Install]
+WantedBy=default.target
+"
+	echo "$dbus_test_socket" > /etc/systemd/system/dbus-apparmor-test.socket
+	echo "$dbus_test_service" > /etc/systemd/system/dbus-apparmor-test.service
+
+	systemctl daemon-reload
+
+	if ! systemctl -q start dbus-apparmor-test
+	then
+		echo "Error: Failed to start DBus broker launcher"
+		return 1
+	fi
+
+	do_onexit="kill_dbus_broker"
+
+	export DBUS_SESSION_BUS_ADDRESS="unix:abstract=$bus_addr"
+	return 0
+}
+
+kill_dbus_daemon()
+{
+	kill $bus_pid >/dev/null 2>&1 || true
+}
+
+start_dbus_daemon()
+{
+	if [ $(which dbus-daemon > /dev/null; echo $?) -ne 0 ]
+	then
+		echo "Error: dbus-daemon not available"
+		return 1
+	fi
+
 	out=$(dbus-daemon --fork --print-pid --print-address --config-file=dbus.conf)
 	if [ $? -ne 0 ]
 	then
-		fatalerror "Failed to start DBus daemon"
+		echo "Failed to start DBus daemon"
+		return 1
 	fi

 	bus_addr=$(echo $out | cut -d\  -f 1)
@ -48,11 +145,13 @@ start_bus()
 	kill -0 $bus_pid 2>/dev/null
 	if [ $? -ne 0 ]
 	then
-		fatalerror "DBus daemon unexpectedly stopped"
+		echo "DBus daemon unexpectedly stopped"
+		return 1
 	fi

-	do_onexit="kill $bus_pid"
+	do_onexit="kill_dbus_daemon"
 	export DBUS_SESSION_BUS_ADDRESS=$bus_addr
+	return 0
 }

 bus="session"
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@ -24,55 +24,77 @@ requires_parser_support "dbus,"

 args="--session"

-start_bus
-
-# Make sure we can eavesdrop unconfined
-
 settest dbus_eavesdrop

-runchecktest "eavesdrop (unconfined)" pass $args
+run_tests()
+{
+	# Make sure we can eavesdrop unconfined

-# Make sure we get denials when confined but not allowed
+	runchecktest "eavesdrop (unconfined)" pass $args

-genprofile
-runchecktest "eavesdrop (confined w/o dbus perms)" fail $args
+	# Make sure we get denials when confined but not allowed

-gendbusprofile "dbus send,"
-runchecktest "eavesdrop (confined w/ only send allowed)" fail $args
+	gendbusprofile
+	runchecktest "eavesdrop (confined w/o dbus perms)" fail $args

-gendbusprofile "dbus eavesdrop,"
-runchecktest "eavesdrop (confined w/ only eavesdrop allowed)" fail $args
+	gendbusprofile "dbus send,"
+	runchecktest "eavesdrop (confined w/ only send allowed)" fail $args

-# Make sure we're okay when confined with appropriate permissions
+	gendbusprofile "dbus eavesdrop,"
+	runchecktest "eavesdrop (confined w/ only eavesdrop allowed)" fail $args

-gendbusprofile "dbus,"
-runchecktest "eavesdrop (dbus allowed)" pass $args
+	# Make sure we're okay when confined with appropriate permissions

-gendbusprofile "dbus (send eavesdrop),"
-runchecktest "eavesdrop (send, eavesdrop allowed)" pass $args
+	gendbusprofile "dbus,"
+	runchecktest "eavesdrop (dbus allowed)" pass $args

-gendbusprofile "dbus (send eavesdrop) bus=session,"
-runchecktest "eavesdrop (send, eavesdrop allowed w/ bus conditional)" pass $args
+	gendbusprofile "dbus (send eavesdrop),"
+	runchecktest "eavesdrop (send, eavesdrop allowed)" pass $args

-gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus \
+	gendbusprofile "dbus (send eavesdrop) bus=session,"
+	runchecktest "eavesdrop (send, eavesdrop allowed w/ bus conditional)" pass $args
+
+	gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus \
 			interface=org.freedesktop.DBus \
 			member=Hello, \
 		dbus send bus=session path=/org/freedesktop/DBus \
 			interface=org.freedesktop.DBus \
 			member=AddMatch, \
 		dbus eavesdrop bus=session,"
-runchecktest "eavesdrop (send, eavesdrop allowed w/ bus and send member conditionals)" pass $args
+	runchecktest "eavesdrop (send, eavesdrop allowed w/ bus and send member conditionals)" pass $args

-gendbusprofile "dbus send, \
+	gendbusprofile "dbus send, \
 		audit dbus eavesdrop,"
-runchecktest "eavesdrop (send allowed, eavesdrop audited)" pass $args
+	runchecktest "eavesdrop (send allowed, eavesdrop audited)" pass $args

-# Make sure we're denied when confined without appropriate conditionals
+	# Make sure we're denied when confined without appropriate conditionals

-gendbusprofile "dbus send bus=session, \
+	gendbusprofile "dbus send bus=session, \
 		dbus eavesdrop bus=system,"
-runchecktest "eavesdrop (wrong bus)" fail $args
+	runchecktest "eavesdrop (wrong bus)" fail $args

-gendbusprofile "dbus send, \
+	gendbusprofile "dbus send, \
 		deny dbus eavesdrop,"
-runchecktest "eavesdrop (send allowed, eavesdrop denied)" fail $args
+	runchecktest "eavesdrop (send allowed, eavesdrop denied)" fail $args
+
+	# don't forget to remove the profile so the test can run again
+	removeprofile
+}
+
+if start_dbus_daemon
+then
+	run_tests
+	kill_dbus_daemon
+else
+	echo "Starting DBus Daemon failed. Skipping tests..."
+fi
+
+# Eavesdropping is deprecated in DBus Broker
+# from https://github.com/bus1/dbus-broker/wiki/Deviations
+#
+# "The concept of eavesdropping has been deprecated in favor of
+# monitoring upstream ... For the time being eavesdropping is not
+# implemented in dbus-broker."
+#
+# TODO: add tests for the "BecomeMonitor" method
+echo "DBus Broker does not support eavesdrop. Skipping tests..."
--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@ -36,120 +36,141 @@ message_gendbusprofile()
  $*"
 }

-start_bus
-
 settest dbus_message

-# Make sure can send unconfined
+run_tests()
+{
+	# Make sure can send unconfined

-runchecktest "message (unconfined)" pass $unconfined_args
+	runchecktest "message (unconfined)" pass $unconfined_args

-# Make sure send is denied when confined but not allowed
+	# Make sure send is denied when confined but not allowed

-message_gendbusprofile
-runchecktest "message (confined w/o dbus allowed)" fail $confined_args
+	message_gendbusprofile
+	runchecktest "message (confined w/o dbus allowed)" fail $confined_args

-message_gendbusprofile "dbus receive,"
-runchecktest "message (receive allowed)" fail $confined_args
+	message_gendbusprofile "dbus receive,"
+	runchecktest "message (receive allowed)" fail $confined_args

-message_gendbusprofile "dbus bind,"
-runchecktest "message (bind allowed)" fail $confined_args
+	message_gendbusprofile "dbus bind,"
+	runchecktest "message (bind allowed)" fail $confined_args

-message_gendbusprofile "dbus (receive, bind),"
-runchecktest "message (receive bind allowed)" fail $confined_args
+	message_gendbusprofile "dbus (receive, bind),"
+	runchecktest "message (receive bind allowed)" fail $confined_args

-# Make sure send is allowed when confined with appropriate permissions
+	# Make sure send is allowed when confined with appropriate permissions

-message_gendbusprofile "dbus,"
-runtestfg "message (dbus allowed)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus,"
+	runtestfg "message (dbus allowed)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-message_gendbusprofile "dbus send,"
-runtestfg "message (send allowed)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus send,"
+	runtestfg "message (send allowed)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-message_gendbusprofile "dbus (send, receive),"
-runtestfg "message (send receive allowed)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus (send, receive),"
+	runtestfg "message (send receive allowed)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-message_gendbusprofile "dbus (send, bind),"
-runtestfg "message (send bind allowed)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus (send, bind),"
+	runtestfg "message (send bind allowed)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-message_gendbusprofile "dbus (send, receive, bind),"
-runtestfg "message (send receive bind allowed)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus (send, receive, bind),"
+	runtestfg "message (send receive bind allowed)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-# Make sure send is allowed when confined with appropriate permissions along
-# with conditionals
+	# Make sure send is allowed when confined with appropriate permissions along
+	# with conditionals

-message_gendbusprofile "dbus send bus=session,"
-runtestfg "message (send allowed w/ bus)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus send bus=session,"
+	runtestfg "message (send allowed w/ bus)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-message_gendbusprofile "dbus send bus=session peer=(name=org.freedesktop.DBus),"
-runtestfg "message (send allowed w/ bus, dest)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus send bus=session peer=(name=org.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ bus, dest)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus peer=(name=org.freedesktop.DBus),"
-runchecktest "message (send allowed w/ bus, dest, path)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus peer=(name=org.freedesktop.DBus),"
+	runchecktest "message (send allowed w/ bus, dest, path)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus peer=(name=org.freedesktop.DBus),"
-runtestfg "message (send allowed w/ bus, dest, path, interface)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus peer=(name=org.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ bus, dest, path, interface)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,ListNames} peer=(name=org.freedesktop.DBus),"
-runtestfg "message (send allowed w/ bus, dest, path, interface, method)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,ListNames} peer=(name=org.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ bus, dest, path, interface, method)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-# Make sure send is allowed when confined with appropriate permissions along
-# with conditionals and variables (same tests as above, with vars)
+	# Make sure send is allowed when confined with appropriate permissions along
+	# with conditionals and variables (same tests as above, with vars)

-set_dbus_var "@{BUSES}=session system"
-message_gendbusprofile "dbus send bus=@{BUSES},"
-runtestfg "message (send allowed w/ bus)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	set_dbus_var "@{BUSES}=session system"
+	message_gendbusprofile "dbus send bus=@{BUSES},"
+	runtestfg "message (send allowed w/ bus)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-set_dbus_var "@{PEERNAMES}=com.ubuntu.what net.apparmor.wiki org.freedesktop.DBus"
-message_gendbusprofile "dbus send bus=session peer=(name=@{PEERNAMES}),"
-runtestfg "message (send allowed w/ bus, dest)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	set_dbus_var "@{PEERNAMES}=com.ubuntu.what net.apparmor.wiki org.freedesktop.DBus"
+	message_gendbusprofile "dbus send bus=session peer=(name=@{PEERNAMES}),"
+	runtestfg "message (send allowed w/ bus, dest)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-set_dbus_var "@{PATHNAMES}=DBus spork spoon spork"
-message_gendbusprofile "dbus send bus=session path=/org/freedesktop/@{PATHNAMES} peer=(name=org.freedesktop.DBus),"
-runchecktest "message (send allowed w/ bus, dest, path)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	set_dbus_var "@{PATHNAMES}=DBus spork spoon spork"
+	message_gendbusprofile "dbus send bus=session path=/org/freedesktop/@{PATHNAMES} peer=(name=org.freedesktop.DBus),"
+	runchecktest "message (send allowed w/ bus, dest, path)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-set_dbus_var "@{INTERFACE_NAMES}=DBus spork spoon spork"
-message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.@{INTERFACE_NAMES} peer=(name=org.freedesktop.DBus),"
-runtestfg "message (send allowed w/ bus, dest, path, interface)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	set_dbus_var "@{INTERFACE_NAMES}=DBus spork spoon spork"
+	message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.@{INTERFACE_NAMES} peer=(name=org.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ bus, dest, path, interface)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-set_dbus_var "@{MEMBERS}=Hello ListNames Spork Spoon"
-message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=@{MEMBERS} peer=(name=org.freedesktop.DBus),"
-runtestfg "message (send allowed w/ bus, dest, path, interface, method)" pass $confined_args
-checktestfg "compare_logs $unconfined_log eq $confined_log"
+	set_dbus_var "@{MEMBERS}=Hello ListNames Spork Spoon"
+	message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=@{MEMBERS} peer=(name=org.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ bus, dest, path, interface, method)" pass $confined_args
+	checktestfg "compare_logs $unconfined_log eq $confined_log"

-# Make sure send is denied when confined with appropriate permissions along
-# with incorrect conditionals
+	# Make sure send is denied when confined with appropriate permissions along
+	# with incorrect conditionals

-message_gendbusprofile "dbus send bus=system,"
-runtestfg "message (send allowed w/ wrong bus)" fail $confined_args
-checktestfg "compare_logs $unconfined_log ne $confined_log"
+	message_gendbusprofile "dbus send bus=system,"
+	runtestfg "message (send allowed w/ wrong bus)" fail $confined_args
+	checktestfg "compare_logs $unconfined_log ne $confined_log"

-message_gendbusprofile "dbus send bus=session peer=(name=com.freedesktop.DBus),"
-runtestfg "message (send allowed w/ wrong dest)" fail $confined_args
-checktestfg "compare_logs $unconfined_log ne $confined_log"
+	message_gendbusprofile "dbus send bus=session peer=(name=com.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ wrong dest)" fail $confined_args
+	checktestfg "compare_logs $unconfined_log ne $confined_log"

-message_gendbusprofile "dbus send bus=session path=/bad/freedesktop/DBus peer=(name=bad.freedesktop.DBus),"
-runtestfg "message (send allowed w/ wrong path)" fail $confined_args
-checktestfg "compare_logs $unconfined_log ne $confined_log"
+	message_gendbusprofile "dbus send bus=session path=/bad/freedesktop/DBus peer=(name=bad.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ wrong path)" fail $confined_args
+	checktestfg "compare_logs $unconfined_log ne $confined_log"

-message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=bad.freedesktop.DBus peer=(name=bad.freedesktop.DBus),"
-runtestfg "message (send allowed w/ wrong interface)" fail $confined_args
-checktestfg "compare_logs $unconfined_log ne $confined_log"
+	message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=bad.freedesktop.DBus peer=(name=bad.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ wrong interface)" fail $confined_args
+	checktestfg "compare_logs $unconfined_log ne $confined_log"

-message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=com.freedesktop.DBus member=Hello peer=(name=bad.freedesktop.DBus),"
-runtestfg "message (send allowed w/ wrong method)" fail $confined_args
-checktestfg "compare_logs $unconfined_log ne $confined_log"
+	message_gendbusprofile "dbus send bus=session path=/org/freedesktop/DBus interface=com.freedesktop.DBus member=Hello peer=(name=bad.freedesktop.DBus),"
+	runtestfg "message (send allowed w/ wrong method)" fail $confined_args
+	checktestfg "compare_logs $unconfined_log ne $confined_log"
+
+	# don't forget to remove the profile so the test can run again
+	removeprofile
+}
+
+if start_dbus_daemon
+then
+	run_tests
+	kill_dbus_daemon
+else
+	echo "Starting DBus Daemon failed. Skipping tests..."
+fi
+
+if start_dbus_broker
+then
+	run_tests
+	kill_dbus_broker
+else
+	echo "Starting DBus Broker failed. Skipping tests..."
+	cleanup_dbus_broker
+fi
--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@ -65,75 +65,96 @@ service_gendbusprofile()
  $*"
 }

-start_bus
-
-# Make sure we can bind a bus name and receive a message unconfined
-
 settest dbus_service

-service_runtestbg "service (unconfined)" pass $confined_log
-sendmethod
-sendsignal
-service_checktestbg
+run_tests()
+{
+	# Make sure we can bind a bus name and receive a message unconfined

-# Make sure we get denials when confined but not allowed
+	service_runtestbg "service (unconfined)" pass $confined_log
+	sendmethod
+	sendsignal
+	service_checktestbg

-genprofile
-service_runchecktest "service (confined w/o dbus perms)" fail
+	# Make sure we get denials when confined but not allowed

-service_gendbusprofile "dbus send,"
-service_runchecktest "service (send allowed)" fail
+	genprofile
+	service_runchecktest "service (confined w/o dbus perms)" fail

-service_gendbusprofile "dbus receive,"
-service_runchecktest "service (receive allowed)" fail
+	service_gendbusprofile "dbus send,"
+	service_runchecktest "service (send allowed)" fail

-service_gendbusprofile "dbus bind,"
-service_runchecktest "service (bind allowed)" fail
+	service_gendbusprofile "dbus receive,"
+	service_runchecktest "service (receive allowed)" fail

-# Make sure we're okay when confined with appropriate permissions
+	service_gendbusprofile "dbus bind,"
+	service_runchecktest "service (bind allowed)" fail

-service_gendbusprofile "dbus,"
-service_runtestbg "service (dbus allowed)" pass $unconfined_log
-sendmethod
-sendsignal
-service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	# Make sure we're okay when confined with appropriate permissions

-service_gendbusprofile "dbus (send, receive, bind),"
-service_runtestbg "service (send receive bind allowed)" pass $unconfined_log
-sendmethod
-sendsignal
-service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	service_gendbusprofile "dbus,"
+	service_runtestbg "service (dbus allowed)" pass $unconfined_log
+	sendmethod
+	sendsignal
+	service_checktestbg "compare_logs $unconfined_log eq $confined_log"

-service_gendbusprofile "dbus (send receive bind) bus=session,"
-service_runtestbg "service (send receive bind w/ bus)" pass $unconfined_log
-sendmethod
-sendsignal
-service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	service_gendbusprofile "dbus (send, receive, bind),"
+	service_runtestbg "service (send receive bind allowed)" pass $unconfined_log
+	sendmethod
+	sendsignal
+	service_checktestbg "compare_logs $unconfined_log eq $confined_log"

-service_gendbusprofile "dbus bind bus=session name=$dest, \
+	service_gendbusprofile "dbus (send receive bind) bus=session,"
+	service_runtestbg "service (send receive bind w/ bus)" pass $unconfined_log
+	sendmethod
+	sendsignal
+	service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+
+	service_gendbusprofile "dbus bind bus=session name=$dest, \
 		dbus receive bus=session, \
 		dbus send bus=session peer=(name=org.freedesktop.DBus),"
-service_runtestbg "service (receive bind w/ bus, dest)" pass $unconfined_log
-sendmethod
-sendsignal
-service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	service_runtestbg "service (receive bind w/ bus, dest)" pass $unconfined_log
+	sendmethod
+	sendsignal
+	service_checktestbg "compare_logs $unconfined_log eq $confined_log"

-service_gendbusprofile "dbus bind bus=session name=$dest, \
+	service_gendbusprofile "dbus bind bus=session name=$dest, \
 		dbus receive bus=session, \
 		dbus send bus=session peer=(name=org.freedesktop.DBus),"
-service_runtestbg "service (receive bind w/ bus, dest)" pass $unconfined_log
-sendmethod
-sendsignal
-service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	service_runtestbg "service (receive bind w/ bus, dest)" pass $unconfined_log
+	sendmethod
+	sendsignal
+	service_checktestbg "compare_logs $unconfined_log eq $confined_log"

-# Make sure we're denied when confined without appropriate conditionals
+	# Make sure we're denied when confined without appropriate conditionals

-service_gendbusprofile "dbus bind bus=system name=$dest, \
+	service_gendbusprofile "dbus bind bus=system name=$dest, \
 		dbus receive bus=system, \
 		dbus send bus=session peer=(name=org.freedesktop.DBus),"
-service_runchecktest "service (receive bind w/ wrong bus)" fail
+	service_runchecktest "service (receive bind w/ wrong bus)" fail

-service_gendbusprofile "dbus bind bus=session name=${dest}.BAD, \
+	service_gendbusprofile "dbus bind bus=session name=${dest}.BAD, \
 		dbus receive bus=session, \
 		dbus send bus=session peer=(name=org.freedesktop.DBus),"
-service_runchecktest "service (receive bind w/ wrong dest)" fail
+	service_runchecktest "service (receive bind w/ wrong dest)" fail
+
+	# don't forget to remove the profile so the test can run again
+	removeprofile
+}
+
+if start_dbus_daemon
+then
+	run_tests
+	kill_dbus_daemon
+else
+	echo "Starting DBus Daemon failed. Skipping tests..."
+fi
+
+if start_dbus_broker
+then
+	run_tests
+	kill_dbus_broker
+else
+	echo "Starting DBus Broker failed. Skipping tests..."
+	cleanup_dbus_broker
+fi
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@ -66,62 +66,82 @@ ur_gendbusprofile()
  $*"
 }

-start_bus
-
 settest dbus_service

-# Start a dbus service and send unrequested method_return and error messages to
-# the service. The service should always start and stop just fine. The test
-# results hinge on comparing the message log from confined services to the
-# message log from the initial unconfined run.
+run_tests()
+{
+	# Start a dbus service and send unrequested method_return and error messages to
+	# the service. The service should always start and stop just fine. The test
+	# results hinge on comparing the message log from confined services to the
+	# message log from the initial unconfined run.

-# Do an unconfined run to get an "expected" log for comparisons
-ur_runtestbg "unrequested_reply (method_return, unconfined)" pass $unconfined_log
-sendmethodreturn
-ur_checktestbg
+	# Do an unconfined run to get an "expected" log for comparisons
+	ur_runtestbg "unrequested_reply (method_return, unconfined)" pass $unconfined_log
+	sendmethodreturn
+	ur_checktestbg

-# All dbus perms are granted so the logs should be equal
-ur_gendbusprofile "dbus,"
-ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
-sendmethodreturn
-ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	# All dbus perms are granted so the logs should be equal
+	ur_gendbusprofile "dbus,"
+	ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
+	sendmethodreturn
+	ur_checktestbg "compare_logs $unconfined_log eq $confined_log"

-# Only send perm is granted so the confined service should not be able to
-# receive unrequested replies from the client
-ur_gendbusprofile "dbus send,"
-ur_runtestbg "unrequested_reply (method_return, send allowed)" pass $confined_log
-sendmethodreturn
-ur_checktestbg "compare_logs $unconfined_log ne $confined_log"
+	# Only send perm is granted so the confined service should not be able to
+	# receive unrequested replies from the client
+	ur_gendbusprofile "dbus send,"
+	ur_runtestbg "unrequested_reply (method_return, send allowed)" pass $confined_log
+	sendmethodreturn
+	ur_checktestbg "compare_logs $unconfined_log ne $confined_log"

-# Send and receive perms are granted so the logs should be equal
-ur_gendbusprofile "dbus (send receive),"
-ur_runtestbg "unrequested_reply (method_return, send receive allowed)" pass $confined_log
-sendmethodreturn
-ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	# Send and receive perms are granted so the logs should be equal
+	ur_gendbusprofile "dbus (send receive),"
+	ur_runtestbg "unrequested_reply (method_return, send receive allowed)" pass $confined_log
+	sendmethodreturn
+	ur_checktestbg "compare_logs $unconfined_log eq $confined_log"

-# Now test unrequested error replies
+	# Now test unrequested error replies

-# Do an unconfined run to get an "expected" log for comparisons
-removeprofile
-ur_runtestbg "unrequested_reply (error, unconfined)" pass $unconfined_log
-senderror
-ur_checktestbg
+	# Do an unconfined run to get an "expected" log for comparisons
+	removeprofile
+	ur_runtestbg "unrequested_reply (error, unconfined)" pass $unconfined_log
+	senderror
+	ur_checktestbg

-# All dbus perms are granted so the logs should be equal
-ur_gendbusprofile "dbus,"
-ur_runtestbg "unrequested_reply (error, dbus allowed)" pass $confined_log
-senderror
-ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	# All dbus perms are granted so the logs should be equal
+	ur_gendbusprofile "dbus,"
+	ur_runtestbg "unrequested_reply (error, dbus allowed)" pass $confined_log
+	senderror
+	ur_checktestbg "compare_logs $unconfined_log eq $confined_log"

-# Only send perm is granted so the confined service should not be able to
-# receive unrequested replies from the client
-ur_gendbusprofile "dbus send,"
-ur_runtestbg "unrequested_reply (error, send allowed)" pass $confined_log
-senderror
-ur_checktestbg "compare_logs $unconfined_log ne $confined_log"
+	# Only send perm is granted so the confined service should not be able to
+	# receive unrequested replies from the client
+	ur_gendbusprofile "dbus send,"
+	ur_runtestbg "unrequested_reply (error, send allowed)" pass $confined_log
+	senderror
+	ur_checktestbg "compare_logs $unconfined_log ne $confined_log"

-# Send and receive perms are granted so the logs should be equal
-ur_gendbusprofile "dbus (send receive),"
-ur_runtestbg "unrequested_reply (error, send receive allowed)" pass $confined_log
-senderror
-ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	# Send and receive perms are granted so the logs should be equal
+	ur_gendbusprofile "dbus (send receive),"
+	ur_runtestbg "unrequested_reply (error, send receive allowed)" pass $confined_log
+	senderror
+	ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+
+	# don't forget to remove the profile so the test can run again
+	removeprofile
+}
+
+if start_dbus_daemon
+then
+	run_tests
+	kill_dbus_daemon
+else
+	echo "Starting DBus Daemon failed. Skipping tests..."
+fi
+
+# Unrequested replies are not supported by DBus Broker
+# from https://github.com/bus1/dbus-broker/wiki/Deviations
+#
+# "... dbus-broker only allows expected replies, and those are allowed
+# unconditionally. Unexpected-replies and Reply-filtering have no
+# known users (nor use-cases), hence support has been dropped..."
+echo "DBus Broker does not support unrequested replies. Skipping tests..."