tests: add option to append a profile to a profile already generated
Some of the tests using the --stdin option of mkprofile.pl are adding more than one profile at a time. Whenever a profile is created in the test, its name is added to the file profile.names so the test infrastructure can tell if the profile is loaded or removed when appropriate. The issue is that the name of the second profile created by --stdin is not added, so these checks are not applied. This patch adds the option of appending a second profile (not rules). The option --append was used instead of a short -A because the short options are arguments of mkprofile.pl, which --append is not. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
parent
9cc40e2dca
commit
0307619ed9
11 changed files with 60 additions and 29 deletions
|
@ -31,11 +31,12 @@ genprofile_aa_exec()
|
|||
mode="(complain) "
|
||||
fi
|
||||
fi
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$1 --stdin <<EOF
|
||||
$1 ${mode}{
|
||||
file,
|
||||
}
|
||||
|
||||
EOF
|
||||
genprofile --append image=:${ns}:${1} --stdin <<EOF
|
||||
:${ns}:${1} ${mode}{
|
||||
file,
|
||||
}
|
||||
|
@ -81,11 +82,12 @@ genprofile_aa_exec "$test" 0
|
|||
runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
all,
|
||||
}
|
||||
|
||||
EOF
|
||||
genprofile --append image=:${ns}:${test} --stdin <<EOF
|
||||
:${ns}:${test} {
|
||||
all,
|
||||
}
|
||||
|
|
|
@ -80,8 +80,10 @@ runchecktest_errno EACCES "CHANGEPROFILE_RE (nochange access subfile)" fail noch
|
|||
runchecktest_errno EACCES "CHANGEPROFILE_RE (access file)" fail $fqsubtest $file
|
||||
runchecktest "CHANGEPROFILE_RE (access sub file)" pass $fqsubtest $subfile
|
||||
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test { file, change_profile -> ${nstest}, }
|
||||
EOF
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest { $subfile ${okperm}, }
|
||||
EOF
|
||||
expected_result=pass
|
||||
|
@ -103,8 +105,10 @@ else
|
|||
runchecktest "CHANGEPROFILE_STACK (access file)" fail "&$othertest" $file
|
||||
runchecktest "CHANGEPROFILE_STACK (access stack file)" pass "&$othertest" $stackfile
|
||||
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test { file, audit deny $subfile $okperm, $stackfile $okperm, change_profile -> &${nstest}, }
|
||||
EOF
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest { $subfile $okperm, $stackfile $okperm, }
|
||||
EOF
|
||||
runchecktest "CHANGEPROFILE_NS_STACK (nochange access file)" pass nochange $file
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
gendbusprofile()
|
||||
{
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
${__dbus_var_decl}
|
||||
$test {
|
||||
@{gen $test}
|
||||
|
|
|
@ -34,7 +34,7 @@ load_and_verify() {
|
|||
# Write to cache
|
||||
parser_args="${parser_config} -q -W"
|
||||
|
||||
echo "profile $prof {}" | genprofile --stdin
|
||||
echo "profile $prof {}" | genprofile image=$prof --stdin
|
||||
|
||||
cache_md5=$(cat $cache_dir/profile | md5sum | awk '{ print $1 }')
|
||||
|
||||
|
|
|
@ -111,14 +111,16 @@ ns="ns"
|
|||
prof="stackprofile"
|
||||
nstest=":${ns}:${prof}"
|
||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
file,
|
||||
audit deny $otherfile $okperm,
|
||||
audit deny $thirdfile $okperm,
|
||||
$test ix -> &$nstest,
|
||||
}
|
||||
EOF
|
||||
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest {
|
||||
file,
|
||||
audit deny $file $okperm,
|
||||
|
|
|
@ -42,7 +42,7 @@ genprofile_ns() {
|
|||
|
||||
# override the sys_profiles variable with a bad path so that genprofile
|
||||
# doesn't perform profile load checking in the wrong policy namespace
|
||||
echo "${prefix}:${ns}:${prof} {}" | sys_profiles="${sys_profiles}XXX" genprofile --stdin
|
||||
echo "${prefix}:${ns}:${prof} {}" | sys_profiles="${sys_profiles}XXX" genprofile image=:${ns}:${prof} --stdin
|
||||
echo "$ns"
|
||||
}
|
||||
|
||||
|
|
|
@ -99,7 +99,7 @@ else
|
|||
|
||||
#Verify that NNP allows stacking a new policy namespace
|
||||
#must use stdin with genprofile for namespaces
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
@{gen_bin $test}
|
||||
@{gen_def}
|
||||
|
@ -107,6 +107,8 @@ $test {
|
|||
/proc/*/attr/current w,
|
||||
change_profile-> &:nnp:unconfined,
|
||||
}
|
||||
EOF
|
||||
genprofile --append image=:nnp:$bin/open --stdin <<EOF
|
||||
:nnp:$bin/open {
|
||||
@{gen_bin $bin/open}
|
||||
@{gen_def}
|
||||
|
@ -120,7 +122,7 @@ EOF
|
|||
runchecktest "NNP (stack :nnp:open - no NNP)" fail -p ":nnp:$bin/open" -f "$file"
|
||||
runchecktest "NNP (stack :nnp:open - NNP)" fail -n -p ":nnp:$bin/open" -f "$file"
|
||||
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
@{gen_bin $test}
|
||||
@{gen_def}
|
||||
|
@ -128,6 +130,8 @@ $test {
|
|||
/proc/*/attr/current w,
|
||||
change_profile-> &:nnp:$bin/open,
|
||||
}
|
||||
EOF
|
||||
genprofile --append image=:nnp:$bin/open --stdin <<EOF
|
||||
:nnp:$bin/open {
|
||||
@{gen_bin $bin/open}
|
||||
@{gen_def}
|
||||
|
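Review bot: The appended namespaced profile introduced in the second hunk, from `genprofile --append image=:nnp:$bin/open --stdin <<EOF` through `@{gen_def}`, is repeated verbatim in the third hunk; now that it is a standalone genprofile call it could live in one small function (say `gen_nnp_open_profile`) invoked from both places, so the two copies cannot drift if the `:nnp:$bin/open` profile ever needs additional rules. Both heredoc bodies run past the end of their hunks, so whether they stay identical beyond `@{gen_def}` cannot be confirmed from the visible lines. Keeping `image=` and the profile header on the same literal string in one place would also make the name recorded in profile.names easier to audit.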
|
|
@ -420,6 +420,7 @@ fi
|
|||
|
||||
complainflag=""
|
||||
mkflags=""
|
||||
append="false"
|
||||
while /bin/true
|
||||
do
|
||||
case "$1" in
|
||||
|
@ -431,21 +432,27 @@ fi
|
|||
;;
|
||||
"-I") mkflags="${mkflags} -I"
|
||||
;;
|
||||
"--append") append="true"
|
||||
;;
|
||||
*) break
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
# save previous profile
|
||||
if [ -f $profile ]
|
||||
then
|
||||
mv $profile ${profile}.old
|
||||
mv $profilenames ${profilenames}.old
|
||||
fi
|
||||
if [ "$append" = "false" ]; then
|
||||
# save previous profile
|
||||
if [ -f $profile ]
|
||||
then
|
||||
mv $profile ${profile}.old
|
||||
mv $profilenames ${profilenames}.old
|
||||
fi
|
||||
|
||||
echo "abi <kernel>," >$profile
|
||||
num_emitted=0
|
||||
echo "abi <kernel>," >$profile
|
||||
num_emitted=0
|
||||
else
|
||||
num_emmited=$(wc -l < "$profilenames")
|
||||
fi
|
||||
|
||||
while /bin/true
|
||||
do
|
||||
|
@ -495,9 +502,12 @@ fi
|
|||
break
|
||||
done
|
||||
|
||||
if [ $append == "true" ]
|
||||
then
|
||||
replaceprofile
|
||||
# if old and new profiles consist of the same entries
|
||||
# we can do a replace, else remove/reload
|
||||
if [ $profileloaded -eq 1 ]
|
||||
elif [ $profileloaded -eq 1 ]
|
||||
then
|
||||
names1=$tmpdir/sorted1
|
||||
names2=$tmpdir/sorted2
|
||||
|
@ -507,13 +517,13 @@ fi
|
|||
if cmp -s $names1 $names2
|
||||
then
|
||||
replaceprofile
|
||||
else
|
||||
else
|
||||
removeprofile ${profile}.old
|
||||
loadprofile
|
||||
fi
|
||||
|
||||
rm -f $names1 $names2
|
||||
|
||||
|
||||
else
|
||||
loadprofile
|
||||
fi
|
||||
|
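Review bot: The variable assigned in the new `else` branch is misspelled — `num_emmited=$(wc -l < "$profilenames")` writes a different variable from the `num_emitted` that the non-append branch initialises, so in append mode the count is never taken from the names file; it should read `num_emitted=$(wc -l < "$profilenames")`. Since the function does not appear to declare the variable local, append mode would otherwise silently reuse whatever value the previous genprofile invocation left behind, which is presumably the behaviour this branch was meant to replace. The later check `if [ $append == "true" ]` uses `==` with an unquoted operand, while the branch above is written `if [ "$append" = "false" ]; then`; `if [ "$append" = "true" ]` keeps both in the portable form. If `--append` is used before any profile has been generated, `$profilenames` will not exist and the `wc -l <` redirection fails, so either guarding that case or documenting that --append requires a preceding genprofile call would help. The genprofile function starts and ends outside these hunks.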
|
|
@ -40,11 +40,12 @@ dbus_svc_query="session com.foo.baz"
|
|||
# granting anything specified in $@.
|
||||
genqueryprofile()
|
||||
{
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
file,
|
||||
}
|
||||
|
||||
EOF
|
||||
genprofile --append image=$qprof --stdin <<EOF
|
||||
$qprof {
|
||||
$@
|
||||
}
|
||||
|
|
|
@ -116,14 +116,16 @@ ns="ns"
|
|||
prof="stackonexec"
|
||||
nstest=":${ns}:${prof}"
|
||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
file,
|
||||
audit deny $otherfile $okperm,
|
||||
audit deny $thirdfile $okperm,
|
||||
change_profile -> &$nstest,
|
||||
}
|
||||
EOF
|
||||
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest {
|
||||
file,
|
||||
audit deny $file $okperm,
|
||||
|
@ -166,8 +168,10 @@ runchecktest "STACKONEXEC (complain mode - okcon)" pass -o $othertest -- $test -
|
|||
|
||||
# Verify that stacking with a bare namespace is handled. The process is placed
|
||||
# into the default profile of the namespace, which is unconfined.
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test { file, change_profile, }
|
||||
EOF
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest { }
|
||||
EOF
|
||||
runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:" -- $test -l unconfined -m "(null)"
|
||||
|
|
|
@ -115,13 +115,15 @@ ns="ns"
|
|||
prof="stackprofile"
|
||||
nstest=":${ns}:${prof}"
|
||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
file,
|
||||
audit deny $otherfile $okperm,
|
||||
change_profile -> &$nstest,
|
||||
}
|
||||
EOF
|
||||
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest {
|
||||
$otherfile $okperm,
|
||||
$sharedfile $okperm,
|
||||
|
@ -167,8 +169,10 @@ runchecktest "STACKPROFILE (complain mode - file)" pass -p $othertest -f $file
|
|||
runchecktest "STACKPROFILE (complain mode - okcon)" pass -p $othertest -l "${test}//&${othertest}" -m complain
|
||||
|
||||
# Verify that stacking with a bare namespace is handled
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test { file, change_profile, }
|
||||
EOF
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest { }
|
||||
EOF
|
||||
runchecktest "STACKPROFILE (bare :ns:)" pass -p ":${ns}:"
|
||||
|
|