The regression tests have issue on backport kernels when the userspace

has not been updated. The issue is that the regression tests detect the
kernel features set and generate policy that the parser may not be able
to compile.

Augment the regressions tests with a couple simple functions to test what
is supported by the parser, and update the test conditionals to use them.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>

tests/regression/apparmor/dbus_eavesdrop.sh

@@ -19,6 +19,7 @@ bin=$pwd
 
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 args="--session"

tests/regression/apparmor/dbus_message.sh

@@ -19,6 +19,7 @@ bin=$pwd
 
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"

tests/regression/apparmor/dbus_service.sh

@@ -18,6 +18,7 @@ bin=$pwd
 
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 service="--$bus --name=$dest $path $iface"

tests/regression/apparmor/dbus_unrequested_reply.sh

@@ -18,6 +18,7 @@ bin=$pwd
 
 . $bin/prologue.inc
 requires_features dbus
+requires_parser_support "dbus,"
 . $bin/dbus.inc
 
 service="--$bus --name=$dest $path $iface"

tests/regression/apparmor/deleted.sh

@@ -65,7 +65,7 @@ okperm=rwl
 badperm=wl
 af_unix=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	af_unix="unix:create"
 fi
 

tests/regression/apparmor/mount.sh

@@ -102,7 +102,7 @@ runchecktest "UMOUNT (confined no perm)" fail umount ${loop_device} ${mount_poin
 remove_mnt
 
 
-if [ "$(have_features mount)" != "true" ] ; then
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
 	genprofile capability:sys_admin
 	runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
 	remove_mnt

tests/regression/apparmor/named_pipe.sh

@@ -38,7 +38,7 @@ badchild=r
 # Add genprofile params that are common to all hats here
 common=""
 
-if [ "$(have_features signal)" == "true" ] ; then
+if [ "$(have_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
 	# Allow send/receive of all signals
 	common="${common} signal:ALL"
 fi

tests/regression/apparmor/pivot_root.sh

@@ -106,8 +106,8 @@ do_test "unconfined, bad context" fail "$put_old" "$new_root" "$bad"
 genprofile
 do_test "no perms" fail "$put_old" "$new_root" "$test"
 
-if [ "$(have_features mount)" != "true" ] ; then
-	# pivot_root mediation isn't supported by this kernel, so verify that
+if [ "$(have_features mount)" != "true" -o "$(parser_supports 'mount,')" != "true" ] ; then
+	# pivot_root mediation isn't supported by this kernel/parser, so verify that
 	# capability sys_admin is sufficient and skip the remaining tests
 	genprofile $cur $cap
 	do_test "cap" pass "$put_old" "$new_root" "$test"

tests/regression/apparmor/prologue.inc

@@ -58,6 +58,30 @@ requires_query_interface()
 	fi
 }
 
+parser_supports()
+{
+	for R in $@ ; do
+		echo "/test { $R }" | $subdomain ${parser_args} -qQT 2>/dev/null 1>/dev/null
+		if [ $? -ne 0 ] ; then
+			echo "Compiler does not support rule '$R'"
+			return 1;
+		fi
+	done
+
+	echo "true"
+	return 0;
+}
+
+requires_parser_support()
+{
+	local res=$(parser_supports $@)
+	if [ "$res" != "true" ] ; then
+		echo "$res. Skipping tests ..."
+		exit 0
+	fi
+}
+
+
 fatalerror()
 {
 	# global _fatal

tests/regression/apparmor/ptrace.sh

@@ -52,7 +52,7 @@ runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true
 runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true
 
 
-if [ "$(have_features ptrace)" == "true" ] ; then
+if [ "$(have_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
 	. $bin/ptrace_v6.inc
 else
 	. $bin/ptrace_v5.inc

tests/regression/apparmor/socketpair.sh

@@ -34,7 +34,7 @@ af_unix_create=""
 af_unix_create_label=""
 af_unix_inherit=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	# AppArmor requires that the process inheriting the sock file
 	# descriptors have send,receive perms in its profile
 	af_unix_create="unix:(create,getopt)"

tests/regression/apparmor/unix_fd_server.sh

@@ -27,7 +27,7 @@ okperm=rw
 badperm=w
 af_unix=""
 
-if [ "$(have_features network/af_unix)" == "true" ]; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	af_unix="unix:create"
 fi
 
@@ -137,7 +137,7 @@ runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd
 sleep 1
 rm -f ${socket}
 
-if [ "$(have_features policy/versions/v6)" == "true" ] ; then
+if [ "$(have_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
     # FAIL - confined client, no access to the socket file
 
     genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix 

tests/regression/apparmor/unix_socket_abstract.sh

@@ -30,6 +30,7 @@ bin=$pwd
 . $bin/unix_socket.inc
 requires_features policy/versions/v7
 requires_features network/af_unix
+requires_parser_support "unix,"
 
 settest unix_socket
 

tests/regression/apparmor/unix_socket_pathname.sh

@@ -52,7 +52,7 @@ fi
 # af_unix support requires 'unix getattr' to call getsockname()
 af_unix_okserver=
 af_unix_okclient=
-if [ "$(have_features network/af_unix)" == "true" ] ; then
+if [ "$(have_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
 	af_unix_okserver="create,setopt"
 	af_unix_okclient="create,getopt,setopt,getattr"
 fi

tests/regression/apparmor/unix_socket_unnamed.sh

@@ -30,6 +30,7 @@ bin=$pwd
 . $bin/unix_socket.inc
 requires_features policy/versions/v7
 requires_features network/af_unix
+requires_parser_support "unix,"
 
 settest unix_socket