diff --git a/tests/regression/apparmor/aa_exec.sh b/tests/regression/apparmor/aa_exec.sh
index bb1a4ec99..57241a72c 100755
--- a/tests/regression/apparmor/aa_exec.sh
+++ b/tests/regression/apparmor/aa_exec.sh
@@ -42,7 +42,7 @@ $1 ${mode}{ EOF }
-settest aa_exec_profile ${bin}/aa_exec_wrapper.sh
+settest aa_exec_profile "${bin}/aa_exec_wrapper.sh"
 genprofile_aa_exec "$test" 0 runchecktest "unconfined" pass "$aa_exec" "unconfined"
diff --git a/tests/regression/apparmor/attach_disconnected.sh b/tests/regression/apparmor/attach_disconnected.sh
index c764b89db..74a1a213c 100644
--- a/tests/regression/apparmor/attach_disconnected.sh
+++ b/tests/regression/apparmor/attach_disconnected.sh
@@ -28,7 +28,7 @@ file=$tmpdir/file socket=$tmpdir/unix_fd_test att_dis_client=$pwd/attach_disconnected
-. $bin/mount.inc
+. "$bin/mount.inc"
 attach_disconnected_cleanup() { if [ ! -z "$loop_device" ]; then
diff --git a/tests/regression/apparmor/capabilities.sh b/tests/regression/apparmor/capabilities.sh
index 1e3bf3fce..c3ff7d61c 100755
--- a/tests/regression/apparmor/capabilities.sh
+++ b/tests/regression/apparmor/capabilities.sh
@@ -139,18 +139,18 @@ for TEST in ${TESTS} ; do # okay, now check to see if the capability functions from within # a subprofile. settest ${testwrapper}
- genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
+ genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" ${my_entries}
 if [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ] ; then # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule # capability + ptrace rule needed between pids
- runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST} ${my_arg}
+ runchecktest "${TEST} changehat -- no caps" pass "$bin/${TEST}" ${my_arg}
 else
- runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
+ runchecktest "${TEST} changehat -- no caps" fail "$bin/${TEST}" ${my_arg}
 fi # all capabilities allowed
- genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
- runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg}
+ genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" cap:ALL ${my_entries}
+ runchecktest "${TEST} changehat -- all caps" ${expected} "$bin/${TEST}" ${my_arg}
 for cap in ${CAPABILITIES} ; do if [ ${expected} = "fail" ]; then
@@ -162,8 +162,8 @@ for TEST in ${TESTS} ; do else expected_result=fail fi
- genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries}
- runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} $bin/${TEST} ${my_arg}
+ genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" cap:${cap} ${my_entries}
+ runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} "$bin/${TEST}" ${my_arg}
 done done
diff --git a/tests/regression/apparmor/changehat_misc.sh b/tests/regression/apparmor/changehat_misc.sh
index 89b78525e..5ccba2794 100755
--- a/tests/regression/apparmor/changehat_misc.sh
+++ b/tests/regression/apparmor/changehat_misc.sh
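Review bot: `${my_entries}` and `${my_arg}` stay unquoted on every rewritten `genprofile`/`runchecktest` line in both capabilities.sh hunks, directly beside the newly quoted `$bin` paths, and nothing on the page says why. If they are meant to word-split into several profile rules or test arguments (their definitions are outside the hunks, so this is an assumption), a comment above the first call such as `# my_entries/my_arg are deliberately unquoted: each expands to several words` would stop a later quoting pass from collapsing them into one argument and silently changing the profile under test. The enclosing `for TEST in ${TESTS}` loop starts outside the hunks.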
@@ -77,7 +77,7 @@ runchecktest "CHANGEHAT (bad token)" signal9 ${subtest} settest changehat_wrapper
-genprofile hat:open addimage:${bin}/open ${file}:${okperm}
+genprofile hat:open "addimage:${bin}/open" ${file}:${okperm}
 runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open ${file} runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0 --exit_hat open ${file}
diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh
index 5888bcdad..2022667fb 100755
--- a/tests/regression/apparmor/dbus_eavesdrop.sh
+++ b/tests/regression/apparmor/dbus_eavesdrop.sh
@@ -20,7 +20,7 @@ bin=$pwd . "$bin/prologue.inc" requires_kernel_features dbus requires_parser_support "dbus,"
-. $bin/dbus.inc
+. "$bin/dbus.inc"
 args="--session"
diff --git a/tests/regression/apparmor/dbus_message.sh b/tests/regression/apparmor/dbus_message.sh
index 4654211f6..dda03cc23 100755
--- a/tests/regression/apparmor/dbus_message.sh
+++ b/tests/regression/apparmor/dbus_message.sh
@@ -20,7 +20,7 @@ bin=$pwd . "$bin/prologue.inc" requires_kernel_features dbus requires_parser_support "dbus,"
-. $bin/dbus.inc
+. "$bin/dbus.inc"
 listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
diff --git a/tests/regression/apparmor/dbus_service.sh b/tests/regression/apparmor/dbus_service.sh
index 9abaff302..d44965af4 100755
--- a/tests/regression/apparmor/dbus_service.sh
+++ b/tests/regression/apparmor/dbus_service.sh
@@ -19,7 +19,7 @@ bin=$pwd . "$bin/prologue.inc" requires_kernel_features dbus requires_parser_support "dbus,"
-. $bin/dbus.inc
+. "$bin/dbus.inc"
 service="--$bus --name=$dest $path $iface" unconfined_log="${tmpdir}/unconfined.log"
diff --git a/tests/regression/apparmor/dbus_unrequested_reply.sh b/tests/regression/apparmor/dbus_unrequested_reply.sh
index 1263f5d7f..3b9260653 100644
--- a/tests/regression/apparmor/dbus_unrequested_reply.sh
+++ b/tests/regression/apparmor/dbus_unrequested_reply.sh
@@ -19,7 +19,7 @@ bin=$pwd . "$bin/prologue.inc" requires_kernel_features dbus requires_parser_support "dbus,"
-. $bin/dbus.inc
+. "$bin/dbus.inc"
 service="--$bus --name=$dest $path $iface" unconfined_log="${tmpdir}/unconfined.log"
diff --git a/tests/regression/apparmor/link_subset.sh b/tests/regression/apparmor/link_subset.sh
index 46ecf29d7..6ab723fa6 100644
--- a/tests/regression/apparmor/link_subset.sh
+++ b/tests/regression/apparmor/link_subset.sh
@@ -25,8 +25,8 @@ bin=$pwd target=$tmpdir/target_ linkfile=$tmpdir/link_
-tfiles=`$bin/link_subset --filenames $target`
-lfiles=`$bin/link_subset --filenames $linkfile`
+tfiles=`"$bin/link_subset" --filenames $target`
+lfiles=`"$bin/link_subset" --filenames $linkfile`
 # unconfined test - no target file #runchecktest "unconfined - no target" fail $target $linkfile
diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh
index bc82619fb..fd87898b0 100755
--- a/tests/regression/apparmor/mount.sh
+++ b/tests/regression/apparmor/mount.sh
@@ -33,7 +33,7 @@ mount_bad=$tmpdir/mountbad loop_device="unset" fstype="ext2"
-. $bin/mount.inc
+. "$bin/mount.inc"
 setup_mnt() { /bin/mount -n -t${fstype} ${loop_device} ${mount_point}
diff --git a/tests/regression/apparmor/onexec.sh b/tests/regression/apparmor/onexec.sh
index f15f66fa4..df2566ea5 100644
--- a/tests/regression/apparmor/onexec.sh
+++ b/tests/regression/apparmor/onexec.sh
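Review bot: In the link_subset.sh hunk only the command path is quoted; `$target` and `$linkfile` are still expanded unquoted inside the backticks. Both are built from `$tmpdir` in the context lines just above, so a temporary directory containing whitespace or glob characters would still be split before `link_subset` receives it. Quoting the arguments and switching to `$(...)` completes the change: `tfiles=$("$bin/link_subset" --filenames "$target")` and `lfiles=$("$bin/link_subset" --filenames "$linkfile")`.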
@@ -53,75 +53,75 @@ do_test() # ONEXEC from UNCONFINED - don't change profile
-do_test "" unconfined nochange pass $bin/open $file
+do_test "" unconfined nochange pass "$bin/open" $file
 # ONEXEC from UNCONFINED - target does NOT exist
-genprofile image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
-do_test "" unconfined noexist fail $bin/open $file
+genprofile "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
+do_test "" unconfined noexist fail "$bin/open" $file
 # ONEXEC from UNCONFINED - change to rw profile, no exec profile to override
-genprofile image=$bin/rw $bin/open:rix $file:rw
-do_test "no px profile" unconfined $bin/rw pass $bin/open $file
+genprofile "image=$bin/rw" "$bin/open:rix" $file:rw
+do_test "no px profile" unconfined "$bin/rw" pass "$bin/open" $file
 # ONEXEC from UNCONFINED - don't change profile, make sure exec profile is applied
-genprofile image=$bin/rw $bin/open:px $file:rw -- image=$bin/open $file:rw
-do_test "nochange px" unconfined nochange pass $bin/open $file
+genprofile "image=$bin/rw" "$bin/open:px" $file:rw -- "image=$bin/open" $file:rw
+do_test "nochange px" unconfined nochange pass "$bin/open" $file
 # ONEXEC from UNCONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
-genprofile image=$bin/rw $bin/open:px $file:rw -- image=$bin/open
-do_test "override px" unconfined $bin/rw pass $bin/open $file
+genprofile "image=$bin/rw" "$bin/open:px" $file:rw -- "image=$bin/open"
+do_test "override px" unconfined "$bin/rw" pass "$bin/open" $file
 #------ # ONEXEC from CONFINED - don't change profile, open can't exec
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r
-do_test "no px perm" $test nochange fail $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r
+do_test "no px perm" $test nochange fail "$bin/open" $file
 # ONEXEC from CONFINED - don't change profile, open is run unconfined
-genprofile 'change_profile->':$bin/rw $bin/open:rux $exec_w $attrs_r
-do_test "nochange rux" $test nochange pass $bin/open $file
+genprofile "change_profile->:$bin/rw" "$bin/open:rux" $exec_w $attrs_r
+do_test "nochange rux" $test nochange pass "$bin/open" $file
 # ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/open $file:rw
-do_test "nochange px - no px perm" $test nochange fail $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/open" $file:rw
+do_test "nochange px - no px perm" $test nochange fail "$bin/open" $file
 # ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
-genprofile 'change_profile->':$bin/rw $bin/open:rpx $exec_w $attrs_r -- image=$bin/open
-do_test "nochange px - no file perm" $test nochange fail $bin/open $file
+genprofile "change_profile->:$bin/rw" "$bin/open:rpx" $exec_w $attrs_r -- "image=$bin/open"
+do_test "nochange px - no file perm" $test nochange fail "$bin/open" $file
 # ONEXEC from CONFINED - target does NOT exist
-genprofile 'change_profile->':$bin/open $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
-do_test "noexist px" $test noexist fail $bin/open $file
+genprofile "change_profile->:$bin/open" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
+do_test "noexist px" $test noexist fail "$bin/open" $file
 # ONEXEC from CONFINED - change to rw profile, no exec profile to override
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw
-do_test "change profile - override rix" $test $bin/rw pass $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw
+do_test "change profile - override rix" $test "$bin/rw" pass "$bin/open" $file
 # ONEXEC from CONFINED - change to rw profile, no exec profile to override, no explicit write access to /proc/*/attr/exec
-genprofile 'change_profile->':$bin/rw $attrs_r -- image=$bin/rw $bin/open:rix $file:rw
-do_test "change profile - no exec_w" $test $bin/rw pass $bin/open $file
+genprofile "change_profile->:$bin/rw" $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw
+do_test "change profile - no exec_w" $test "$bin/rw" pass "$bin/open" $file
 # ONEXEC from CONFINED - don't change profile, make sure exec profile is applied
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r $bin/open:rpx -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
-do_test "nochange px" $test nochange pass $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r "$bin/open:rpx" -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" $file:rw
+do_test "nochange px" $test nochange pass "$bin/open" $file
 # ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
-do_test "override px" $test $bin/rw pass $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
+do_test "override px" $test "$bin/rw" pass "$bin/open" $file
 # ONEXEC from - change to rw profile, override regular exec profile, exec profile has perms, rw doesn't
-genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix -- image=$bin/open $file:rw
-do_test "override px" $test $bin/rw fail $bin/open $file
+genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" -- "image=$bin/open" $file:rw
+do_test "override px" $test "$bin/rw" fail "$bin/open" $file
 # ONEXEC from COFINED - change to rw profile via glob rule, override exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
-do_test "glob override px" $test $bin/rw pass $bin/open $file
+genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
+do_test "glob override px" $test "$bin/rw" pass "$bin/open" $file
 # ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile doesn't have perms
-genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
-do_test "glob override px" $test $bin/open fail $bin/open $file
+genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
+do_test "glob override px" $test "$bin/open" fail "$bin/open" $file
 # ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile has perms
-genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
-do_test "glob override px" $test $bin/rw pass $bin/open $file
+genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" $file:rw
+do_test "glob override px" $test "$bin/rw" pass "$bin/open" $file
diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh
index 84dd1c669..ee13cc97e 100755
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -26,7 +26,7 @@ bad=$tmpdir/BAD/ proc=$new_root/proc fstype="ext2"
-. $bin/mount.inc
+. "$bin/mount.inc"
 pivot_root_cleanup() { mountpoint -q "$proc"
diff --git a/tests/regression/apparmor/ptrace.sh b/tests/regression/apparmor/ptrace.sh
index eb183aa6f..2dfc60e81 100755
--- a/tests/regression/apparmor/ptrace.sh
+++ b/tests/regression/apparmor/ptrace.sh
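Review bot: The three glob-rule calls at the end of the onexec.sh hunk keep the old split form `'change_profile->':/**`, while every other `change_profile->` argument in the hunk became a single double-quoted word. The `/**` part sits outside the quotes, so the shell treats the whole word as a pathname pattern; it reaches `genprofile` as a literal only because nothing matches, and `nullglob` or `failglob` would change or abort the call, leaving the test exercising a different profile than the comment describes. Writing `"change_profile->:/**"` on those three lines makes the rule literal and consistent with the rest of the hunk.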
@@ -56,7 +56,7 @@ runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper ${bin_true} if [ "$(kernel_features ptrace)" = "true" -a "$(parser_supports 'ptrace,')" = "true" ] ; then
- . $bin/ptrace_v6.inc
+ . "$bin/ptrace_v6.inc"
 else
- . $bin/ptrace_v5.inc
+ . "$bin/ptrace_v5.inc"
 fi
diff --git a/tests/regression/apparmor/sd_flags.sh b/tests/regression/apparmor/sd_flags.sh
index 67e389caa..41481219c 100755
--- a/tests/regression/apparmor/sd_flags.sh
+++ b/tests/regression/apparmor/sd_flags.sh
@@ -58,56 +58,56 @@ settest changehat_wrapper # audit alone # PASS TEST (noflags)
-genprofile hat:open addimage:${bin}/open $file:$okperm
+genprofile hat:open "addimage:${bin}/open" $file:$okperm
 runchecktest "SD_FLAGS HAT/OPEN RW (noflags)" pass open $file # PASS TEST 1 (audit)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$okperm
 runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file # PASS TEST 2 (audit)
-genprofile hat:open addimage:${bin}/open $file:$okperm flag:audit
+genprofile hat:open "addimage:${bin}/open" $file:$okperm flag:audit
 runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file # PASS TEST 3 (audit)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm flag:audit
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$okperm flag:audit
 runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file # FAILURE TEST 1 (audit)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1
 runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file # FAILURE TEST 2 (audit)
-genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:audit
+genprofile hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
 runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file # FAILURE TEST 3 (audit)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:audit
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
 runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file # complain alone # PASS TEST 1 (complain)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$okperm
 runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file # PASS TEST 2 (complain)
-genprofile hat:open addimage:${bin}/open $file:$okperm flag:complain
+genprofile hat:open "addimage:${bin}/open" $file:$okperm flag:complain
 runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file # PASS TEST 3 (complain)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm flag:complain
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$okperm flag:complain
 runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file # FAILURE TEST 1 (complain)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1
 runchecktest "SD_FLAGS HAT/OPEN R (complain)" fail open $file # PASS TEST 4 (complain)
-genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:complain
+genprofile hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
 runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file # PASS TEST 5 (complain)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:complain
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
 runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file # PASS TEST 6 (complain) no hat defined
@@ -116,10 +116,10 @@ runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file # audit + complain # PASS TEST 3 (audit+complain)
-genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:complain
+genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
 runchecktest "SD_FLAGS HAT/OPEN RW (audit+complain)" pass open $file # FAILURE TEST 3 (complain+audit)
-genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:audit
+genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
 runchecktest "SD_FLAGS HAT/OPEN R (complain+audit)" fail open $file
diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh
index 6f96dd1f3..a1e496950 100644
--- a/tests/regression/apparmor/unix_socket_abstract.sh
+++ b/tests/regression/apparmor/unix_socket_abstract.sh
@@ -27,7 +27,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd . "$bin/prologue.inc"
-. $bin/unix_socket.inc
+. "$bin/unix_socket.inc"
 requires_kernel_features policy/versions/v7 requires_kernel_features network/af_unix requires_parser_support "unix,"
diff --git a/tests/regression/apparmor/unix_socket_autobind.sh b/tests/regression/apparmor/unix_socket_autobind.sh
index bbc021090..de0a3774f 100644
--- a/tests/regression/apparmor/unix_socket_autobind.sh
+++ b/tests/regression/apparmor/unix_socket_autobind.sh
@@ -32,7 +32,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd . "$bin/prologue.inc"
-. $bin/unix_socket.inc
+. "$bin/unix_socket.inc"
 requires_kernel_features policy/versions/v7 requires_kernel_features network/af_unix requires_parser_support "unix,"
diff --git a/tests/regression/apparmor/unix_socket_unnamed.sh b/tests/regression/apparmor/unix_socket_unnamed.sh
index f51417592..f1b3102c0 100644
--- a/tests/regression/apparmor/unix_socket_unnamed.sh
+++ b/tests/regression/apparmor/unix_socket_unnamed.sh
@@ -27,7 +27,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd . "$bin/prologue.inc"
-. $bin/unix_socket.inc
+. "$bin/unix_socket.inc"
 requires_kernel_features policy/versions/v7 requires_kernel_features network/af_unix requires_parser_support "unix,"
diff --git a/tests/regression/apparmor/userns.sh b/tests/regression/apparmor/userns.sh
index e04223eb4..e71b927b3 100755
--- a/tests/regression/apparmor/userns.sh
+++ b/tests/regression/apparmor/userns.sh
@@ -59,7 +59,7 @@ do_test() # add profile for userns_setns_bin # ptrace is needed because userns_bin needs to # access userns_setns_bin's /proc/pid/ns/user
- generate_setns_profile="$generate_profile $userns_setns_bin:px $parentpipe:rw $childpipe:rw cap:sys_ptrace ptrace:read -- image=$userns_setns_bin userns $parentpipe:rw $childpipe:wr ptrace:readby cap:sys_admin"
+ generate_setns_profile="$generate_profile "$userns_setns_bin:px" $parentpipe:rw $childpipe:rw cap:sys_ptrace ptrace:read -- "image=$userns_setns_bin" userns $parentpipe:rw $childpipe:wr ptrace:readby cap:sys_admin"
 fi settest userns
@@ -68,7 +68,7 @@ do_test() runchecktest "$desc unshare - root" $expect_root -u # unshare $generate_setns_profile
- runchecktest "$desc setns - root" $expect_setns_root -s $userns_setns_bin -p $pipe # setns
+ runchecktest "$desc setns - root" $expect_setns_root -s "$userns_setns_bin" -p $pipe # setns
 settest -u "foo" userns # run tests as user foo $generate_profile # settest removes the profile, so load it here
@@ -76,7 +76,7 @@ do_test() runchecktest "$desc unshare - user" $expect_user -u # unshare $generate_setns_profile
- runchecktest "$desc setns - user" $expect_setns_user -s $userns_setns_bin -p $pipe # setns
+ runchecktest "$desc setns - user" $expect_setns_user -s "$userns_setns_bin" -p $pipe # setns
 } if [ -e $unprivileged_userns_clone_path ] && [ $unprivileged_userns_clone -eq 0 ]; then
@@ -152,9 +152,9 @@ detail="apparmor_restrict_unprivileged_userns enabled" do_test "unconfined $detail" pass $user_testresult pass pass # it should work when running as user with cap_sys_admin
-setcap cap_sys_admin+pie $bin/userns
+setcap cap_sys_admin+pie "$bin/userns"
 do_test "unconfined cap_sys_admin $detail" pass pass pass pass # remove cap_sys_admin from binary
-setcap cap_sys_admin= $bin/userns
+setcap cap_sys_admin= "$bin/userns"
 run_confined_tests "$detail"
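Review bot: The quotes added inside the `generate_setns_profile="..."` assignment in the first userns.sh hunk do not quote anything: each inner `"` closes the outer string, so `$userns_setns_bin:px` and `image=$userns_setns_bin` become the unquoted parts and the stored value is identical to the old one. The variable is then run as the bare word `$generate_setns_profile` (visible in the context of the next two hunks), so a path containing whitespace is still split there and the profile loaded for the setns tests would not be the one this line appears to build. Either drop the inner quotes so the line does not suggest protection it lacks, or, if these scripts run under bash (the shebang is outside the hunk), hold the command in an array, `generate_setns_profile=($generate_profile "$userns_setns_bin:px" ... "image=$userns_setns_bin" ...)`, and invoke it as `"${generate_setns_profile[@]}"`. do_test's body starts and ends outside the hunk.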
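Review bot: In the last userns.sh hunk, `setcap cap_sys_admin+pie "$bin/userns"` is undone only by the second `setcap` after `do_test` returns, and neither call's exit status is checked. If the run stops between the two lines (whether `do_test` can abort is not visible here), the test binary is left carrying cap_sys_admin in the build tree, and a failed grant would surface only as an unexplained test failure. Consider registering the removal with the suite's exit cleanup before granting the capability, and failing fast on the grant, for example `setcap cap_sys_admin+pie "$bin/userns" || exit 1`.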