mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
Quote all uses of $bin and ${bin}
... to avoid issues with spaces in a parent directory's name.
This commit is contained in:
Christian Boltz
parent
e1972eb22f
commit
22cf88b7c7
18 changed files with 78 additions and 78 deletions
|
|
@ -42,7 +42,7 @@ $1 ${mode}{
|
|||
EOF
|
||||
}
|
||||
|
||||
settest aa_exec_profile ${bin}/aa_exec_wrapper.sh
|
||||
settest aa_exec_profile "${bin}/aa_exec_wrapper.sh"
|
||||
|
||||
genprofile_aa_exec "$test" 0
|
||||
runchecktest "unconfined" pass "$aa_exec" "unconfined"
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ file=$tmpdir/file
|
|||
socket=$tmpdir/unix_fd_test
|
||||
att_dis_client=$pwd/attach_disconnected
|
||||
|
||||
. $bin/mount.inc
|
||||
. "$bin/mount.inc"
|
||||
|
||||
attach_disconnected_cleanup() {
|
||||
if [ ! -z "$loop_device" ]; then
|
||||
|
|
|
|||
|
|
@ -139,18 +139,18 @@ for TEST in ${TESTS} ; do
|
|||
# okay, now check to see if the capability functions from within
|
||||
# a subprofile.
|
||||
settest ${testwrapper}
|
||||
genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
|
||||
genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" ${my_entries}
|
||||
if [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ] ; then
|
||||
# ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
|
||||
# capability + ptrace rule needed between pids
|
||||
runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST} ${my_arg}
|
||||
runchecktest "${TEST} changehat -- no caps" pass "$bin/${TEST}" ${my_arg}
|
||||
else
|
||||
runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg}
|
||||
runchecktest "${TEST} changehat -- no caps" fail "$bin/${TEST}" ${my_arg}
|
||||
fi
|
||||
|
||||
# all capabilities allowed
|
||||
genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
|
||||
runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg}
|
||||
genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" cap:ALL ${my_entries}
|
||||
runchecktest "${TEST} changehat -- all caps" ${expected} "$bin/${TEST}" ${my_arg}
|
||||
|
||||
for cap in ${CAPABILITIES} ; do
|
||||
if [ ${expected} = "fail" ]; then
|
||||
|
|
@ -162,8 +162,8 @@ for TEST in ${TESTS} ; do
|
|||
else
|
||||
expected_result=fail
|
||||
fi
|
||||
genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries}
|
||||
runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} $bin/${TEST} ${my_arg}
|
||||
genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" cap:${cap} ${my_entries}
|
||||
runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} "$bin/${TEST}" ${my_arg}
|
||||
done
|
||||
|
||||
done
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ runchecktest "CHANGEHAT (bad token)" signal9 ${subtest}
|
|||
|
||||
settest changehat_wrapper
|
||||
|
||||
genprofile hat:open addimage:${bin}/open ${file}:${okperm}
|
||||
genprofile hat:open "addimage:${bin}/open" ${file}:${okperm}
|
||||
|
||||
runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open ${file}
|
||||
runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0 --exit_hat open ${file}
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ bin=$pwd
|
|||
. "$bin/prologue.inc"
|
||||
requires_kernel_features dbus
|
||||
requires_parser_support "dbus,"
|
||||
. $bin/dbus.inc
|
||||
. "$bin/dbus.inc"
|
||||
|
||||
args="--session"
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ bin=$pwd
|
|||
. "$bin/prologue.inc"
|
||||
requires_kernel_features dbus
|
||||
requires_parser_support "dbus,"
|
||||
. $bin/dbus.inc
|
||||
. "$bin/dbus.inc"
|
||||
|
||||
listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
|
||||
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ bin=$pwd
|
|||
. "$bin/prologue.inc"
|
||||
requires_kernel_features dbus
|
||||
requires_parser_support "dbus,"
|
||||
. $bin/dbus.inc
|
||||
. "$bin/dbus.inc"
|
||||
|
||||
service="--$bus --name=$dest $path $iface"
|
||||
unconfined_log="${tmpdir}/unconfined.log"
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ bin=$pwd
|
|||
. "$bin/prologue.inc"
|
||||
requires_kernel_features dbus
|
||||
requires_parser_support "dbus,"
|
||||
. $bin/dbus.inc
|
||||
. "$bin/dbus.inc"
|
||||
|
||||
service="--$bus --name=$dest $path $iface"
|
||||
unconfined_log="${tmpdir}/unconfined.log"
|
||||
|
|
|
|||
|
|
@ -25,8 +25,8 @@ bin=$pwd
|
|||
target=$tmpdir/target_
|
||||
linkfile=$tmpdir/link_
|
||||
|
||||
tfiles=`$bin/link_subset --filenames $target`
|
||||
lfiles=`$bin/link_subset --filenames $linkfile`
|
||||
tfiles=`"$bin/link_subset" --filenames $target`
|
||||
lfiles=`"$bin/link_subset" --filenames $linkfile`
|
||||
|
||||
# unconfined test - no target file
|
||||
#runchecktest "unconfined - no target" fail $target $linkfile
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ mount_bad=$tmpdir/mountbad
|
|||
loop_device="unset"
|
||||
fstype="ext2"
|
||||
|
||||
. $bin/mount.inc
|
||||
. "$bin/mount.inc"
|
||||
|
||||
setup_mnt() {
|
||||
/bin/mount -n -t${fstype} ${loop_device} ${mount_point}
|
||||
|
|
|
|||
|
|
@ -53,75 +53,75 @@ do_test()
|
|||
|
||||
|
||||
# ONEXEC from UNCONFINED - don't change profile
|
||||
do_test "" unconfined nochange pass $bin/open $file
|
||||
do_test "" unconfined nochange pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from UNCONFINED - target does NOT exist
|
||||
genprofile image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
|
||||
do_test "" unconfined noexist fail $bin/open $file
|
||||
genprofile "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
|
||||
do_test "" unconfined noexist fail "$bin/open" $file
|
||||
|
||||
# ONEXEC from UNCONFINED - change to rw profile, no exec profile to override
|
||||
genprofile image=$bin/rw $bin/open:rix $file:rw
|
||||
do_test "no px profile" unconfined $bin/rw pass $bin/open $file
|
||||
genprofile "image=$bin/rw" "$bin/open:rix" $file:rw
|
||||
do_test "no px profile" unconfined "$bin/rw" pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from UNCONFINED - don't change profile, make sure exec profile is applied
|
||||
genprofile image=$bin/rw $bin/open:px $file:rw -- image=$bin/open $file:rw
|
||||
do_test "nochange px" unconfined nochange pass $bin/open $file
|
||||
genprofile "image=$bin/rw" "$bin/open:px" $file:rw -- "image=$bin/open" $file:rw
|
||||
do_test "nochange px" unconfined nochange pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from UNCONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
|
||||
genprofile image=$bin/rw $bin/open:px $file:rw -- image=$bin/open
|
||||
do_test "override px" unconfined $bin/rw pass $bin/open $file
|
||||
genprofile "image=$bin/rw" "$bin/open:px" $file:rw -- "image=$bin/open"
|
||||
do_test "override px" unconfined "$bin/rw" pass "$bin/open" $file
|
||||
|
||||
#------
|
||||
|
||||
# ONEXEC from CONFINED - don't change profile, open can't exec
|
||||
genprofile 'change_profile->':$bin/rw $exec_w $attrs_r
|
||||
do_test "no px perm" $test nochange fail $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" $exec_w $attrs_r
|
||||
do_test "no px perm" $test nochange fail "$bin/open" $file
|
||||
|
||||
# ONEXEC from CONFINED - don't change profile, open is run unconfined
|
||||
genprofile 'change_profile->':$bin/rw $bin/open:rux $exec_w $attrs_r
|
||||
do_test "nochange rux" $test nochange pass $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" "$bin/open:rux" $exec_w $attrs_r
|
||||
do_test "nochange rux" $test nochange pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
|
||||
genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/open $file:rw
|
||||
do_test "nochange px - no px perm" $test nochange fail $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/open" $file:rw
|
||||
do_test "nochange px - no px perm" $test nochange fail "$bin/open" $file
|
||||
|
||||
# ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
|
||||
genprofile 'change_profile->':$bin/rw $bin/open:rpx $exec_w $attrs_r -- image=$bin/open
|
||||
do_test "nochange px - no file perm" $test nochange fail $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" "$bin/open:rpx" $exec_w $attrs_r -- "image=$bin/open"
|
||||
do_test "nochange px - no file perm" $test nochange fail "$bin/open" $file
|
||||
|
||||
# ONEXEC from CONFINED - target does NOT exist
|
||||
genprofile 'change_profile->':$bin/open $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
|
||||
do_test "noexist px" $test noexist fail $bin/open $file
|
||||
genprofile "change_profile->:$bin/open" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
|
||||
do_test "noexist px" $test noexist fail "$bin/open" $file
|
||||
|
||||
# ONEXEC from CONFINED - change to rw profile, no exec profile to override
|
||||
genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw
|
||||
do_test "change profile - override rix" $test $bin/rw pass $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw
|
||||
do_test "change profile - override rix" $test "$bin/rw" pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from CONFINED - change to rw profile, no exec profile to override, no explicit write access to /proc/*/attr/exec
|
||||
genprofile 'change_profile->':$bin/rw $attrs_r -- image=$bin/rw $bin/open:rix $file:rw
|
||||
do_test "change profile - no exec_w" $test $bin/rw pass $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw
|
||||
do_test "change profile - no exec_w" $test "$bin/rw" pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from CONFINED - don't change profile, make sure exec profile is applied
|
||||
genprofile 'change_profile->':$bin/rw $exec_w $attrs_r $bin/open:rpx -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
|
||||
do_test "nochange px" $test nochange pass $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" $exec_w $attrs_r "$bin/open:rpx" -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" $file:rw
|
||||
do_test "nochange px" $test nochange pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
|
||||
genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
|
||||
do_test "override px" $test $bin/rw pass $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
|
||||
do_test "override px" $test "$bin/rw" pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from - change to rw profile, override regular exec profile, exec profile has perms, rw doesn't
|
||||
genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix -- image=$bin/open $file:rw
|
||||
do_test "override px" $test $bin/rw fail $bin/open $file
|
||||
genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" -- "image=$bin/open" $file:rw
|
||||
do_test "override px" $test "$bin/rw" fail "$bin/open" $file
|
||||
|
||||
# ONEXEC from COFINED - change to rw profile via glob rule, override exec profile, exec profile doesn't have perms
|
||||
genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
|
||||
do_test "glob override px" $test $bin/rw pass $bin/open $file
|
||||
genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
|
||||
do_test "glob override px" $test "$bin/rw" pass "$bin/open" $file
|
||||
|
||||
# ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile doesn't have perms
|
||||
genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open
|
||||
do_test "glob override px" $test $bin/open fail $bin/open $file
|
||||
genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open"
|
||||
do_test "glob override px" $test "$bin/open" fail "$bin/open" $file
|
||||
|
||||
# ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile has perms
|
||||
genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw
|
||||
do_test "glob override px" $test $bin/rw pass $bin/open $file
|
||||
genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" $file:rw
|
||||
do_test "glob override px" $test "$bin/rw" pass "$bin/open" $file
|
||||
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ bad=$tmpdir/BAD/
|
|||
proc=$new_root/proc
|
||||
fstype="ext2"
|
||||
|
||||
. $bin/mount.inc
|
||||
. "$bin/mount.inc"
|
||||
|
||||
pivot_root_cleanup() {
|
||||
mountpoint -q "$proc"
|
||||
|
|
|
|||
|
|
@ -56,7 +56,7 @@ runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper ${bin_true}
|
|||
|
||||
|
||||
if [ "$(kernel_features ptrace)" = "true" -a "$(parser_supports 'ptrace,')" = "true" ] ; then
|
||||
. $bin/ptrace_v6.inc
|
||||
. "$bin/ptrace_v6.inc"
|
||||
else
|
||||
. $bin/ptrace_v5.inc
|
||||
. "$bin/ptrace_v5.inc"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -58,56 +58,56 @@ settest changehat_wrapper
|
|||
|
||||
# audit alone
|
||||
# PASS TEST (noflags)
|
||||
genprofile hat:open addimage:${bin}/open $file:$okperm
|
||||
genprofile hat:open "addimage:${bin}/open" $file:$okperm
|
||||
runchecktest "SD_FLAGS HAT/OPEN RW (noflags)" pass open $file
|
||||
|
||||
# PASS TEST 1 (audit)
|
||||
genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm
|
||||
genprofile flag:audit hat:open "addimage:${bin}/open" $file:$okperm
|
||||
runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
|
||||
|
||||
# PASS TEST 2 (audit)
|
||||
genprofile hat:open addimage:${bin}/open $file:$okperm flag:audit
|
||||
genprofile hat:open "addimage:${bin}/open" $file:$okperm flag:audit
|
||||
runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
|
||||
|
||||
# PASS TEST 3 (audit)
|
||||
genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm flag:audit
|
||||
genprofile flag:audit hat:open "addimage:${bin}/open" $file:$okperm flag:audit
|
||||
runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file
|
||||
|
||||
# FAILURE TEST 1 (audit)
|
||||
genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1
|
||||
genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1
|
||||
runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
|
||||
|
||||
# FAILURE TEST 2 (audit)
|
||||
genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:audit
|
||||
genprofile hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
|
||||
runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
|
||||
|
||||
# FAILURE TEST 3 (audit)
|
||||
genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:audit
|
||||
genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
|
||||
runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file
|
||||
|
||||
# complain alone
|
||||
# PASS TEST 1 (complain)
|
||||
genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm
|
||||
genprofile flag:complain hat:open "addimage:${bin}/open" $file:$okperm
|
||||
runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
|
||||
|
||||
# PASS TEST 2 (complain)
|
||||
genprofile hat:open addimage:${bin}/open $file:$okperm flag:complain
|
||||
genprofile hat:open "addimage:${bin}/open" $file:$okperm flag:complain
|
||||
runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
|
||||
|
||||
# PASS TEST 3 (complain)
|
||||
genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm flag:complain
|
||||
genprofile flag:complain hat:open "addimage:${bin}/open" $file:$okperm flag:complain
|
||||
runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file
|
||||
|
||||
# FAILURE TEST 1 (complain)
|
||||
genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1
|
||||
genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1
|
||||
runchecktest "SD_FLAGS HAT/OPEN R (complain)" fail open $file
|
||||
|
||||
# PASS TEST 4 (complain)
|
||||
genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:complain
|
||||
genprofile hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
|
||||
runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
|
||||
|
||||
# PASS TEST 5 (complain)
|
||||
genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:complain
|
||||
genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
|
||||
runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
|
||||
|
||||
# PASS TEST 6 (complain) no hat defined
|
||||
|
|
@ -116,10 +116,10 @@ runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file
|
|||
|
||||
# audit + complain
|
||||
# PASS TEST 3 (audit+complain)
|
||||
genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:complain
|
||||
genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain
|
||||
runchecktest "SD_FLAGS HAT/OPEN RW (audit+complain)" pass open $file
|
||||
|
||||
# FAILURE TEST 3 (complain+audit)
|
||||
genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:audit
|
||||
genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit
|
||||
runchecktest "SD_FLAGS HAT/OPEN R (complain+audit)" fail open $file
|
||||
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ pwd=`cd $pwd ; /bin/pwd`
|
|||
bin=$pwd
|
||||
|
||||
. "$bin/prologue.inc"
|
||||
. $bin/unix_socket.inc
|
||||
. "$bin/unix_socket.inc"
|
||||
requires_kernel_features policy/versions/v7
|
||||
requires_kernel_features network/af_unix
|
||||
requires_parser_support "unix,"
|
||||
|
|
|
|||
|
|
@ -32,7 +32,7 @@ pwd=`cd $pwd ; /bin/pwd`
|
|||
bin=$pwd
|
||||
|
||||
. "$bin/prologue.inc"
|
||||
. $bin/unix_socket.inc
|
||||
. "$bin/unix_socket.inc"
|
||||
requires_kernel_features policy/versions/v7
|
||||
requires_kernel_features network/af_unix
|
||||
requires_parser_support "unix,"
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ pwd=`cd $pwd ; /bin/pwd`
|
|||
bin=$pwd
|
||||
|
||||
. "$bin/prologue.inc"
|
||||
. $bin/unix_socket.inc
|
||||
. "$bin/unix_socket.inc"
|
||||
requires_kernel_features policy/versions/v7
|
||||
requires_kernel_features network/af_unix
|
||||
requires_parser_support "unix,"
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ do_test()
|
|||
# add profile for userns_setns_bin
|
||||
# ptrace is needed because userns_bin needs to
|
||||
# access userns_setns_bin's /proc/pid/ns/user
|
||||
generate_setns_profile="$generate_profile $userns_setns_bin:px $parentpipe:rw $childpipe:rw cap:sys_ptrace ptrace:read -- image=$userns_setns_bin userns $parentpipe:rw $childpipe:wr ptrace:readby cap:sys_admin"
|
||||
generate_setns_profile="$generate_profile "$userns_setns_bin:px" $parentpipe:rw $childpipe:rw cap:sys_ptrace ptrace:read -- "image=$userns_setns_bin" userns $parentpipe:rw $childpipe:wr ptrace:readby cap:sys_admin"
|
||||
fi
|
||||
|
||||
settest userns
|
||||
|
|
@ -68,7 +68,7 @@ do_test()
|
|||
runchecktest "$desc unshare - root" $expect_root -u # unshare
|
||||
|
||||
$generate_setns_profile
|
||||
runchecktest "$desc setns - root" $expect_setns_root -s $userns_setns_bin -p $pipe # setns
|
||||
runchecktest "$desc setns - root" $expect_setns_root -s "$userns_setns_bin" -p $pipe # setns
|
||||
|
||||
settest -u "foo" userns # run tests as user foo
|
||||
$generate_profile # settest removes the profile, so load it here
|
||||
|
|
@ -76,7 +76,7 @@ do_test()
|
|||
runchecktest "$desc unshare - user" $expect_user -u # unshare
|
||||
|
||||
$generate_setns_profile
|
||||
runchecktest "$desc setns - user" $expect_setns_user -s $userns_setns_bin -p $pipe # setns
|
||||
runchecktest "$desc setns - user" $expect_setns_user -s "$userns_setns_bin" -p $pipe # setns
|
||||
}
|
||||
|
||||
if [ -e $unprivileged_userns_clone_path ] && [ $unprivileged_userns_clone -eq 0 ]; then
|
||||
|
|
@ -152,9 +152,9 @@ detail="apparmor_restrict_unprivileged_userns enabled"
|
|||
do_test "unconfined $detail" pass $user_testresult pass pass
|
||||
|
||||
# it should work when running as user with cap_sys_admin
|
||||
setcap cap_sys_admin+pie $bin/userns
|
||||
setcap cap_sys_admin+pie "$bin/userns"
|
||||
do_test "unconfined cap_sys_admin $detail" pass pass pass pass
|
||||
# remove cap_sys_admin from binary
|
||||
setcap cap_sys_admin= $bin/userns
|
||||
setcap cap_sys_admin= "$bin/userns"
|
||||
|
||||
run_confined_tests "$detail"
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue