tests: Add regression tests for aa-exec

Add regression tests for the --profile, --namespace, and --immediate options of aa-exec. A new variable is added to uservars.inc to point to the in-tree or system aa-exec depending on the presence of the USE_SYSTEM=1 make variable at build time. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: John Johansen <john.johansen@canonical.com>
2025-03-04 16:35:02 +01:00 · 2015-12-17 16:07:51 -06:00 · 2015-12-17 16:07:51 -06:00 · 3073160aca
commit 3073160aca
parent 0ccfb7f52e
5 changed files with 144 additions and 5 deletions
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@ -18,7 +18,7 @@ ifdef USE_SYSTEM
 				echo -lapparmor ; \
 			fi )
  ifeq ($(strip $(LIBAPPARMOR)),)
-    ERROR_MESSAGE = $(error ${nl}\
+    LIBAPPARMOR_ERROR_MESSAGE = $(error ${nl}\
 ************************************************************************${nl}\
 Unable to find libapparmor installed on this system; either${nl}\
 install libapparmor devel packages, set the LIBAPPARMOR variable${nl}\
@ -27,13 +27,23 @@ manually, or build against in-tree libapparmor.${nl}\
  endif # LIBAPPARMOR not set
  LDLIBS += $(LIBAPPARMOR)

+  AA_EXEC = $(shell which aa-exec)
+  ifeq ($(AA_EXEC),)
+    AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
+************************************************************************${nl}\
+Unable to find aa-exec installed on this system; either install the${nl}\
+apparmor package, set the AA_EXEC variable manually, or use the in-tree${nl}\
+aa-exec.${nl}\
+************************************************************************${nl})
+  endif # AA_EXEC not set
+
 else # !USE_SYSTEM
  # use in-tree versions
  LIBAPPARMOR_SRC := ../../../libraries/libapparmor/
  LIBAPPARMOR_INCLUDE = $(LIBAPPARMOR_SRC)/include
  LIBAPPARMOR_PATH := $(LIBAPPARMOR_SRC)/src/.libs/
  ifeq ($(realpath $(LIBAPPARMOR_PATH)/libapparmor.a),)
-        ERROR_MESSAGE = $(error ${nl}\
+        LIBAPPARMOR_ERROR_MESSAGE = $(error ${nl}\
 ************************************************************************${nl}\
 $(LIBAPPARMOR_PATH)/libapparmor.a is missing; either build against${nl}\
 the in-tree libapparmor by building it first and then trying again${nl}\
@ -42,6 +52,17 @@ libapparmor by adding USE_SYSTEM=1 to your make command.${nl}\
 ************************************************************************${nl})
  endif

+  UTILS_SRC := ../../../utils
+  AA_EXEC = $(UTILS_SRC)/aa-exec
+  ifeq ($(realpath $(AA_EXEC)),)
+        AA_EXEC_ERROR_MESSAGE = $(error ${nl}\
+************************************************************************${nl}\
+$(AA_EXEC) is missing; either build the $(UTILS_SRC) directory${nl}\
+and then try again (see the top-level README for help) or use the${nl}\
+system aa-exec by adding USE_SYSTEM=1 to your make command.${nl}\
+************************************************************************${nl})
+  endif
+
  CFLAGS += -L$(LIBAPPARMOR_PATH) -I$(LIBAPPARMOR_INCLUDE)
  LDLIBS += -Wl,-Bstatic -lapparmor -Wl,-Bdynamic -lpthread
 endif # USE_SYSTEM
@ -152,7 +173,8 @@ endif

 EXEC=$(SRC:%.c=%)

-TESTS=access \
+TESTS=aa_exec \
+      access \
      introspect \
      capabilities \
      changeprofile \
@ -217,9 +239,11 @@ RISKY_TESTS=

 .PHONY: libapparmor_check
 .SILENT: libapparmor_check
-libapparmor_check: ; $(ERROR_MESSAGE)
+libapparmor_check: ; $(LIBAPPARMOR_ERROR_MESSAGE)

-all: libapparmor_check $(EXEC) changehat.h uservars.inc
+aa_exec_check: ; $(AA_EXEC_ERROR_MESSAGE)
+
+all: libapparmor_check aa_exec_check $(EXEC) changehat.h uservars.inc

 uservars.inc: uservars.inc.source uservars.inc.system
 ifdef USE_SYSTEM
--- a/tests/regression/apparmor/aa_exec.sh
+++ b/tests/regression/apparmor/aa_exec.sh
@ -0,0 +1,81 @@
+#! /bin/bash
+#	Copyright (C) 2015 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME aa_exec
+#=DESCRIPTION
+# This test verifies that the aa_exec command is indeed transitioning
+# profiles as intended.
+#=END
+
+#set -x
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+ns=aa_exec_ns
+
+genprofile_aa_exec()
+{
+	mode=""
+	if [ $# -eq 2 ]; then
+		if [ $2 -ne 0 ]; then
+			mode="(complain) "
+		fi
+	fi
+	genprofile --stdin <<EOF
+$1 ${mode}{
+  file,
+}
+
+:${ns}:${1} ${mode}{
+  file,
+}
+EOF
+}
+
+settest aa_exec_profile ${bin}/aa_exec_wrapper.sh
+
+genprofile_aa_exec "$test" 0
+runchecktest "unconfined" pass "$aa_exec" "unconfined"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce" pass "$aa_exec -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain" pass "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: not unconfined" fail "$aa_exec -p $test" "unconfined"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad mode: (complain)" fail "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad mode: (enforceXXX)" fail "$aa_exec -p $test" "$test (enforceXXX)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce (--immediate)" pass "$aa_exec -i -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain (--immediate)" pass "$aa_exec -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad profile (--immediate)" fail "$aa_exec -ip $test" "${test}XXX (enforce)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "enforce (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (enforce)"
+
+genprofile_aa_exec "$test" 1
+runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (complain)"
+
+genprofile_aa_exec "$test" 0
+runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
--- a/tests/regression/apparmor/aa_exec_wrapper.sh
+++ b/tests/regression/apparmor/aa_exec_wrapper.sh
@ -0,0 +1,28 @@
+#! /bin/bash
+#	Copyright (C) 2015 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+if [ $# -ne 2 ]; then
+	echo "FAIL: usage: $0 AA_EXEC_CMD EXPECTED_PROC_ATTR_CURRENT"
+	echo "AA_EXEC_CMD			The path to aa-exec and the arguments to pass"
+	echo "EXPECTED_PROC_ATTR_CURRENT	The expected contents of /proc/self/attr/current"
+	exit 1
+fi
+
+out=$($1 -- cat /proc/self/attr/current 2>&1)
+rc=$?
+
+if [ $rc -eq 0 ] && [ "$out" == "$2" ]; then
+	echo PASS
+	exit 0
+elif [ $rc -ne 0 ]; then
+	echo "FAIL: aa-exec exited with status ${rc}:\n${out}\n"
+	exit 1
+else
+	echo "FAIL: bad confinement context: \"$out\" != \"$2 $3\""
+	exit 1
+fi
--- a/tests/regression/apparmor/uservars.inc.source
+++ b/tests/regression/apparmor/uservars.inc.source
@ -12,3 +12,6 @@ tmpdir=/tmp/sdtest.$$-$RANDOM

 # 4. Location of load system profiles for verification
 sys_profiles=/sys/kernel/security/apparmor/profiles
+
+# 5. Location of aa-exec
+aa_exec=${PWD}/../../../utils/aa-exec
--- a/tests/regression/apparmor/uservars.inc.system
+++ b/tests/regression/apparmor/uservars.inc.system
@ -12,3 +12,6 @@ tmpdir=/tmp/sdtest.$$-$RANDOM

 # 4. Location of load system profiles for verification
 sys_profiles=/sys/kernel/security/apparmor/profiles
+
+# 5. Location of aa-exec
+aa_exec=$(which aa-exec)