mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix: query_label regression test failures

Browse source 
1. The test is using the wrong defines: It is using the defines from the
parser for the packed dfa permissions. This set of permissions is not
meant to be exposed to the outside world

2. The kernel is using the wrong mapping function for the permissions
in the file class. This results in partially exposing the packed
permissions, but even then it doesn't fully line up with the packed
permissions, and is not correct for several of the potential permissions.

Attached is a patch that fixes the test, and moves the two tests that
fail due to the kernel to xpass.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
This commit is contained in:
John Johansen 2015-07-14 10:35:01 -07:00
parent 1ef4417f5d
commit 4ff04c991c
2 changed files with 69 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
tests/regression/apparmor/query_label.c
View file

@ -35,28 +35,68 @@
#define AA_MAY_APPEND (1 << 3) #define AA_MAY_APPEND (1 << 3)
#endif #endif
#ifndef AA_MAY_LINK #ifndef AA_MAY_CREATE
#define AA_MAY_LINK (1 << 4) #define AA_MAY_CREATE (1 << 4)
#endif
#ifndef AA_MAY_DELETE
#define AA_MAY_DELETE (1 << 5)
#endif
#ifndef AA_MAY_OPEN
#define AA_MAY_OPEN (1 << 6)
#endif
#ifndef AA_MAY_RENAME
#define AA_MAY_RENAME (1 << 7)
#endif
#ifndef AA_MAY_SETATTR
#define AA_MAY_SETATTR (1 << 8)
#endif
#ifndef AA_MAY_GETATTR
#define AA_MAY_GETATTR (1 << 9)
#endif
#ifndef AA_MAY_SETCRED
#define AA_MAY_SETCRED (1 << 10)
#endif
#ifndef AA_MAY_GETCRED
#define AA_MAY_GETCRED (1 << 11)
#endif
#ifndef AA_MAY_CHMOD
#define AA_MAY_CHMOD (1 << 12)
#endif
#ifndef AA_MAY_CHOWN
#define AA_MAY_CHOWN (1 << 13)
#endif #endif
#ifndef AA_MAY_LOCK #ifndef AA_MAY_LOCK
#define AA_MAY_LOCK (1 << 5) #define AA_MAY_LOCK 0x8000
#endif #endif
#ifndef AA_EXEC_MMAP #ifndef AA_EXEC_MMAP
#define AA_EXEC_MMAP (1 << 6) #define AA_EXEC_MMAP 0x10000
#endif #endif
#ifndef AA_EXEC_PUX #ifndef AA_MAY_LINK
#define AA_EXEC_PUX (1 << 7) #define AA_MAY_LINK 0x40000
#endif #endif
#ifndef AA_EXEC_UNSAFE #ifndef AA_LINK_SUBSET /* overlayed perm in pair */
#define AA_EXEC_UNSAFE (1 << 8) #define AA_LINK_SUBSET AA_MAY_LOCK
#endif #endif
#ifndef AA_EXEC_INHERIT #ifndef AA_MAY_ONEXEC
#define AA_EXEC_INHERIT (1 << 9) #define AA_MAY_ONEXEC 0x20000000
#endif
#ifndef AA_MAY_CHANGE_PROFILE
#define AA_MAY_CHANGE_PROFILE 0x40000000
#endif #endif
static char *progname = NULL; static char *progname = NULL;
@ -148,18 +188,26 @@ static int parse_file_perms(uint32_t *mask, char *perms)
*mask |= AA_MAY_READ; *mask |= AA_MAY_READ;
else if (!strcmp(perm, "append")) else if (!strcmp(perm, "append"))
*mask |= AA_MAY_APPEND; *mask |= AA_MAY_APPEND;
else if (!strcmp(perm, "create"))
*mask |= AA_MAY_CREATE;
else if (!strcmp(perm, "delete"))
*mask |= AA_MAY_DELETE;
else if (!strcmp(perm, "setattr"))
*mask |= AA_MAY_SETATTR;
else if (!strcmp(perm, "getattr"))
*mask |= AA_MAY_GETATTR;
else if (!strcmp(perm, "chmod"))
*mask |= AA_MAY_CHMOD;
else if (!strcmp(perm, "chown"))
*mask |= AA_MAY_CHOWN;
else if (!strcmp(perm, "link")) else if (!strcmp(perm, "link"))
*mask |= AA_MAY_LINK; *mask |= AA_MAY_LINK;
else if (!strcmp(perm, "lock")) else if (!strcmp(perm, "lock"))
*mask |= AA_MAY_LOCK; *mask |= AA_MAY_LOCK;
else if (!strcmp(perm, "linksubset"))
*mask |= AA_LINK_SUBSET;
else if (!strcmp(perm, "exec_mmap")) else if (!strcmp(perm, "exec_mmap"))
*mask |= AA_EXEC_MMAP; *mask |= AA_EXEC_MMAP;
else if (!strcmp(perm, "exec_pux"))
*mask |= AA_EXEC_PUX;
else if (!strcmp(perm, "exec_unsafe"))
*mask |= AA_EXEC_UNSAFE;
else if (!strcmp(perm, "exec_inherit"))
*mask |= AA_EXEC_INHERIT;
else { else {
fprintf(stderr, "FAIL: unknown perm: %s\n", perm); fprintf(stderr, "FAIL: unknown perm: %s\n", perm);
return 1; return 1;
@ -264,8 +312,8 @@ int main(int argc, char **argv)
(allowed == should_allow && audited == should_audit)) { (allowed == should_allow && audited == should_audit)) {
printf("PASS\n"); printf("PASS\n");
} else { } else {
fprintf(stderr, "FAIL: the access should %sbe allowed and should %sbe audited\n", fprintf(stderr, "FAIL: the access should %sbe allowed and should %sbe audited. mask 0x%x\n",
allowed ? "" : "not ", audited ? "" : "not "); allowed ? "" : "not ", audited ? "" : "not ", mask);
exit(1); exit(1);
} }

6
tests/regression/apparmor/query_label.sh
View file

@ -212,9 +212,9 @@ querytest "QUERY dbus (svc receive)" fail $dbus_svc_query
genqueryprofile "file," genqueryprofile "file,"
expect allow expect allow
perms file exec,write,read,append,link,lock perms file exec,write,read,append,create,delete,setattr,getattr,chmod,chown,link,linksubset,lock,exec_mmap
querytest "QUERY file (all base perms #1)" pass /anything querytest "QUERY file (all base perms #1)" xpass /anything
querytest "QUERY file (all base perms #2)" pass /everything querytest "QUERY file (all base perms #2)" xpass /everything
genqueryprofile "/etc/passwd r," genqueryprofile "/etc/passwd r,"
expect allow expect allow