Merge fixes on the testing infrastructure
This MR is meant to resolve warnings such as "Warning: execname '/home/username/Documents/apparmor/tests/regression/apparmor/file_unbindable_mount': no such file or directory" when running tests like the one in the current version of !1448. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1450 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
commit
59957aa1d8
11 changed files with 67 additions and 31 deletions
|
@ -31,11 +31,12 @@ genprofile_aa_exec()
|
||||||
mode="(complain) "
|
mode="(complain) "
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$1 --stdin <<EOF
|
||||||
$1 ${mode}{
|
$1 ${mode}{
|
||||||
file,
|
file,
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
genprofile --append image=:${ns}:${1} --stdin <<EOF
|
||||||
:${ns}:${1} ${mode}{
|
:${ns}:${1} ${mode}{
|
||||||
file,
|
file,
|
||||||
}
|
}
|
||||||
|
@ -81,11 +82,12 @@ genprofile_aa_exec "$test" 0
|
||||||
runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
|
runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
|
||||||
|
|
||||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test {
|
$test {
|
||||||
all,
|
all,
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
genprofile --append image=:${ns}:${test} --stdin <<EOF
|
||||||
:${ns}:${test} {
|
:${ns}:${test} {
|
||||||
all,
|
all,
|
||||||
}
|
}
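Review bot: The new `genprofile --append image=:${ns}:${1} --stdin` call in genprofile_aa_exec, and the matching `genprofile --append image=:${ns}:${test} --stdin` in the `all,` block, carry no comment saying why the single heredoc was split into two invocations. The same two-call idiom is repeated in the other test scripts touched by this commit. Going by the option-parsing change shown further down this page, `--append` skips rotating the profile to `.old` and rewriting the `abi <kernel>,` header, then reloads with `replaceprofile`. A one-line comment above the first appended call would record that, e.g. `# --append adds this profile to the file written by the previous genprofile call and reloads it`. genprofile_aa_exec starts before the first hunk and the `all,` block continues past the second.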
|
||||||
|
|
|
@ -80,8 +80,10 @@ runchecktest_errno EACCES "CHANGEPROFILE_RE (nochange access subfile)" fail noch
|
||||||
runchecktest_errno EACCES "CHANGEPROFILE_RE (access file)" fail $fqsubtest $file
|
runchecktest_errno EACCES "CHANGEPROFILE_RE (access file)" fail $fqsubtest $file
|
||||||
runchecktest "CHANGEPROFILE_RE (access sub file)" pass $fqsubtest $subfile
|
runchecktest "CHANGEPROFILE_RE (access sub file)" pass $fqsubtest $subfile
|
||||||
|
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test { file, change_profile -> ${nstest}, }
|
$test { file, change_profile -> ${nstest}, }
|
||||||
|
EOF
|
||||||
|
genprofile --append image=$nstest --stdin <<EOF
|
||||||
$nstest { $subfile ${okperm}, }
|
$nstest { $subfile ${okperm}, }
|
||||||
EOF
|
EOF
|
||||||
expected_result=pass
|
expected_result=pass
|
||||||
|
@ -103,8 +105,10 @@ else
|
||||||
runchecktest "CHANGEPROFILE_STACK (access file)" fail "&$othertest" $file
|
runchecktest "CHANGEPROFILE_STACK (access file)" fail "&$othertest" $file
|
||||||
runchecktest "CHANGEPROFILE_STACK (access stack file)" pass "&$othertest" $stackfile
|
runchecktest "CHANGEPROFILE_STACK (access stack file)" pass "&$othertest" $stackfile
|
||||||
|
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test { file, audit deny $subfile $okperm, $stackfile $okperm, change_profile -> &${nstest}, }
|
$test { file, audit deny $subfile $okperm, $stackfile $okperm, change_profile -> &${nstest}, }
|
||||||
|
EOF
|
||||||
|
genprofile --append image=$nstest --stdin <<EOF
|
||||||
$nstest { $subfile $okperm, $stackfile $okperm, }
|
$nstest { $subfile $okperm, $stackfile $okperm, }
|
||||||
EOF
|
EOF
|
||||||
runchecktest "CHANGEPROFILE_NS_STACK (nochange access file)" pass nochange $file
|
runchecktest "CHANGEPROFILE_NS_STACK (nochange access file)" pass nochange $file
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
|
|
||||||
gendbusprofile()
|
gendbusprofile()
|
||||||
{
|
{
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
${__dbus_var_decl}
|
${__dbus_var_decl}
|
||||||
$test {
|
$test {
|
||||||
@{gen $test}
|
@{gen $test}
|
||||||
|
|
|
@ -34,7 +34,7 @@ load_and_verify() {
|
||||||
# Write to cache
|
# Write to cache
|
||||||
parser_args="${parser_config} -q -W"
|
parser_args="${parser_config} -q -W"
|
||||||
|
|
||||||
echo "profile $prof {}" | genprofile --stdin
|
echo "profile $prof {}" | genprofile image=$prof --stdin
|
||||||
|
|
||||||
cache_md5=$(cat $cache_dir/profile | md5sum | awk '{ print $1 }')
|
cache_md5=$(cat $cache_dir/profile | md5sum | awk '{ print $1 }')
|
||||||
|
|
||||||
|
|
|
@ -111,14 +111,16 @@ ns="ns"
|
||||||
prof="stackprofile"
|
prof="stackprofile"
|
||||||
nstest=":${ns}:${prof}"
|
nstest=":${ns}:${prof}"
|
||||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test {
|
$test {
|
||||||
file,
|
file,
|
||||||
audit deny $otherfile $okperm,
|
audit deny $otherfile $okperm,
|
||||||
audit deny $thirdfile $okperm,
|
audit deny $thirdfile $okperm,
|
||||||
$test ix -> &$nstest,
|
$test ix -> &$nstest,
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
genprofile --append image=$nstest --stdin <<EOF
|
||||||
$nstest {
|
$nstest {
|
||||||
file,
|
file,
|
||||||
audit deny $file $okperm,
|
audit deny $file $okperm,
|
||||||
|
|
|
@ -42,7 +42,7 @@ genprofile_ns() {
|
||||||
|
|
||||||
# override the sys_profiles variable with a bad path so that genprofile
|
# override the sys_profiles variable with a bad path so that genprofile
|
||||||
# doesn't perform profile load checking in the wrong policy namespace
|
# doesn't perform profile load checking in the wrong policy namespace
|
||||||
echo "${prefix}:${ns}:${prof} {}" | sys_profiles="${sys_profiles}XXX" genprofile --stdin
|
echo "${prefix}:${ns}:${prof} {}" | sys_profiles="${sys_profiles}XXX" genprofile image=:${ns}:${prof} --stdin
|
||||||
echo "$ns"
|
echo "$ns"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -99,7 +99,7 @@ else
|
||||||
|
|
||||||
#Verify that NNP allows stacking a new policy namespace
|
#Verify that NNP allows stacking a new policy namespace
|
||||||
#must use stdin with genprofile for namespaces
|
#must use stdin with genprofile for namespaces
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test {
|
$test {
|
||||||
@{gen_bin $test}
|
@{gen_bin $test}
|
||||||
@{gen_def}
|
@{gen_def}
|
||||||
|
@ -107,6 +107,8 @@ $test {
|
||||||
/proc/*/attr/current w,
|
/proc/*/attr/current w,
|
||||||
change_profile-> &:nnp:unconfined,
|
change_profile-> &:nnp:unconfined,
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
genprofile --append image=:nnp:$bin/open --stdin <<EOF
|
||||||
:nnp:$bin/open {
|
:nnp:$bin/open {
|
||||||
@{gen_bin $bin/open}
|
@{gen_bin $bin/open}
|
||||||
@{gen_def}
|
@{gen_def}
|
||||||
|
@ -120,7 +122,7 @@ EOF
|
||||||
runchecktest "NNP (stack :nnp:open - no NNP)" fail -p ":nnp:$bin/open" -f "$file"
|
runchecktest "NNP (stack :nnp:open - no NNP)" fail -p ":nnp:$bin/open" -f "$file"
|
||||||
runchecktest "NNP (stack :nnp:open - NNP)" fail -n -p ":nnp:$bin/open" -f "$file"
|
runchecktest "NNP (stack :nnp:open - NNP)" fail -n -p ":nnp:$bin/open" -f "$file"
|
||||||
|
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test {
|
$test {
|
||||||
@{gen_bin $test}
|
@{gen_bin $test}
|
||||||
@{gen_def}
|
@{gen_def}
|
||||||
|
@ -128,6 +130,8 @@ $test {
|
||||||
/proc/*/attr/current w,
|
/proc/*/attr/current w,
|
||||||
change_profile-> &:nnp:$bin/open,
|
change_profile-> &:nnp:$bin/open,
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
genprofile --append image=:nnp:$bin/open --stdin <<EOF
|
||||||
:nnp:$bin/open {
|
:nnp:$bin/open {
|
||||||
@{gen_bin $bin/open}
|
@{gen_bin $bin/open}
|
||||||
@{gen_def}
|
@{gen_def}
|
||||||
|
|
|
@ -420,6 +420,7 @@ fi
|
||||||
|
|
||||||
complainflag=""
|
complainflag=""
|
||||||
mkflags=""
|
mkflags=""
|
||||||
|
append="false"
|
||||||
while /bin/true
|
while /bin/true
|
||||||
do
|
do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
|
@ -431,25 +432,31 @@ fi
|
||||||
;;
|
;;
|
||||||
"-I") mkflags="${mkflags} -I"
|
"-I") mkflags="${mkflags} -I"
|
||||||
;;
|
;;
|
||||||
|
"--append") append="true"
|
||||||
|
;;
|
||||||
*) break
|
*) break
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
# save previous profile
|
if [ "$append" = "false" ]; then
|
||||||
if [ -f $profile ]
|
# save previous profile
|
||||||
then
|
if [ -f $profile ]
|
||||||
mv $profile ${profile}.old
|
then
|
||||||
mv $profilenames ${profilenames}.old
|
mv $profile ${profile}.old
|
||||||
fi
|
mv $profilenames ${profilenames}.old
|
||||||
|
fi
|
||||||
|
|
||||||
echo "abi <kernel>," >$profile
|
echo "abi <kernel>," >$profile
|
||||||
num_emitted=0
|
num_emitted=0
|
||||||
|
else
|
||||||
|
num_emmited=$(wc -l < "$profilenames")
|
||||||
|
fi
|
||||||
|
|
||||||
while /bin/true
|
while /bin/true
|
||||||
do
|
do
|
||||||
imagename=$test
|
imagename=$testbin
|
||||||
|
|
||||||
# image/subhat allows overriding of the default
|
# image/subhat allows overriding of the default
|
||||||
# imagename which is based on the testname
|
# imagename which is based on the testname
|
||||||
|
@ -457,7 +464,7 @@ fi
|
||||||
# it is most often used after --, in fact it is basically
|
# it is most often used after --, in fact it is basically
|
||||||
# mandatory after --
|
# mandatory after --
|
||||||
case "$1" in
|
case "$1" in
|
||||||
image=*) imagename=`echo $1 | sed 's/^image=\([^:]*\).*$/\1/'`
|
image=*) imagename=`echo $1 | sed 's/^image=\(.*\)$/\1/'`
|
||||||
num_emitted=0
|
num_emitted=0
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
|
@ -495,9 +502,12 @@ fi
|
||||||
break
|
break
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if [ $append == "true" ]
|
||||||
|
then
|
||||||
|
replaceprofile
|
||||||
# if old and new profiles consist of the same entries
|
# if old and new profiles consist of the same entries
|
||||||
# we can do a replace, else remove/reload
|
# we can do a replace, else remove/reload
|
||||||
if [ $profileloaded -eq 1 ]
|
elif [ $profileloaded -eq 1 ]
|
||||||
then
|
then
|
||||||
names1=$tmpdir/sorted1
|
names1=$tmpdir/sorted1
|
||||||
names2=$tmpdir/sorted2
|
names2=$tmpdir/sorted2
|
||||||
|
@ -507,13 +517,13 @@ fi
|
||||||
if cmp -s $names1 $names2
|
if cmp -s $names1 $names2
|
||||||
then
|
then
|
||||||
replaceprofile
|
replaceprofile
|
||||||
else
|
else
|
||||||
removeprofile ${profile}.old
|
removeprofile ${profile}.old
|
||||||
loadprofile
|
loadprofile
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f $names1 $names2
|
rm -f $names1 $names2
|
||||||
|
|
||||||
else
|
else
|
||||||
loadprofile
|
loadprofile
|
||||||
fi
|
fi
|
||||||
|
@ -622,6 +632,11 @@ settest()
|
||||||
fatalerror "settest, illegal usage"
|
fatalerror "settest, illegal usage"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# store testbin name from testexec so that testexec represents
|
||||||
|
# what will be executed - allowing for a change of username
|
||||||
|
# with sudo -u
|
||||||
|
testbin=$testexec
|
||||||
|
|
||||||
if [ ! -z "$username" ]
|
if [ ! -z "$username" ]
|
||||||
then
|
then
|
||||||
testexec="sudo -u $username $testexec"
|
testexec="sudo -u $username $testexec"
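Review bot: The `--append` branch assigns `num_emmited=$(wc -l < "$profilenames")`, a misspelling of `num_emitted`, so the counter that the non-append branch initialises with `num_emitted=0` is never set on this path; the line should read `num_emitted=$(wc -l < "$profilenames")`. Every `--append` caller on this page also passes `image=`, whose case arm resets `num_emitted=0`, which probably hides the typo today. The branch also assumes an earlier genprofile call already created `$profilenames`; a guard such as `[ -f "$profilenames" ] || fatalerror "genprofile --append: no existing profile"` would make misuse fail loudly instead of appending to a file that lacks the `abi <kernel>,` header. Separately, `if [ $append == "true" ]` could be written `if [ "$append" = "true" ]` to match the quoted test used a few lines earlier. The enclosing function begins and ends outside these hunks.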
|
||||||
|
|
|
@ -40,11 +40,12 @@ dbus_svc_query="session com.foo.baz"
|
||||||
# granting anything specified in $@.
|
# granting anything specified in $@.
|
||||||
genqueryprofile()
|
genqueryprofile()
|
||||||
{
|
{
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test {
|
$test {
|
||||||
file,
|
file,
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
genprofile --append image=$qprof --stdin <<EOF
|
||||||
$qprof {
|
$qprof {
|
||||||
$@
|
$@
|
||||||
}
|
}
|
||||||
|
|
|
@ -116,14 +116,16 @@ ns="ns"
|
||||||
prof="stackonexec"
|
prof="stackonexec"
|
||||||
nstest=":${ns}:${prof}"
|
nstest=":${ns}:${prof}"
|
||||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test {
|
$test {
|
||||||
file,
|
file,
|
||||||
audit deny $otherfile $okperm,
|
audit deny $otherfile $okperm,
|
||||||
audit deny $thirdfile $okperm,
|
audit deny $thirdfile $okperm,
|
||||||
change_profile -> &$nstest,
|
change_profile -> &$nstest,
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
genprofile --append image=$nstest --stdin <<EOF
|
||||||
$nstest {
|
$nstest {
|
||||||
file,
|
file,
|
||||||
audit deny $file $okperm,
|
audit deny $file $okperm,
|
||||||
|
@ -166,8 +168,10 @@ runchecktest "STACKONEXEC (complain mode - okcon)" pass -o $othertest -- $test -
|
||||||
|
|
||||||
# Verify that stacking with a bare namespace is handled. The process is placed
|
# Verify that stacking with a bare namespace is handled. The process is placed
|
||||||
# into the default profile of the namespace, which is unconfined.
|
# into the default profile of the namespace, which is unconfined.
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test { file, change_profile, }
|
$test { file, change_profile, }
|
||||||
|
EOF
|
||||||
|
genprofile --append image=$nstest --stdin <<EOF
|
||||||
$nstest { }
|
$nstest { }
|
||||||
EOF
|
EOF
|
||||||
runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:" -- $test -l unconfined -m "(null)"
|
runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:" -- $test -l unconfined -m "(null)"
|
||||||
|
|
|
@ -115,13 +115,15 @@ ns="ns"
|
||||||
prof="stackprofile"
|
prof="stackprofile"
|
||||||
nstest=":${ns}:${prof}"
|
nstest=":${ns}:${prof}"
|
||||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test {
|
$test {
|
||||||
file,
|
file,
|
||||||
audit deny $otherfile $okperm,
|
audit deny $otherfile $okperm,
|
||||||
change_profile -> &$nstest,
|
change_profile -> &$nstest,
|
||||||
}
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
genprofile --append image=$nstest --stdin <<EOF
|
||||||
$nstest {
|
$nstest {
|
||||||
$otherfile $okperm,
|
$otherfile $okperm,
|
||||||
$sharedfile $okperm,
|
$sharedfile $okperm,
|
||||||
|
@ -167,8 +169,10 @@ runchecktest "STACKPROFILE (complain mode - file)" pass -p $othertest -f $file
|
||||||
runchecktest "STACKPROFILE (complain mode - okcon)" pass -p $othertest -l "${test}//&${othertest}" -m complain
|
runchecktest "STACKPROFILE (complain mode - okcon)" pass -p $othertest -l "${test}//&${othertest}" -m complain
|
||||||
|
|
||||||
# Verify that stacking with a bare namespace is handled
|
# Verify that stacking with a bare namespace is handled
|
||||||
genprofile --stdin <<EOF
|
genprofile image=$test --stdin <<EOF
|
||||||
$test { file, change_profile, }
|
$test { file, change_profile, }
|
||||||
|
EOF
|
||||||
|
genprofile --append image=$nstest --stdin <<EOF
|
||||||
$nstest { }
|
$nstest { }
|
||||||
EOF
|
EOF
|
||||||
runchecktest "STACKPROFILE (bare :ns:)" pass -p ":${ns}:"
|
runchecktest "STACKPROFILE (bare :ns:)" pass -p ":${ns}:"
|
||||||
|
|