Merge fixes on the testing infrastructure
This MR is meant to resolve warnings such as "Warning: execname '/home/username/Documents/apparmor/tests/regression/apparmor/file_unbindable_mount': no such file or directory" when running tests like the one in the current version of !1448. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1450 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
commit
59957aa1d8
11 changed files with 67 additions and 31 deletions
|
@ -31,11 +31,12 @@ genprofile_aa_exec()
|
|||
mode="(complain) "
|
||||
fi
|
||||
fi
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$1 --stdin <<EOF
|
||||
$1 ${mode}{
|
||||
file,
|
||||
}
|
||||
|
||||
EOF
|
||||
genprofile --append image=:${ns}:${1} --stdin <<EOF
|
||||
:${ns}:${1} ${mode}{
|
||||
file,
|
||||
}
|
||||
|
@ -81,11 +82,12 @@ genprofile_aa_exec "$test" 0
|
|||
runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
|
||||
|
||||
if [ "$(parser_supports 'all,')" = "true" ]; then
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
all,
|
||||
}
|
||||
|
||||
EOF
|
||||
genprofile --append image=:${ns}:${test} --stdin <<EOF
|
||||
:${ns}:${test} {
|
||||
all,
|
||||
}
|
||||
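Review bot: The new `image=$1` and `image=:${ns}:${1}` arguments in genprofile_aa_exec are unquoted, so a test path containing whitespace or glob characters would be split or expanded before genprofile's `case "$1" in image=*)` parsing sees it, and the profile would likely be keyed to a different name than the binary the test executes. Quoting keeps the argument intact: `genprofile image="$1" --stdin <<EOF` and `genprofile --append image=":${ns}:${1}" --stdin <<EOF`. The same unquoted `image=` form is added in the second hunk of this file (`image=$test`, `image=:${ns}:${test}`) and in the genprofile calls of the other test scripts on this page. genprofile_aa_exec's body starts and ends outside the hunk.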
|
|
|
@ -80,8 +80,10 @@ runchecktest_errno EACCES "CHANGEPROFILE_RE (nochange access subfile)" fail noch
|
|||
runchecktest_errno EACCES "CHANGEPROFILE_RE (access file)" fail $fqsubtest $file
|
||||
runchecktest "CHANGEPROFILE_RE (access sub file)" pass $fqsubtest $subfile
|
||||
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test { file, change_profile -> ${nstest}, }
|
||||
EOF
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest { $subfile ${okperm}, }
|
||||
EOF
|
||||
expected_result=pass
|
||||
|
@ -103,8 +105,10 @@ else
|
|||
runchecktest "CHANGEPROFILE_STACK (access file)" fail "&$othertest" $file
|
||||
runchecktest "CHANGEPROFILE_STACK (access stack file)" pass "&$othertest" $stackfile
|
||||
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test { file, audit deny $subfile $okperm, $stackfile $okperm, change_profile -> &${nstest}, }
|
||||
EOF
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest { $subfile $okperm, $stackfile $okperm, }
|
||||
EOF
|
||||
runchecktest "CHANGEPROFILE_NS_STACK (nochange access file)" pass nochange $file
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
gendbusprofile()
|
||||
{
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
${__dbus_var_decl}
|
||||
$test {
|
||||
@{gen $test}
|
||||
|
|
|
@ -34,7 +34,7 @@ load_and_verify() {
|
|||
# Write to cache
|
||||
parser_args="${parser_config} -q -W"
|
||||
|
||||
echo "profile $prof {}" | genprofile --stdin
|
||||
echo "profile $prof {}" | genprofile image=$prof --stdin
|
||||
|
||||
cache_md5=$(cat $cache_dir/profile | md5sum | awk '{ print $1 }')
|
||||
|
||||
|
|
|
@ -111,14 +111,16 @@ ns="ns"
|
|||
prof="stackprofile"
|
||||
nstest=":${ns}:${prof}"
|
||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
file,
|
||||
audit deny $otherfile $okperm,
|
||||
audit deny $thirdfile $okperm,
|
||||
$test ix -> &$nstest,
|
||||
}
|
||||
EOF
|
||||
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest {
|
||||
file,
|
||||
audit deny $file $okperm,
|
||||
|
|
|
@ -42,7 +42,7 @@ genprofile_ns() {
|
|||
|
||||
# override the sys_profiles variable with a bad path so that genprofile
|
||||
# doesn't perform profile load checking in the wrong policy namespace
|
||||
echo "${prefix}:${ns}:${prof} {}" | sys_profiles="${sys_profiles}XXX" genprofile --stdin
|
||||
echo "${prefix}:${ns}:${prof} {}" | sys_profiles="${sys_profiles}XXX" genprofile image=:${ns}:${prof} --stdin
|
||||
echo "$ns"
|
||||
}
|
||||
|
||||
|
|
|
@ -99,7 +99,7 @@ else
|
|||
|
||||
#Verify that NNP allows stacking a new policy namespace
|
||||
#must use stdin with genprofile for namespaces
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
@{gen_bin $test}
|
||||
@{gen_def}
|
||||
|
@ -107,6 +107,8 @@ $test {
|
|||
/proc/*/attr/current w,
|
||||
change_profile-> &:nnp:unconfined,
|
||||
}
|
||||
EOF
|
||||
genprofile --append image=:nnp:$bin/open --stdin <<EOF
|
||||
:nnp:$bin/open {
|
||||
@{gen_bin $bin/open}
|
||||
@{gen_def}
|
||||
|
@ -120,7 +122,7 @@ EOF
|
|||
runchecktest "NNP (stack :nnp:open - no NNP)" fail -p ":nnp:$bin/open" -f "$file"
|
||||
runchecktest "NNP (stack :nnp:open - NNP)" fail -n -p ":nnp:$bin/open" -f "$file"
|
||||
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
@{gen_bin $test}
|
||||
@{gen_def}
|
||||
|
@ -128,6 +130,8 @@ $test {
|
|||
/proc/*/attr/current w,
|
||||
change_profile-> &:nnp:$bin/open,
|
||||
}
|
||||
EOF
|
||||
genprofile --append image=:nnp:$bin/open --stdin <<EOF
|
||||
:nnp:$bin/open {
|
||||
@{gen_bin $bin/open}
|
||||
@{gen_def}
|
||||
|
|
|
@ -420,6 +420,7 @@ fi
|
|||
|
||||
complainflag=""
|
||||
mkflags=""
|
||||
append="false"
|
||||
while /bin/true
|
||||
do
|
||||
case "$1" in
|
||||
|
@ -431,12 +432,15 @@ fi
|
|||
;;
|
||||
"-I") mkflags="${mkflags} -I"
|
||||
;;
|
||||
"--append") append="true"
|
||||
;;
|
||||
*) break
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if [ "$append" = "false" ]; then
|
||||
# save previous profile
|
||||
if [ -f $profile ]
|
||||
then
|
||||
|
@ -446,10 +450,13 @@ fi
|
|||
|
||||
echo "abi <kernel>," >$profile
|
||||
num_emitted=0
|
||||
else
|
||||
num_emmited=$(wc -l < "$profilenames")
|
||||
fi
|
||||
|
||||
while /bin/true
|
||||
do
|
||||
imagename=$test
|
||||
imagename=$testbin
|
||||
|
||||
# image/subhat allows overriding of the default
|
||||
# imagename which is based on the testname
|
||||
|
@ -457,7 +464,7 @@ fi
|
|||
# it is most often used after --, in fact it is basically
|
||||
# mandatory after --
|
||||
case "$1" in
|
||||
image=*) imagename=`echo $1 | sed 's/^image=\([^:]*\).*$/\1/'`
|
||||
image=*) imagename=`echo $1 | sed 's/^image=\(.*\)$/\1/'`
|
||||
num_emitted=0
|
||||
shift
|
||||
;;
|
||||
|
@ -495,9 +502,12 @@ fi
|
|||
break
|
||||
done
|
||||
|
||||
if [ $append == "true" ]
|
||||
then
|
||||
replaceprofile
|
||||
# if old and new profiles consist of the same entries
|
||||
# we can do a replace, else remove/reload
|
||||
if [ $profileloaded -eq 1 ]
|
||||
elif [ $profileloaded -eq 1 ]
|
||||
then
|
||||
names1=$tmpdir/sorted1
|
||||
names2=$tmpdir/sorted2
|
||||
|
@ -622,6 +632,11 @@ settest()
|
|||
fatalerror "settest, illegal usage"
|
||||
fi
|
||||
|
||||
# store testbin name from testexec so that testexec represents
|
||||
# what will be executed - allowing for a change of username
|
||||
# with sudo -u
|
||||
testbin=$testexec
|
||||
|
||||
if [ ! -z "$username" ]
|
||||
then
|
||||
testexec="sudo -u $username $testexec"
|
||||
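Review bot: In the new `else` branch of the append check, `num_emmited=$(wc -l < "$profilenames")` assigns a misspelled variable, so `num_emitted` (the name initialised with `num_emitted=0` in the non-append branch and again in the `image=*)` arm) is never set from the existing profile-name count when `--append` is used. It should read `num_emitted=$(wc -l < "$profilenames")`. Even with the spelling fixed, every `--append` call on this page also passes `image=…`, and that arm resets `num_emitted=0`, so it is worth confirming which value the code after the loop is meant to see; that code is outside the visible hunks. The later test `[ $append == "true" ]` would also be more consistent with the earlier `[ "$append" = "false" ]` if written as `[ "$append" = "true" ]`.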
|
|
|
@ -40,11 +40,12 @@ dbus_svc_query="session com.foo.baz"
|
|||
# granting anything specified in $@.
|
||||
genqueryprofile()
|
||||
{
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
file,
|
||||
}
|
||||
|
||||
EOF
|
||||
genprofile --append image=$qprof --stdin <<EOF
|
||||
$qprof {
|
||||
$@
|
||||
}
|
||||
|
|
|
@ -116,14 +116,16 @@ ns="ns"
|
|||
prof="stackonexec"
|
||||
nstest=":${ns}:${prof}"
|
||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
file,
|
||||
audit deny $otherfile $okperm,
|
||||
audit deny $thirdfile $okperm,
|
||||
change_profile -> &$nstest,
|
||||
}
|
||||
EOF
|
||||
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest {
|
||||
file,
|
||||
audit deny $file $okperm,
|
||||
|
@ -166,8 +168,10 @@ runchecktest "STACKONEXEC (complain mode - okcon)" pass -o $othertest -- $test -
|
|||
|
||||
# Verify that stacking with a bare namespace is handled. The process is placed
|
||||
# into the default profile of the namespace, which is unconfined.
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test { file, change_profile, }
|
||||
EOF
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest { }
|
||||
EOF
|
||||
runchecktest "STACKONEXEC (bare :ns:)" pass -o ":${ns}:" -- $test -l unconfined -m "(null)"
|
||||
|
|
|
@ -115,13 +115,15 @@ ns="ns"
|
|||
prof="stackprofile"
|
||||
nstest=":${ns}:${prof}"
|
||||
# Verify file access and contexts by stacking a profile with a namespaced profile
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test {
|
||||
file,
|
||||
audit deny $otherfile $okperm,
|
||||
change_profile -> &$nstest,
|
||||
}
|
||||
EOF
|
||||
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest {
|
||||
$otherfile $okperm,
|
||||
$sharedfile $okperm,
|
||||
|
@ -167,8 +169,10 @@ runchecktest "STACKPROFILE (complain mode - file)" pass -p $othertest -f $file
|
|||
runchecktest "STACKPROFILE (complain mode - okcon)" pass -p $othertest -l "${test}//&${othertest}" -m complain
|
||||
|
||||
# Verify that stacking with a bare namespace is handled
|
||||
genprofile --stdin <<EOF
|
||||
genprofile image=$test --stdin <<EOF
|
||||
$test { file, change_profile, }
|
||||
EOF
|
||||
genprofile --append image=$nstest --stdin <<EOF
|
||||
$nstest { }
|
||||
EOF
|
||||
runchecktest "STACKPROFILE (bare :ns:)" pass -p ":${ns}:"
|
||||
|
|