Merge Add test for nfs file access

Add test to verify that file access on a mounted NFS share is determined by file rules and not network rules. This relies on a kernel patch, so the tests are marked xpass. https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/895 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 08:24:42 +01:00 · 2022-10-28 12:34:31 +00:00 · 2022-10-28 12:34:31 +00:00 · 7f83444f93
commit 7f83444f93
parent b911ca16d9 421223c757
2 changed files with 97 additions and 1 deletions
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@ -256,7 +256,8 @@ TESTS=aa_exec \
      unlink\
      xattrs\
      xattrs_profile\
-      longpath
+      longpath \
+      nfs

 #only do dbus if proper libs are installl
 ifneq (,$(shell pkg-config --exists dbus-1 && echo TRUE))
--- a/tests/regression/apparmor/nfs.sh
+++ b/tests/regression/apparmor/nfs.sh
@ -0,0 +1,95 @@
+#! /bin/bash
+#	Copyright (C) 2022 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME nfs
+#=DESCRIPTION 
+# This test verifies that file access on a mounted NFS share is determined
+# by file rules and not network rules.
+# https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+srcdir=$tmpdir/src
+mntdir=$tmpdir/mnt
+file1=$mntdir/file1
+file2=$mntdir/file2
+file3=$mntdir/file3
+file4=$mntdir/file4
+newdir=$mntdir/dir/
+exportline="$srcdir localhost(rw,sync,no_subtree_check)"
+fileperm=rw
+dirperm=w
+nfsport1=111
+nfsport2=2049
+
+cleanup_nfs()
+{
+	umount -fq "$mntdir"
+	sed -i "\|^$srcdir|d" "/etc/exports" 2>/dev/null
+	exportfs -ar >/dev/null 2>&1
+}
+
+# Skip this test if NFS server is not available
+nfs_not_available()
+{
+	echo "NFS server not available. Skipping tests ..."
+	exit 0
+}
+
+do_onexit="cleanup_nfs"
+mkdir -p $srcdir
+chmod 777 $srcdir
+mkdir -p $mntdir
+
+# Export and mount directory over NFS
+systemctl --quiet is-active nfs-server || nfs_not_available
+echo "$exportline" >> "/etc/exports"
+exportfs -ar || nfs_not_available
+mount "localhost:$srcdir" "$mntdir" || nfs_not_available
+
+settest open
+
+# PASS TEST
+# Caching can cause this test to pass even on kernels where the nfs bug is
+# present.
+genprofile $file1:$fileperm
+runchecktest "OPEN RW (nfs file create) " xpass $file1
+
+# PASS TEST
+# Dropping caches should only pass on kernels where the nfs bug has been fixed.
+genprofile $file2:$fileperm
+sync; echo 3 > /proc/sys/vm/drop_caches
+runchecktest "OPEN RW (nfs file create after cache drop) " xpass $file2
+
+if [ "$(kernel_features network)" == "true" -o \
+	   "$(kernel_features network_v8)" == "true" ]; then
+	# PASS TEST
+	# Allowing network streams and file access should pass regardless
+	genprofile "network:inet stream" $file3:$fileperm
+	sync; echo 3 > /proc/sys/vm/drop_caches
+	runchecktest "OPEN RW (nfs file create with net permissions) " pass $file3
+
+	# FAIL TEST
+	# Allowing only network streams should fail regardless
+	genprofile "network:inet stream"
+	sync; echo 3 > /proc/sys/vm/drop_caches
+	runchecktest "OPEN RW (nfs file create with net permissions without file permissions) " fail $file4
+fi
+
+# PASS TEST
+# Verify directory creation behaves as expected over nfs
+settest mkdir
+genprofile $newdir:$dirperm
+sync; echo 3 > /proc/sys/vm/drop_caches
+runchecktest "MKDIR (nfs confined)" xpass mkdir $newdir