Merge Write basic file complain-mode regression tests

The test "Complain mode profile (file exec cx permission entry)" currently will only pass on a Ubuntu Oracular system due to a kernel bugfix patch that has not yet been upstreamed or backported. Signed-off-by: Ryan Lee <ryan.lee@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1415 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 08:24:42 +01:00 · 2024-11-15 00:26:40 +00:00 · 2024-11-15 00:26:40 +00:00 · 926929da16
commit 926929da16
parent d0d6975a1f cb110eaf98
4 changed files with 74 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -230,6 +230,7 @@ tests/regression/apparmor/chgrp
 tests/regression/apparmor/chmod
 tests/regression/apparmor/chown
 tests/regression/apparmor/clone
+tests/regression/apparmor/complain
 tests/regression/apparmor/dbus_eavesdrop
 tests/regression/apparmor/dbus_message
 tests/regression/apparmor/dbus_service
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@ -90,6 +90,7 @@ SRC=access.c \
    chmod.c \
    chown.c \
    clone.c \
+    complain.c \
    coredump.c \
    deleted.c \
    environ.c \
@ -242,6 +243,7 @@ TESTS=aa_exec \
      changehat_misc \
      chdir \
      clone \
+      complain \
      coredump \
      deleted \
      e2e \
--- a/tests/regression/apparmor/complain.c
+++ b/tests/regression/apparmor/complain.c
@ -0,0 +1,38 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+void print_usage() {
+    fprintf(stderr, "Usage: ./complain (read|exec) [args]\n");
+}
+
+int main(int argc, char **argv) {
+    if (argc < 3) {
+        print_usage();
+        return 1;
+    }
+    if (strcmp(argv[1], "read") == 0) {
+        FILE *file = fopen(argv[2], "r");
+        if (file == NULL) {
+            perror("FAIL: Could not open file");
+            return 2;
+        }
+        long file_len = ftell(file);
+        if (file_len == -1) {
+            perror("FAIL: Could not get file len");
+            fclose(file);
+            return 1;
+        }
+        // Don't need to do anything else for now
+        fprintf(stderr, "PASS\n");
+        return 0;
+    } else if (strcmp(argv[1], "exec") == 0) {
+        execvp(argv[2], &argv[2]);
+        // execvp failed
+        fprintf(stderr, "FAIL: execvp of %s failed\n", argv[1]);
+        return 1;
+    } else {
+        print_usage();
+        return 1;
+    }
+}
--- a/tests/regression/apparmor/complain.sh
+++ b/tests/regression/apparmor/complain.sh
@ -0,0 +1,33 @@
+#! /bin/bash
+#	Copyright (C) 2024 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME complain
+#=DESCRIPTION
+# Verifies that complain-mode profiles work as expected and do not block
+# operations disallowed by policy
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. "$bin/prologue.inc"
+
+tmpfile=$tmpdir/file
+
+touch $tmpfile
+
+genprofile -C
+runchecktest "Complain mode profile (file read)" pass read $tmpfile
+runchecktest "Complain mode profile (file exec no permission entry)" pass exec echo PASS
+
+# This test will fail on a kernel that doesn't have
+# https://lists.ubuntu.com/archives/apparmor/2024-August/013338.html applied
+genprofile -C $(which echo):cx
+runchecktest "Complain mode profile (file exec cx permission entry)" pass exec echo PASS