diff --git a/tests/regression/apparmor/aa_exec.sh b/tests/regression/apparmor/aa_exec.sh index 9ef1f5355..57241a72c 100755 --- a/tests/regression/apparmor/aa_exec.sh +++ b/tests/regression/apparmor/aa_exec.sh @@ -19,7 +19,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" ns=aa_exec_ns @@ -42,7 +42,7 @@ $1 ${mode}{ EOF } -settest aa_exec_profile ${bin}/aa_exec_wrapper.sh +settest aa_exec_profile "${bin}/aa_exec_wrapper.sh" genprofile_aa_exec "$test" 0 runchecktest "unconfined" pass "$aa_exec" "unconfined" diff --git a/tests/regression/apparmor/aa_policy_cache.sh b/tests/regression/apparmor/aa_policy_cache.sh index 1bac452e6..72c9760ff 100755 --- a/tests/regression/apparmor/aa_policy_cache.sh +++ b/tests/regression/apparmor/aa_policy_cache.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" # cacheloc is the top level directory of cache directories cacheloc="$tmpdir/cache" diff --git a/tests/regression/apparmor/access.sh b/tests/regression/apparmor/access.sh index 189526ec0..56252f6b4 100644 --- a/tests/regression/apparmor/access.sh +++ b/tests/regression/apparmor/access.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file diff --git a/tests/regression/apparmor/at_secure.sh b/tests/regression/apparmor/at_secure.sh index 452114e8c..7a05983eb 100755 --- a/tests/regression/apparmor/at_secure.sh +++ b/tests/regression/apparmor/at_secure.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" settest transition at_secure=$pwd/at_secure diff --git a/tests/regression/apparmor/attach_disconnected.sh b/tests/regression/apparmor/attach_disconnected.sh index b0a43862f..74a1a213c 100644 --- a/tests/regression/apparmor/attach_disconnected.sh +++ b/tests/regression/apparmor/attach_disconnected.sh 
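Review bot: The quoted `. "$bin/prologue.inc"` in the aa_exec.sh `@@ -19,7` hunk still depends on an unquoted expansion just above it: the context shows `cd $pwd ; /bin/pwd` inside the `pwd=` assignment, so a checkout path containing whitespace is split before `bin` is set. Because the two commands are joined with `;`, a failed `cd` goes unnoticed and `/bin/pwd` then reports the caller's working directory, so `prologue.inc` would be sourced from there instead of the test directory. I would change the assignment to `pwd=$(cd "$pwd" && /bin/pwd)` in the same pass, along with `pwd=$(dirname "$0")`, which is visible in the capabilities.sh hunk. The same preamble sits above every prologue hunk in this patch, including the `$(...)` form in net_raw.sh.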
@@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" settest unix_fd_server disk_img=$tmpdir/disk_img @@ -28,7 +28,7 @@ file=$tmpdir/file socket=$tmpdir/unix_fd_test att_dis_client=$pwd/attach_disconnected -. $bin/mount.inc +. "$bin/mount.inc" attach_disconnected_cleanup() { if [ ! -z "$loop_device" ]; then diff --git a/tests/regression/apparmor/capabilities.sh b/tests/regression/apparmor/capabilities.sh index 446a28372..c3ff7d61c 100755 --- a/tests/regression/apparmor/capabilities.sh +++ b/tests/regression/apparmor/capabilities.sh @@ -27,7 +27,7 @@ pwd=`dirname $0` pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" TESTS="syscall_ptrace syscall_sethostname \ syscall_setdomainname syscall_setpriority syscall_setscheduler \ 
@@ -139,18 +139,18 @@ for TEST in ${TESTS} ; do # okay, now check to see if the capability functions from within # a subprofile. settest ${testwrapper} - genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries} + genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" ${my_entries} if [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ] ; then # ptrace between profiles confining tasks of same pid is controlled by the ptrace rule # capability + ptrace rule needed between pids - runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST} ${my_arg} + runchecktest "${TEST} changehat -- no caps" pass "$bin/${TEST}" ${my_arg} else - runchecktest "${TEST} changehat -- no caps" fail $bin/${TEST} ${my_arg} + runchecktest "${TEST} changehat -- no caps" fail "$bin/${TEST}" ${my_arg} fi # all capabilities allowed - genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries} - runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg} + genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" cap:ALL ${my_entries} + runchecktest "${TEST} changehat -- all caps" ${expected} "$bin/${TEST}" ${my_arg} for cap in ${CAPABILITIES} ; do if [ ${expected} = "fail" ]; then @@ -162,8 +162,8 @@ for TEST in ${TESTS} ; do else expected_result=fail fi - genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:${cap} ${my_entries} - runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} $bin/${TEST} ${my_arg} + genprofile "hat:$bin/${TEST}" "addimage:${bin}/${TEST}" cap:${cap} ${my_entries} + runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} "$bin/${TEST}" ${my_arg} done done diff --git a/tests/regression/apparmor/changehat.sh b/tests/regression/apparmor/changehat.sh index 64f74eb40..53a4aab09 100755 --- a/tests/regression/apparmor/changehat.sh +++ b/tests/regression/apparmor/changehat.sh 
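Review bot: `${my_entries}` and `${my_arg}` stay unquoted beside the newly quoted path arguments in every `genprofile`/`runchecktest` call of the capabilities.sh `@@ -139,18` hunk, and again in `@@ -162,8`. Presumably they hold several whitespace-separated entries and rely on word splitting, but nothing in the visible lines says so. A comment above the first `genprofile`, such as `# my_entries/my_arg are word lists: leave unquoted so they split into separate arguments`, would stop a later quoting pass from collapsing them into a single argument and silently changing the generated profile. The `for TEST` loop begins outside the hunk, so where the two variables are assigned is not visible here.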
@@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file subfile=$tmpdir/file2 diff --git a/tests/regression/apparmor/changehat_fork.sh b/tests/regression/apparmor/changehat_fork.sh index ecf0151de..240e85643 100755 --- a/tests/regression/apparmor/changehat_fork.sh +++ b/tests/regression/apparmor/changehat_fork.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file subfile=$tmpdir/file2 diff --git a/tests/regression/apparmor/changehat_misc.sh b/tests/regression/apparmor/changehat_misc.sh index d6876a1dc..5ccba2794 100755 --- a/tests/regression/apparmor/changehat_misc.sh +++ b/tests/regression/apparmor/changehat_misc.sh @@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file subfile=$tmpdir/file2 @@ -77,7 +77,7 @@ runchecktest "CHANGEHAT (bad token)" signal9 ${subtest} settest changehat_wrapper -genprofile hat:open addimage:${bin}/open ${file}:${okperm} +genprofile hat:open "addimage:${bin}/open" ${file}:${okperm} runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open ${file} runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0 --exit_hat open ${file} diff --git a/tests/regression/apparmor/changeprofile.sh b/tests/regression/apparmor/changeprofile.sh index 2c57e210f..f79e67735 100755 --- a/tests/regression/apparmor/changeprofile.sh +++ b/tests/regression/apparmor/changeprofile.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file subfile=$tmpdir/file2 diff --git a/tests/regression/apparmor/chdir.sh b/tests/regression/apparmor/chdir.sh index 63ae62f45..96d799b2f 100755 --- a/tests/regression/apparmor/chdir.sh +++ b/tests/regression/apparmor/chdir.sh @@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" dir=$tmpdir/tmpdir 
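Review bot: In the changehat_misc.sh `@@ -77,7` hunk only the `$bin` half of the argument list is quoted: `${file}:${okperm}` on the changed `genprofile` line and `open ${file}` on the `runchecktest` lines below it are still subject to word splitting. `file` is assigned from `$tmpdir` earlier in the file, and how `tmpdir` is chosen is not visible here, so this matters only if the temporary directory can also sit under a path with whitespace. If it can, `"${file}:${okperm}"` and `"${file}"` belong in the same change. The same half-quoted pattern recurs with `$file` in the fd_inheritance.sh and onexec.sh hunks and with `$target`/`$linkfile` in link_subset.sh.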
diff --git a/tests/regression/apparmor/clone.sh b/tests/regression/apparmor/clone.sh index feec8a154..411e9e0ce 100644 --- a/tests/regression/apparmor/clone.sh +++ b/tests/regression/apparmor/clone.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" # TEST1 unconfined diff --git a/tests/regression/apparmor/coredump.sh b/tests/regression/apparmor/coredump.sh index acfd89c99..a8e22e0c2 100644 --- a/tests/regression/apparmor/coredump.sh +++ b/tests/regression/apparmor/coredump.sh @@ -63,7 +63,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" coreperm=r nocoreperm=ix diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh index 189fc16b9..2022667fb 100755 --- a/tests/regression/apparmor/dbus_eavesdrop.sh +++ b/tests/regression/apparmor/dbus_eavesdrop.sh @@ -17,10 +17,10 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features dbus requires_parser_support "dbus," -. $bin/dbus.inc +. "$bin/dbus.inc" args="--session" diff --git a/tests/regression/apparmor/dbus_message.sh b/tests/regression/apparmor/dbus_message.sh index 882997eb6..dda03cc23 100755 --- a/tests/regression/apparmor/dbus_message.sh +++ b/tests/regression/apparmor/dbus_message.sh @@ -17,10 +17,10 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features dbus requires_parser_support "dbus," -. $bin/dbus.inc +. "$bin/dbus.inc" listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames" diff --git a/tests/regression/apparmor/dbus_service.sh b/tests/regression/apparmor/dbus_service.sh index 4daf74dd7..d44965af4 100755 --- a/tests/regression/apparmor/dbus_service.sh +++ b/tests/regression/apparmor/dbus_service.sh 
@@ -16,10 +16,10 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features dbus requires_parser_support "dbus," -. $bin/dbus.inc +. "$bin/dbus.inc" service="--$bus --name=$dest $path $iface" unconfined_log="${tmpdir}/unconfined.log" diff --git a/tests/regression/apparmor/dbus_unrequested_reply.sh b/tests/regression/apparmor/dbus_unrequested_reply.sh index 6b6d658c3..3b9260653 100644 --- a/tests/regression/apparmor/dbus_unrequested_reply.sh +++ b/tests/regression/apparmor/dbus_unrequested_reply.sh @@ -16,10 +16,10 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features dbus requires_parser_support "dbus," -. $bin/dbus.inc +. "$bin/dbus.inc" service="--$bus --name=$dest $path $iface" unconfined_log="${tmpdir}/unconfined.log" diff --git a/tests/regression/apparmor/deleted.sh b/tests/regression/apparmor/deleted.sh index 01bb035a2..cef2c3950 100755 --- a/tests/regression/apparmor/deleted.sh +++ b/tests/regression/apparmor/deleted.sh @@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file file2="$tmpdir/file (deleted)" diff --git a/tests/regression/apparmor/e2e.sh b/tests/regression/apparmor/e2e.sh index cceba8992..fd238859a 100755 --- a/tests/regression/apparmor/e2e.sh +++ b/tests/regression/apparmor/e2e.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" # load_and_verify - Generate and load a profile, then verify that raw_data # matches the generated cached policy diff --git a/tests/regression/apparmor/environ.sh b/tests/regression/apparmor/environ.sh index 33a0c8bd5..fe6f49053 100644 --- a/tests/regression/apparmor/environ.sh +++ b/tests/regression/apparmor/environ.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" helper=$pwd/env_check setuid_helper=${tmpdir}/env_check 
diff --git a/tests/regression/apparmor/exec.sh b/tests/regression/apparmor/exec.sh index 3172dc124..366baa80c 100755 --- a/tests/regression/apparmor/exec.sh +++ b/tests/regression/apparmor/exec.sh @@ -14,7 +14,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" cp -pL /bin/true ${tmpdir}/true file=${tmpdir}/true diff --git a/tests/regression/apparmor/exec_qual.sh b/tests/regression/apparmor/exec_qual.sh index 5f80735eb..d1088f056 100755 --- a/tests/regression/apparmor/exec_qual.sh +++ b/tests/regression/apparmor/exec_qual.sh @@ -19,7 +19,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=/etc/group 
@@ -72,71 +72,71 @@ local_runchecktest() # child profile grants access # expected behaviour: child should be able to access resource -genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive -local_runchecktest "enforce px case1" pass $test2 $test2 $file +genprofile "$test2:px" $file:$fileperm signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive +local_runchecktest "enforce px case1" pass "$test2" "$test2" $file # case 2: parent profile grants access (should be irrelevant) # child profile disallows access # expected behaviour: child should be unable to access resource -genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined -- image=$test2 signal:receive -local_runchecktest "enforce px case2" fail $test2 $test2 $file +genprofile "$test2:px" $file:$fileperm signal:receive:peer=unconfined -- "image=$test2" signal:receive +local_runchecktest "enforce px case2" fail "$test2" "$test2" $file # case 3: parent profile disallows access (should be irrelevant) # child profile allows access # expected behaviour: child should be able to access resource -genprofile $test2:px signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive -local_runchecktest "enforce px case3" pass $test2 $test2 $file +genprofile "$test2:px" signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive +local_runchecktest "enforce px case3" pass "$test2" "$test2" $file # case 4: parent profile grants access (should be irrelevant) # missing child profile # expected behaviour: exec of child fails -genprofile $test2:px $file:$fileperm signal:receive:peer=unconfined -local_runchecktest "enforce px case4" fail "n/a" $test2 $file +genprofile "$test2:px" $file:$fileperm signal:receive:peer=unconfined +local_runchecktest "enforce px case4" fail "n/a" "$test2" $file # confined parent, exec child with 'ix' # case 1: parent profile grants access # child profile grants access 
(should be irrelevant) # expected behaviour: child should be able to access resource -genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive -local_runchecktest "enforce ix case1" pass $test1 $test2 $file +genprofile "$test2:rix" $file:$fileperm signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive +local_runchecktest "enforce ix case1" pass "$test1" "$test2" $file # case 2: parent profile grants access # child profile disallows access (should be irrelevant) # expected behaviour: child should be able to access resource -genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined -- image=$test2 signal:receive -local_runchecktest "enforce ix case2" pass $test1 $test2 $file +genprofile "$test2:rix" $file:$fileperm signal:receive:peer=unconfined -- "image=$test2" signal:receive +local_runchecktest "enforce ix case2" pass "$test1" "$test2" $file # case 3: parent profile disallows access # child profile allows access (should be irrelevant) # expected behaviour: child should be unable to access resource -genprofile $test2:rix signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive -local_runchecktest "enforce ix case3" fail $test1 $test2 $file +genprofile "$test2:rix" signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive +local_runchecktest "enforce ix case3" fail "$test1" "$test2" $file # case 4: parent profile grants access # missing child profile (irrelevant) # expected behaviour: child should be able to access resource -genprofile $test2:rix $file:$fileperm signal:receive:peer=unconfined -local_runchecktest "enforce ix case4" pass $test1 $test2 $file +genprofile "$test2:rix" $file:$fileperm signal:receive:peer=unconfined +local_runchecktest "enforce ix case4" pass "$test1" "$test2" $file # confined parent, exec child with 'ux' # case 1: parent profile grants access (should be irrelevant) # expected behaviour, child should be 
able to access resource genprofile $test2:ux $file:$fileperm signal:receive:peer=unconfined -local_runchecktest "enforce ux case1" pass "unconfined" $test2 $file +local_runchecktest "enforce ux case1" pass "unconfined" "$test2" $file # case 2: parent profile denies access (should be irrelevant) # expected behaviour, child should be able to access resource genprofile $test2:ux signal:receive:peer=unconfined -local_runchecktest "enforce ux case1" pass "unconfined" $test2 $file +local_runchecktest "enforce ux case1" pass "unconfined" "$test2" $file # confined parent, exec child with conflicting exec qualifiers # that overlap in such away that px is preferred (ix is glob, px is exact 
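Review bot: The two `genprofile $test2:ux ...` lines in the 'ux' cases near the end of this exec_qual.sh hunk were left unquoted, although every other `$test2` in the hunk, including the `local_runchecktest` calls directly under them, is now quoted. Assuming `$test2` is a path under `$bin` like the other helpers, they should read `genprofile "$test2:ux" $file:$fileperm signal:receive:peer=unconfined` and `genprofile "$test2:ux" signal:receive:peer=unconfined`. While these lines are being touched, the second ux test is still labelled `"enforce ux case1"` under the `# case 2` comment. Renaming it to `"enforce ux case2"` would keep a failure in the denying-parent case distinguishable in the log.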
@@ -144,27 +144,27 @@ local_runchecktest "enforce ux case1" pass "unconfined" $test2 $file # case 1: # expected behaviour: exec of child passes -genprofile $test2:px $test2_rex1:ix signal:receive:peer=unconfined -- image=$test2 $file:$fileperm signal:receive -local_runchecktest "enforce conflicting exec qual" pass $test2 $test2 $file +genprofile "$test2:px" "$test2_rex1:ix" signal:receive:peer=unconfined -- "image=$test2" $file:$fileperm signal:receive +local_runchecktest "enforce conflicting exec qual" pass "$test2" "$test2" $file # unconfined parent # case 1: child profile exists, child profile grants access # expected behaviour: child should be able to access resource -genprofile image=$test2 $file:$fileperm signal:receive:peer=unconfined -local_runchecktest "enforce unconfined case1" pass $test2 $test2 $file +genprofile "image=$test2" $file:$fileperm signal:receive:peer=unconfined +local_runchecktest "enforce unconfined case1" pass "$test2" "$test2" $file # case 2: child profile exists, child profile denies access # expected behaviour: child should be unable to access resource -genprofile image=$test2 signal:receive:peer=unconfined -local_runchecktest "enforce unconfined case2" fail $test2 $test2 $file +genprofile "image=$test2" signal:receive:peer=unconfined +local_runchecktest "enforce unconfined case2" fail "$test2" "$test2" $file # case 3: no child profile exists, unconfined # expected behaviour: child should be able to access resource removeprofile -local_runchecktest "enforce unconfined case3" pass "unconfined" $test2 $file +local_runchecktest "enforce unconfined case3" pass "unconfined" "$test2" $file # ----------------------------------------------------------------------- diff --git a/tests/regression/apparmor/exec_stack.sh b/tests/regression/apparmor/exec_stack.sh index 417ad92df..d6fa8ec4c 100755 --- a/tests/regression/apparmor/exec_stack.sh +++ b/tests/regression/apparmor/exec_stack.sh 
@@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features domain/stack settest transition diff --git a/tests/regression/apparmor/fchdir.sh b/tests/regression/apparmor/fchdir.sh index 0db338e77..4dd92ca69 100755 --- a/tests/regression/apparmor/fchdir.sh +++ b/tests/regression/apparmor/fchdir.sh @@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" dir=$tmpdir/tmpdir/ diff --git a/tests/regression/apparmor/fd_inheritance.sh b/tests/regression/apparmor/fd_inheritance.sh index 1356ae823..6f2725a90 100755 --- a/tests/regression/apparmor/fd_inheritance.sh +++ b/tests/regression/apparmor/fd_inheritance.sh @@ -29,7 +29,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file inheritor=$bin/fd_inheritor 
@@ -43,34 +43,34 @@ d3e773e2a4a0cc9d7e28eb217a4241ce 1437d6c55ef788d3bcd27ab14e9382a9 EOF -runchecktest "fd inheritance; unconfined -> unconfined" pass $file $inheritor +runchecktest "fd inheritance; unconfined -> unconfined" pass $file "$inheritor" -genprofile $file:$okperm $inheritor:Ux -runchecktest "fd inheritance; confined -> unconfined" pass $file $inheritor +genprofile $file:$okperm "$inheritor:Ux" +runchecktest "fd inheritance; confined -> unconfined" pass $file "$inheritor" -genprofile $file:$badperm $inheritor:Ux -runchecktest "fd inheritance; confined (bad perm) -> unconfined" fail $file $inheritor +genprofile $file:$badperm "$inheritor:Ux" +runchecktest "fd inheritance; confined (bad perm) -> unconfined" fail $file "$inheritor" -genprofile $inheritor:Ux -runchecktest "fd inheritance; confined (no perm) -> unconfined" fail $file $inheritor +genprofile "$inheritor:Ux" +runchecktest "fd inheritance; confined (no perm) -> unconfined" fail $file "$inheritor" -genprofile image=$inheritor $file:$okperm -runchecktest "fd inheritance; unconfined -> confined" pass $file $inheritor +genprofile "image=$inheritor" $file:$okperm +runchecktest "fd inheritance; unconfined -> confined" pass $file "$inheritor" -genprofile image=$inheritor -runchecktest "fd inheritance; unconfined -> confined (no perm)" pass $file $inheritor +genprofile "image=$inheritor" +runchecktest "fd inheritance; unconfined -> confined (no perm)" pass $file "$inheritor" -genprofile $file:$okperm $inheritor:Px -- image=$inheritor $file:$okperm -runchecktest "fd inheritance; confined -> confined" pass $file $inheritor +genprofile $file:$okperm "$inheritor:Px" -- "image=$inheritor" $file:$okperm +runchecktest "fd inheritance; confined -> confined" pass $file "$inheritor" -genprofile $file:$badperm $inheritor:Px -- image=$inheritor $file:$okperm -runchecktest "fd inheritance; confined (bad perm) -> confined" fail $file $inheritor +genprofile $file:$badperm "$inheritor:Px" -- "image=$inheritor" 
$file:$okperm +runchecktest "fd inheritance; confined (bad perm) -> confined" fail $file "$inheritor" -genprofile $inheritor:Px -- image=$inheritor $file:$okperm -runchecktest "fd inheritance; confined (no perm) -> confined" fail $file $inheritor +genprofile "$inheritor:Px" -- "image=$inheritor" $file:$okperm +runchecktest "fd inheritance; confined (no perm) -> confined" fail $file "$inheritor" -genprofile $file:$okperm $inheritor:Px -- image=$inheritor $file:$badperm -runchecktest "fd inheritance; confined -> confined (bad perm)" fail $file $inheritor +genprofile $file:$okperm "$inheritor:Px" -- "image=$inheritor" $file:$badperm +runchecktest "fd inheritance; confined -> confined (bad perm)" fail $file "$inheritor" -genprofile $file:$okperm $inheritor:Px -- image=$inheritor -runchecktest "fd inheritance; confined -> confined (no perm)" fail $file $inheritor +genprofile $file:$okperm "$inheritor:Px" -- "image=$inheritor" +runchecktest "fd inheritance; confined -> confined (no perm)" fail $file "$inheritor" diff --git a/tests/regression/apparmor/fork.sh b/tests/regression/apparmor/fork.sh index 36fddf32f..efc52feb2 100755 --- a/tests/regression/apparmor/fork.sh +++ b/tests/regression/apparmor/fork.sh @@ -19,7 +19,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file1=$tmpdir/file1 file2=$tmpdir/file2 diff --git a/tests/regression/apparmor/i18n.sh b/tests/regression/apparmor/i18n.sh index 43e4fab23..f8ae8d43f 100755 --- a/tests/regression/apparmor/i18n.sh +++ b/tests/regression/apparmor/i18n.sh @@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" okperm=rw badperm1=r diff --git a/tests/regression/apparmor/introspect.sh b/tests/regression/apparmor/introspect.sh index e397da4f0..87a11fd40 100644 --- a/tests/regression/apparmor/introspect.sh +++ b/tests/regression/apparmor/introspect.sh 
@@ -14,7 +14,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" ok_ix_perm=rix badperm=r diff --git a/tests/regression/apparmor/io_uring.sh b/tests/regression/apparmor/io_uring.sh index 92e8002a2..a399c62be 100755 --- a/tests/regression/apparmor/io_uring.sh +++ b/tests/regression/apparmor/io_uring.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features io_uring requires_parser_support "io_uring," diff --git a/tests/regression/apparmor/link.sh b/tests/regression/apparmor/link.sh index d670c463a..ef6114ff0 100755 --- a/tests/regression/apparmor/link.sh +++ b/tests/regression/apparmor/link.sh @@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" target=$tmpdir/target linkfile=$tmpdir/linkfile diff --git a/tests/regression/apparmor/link_subset.sh b/tests/regression/apparmor/link_subset.sh index 73b3a1881..6ab723fa6 100644 --- a/tests/regression/apparmor/link_subset.sh +++ b/tests/regression/apparmor/link_subset.sh @@ -20,13 +20,13 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" target=$tmpdir/target_ linkfile=$tmpdir/link_ -tfiles=`$bin/link_subset --filenames $target` -lfiles=`$bin/link_subset --filenames $linkfile` +tfiles=`"$bin/link_subset" --filenames $target` +lfiles=`"$bin/link_subset" --filenames $linkfile` # unconfined test - no target file #runchecktest "unconfined - no target" fail $target $linkfile diff --git a/tests/regression/apparmor/longpath.sh b/tests/regression/apparmor/longpath.sh index e10e1a4b4..2fb5bd848 100644 --- a/tests/regression/apparmor/longpath.sh +++ b/tests/regression/apparmor/longpath.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" genrandname() { diff --git a/tests/regression/apparmor/mkdir.sh b/tests/regression/apparmor/mkdir.sh index beb027855..ce31b59bc 100755 --- a/tests/regression/apparmor/mkdir.sh 
+++ b/tests/regression/apparmor/mkdir.sh @@ -14,7 +14,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" dir=$tmpdir/tmpdir/ perms=w diff --git a/tests/regression/apparmor/mmap.sh b/tests/regression/apparmor/mmap.sh index 1d3a90289..c18162761 100755 --- a/tests/regression/apparmor/mmap.sh +++ b/tests/regression/apparmor/mmap.sh @@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/src okperm=rw diff --git a/tests/regression/apparmor/mount.sh b/tests/regression/apparmor/mount.sh index 046252f41..fd87898b0 100755 --- a/tests/regression/apparmor/mount.sh +++ b/tests/regression/apparmor/mount.sh @@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" ## ## A. MOUNT @@ -33,7 +33,7 @@ mount_bad=$tmpdir/mountbad loop_device="unset" fstype="ext2" -. $bin/mount.inc +. "$bin/mount.inc" setup_mnt() { /bin/mount -n -t${fstype} ${loop_device} ${mount_point} diff --git a/tests/regression/apparmor/mult_mount.sh b/tests/regression/apparmor/mult_mount.sh index ae4749a3e..e5f4fce5f 100644 --- a/tests/regression/apparmor/mult_mount.sh +++ b/tests/regression/apparmor/mult_mount.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" cleandir() { diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh index ded5f1990..a8859aa30 100755 --- a/tests/regression/apparmor/named_pipe.sh +++ b/tests/regression/apparmor/named_pipe.sh @@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" fifo=${tmpdir}/pipe diff --git a/tests/regression/apparmor/namespaces.sh b/tests/regression/apparmor/namespaces.sh index 9cd2bc3dd..8533f56c5 100755 --- a/tests/regression/apparmor/namespaces.sh +++ b/tests/regression/apparmor/namespaces.sh 
@@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_namespace_interface # unique_ns - Print a randomly generated, unused namespace identifier to stdout diff --git a/tests/regression/apparmor/net_inet.sh b/tests/regression/apparmor/net_inet.sh index 5504e5e8f..8451c9c12 100644 --- a/tests/regression/apparmor/net_inet.sh +++ b/tests/regression/apparmor/net_inet.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features network_v8/af_inet requires_parser_support "network ip=::1," @@ -67,11 +67,11 @@ do_tests() settest net_inet_rcv $generate_profile - do_test "$prefix - root" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender $sender + do_test "$prefix - root" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender "$sender" settest -u "foo" net_inet_rcv $generate_profile - do_test "$prefix - user" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender $sender + do_test "$prefix - user" $expect_rcv --bind_ip $bind_ip --bind_port $bind_port --remote_ip $remote_ip --remote_port $remote_port --protocol $protocol --timeout 5 --sender "$sender" } diff --git a/tests/regression/apparmor/net_raw.sh b/tests/regression/apparmor/net_raw.sh index 6b4304ca6..61ecfad2a 100755 --- a/tests/regression/apparmor/net_raw.sh +++ b/tests/regression/apparmor/net_raw.sh @@ -17,7 +17,7 @@ pwd=$(cd $pwd ; /bin/pwd) bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" dir=$tmpdir/tmpdir diff --git a/tests/regression/apparmor/nfs.sh b/tests/regression/apparmor/nfs.sh index e31cc00fc..43d16e243 100755 --- a/tests/regression/apparmor/nfs.sh +++ b/tests/regression/apparmor/nfs.sh 
@@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" srcdir=$tmpdir/src mntdir=$tmpdir/mnt diff --git a/tests/regression/apparmor/nnp.sh b/tests/regression/apparmor/nnp.sh index b948f8947..6a03c3b85 100755 --- a/tests/regression/apparmor/nnp.sh +++ b/tests/regression/apparmor/nnp.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" settest transition diff --git a/tests/regression/apparmor/onexec.sh b/tests/regression/apparmor/onexec.sh index a1223b317..df2566ea5 100644 --- a/tests/regression/apparmor/onexec.sh +++ b/tests/regression/apparmor/onexec.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" settest transition file=$tmpdir/file 
@@ -53,75 +53,75 @@ do_test() # ONEXEC from UNCONFINED - don't change profile -do_test "" unconfined nochange pass $bin/open $file +do_test "" unconfined nochange pass "$bin/open" $file # ONEXEC from UNCONFINED - target does NOT exist -genprofile image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open -do_test "" unconfined noexist fail $bin/open $file +genprofile "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" +do_test "" unconfined noexist fail "$bin/open" $file # ONEXEC from UNCONFINED - change to rw profile, no exec profile to override -genprofile image=$bin/rw $bin/open:rix $file:rw -do_test "no px profile" unconfined $bin/rw pass $bin/open $file +genprofile "image=$bin/rw" "$bin/open:rix" $file:rw +do_test "no px profile" unconfined "$bin/rw" pass "$bin/open" $file # ONEXEC from UNCONFINED - don't change profile, make sure exec profile is applied -genprofile image=$bin/rw $bin/open:px $file:rw -- image=$bin/open $file:rw -do_test "nochange px" unconfined nochange pass $bin/open $file +genprofile "image=$bin/rw" "$bin/open:px" $file:rw -- "image=$bin/open" $file:rw +do_test "nochange px" unconfined nochange pass "$bin/open" $file # ONEXEC from UNCONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms -genprofile image=$bin/rw $bin/open:px $file:rw -- image=$bin/open -do_test "override px" unconfined $bin/rw pass $bin/open $file +genprofile "image=$bin/rw" "$bin/open:px" $file:rw -- "image=$bin/open" +do_test "override px" unconfined "$bin/rw" pass "$bin/open" $file #------ # ONEXEC from CONFINED - don't change profile, open can't exec -genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -do_test "no px perm" $test nochange fail $bin/open $file +genprofile "change_profile->:$bin/rw" $exec_w $attrs_r +do_test "no px perm" $test nochange fail "$bin/open" $file # ONEXEC from CONFINED - don't change profile, open is run unconfined -genprofile 'change_profile->':$bin/rw $bin/open:rux $exec_w $attrs_r -do_test 
"nochange rux" $test nochange pass $bin/open $file +genprofile "change_profile->:$bin/rw" "$bin/open:rux" $exec_w $attrs_r +do_test "nochange rux" $test nochange pass "$bin/open" $file # ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms -genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/open $file:rw -do_test "nochange px - no px perm" $test nochange fail $bin/open $file +genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/open" $file:rw +do_test "nochange px - no px perm" $test nochange fail "$bin/open" $file # ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms -genprofile 'change_profile->':$bin/rw $bin/open:rpx $exec_w $attrs_r -- image=$bin/open -do_test "nochange px - no file perm" $test nochange fail $bin/open $file +genprofile "change_profile->:$bin/rw" "$bin/open:rpx" $exec_w $attrs_r -- "image=$bin/open" +do_test "nochange px - no file perm" $test nochange fail "$bin/open" $file # ONEXEC from CONFINED - target does NOT exist -genprofile 'change_profile->':$bin/open $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open -do_test "noexist px" $test noexist fail $bin/open $file +genprofile "change_profile->:$bin/open" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" +do_test "noexist px" $test noexist fail "$bin/open" $file # ONEXEC from CONFINED - change to rw profile, no exec profile to override -genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -do_test "change profile - override rix" $test $bin/rw pass $bin/open $file +genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw +do_test "change profile - override rix" $test "$bin/rw" pass "$bin/open" $file # ONEXEC from CONFINED - change to rw profile, no exec profile to override, no explicit write access to /proc/*/attr/exec -genprofile 
'change_profile->':$bin/rw $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -do_test "change profile - no exec_w" $test $bin/rw pass $bin/open $file +genprofile "change_profile->:$bin/rw" $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw +do_test "change profile - no exec_w" $test "$bin/rw" pass "$bin/open" $file # ONEXEC from CONFINED - don't change profile, make sure exec profile is applied -genprofile 'change_profile->':$bin/rw $exec_w $attrs_r $bin/open:rpx -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw -do_test "nochange px" $test nochange pass $bin/open $file +genprofile "change_profile->:$bin/rw" $exec_w $attrs_r "$bin/open:rpx" -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" $file:rw +do_test "nochange px" $test nochange pass "$bin/open" $file # ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms -genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open -do_test "override px" $test $bin/rw pass $bin/open $file +genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" +do_test "override px" $test "$bin/rw" pass "$bin/open" $file # ONEXEC from - change to rw profile, override regular exec profile, exec profile has perms, rw doesn't -genprofile 'change_profile->':$bin/rw $exec_w $attrs_r -- image=$bin/rw $bin/open:rix -- image=$bin/open $file:rw -do_test "override px" $test $bin/rw fail $bin/open $file +genprofile "change_profile->:$bin/rw" $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" -- "image=$bin/open" $file:rw +do_test "override px" $test "$bin/rw" fail "$bin/open" $file # ONEXEC from COFINED - change to rw profile via glob rule, override exec profile, exec profile doesn't have perms -genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open -do_test "glob override px" $test $bin/rw 
pass $bin/open $file +genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" +do_test "glob override px" $test "$bin/rw" pass "$bin/open" $file # ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile doesn't have perms -genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open -do_test "glob override px" $test $bin/open fail $bin/open $file +genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" +do_test "glob override px" $test "$bin/open" fail "$bin/open" $file # ONEXEC from COFINED - change to exec profile via glob rule, override exec profile, exec profile has perms -genprofile 'change_profile->':/** $exec_w $attrs_r -- image=$bin/rw $bin/open:rix $file:rw -- image=$bin/open $file:rw -do_test "glob override px" $test $bin/rw pass $bin/open $file +genprofile 'change_profile->':/** $exec_w $attrs_r -- "image=$bin/rw" "$bin/open:rix" $file:rw -- "image=$bin/open" $file:rw +do_test "glob override px" $test "$bin/rw" pass "$bin/open" $file diff --git a/tests/regression/apparmor/open.sh b/tests/regression/apparmor/open.sh index 0c8b0c2a6..1d666fd47 100755 --- a/tests/regression/apparmor/open.sh +++ b/tests/regression/apparmor/open.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file okperm=rw diff --git a/tests/regression/apparmor/openat.sh b/tests/regression/apparmor/openat.sh index d814ba0c4..a681466bb 100755 --- a/tests/regression/apparmor/openat.sh +++ b/tests/regression/apparmor/openat.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" dir=${tmpdir} subdir=deleteme diff --git a/tests/regression/apparmor/owlsm.sh b/tests/regression/apparmor/owlsm.sh index f25937d33..282a9e999 100644 --- a/tests/regression/apparmor/owlsm.sh 
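Review bot: The three glob-rule lines in onexec.sh keep `'change_profile->':/**` with `/**` outside the quotes, so that word is still a candidate for pathname expansion, while every other `change_profile->` argument in this hunk was folded into a single double-quoted string. Quoting the whole word keeps the rule literal regardless of shell glob options: `genprofile 'change_profile->:/**' $exec_w $attrs_r -- ...`. `$file` and `$file:rw` are also left unquoted although `file=$tmpdir/file` is path-derived in the same way as `$bin`; `"$file"` and `"$file:rw"` would complete the change. The same applies to `$file:$okperm` and `$file:$badperm1` in the sd_flags.sh hunk.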
+++ b/tests/regression/apparmor/owlsm.sh @@ -26,7 +26,7 @@ pwd=$(cd ${pwd} ; /bin/pwd) bin=${pwd} -. ${bin}/prologue.inc +. "${bin}/prologue.inc" target=file1 source=file2 diff --git a/tests/regression/apparmor/pipe.sh b/tests/regression/apparmor/pipe.sh index de8bd23bd..11b9b960c 100755 --- a/tests/regression/apparmor/pipe.sh +++ b/tests/regression/apparmor/pipe.sh @@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" subtest=sub diff --git a/tests/regression/apparmor/pivot_root.sh b/tests/regression/apparmor/pivot_root.sh index 5643eb851..ee13cc97e 100755 --- a/tests/regression/apparmor/pivot_root.sh +++ b/tests/regression/apparmor/pivot_root.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" disk_img=$tmpdir/disk_img new_root=$tmpdir/new_root/ @@ -26,7 +26,7 @@ bad=$tmpdir/BAD/ proc=$new_root/proc fstype="ext2" -. $bin/mount.inc +. "$bin/mount.inc" pivot_root_cleanup() { mountpoint -q "$proc" diff --git a/tests/regression/apparmor/posix_mq.sh b/tests/regression/apparmor/posix_mq.sh index 9a2c92edd..40c3919d7 100755 --- a/tests/regression/apparmor/posix_mq.sh +++ b/tests/regression/apparmor/posix_mq.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features ipc/posix_mqueue requires_parser_support "mqueue," @@ -35,8 +35,8 @@ echo "$user:password" | sudo chpasswd userid=$(id -u $user) # workaround to not have to set o+x -chmod 6755 $receiver -setcap cap_dac_read_search+pie $receiver +chmod 6755 "$receiver" +setcap cap_dac_read_search+pie "$receiver" cleanup() { 
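Review bot: The comment above `chmod 6755 "$receiver"` in posix_mq.sh, and above the identical lines in sysv_mq.sh, says only "workaround to not have to set o+x", which does not explain why the receiver is made setuid/setgid and given `cap_dac_read_search+pie`. These two lines put a setuid/setgid binary carrying a file capability into the test tree, so the comment should state which access the bits stand in for and that they are test-only. Whether `cleanup()` clears the mode bits and the capability again is not visible, because its body starts where the hunk ends; if it does not, a `setcap -r "$receiver"` and a `chmod` back to the original mode there would be worth adding.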
@@ -65,16 +65,16 @@ do_tests() all_args=("$@") rest_args=("${all_args[@]:5}") - do_test "$prefix" "$expect_send" $sender "$expect_recv" -c $sender -k $queuename "${rest_args[@]}" + do_test "$prefix" "$expect_send" "$sender" "$expect_recv" -c "$sender" -k $queuename "${rest_args[@]}" # notify requires netlink permissions - do_test "$prefix : mq_notify" "$expect_send" $sender "$expect_recv" -c $sender -k $queuename -n mq_notify -p $pipe "${rest_args[@]}" + do_test "$prefix : mq_notify" "$expect_send" "$sender" "$expect_recv" -c "$sender" -k $queuename -n mq_notify -p $pipe "${rest_args[@]}" - do_test "$prefix : select" "$expect_open" -c $sender -k $queuename -n select "${rest_args[@]}" + do_test "$prefix : select" "$expect_open" -c "$sender" -k $queuename -n select "${rest_args[@]}" - do_test "$prefix : poll" "$expect_open" -c $sender -k $queuename -n poll "${rest_args[@]}" + do_test "$prefix : poll" "$expect_open" -c "$sender" -k $queuename -n poll "${rest_args[@]}" - do_test "$prefix : epoll" "$expect_open" -c $sender -k $queuename -n epoll "${rest_args[@]}" + do_test "$prefix : epoll" "$expect_open" -c "$sender" -k $queuename -n epoll "${rest_args[@]}" } 
@@ -88,15 +88,15 @@ for username in "root" "$userid" ; do do_tests "unconfined $username" pass pass pass pass $usercmd # No mqueue perms - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" "$pipe:rw" -- image=$sender "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" "$pipe:rw" -- "image=$sender" "$pipe:rw" do_tests "confined $username - no perms" fail fail fail fail $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- "image=$sender" "deny mqueue" "$pipe:rw" do_tests "confined $username - deny perms" fail fail fail fail $usercmd if [ "$(parser_supports 'all,')" = "true" ]; then - genprofile "all" -- image=$sender "all" + genprofile "all" -- "image=$sender" "all" do_tests "confined $username - allow all" pass pass pass pass $usercmd fi 
@@ -108,50 +108,50 @@ for username in "root" "$userid" ; do # apparmor when doing "root" username tests # * if doing the $userid set of tests and you see # Permission denied in the test output - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- image=$sender "mqueue" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue" "$pipe:rw" do_tests "confined $username - mqueue" pass pass pass pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:type=posix" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:type=posix" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:type=posix" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:type=posix" "$pipe:rw" do_tests "confined $username - mqueue type=posix" pass pass pass pass $usercmd # queue name - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:$queuename" "$pipe:rw" do_tests "confined $username - mqueue /name 1" pass pass pass pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:$queuename" "$pipe:rw" do_tests "confined $username - mqueue /name 2" pass pass pass pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" 
"$pipe:rw" -- image=$sender "mqueue" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue" "$pipe:rw" do_tests "confined $username - mqueue /name 3" pass pass pass pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:$queuename2" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:$queuename2" "$pipe:rw" do_tests "confined $username - mqueue /name 4" fail fail fail fail $usercmd -t 1 # specific permissions - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw" do_tests "confined $username - specific 1" pass pass pass pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw" do_tests "confined $username - specific 2" fail fail fail fail $usercmd -t 1 - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" 
"mqueue:(create,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw" do_tests "confined $username - specific 3" fail fail fail fail $usercmd -t 1 - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw" do_tests "confined $username - specific 4" fail fail fail fail $usercmd -t 1 - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw" do_tests "confined $username - specific 5" pass pass pass pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:write" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:write" "$pipe:rw" do_tests "confined $username - specific 6" pass pass pass pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:read" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:read" "$pipe:rw" do_tests "confined $username - specific 
7" fail fail fail fail $usercmd -t 1 # unconfined receiver - genprofile image=$sender "mqueue" + genprofile "image=$sender" "mqueue" do_tests "confined sender $username - unconfined receiver" pass pass pass pass $usercmd @@ -161,12 +161,12 @@ for username in "root" "$userid" ; do # queue label - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:label=$receiver" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:label=$receiver" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:label=$receiver" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:label=$receiver" "$pipe:rw" do_tests "confined $username - mqueue label 1" xpass xpass xpass xpass $usercmd # queue name and label - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete):type=posix:label=$receiver:$queuename" "$sender:px" "$pipe:rw" -- image=$sender "mqueue:(open,write):type=posix:label=$receiver:$queuename" "$pipe:rw" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete):type=posix:label=$receiver:$queuename" "$sender:px" "$pipe:rw" -- "image=$sender" "mqueue:(open,write):type=posix:label=$receiver:$queuename" "$pipe:rw" do_tests "confined $username - mqueue label 2" xpass xpass xpass xpass $usercmd # ensure we are cleaned up for next pass diff --git a/tests/regression/apparmor/ptrace.sh b/tests/regression/apparmor/ptrace.sh index ab025c846..2dfc60e81 100755 --- a/tests/regression/apparmor/ptrace.sh +++ b/tests/regression/apparmor/ptrace.sh @@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" # Read permission was required for a confined process to be able to be traced # using ptrace. This stopped being required or functioning correctly 
@@ -56,7 +56,7 @@ runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper ${bin_true} if [ "$(kernel_features ptrace)" = "true" -a "$(parser_supports 'ptrace,')" = "true" ] ; then - . $bin/ptrace_v6.inc + . "$bin/ptrace_v6.inc" else - . $bin/ptrace_v5.inc + . "$bin/ptrace_v5.inc" fi diff --git a/tests/regression/apparmor/pwrite.sh b/tests/regression/apparmor/pwrite.sh index f86310d99..5e0198f0f 100755 --- a/tests/regression/apparmor/pwrite.sh +++ b/tests/regression/apparmor/pwrite.sh @@ -14,7 +14,7 @@ pwd=`cd $pwd ; pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=${tmpdir}/pwrite okperm=rw diff --git a/tests/regression/apparmor/query_label.sh b/tests/regression/apparmor/query_label.sh index 654772735..89aa8165e 100755 --- a/tests/regression/apparmor/query_label.sh +++ b/tests/regression/apparmor/query_label.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_query_interface settest query_label diff --git a/tests/regression/apparmor/readdir.sh b/tests/regression/apparmor/readdir.sh index 87cc4aae7..a50910f1b 100755 --- a/tests/regression/apparmor/readdir.sh +++ b/tests/regression/apparmor/readdir.sh @@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" dir=$tmpdir/tmpdir # x is not really needed, see chdir.sh diff --git a/tests/regression/apparmor/regex.sh b/tests/regression/apparmor/regex.sh index ef1d038d8..9a0f1bdc1 100755 --- a/tests/regression/apparmor/regex.sh +++ b/tests/regression/apparmor/regex.sh @@ -22,7 +22,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file file2=$tmpdir/filealpha diff --git a/tests/regression/apparmor/rename.sh b/tests/regression/apparmor/rename.sh index c5a24a096..75a494961 100644 --- a/tests/regression/apparmor/rename.sh +++ b/tests/regression/apparmor/rename.sh 
@@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file1=$tmpdir/file1 file2=$tmpdir/file2 diff --git a/tests/regression/apparmor/rw.sh b/tests/regression/apparmor/rw.sh index 309b44439..09fb8c3b0 100755 --- a/tests/regression/apparmor/rw.sh +++ b/tests/regression/apparmor/rw.sh @@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/src okperm=rw diff --git a/tests/regression/apparmor/sd_flags.sh b/tests/regression/apparmor/sd_flags.sh index f08211810..41481219c 100755 --- a/tests/regression/apparmor/sd_flags.sh +++ b/tests/regression/apparmor/sd_flags.sh @@ -14,7 +14,7 @@ pwd=$(cd $pwd ; /bin/pwd) bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" settest open 
@@ -58,56 +58,56 @@ settest changehat_wrapper # audit alone # PASS TEST (noflags) -genprofile hat:open addimage:${bin}/open $file:$okperm +genprofile hat:open "addimage:${bin}/open" $file:$okperm runchecktest "SD_FLAGS HAT/OPEN RW (noflags)" pass open $file # PASS TEST 1 (audit) -genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm +genprofile flag:audit hat:open "addimage:${bin}/open" $file:$okperm runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file # PASS TEST 2 (audit) -genprofile hat:open addimage:${bin}/open $file:$okperm flag:audit +genprofile hat:open "addimage:${bin}/open" $file:$okperm flag:audit runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file # PASS TEST 3 (audit) -genprofile flag:audit hat:open addimage:${bin}/open $file:$okperm flag:audit +genprofile flag:audit hat:open "addimage:${bin}/open" $file:$okperm flag:audit runchecktest "SD_FLAGS HAT/OPEN RW (audit)" pass open $file # FAILURE TEST 1 (audit) -genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 +genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file # FAILURE TEST 2 (audit) -genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:audit +genprofile hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file # FAILURE TEST 3 (audit) -genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:audit +genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit runchecktest "SD_FLAGS HAT/OPEN R (audit)" fail open $file # complain alone # PASS TEST 1 (complain) -genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm +genprofile flag:complain hat:open "addimage:${bin}/open" $file:$okperm runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file # PASS TEST 2 (complain) -genprofile hat:open addimage:${bin}/open $file:$okperm flag:complain +genprofile hat:open 
"addimage:${bin}/open" $file:$okperm flag:complain runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file # PASS TEST 3 (complain) -genprofile flag:complain hat:open addimage:${bin}/open $file:$okperm flag:complain +genprofile flag:complain hat:open "addimage:${bin}/open" $file:$okperm flag:complain runchecktest "SD_FLAGS HAT/OPEN RW (complain)" pass open $file # FAILURE TEST 1 (complain) -genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 +genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 runchecktest "SD_FLAGS HAT/OPEN R (complain)" fail open $file # PASS TEST 4 (complain) -genprofile hat:open addimage:${bin}/open $file:$badperm1 flag:complain +genprofile hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file # PASS TEST 5 (complain) -genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:complain +genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file # PASS TEST 6 (complain) no hat defined @@ -116,10 +116,10 @@ runchecktest "SD_FLAGS HAT/OPEN R (complain)" pass open $file # audit + complain # PASS TEST 3 (audit+complain) -genprofile flag:audit hat:open addimage:${bin}/open $file:$badperm1 flag:complain +genprofile flag:audit hat:open "addimage:${bin}/open" $file:$badperm1 flag:complain runchecktest "SD_FLAGS HAT/OPEN RW (audit+complain)" pass open $file # FAILURE TEST 3 (complain+audit) -genprofile flag:complain hat:open addimage:${bin}/open $file:$badperm1 flag:audit +genprofile flag:complain hat:open "addimage:${bin}/open" $file:$badperm1 flag:audit runchecktest "SD_FLAGS HAT/OPEN R (complain+audit)" fail open $file diff --git a/tests/regression/apparmor/setattr.sh b/tests/regression/apparmor/setattr.sh index b49fcd9be..2c9b88e1e 100644 --- a/tests/regression/apparmor/setattr.sh +++ b/tests/regression/apparmor/setattr.sh 
@@ -47,7 +47,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file dir="$tmpdir/dir/" diff --git a/tests/regression/apparmor/socketpair.sh b/tests/regression/apparmor/socketpair.sh index 5d94f4c1e..69839906b 100755 --- a/tests/regression/apparmor/socketpair.sh +++ b/tests/regression/apparmor/socketpair.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features network/af_unix diff --git a/tests/regression/apparmor/stackonexec.sh b/tests/regression/apparmor/stackonexec.sh index 5cc8a8660..1b18bd2d9 100755 --- a/tests/regression/apparmor/stackonexec.sh +++ b/tests/regression/apparmor/stackonexec.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features domain/stack settest transition diff --git a/tests/regression/apparmor/stackprofile.sh b/tests/regression/apparmor/stackprofile.sh index 82cc3bb7a..c7d634a0f 100755 --- a/tests/regression/apparmor/stackprofile.sh +++ b/tests/regression/apparmor/stackprofile.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features domain/stack settest transition diff --git a/tests/regression/apparmor/swap.sh b/tests/regression/apparmor/swap.sh index 39de6d2af..2796c4798 100755 --- a/tests/regression/apparmor/swap.sh +++ b/tests/regression/apparmor/swap.sh @@ -21,7 +21,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" ## ## A. SWAP diff --git a/tests/regression/apparmor/symlink.sh b/tests/regression/apparmor/symlink.sh index f288a754f..d3f426c51 100755 --- a/tests/regression/apparmor/symlink.sh +++ b/tests/regression/apparmor/symlink.sh @@ -14,7 +14,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" src=$tmpdir/src1 target=$tmpdir/target 
diff --git a/tests/regression/apparmor/syscall.sh b/tests/regression/apparmor/syscall.sh index b9d68d471..721db98e3 100755 --- a/tests/regression/apparmor/syscall.sh +++ b/tests/regression/apparmor/syscall.sh @@ -20,7 +20,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" ## ## A. PTRACE diff --git a/tests/regression/apparmor/syscall_sysctl.sh b/tests/regression/apparmor/syscall_sysctl.sh index 647df403f..77742ec9d 100644 --- a/tests/regression/apparmor/syscall_sysctl.sh +++ b/tests/regression/apparmor/syscall_sysctl.sh @@ -20,7 +20,7 @@ sysctlbad=/proc/sys/kernel/sysrq bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" ## ## C. SYSCTL diff --git a/tests/regression/apparmor/sysv_mq.sh b/tests/regression/apparmor/sysv_mq.sh index 202d3da07..3f83f3bb2 100755 --- a/tests/regression/apparmor/sysv_mq.sh +++ b/tests/regression/apparmor/sysv_mq.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features ipc/sysv_mqueue requires_parser_support "mqueue," @@ -35,8 +35,8 @@ echo "$user:password" | sudo chpasswd userid=$(id -u $user) # workaround to not have to set o+x -chmod 6755 $receiver -setcap cap_dac_read_search+pie $receiver +chmod 6755 "$receiver" +setcap cap_dac_read_search+pie "$receiver" cleanup() { @@ -62,7 +62,7 @@ do_tests() all_args=("$@") rest_args=("${all_args[@]:2}") - do_test "$prefix" "$expect_send" -c $sender -k $qkey -s $semaphore "${rest_args[@]}" + do_test "$prefix" "$expect_send" -c "$sender" -k $qkey -s $semaphore "${rest_args[@]}" } for username in "root" "$userid" ; do 
@@ -75,10 +75,10 @@ for username in "root" "$userid" ; do do_tests "unconfined $username" pass $usercmd # No mqueue perms - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" -- image=$sender + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" -- "image=$sender" do_tests "confined $username - no perms" fail $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- image=$sender "deny mqueue" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- "image=$sender" "deny mqueue" do_tests "confined $username - deny perms" fail $usercmd # generic mqueue 
@@ -89,56 +89,56 @@ for username in "root" "$userid" ; do # apparmor when doing "root" username tests # * if doing the $userid set of tests and you see # Permission denied in the test output - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- image=$sender "mqueue" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- "image=$sender" "mqueue" do_tests "confined $username - mqueue" pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:type=sysv" "$sender:px" -- image=$sender "mqueue:type=sysv" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:type=sysv" "$sender:px" -- "image=$sender" "mqueue:type=sysv" do_tests "confined $username - mqueue type=sysv" pass $usercmd # queue name - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue:$qkey" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- "image=$sender" "mqueue:$qkey" do_tests "confined $username - mqueue /name 1" pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- image=$sender "mqueue:$qkey" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- "image=$sender" "mqueue:$qkey" do_tests "confined $username - mqueue /name 2" pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- "image=$sender" "mqueue" do_tests "confined $username - mqueue /name 3" pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue:$qkey2" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- 
"image=$sender" "mqueue:$qkey2" do_tests "confined $username - mqueue /name 4" fail $usercmd -t 1 # specific permissions - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)" do_tests "confined $username - specific 1" pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)" do_tests "confined $username - specific 2" fail $usercmd -t 1 - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)" do_tests "confined $username - specific 3" fail $usercmd -t 1 - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)" do_tests "confined $username - specific 4" fail $usercmd -t 1 # we need to remove queue since the previous test didn't ipcrm --queue-key $qkey >/dev/null 2>&1 - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" 
"mqueue:(create,read,delete,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)" do_tests "confined $username - specific 5" pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr)" "$sender:px" -- image=$sender "mqueue:(open,write)" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr)" "$sender:px" -- "image=$sender" "mqueue:(open,write)" do_tests "confined $username - specific 6" pass $usercmd - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,read)" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:(open,read)" do_tests "confined $username - specific 7" fail $usercmd -t 1 - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- "image=$sender" "mqueue:write" do_tests "confined $username - specific 7" fail $usercmd -t 1 # unconfined receiver - genprofile image=$sender "mqueue" + genprofile "image=$sender" "mqueue" do_tests "confined sender $username - unconfined receiver" pass $usercmd 
@@ -148,12 +148,12 @@ for username in "root" "$userid" ; do # queue label - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:label=$receiver" "$sender:px" -- image=$sender "mqueue:label=$receiver" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:label=$receiver" "$sender:px" -- "image=$sender" "mqueue:label=$receiver" do_tests "confined $username - mqueue label 1" xpass $usercmd # queue name and label - genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete):type=sysv:label=$receiver:$qkey" "$sender:px" -- image=$sender "mqueue:(open,write):type=sysv:label=$receiver:$qkey" + genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete):type=sysv:label=$receiver:$qkey" "$sender:px" -- "image=$sender" "mqueue:(open,write):type=sysv:label=$receiver:$qkey" do_tests "confined $username - mqueue label 2" xpass $usercmd diff --git a/tests/regression/apparmor/tcp.sh b/tests/regression/apparmor/tcp.sh index 7d528cb39..4e5ea6882 100755 --- a/tests/regression/apparmor/tcp.sh +++ b/tests/regression/apparmor/tcp.sh @@ -20,7 +20,7 @@ bin=$pwd # kernel feature supported # need to be able to query the parser if it supports the # kernel feature -. $bin/prologue.inc +. "$bin/prologue.inc" requires_any_of_kernel_features network network_v8 port=34567 diff --git a/tests/regression/apparmor/unix_fd_server.sh b/tests/regression/apparmor/unix_fd_server.sh index c4c410ae2..92624f3fe 100755 --- a/tests/regression/apparmor/unix_fd_server.sh +++ b/tests/regression/apparmor/unix_fd_server.sh @@ -18,7 +18,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=${tmpdir}/file socket=${tmpdir}/unix_fd_test diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh index 21c35e263..a1e496950 100644 --- a/tests/regression/apparmor/unix_socket_abstract.sh 
+++ b/tests/regression/apparmor/unix_socket_abstract.sh @@ -26,8 +26,8 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc -. $bin/unix_socket.inc +. "$bin/prologue.inc" +. "$bin/unix_socket.inc" requires_kernel_features policy/versions/v7 requires_kernel_features network/af_unix requires_parser_support "unix," diff --git a/tests/regression/apparmor/unix_socket_autobind.sh b/tests/regression/apparmor/unix_socket_autobind.sh index 3a183d753..de0a3774f 100644 --- a/tests/regression/apparmor/unix_socket_autobind.sh +++ b/tests/regression/apparmor/unix_socket_autobind.sh @@ -31,8 +31,8 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc -. $bin/unix_socket.inc +. "$bin/prologue.inc" +. "$bin/unix_socket.inc" requires_kernel_features policy/versions/v7 requires_kernel_features network/af_unix requires_parser_support "unix," diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh index 1566ec136..379786d4a 100755 --- a/tests/regression/apparmor/unix_socket_pathname.sh +++ b/tests/regression/apparmor/unix_socket_pathname.sh @@ -26,7 +26,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features policy/versions/v6 #af_mask for downgrade test af_unix for full test requires_any_of_kernel_features network/af_mask network_v8/af_mask 
@@ -112,19 +112,19 @@ testsocktype() # PASS - server w/ access to the file - genprofile $sockpath:$okserver $af_unix $client:Ux + genprofile $sockpath:$okserver $af_unix "$client:Ux" runchecktest "$testdesc; confined server w/ access ($okserver)" $ex_result $args removesockets $sockpath $client_sockpath # FAIL - server w/o access to the file - genprofile $af_unix $client:Ux + genprofile $af_unix "$client:Ux" runchecktest "$testdesc; confined server w/o access" fail $args removesockets $sockpath $client_sockpath # FAIL - server w/ bad access to the file - genprofile $sockpath:$badserver1 $af_unix $client:Ux + genprofile $sockpath:$badserver1 $af_unix "$client:Ux" runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args removesockets $sockpath $client_sockpath @@ -133,7 +133,7 @@ testsocktype() if [ -n "$badserver2" ] ; then # FAIL - server w/ bad access to the file - genprofile $sockpath:$badserver2 $af_unix $client:Ux + genprofile $sockpath:$badserver2 $af_unix "$client:Ux" runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args removesockets $sockpath $client_sockpath @@ -142,7 +142,7 @@ testsocktype() if [ -n "$af_unix_okserver" ] ; then # FAIL - server w/o af_unix access - genprofile $sockpath:$okserver $client:Ux + genprofile $sockpath:$okserver "$client:Ux" runchecktest "$testdesc; confined server w/o af_unix" fail $args removesockets $sockpath $client_sockpath @@ -152,7 +152,7 @@ testsocktype() for access in ${af_unix_okserver//,/ }; do # FAIL - server w/ a missing af_unix access - genprofile $sockpath:$okserver "unix:(${af_unix_okserver//$access/})" $client:Ux + genprofile $sockpath:$okserver "unix:(${af_unix_okserver//$access/})" "$client:Ux" runchecktest "$testdesc; confined server w/ a missing af_unix access ($access)" fail $args removesockets $sockpath $client_sockpath done 
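Review bot: In the unix_socket_pathname.sh hunks `$sockpath` is still expanded unquoted right beside the newly quoted `"$client:Ux"`, both in the genprofile arguments and in `removesockets $sockpath $client_sockpath`. If the socket path can sit under a directory whose name contains whitespace (its definition is not visible here), genprofile receives split words and the generated profile no longer matches what the test means to confine. Consider `genprofile "$sockpath:$okserver" $af_unix "$client:Ux"`, leaving `$af_unix` as it is, since it may be deliberately unquoted so that an empty value contributes no argument. The same half-quoted pattern remains in `-p $pipe` in the userns.sh hunks. The body of testsocktype starts and ends outside these hunks.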
@@ -170,32 +170,32 @@ testsocktype() # PASS - client w/ access to the file - genprofile $server -- image=$client $sockpath:$okclient $af_unix + genprofile $server -- "image=$client" $sockpath:$okclient $af_unix runchecktest "$testdesc; confined client w/ access ($okclient)" $ex_result $args removesockets $sockpath $client_sockpath # FAIL - client w/o access to the file - genprofile $server -- image=$client $af_unix + genprofile $server -- "image=$client" $af_unix runchecktest "$testdesc; confined client w/o access" fail $args removesockets $sockpath $client_sockpath # FAIL - client w/ bad access to the file - genprofile $server -- image=$client $sockpath:$badclient1 $af_unix + genprofile $server -- "image=$client" $sockpath:$badclient1 $af_unix runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args removesockets $sockpath $client_sockpath # FAIL - client w/ bad access to the file - genprofile $server -- image=$client $sockpath:$badclient2 + genprofile $server -- "image=$client" $sockpath:$badclient2 runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args removesockets $sockpath $client_sockpath if [ -n "$af_unix_okclient" ] ; then # FAIL - client w/o af_unix access - genprofile $server -- image=$client $sockpath:$okclient + genprofile $server -- "image=$client" $sockpath:$okclient runchecktest "$testdesc; confined client w/o af_unix" fail $args removesockets $sockpath $client_sockpath @@ -205,7 +205,7 @@ testsocktype() for access in ${af_unix_okclient//,/ }; do # FAIL - client w/ a missing af_unix access - genprofile $server -- image=$client $sockpath:$okclient "unix:(${af_unix_okclient//$access/})" + genprofile $server -- "image=$client" $sockpath:$okclient "unix:(${af_unix_okclient//$access/})" runchecktest "$testdesc; confined client w/ a missing af_unix access ($access)" fail $args removesockets $sockpath $client_sockpath done 
diff --git a/tests/regression/apparmor/unix_socket_unnamed.sh b/tests/regression/apparmor/unix_socket_unnamed.sh index 66bea0a5c..f1b3102c0 100644 --- a/tests/regression/apparmor/unix_socket_unnamed.sh +++ b/tests/regression/apparmor/unix_socket_unnamed.sh @@ -26,8 +26,8 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc -. $bin/unix_socket.inc +. "$bin/prologue.inc" +. "$bin/unix_socket.inc" requires_kernel_features policy/versions/v7 requires_kernel_features network/af_unix requires_parser_support "unix," diff --git a/tests/regression/apparmor/unlink.sh b/tests/regression/apparmor/unlink.sh index 2683a3a13..34821513b 100755 --- a/tests/regression/apparmor/unlink.sh +++ b/tests/regression/apparmor/unlink.sh @@ -17,7 +17,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file=$tmpdir/file okperm=rwix diff --git a/tests/regression/apparmor/userns.sh b/tests/regression/apparmor/userns.sh index 9df4e7b43..097ba96c5 100755 --- a/tests/regression/apparmor/userns.sh +++ b/tests/regression/apparmor/userns.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features namespaces/mask/userns_create requires_parser_support "userns," @@ -68,7 +68,7 @@ do_test() runchecktest "$desc unshare - root" $expect_root -u # unshare $generate_setns_profile - runchecktest "$desc setns - root" $expect_setns_root -s $userns_setns_bin -p $pipe # setns + runchecktest "$desc setns - root" $expect_setns_root -s "$userns_setns_bin" -p $pipe # setns settest -u "foo" userns # run tests as user foo $generate_profile # settest removes the profile, so load it here 
@@ -76,7 +76,7 @@ do_test() runchecktest "$desc unshare - user" $expect_user -u # unshare $generate_setns_profile - runchecktest "$desc setns - user" $expect_setns_user -s $userns_setns_bin -p $pipe # setns + runchecktest "$desc setns - user" $expect_setns_user -s "$userns_setns_bin" -p $pipe # setns } if [ -e $unprivileged_userns_clone_path ] && [ $unprivileged_userns_clone -eq 0 ]; then @@ -152,9 +152,9 @@ detail="apparmor_restrict_unprivileged_userns enabled" do_test "unconfined $detail" pass $user_testresult pass pass # it should work when running as user with cap_sys_admin -setcap cap_sys_admin+pie $bin/userns +setcap cap_sys_admin+pie "$bin/userns" do_test "unconfined cap_sys_admin $detail" pass pass pass pass # remove cap_sys_admin from binary -setcap cap_sys_admin= $bin/userns +setcap cap_sys_admin= "$bin/userns" run_confined_tests "$detail" diff --git a/tests/regression/apparmor/xattrs.sh b/tests/regression/apparmor/xattrs.sh index 341695aa3..c053a4fe7 100755 --- a/tests/regression/apparmor/xattrs.sh +++ b/tests/regression/apparmor/xattrs.sh @@ -34,7 +34,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" requires_kernel_features file/xattr diff --git a/tests/regression/apparmor/xattrs_profile.sh b/tests/regression/apparmor/xattrs_profile.sh index 41116ad15..e383a7641 100755 --- a/tests/regression/apparmor/xattrs_profile.sh +++ b/tests/regression/apparmor/xattrs_profile.sh @@ -16,7 +16,7 @@ pwd=`cd $pwd ; /bin/pwd` bin=$pwd -. $bin/prologue.inc +. "$bin/prologue.inc" file="$bin/xattrs_profile" 
@@ -26,14 +26,14 @@ requires_kernel_features policy/outofband # Clean up existing xattrs clean_xattr() { - setfattr --remove=user.foo $file 2> /dev/null || true - setfattr --remove=user.bar $file 2> /dev/null || true - setfattr --remove=user.spam $file 2> /dev/null || true + setfattr --remove=user.foo "$file" 2> /dev/null || true + setfattr --remove=user.bar "$file "2> /dev/null || true + setfattr --remove=user.spam "$file "2> /dev/null || true } set_xattr() { - setfattr --name="$1" --value="$2" $file + setfattr --name="$1" --value="$2" "$file" } clean_xattr
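Review bot: In clean_xattr the closing quote is misplaced on two of the new lines: `"$file "2> /dev/null` passes the single word `<file> 2` (trailing space plus the digit) to setfattr and redirects stdout instead of stderr. Because of `|| true` the failure is silent, so `user.bar` and `user.spam` are never removed from the real file, and stale attributes can survive into the later xattr-matching tests. The lines should read `setfattr --remove=user.bar "$file" 2> /dev/null || true` and `setfattr --remove=user.spam "$file" 2> /dev/null || true`, matching the `user.foo` line above them.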