mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge fix af_unix tests for v8 networking.

Browse source 
The unix network tests are not being run on a v8 network capable kernel. Under v8 there needs to be some adjustments to the tests because unix rules get downgraded to the socket rule ```network unix,``` which does not have the same set of conditionals or fine grained permissions, meaning some tests that would fail under af_unix (like missing permission tests) will pass under v8 network rules.

Signed-off-by: John Johansen <john.johansen@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/893
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
(cherry picked from commit 59b4109a8b)
Signed-off-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
John Johansen 2023-05-01 12:10:10 +00:00 committed by John Johansen
parent 0b85c03649
commit ba1aba4c00
17 changed files with 51 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
tests/regression/apparmor/aa_exec_wrapper.sh
View file

@ -16,7 +16,7 @@ fi
out=$($1 -- cat /proc/self/attr/current 2>&1)
rc=$?
if [ $rc -eq 0 ] && [ "$out" == "$2" ]; then
if [ $rc -eq 0 ] && [ "$out" = "$2" ]; then
echo PASS
exit 0
elif [ $rc -ne 0 ]; then

12
tests/regression/apparmor/capabilities.sh
View file

@ -97,7 +97,7 @@ for TEST in ${TESTS} ; do
# no capabilities allowed
genprofile ${my_entries}
if [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ] ; then
if [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ] ; then
# ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
# capability + ptrace rule needed between pids
runchecktest "${TEST} -- no caps" pass ${my_arg}
@ -111,9 +111,9 @@ for TEST in ${TESTS} ; do
# iterate through each of the capabilities
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
expected_result=pass
elif [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ]; then
elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
expected_result=pass
else
expected_result=fail
@ -126,7 +126,7 @@ for TEST in ${TESTS} ; do
# a subprofile.
settest ${testwrapper}
genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} ${my_entries}
if [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ] ; then
if [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ] ; then
# ptrace between profiles confining tasks of same pid is controlled by the ptrace rule
# capability + ptrace rule needed between pids
runchecktest "${TEST} changehat -- no caps" pass $bin/${TEST} ${my_arg}
@ -139,9 +139,9 @@ for TEST in ${TESTS} ; do
runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
expected_result=pass
elif [ "${TEST}" == "syscall_ptrace" -a "$(kernel_features ptrace)" == "true" ]; then
elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
expected_result=pass
else
expected_result=fail

2
tests/regression/apparmor/changeprofile.sh
View file

@ -47,7 +47,7 @@ runchecktest "NO CHANGEPROFILE (access parent file)" pass nochange $file
runchecktest "NO CHANGEPROFILE (access sub file)" fail nochange $subfile
errno=EACCES
if [ "$(kernel_features domain/stack)" == "true" ]; then
if [ "$(kernel_features domain/stack)" = "true" ]; then
# The returned errno changed in the set of kernel patches that
# introduced AppArmor profile stacking
errno=ENOENT

2
tests/regression/apparmor/coredump.sh
View file

@ -18,7 +18,7 @@ cleancorefile()
checkcorefile()
{
# global _testdesc _pfmode _known outfile
if [ ${1:0:1} == "x" ] ; then
if [ ${1:0:1} = "x" ] ; then
requirement=${1#x}
_known=" (known problem)"
else

4
tests/regression/apparmor/deleted.sh
View file

@ -65,7 +65,9 @@ okperm=rwl
badperm=wl
af_unix=""
if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
if [ "$(kernel_features network_v8)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
af_unix="unix:create"
elif [ "$(kernel_features network/af_unix)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
af_unix="unix:create"
fi

2
tests/regression/apparmor/exec_qual.sh
View file

@ -57,7 +57,7 @@ local_runchecktest()
checktestbg
if [ "$teststatus" == "pass" -a -n "$actual_confinement" -a "$actual_confinement" != "$expected_confinement" ]
if [ "$teststatus" = "pass" -a -n "$actual_confinement" -a "$actual_confinement" != "$expected_confinement" ]
then
echo "Error: ${testname} failed. Test '${_testdesc}' actual confinement '$actual_confinement' differed from expected confinement '$expected_confinement'"
testfailed

2
tests/regression/apparmor/exec_stack.sh
View file

@ -51,7 +51,7 @@ touch $file $otherfile $sharedfile $thirdfile
# meaning the below conditional check has the wrong results for those
# kernels. Since this test is not about testing mmap just always add
# the mmap perm
#if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" == "true" ]; then
#if [ "$(kernel_features domain/fix_binfmt_elf_mmap)" = "true" ]; then
# elfmmap="m"
#else
# elfmmap=""

2
tests/regression/apparmor/named_pipe.sh
View file

@ -38,7 +38,7 @@ badchild=r
# Add genprofile params that are common to all hats here
common=""
if [ "$(kernel_features signal)" == "true" -a "$(parser_supports 'signal,')" == "true" ] ; then
if [ "$(kernel_features signal)" = "true" -a "$(parser_supports 'signal,')" = "true" ] ; then
# Allow send/receive of all signals
common="${common} signal:ALL"
fi

2
tests/regression/apparmor/onexec.sh
View file

@ -44,7 +44,7 @@ do_test()
shift 4
desc="ONEXEC $desc ($prof -> $target_prof)"
if [ "$target_prof" == "nochange" ] ; then
if [ "$target_prof" = "nochange" ] ; then
runchecktest "$desc" $res -l "$prof" -- "$@"
else
runchecktest "$desc" $res -O "$target_prof" -l "$prof" -L "$target_prof" -- "$@"

2
tests/regression/apparmor/pivot_root.sh
View file

@ -50,7 +50,7 @@ do_onexit="pivot_root_cleanup"
# MS_PRIVATE temporarily.
FINDMNT=/bin/findmnt
if [ -x "${FINDMNT}" ] && ${FINDMNT} -no PROPAGATION / > /dev/null 2>&1 ; then
if [ "$(${FINDMNT} -no PROPAGATION /)" == "shared" ] ; then
if [ "$(${FINDMNT} -no PROPAGATION /)" = "shared" ] ; then
root_was_shared="yes"
fi
elif [ "$(ps hp1 -ocomm)" = "systemd" ] ; then

13
tests/regression/apparmor/prologue.inc
View file

@ -86,6 +86,19 @@ requires_kernel_features()
fi
}
requires_any_of_kernel_features()
{
while [ $# -gt 0 ]; do
local res=$(kernel_features "$1")
if [ "$res" = "true" ] ; then
return 0;
fi
shift
done
echo "$res. Skipping tests ..."
exit 0
}
# requires_namespace_interface() - exit if namespace interface is not available
requires_namespace_interface()
{

2
tests/regression/apparmor/ptrace.sh
View file

@ -55,7 +55,7 @@ runchecktest "test 2 -h prog" pass -h -n 100 $helper ${bin_true}
runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper ${bin_true}
if [ "$(kernel_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then
if [ "$(kernel_features ptrace)" = "true" -a "$(parser_supports 'ptrace,')" = "true" ] ; then
. $bin/ptrace_v6.inc
else
. $bin/ptrace_v5.inc

4
tests/regression/apparmor/query_label.sh
View file

@ -93,7 +93,7 @@ querytest()
runchecktest "$desc" "$pf" "$expect" "$label" "$perms" $*
}
if [ "$(kernel_features dbus)" == "true" ]; then
if [ "$(kernel_features dbus)" = "true" ]; then
# Check querying of a label that the kernel doesn't know about
# aa_query_label() should return an error
expect anything
@ -217,7 +217,7 @@ fi
genqueryprofile "file,"
expect allow
perms file exec,write,read,append,create,delete,setattr,getattr,chmod,chown,link,linksubset,lock,exec_mmap
if [ "$(kernel_features query/label/multi_transaction)" == "true" ] ; then
if [ "$(kernel_features query/label/multi_transaction)" = "true" ] ; then
querytest "QUERY file (all base perms #1)" pass /anything
querytest "QUERY file (all base perms #2)" pass /everything
else

2
tests/regression/apparmor/socketpair.sh
View file

@ -37,7 +37,7 @@ af_unix_create_label=""
af_unix_inherit=""
aa_enabled="/sys/module/apparmor/parameters/enabled:r"
if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
if [ "$(kernel_features network/af_unix)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
# AppArmor requires that the process inheriting the sock file
# descriptors have send,receive perms in its profile
af_unix_create="unix:(create,getopt)"

2
tests/regression/apparmor/swap.sh
View file

@ -29,7 +29,7 @@ bin=$pwd
# check if we can run the test at all
fstype=$(stat -f --format '%T' "${tmpdir}")
if [ "${fstype}" == "tmpfs" ] ; then
if [ "${fstype}" = "tmpfs" ] ; then
echo "ERROR: tmpdir '${tmpdir}' is of type tmpfs; can't mount a swapfile on it" 1>&2
echo "ERROR: skipping swap tests" 1>&2
num_testfailures=1

6
tests/regression/apparmor/unix_fd_server.sh
View file

@ -27,7 +27,9 @@ okperm=rw
badperm=w
af_unix=""
if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
if [ "$(kernel_features network_v8)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
af_unix="unix:create"
elif [ "$(kernel_features network/af_unix)" = "true" -a "$(parser_supports 'unix,')" = "true" ]; then
af_unix="unix:create"
fi
@ -137,7 +139,7 @@ runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd
sleep 1
rm -f ${socket}
if [ "$(kernel_features policy/network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
if [ "$(kernel_features policy/network/af_unix)" = "true" -a "$(parser_supports 'unix,')" = "true" ] ; then
# FAIL - confined client, no access to the socket file
genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix

17
tests/regression/apparmor/unix_socket_pathname.sh
View file

@ -29,7 +29,7 @@ bin=$pwd
. $bin/prologue.inc
requires_kernel_features policy/versions/v6
#af_mask for downgrade test af_unix for full test
requires_kernel_features network/af_mask
requires_any_of_kernel_features network/af_mask network_v8/af_mask
settest unix_socket
@ -43,9 +43,9 @@ message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
okserver=w
badserver1=r
badserver2=
if [ "$(kernel_features policy/versions/v7)" == "true" ] ; then
if [ "$(kernel_features policy/versions/v7)" = "true" ] ; then
okserver=rw
badserver2=w
# badserver2=w
fi
# af_unix support requires 'unix create' to call socket()
@ -54,9 +54,16 @@ fi
# af_unix support requires 'unix getattr' to call getsockname()
af_unix_okserver=
af_unix_okclient=
if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
if ( [ "$(kernel_features network_v8/af_unix)" = "true" ] ||
[ "$(kernel_features network/af_unix)" = "true" ] ) &&
[ "$(parser_supports 'unix,')" = "true" ] ; then
af_unix_okserver="create,setopt"
af_unix_okclient="create,getopt,setopt,getattr"
elif [ "$(kernel_features network_v8)" = "true" ] ; then
# af_unix_okserver="create,setopt"
# af_unix_okclient="create,getopt,setopt,getattr"
af_unix_okserver="create"
af_unix_okclient="create"
fi
okclient=rw
@ -88,7 +95,7 @@ testsocktype()
# https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373176
# get resolved
local ex_result="pass"
if [ "${socktype}" == "dgram" ] ; then
if [ "${socktype}" = "dgram" ] ; then
ex_result="xpass"
fi