Merge Write a regression test for mediating file access in private mounts

This test, as is, emits an execname warning which is due to a bug in the `prologue.inc` infrastructure (see !1450 for a fix to this issue). Signed-off-by: Ryan Lee <ryan.lee@canonical.com> MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1448 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-03-04 00:14:44 +01:00 · 2024-12-19 19:44:51 +00:00 · 2024-12-19 19:44:51 +00:00 · ba60bfff85
commit ba60bfff85
parent c489631770 fa58d3611a
3 changed files with 47 additions and 0 deletions
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@ -267,6 +267,7 @@ TESTS=aa_exec \
      exec_qual \
      fchdir \
      fd_inheritance \
+      file_unbindable_mount \
      fork \
      i18n \
      link \
--- a/tests/regression/apparmor/file_unbindable_mount.sh
+++ b/tests/regression/apparmor/file_unbindable_mount.sh
@ -0,0 +1,45 @@
+#! /bin/bash
+#	Copyright (C) 2024 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME file_unbindable_mount
+#=DESCRIPTION
+# Verifies that file rules work across unbindable mounts
+#=END
+
+pwd=$(dirname "$0")
+pwd=$(cd "$pwd" || exit ; /bin/pwd)
+
+bin=$pwd
+
+. "$bin/prologue.inc"
+
+backing_file="$tmpdir/loop_file"
+mount_target="$tmpdir/mount_target"
+
+mkdir "${mount_target}"
+fallocate -l 512K "${backing_file}"
+mkfs.fat -F 32 "${backing_file}" > /dev/null 2> /dev/null
+
+losetup -f "${backing_file}" || fatalerror 'Unable to set up a loop device'
+loop_device="$(/sbin/losetup -n -O NAME -l -j "${backing_file}")"
+
+mount --make-unbindable "${loop_device}" "${mount_target}"
+fallocate -l 16K "${mount_target}/a_file"
+# echo is also a builtin, making things a bit more complicated
+cp "$(type -P echo)" "${mount_target}/echo"
+
+settest file_unbindable_mount "${bin}/complain"
+
+genprofile "${mount_target}/a_file:r" "${mount_target}/echo:ix"
+runchecktest "Read file in unbindable mount" pass read "${mount_target}/a_file"
+runchecktest "Exec in unbindable mount" pass exec "${mount_target}/echo" PASS
+
+umount "${loop_device}"
+
+losetup -d "${loop_device}"
+rm "${backing_file}"
--- a/tests/regression/apparmor/task.yaml
+++ b/tests/regression/apparmor/task.yaml
@ -27,6 +27,7 @@ environment:
    TEST/exec_stack: 1
    TEST/fchdir: 1
    TEST/fd_inheritance: 1
+    TEST/file_unbindable_mount: 1
    TEST/fork: 1
    TEST/i18n: 1
    TEST/introspect: 1