tests: add allow all rule test to the regression tests

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia 2024-07-17 17:48:40 -03:00
parent d3f5308265
commit bf36ace421
14 changed files with 109 additions and 5 deletions


@ -79,3 +79,16 @@ runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$te
genprofile_aa_exec "$test" 0 genprofile_aa_exec "$test" 0
runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)" runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
if [ "$(parser_supports 'all,')" = "true" ]; then
genprofile --stdin <<EOF
$test {
all,
}
:${ns}:${test} {
all,
}
EOF
runchecktest "allow all" pass "$aa_exec -p $test" "$test (enforce)"
fi
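Review bot: The stdin profile also defines `:${ns}:${test}` with `all,`, but the only new check is `$aa_exec -p $test` without `-n`, so the namespaced form of the allow-all rule is loaded and never exercised. Following the namespaced test visible in the hunk header (`$aa_exec -n $ns -p $test`), add `runchecktest "allow all (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$test (enforce)"` after the existing check, or drop the unused namespaced profile from the heredoc. Either way the `fi` stays the last line of the block.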


@ -28,7 +28,14 @@ wxperm=wix
touch $file touch $file
chmod 777 $file # full perms so discretionary access checks succeed chmod 777 $file # full perms so discretionary access checks succeed
# PASS TEST # PASS TEST
if [ "$(parser_supports 'all,')" = "true" ]; then
genprofile "all"
runchecktest "ACCESS allow all r (rwx)" pass $file r
runchecktest "ACCESS allow all rx (rwx)" pass $file rx
runchecktest "ACCESS allow all rwx (rwx)" pass $file rwx
fi
genprofile $file:$rwxperm genprofile $file:$rwxperm
runchecktest "ACCESS file r (rwx)" pass $file r runchecktest "ACCESS file r (rwx)" pass $file r
runchecktest "ACCESS file rx (rwx)" pass $file rx runchecktest "ACCESS file rx (rwx)" pass $file rx
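Review bot: The three new test labels carry a `(rwx)` suffix, e.g. `"ACCESS allow all r (rwx)"`, which in the neighbouring tests names the permission set the profile grants (`$file:$rwxperm`); here the profile grants `all`, so the suffix misdescribes the case in a failure log. Rename them to `"ACCESS allow all r"`, `"ACCESS allow all rx"` and `"ACCESS allow all rwx"`. Note also that genprofile is given the bare word `all` here while the dbus tests in the same commit pass `all,` to their helper; the hunk does not show the helper, so it is worth confirming both spellings are accepted.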


@ -105,6 +105,15 @@ do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $n
# TODO: adding attach_disconnected.path to a replaced unconfined # TODO: adding attach_disconnected.path to a replaced unconfined
# ALLOW ALL does not include attach_disconnected
if [ "$(parser_supports 'all,')" = "true" ]; then
genprofile "all" flag:attach_disconnected -- image=$att_dis_client "all"
do_test "attach_disconnected allow all" pass $file $att_dis_client $socket $loop_device $new_root $put_old
genprofile "all" -- image=$att_dis_client "all"
do_test "attach_disconnected allow all no flag" fail $file $att_dis_client $socket $loop_device $new_root $put_old
fi
genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old
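Review bot: The comment `# ALLOW ALL does not include attach_disconnected` sits above the feature guard, directly under an unrelated TODO, and reads as if attach_disconnected were a permission that `all,` forgot; what the two new cases actually show is that `all,` grants permissions but does not set profile flags, which is why the `no flag` variant is expected to fail. Move the comment inside the `if` and reword it to `# "all," grants every permission but sets no profile flags, so attach_disconnected must still be passed via flag:`. The surrounding test sequence continues past the hunk.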


@ -45,6 +45,11 @@ run_tests()
# Make sure we're okay when confined with appropriate permissions # Make sure we're okay when confined with appropriate permissions
if [ "$(parser_supports 'all,')" = "true" ]; then
gendbusprofile "all,"
runchecktest "eavesdrop (allow all)" pass $args
fi
gendbusprofile "dbus," gendbusprofile "dbus,"
runchecktest "eavesdrop (dbus allowed)" pass $args runchecktest "eavesdrop (dbus allowed)" pass $args


@ -60,6 +60,12 @@ run_tests()
# Make sure send is allowed when confined with appropriate permissions # Make sure send is allowed when confined with appropriate permissions
if [ "$(parser_supports 'all,')" = "true" ]; then
message_gendbusprofile "all,"
runtestfg "message (allow all)" pass $confined_args
checktestfg "compare_logs $unconfined_log eq $confined_log"
fi
message_gendbusprofile "dbus," message_gendbusprofile "dbus,"
runtestfg "message (dbus allowed)" pass $confined_args runtestfg "message (dbus allowed)" pass $confined_args
checktestfg "compare_logs $unconfined_log eq $confined_log" checktestfg "compare_logs $unconfined_log eq $confined_log"


@ -92,6 +92,14 @@ run_tests()
# Make sure we're okay when confined with appropriate permissions # Make sure we're okay when confined with appropriate permissions
if [ "$(parser_supports 'all,')" = "true" ]; then
service_gendbusprofile "all,"
service_runtestbg "service (allow all)" pass $unconfined_log
sendmethod
sendsignal
service_checktestbg "compare_logs $unconfined_log eq $confined_log"
fi
service_gendbusprofile "dbus," service_gendbusprofile "dbus,"
service_runtestbg "service (dbus allowed)" pass $unconfined_log service_runtestbg "service (dbus allowed)" pass $unconfined_log
sendmethod sendmethod


@ -80,6 +80,14 @@ run_tests()
sendmethodreturn sendmethodreturn
ur_checktestbg ur_checktestbg
if [ "$(parser_supports 'all,')" = "true" ]; then
# All perms are granted so the logs should be equal
ur_gendbusprofile "all,"
ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
sendmethodreturn
ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
fi
# All dbus perms are granted so the logs should be equal # All dbus perms are granted so the logs should be equal
ur_gendbusprofile "dbus," ur_gendbusprofile "dbus,"
ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
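Review bot: The new test at `ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log` reuses the description of the existing `dbus,` test three lines below, so a failure in either prints the same name and the two cannot be told apart in the log. Change it to `ur_runtestbg "unrequested_reply (method_return, allow all)" pass $confined_log`. The copied comment `# All perms are granted so the logs should be equal` is accurate for the `all,` case and can stay.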


@ -55,6 +55,11 @@ do_tests "no perms" fail fail
genprofile $required_perms "qual=deny:io_uring" genprofile $required_perms "qual=deny:io_uring"
do_tests "deny perms" fail fail do_tests "deny perms" fail fail
if [ "$(parser_supports 'all,')" = "true" ]; then
genprofile "all"
do_tests "allow all" pass pass
fi
genprofile $required_perms "io_uring" genprofile $required_perms "io_uring"
do_tests "generic perms" pass pass do_tests "generic perms" pass pass


@ -97,8 +97,8 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
do_tests "ipv4 tcp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile" do_tests "ipv4 tcp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0" # INADDR_ANY setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0" # INADDR_ANY
rcv_rules="network;ip=$bind_ipv4;peer=(ip=anon)" rcv_rules="network;ip=$bind_ipv4;peer=(ip=none)"
snd_rules="network;ip=$remote_ipv4;peer=(ip=anon)" snd_rules="network;ip=$remote_ipv4;peer=(ip=none)"
generate_profile="genprofile network;ip=$bind_ipv4;port=$bind_port;peer=(ip=$remote_ipv4,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv4;port=$remote_port;peer=(ip=$bind_ipv4,port=$bind_port) $setsockopt_rules $snd_rules" generate_profile="genprofile network;ip=$bind_ipv4;port=$bind_port;peer=(ip=$remote_ipv4,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv4;port=$remote_port;peer=(ip=$bind_ipv4,port=$bind_port) $setsockopt_rules $snd_rules"
do_tests "ipv4 udp generic perms" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile" do_tests "ipv4 udp generic perms" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
@ -126,11 +126,26 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
do_tests "ipv6 tcp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile" do_tests "ipv6 tcp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
setsockopt_rules="network;(setopt,getopt);ip=::0;port=0" # IN6ADDR_ANY_INIT setsockopt_rules="network;(setopt,getopt);ip=::0;port=0" # IN6ADDR_ANY_INIT
rcv_rules="network;ip=$bind_ipv6;peer=(ip=anon)" rcv_rules="network;ip=$bind_ipv6;peer=(ip=none)"
snd_rules="network;ip=$remote_ipv6;peer=(ip=anon)" snd_rules="network;ip=$remote_ipv6;peer=(ip=none)"
generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules" generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
do_tests "ipv6 udp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile" do_tests "ipv6 udp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules" generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
do_tests "ipv6 tcp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile" do_tests "ipv6 tcp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
if [ "$(parser_supports 'all,')" = "true" ]; then
generate_profile="genprofile all -- image=$sender all"
do_tests "ipv4 udp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
generate_profile="genprofile all -- image=$sender all"
do_tests "ipv4 tcp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
generate_profile="genprofile all -- image=$sender all"
do_tests "ipv6 udp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
generate_profile="genprofile all -- image=$sender all"
do_tests "ipv6 tcp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
fi
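Review bot: `generate_profile="genprofile all -- image=$sender all"` is assigned four times with the identical value, once before each `do_tests` call; assign it once at the top of the `if` block and reuse it for the ipv4/ipv6 udp/tcp cases, which is how `generate_profile` is already shared by the `no conds` tests earlier in this file. Separately, the two hunks also change `peer=(ip=anon)` to `peer=(ip=none)` in the rcv/snd rules, which the commit message about adding an allow-all test does not mention; a sentence there on why the peer condition changed would help whoever bisects to this commit. Nothing in the hunk shows whether `anon` is still accepted by the parser, so I am not proposing a change to the rules themselves.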


@ -29,3 +29,7 @@ runchecktest "RAW SOCKET (no cap)" fail
genprofile cap:net_raw network: genprofile cap:net_raw network:
runchecktest "RAW SOCKET (cap net_raw)" pass runchecktest "RAW SOCKET (cap net_raw)" pass
if [ "$(parser_supports 'all,')" = "true" ]; then
genprofile "all"
runchecktest "RAW SOCKET (allow all)" pass
fi


@ -95,6 +95,10 @@ for username in "root" "$userid" ; do
genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw" genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw"
do_tests "confined $username - deny perms" fail fail fail fail $usercmd do_tests "confined $username - deny perms" fail fail fail fail $usercmd
if [ "$(parser_supports 'all,')" = "true" ]; then
genprofile "all" -- image=$sender "all"
do_tests "confined $username - allow all" pass pass pass pass $usercmd
fi
# generic mqueue # generic mqueue
# 2 Potential failures caused by missing other x permission in path # 2 Potential failures caused by missing other x permission in path


@ -235,6 +235,15 @@ runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true} runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true}
runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true} runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
if [ "$(parser_supports 'all,')" = "true" ]; then
genprofile "all"
runchecktest "test allow all" pass -n 100 ${bin_true}
runchecktest "test allow all -c" pass -c -n 100 ${bin_true}
runchecktest "test allow all -h" pass -h -n 100 $helper
runchecktest "test allow all -hc" pass -h -c -n 100 $helper
runchecktest "test allow all -h prog" pass -h -n 100 $helper ${bin_true}
runchecktest "test allow all -hc prog" pass -h -c -n 100 $helper ${bin_true}
fi
#ptraced confined app traced by profile can px #ptraced confined app traced by profile can px
genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix


@ -35,6 +35,12 @@ runchecktest "TCP (no apparmor)" pass $port
genprofile genprofile
runchecktest "TCP (accept, connect) no network rules" fail $port runchecktest "TCP (accept, connect) no network rules" fail $port
if [ "$(parser_supports 'all,')" = "true" ]; then
# PASS TEST - allow all
genprofile "all"
runchecktest "TCP (allow all)" pass $port
fi
# PASS TEST - allow tcp # PASS TEST - allow tcp
genprofile network:tcp genprofile network:tcp
runchecktest "TCP (accept, connect) allow tcp" pass $port runchecktest "TCP (accept, connect) allow tcp" pass $port


@ -101,6 +101,11 @@ fi
# confined tests should have the same results if apparmor_restrict_unprivileged_userns is enabled or not # confined tests should have the same results if apparmor_restrict_unprivileged_userns is enabled or not
run_confined_tests() run_confined_tests()
{ {
if [ "$(parser_supports 'all,')" = "true" ]; then
generate_profile="genprofile all"
do_test "confined allow all $1" pass pass pass pass "$generate_profile"
fi
generate_profile="genprofile userns" generate_profile="genprofile userns"
do_test "confined all perms $1" pass pass fail fail "$generate_profile" do_test "confined all perms $1" pass pass fail fail "$generate_profile"
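Review bot: The new case `do_test "confined allow all $1" pass pass pass pass "$generate_profile"` sits directly above the existing `"confined all perms $1"`, and the two names differ only by `allow all` versus `all perms`, which is easy to misread when one fails; the first uses the `all,` rule, the second the full `userns` permission set, and they expect different results. Rename the new one to `"confined allow all rule $1"` so the distinction is explicit in the log. `run_confined_tests()` continues past the end of the hunk.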