tests: add allow all rule test to the regression tests

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>

tests/regression/apparmor/aa_exec.sh

@@ -79,3 +79,16 @@ runchecktest "complain (--namespace=${ns})" pass "$aa_exec -n $ns -p $test" "$te
 
 genprofile_aa_exec "$test" 0
 runchecktest "negative test: bad ns (--namespace=${ns}XXX)" fail "$aa_exec -n ${ns}XXX -p $test" "$test (enforce)"
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile --stdin <<EOF
+$test {
+  all,
+}
+
+:${ns}:${test} {
+  all,
+}
+EOF
+    runchecktest "allow all" pass "$aa_exec -p $test" "$test (enforce)"
+fi

tests/regression/apparmor/access.sh

@@ -29,6 +29,13 @@ touch $file
 chmod 777 $file	# full perms so discretionary access checks succeed
 
 # PASS TEST
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    genprofile "all"
+    runchecktest "ACCESS allow all r (rwx)" pass $file r
+    runchecktest "ACCESS allow all rx (rwx)" pass $file rx
+    runchecktest "ACCESS allow all rwx (rwx)" pass $file rwx
+fi
+
 genprofile $file:$rwxperm
 runchecktest "ACCESS file r (rwx)" pass $file r
 runchecktest "ACCESS file rx (rwx)" pass $file rx

tests/regression/apparmor/attach_disconnected.sh

@@ -105,6 +105,15 @@ do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $n
 
 # TODO: adding attach_disconnected.path to a replaced unconfined
 
+# ALLOW ALL does not include attach_disconnected
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" flag:attach_disconnected -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all" pass $file $att_dis_client $socket $loop_device $new_root $put_old
+
+	genprofile "all" -- image=$att_dis_client "all"
+	do_test "attach_disconnected allow all no flag" fail $file $att_dis_client $socket $loop_device $new_root $put_old
+fi
+
 genprofile $file_perm unix:create $socket_perm $att_dis_client:px -- image=$att_dis_client $file_perm unix:create $socket_perm $create_dir $cap "pivot_root:ALL" "mount:ALL" flag:attach_disconnected
 
 do_test "attach_disconnected" pass $file $att_dis_client $socket $loop_device $new_root $put_old

tests/regression/apparmor/dbus_eavesdrop.sh

@@ -45,6 +45,11 @@ run_tests()
 
 	# Make sure we're okay when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		gendbusprofile "all,"
+		runchecktest "eavesdrop (allow all)" pass $args
+	fi
+
 	gendbusprofile "dbus,"
 	runchecktest "eavesdrop (dbus allowed)" pass $args
 

tests/regression/apparmor/dbus_message.sh

@@ -60,6 +60,12 @@ run_tests()
 
 	# Make sure send is allowed when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		message_gendbusprofile "all,"
+		runtestfg "message (allow all)" pass $confined_args
+		checktestfg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	message_gendbusprofile "dbus,"
 	runtestfg "message (dbus allowed)" pass $confined_args
 	checktestfg "compare_logs $unconfined_log eq $confined_log"

tests/regression/apparmor/dbus_service.sh

@@ -92,6 +92,14 @@ run_tests()
 
 	# Make sure we're okay when confined with appropriate permissions
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		service_gendbusprofile "all,"
+		service_runtestbg "service (allow all)" pass $unconfined_log
+		sendmethod
+		sendsignal
+		service_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	service_gendbusprofile "dbus,"
 	service_runtestbg "service (dbus allowed)" pass $unconfined_log
 	sendmethod

tests/regression/apparmor/dbus_unrequested_reply.sh

@@ -80,6 +80,14 @@ run_tests()
 	sendmethodreturn
 	ur_checktestbg
 
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		# All perms are granted so the logs should be equal
+		ur_gendbusprofile "all,"
+		ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log
+		sendmethodreturn
+		ur_checktestbg "compare_logs $unconfined_log eq $confined_log"
+	fi
+
 	# All dbus perms are granted so the logs should be equal
 	ur_gendbusprofile "dbus,"
 	ur_runtestbg "unrequested_reply (method_return, dbus allowed)" pass $confined_log

tests/regression/apparmor/io_uring.sh

@@ -55,6 +55,11 @@ do_tests "no perms" fail fail
 genprofile $required_perms "qual=deny:io_uring"
 do_tests "deny perms" fail fail
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	do_tests "allow all" pass pass
+fi
+
 genprofile $required_perms "io_uring"
 do_tests "generic perms" pass pass
 

tests/regression/apparmor/net_inet.sh

@@ -97,8 +97,8 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv4 tcp no conds" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
 
 setsockopt_rules="network;(setopt,getopt);ip=0.0.0.0;port=0" # INADDR_ANY
-rcv_rules="network;ip=$bind_ipv4;peer=(ip=anon)"
-snd_rules="network;ip=$remote_ipv4;peer=(ip=anon)"
+rcv_rules="network;ip=$bind_ipv4;peer=(ip=none)"
+snd_rules="network;ip=$remote_ipv4;peer=(ip=none)"
 
 generate_profile="genprofile network;ip=$bind_ipv4;port=$bind_port;peer=(ip=$remote_ipv4,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv4;port=$remote_port;peer=(ip=$bind_ipv4,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv4 udp generic perms" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
@@ -126,11 +126,26 @@ generate_profile="genprofile network $sender:px -- image=$sender network"
 do_tests "ipv6 tcp no conds" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
 
 setsockopt_rules="network;(setopt,getopt);ip=::0;port=0" # IN6ADDR_ANY_INIT
-rcv_rules="network;ip=$bind_ipv6;peer=(ip=anon)"
-snd_rules="network;ip=$remote_ipv6;peer=(ip=anon)"
+rcv_rules="network;ip=$bind_ipv6;peer=(ip=none)"
+snd_rules="network;ip=$remote_ipv6;peer=(ip=none)"
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 udp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
 
 generate_profile="genprofile network;ip=$bind_ipv6;port=$bind_port;peer=(ip=$remote_ipv6,port=$remote_port) $setsockopt_rules $rcv_rules $sender:px -- image=$sender network;ip=$remote_ipv6;port=$remote_port;peer=(ip=$bind_ipv6,port=$bind_port) $setsockopt_rules $snd_rules"
 do_tests "ipv6 tcp generic perms" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
+
+
+if [ "$(parser_supports 'all,')" = "true" ]; then
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv4 udp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port udp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv4 tcp allow all" pass pass $bind_ipv4 $bind_port $remote_ipv4 $remote_port tcp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv6 udp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port udp "$generate_profile"
+
+    generate_profile="genprofile all -- image=$sender all"
+    do_tests "ipv6 tcp allow all" pass pass $bind_ipv6 $bind_port $remote_ipv6 $remote_port tcp "$generate_profile"
+fi

tests/regression/apparmor/net_raw.sh

@@ -29,3 +29,7 @@ runchecktest "RAW SOCKET (no cap)" fail
 genprofile cap:net_raw network:
 runchecktest "RAW SOCKET (cap net_raw)" pass
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	runchecktest "RAW SOCKET (allow all)" pass
+fi

tests/regression/apparmor/posix_mq.sh

@@ -95,6 +95,10 @@ for username in "root" "$userid" ; do
     genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" "$pipe:rw" -- image=$sender "deny mqueue" "$pipe:rw"
     do_tests "confined $username - deny perms" fail fail fail fail $usercmd
 
+    if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all" -- image=$sender "all"
+	do_tests "confined $username - allow all" pass pass pass pass $usercmd
+    fi
 
     # generic mqueue
     # 2 Potential failures caused by missing other x permission in path

tests/regression/apparmor/ptrace_v6.inc

@@ -235,6 +235,15 @@ runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
 runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true}
 runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	genprofile "all"
+	runchecktest "test allow all" pass -n 100 ${bin_true}
+	runchecktest "test allow all -c" pass -c -n 100 ${bin_true}
+	runchecktest "test allow all -h" pass -h -n 100 $helper
+	runchecktest "test allow all -hc" pass -h -c -n 100 $helper
+	runchecktest "test allow all -h prog" pass -h -n 100 $helper ${bin_true}
+	runchecktest "test allow all -hc prog" pass -h -c -n 100 $helper ${bin_true}
+fi
 
 #ptraced confined app traced by profile can px
 genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix

tests/regression/apparmor/tcp.sh

@@ -35,6 +35,12 @@ runchecktest "TCP (no apparmor)" pass $port
 genprofile 
 runchecktest "TCP (accept, connect) no network rules" fail $port
 
+if [ "$(parser_supports 'all,')" = "true" ]; then
+	# PASS TEST - allow all
+	genprofile "all"
+	runchecktest "TCP (allow all)" pass $port
+fi
+
 # PASS TEST - allow tcp
 genprofile network:tcp
 runchecktest "TCP (accept, connect) allow tcp" pass $port

tests/regression/apparmor/userns.sh

@@ -101,6 +101,11 @@ fi
 # confined tests should have the same results if apparmor_restrict_unprivileged_userns is enabled or not
 run_confined_tests()
 {
+	if [ "$(parser_supports 'all,')" = "true" ]; then
+		generate_profile="genprofile all"
+		do_test "confined allow all $1" pass pass pass pass "$generate_profile"
+	fi
+
 	generate_profile="genprofile userns"
 	do_test "confined all perms $1" pass pass fail fail "$generate_profile"