regression tests: add unconfined exception tests to nnp.sh

The unconfined exception needs to be applied even when a stack is being used. When a stack is in use it prevents the unconfined test from being used and instead it must be done as part of the subset test. Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 08:24:42 +01:00 · 2019-09-25 15:45:40 -04:00 · 2019-09-25 15:45:40 -04:00 · cb5aeec433
commit cb5aeec433
parent 98fde52998
2 changed files with 74 additions and 3 deletions
--- a/tests/regression/apparmor/nnp.sh
+++ b/tests/regression/apparmor/nnp.sh
@ -28,6 +28,7 @@ fileok="${file}:${okperm}"
 getcon="/proc/*/attr/current:r"
 setcon="/proc/*/attr/current:w"
 setexec="/proc/*/attr/exec:w"
+policy="/sys/kernel/security/apparmor/"

 touch $file

@ -67,7 +68,7 @@ runchecktest "NNP (change profile - no NNP)" pass -P "$bin/open"
 runchecktest_errno EPERM "NNP (change profile - NNP)" fail -n -P "$bin/open"

 if [ "$(kernel_features_istrue domain/stack)" != "true" ] ; then
-    echo "	kernel does not support profile stacking - skipping stacking tests ..."
+    echo "	kernel does not support profile stacking - skipping stacking nnp tests ..."
 else

    # Verify that NNP allows stack onexec of another profile
@ -79,4 +80,65 @@ else
    genprofile "$fileok" "$setcon" "change_profile->:&$bin/open" -- image="$bin/open" "$fileok"
    runchecktest "NNP (stack profile - no NNP)" pass -p "$bin/open" -f "$file"
    runchecktest "NNP (stack profile - NNP)" pass -n -p "$bin/open" -f "$file"
+
+    #Verify that NNP allow stacking unconfined along current profile
+    #this allows verifying that a stack with unconfined still gets the
+    #unconfined exception applied. It also tests that dropping unconfined
+    #from the stack is allowed. ie.
+    # transition//&unconfined -> transition//&open
+    # and
+    # transition//&unconfined -> transition//&open//&unconfined
+    genprofile "$fileok" "$setcon" "change_profile->:&$bin/open" "change_profile->:&unconfined" -- image="$bin/open" "$fileok"
+    runchecktest "NNP (stack profile&unconfined - no NNP)" pass -i "&unconfined" -p "$bin/open" -f "$file"
+    runchecktest "NNP (stack profile&unconfined - NNP)" pass -n -i "&unconfined" -p "$bin/open" -f "$file"
+
+    genprofile "$fileok" "$setcon" "change_profile->:$bin/transition" "change_profile->:$bin/open" "change_profile->:&unconfined" -- image="$bin/open" "$fileok"
+    runchecktest "NNP (change profile&unconfined - no NNP)" pass -i "&unconfined" -P "$bin/transition//&$bin/open" -f "$file"
+    runchecktest "NNP (change profile&unconfined - NNP)" pass -n -i "&unconfined" -P "$bin/transition//&$bin/open" -f "$file"
+
+
+    #Verify that NNP allows stacking a new policy namespace
+    #must use stdin with genprofile for namespaces
+    genprofile --stdin <<EOF
+$test {
+    @{gen_bin $test}
+    @{gen_def}
+    ${file} ${okperm},
+    /proc/*/attr/current w,
+    change_profile-> &:nnp:unconfined,
+}
+:nnp:$bin/open {
+    @{gen_bin $bin/open}
+    @{gen_def}
+    ${file} ${okperm},
+}
+EOF
+    #genprofile is creating child namespace so mkdir not needed
+    runchecktest "NNP (stack :nnp:unconfined - no NNP)" pass -p ":nnp:unconfined" -f "$file"
+    runchecktest "NNP (stack :nnp:unconfined - NNP)" pass -n -p ":nnp:unconfined" -f "$file"
+
+    runchecktest "NNP (stack :nnp:open - no NNP)" fail -p ":nnp:$bin/open" -f "$file"
+    runchecktest "NNP (stack :nnp:open - NNP)" fail -n -p ":nnp:$bin/open" -f "$file"
+
+    genprofile --stdin <<EOF
+$test {
+    @{gen_bin $test}
+    @{gen_def}
+    ${file} ${okperm},
+    /proc/*/attr/current w,
+    change_profile-> &:nnp:$bin/open,
+}
+:nnp:$bin/open {
+    @{gen_bin $bin/open}
+    @{gen_def}
+    ${file} ${okperm},
+}
+EOF
+     runchecktest "NNP (stack :nnp:open - no NNP)" pass -p ":nnp:$bin/open" -f "$file"
+    runchecktest "NNP (stack :nnp:open - NNP)" pass -n -p ":nnp:$bin/open" -f "$file"
+    # explicitly remove profile before cleaning up the namespace so
+    # prologue.inc auto cleanup doesn't fail
+    removeprofile
+    echo -n  ":nnp:" > "$policy/.remove" || echo "   warning failed to remove namespace policy/namespaces/nnp"
+
 fi
--- a/tests/regression/apparmor/transition.c
+++ b/tests/regression/apparmor/transition.c
@ -309,6 +309,7 @@ static void usage(const char *prog)
 		"  -P <LABEL>\tCall aa_change_profile(LABEL)\n"
 		"  -o <LABEL>\tCall aa_stack_onexec(LABEL)\n"
 		"  -p <LABEL>\tCall aa_stack_profile(LABEL)\n"
+		"  -i <LABEL>\tCall aa_change_profile(LABEL) before nnp\n"
 		"  -n\t\tSet NO_NEW_PRIVS\n"
 		"  -L <LABEL>\tVerify that /proc/self/attr/exec contains LABEL\n"
 		"  -M <MODE>\tVerify that /proc/self/attr/exec contains MODE. Set to \"%s\" if a NULL mode is expected.\n"
@ -351,10 +352,10 @@ static void set_transition(const char *prog, struct options *opts,
 static void parse_opts(int argc, char **argv, struct options *opts)
 {
 	const char *prog = argv[0];
-	int o;
+	int o, rc;

 	memset(opts, 0, sizeof(*opts));
-	while ((o = getopt(argc, argv, "f:L:M:l:m:nO:P:o:p:")) != -1) {
+	while ((o = getopt(argc, argv, "f:L:M:l:m:nO:P:o:p:i:")) != -1) {
 		switch (o) {
 		case 'f': /* file */
 			opts->file = optarg;
@ -386,6 +387,14 @@ static void parse_opts(int argc, char **argv, struct options *opts)
 		case 'p': /* aa_stack_profile */
 			set_transition(prog, opts, STACK_PROFILE, optarg);
 			break;
+		case 'i': /* aa_change_profile - immediate before nnp */
+			rc = aa_change_profile(optarg);
+			if (rc < 0) {
+				int err = errno;
+				perror("FAIL: immediate change_profile");
+				exit(err);
+			}
+			break;
 		default: /* '?' */
 			usage(prog);
 		}