mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
parser: add equality test to check that change_hat rule is being inserted
This adds a test to ensure that the parser is inserting rules to allow access to the proc interface for change_hat. Unfortunately the rule the parser inserts is a bare owner write that we can't replicate in policy, as policy write perm maps to create, append and write. So to test equality, compare profiles using rules granting access to the proc attr interface, except one uses the append permission and the other uses write. They will differ in permissions unless the parser inserts the proc attr write rule for change_hat, in which case the permissions will get merged and we have equivalence.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/626

Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 3328225bd4
commit d1be977667
1 changed file with 17 additions and 1 deletion
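The check the commit message describes can be reproduced outside the parser test suite. The script below is an added example, not code from the AppArmor tree or from this merge request: it compiles each profile string to a binary with `apparmor_parser -qS` (the parser is assumed to be on PATH or named in `$APPARMOR_PARSER`, and to read policy from stdin when no file is given), hashes the output with `md5sum`, and reports whether the two profiles are byte-for-byte equivalent. The profile strings are constructed for the example; the no-hat control at the end is my addition and is not part of the commit.

```sh
#!/bin/sh
# Added example (not from the AppArmor tree): reproduce the change_hat
# equality trick from the commit message as a stand-alone check.
#
# Assumptions (not stated on the page): the parser is reachable as
# $APPARMOR_PARSER or "apparmor_parser" on PATH, and "apparmor_parser -qS"
# compiles a profile read from stdin to a binary blob on stdout without
# loading it into the kernel. The profile strings below are constructed.

APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"

# Compile one profile string and print the md5 of the resulting binary.
# Fails (prints nothing) when the parser produced no output, e.g. on a
# policy syntax error, so an empty compile can never look "equal".
profile_hash() {
    tmp=$(mktemp) || return 1
    printf '%s' "$1" | "$APPARMOR_PARSER" -qS >"$tmp" 2>/dev/null || :
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    md5sum <"$tmp" | cut -d ' ' -f 1
    rm -f "$tmp"
}

# Print "equal" when both profiles compile to the same binary, "different"
# otherwise, "skipped" when no parser is installed and "error" when a
# profile failed to compile.
compare_profiles() {
    command -v "$APPARMOR_PARSER" >/dev/null 2>&1 || { echo skipped; return 0; }
    a=$(profile_hash "$1") || { echo error; return 0; }
    b=$(profile_hash "$2") || { echo error; return 0; }
    if [ "$a" = "$b" ]; then echo equal; else echo different; fi
}

# The proc attr interface path used by the commit's test. Policy "w" expands
# to create, append and write, so "a" alone is a strict subset of "w".
ATTR='owner /proc/[0-9]*/attr/{apparmor/,}current'

# Positive case, the pair of profiles from the commit: the "a" variant can
# only be equivalent to the "w" variant if the parser merges its own
# owner-write rule for the proc attr interface into both the profile and
# the hat.
change_hat_case() {
    compare_profiles \
        "/t { $ATTR a, ^test { $ATTR a, /f r, } }" \
        "/t { $ATTR w, ^test { $ATTR w, /f r, } }"
}

# Negative control (my addition, not in the commit): the same two rules in a
# profile with no hat, where no change_hat rule should be inserted. The
# expected result is "different"; if this prints "equal" the parser added
# the rule even without a hat, and the positive case is not discriminating.
no_hat_control() {
    compare_profiles \
        "/t { $ATTR a, /f r, }" \
        "/t { $ATTR w, /f r, }"
}

printf 'change_hat case: %s\n' "$(change_hat_case)"
printf 'no-hat control:  %s\n' "$(no_hat_control)"
```

Run it as root or with a parser build that does not need the kernel's feature directory; with `-q` the parser stays silent, so a compile failure shows up only as the "error" result, which is why `profile_hash` refuses to hash empty output.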
@ -545,7 +545,23 @@ verify_binary_equality "set rlimit memlock <= 2GB" \
"/t { set rlimit memlock <= 2GB, }" \
"/t { set rlimit memlock <= $((2 * 1024)) MB, }" \
"/t { set rlimit memlock <= $((2 * 1024 * 1024)) KB, }" \
"/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }" \
"/t { set rlimit memlock <= $((2 * 1024 * 1024 * 1024)) , }"
|
# Unfortunately we can not just compare an empty profile and hat to a
# ie. "/t { ^test { /f r, }}"
# to the second profile with the equivalent rule inserted manually
# because policy write permission "w" actually expands to mutiple permissions
# under the hood, and the parser is not adding those permissions
# to the rules it auto generates
# So we insert the rule with "append" permissions, and rely on the parser
# merging permissions of rules.
# If the parser isn't adding the rules "append" is not equivalent to
# the "write" permission in the second profile and the test will fail.
# If the parser is adding the change_hat proc attr rules then the
# rules should merge and be equivalent.
verify_binary_equality "change_hat rules automatically inserted"\
"/t { owner /proc/[0-9]*/attr/{apparmor/,}current a, ^test { owner /proc/[0-9]*/attr/{apparmor/,}current a, /f r, }}" \
"/t { owner /proc/[0-9]*/attr/{apparmor/,}current w, ^test { owner /proc/[0-9]*/attr/{apparmor/,}current w, /f r, }}"
|
if [ $fails -ne 0 ] || [ $errors -ne 0 ]
then
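Review bot: the explanatory comment above the new verify_binary_equality call is left unfinished and should be completed before merge: "we can not just compare an empty profile and hat to a" breaks off and is followed only by the "ie." example, so the reader never learns what the two things being compared are (presumably the profile with the hat and the same profile with the change_hat proc attr rule written out by hand). While there, fix "mutiple" to "multiple" and "ie." to "i.e.". Minor style point on the call itself: `"change_hat rules automatically inserted"\` has no space before the line-continuation backslash, unlike every other verify_binary_equality call in this file. More substantively, the test only proves the point if "a" and "w" really do compile differently when no change_hat rule is inserted; a negative control alongside it, the same two rules in a profile without the ^test hat checked for inequality, would show that the equivalence comes from the inserted rule and not from "a" and "w" already collapsing to the same permission set.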