Merge Set up overlayfs_fuse test that uses a FUSE implementation of overlayfs

This also reorganizes the overlayfs tests slightly in order to maximize code reuse between the old test and the new one.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1503
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>

.gitlab-ci.yml

@@ -135,7 +135,7 @@ test-build-regression:
   script:
     # Additional dependencies required by regression tests
     - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
-    - apt-get install --no-install-recommends -y attr libdbus-1-dev liburing-dev
+    - apt-get install --no-install-recommends -y attr fuse-overlayfs libdbus-1-dev liburing-dev
     - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
     - make -C tests/regression/apparmor -j $(nproc)
 

tests/regression/apparmor/Makefile

@@ -191,6 +191,15 @@ Install attr or equivalent package to build and run this test${nl}\
 ************************************************************************${nl})
 endif
 
+# Only do overlayfs_fuse test if we have the required fuse-overlayfs binary
+ifeq (,$(shell command -v fuse-overlayfs))
+$(warning ${nl}\
+************************************************************************${nl}\
+No fuse-overlayfs skipping overlayfs_fuse tests ...${nl}\
+Install fuse-overlayfs or equivalent package to build and run this test${nl}\
+************************************************************************${nl})
+endif
+
 #only do dbus if proper libs are installl
 ifneq (,$(shell pkg-config --exists dbus-1 && echo TRUE))
 SRC+=dbus_eavesdrop.c dbus_message.c dbus_service.c dbus_unrequested_reply.c
@@ -279,7 +288,7 @@ TESTS=aa_exec \
       named_pipe \
       namespaces \
       net_raw \
-      overlayfs \
+      overlayfs_kernel \
       open \
       openat \
       pipe \
@@ -311,6 +320,11 @@ TESTS=aa_exec \
       longpath \
       nfs
 
+# Only do overlayfs_fuse test if we have the required fuse-overlayfs binary
+ifneq (,$(shell command -v fuse-overlayfs))
+TESTS+=overlayfs_fuse
+endif
+
 # Only do xattrs_profile test if we have the required setfattr binary
 ifneq (,$(shell command -v setfattr))
 TESTS+=xattrs_profile

tests/regression/apparmor/overlayfs_common.inc

@@ -11,6 +11,12 @@
 # Verifies that file rules work in an overlayfs
 #=END
 
+if [ "$1" != "kernel" ] && [ "$1" != "fuse" ]; then
+    echo "FAIL: no parameter/invalid parameter specified"
+    echo "(expected 'kernel' or 'fuse')"
+    exit 1
+fi
+
 pwd=$(dirname "$0")
 pwd=$(cd "$pwd" || exit ; /bin/pwd)
 
@@ -49,17 +55,26 @@ mount "${loop_device_other}" "${overlayfs_other}"
 mkdir "${overlayfs_upper}"
 mkdir "${overlayfs_workdir}"
 
-mount -t overlay -o lowerdir="${overlayfs_lower}",upperdir="${overlayfs_upper}",workdir="${overlayfs_workdir}" none "${mount_target}"|| fatalerror 'Unable to set up overlayfs'
+# The behavior when changing the contents of lowerdir or upperdir
-
+# after mounting the overlay is described as "undefined"
+# Hopefully this isn't UB in the C standard/compiler sense
+# Concretely: kernel overlayfs propagates changes, fuse-overlayfs doesn't
 fallocate -l 16K "${overlayfs_lower}/lower_file"
 touch "${overlayfs_lower}/lower_file_2"
 fallocate -l 16K "${overlayfs_upper}/upper_file"
 touch "${overlayfs_upper}/upper_file_2"
-fallocate -l 16K "${mount_target}/overlay_file"
 # echo is also a builtin, making things a bit more complicated
 cp "$(type -P echo)" "${overlayfs_lower}/lower_echo"
 cp "$(type -P echo)" "${overlayfs_upper}/upper_echo"
 
+if [ "$1" == "fuse" ]; then
+    fuse-overlayfs -o lowerdir="${overlayfs_lower}",upperdir="${overlayfs_upper}",workdir="${overlayfs_workdir}" "${mount_target}"|| fatalerror 'Unable to set up overlayfs'
+else
+    mount -t overlay -o lowerdir="${overlayfs_lower}",upperdir="${overlayfs_upper}",workdir="${overlayfs_workdir}" none "${mount_target}"|| fatalerror 'Unable to set up overlayfs'
+fi
+
+fallocate -l 16K "${mount_target}/overlay_file"
+
 settest overlayfs "${bin}/complain"
 
 genprofile "${mount_target}/lower_file:r" "${mount_target}/upper_file:r" "${mount_target}/overlay_file:r"
@@ -107,7 +122,11 @@ runchecktest "Exec in overlayfs mount (lower)" pass exec "${mount_target}/lower_
 runchecktest "Exec in overlayfs mount (upper)" pass exec "${mount_target}/upper_echo" PASS
 runchecktest "Exec in overlayfs mount (overlay)" pass exec "${mount_target}/overlay_echo" PASS
 
-umount "${mount_target}" && rmdir "${mount_target}"
+if [ "$1" == "fuse" ]; then
+    fusermount -u "${mount_target}" && rmdir "${mount_target}"
+else
+    umount "${mount_target}" && rmdir "${mount_target}"
+fi
 umount "${loop_device_lower}" && rm -r "${overlayfs_lower}"
 umount "${loop_device_other}" && rm -r "${overlayfs_other}"
 

tests/regression/apparmor/overlayfs_fuse.sh

@@ -0,0 +1,14 @@
+#! /bin/bash
+#	Copyright (C) 2024 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME overlayfs_fuse
+#=DESCRIPTION
+# Verifies that file rules work in a (fuse) overlayfs
+#=END
+
+source "./overlayfs_common.inc" fuse

tests/regression/apparmor/overlayfs_kernel.sh

@@ -0,0 +1,14 @@
+#! /bin/bash
+#	Copyright (C) 2024 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME overlayfs_kernel
+#=DESCRIPTION
+# Verifies that file rules work in a (kernel) overlayfs
+#=END
+
+source "./overlayfs_common.inc" kernel

tests/regression/apparmor/task.yaml

@@ -47,7 +47,8 @@ environment:
     TEST/onexec: 1
     TEST/open: 1
     TEST/openat: 1
-    TEST/overlayfs: 1
+    TEST/overlayfs_fuse: 1
+    TEST/overlayfs_kernel: 1
     TEST/pipe: 1
     TEST/pivot_root: 1
     TEST/posix_ipc: 1