socketpair regression test: add aa_getpeercon() enabled perm

Because of the need to be stacking LSM aware, aa_getpeercon() calls
aa_enable to ensure that apparmor is enabled. Without the permission,
aa_getpeercon() fails, causing test failures.

Signed-off-by: Steve Beattie <steve.beattie@canonical.com>

tests/regression/apparmor/socketpair.sh

@@ -35,6 +35,7 @@ np2="new_profile_2"
 af_unix_create=""
 af_unix_create_label=""
 af_unix_inherit=""
+aa_enabled="/sys/module/apparmor/parameters/enabled:r"
 
 if [ "$(kernel_features network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ]; then
 	# AppArmor requires that the process inheriting the sock file
@@ -52,7 +53,7 @@ do_test "unconfined bad con" fail "uncon" "(null)"
 do_test "unconfined bad mode" fail "unconfined" "(null)XXX"
 
 # Ensure correct labeling under confinement
-genprofile $af_unix_create
+genprofile $af_unix_create $aa_enabled
 do_test "confined" pass "$test" "enforce"
 
 # Test the test
@@ -60,20 +61,21 @@ do_test "confined bad con" fail "/bad${test}" "enforce"
 do_test "confined bad mode" fail "$test" "inforce"
 
 # Ensure correct mode when using the complain flag
-genprofile flag:complain $af_unix_create
+genprofile flag:complain $af_unix_create $aa_enabled
 do_test "complain" pass "$test" "complain"
 
 # Test the test
-genprofile flag:complain $af_unix_create
+genprofile flag:complain $af_unix_create $aa_enabled
 do_test "complain bad mode" fail "$test" "enforce"
 
 # Ensure correct mode when using the audit flag
-genprofile flag:audit $af_unix_create
+genprofile flag:audit $af_unix_create $aa_enabled
 do_test "complain" pass "$test" "enforce"
 
 # Ensure correct labeling after passing fd pair across exec
 # NOTE: due to label crosscheck, parent needs 'rw' access
-genprofile $af_unix_create ${af_unix_create_label} $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
+genprofile $af_unix_create ${af_unix_create_label} $aa_enabled $exec 'change_profile->':$np1 -- \
+           image=$np1 addimage:$test $af_unix_inherit $aa_enabled
 do_test "confined exec transition" pass "$test" "enforce" "$np1"
 
 # af_unix_create is set to non-null at the top of the test script if
@@ -81,39 +83,40 @@ do_test "confined exec transition" pass "$test" "enforce" "$np1"
 if [ -n "${af_unix_create}" ] ; then
 	# Ensure label crosscheck still requires parent needs' rw' access
 	# after passing fd pair across exec
-	genprofile $af_unix_create $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
+	genprofile $af_unix_create $exec $aa_enabled 'change_profile->':$np1 -- \
+	           image=$np1 addimage:$test $af_unix_inherit $aa_enabled
 	do_test "confined exec transition, crosscheck rejection" fail "$test" "enforce" "$np1"
 fi
 
 # Ensure correct labeling after passing fd pair across a no-transition exec
 # NOTE: The test still calls aa_change_onexec(), so change_profile -> $test
 #       is still needed
-genprofile $af_unix_create $exec 'change_profile->':$test
+genprofile $af_unix_create $exec $aa_enabled 'change_profile->':$test
 do_test "confined exec no transition" pass "$test" "enforce" "$test"
 
 # Ensure correct complain mode after passing fd pair across exec
-genprofile flag:complain $af_unix_create $exec 'change_profile->':$np1 -- \
-	   image=$np1 addimage:$test $af_unix_inherit
+genprofile flag:complain $af_unix_create $aa_enabled $exec 'change_profile->':$np1 -- \
+	   image=$np1 addimage:$test $af_unix_inherit $aa_enabled
 do_test "confined exec transition from complain" pass "$test" "complain" "$np1"
 
 # Ensure correct enforce mode after passing fd pair across exec
-genprofile $af_unix_create ${af_unix_create_label} $exec 'change_profile->':$np1 -- \
-	   image=$np1 addimage:$test flag:complain $af_unix_inherit
+genprofile $af_unix_create ${af_unix_create_label} $aa_enabled $exec 'change_profile->':$np1 -- \
+	   image=$np1 addimage:$test flag:complain $af_unix_inherit $aa_enabled
 do_test "confined exec transition to complain" pass "$test" "enforce" "$np1"
 
 # af_unix_create is set to non-null at the top of the test script if
 # the kernel advertises supporting unix sockets
 if [ -n "${af_unix_create}" ] ; then
 	# Ensure label crosscheck enforced in complain mode after passing fd pair across exec
-	genprofile $af_unix_create $exec 'change_profile->':$np1 -- \
-		   image=$np1 addimage:$test flag:complain $af_unix_inherit
+	genprofile $af_unix_create $aa_enabled $exec 'change_profile->':$np1 -- \
+		   image=$np1 addimage:$test flag:complain $af_unix_inherit $aa_enabled
 	do_test "confined exec transition to complain, crosscheck rejection" fail "$test" "enforce" "$np1"
 fi
 
 # Ensure correct labeling after passing fd pair across 2 execs
-gp_args="$af_unix_create ${af_unix_create_label} $exec change_profile->:$np1 -- \
-	 image=$np1 addimage:$test $af_unix_inherit $exec change_profile->:$np2 -- \
-	 image=$np2 addimage:$test $af_unix_inherit"
+gp_args="$af_unix_create ${af_unix_create_label} $aa_enabled $exec change_profile->:$np1 -- \
+	 image=$np1 addimage:$test $af_unix_inherit $aa_enabled $exec change_profile->:$np2 -- \
+	 image=$np2 addimage:$test $af_unix_inherit $aa_enabled"
 genprofile $gp_args
 do_test "confined 2 exec transitions" pass "$test" "enforce" "$np1" "$np2"
 
@@ -122,9 +125,9 @@ do_test "confined 2 exec transitions bad con" fail "$test" "enforce" "$np1" "$np
 do_test "confined 2 exec transitions bad mode" fail "$test" "complain" "$np1" "$np2"
 
 # Ensure correct labeling after passing fd pair across exec to unconfined
-genprofile $af_unix_create $exec 'change_profile->':unconfined
+genprofile $af_unix_create $aa_enabled $exec 'change_profile->':unconfined
 do_test "confined exec transition to unconfined" pass "$test" "enforce" "unconfined"
 
 # Ensure correct labeling after passing fd pair across exec from unconfined
-genprofile image=$np1 addimage:$test $af_unix_inherit
+genprofile image=$np1 addimage:$test $af_unix_inherit $aa_enabled
 do_test "unconfined exec transition ton confined" pass "unconfined" "(null)" "$np1"