bug: https://bugs.launchpad.net/bugs/1531325
This patch defines the arch specific registers struct for s390 for the
ptrace regression test.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Remove the Perl aa-exec implementation, move the aa-exec(8) man page to
binutils/, and point the regression test to the C based aa-exec in
binutils/.
Note that the new C aa-exec does not implement the --file option which
was present in the Perl aa-exec. It encouraged running programs as root,
since root privileges were required to load the specified profile.
All other features of the Perl aa-exec are present in the C aa-exec.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Add regression tests for the --profile, --namespace, and --immediate
options of aa-exec.
A new variable is added to uservars.inc to point to the in-tree or
system aa-exec depending on the presence of the USE_SYSTEM=1 make
variable at build time.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
In testing against the 4.1 kernel, the syscall_sysctl testcase started
failing even in the unconfined case. What the test program does is
attempt to adjust the kernel.threads-max sysctl to be slightly larger
and see if the operation succeeds by reading the value back out. It
also attempts to save the original value and restore it. The test
was failing because (in VMs at least) the default value chosen by
the kernel for the kernel.threads-max setting was high enough that
attempts to increase it would be ignored (likely to prevent too much
use of kernel memory by threads), helpfully without any message being
report to dmesg. Thus, the initial read of the current value would
succeed, the write of that value + 1024 would appear to succeed,
but then reading the value back out and comparing it to the expected
value would fail, as it would still be the original value, not the
expected new value.
This patch attempts to address this by first attempting to raise
the value, and if that does not appear to work, to then attempt
to lower it. It also refactors the code a bit by creating helper
functions to perform the actual sysctl(2) calls to make the code a
bit easier to read.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The local defines in the link_subset test collide and result in build
warnings. Replace the defines with a naming that won't collide and
makes it clear a local define for the test is being used.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
1. The test is using the wrong defines: It is using the defines from the
parser for the packed dfa permissions. This set of permissions is not
meant to be exposed to the outside world
2. The kernel is using the wrong mapping function for the permissions
in the file class. This results in partially exposing the packed
permissions, but even then it doesn't fully line up with the packed
permissions, and is not correct for several of the potential permissions.
Attached is a patch that fixes the test, and moves the two tests that
fail due to the kernel to xpass.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
In the commit "Rev 3169: regression tests: have
ptrace use PTRACE_GETREGSET by default", I created
some ifdef magic to use the per arch general purpose
register data structures for various architectures,
including arm64. Unfortunately, in the upstream glibc commit
7d05a8168b
<bits/ptrace.h> is no longer included in the arm64 specific user.h,
which defined the structure as 'struct user_pt_regs'; instead user.h
was converted to define 'struct user_regs_struct'. Because of this, the
ptrace test fails to compile on arm64 when glibc is 2.20 or newer.
This patch adjusts the ptrace test to use the newer structure on arm64
if it's detected that a newer glibc is detected and reverts to using
the older one for older glibcs. It also adds an error when compiling
on architectures that haven't been incorporated yet.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://bugs.launchpad.net/apparmor/+bug/1470985
The ptrace regression test fails to compile on the arm64 platform,
because it uses PTRACE_GETREGS and not the newer PTRACE_GETREGSET
interface for getting access to arch-specific register information[0].
However, fixing it is complicated by the fact that the struct name
for for the general purpose registers is not named consistently
across architectures. This patch attempts to address those issues,
and compiles at least on i386, amd64, arm64, arm (armhf), ppc64,
and ppc64el. The test is verified to continue to function correctly
on i386 and amd64.
[0] https://sourceware.org/ml/archer/2010-q3/msg00193.html
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
The aa_policy_cache_new() and aa_policy_cache_remove() functions are
changed to accept a dirfd parameter.
The cache dirfd (by default, /etc/apparmor.d/cache) is opened earlier in
aa_policy_cache_new(). Previously, the directory wasn't accessed until
later in the following call chain:
aa_policy_cache_new() -> init_cache_features() -> create_cache()
Because of this change, the logic to create the cache dir must be moved
from create_cache() to aa_policy_cache_new().
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The most common case when creating an aa_kernel_interface object will be
to do so while using the current kernel's feature set for the
kernel_features parameter. Rather than have callers instantiate their
own aa_features object in this situation, aa_kernel_interface_new()
should do it for them if they specify NULL for the kernel_features
parameter.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The most common case when creating an aa_policy_cache object will be to
do so while using the current kernel's feature set for the
kernel_features parameter. Rather than have callers instantiate their
own aa_features object in this situation, aa_policy_cache_new() should
do it for them if they specify NULL for the kernel_features parameter.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This patch changes the aa_policy_cache_new() prototype and gets rid of
aa_policy_cache_is_valid() and aa_policy_cache_create().
The create bool of aa_policy_cache_new() is replaced with a 16 bit
unsigned int used to specify the maximum number of caches that should be
present in the specified cache directory. If the number is exceeded, the
old cache directories are reaped. The definition of "old" is private to
libapparmor and only 1 cache directory is currently supported. However,
that will change in the near future and multiple cache directories will
be supported.
If 0 is specified for the max_caches parameter, no new caches can be
created and only an existing, valid cache can be used. An error is
returned if no valid caches exist in that case.
If UINT16_MAX is specified, an unlimited amount of caches can be created
and reaping is disabled.
This means that 0 to (2^16)-2, or infinite, caches will be supported in
the future.
This change allows for the parser to continue to support the
--skip-bad-cache (by passing 0 for max_caches) and the --write-cache
option (by passing 1 or more for max_caches) without confusing
libapparmor users with the aa_policy_cache_{is_valid,create}()
functions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Rename require_features to require_kernel_features and
have_features to kernel_features
to indicate they are tests for kernel features, as now there are tests
for parser features and in the future there might be library features
as well.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
has not been updated. The issue is that the regression tests detect the
kernel features set and generate policy that the parser may not be able
to compile.
Augment the regressions tests with a couple simple functions to test what
is supported by the parser, and update the test conditionals to use them.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
A number of simple query tests based on read and write perms of files
and directories.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The test program was querying its own profile. Adjust the profile
generation so that a separate profile is generated and have query_label
query the separate profile.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This patch modifies the socketpair.c test to verify the return value of
aa_getpeercon() based upon the expected label and expected mode lengths.
The test had to be changed slightly so that the returned mode, from
aa_getpeercon(), was preserved. It was being overwritten with the
special NO_MODE value.
This change helps to make sure that future changes to the code behind
aa_getpeercon() does not unintentionally change the function's return
value.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The following patch addresses two issues on older releases:
1) In trunk commit 2911, the line 'undefine VERBOSE' was added to
parser/tst/Makefile so that the equality tests would not generate
verbose output when $VERBOSE != 1. Unfortunately, the 'undefine'
keyword was not introduced in GNU Make until version 3.82. On
distro releases like Ubuntu 12.04 LTS that include versions of Make
older than that, make check and make clean abort when VERBOSE is
not set to 1. The patch fixes that by setting VERBOSE to a zero
length string if does not already equal 1.
2) In trunk commit 2923, a workaround for systemd as init was added
to the pivot_root regression test. The workaround included a
call to ps(1) to determine if systemd is pid 1. Unfortunately,
in older versions of the procps package (such as the version in
Ubuntu 12.04 LTS), 'ps -hp1' emits the warning
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
The patch below converts the ps call to 'ps hp1' which does not
generate the warning.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
The aa_features and aa_kernel_interface APIs get a little bit of
testing, as well.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The systemd init daemon mounts the / filesystem as shared [1], which
breaks pivot_root(2). The following patch adjusts the pivot_root
test script to remount / as private if it detects that its shared,
allowing the tests to run successfully, and then undoes it once the
tests are complete.
[1] http://cgit.freedesktop.org/systemd/systemd/commit/?id=b3ac5f8cb98757416d8660023d6564a7c411f0a0
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Parts of the regression tests that use the do_open() inline function
from changehat.h fail to build under gcc-5 like so:
cc -g -O0 -Wall -Wstrict-prototypes changeprofile.c -lapparmor -o changeprofile
/tmp/ccT6GE6k.o: In function `main':
/home/ubuntu/bzr/apparmor/tests/regression/apparmor/changeprofile.c:43: undefined reference to `do_open'
collect2: error: ld returned 1 exit status
<builtin>: recipe for target 'changeprofile' failed
This patch converts the do_open function declaration to be static
inline, which apparently keeps gcc-5 from getting confused.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
These regression tests are for an Ubuntu-specific bug. However, they
should benefit the upstream project, as well. Ubuntu took an incomplete
version of a patch, which introduced the bug. The version of that patch
that landed upstream did not contain the bug.
The bug was in policy compilation of certain combinations of rule types,
conditionals, and conditional values. The easiest such combination to
test is a rule such as:
ptrace peer=ABC,
Buggy parsers will generate binary policy that causes the kernel to deny
a ptrace of a process confined by ABC, despite the presence of the above
rule.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
With the two recent unix socket test patches to mark dgram tests as
failing but expected to pass, I realized that there's no indication
in the output that there are current expected failures (except for
the single corefile test expected failure)[0]. This patch attempts to
remedy that by emitting the x-type plus the test description for each
test that is marked as such. I've set it to always emit these results.
[0] The test infrastructure does give an alert if there is a test that
has been marked xpass or xfail but has started behaving correctly.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
It's not been tracked down in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373172 why
this is happening, but the current unnamed unix socket dgram tests
are failing when only the server is confined, and the peer label is
given as only the confining profile (the stream and seqpacket dgram
tests/permissions don't seem to trigger this revalidation rejection).
Until this bug is diagnosed and addressed, mark these tests as failing
but expected to pass (i.e. 'xpass').
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
With the addition of the unix socket mediation and
corresponding tests, there are currently two tests that fail
in unix_socket_pathname.sh. These have been recorded as bugs
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373174 and
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373176 but John
has not had time to investigate if these are legitimate bugs. The
following patch marks the tests as expecting to pass but currently
failing.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1375516
The unix_socket test program calls getsockopt() after calling bind().
Because AppArmor continues to use traditional file rules for sockets
bound to a filesystem path, it does not mediate some socket operations
after the socket has been bound to the filesystem path. The getopt
permission is one of those socket operations.
To account for this lack of mediation, the getopt permission should be
removed from the server permissions list.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Iterate through the individual client and server AF_UNIX pathname
permissions and remove them, one-by-one, to verify that the test fails.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The client and server programs require a different set of AF_UNIX
permissions. This patch makes it so that the unix rules are constructed
differently depending on the program under test.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.
The new file unix_socket.inc includes a generic set of tests that can be
reused by another test script in order to test unnamed AF_UNIX socket
mediation. The do_test() function is conditionalized in a way that it
can test confined servers and confined clients depending on the
arguments passed in.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The unix_socket operations for testing getopt and setopt permissions
were occurring back to back. This patch breaks them up into "pre-bind"
and "post-bind" operations. The setopt operation now occurs pre-bind
while the getopt operation happens post-bind. This allows for the test
policy to test setopt without an addr= conditional and to test getopt
with an addr= conditional.
Additionally, the wrapper functions that call setsockopt()/getsockopt()
are moved into a new file that both unix_socket.c and
unix_socket_client.c can reuse.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The client will now do a getsockname() on its socket in order to test
the AppArmor 'getattr' unix rule permission.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The server will now do a shutdown() on its socket in order to test the
AppArmor 'shutdown' unix rule permission.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Use the sendto()/recvfrom() functions when dealing with dgram sockets in
unix_socket_client.
This allows us to test different interfaces besides the typical
write()/read() and will allow for a smaller permissions set for
unix_socket_client.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The unix_socket_client test program was using an abstract socket, which
was set up using the autobind feature, when testing any socket address
types.
To more accurately test a specific address type, this patch changes the
client code to use whatever address type that the server is using. The
string ".client" will be added to the end of the server's address.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Update unix_socket and unix_socket_client to use setsockopt() in order
to set send and receive timeouts for socket IO operations. This takes
the place of poll(). Poll() was not being used for all potentially
blocking socket operations which could have resulted in test cases
blocking infinitely.
This also has the nice side effect of using getsockopt() and
setsockopt(). These are AppArmor mediation points in kernel ABI v7 so it
is worthwhile to test the calls while under confinement.
This patch updates the existing v7 policy generation to allow the getopt
and setopt accesses.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
granted to confined processes that call socket(AF_UNIX, type, 0). This
is true for pathname, abstract, and unnamed UNIX domain sockets since
the address type of a socket is not yet known when socket(2) is called.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
It is too complicated, due to the number of corner cases, to write a
script that generates the rules for each AF_UNIX address type (pathname,
abstract, and unnamed) and socket type (stream, dgram, and seqpacket).
This patch moves the AF_UNIX pathname tests into their own file with the
intent of having each address type be tested in their own file.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Instead of using the entire sun_path buffer for abstract socket names,
only use the exact length of the string that is specified on the command
line. The nul-terminator is not included for abstract sockets.
The size of sun_path is modified to include the nul-terminator for
pathname address types.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The new af_unix apparmor kernel patches include the first step towards
implicit labeling. As a result, when a file descriptor is inherited
across one profile boundary to another, both labels' policies are
checked for valid access to the file descriptor. However, due to a quirk
in the linux kernel, when a socket is opened, the file descriptor is
marked as having read and write (aka send and receive) access. When the
crosscheck revalidation occurs, this means that the policy being
inherited from requires read/write access to the socket descriptor, even
if the process never reads or writes to it. This resulted in a few
failures in the socketpair tests.
The following patch adjusts the failing tests to include the neccessary
send and receive permissions, as well as adding additional tests that
are expected to fail when they are not present, to try to ensure that
if our crosscheck behavior changes, we catch it.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Put a bare unix rule in the core gendbusprofile() function that all
dbus_*.sh use. We aren't interested in testing AF_UNIX mediation in the
dbus tests, since that's already done elsewhere, so we'll
unconditionally allow full AF_UNIX access to prevent test breakage
caused by any future changes in libdbus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Unrequested replies are message types that are typically replies, such
as error and method_return message types, but have not been requested by
the recipient.
The AppArmor mediation code in dbus-daemon allows requested reply
messages through if the original message was allowed. However,
unrequested reply messages should be checked against the system policy
to make certain that they should be allowed.
This test verifies that the dbus-daemon is properly querying system
policy when it detects that a message is an unrequested reply.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Kernel ABI v6 only required 'w' permissions for the parent process that
creates the socket, accepts a connection, writes to the socket, and
reads from the socket.
Kernel ABI v7 will require 'rw' permissions for the parent process. This
change detects the current kernel ABI version and adjusts the parent
process's confinement appropriately. It also performs a negative test to
make sure that 'w' is not sufficient.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
