When running the swap regression tests, the swapon command would issue
a warning about insecure permissions on the swapfile being used as
part of the test:
mkswap: /tmp/sdtest.9698-822-2BL034/swapfile: insecure permissions 0644, 0600 suggested.
Fix this by setting the permissions after the swapfile is created.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/108
The mount regression test passes MS_MANDLOCK to the mount(2) syscall in
the test program. When the kernel is configured without
CONFIG_MANDATORY_FILE_LOCKING set, attempting to mount a filesystem with
this option always fails with EPERM. To fix, convert the test program to
use the MS_NODEV option instead.
Bug: https://bugs.launchpad.net/apparmor/+bug/1765025
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/109
The environ.sh test fails with the following fatal error:
Fatal Error (environ): Unable to run test sub-executable
The reason is due to the tests which use the env_check.sh helper see
unexpected output in the helper's output:
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (C.UTF-8)
I see a number of locale related denials:
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/locale-archive" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/etc/locale.alias" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_CTYPE" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_COLLATE" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_MESSAGES/" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_NUMERIC" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_TIME" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Allowing everything under /usr/lib/locale/ to be read by the helper
results in the environ.sh test passing.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Some of the regression tests are missing conditionals or have the
wrong conditionals so that they fail on current upstream kernels.
Fix this by adding and changing conditionals and requires where
appropriate. With the patches the tests report passing on 4.14 and
4.15 kernels.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time out
Not all kernels support writing the path_max kernel parameter after
boot. Detect if it can be written and run the long_path tests only
if it can be.
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
newer versions of apparmor that support multi-transaction have this xpass
case fixed
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Update the tests to test whether the kernel and parser support domain
transitions on pivot_root.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
In commit 3649, Colin King fixed the readdir test build issue where
aarch64 only supports getdetns64(), not getdents(). Realistically,
however, we want to ensure mediation occurs on both syscalls where
they exist. This patch changes the test to attempt performing both
versions of getdents(). Because we want to catch the situation where
the result of getdents differs from getdents64, we now pass in the
expected result.
Also add a test to verify that having write access does not grant
the ability to read a directory's contents.
Bug: https://bugs.launchpad.net/bugs/1674245
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
https://launchpad.net/bugs/1674245
arm64 build of the tests breaks because getdents is not available.
Where available, use gendents64 as the preferred choice.
Fixes:
cc -g -O0 -Wall -Wstrict-prototypes readdir.c -lapparmor -o readdir
readdir.c: In function ‘main’:
readdir.c:45:14: error: ‘SYS_getdents’ undeclared (first use in this function)
if (syscall(SYS_getdents, fd, &dir, sizeof(struct dirent)) == -1){
^~~~~~~~~~~~
readdir.c:45:14: note: each undeclared identifier is reported only once for each function it appears in
<builtin>: recipe for target 'readdir' failed
make: *** [readdir] Error 1
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
In the environ regression test, when the exec() of the child process
fails, we don't report FAIL to stdout, so the regression tests consider
it an error rather than a failure and abort, short-circuiting the
test script.
This commit fixes this by emitting the FAIL message when the result
from the wait() syscall indicates the child process did not succeed.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
exec_stack picked up a fix to address a semantic change introduced in
4.8 kernels.
However older kernels don't need the extra permission and the exec_stack
test is the only test we currently have that caught the semantic change.
Keep exec_stack to the minimum set of permissions needed for a given
kernel. Which allows us to use exec_stack as a test to detect the
semantic change showing up in unexpected place until we have a test
specifically designed for this.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
https://launchpad.net/bugs/1628745
The following upstream kernel commit changed the semantics of the exec
permission check in the 4.8 kernel:
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
That change means that the target profile of an exec transition must
have permission to map the binary being executed. This patch fixes
regression test failures while the exec_stack.sh test is running against
4.8 and newer kernels by granting mapping permission to the target
profile.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
profile_A//&:ns1://unconfined (mixed)
this is confusing and can even break some trusted helpers. The unconfined
profile has been special cased and now will report enforce when stacking
with unconfined
profile_A//&:ns1://unconfined (enforce)
This patch fixes the regression tests to work with this change
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://launchpad.net/bugs/1521400
The onexec.sh test has periodically exhibited unexplicable failures that
are possibly due to race conditions when onexec.sh is verifying the
/proc/PID/attr/{current,exec} values of the process under test. This
patch attempts to solve the flaky test failures by removing the need for
IPC to coordinate between the test script and the test program.
The old onexec test program is removed and the transition test program
is used instead. This allows for the test script to tell the transition
test program what its current and exec procattr labels should be via
command line options.
Since IPC is no longer needed, the signal:ALL allow rule can be dropped
from the test profile. A new allow rule is needed to grant reading of
/proc/*/attr/{current,exec} since transition must verify the contents of
these files.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Add optional command line parameters to the transition test program that
can be used to verify a certain label and/or mode that should be found
in /proc/self/attr/exec.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Add logic to the at_secure.sh test script to verifies that the parser is
new enough to support change_profile exec modes and determine what the
kernel's support for change_profile exec modes before verifying that
AT_SECURE is set correctly after various exec transitions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The gen_change_profile() function must be changed to allow the extra
condition in change_profiles rules.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Quote $@ so that the for loop doesn't iterate on the space-delimited
version of the rule(s) under test. This allows more complex rules such
as "change_profile foo -> bar," to be tested where, before this patch,
only "change_profile," could be tested.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The AT_SECURE value in the kernel's per-process auxiliary vector is what
signals to libc that the process' environment should be scrubbed. This
new set of regression tests checks the AT_SECURE value after performing
the various types of exec transitions that AppArmor supports (file rules
with different exec access modes and change_profile rules).
Different versions of the kernel handle AT_SECURE differently with
respect to change_profile rules. This change in behavior was introduced
in the AppArmor profile stacking kernel support and the tests are
conditionalized to account for this change.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Extend the transition test program to allow for changing to a new
profile. This change will be useful in test scripts that need to test
operations across profile stacks and/or profile changes.
The calls to aa_stack_onexec() and aa_stack_profile() are build-time
conditionalized on whether or not the libapparmor being used has
implemented those functions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
This test will soon be made to do more than just stack a new profile.
It will be extended to allow for changing to a new profile and,
therefore, should be renamed.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 11 May 2016 13:52:56 +0100
Subject: syscall_sysctl test: correctly skip if CONFIG_SYSCTL_SYSCALL=n
This test attempts to auto-skip the sysctl() part if that syscall
was not compiled into the current kernel, via
CONFIG_SYSCTL_SYSCALL=n. Unfortunately, this didn't actually work,
for two reasons:
* Because "${test} ro" wasn't in "&&", "||", a pipeline or an "if",
and it had nonzero exit status, the trap on ERR was triggered,
causing execution of the error_handler() shell function, which
aborts the test with a failed status. The rules for ERR are the
same as for "set -e", so we can circumvent it in the same ways.
* Because sysctl_syscall.c prints its diagnostic message to stderr,
but the $() operator only captures stdout, it never matched
in the string comparison. This is easily solved by redirecting
its stderr to stdout.
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
The stacking tests worked fine when using in-tree programs and libraries
but the tests unexpectedly failed when USE_SYSTEM=1 was specified. This
patch makes use of the addimage:$test argument to mkprofile.pl to
generate the correct file permissions needed to use the system binaries.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
I configured the stacking test binary to only be built when libapparmor
2.11 is present. The versioning of the 2.11 Beta 1 release (2.10.95)
causes that check to fail and the stacking tests to not be used.
This patch adjusts the libapparmor version check to be aware of the 2.11
Beta 1 versioning.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
This adds support to the profile generator script for change_profile
rules, giving the ability to write the 3 factor version of the rule
(e.g. "change_profile /t -> A_PROFILE") which was significantly more
difficult using straight raw rules, which is why we don't have any 3
factor rule tests.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Now that the onexec test program notices that it failed to send SIGSTOP
to itself, causing a whole bunch of tests to be detected as failing,
grant the ability to send and receive signals to the onexec tests.
(The onexec tests are not tests intended to verify signal mediation.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The onexec test was ignoring errors from the kill() call, so it didn't
notice when it had failed to send SIGSTOP to itself.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Based on a patch by John Johansen <john.johansen@canonical.com>
(I converted the check to look for the process directory in /proc
rather than sending signal 0 to the task, as John had done in a patch
sent to me, to prevent failures in signal delivery from blocking the
check from working correctly.)
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Based on a patch by John Johansen <john.johansen@canonical.com>
Add more details to the checks in the regression tests onexec tests,
to make debugging failures easier. Also, use more local variables
to indicate what and how many arguments are expected to the onexec
check_* functions.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The stacking test binary links against libapparmor for
aa_stack_profile() and aa_stack_onexec(), which will be present in 2.11.
This means that regression test builds using the system libapparmor
should not build the stacking test binary unless the libapparmor 2.11 or
newer is present.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Policy namespaces are not well supported in older parsers and kernels.
This is a case where the kernel support doesn't seem to be working.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Stacking is a complex feature and, in order to sufficiently test all
aspects of stacking, a relatively complex test program is needed.
This patch adds a program that can call
aa_stack_onexec()/aa_stack_profile(), perform file IO on a given file
path, verify that the current confinement context is what it is expected
to be, and/or execute itself or another program.
The confinement context verification can handle stacked labels with any
ordering.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Some tidying up is needed in order to reuse do_open(). This patch
eliminates the chance of returning 0 due to errno being not set. It also
adjusts the file string to be const.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The idea is that the $test profile grants $file access and the
$othertest profile grants $subfile access. Both profiles grant
$stacktest access. The tests verify that after changing to the stacked
$othertest//&$test profile, only $stacktest can be accessed.
Similar tests are also added for stacking with a namespaced profile.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The kernel patches that implement AppArmor profile stacking made changes
that allow the the backed for change_profile to detect if the target
profile does not exist prior to checking if the current profile allows
the change_profile.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://launchpad.net/bugs/1540666
Reuse the new parse_label() function to initialize named_transition
structs so that transition targets, when used with change_profile, are
properly seperated into a profile namespace and profile name.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Bug: https://launchpad.net/bugs/1379874
https://launchpad.net/bugs/1544387
Don't split namespaces from profile names using YACC grammar. Instead,
treat the entire string as a label in the grammer. The label can then be
split into a namespace and a profile name using the new parse_label()
function.
This fixes a bug that caused the profile keyword to not be used with a
label containing a namespace in the profile declaration.
Fixing this bug uncovered a bad parser test case at
simple_tests/profile/profile_ns_ok1.sd. The test case mistakenly
included two definitions of the :foo:unattached profile despite being
marked as expected to pass. I've adjusted the name of one of the
profiles to :foo:unattached2.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
https://launchpad.net/bugs/1546455
Don't filter out AF_UNSPEC from the list of valid protocol families so
that the parser will accept rules such as 'network unspec,'.
There are certain syscalls, such as socket(2), where the LSM hooks are
called before the protocol family is validated. In these cases, AppArmor
was emitting denials even though socket(2) will eventually fail. There
may be cases where AF_UNSPEC sockets are accepted and we need to make
sure that we're mediating those appropriately.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
[cboltz: Add 'unspec' to the network domain keywords of the utils]
bug: https://bugs.launchpad.net/bugs/1531325
This patch defines the arch specific registers struct for s390 for the
ptrace regression test.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Remove the Perl aa-exec implementation, move the aa-exec(8) man page to
binutils/, and point the regression test to the C based aa-exec in
binutils/.
Note that the new C aa-exec does not implement the --file option which
was present in the Perl aa-exec. It encouraged running programs as root,
since root privileges were required to load the specified profile.
All other features of the Perl aa-exec are present in the C aa-exec.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Add regression tests for the --profile, --namespace, and --immediate
options of aa-exec.
A new variable is added to uservars.inc to point to the in-tree or
system aa-exec depending on the presence of the USE_SYSTEM=1 make
variable at build time.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
