It's not been tracked down in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373172 why
this is happening, but the current unnamed unix socket dgram tests
are failing when only the server is confined, and the peer label is
given as only the confining profile (the stream and seqpacket dgram
tests/permissions don't seem to trigger this revalidation rejection).
Until this bug is diagnosed and addressed, mark these tests as failing
but expected to pass (i.e. 'xpass').
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
With the addition of the unix socket mediation and
corresponding tests, there are currently two tests that fail
in unix_socket_pathname.sh. These have been recorded as bugs
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373174 and
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373176 but John
has not had time to investigate if these are legitimate bugs. The
following patch marks the tests as expecting to pass but currently
failing.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1375516
The unix_socket test program calls getsockopt() after calling bind().
Because AppArmor continues to use traditional file rules for sockets
bound to a filesystem path, it does not mediate some socket operations
after the socket has been bound to the filesystem path. The getopt
permission is one of those socket operations.
To account for this lack of mediation, the getopt permission should be
removed from the server permissions list.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Iterate through the individual client and server AF_UNIX pathname
permissions and remove them, one-by-one, to verify that the test fails.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The client and server programs require a different set of AF_UNIX
permissions. This patch makes it so that the unix rules are constructed
differently depending on the program under test.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.
The new file unix_socket.inc includes a generic set of tests that can be
reused by another test script in order to test unnamed AF_UNIX socket
mediation. The do_test() function is conditionalized in a way that it
can test confined servers and confined clients depending on the
arguments passed in.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The unix_socket operations for testing getopt and setopt permissions
were occurring back to back. This patch breaks them up into "pre-bind"
and "post-bind" operations. The setopt operation now occurs pre-bind
while the getopt operation happens post-bind. This allows for the test
policy to test setopt without an addr= conditional and to test getopt
with an addr= conditional.
Additionally, the wrapper functions that call setsockopt()/getsockopt()
are moved into a new file that both unix_socket.c and
unix_socket_client.c can reuse.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The client will now do a getsockname() on its socket in order to test
the AppArmor 'getattr' unix rule permission.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The server will now do a shutdown() on its socket in order to test the
AppArmor 'shutdown' unix rule permission.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Use the sendto()/recvfrom() functions when dealing with dgram sockets in
unix_socket_client.
This allows us to test different interfaces besides the typical
write()/read() and will allow for a smaller permissions set for
unix_socket_client.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The unix_socket_client test program was using an abstract socket, which
was set up using the autobind feature, when testing any socket address
types.
To more accurately test a specific address type, this patch changes the
client code to use whatever address type that the server is using. The
string ".client" will be added to the end of the server's address.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Update unix_socket and unix_socket_client to use setsockopt() in order
to set send and receive timeouts for socket IO operations. This takes
the place of poll(). Poll() was not being used for all potentially
blocking socket operations which could have resulted in test cases
blocking infinitely.
This also has the nice side effect of using getsockopt() and
setsockopt(). These are AppArmor mediation points in kernel ABI v7 so it
is worthwhile to test the calls while under confinement.
This patch updates the existing v7 policy generation to allow the getopt
and setopt accesses.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
granted to confined processes that call socket(AF_UNIX, type, 0). This
is true for pathname, abstract, and unnamed UNIX domain sockets since
the address type of a socket is not yet known when socket(2) is called.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
It is too complicated, due to the number of corner cases, to write a
script that generates the rules for each AF_UNIX address type (pathname,
abstract, and unnamed) and socket type (stream, dgram, and seqpacket).
This patch moves the AF_UNIX pathname tests into their own file with the
intent of having each address type be tested in their own file.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Instead of using the entire sun_path buffer for abstract socket names,
only use the exact length of the string that is specified on the command
line. The nul-terminator is not included for abstract sockets.
The size of sun_path is modified to include the nul-terminator for
pathname address types.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The new af_unix apparmor kernel patches include the first step towards
implicit labeling. As a result, when a file descriptor is inherited
across one profile boundary to another, both labels' policies are
checked for valid access to the file descriptor. However, due to a quirk
in the linux kernel, when a socket is opened, the file descriptor is
marked as having read and write (aka send and receive) access. When the
crosscheck revalidation occurs, this means that the policy being
inherited from requires read/write access to the socket descriptor, even
if the process never reads or writes to it. This resulted in a few
failures in the socketpair tests.
The following patch adjusts the failing tests to include the neccessary
send and receive permissions, as well as adding additional tests that
are expected to fail when they are not present, to try to ensure that
if our crosscheck behavior changes, we catch it.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Put a bare unix rule in the core gendbusprofile() function that all
dbus_*.sh use. We aren't interested in testing AF_UNIX mediation in the
dbus tests, since that's already done elsewhere, so we'll
unconditionally allow full AF_UNIX access to prevent test breakage
caused by any future changes in libdbus.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Unrequested replies are message types that are typically replies, such
as error and method_return message types, but have not been requested by
the recipient.
The AppArmor mediation code in dbus-daemon allows requested reply
messages through if the original message was allowed. However,
unrequested reply messages should be checked against the system policy
to make certain that they should be allowed.
This test verifies that the dbus-daemon is properly querying system
policy when it detects that a message is an unrequested reply.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Kernel ABI v6 only required 'w' permissions for the parent process that
creates the socket, accepts a connection, writes to the socket, and
reads from the socket.
Kernel ABI v7 will require 'rw' permissions for the parent process. This
change detects the current kernel ABI version and adjusts the parent
process's confinement appropriately. It also performs a negative test to
make sure that 'w' is not sufficient.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This change only sets up unix_socket.sh to test abstract sockets.
Unconfined processes are tested while using an abstract socket but
the test function returns before testing with confinement.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Rename the test in preparation for expanding its capabilities to cover
all UNIX domain socket address format types.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Earlier fixes to the parser's handling of escape sequences involving '\'
caused a behavioral change that profiles no longer needed to contain
'\\' before an octal escape sequence. However, the regression tests were
never modified to take this change into account, and thus the i18n.sh
octal tests would fail. This patch fixes that.
Also, with the changes, the parser no longer accepts _\_ as a valid
sequence, so we skip this character.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com> (on IRC)
The child process changes into a hat while the parent process stays in
the main profile.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Add two tests that verify AppArmor denials when one end of the pipe has
bad access permissions to the pipe.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The named_pipe parent process kills the child process at exit. A
"signal," rule must be added to all confinement profiles when the test
is running under a kernel that performs signal mediation.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Allow for the parent and child processes to change into separate hats to
verify named pipe communications between hats with varying permissions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Add debugging info to test binaries and disable optimizations.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Bug: https://bugs.launchpad.net/bugs/1235478
This is a test to check the label on file descriptors returned from
socketpair().
In its simple form, it simply calls socketpair() and checks the
labels on both fds.
In its complex form, it has the ability to do the simple test, then set
up an exec transition using aa_change_onexec(), and re-exec itself to
check the labeling after the file descriptors have been passed across an
exec transition.
The complex form is meant to test revalidation at exec. AppArmor
currently keeps the original labeling in place across the exec
transition.
Note that this test does not currently test read/write access to the
file descriptors. It only checks the label, as returned by
aa_getpeercon(2).
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Allow for the regression tests to specify arbitrary profile names
without hitting fatal errors or getting warnings from mkprofile.pl.
This allows for a test to have a line like this:
genprofile change_profile->':arbitrary_name -- \
image=arbitrary_name addimage:$test
In the example above, $test can call aa_change_onexec("arbitrary_name")
and then re-exec itself to test behavior across exec transitions.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The mount.sh script mixes calls to the regression test 'mount' binary
and /sbin/mount. This can result in stale mtab entries being left around
after a test run because /sbin/mount adds an mtab entry but the test
'mount' binary, which is also used for unmounting, does not remove mtab
entries.
To solve this problem, the -n option is passed to /sbin/mount so that it
doesn't add an mtab entry when mounting.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The end of the mount.sh regression test script contained cleanup
commands to unmount and detach the loop device used for testing.
However, the second losetup command fails and, with the recent
regression test suite fix to not ignore failed shell commands, an error
is triggered at the end of the test run.
Additionally, these cleanup commands are not ran when the test fails
during the test run and an immediate exit is requested upon failure
(with the -r flag).
This patch fixes and moves the cleanup logic into a function that is
assigned to do_onexit so that the cleanup is always performed at exit
and the test can run successfully.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
When there was a test error, such as a shell command failure, the
function used for the ERR trap, error_handler(), was causing the error
to be silently ignored by the test runner.
It was calling exit_handler() directly, before calling fatalerror().
This caused $_fatal to be left unset when exit_handler() was called.
exit_handler() sources epilogue.inc and the last bit of epilogue.inc
exits with $num_testfailures if $_fatal was unset. The fatalerror() call
site in error_hanlder() was never reached. So, as long as there were no
test failures, then an error in a test script would cause the test to
exit early with 0.
It is safe to simply call fatalerror() from error_handler() because
fatalerror() sets $_fatal to true and exits. This causes exit_handler()
to be called and since $_fatal is set to true, prologue.inc exits with
127.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The previous test patches where done with the hardcoded bypass for
unconfined.
This semantic was changed so that a confined app can now block unconfined
processes from tracing or sending signals to it.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Update mkprofile.pl to generate ptrace rules and update test scripts to
test ptrace mediation.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Update mkprofile.pl to generate signal rules and update test scripts to
grant signal permissions when needed.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
The addition of the dbus tests requires dbus dev libraries be installed
to run the test suite. This is not always desirable or even possible.
So make building and running the dbus tests conditional on the
pkg-config info from those libs. If they are not present output a
message about skipping the tests.
This patch contains the review fix from sbeattie
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This test attempts to clone itself in a new mount namespace, pivot root
into a new filesystem (ext2 disk image mounted over loopback), and then
verify that a profile transition, if one was specified in the pivot_root
rule, has properly occurred.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
The mount.sh regression test script was not testing with actual AppArmor
mount rules. This patch improves mkprofile.pl by adding the ability to
generate mount rules and adds tests to mount.sh that verify mount
mediation is working properly.
Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Fixed a couple typos and added fstype tests]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This updates the regression tests for v6 policy. It refactors the
required_features test into a have_features fn, and a new
requires_features fn (renamed to catch all instances make sure they
where right)
The have_features fn is then applied to several test to make them
conditionally apply based off of availability of the feature
and policy version.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
On ppc64el platforms, the minimum swapfile size is 640KiB. Our swap
test aborts there because it creates a swapfile of size 512KiB. This
patch adjusts the size to 768KiB, to satisfy ppc64el and to try
to keep the size down for embedded and otherwise limited platforms
(e.g. phones).
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Some kernels have CONFIG_SYSCALL_SYSCTL disabled, which is something to
be encouraged. This patch separates out the two different kind of sysctl
tests (syscall based and /proc/sys based) into separate shell functions,
and then checks to see that the test environment supports each before
invoking each shell function, issuing a warning (but not failing the
tests) if not available.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
The regression swap test attempts to activate a swap file in a
directory under where tmpdir is set in uservars.inc; if this is a
tmpfs filesystem, this will fail (it's kind of silly to create a
swap file on a tmpfs, a memory-backed filesystem). This patch adds a
check to the swap test script and skips the tests if it detects it's
on tmpfs and marks the test as a failure if the check fails.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
