Commit graph

287 commits

Author SHA1 Message Date
Tyler Hicks
f32daf1e34 tests: Make the regression tests easier to debug
Add debugging info to test binaries and disable optimizations.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-06-10 12:55:14 -05:00
Tyler Hicks
29469c6e2a tests: Create socketpair test for checking labeling on fds
Bug: https://bugs.launchpad.net/bugs/1235478

This is a test to check the label on file descriptors returned from
socketpair().

In its simple form, it simply calls socketpair() and checks the
labels on both fds.

In its complex form, it has the ability to do the simple test, then set
up an exec transition using aa_change_onexec(), and re-exec itself to
check the labeling after the file descriptors have been passed across an
exec transition.

The complex form is meant to test revalidation at exec. AppArmor
currently keeps the original labeling in place across the exec
transition.

Note that this test does not currently test read/write access to the
file descriptors. It only checks the label, as returned by
aa_getpeercon(2).

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-05-27 09:19:15 +02:00
Tyler Hicks
0cf50140a5 tests: Allow profile names that don't match an exec
Allow for the regression tests to specify arbitrary profile names
without hitting fatal errors or getting warnings from mkprofile.pl.

This allows for a test to have a line like this:

  genprofile change_profile->':arbitrary_name -- \
	     image=arbitrary_name addimage:$test

In the example above, $test can call aa_change_onexec("arbitrary_name")
and then re-exec itself to test behavior across exec transitions.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-05-27 09:17:31 +02:00
Tyler Hicks
c7d180c43b tests: Mount without updating mtab in mount.sh
The mount.sh script mixes calls to the regression test 'mount' binary
and /sbin/mount. This can result in stale mtab entries being left around
after a test run because /sbin/mount adds an mtab entry but the test
'mount' binary, which is also used for unmounting, does not remove mtab
entries.

To solve this problem, the -n option is passed to /sbin/mount so that it
doesn't add an mtab entry when mounting.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-04-24 14:24:54 -05:00
Tyler Hicks
d3030f8627 tests: Fix mount.sh test error
The end of the mount.sh regression test script contained cleanup
commands to unmount and detach the loop device used for testing.
However, the second losetup command fails and, with the recent
regression test suite fix to not ignore failed shell commands, an error
is triggered at the end of the test run.

Additionally, these cleanup commands are not run when the test fails
during the test run and an immediate exit is requested upon failure
(with the -r flag).

This patch fixes and moves the cleanup logic into a function that is
assigned to do_onexit so that the cleanup is always performed at exit
and the test can run successfully.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-04-24 14:24:49 -05:00
Tyler Hicks
b3863c8af7 tests: Don't silently ignore test errors
When there was a test error, such as a shell command failure, the
function used for the ERR trap, error_handler(), was causing the error
to be silently ignored by the test runner.

It was calling exit_handler() directly, before calling fatalerror().
This caused $_fatal to be left unset when exit_handler() was called.
exit_handler() sources epilogue.inc and the last bit of epilogue.inc
exits with $num_testfailures if $_fatal was unset. The fatalerror() call
site in error_handler() was never reached. So, as long as there were no
test failures, then an error in a test script would cause the test to
exit early with 0.

It is safe to simply call fatalerror() from error_handler() because
fatalerror() sets $_fatal to true and exits. This causes exit_handler()
to be called and since $_fatal is set to true, prologue.inc exits with
127.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-04-24 14:24:42 -05:00
John Johansen
071e956981 Update test scripts for new signal and ptrace semantics
The previous test patches were done with the hardcoded bypass for
unconfined.

This semantic was changed so that a confined app can now block unconfined
processes from tracing or sending signals to it.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-04-23 11:46:06 -07:00
John Johansen
288faefae3 Update test scripts for ptrace rules.
Update mkprofile.pl to generate ptrace rules and update test scripts to
test ptrace mediation.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-04-23 11:44:41 -07:00
John Johansen
844b5cbd42 Update test scripts for signal rules
Update mkprofile.pl to generate signal rules and update test scripts to
grant signal permissions when needed.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-04-23 11:40:56 -07:00
John Johansen
7907132269 Make dbus tests be conditionally run based on pkg-config
The addition of the dbus tests requires dbus dev libraries be installed
to run the test suite. This is not always desirable or even possible.

So make building and running the dbus tests conditional on the
pkg-config info from those libs. If they are not present output a
message about skipping the tests.

This patch contains the review fix from sbeattie

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-04-23 11:11:56 -07:00
Tyler Hicks
1f01ade154 tests: Add pivot_root tests
This test attempts to clone itself in a new mount namespace, pivot root
into a new filesystem (ext2 disk image mounted over loopback), and then
verify that a profile transition, if one was specified in the pivot_root
rule, has properly occurred.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2014-04-14 21:48:14 -05:00
John Johansen
a26b7a5a79 tests: Improve mount rule tests
The mount.sh regression test script was not testing with actual AppArmor
mount rules. This patch improves mkprofile.pl by adding the ability to
generate mount rules and adds tests to mount.sh that verify mount
mediation is working properly.

Signed-off-by: John Johansen <john.johansen@canonical.com>
[tyhicks: Fixed a couple typos and added fstype tests]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-03-26 21:10:04 -05:00
John Johansen
40c2d811f9 tests: Update the regression tests for v6 policy
This updates the regression tests for v6 policy. It refactors the
required_features test into a have_features fn, and a new
requires_features fn (renamed to catch all instances and make sure they
were right).

The have_features fn is then applied to several tests to make them
conditionally apply based off of availability of the feature
and policy version.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2014-03-26 21:08:59 -05:00
Steve Beattie
87d1c1e9f4 regression swap test: 640 KiB not enough swap for everyone
On ppc64el platforms, the minimum swapfile size is 640KiB. Our swap
test aborts there because it creates a swapfile of size 512KiB. This
patch adjusts the size to 768KiB, to satisfy ppc64el and to try
to keep the size down for embedded and otherwise limited platforms
(e.g. phones).

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-03-20 11:28:51 -07:00
Steve Beattie
13af2c37f0 regression sysctl: skip if sysctl not available
Some kernels have CONFIG_SYSCALL_SYSCTL disabled, which is something to
be encouraged. This patch separates out the two different kinds of sysctl
tests (syscall based and /proc/sys based) into separate shell functions,
and then checks to see that the test environment supports each before
invoking each shell function, issuing a warning (but not failing the
tests) if not available.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-03-20 11:23:10 -07:00
Steve Beattie
6557090ac3 Regression swap test: skip with failure if on tmpfs
The regression swap test attempts to activate a swap file in a
directory under where tmpdir is set in uservars.inc; if this is a
tmpfs filesystem, this will fail (it's kind of silly to create a
swap file on a tmpfs, a memory-backed filesystem). This patch adds a
check to the swap test script and skips the tests if it detects it's
on tmpfs and marks the test as a failure if the check fails.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-03-19 11:53:26 -07:00
Steve Beattie
61fb0e9cea Makefiles: add ${nl} for errors, apply when failing to find libapparmor
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-03-11 14:42:23 -07:00
Seth Arnold
c4ef115e3d Store the aa_change_hat magic token in an unsigned long in the test suite
The magic token used in the test suite is incorrectly stored
as an int rather than unsigned long leading to failure like this:

running changehat_misc
/tmp/testlibCTcwOe/source/trusty/apparmor-2.8.95~2411/tests/regression/apparmor/prologue.inc: line 176: 20184
Killed                  $testexec "$@" > $outfile 2>&1
Error: changehat_twice failed. Test 'CHANGEHAT (subprofile->subprofile)' was expected to 'pass'. Reason for
failure 'killed by signal 9'

Signed-off-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-03-04 10:50:47 -08:00
Seth Arnold
2a5587439f Merge two patches around uservars.* files
Delete uservars.out (Message-ID: <20140303235422.GD4112@nxnw.org>)
Add uservars.inc.{system,source} to support USE_SYSTEM variable

(John ack'd the USE_SYSTEM variable bit)

Signed-off-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-03-03 16:03:23 -08:00
Steve Beattie
09af9efd5c libapparmor: add APPARMOR_1.1 version for aa_query_label symbol
In the course of developing apparmor dbus mediation, the aa_query_label
symbol was added to libapparmor on trunk, and given the symbol version
(via libapparmor.map) of APPARMOR_3.0. As apparmor upstream, we have
not made a release where this would have been exported.

Unfortunately, in Ubuntu, a version was released in 13.10 that included
the aa_query_label() symbol with a version of APPARMOR_1.1. This
can cause a breakage on that platform with the incorporation of the
impending apparmor 2.9 release.

This patch provides both versions (APPARMOR_1.1 and APPARMOR_2.9)
of the aa_query_label() symbol. It requires the function name in
kernel_interface.c to be renamed (similar to how the deprecated
change_hat() symbol is named in the source as __change_hat()),
otherwise linking fails with duplicated symbols. The default symbol
used will still be the APPARMOR_2.9 version, but binaries linked with
the APPARMOR_1.1 version would still continue to work unchanged.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-03-01 15:46:42 -08:00
Steve Beattie
f65368068f regression tests: minor dbus compilation cleanups
This patch replaces explicitly named output targets with the make
variable $@ as well as an instance where dbus_common.h was being added
to the compile command line due to the use of $^ rather than $<.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-24 11:03:22 -08:00
Tyler Hicks
58f96365d9 tests: Default to in-tree parser for regression tests
Change uservars.inc subdomain variable to use the in-tree parser by
default.

Also, clean up some commented out subdomain values that don't look to be
in use any longer and add one commented out value pointing to the system
parser.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2014-01-12 22:39:07 -06:00
Tyler Hicks
b9b1f7efe7 tests: Update README to reflect bash requirement
The regression test README examples use sh when showing how to run
individual tests but bash is needed, instead.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2014-01-12 22:37:39 -06:00
Steve Beattie
c6f1034177 Convert make errors finding libapparmor to only occur when building
By raising an error for being unable to find libapparmor any time
a make command is run, we break things like make clean and other
targets that don't strictly depend on libapparmor existing (note that
Tyler's implementation for the parser did not do this). This patch
fixes this for the regression tests, mod_apparmor and pam_apparmor
by making a separate libapparmor_check target that looks to see if
an error message should be generated.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-01-09 12:11:19 -08:00
Steve Beattie
c478f8f0e1 regression tests: build against in-tree libapparmor by default [v3]
This patch converts the regression tests to build against the in-tree
libapparmor, giving an error if libapparmor has not already been built.
It also maintains support for building against the system libapparmor
via passing

  USE_SYSTEM=1

on the make command line. An error is also given if the system
libapparmor cannot be found, indicating that development packages need
to be installed. The check to look for libapparmor is also updated
to make use of libapparmor pkg-config data if available.

Patch history:
  v1: initial submission
  v2: convert from including the apparmor.h on the command line to
      specifying an in-tree libapparmor header include path, now
      that their location has been adjusted to make it safe to do
      so. Remove work around related to defining _GNU_SOURCE.
  v3: fix LDLIBS to use output of pkg-config et al tests instead of
      hardcoding -lapparmor in the USE_SYSTEM case.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2014-01-06 14:58:15 -08:00
Tyler Hicks
b83810af84 tests: Add regression tests for dbus eavesdrop rules
Simple regression test that calls AddMatch using a match string that
sets up eavesdropping on all method call messages.

The shell script file runs the test unconfined and under a variety of
confinement profiles to make sure that eavesdropping confinement is
working as intended.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-12-06 11:19:33 -08:00
Steve Beattie
7e71162ed5 regression tests: fix introspect.c compiler warnings
This patch annotates that a couple of values emitted on failure are
of type size_t, eliminating a couple of compiler warnings.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
2013-12-03 14:18:00 -08:00
Tyler Hicks
71b441020e tests: Remove remainder of libimmunix and 2.[24] kernel support
The previous patch for removing libimmunix support from the regression
tests wasn't complete. Also, the 2.2 and 2.4 kernel support code is
closely related and can be removed considering how old those kernels
are.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2013-11-04 12:25:53 -08:00
Tyler Hicks
218e727163 tests: Drop support for linking against libimmunix
Only attempt to link against libapparmor since libimmunix has been
deprecated for 5+ years.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2013-11-04 08:53:47 -08:00
Tyler Hicks
98d57db313 tests: Use ldconfig for library detection in Makefile
The multiarch filesystem layout for Ubuntu uses directories such as
/usr/lib/{i386-linux-gnu,x86_64-linux-gnu,arm-linux-gnueabihf} so
peeking into /usr/{lib,lib64} is no longer sufficient.

This patch uses ldconfig to print out the libraries that it knows about
and grep that output for libapparmor.so or libimmunix.so.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2013-11-04 08:53:17 -08:00
Tyler Hicks
7adcc25aa4 tests: Verify mediation of path-based UNIX domain sockets
The purpose is to provide test coverage for accessing UNIX domain socket
files. AppArmor write permissions are needed to create the socket files
and both read and write permissions are needed to connect to the socket.

This patch adds a test to the UNIX file descriptor passing tests and
creates an entirely new set of tests for sending and receiving messages
using path-based SOCK_STREAM, SOCK_DGRAM, and SOCK_SEQPACKET UNIX domain
sockets.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
2013-10-29 10:35:51 -07:00
Tyler Hicks
5b908d7502 tests: Add aa_query_label() regression tests
This is a regression test to load a profile, query it from userspace
using aa_query_label(), and then verify the results.

The query interface is tested by the dbus mediation regression tests,
but this test helps in finding bugs specific to AppArmor, which may
possibly be caused by the parser, kernel, and/or libapparmor.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2013-09-27 17:33:09 -07:00
Steve Beattie
17f0565afc add optional allow prefix to the language
From: John Johansen <john.johansen@canonical.com>

Let allow be used as a prefix in place of deny.  Allow is the default
and is implicit so it is not needed, but some users keep tripping over
it, and it makes the language more symmetric.

   eg.
      /foo rw,
      allow /foo rw,
      deny /foo rw,

Patch history:
  v1: - initial revision

  v2: - rename yacc target rule from opt_deny to opt_perm_mode to reflect
        that it can be either an allow or deny modifier
      - break apart tests into more digestible chunks and to clarify
        their purpose
      - fix some tests to exercise 'audit allow'
      - add negative tests for 'allow' and 'deny' in the same rule
      - add support for 'allow' keyword to apparmor.vim
      - fix a bug in apparmor.vim to let it recognize multiple
        capability entries in a single line.

  v3: - add support for optional keywords on capability rules in
        regression tests, as well as the bare capability keyword (via
        'cap:ALL')
      - add allow, deny, and conflicting capability behavioral
        regression tests
      - fix vim syntax modeline to refer to apparmor in parser tests
      - adjust FILE regex in vim syntax file creator script

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-09-20 06:48:56 -07:00
Steve Beattie
05029cb9b7 parser - add support for variable expansion in dbus rules
Bug: https://bugs.launchpad.net/bugs/1218099

This patch adds support for expanding variables with dbus rules.
Specifically, they can be expanded within the bus, name, path, member,
interface, and peer label fields.

Parser test cases and regression test cases are added as well.

Patch history:
  v1: initial version of patch
  v2: add equality.sh tests to verify that the results of using
      variable expansion is the same as what should be equivalent rules

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-08-29 12:34:13 -07:00
Tyler Hicks
f2dfd613f8 tests: Add regression tests for dbus
Integrate dbus tests into the regression testing framework.

This started out as dbus-send.c, from the dbus source, and then grew
from there.

dbus_message is an example "client" program that only sends out
messages. dbus_service binds to a well-known name and then listens and
responds to incoming messages. They share some code in dbus_common.c.

The test scripts, dbus_message.sh and dbus_service.sh, share some
functionality in dbus.inc.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-08-20 12:14:03 -07:00
Tyler Hicks
5bddcaa84d tests: Verify delegation of fd inheritance
Add a new set of tests that tests delegation of file descriptors when
inherited across combinations of confined and unconfined processes.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-08-08 22:47:25 -07:00
Tyler Hicks
de69b2242c tests: Verify delegation of fd passing
This patch broadens the testing of file descriptor passing over Unix
domain sockets, but the real focus is on passing a file descriptor from
an unconfined server to a confined client. The confined client should
have full access to the file descriptor, despite not having a
corresponding file rule in its profile, due to delegation.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-08-08 22:45:49 -07:00
John Johansen
d680eb7b6d This quick little patch adds the ability to specify the features
required for a test to run. This will help keep the regression suite
from reporting a lot of failures when it hits a kernel that doesn't
support the feature being tested.

Its current iteration is pretty brain dead, only testing for the
existence of feature files/dirs (and not contents) but I think it is
probably sufficient for now.

To use it, just call the required_features fn right after sourcing
prologue.inc in the bash test script that is called by the make file.

If any of the requested features don't exist, the bash script will exit
reporting the first feature that was missing.

Eg.

. $bin/prologue.inc
required_features dbus
required_features dbus dbus/mask network domain/change_hatv

Acked-by: Tyler Hicks <tyhicks@canonical.com>
2013-08-02 16:22:12 -07:00
Tyler Hicks
2fbea1ceea tests: Add an optional final check to checktestfg and checktestbg
Allows for the test script to specify a final check to be performed
after checking the output of the test binary. This may be useful, for
example, if the test script wants to compare logging output of the test
binary to known-good logging output.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2013-08-02 16:19:54 -07:00
Steve Beattie
6a8e98d4b7 Add a small sleep call to the onexec test to give the forked process a
chance to run before verifying its current and future confinement
state. In testing the combined sleeps added roughly a second to
onexec.sh's total time on relatively reasonable hardware.

Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com> (via IRC)
2012-11-30 21:25:23 -08:00
John Johansen
0e88c3ac70 apparmor: Fix clone test on quantal arm omap-4
It turns out that PAGE_SIZE isn't defined on all architectures.

This fixes a regression test failure happening on Ubuntu quantal
on the arm ti-omap4 architecture.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2012-10-20 01:22:29 -07:00
John Johansen
3a9cb05d58 The apparmor coredump regression test was broken.
- It failed to remove coredump files named "core"
- It failed to properly detect "core.<pid>" files
- And it would fail if the coredump_pattern had been modified to
  a different location.

This led one of the tests to report it was passing when it
wasn't because it was detecting the previous test's core file.
- Fix the test to set the coredump_pattern, to dump into the
  tmpdir used for the test.
- Make it so it will only detect the core file for the pid of
  the last test run.
- And extend the test to have a couple of extra test cases.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
2012-10-01 11:05:24 -07:00
Steve Beattie
a078c1feb5 With the fixing of the change_profile rules to automatically allow
access to /proc/*/attr/{current,exec}, the onexec testcase that
attempted to do things without explicit access granted to
/proc/*/attr/exec in the testsuite passes instead of fails. This commit
takes that into account.
2012-04-11 23:17:52 -07:00
John Johansen
562eb63964 expand automated profile generation to allow profile generation from stdin
This extends the auto-profile generation so that it can take profiles formatted
in standard profile language augmented by a few special variables for
the automatically generated rules.  This will allow the regression
tests to be extended in ways that are not currently supported, because mkprofile format
does not match that of the profile language.

the special apparmorish variables are
@{gen_elf name} - generate rules for elf binaries
@{gen_bin name} - generate rules for a binary
@{gen_def} - generate default rules
@{gen name} - do @{gen_def} @{gen_bin name}

To generate a profile you do

genprofile --stdin <<EOF
/profile/name {
@{gen /profile/name}
}
EOF

eg. to generate the equivalent of
  genprofile
you would do
  genprofile --stdin <<EOF
  $test {
  @{gen $test}
  }
EOF

and the equiv of
  genprofile $file:rw
would be
  genprofile --stdin <<EOF
  $test {
  @{gen $test}
  $file rw,
  }
EOF


While it takes a little more to generate a base profile than the old syntax, it
uses the actual profile language (augmented with the special variables), it is a
lot more flexible, and a lot easier to expand when new rule types are added.

eg. of something not possible with the current auto generation
    Generate a profile with a child profile and hat and a trailing profile

genprofile --stdin <<EOF
$test {
@{gen $test}

  profile $bin/open {
@{gen $bin/open}
  }

  ^hatfoo {
     $file rw,
  }
}
profile $bin/exec {
@{gen $bin/exec}
}
EOF

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2012-04-11 15:55:54 -07:00
John Johansen
c1722cdfdb Fix permission mapping for change_profile onexec
Bug #963756

The kernel has an extended test for change_profile when used with
onexec, that allows it to only work against set executables.

The parser is not correctly mapping change_profile for this test;
update the mapping so change_onexec will work when confined.

Note: the parser does not currently support the extended syntax
that the kernel test allows for, this just enables it to work
for the generic case.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-03-26 06:11:16 -07:00
John Johansen
5c09f44f8b Fix the changehat_wrapper regression test
The capabilities tests were failing in the changehat_wrapper test.  This was because
they could not the changehat_wrapper sub executable, which trying to exec a binary
in the tmpdir.

Specifically if the test was for syscall_ptrace.  It would generate a profile with
a hat for ^syscall_ptrace and attempt to execute ./syscall_ptrace.  However this
was failing in some situations, including when trying to debug from the tmpdir,
as the syscall_XXX binary is no longer local.

Instead use the fully qualified path for the hat name, and the exec path.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-03-26 06:10:18 -07:00
John Johansen
40588d182a Modify regression test infrastructure to stop on failure when retaining tmpdir
The retaining of the tmpdir is used during debugging of test failures, but currently
when a test fails, the next test is run overwriting the previous tmpdir value. This
is a problem even when manually running individual test shell scripts if the failure
is not the last test in the script.

Instead cause testing to abort when retaintmpdir is true, which will cover the debugging
needs for the majority of failure cases.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-03-26 06:09:04 -07:00
John Johansen
86527a2f4c Fix the return size of aa_getprocattr
aa_getprocattr is returning the size of the buffer not the size of the
data read that it is supposed to return.  Also update the man page to
reflect the return value as documented in the functions, and update
the test cases to check the return value.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Steve Beattie <sbeattie@ubuntu.com>
2012-03-22 07:58:18 -07:00
Steve Beattie
69dc13efdf This patch adds testcases that confirm that using a bare
file,

rule will allow access to both the '/' directory and other directories.
2012-03-15 16:46:50 -07:00
John Johansen
b0b2bde160 Fix permissions attached to the bare file keyword
file,

was not given the correct permissions.  It was only being given the owner
set of permissions.  This would result in rejects when trying to look at
files owned by other users.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
2012-03-09 04:23:25 -08:00