This patch annotates that a couple of values emitted on failure are
of type size_t, eliminating a couple of compiler warnings.
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
The previous patch for removing libimmunix support from the regression
tests wasn't complete. Also, the 2.2 and 2.4 kernel support code is
closely related and can be removed considering how old those kernels
are.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Only attempt to link against libapparmor since libimmunix has been
deprecated for 5+ years.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The multiarch filesystem layout for Ubuntu uses directories such as
/usr/lib/{i386-linux-gnu,x86_64-linux-gnu,arm-linux-gnueabihf} so
peeking into /usr/{lib,lib64} is no longer sufficient.
This patch uses ldconfig to print out the libraries that it knows about
and grep that output for libapparmor.so or libimmunix.so.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
The purpose is to provide test coverage for accessing UNIX domain socket
files. AppArmor write permissions are needed to create the socket files
and both read and write permissions are needed to connect to the socket.
This patch adds a test to the UNIX file descriptor passing tests and
creates an entirely new set of tests for sending and receiving messages
using path-based SOCK_STREAM, SOCK_DGRAM, and SOCK_SEQPACKET UNIX domain
sockets.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This is a regression test to load a profile, query it from userspace
using aa_query_label(), and then verify the results.
The query interface is tested by the dbus mediation regression tests,
but this test helps in finding bugs specific to AppArmor, which may
possibly be caused by the parser, kernel, and/or libapparmor.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
From: John Johansen <john.johansen@canonical.com>
let allow be used as a prefix in place of deny. Allow is the default
and is implicit so it is not needed but some user keep tripping over
it, and it makes the language more symmetric
eg.
/foo rw,
allow /foo rw,
deny /foo rw,
Patch history:
v1: - initial revision
v2: - rename yacc target rule from opt_deny to opt_perm_mode to
reflect
that it can be either an allow or deny modifier
- break apart tests into more digestible chunks and to clarify
their purpose
- fix some tests to exercise 'audit allow'
- add negative tests for 'allow' and 'deny' in the same rule
- add support for 'allow' keyword to apparmor.vim
- fix a bug in apparmor.vim to let it recognize multiple
capability entries in a single line.
v3: - add support for optional keywords on capability rules in
regression tests, as well as the bare capability keyword (via
'cap:ALL')
- add allow, deny, and conflicting capability behavioral
regression tests
- fix vim syntax modeline to refer to apparmor in parser tests
- adjust FILE regex in vim syntax file creator script
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1218099
This patch adds support for expanding variables with dbus rules.
Specifically, they can expanded within the bus, name, path, member,
interface, and peer label fields.
Parser test cases and regression test cases are added as well.
Patch history:
v1: initial version of patch
v2: add equality.sh tests to verify that the results of using
variable expansion is the same as what should be equivalent rules
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Integrate dbus tests into the regression testing framework.
This started out as dbus-send.c, from the dbus source, and then grew
from there.
dbus_message is an example "client" program that only sends out
messages. dbus_service binds to a well-known name and then listens and
responds to incoming messages. They share some code in dbus_common.c.
The test scripts, dbus_message.sh and dbus_service.sh, share some
functionality in dbus.inc.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Add a new set of tests that tests delegation of file descriptors when
inherited across combinations of confined and unconfined processes.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This patch broadens the testing of file descriptor passing over Unix
domain sockets, but the real focus is on passing a file descriptor from
an unconfined server to a confined client. The confined client should
have full access to the file descriptor, despite not having a
corresponding file rule in its profile, due to delegation.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
required for a test to run. This will help keep the regression suite
from reporting a lot of failures when it hits a kernel that doesn't
support the feature being tested.
its current iteration is pretty brain dead, only testing for the
existance of feature files/dirs (and not contents) but I think it is
probably sufficient for now.
To use it, just call the required_features fn right after sourcing
prologue.inc in the bash test script that is called by the make file.
If any of the requested features don't exist the bash script will exit
reporting the first feature that was missing
Eg.
. $bin/prologue.inc
required_features dbus
required_features dbus dbus/mask network domain/change_hatv
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Allows for the test script to specify a final check to be performed
after checking the output of the test binary. This may be useful, for
example, if the test script wants to compare logging output of the test
binary to known-good logging output.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
chance to run before verifying it's current and future confinement
state. In testing the combined sleeps added roughly a second to
onexec.sh's total time on relatively reasonable hardware.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-By: John Johansen <john.johansen@canonical.com> (via IRC)
It turns out that PAGE_SIZE isn't defined on all architectures.
This fixes a regression test failure happening on Ubuntu quantal
on the arm ti-omap4 architecture.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
- It failed to remove coredump files named "core"
- It failed to properly detect "core.<pid>" files
- And it would fail if the coredump_pattern had been modified to
a different location.
This lead one of the tests to report it was passing when it
wasn't because it was detecting the previous tests core file.
- Fix the test to set the coredump_pattern, to dump into the
tmpdir used for the test.
- Make it so it will only detect the core file for the pid of
the last test run.
- And extend the test to have a couple of extra test cases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Kees Cook <kees@ubuntu.com>
access to /proc/*/attr/{current,exec}, the onexec testcase that
attempted to do things without explicit access granted to
/proc/*/attr/exec in the testsuite passes instead of fails. This commit
takes that into account.
This extends the auto-profile generation so that it can take profiles formated
in standard profile language augemented by a few special variables for
the automatically generated rules. This will all extended the regression
tests in ways that are not currently supported, because mkprofile format
does not match of the profile language.
the special apparmorish variables are
@{gen_elf name} - generate rules for elf binaries
@{gen_bin name} - generate rules for a binary
@{gen_def} - generate default rules
@{gen name} - do @{gen_def} @{gen_bin name}
To generate a profile you do
genprofile --stdin <<EOF
/profile/name {
@{gen /profile/name}
}
EOF
eg. to generate the equivalent of
genprofile
you would do
genprofile --stdin <<EOF
$test {
@{gen $test}
}
EOF
and the equiv of
genprofile $file:rw
would be
genprofile --stdin <<EOF
$test {
@{gen $test}
$file rw,
}
while it takes a little more to generate a base profile than the old syntax, it
use the actual profile language (augmented with the special variables), it is a
lot more flexible, and a lot easier to expand when new rule types are added.
eg. of something not possible with the current auto generation
Generate a profile with a child profile and hat and a trailing profile
genprofile --stdin <<EOF
$test {
@{gen $test}
profile $bin/open {
@{gen $bin/open}
}
^hatfoo {
$file rw,
}
}
profile $bin/exec {
@{gen $bin/exec}
}
EOF
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
Bug #963756
The kernel has an extended test for change_profile when used with
onexec, that allows it to only work against set executables.
The parser is not correctly mapping change_profile for this test
update the mapping so change_onexec will work when confined.
Note: the parser does not currently support the extended syntax
that the kernel test allows for, this just enables it to work
for the generic case.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The capabilities tests where failing in the changehat_wrapper test. This was because
they could not the changehat_wrapper sub executable, which trying to exec a binary
in the tmpdir.
Specifically if the test was for syscall_ptrace. It would generate a profile with
a hat for ^syscall_ptrace and attempt to execute ./syscall_ptrace. However this
was failing in some situations, including when trying to debug from the tmpdir,
as the syscall_XXX binary is no longer local.
Instead use the fully qualified path for the hat name, and the exec path.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The retaining of the tmpdir is used during debugging of test failures, but currently
when a test fails, the next test is run overwritting the previous tmpdir value. This
is a problem even when manually running individual test shell scripts if the failure
is not the last test in the script.
Instead cause testing to about when retaintmpdir is true, which will cover the debugging
needs for the majority of failure cases.
Signed-off-by: John Johansen <john.johansen@canonical.com>
aa_getprocattr is returning the size of the buffer not the size of the
data read that it is supposed to return. Also update the man page to
reflect the return value as documented in the functions, and update
the test cases to check the return value.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Steve Beattie <sbeattie@ubuntu.com>
file,
was not given the correct permissions. It was only being given the owner
set of permissions. This would result in rejects when trying look at
files owned by other users
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
properly quote the _known variable (set when the tests are marked as
expected failures) when the expectation was that the testcase would
produce a corefile. This would result in a failed testcase reporting
XFAIL incorrectly.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
suffix of an image= flag, as it's no longer needed. It also eliminates
code that emitted the permissions based on the result of the parse.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen@canonical.com
add 'rix' permissions on executable images (but still auto-generate
ldd dependencies), for use when specifying alternate permissions
on executables.
Where appropriate, it also converts a few testcases to make use of
the option.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
generated profile and have the ldd auto-generation of rules occur on
it. It also kills all testcase usage of $dynlibs, which had stopped
being generated by prologue.inc in a prior patch.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
mkprofile.pl helper and take the convoluted code out of the bash
prologue.inc. It also detects if the binary is a script and performs
ldd analysis on the interpreter.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
their purpose a little more accurately; renames the dump_flags to
emit_flags for the same reason, and also adds a modicum a function
prototype information to the function declarations.
Signed-off-by: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
write access to /proc/*/attr/current to mkprofile.pl from prologue.inc.
Signed-Off-By: Steve Beattie <sbeattie@ubuntu.com>
Acked-by: John Johansen <john.johansen@canonical.com>
The behavior for revalidation/revocation of open files has changed
with the current kernel code, resulting in these tests being reported
as failing even though they are showing expected behavior.
Under the current kernel module this form of revalidation/revocation
can not be tested reliably, so just changing the expected result is
not enough, completely disable the tests for now.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-By: Steve Beattie <sbeattie@ubuntu.com>
stress tests on the parser, by dropping the maximum number of rules
each profile can have, as well as reducing the number of profiles to
generate by default to 50. It also cleans up the emitted profiles
a little, creates the profile names with the suffix .sd [1], fixes
stress.sh to actually honor the -p (alternate parser) argument, fixes
the profile flags generation to not generate duplicates flags, and
fixes the file rules to always start with a constant randomly-generated
prefix element (rather than a regex or variable) to greatly reduce
the possibility of X dominance collisions in the parser
toolchain has gotten stricter about linking order; in short, linked
libraries need to come after the objects referring to them. Adding to
LDLIBS is the correct solution for this.
See https://wiki.ubuntu.com/NattyNarwhal/ToolchainTransition for more
details.
loopback mounted filesystem to operate on, to guarantee that the mount
option user_xattr is enabled (it's disabled by default on Ubuntu).
With this change, a number of the user xattr testcases that were
expected to pass but weren't started working; however, some of the
ones that were failing as expected are now passing. I've touched up
the expectations as well.
the testsuite. It looks like coredump mediation may have been removed,
since it is rather a corner-case, so I have currently marked it as XFAIL.
In hooking it back up, the "prologue.inc" was reviewed, dead code dropped,
and the "image=" argument changed to correctly handle the imageperms
syntax used elsewhere. It was working in other tests out of coincidence.
