This test uses unix_fd_server to open a file and pass
its file descriptor to the attach_disconnected tests, which
then mounts, pivots root and then tries to open the file.
Since the server execs the client, this commit also inverts the order
of the parameters to allow the server to forward the client's args
along with the unix_socket path.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/810
Acked-by: John Johansen <john.johansen@canonical.com>
The code from unix_fd_client can be used by other clients which
will receive the fd of a file using SCM rights.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/810
Acked-by: John Johansen <john.johansen@canonical.com>
The file query test on query_label.sh fails on kernels
before 4.4 because of the lack of support. Since there
is no feature file to examine for this feature, we
needed to check for the kernel version. Refer to [qa-regression-testing](https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py#n1653).
As discussed on !767, we might need a more complicated test than
only checking for the kernel version, since this feature might
be available in out-of-tree Ubuntu kernels such as saucy (3.13).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/769
Acked-by: John Johansen <john@jjmx.net>
When using the system parser ${parser_config} will be empty and so if this
is quoted when passed as argument to the parser then this gets in
interpreted as the name of a file to be compiled and hence the parser just
prints:
File not found, skipping...
File not found, skipping...
File not found, skipping...
...
for all the aa_policy_cache tests - instead fix this by just not quoting
this argument as suggested by cboltz.
This fixes the regression tests to run to completion without error when
USE_SYSTEM=1 is set.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/788
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
When using the system parser ${parser_config} will be empty and so if this
is unconditionally passed as an argument to the parser then this gets in
interpreted as the name of a file to be compiled and hence the parser just
prints:
File not found, skipping...
File not found, skipping...
File not found, skipping...
...
for all the aa_policy_cache tests - instead fix this to pass a single args
argument to the parser which will only include parser_config if it is not
empty.
This fixes the regression tests to run to completion without error when
USE_SYSTEM=1 is set.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
mount -o loop fails when the loopback module is not loaded with
permission denied. Add a check if /dev/loop0 exists. If not, load
the loop module.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/781
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The file query test on query_label.sh fails on kernels
before 4.4 because of the lack of support. Since there
is no feature file to examine for this feature, we
need to check for the kernel version.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The regression tests are failing on some older kernels due to
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 being cherry-picked
back to them without the corresponding apparmor patch
34c426acb75cc21bdf84685e106db0c1a3565057.
This means we can not rely on a simple features/flag check to determine
how the kernel is behaving with regard to mmap. Since this test is
not concerned with testing mmap, instead of adding a more complex
conditional simplify by always adding the m permission.
Fixes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1830984
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Georgia Garcia <georgia.garcia@canonical.com>
The following errors are happening on the regression tests
of i18n.sh on arm64 hirsute/impish:
Error: open failed. Test 'i18n (194) OPEN (octal) "/tmp/sdtest.3654-6536-J2ZwFM/file__post" RW' was expected to 'pass'. Reason for failure 'FAIL: open /tmp/sdtest.3654-6536-J2ZwFM/file__post failed - Permission denied'
...
The cause is a bash bug handling UTF-8 on subshells.
Fixes: https://bugs.launchpad.net/apparmor/+bug/1932331
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/765
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Fix spelling errors in code strings. Some strings are translatable.
This fixes are potentially user visible.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
With the exception of the documentation fixes, these should all be
invisible to users.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/687
The aa_policy_cache test is using the system parser.conf file even
when the tests are set to use source. This can lead to failures
if the system parser.conf contain options not understood by
the source parser.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/653
Signed-off-by: John Johansen <john.johansen@canonical.com>
When using the in tree parser we should not be using the system
parser.conf file, as if the system apparmor is newer than the
tree being tested the parser.conf file could contain options not
understood by the in tree apparmor_parser.
Use --config-file to specify the default in tree parser.conf
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/653
Signed-off-by: John Johansen <john.johansen@canonical.com>
Older versions of Make will choke on the # character in the $(shell
expression, treating it as the beginning of a comment. Resulting in
the following error
make unterminated call to function 'shell': missing ')'. Stop.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/639
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve.beattie@canonical.com>
af_unix allows for sockets to be bound to a name that is autogenerated.
Currently this type of binding is only supported by a very generic
rule.
unix (bind) type=dgram,
but this allows both sockets with specified names and anonymous
sockets. Extend unix rule syntax to support specifying just an
auto bind socket by specifying addr=auto
eg.
unix (bind) addr=auto,
It is important to note that addr=auto only works for the bind
permission as once the socket is bound to an autogenerated address,
the addr with have a valid unique value that can be matched against
with a regular
addr=@name
expression
Fixes: https://bugs.launchpad.net/apparmor/+bug/1867216
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/521
Signed-off-by: John Johansen <john.johansen@canonical.com>
prologue.inc:settest() in same cases invokes a sed command that uses
'~' as a pattern separator, on things that can contain filesystem
paths. However, in the debian/ubuntu world, '~' can be used in version
strings, particularly for pre-release versions, and when this happens
and the version is embedded in the path, the sed command breaks
because of the extraneous separator. Fix this by using '#' as a
separator, which has the benefit of being considered a comment if
accidentally interpreted by a shell.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/599
DBus services link against libgcrypt, and thus when libgcrypt has had
patches applied to make it FIP 140-2 compliant, the dbus based tests
confined by apparmor need access to the associated library integrity validation
file. Fix this by causing mkprofile to grant read access in all
generated profiles by default.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Bug: https://bugs.launchpad.net/bugs/1891664
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/595
Following up on !549, this patchset unifies most of the compiler warnings settings to use EXTRA_WARNINGS as newly defined in `common/Make.rules` and then adds the `-Wimplicit-fallthrough` compiler warning to the default set.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/551
Acked-by: John Johansen <john.johansen@canonical.com>
Add basic support for policy to specify a feature abi. Under the
current implementation the first feature abi specified will be
used as the policy abi for the entire profile.
If no feature abi is defined before rules are processed then the
default policy abi will be used.
If multiple feature abi rules are encountered and the specified
abi is different then a warning will be issued, and the initial abi
will continue to be used. The ability to support multiple policy
feature abis during a compile will be added in a future patch.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Define EXTRA_WARNINGS in the common/Make.rules helper so that adding
additional warnings can be done in one(-ish) location, and replace
locally defined C compiler warning flags with EXTRA_WARNINGS in most
locations in the build tree.
v2: issue a warning for any compiler option that the compiler does not
support
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Because of the need to be stacking LSM aware, aa_getpeercon() calls
aa_enable to ensure that apparmor is enabled. Without the permission,
aa_getpeercon() fails, causing test failures.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
While xattr attachments exist without outofband transitions, they are
broken when values contain the null character. The addition of
outofband transitions fixes this problem.
While we could make the test requirement for outofband transitions
specific to a few tests, since the parser currently requires outofband
transitions to generate xattr attachment conditionals, for a first
pass just make the whole test suite require them.
Revisit this when/if the parser will allow xattr attachments without
outofband transitions.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
Update the xattr_profile.sh tests so that
- each test can be uniquely identified
- the embedded nul tests are updated to the now supported/passing state
Signed-off-by: John Johansen <john.johansen@canonical.com>
Support profiles that choose to match the presence of an extended
attribute without validating its value. This lets AppArmor target xattrs
with binary data, such as security.ima and security.evm values. For
example, it's now possible to write a profile such as:
profile signed_binaries /** xattrs=(security.ima) {
# ...
}
Both presence and value matches can be used in the same profile. To
match a signed xattr, target both the xattr and the security.ima value:
profile python_script /** xattrs=(
security.evm
security.apparmor="python"
) {
# ...
}
Updated to work using out of band matching instead of separate data
array.
Signed-off-by: Eric Chiang <ericchiang@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
The unconfined exception needs to be applied even when a stack is
being used. When a stack is in use it prevents the unconfined
test from being used and instead it must be done as part of the
subset test.
Signed-off-by: John Johansen <john.johansen@canonical.com>
tests: Allow aa_policy_cache.c to build against old libapparmors
See merge request apparmor/apparmor!407
Acked-by: John Johansen <john.johansen@canonical.com>
Improve readability by being explicit about the value to use when the
conditional evaluates to true.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: John Johansen <john.johansen@canonical.com>
Commit ad81ea0e67 ("tests: Add option to dump policy cache dir with
the libapparmor wrapper") modified aa_policy_cache.c to call
aa_policy_cache_dir_path_preview(). That added a hard dependency on
libapparmor >= 2.13, which is the first version to add
policy_cache_dir_path_preview() to libapparmor. The dependency makes it
impossible to build and run the upstream regression tests against an
installed libapparmor older than 2.13 due to aa_policy_cache.c failing
to build.
Add a compatible aa_policy_cache_dir_path_preview() when building
aa_policy_cache.c against a libapparmor older than 2.13 and newer than
or equal to 2.10.
Fixes: ad81ea0e67 ("tests: Add option to dump policy cache dir with the libapparmor wrapper")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Test the profile transition limits imposed by NO_NEW_PRIVS to ensure
that behavior doesn't unexpectedly change.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
The mult_mount test creates a small disk image, formats it, and mounts
it in multiple locations in preparation for the tests. However, the
created raw file (80KB) is too small to make a working file system if
4K blocks are used by mkfs. In Ubuntu 19.10, the default was recently
changed for mkfs to default to always using 4K blocks, causing the
script to fail.
We could force mkfs to use 1K blocks, but instead, in case some future
version of mkfs decides not to support 1K blocks at all, we bump up the
size of the disk image to 512KB; large enough to work with 4K blocks
yet small enough to be workable in small scale test environments.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1834192
MR: https://gitlab.com/apparmor/apparmor/merge_requests/396
Add a target to install build dependencies for the apparmor regression
tests. Currently supports Ubuntu and Debian distros.
Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
looping through the first 16 loop devices to find a free device will
fail if those mount devices are taken, and unfortunately there are
now services that use an excessive amount of loop devices causing
the regression test to fail.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Adjust aa_policy_cache.sh to handle the additional layer in the
directory hierarchy when determining where the policy cache binaries are
stored. This is needed due to the multicache changes that allow multiple
policy caches to exist on a single system.
Differentiate between the cache location (the top level directory
containing all caches) and the cache directory (the directory used to
store the cached policies).
Use the libapparmor wrapper to get the cache directory for the given
cache location and the features of the currently running kernel.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Print the policy cache directory path for the features of the currently
running kernel to stdout so that the aa_policy_cache.sh regression test
script can make use of it when writing out binary policy files.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
In a usr-merge ubuntu/debian environment /bin is a symlink to
/usr/bin, which causes invalid apparmor policy to be generated for
/bin/true. Instead, copy /bin/true to the per test temporary directory
and execute it from there.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
When running the swap regression tests, the swapon command would issue
a warning about insecure permissions on the swapfile being used as
part of the test:
mkswap: /tmp/sdtest.9698-822-2BL034/swapfile: insecure permissions 0644, 0600 suggested.
Fix this by setting the permissions after the swapfile is created.
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/108
The mount regression test passes MS_MANDLOCK to the mount(2) syscall in
the test program. When the kernel is configured without
CONFIG_MANDATORY_FILE_LOCKING set, attempting to mount a filesystem with
this option always fails with EPERM. To fix, convert the test program to
use the MS_NODEV option instead.
Bug: https://bugs.launchpad.net/apparmor/+bug/1765025
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
PR: https://gitlab.com/apparmor/apparmor/merge_requests/109
The environ.sh test fails with the following fatal error:
Fatal Error (environ): Unable to run test sub-executable
The reason is due to the tests which use the env_check.sh helper see
unexpected output in the helper's output:
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (C.UTF-8)
I see a number of locale related denials:
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/locale-archive" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/etc/locale.alias" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_IDENTIFICATION" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_CTYPE" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_COLLATE" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_MESSAGES/" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_NUMERIC" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/aa/tests/regression/apparmor/env_check.sh" name="/usr/lib/locale/C.UTF-8/LC_TIME" pid=738 comm="env_check.sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Allowing everything under /usr/lib/locale/ to be read by the helper
results in the environ.sh test passing.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Some of the regression tests are missing conditionals or have the
wrong conditionals so that they fail on current upstream kernels.
Fix this by adding and changing conditionals and requires where
appropriate. With the patches the tests report passing on 4.14 and
4.15 kernels.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Time out
