MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
made it so rules like
mount slave /snap/bin/** -> /**,
mount /snap/bin/** -> /**,
would get passed into change_mount_type rule generation when they
shouldn't have been. This would result in two different errors.
1. If kernel mount flags were present on the rule. The error would
be caught causing an error to be returned, causing profile compilation
to fail.
2. If the rule did not contain explicit flags then rule would generate
change_mount_type permissions based on souly the mount point. And
the implied set of flags. However this is incorrect as it should
not generate change_mount permissions for this type of rule. Not
only does it ignore the source/device type condition but it
generates permissions that were never intended.
When used in combination with a deny prefix this overly broad
rule can result in almost all mount rules being denied, as the
denial takes priority over the allow mount rules.
Fixes: https://bugs.launchpad.net/apparmor/+bug/2023814
Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1211989
Fixes: 9d3f8c6cc ("parser: fix parsing of source as mount point for propagation type flags")
Fixes: MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1048
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1054
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit 86d193e183)
Signed-off-by: John Johansen <john.johansen@canonical.com>
Before 300889c3a, mount rules would compile policy when using source
as mount point for rules that contain propagation type flags, such as
unbindable, runbindable, private, rprivate, slave, rslave, shared, and
rshared. Even though it compiled, the rule generated would not work as
expected.
This commit fixes both issues. It allows the usage of source as mount
point for the specified flags, albeit with a deprecation warning, and
it correctly generates the mount rule.
The policy fails to load when both source and mount point are
specified, keeping the original behavior (reference
parser/tst/simple_tests/mount/bad_opt_10.sd for example).
Fixes: https://bugs.launchpad.net/bugs/1648245
Fixes: https://bugs.launchpad.net/bugs/2023025
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The mount options MS_LAZYTIME and MS_NOSYMFOLLOW were added in
kernels 4.0 and 5.10, respectively. Update the mount test script
and helper to skip testing those options if they are not available.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
The unix network tests are not being run on a v8 network capable kernel. Under v8 there needs to be some adjustments to the tests because unix rules get downgraded to the socket rule ```network unix,``` which does not have the same set of conditionals or fine grained permissions, meaning some tests that would fail under af_unix (like missing permission tests) will pass under v8 network rules.
Signed-off-by: John Johansen <john.johansen@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/893
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: John Johansen <john@jjmx.net>
When the replacement regex for multiple qualifiers matches, the
capture group variables ($1, $2, etc) are overwritten to match the
most recent regex. Since there are no capture groups in the 's/,/ /g'
regex, then $2 was empty, causing an error on policy generation.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
dbus 1.14.4 changed the behavior of unix:tmpdir to be equivalent to
unix:dir, which cases dbus-daemon to generate path based sockets,
instead of the previous abstract sockets. [1]
In this change we force dbus-daemon to generate an abstract socket by
specifying the abstract socket address in the command.
[1] https://gitlab.freedesktop.org/dbus/dbus/-/blob/dbus-1.14/NEWS#L64
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The mqueue tests were using the previous format which was specific for
capabilities. The qual= prefix should be used instead.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
dbus-broker requires some modification of the test suite. In summary:
* refactor to support starting and stopping both dbus and dbus-broker.
* Make it so we can run the tests on each, where appropriate
* skip unrequested reply and eavesdrop tests for dbus broker because they are not supported.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/965
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
DBus Broker was enabled for the dbus_message and dbus_service
regression tests.
The dbus_eavesdropping test does not run with dbus-broker because
eavesdropping was deprecated in favor or monitoring, so new tests for
the "BecomeMonitor" method need to be added.
The dbus_unrequested_reply test is also not supported by dbus-broker,
therefore the tests are skipped.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Commit 8cf3534a5 ("tests regression: fix failure on older versions of
Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.
Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.
Fixes: 8cf3534a5 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/963
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Approved-by: Christian Boltz <apparmor@cboltz.de>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The test "eavesdrop (confined w/o dbus perms)" was failing for the
wrong reason. While it should fail because it is missing dbus rules, it
was actually failing because it didn't have the required unix rule.
The error message was:
"FAIL: Failed to open connection to "session" message bus: Failed to open socket: Permission denied"
Corresponding audit log:
[28306.743863] audit: type=1400 audit(1671048091.505:297): apparmor="DENIED" operation="create" class="net" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" pid=6787 comm="dbus_eavesdrop" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
After the change, the error message is:
FAIL: Failed to open connection to "session" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
Corresponding audit log:
[28444.248268] audit: type=1107 audit(1671048229.009:300): pid=6826 uid=0 auid=1000 ses=5 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6854 label="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
The profile generated by dbus did not include this rule
which caused the following DENIED audit logs:
[26937.013475] audit: type=1400 audit(1671046721.776:246): apparmor="DENIED" operation="getattr" class="file" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_message" name="/tmp/sdtest.5720-14413-VQMPsH/output.dbus_message" pid=5866 comm="dbus_message" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Commit 8cf3534a5 ("tests regression: fix failure on older versions of
Make") from https://gitlab.com/apparmor/apparmor/-/merge_requests/639
was incorrectly applied, including the `+` prefixes from the proposed
patch. This causes the sysctl syscall() checks to not correctly be
applied and results in a mismatch of expectations in the
syscall_sysctl.sh test script, causing it and the testsuite to fail.
Thus, remove the bogon `+` characters from the Makefile, to make
USE_SYSCTL be set correctly.
Fixes: 8cf3534a5 ("tests regression: fix failure on older versions of Make")
Signed-off-by: Steve Beattie <steve.beattie@canonical.com>
getopt returns an int, not a char.
Error caused by this issue could only be observed on non-x86 systems.
Closes LP#2000359
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Setns is used to associate to an existing user namespace, so the
kernel security hook for user namespace creation is not called.
The restriction for setns is that it should have the capability
sys_admin.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
This allows regression tests to generate profiles that use rule qualifiers,
such as allow, deny, and audit. Qualifiers can be specified for a rule by
prepending 'qual=', followed by a comma-separated list of rule qualifiers,
then a ':', then the rule itself.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
The test kernel_features only checked if the feature file exists, but
there are cases when we need to check if the feature is part of the
file's content. For example, we might want to check if a mode is present
in the feature "mask" file.
This is already supported by libapparmor's aa_features_supports.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Print out a summary of the tests that passed and failed at the end of the
regression tests. Merge the tests and alltests make targets since they
only differ in which tests are run.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/942
Approved-by: Steve Beattie <gitlab@nxnw.org>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
Print out a summary of the tests that passed and failed at the end of the
regression tests. Merge the tests and alltests make targets since they
only differ in which tests are run.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
This update to the regression test framework allows a test script to
execute a test binary as a different user by passing '-u <username>'
to the settest function.
Signed-off-by: Jon Tourville <jon.tourville@canonical.com>
This adds a single e2e test to check that raw_data of a loaded
policy matches the generated policy (cached).
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/929
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This adds a single e2e test to check that raw_data of a loaded
policy matches the generated policy (cached).
Signed-off-by: Spyros Seimenis <spyros.seimenis@canonical.com>
libtool generates horrible shell code, you don't want to see the
shellcheck results for it ;-)
This is only relevant for local testing (not in CI) because these files
don't exist in git and therefore don't exist when the shellcheck CI job
runs.
- Assume /bin/sh has dash's features and ignore corresponding false positives
- Exclude parser/tst, tests and utils/test directories: they have tons
of shellcheck violations but they don't *directly* impact our users.
Let's first focus on code that runs on production systems.
- Exclude rc.apparmor.slackware: I don't know anything about Slackware's
/bin/sh.
The previous code happened to work only because we always pass either 0 or 1
arguments to these functions. If we ever passed them 2+ arguments,
unexpected things would happen.
For details, see https://www.shellcheck.net/wiki/SC2145
This test uses unix_fd_server to open a file and pass
its file descriptor to the attach_disconnected tests, which
then mounts, pivots root and then tries to open the file.
Since the server execs the client, this commit also inverts the order
of the parameters to allow the server to forward the client's args
along with the unix_socket path.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/810
Acked-by: John Johansen <john.johansen@canonical.com>
The code from unix_fd_client can be used by other clients which
will receive the fd of a file using SCM rights.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/810
Acked-by: John Johansen <john.johansen@canonical.com>
The file query test on query_label.sh fails on kernels
before 4.4 because of the lack of support. Since there
is no feature file to examine for this feature, we
needed to check for the kernel version. Refer to [qa-regression-testing](https://git.launchpad.net/qa-regression-testing/tree/scripts/test-apparmor.py#n1653).
As discussed on !767, we might need a more complicated test than
only checking for the kernel version, since this feature might
be available in out-of-tree Ubuntu kernels such as saucy (3.13).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/769
Acked-by: John Johansen <john@jjmx.net>
When using the system parser ${parser_config} will be empty and so if this
is quoted when passed as argument to the parser then this gets in
interpreted as the name of a file to be compiled and hence the parser just
prints:
File not found, skipping...
File not found, skipping...
File not found, skipping...
...
for all the aa_policy_cache tests - instead fix this by just not quoting
this argument as suggested by cboltz.
This fixes the regression tests to run to completion without error when
USE_SYSTEM=1 is set.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/788
Signed-off-by: Alex Murray <alex.murray@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
When using the system parser ${parser_config} will be empty and so if this
is unconditionally passed as an argument to the parser then this gets in
interpreted as the name of a file to be compiled and hence the parser just
prints:
File not found, skipping...
File not found, skipping...
File not found, skipping...
...
for all the aa_policy_cache tests - instead fix this to pass a single args
argument to the parser which will only include parser_config if it is not
empty.
This fixes the regression tests to run to completion without error when
USE_SYSTEM=1 is set.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
mount -o loop fails when the loopback module is not loaded with
permission denied. Add a check if /dev/loop0 exists. If not, load
the loop module.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/781
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Acked-by: Christian Boltz <apparmor@cboltz.de>
The file query test on query_label.sh fails on kernels
before 4.4 because of the lack of support. Since there
is no feature file to examine for this feature, we
need to check for the kernel version.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
