mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-07 01:41:00 +01:00
789c323bfe
- includes patches to handle access to change_hat /proc/<pid>/attr/current being a parser rule - the working updated ptrace patches - update for the change in sysctl behavior from cap_sys_admin to profile entries
104 lines
3.2 KiB
Diff
104 lines
3.2 KiB
Diff
Index: subdomain/capabilities.sh
|
|
===================================================================
|
|
--- subdomain.orig/capabilities.sh
|
|
+++ subdomain/capabilities.sh
|
|
@@ -66,7 +66,7 @@ net_raw_net_raw=TRUE
|
|
|
|
# we completely disable ptrace(), but it's not clear if we should allow it
|
|
# when the sys_ptrace cap is specified.
|
|
-# syscall_ptrace_sys_ptrace=TRUE
|
|
+syscall_ptrace_sys_ptrace=TRUE
|
|
|
|
# if a test case requires arguments, add them here.
|
|
syscall_reboot_args=off
|
|
@@ -75,9 +75,11 @@ syscall_setdomainname_args=dumb.example.
|
|
syscall_ioperm_args="0 0x3ff"
|
|
syscall_iopl_args=3
|
|
syscall_chroot_args=${tmpdir}
|
|
+syscall_ptrace_args=sub
|
|
|
|
# if a testcase requires extra subdomain rules, add them here
|
|
syscall_chroot_extra_entries="/:r ${tmpdir}:r"
|
|
+syscall_ptrace_extra_entries="hat:sub"
|
|
|
|
testwrapper=changehat_wrapper
|
|
|
|
Index: subdomain/syscall_ptrace.c
|
|
===================================================================
|
|
--- subdomain.orig/syscall_ptrace.c
|
|
+++ subdomain/syscall_ptrace.c
|
|
@@ -21,6 +21,8 @@
|
|
#include <limits.h>
|
|
#include <string.h>
|
|
|
|
+#include "changehat.h"
|
|
+
|
|
#define FALSE 0
|
|
#define TRUE !FALSE
|
|
|
|
@@ -29,7 +31,7 @@ int main(int argc, char *argv[])
|
|
pid_t pid;
|
|
int retval = 0;
|
|
|
|
- if (argc != 1){
|
|
+ if (argc != 2){
|
|
fprintf(stderr, "usage: %s\n", argv[0]);
|
|
return 1;
|
|
}
|
|
@@ -43,6 +45,14 @@ int main(int argc, char *argv[])
|
|
while (wait(&status) != pid);
|
|
retval = WEXITSTATUS(status);
|
|
}else{
|
|
+ /* change profile so that ptrace can fail */
|
|
+ if (change_hat(argv[1], SD_ID_MAGIC + 1) == -1 &&
|
|
+ errno != EPERM) {
|
|
+ /* confined process failed to change_hat */
|
|
+ fprintf(stderr, "FAIL: changehat %s failed - %s\n",
|
|
+ argv[1], strerror(errno));
|
|
+ return errno;
|
|
+ }
|
|
if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1){
|
|
fprintf(stderr, "FAIL: ptrace failed - %s\n",
|
|
strerror(errno));
|
|
Index: subdomain/syscall.sh
|
|
===================================================================
|
|
--- subdomain.orig/syscall.sh
|
|
+++ subdomain/syscall.sh
|
|
@@ -28,12 +28,12 @@ bin=$pwd
|
|
settest syscall_ptrace
|
|
|
|
# TEST A1
|
|
-runchecktest "PTRACE with no profile" pass
|
|
+runchecktest "PTRACE with no profile" pass sub
|
|
|
|
# TEST A2. ptrace will fail
|
|
genprofile
|
|
|
|
-runchecktest "PTRACE with confinement" fail
|
|
+runchecktest "PTRACE with confinement" fail sub
|
|
|
|
##
|
|
## B. MKNOD
|
|
Index: subdomain/ptrace.sh
|
|
===================================================================
|
|
--- subdomain.orig/ptrace.sh
|
|
+++ subdomain/ptrace.sh
|
|
@@ -28,10 +28,6 @@ bin=$pwd
|
|
# using ptrace. This stopped being required or functioning correctly
|
|
# somewhere between 2.4.18 and 2.4.20.
|
|
#
|
|
-# Tests 10 and 11
|
|
-# Requires a patch which prevents confined traced task from attempting exec.
|
|
-# Unsure of usefulness of this. We are concerned about confined task being
|
|
-# the tracer not the tracee
|
|
|
|
# Test Matrix:
|
|
# 1. unconfined parent, unconfined child, parent attaches PASS
|
|
@@ -76,5 +72,5 @@ runchecktest "test 9" pass -- /bin/bash
|
|
#genprofile image=$helper /bin/true:ux
|
|
#runchecktest "test 10" fail -h -n 100 $helper /bin/true
|
|
|
|
-#genprofile image=$helper /bin/true:rix
|
|
-#runchecktest "test 11" fail -h -n 1000 $helper /bin/true
|
|
+genprofile image=$helper /bin/true:rix
|
|
+runchecktest "test 11" pass -h -n 1000 $helper /bin/true
|