
This commit adds a test that checks to see if exec unconfined --> confined requires any access to the binary being run confined. Current behavior is that it does not.
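#! /bin/bash
# $Id$

# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# License.

#=NAME exec
#=DESCRIPTION Runs exec() through ux, ix & px functionality

# Regression test for AppArmor exec mediation. Each case loads a profile with
# genprofile and then runs the test binary against $file with runchecktest,
# which takes a description, the expected result (pass/fail) and the target.
# genprofile and runchecktest are provided by prologue.inc.
#
# Permission letters used below:
#   r  - read
#   ix - execute, child inherits the current profile
#   ux - execute, child runs unconfined
#   px - execute, child transitions to its own profile
#   m  - mmap with PROT_EXEC

# Resolve the directory holding this script to an absolute path. The test
# suite normally runs as root and sources prologue.inc from this directory,
# so a failed cd must abort instead of silently falling back to the caller's
# working directory (which would source whatever prologue.inc is found there).
pwd=$(dirname "$0")
pwd=$(cd "$pwd" && /bin/pwd) || {
	echo "$0: cannot resolve script directory" >&2
	exit 1
}

# NOTE(review): prologue.inc is presumably the consumer of $pwd and $bin;
# both names are kept unchanged for that reason.
bin=$pwd

. "$bin/prologue.inc"

file=/bin/true
ok_ix_perm=rix
badperm=r
ok_ux_perm=ux
ok_px_perm=px
bad_mx_perm=rm

# PASS TEST - inherited
# ix: the exec is allowed and the child stays under the caller's profile.

genprofile "$file:$ok_ix_perm"

runchecktest "EXEC with ix" pass "$file"

# PASS TEST - unconstrained
# ux: the exec is allowed and the child leaves confinement entirely.

genprofile "$file:$ok_ux_perm"

runchecktest "EXEC with ux" pass "$file"

# PASS TEST - profiled
# px with a profile defined for the target. The "--" appears to start a second
# profile specification, here one attached to $file itself (confirm against
# genprofile in prologue.inc).

genprofile "$file:$ok_px_perm" -- "image=$file"

runchecktest "EXEC with px" pass "$file"

# FAIL TEST - px/no profile
# px with no profile loaded for the target must be refused: the transition
# fails closed rather than running the child under some other profile.

genprofile "$file:$ok_px_perm"

runchecktest "EXEC with px - no profile" fail "$file"

# FAIL TEST - no exec permission
# (originally labelled "NOLINK PERMTEST")
# Read access alone must not be enough to exec the file.

genprofile "$file:$badperm"

runchecktest "EXEC no x" fail "$file"

# MMAP exec
# r + m lets the file be mapped executable but carries no exec transition
# mode, so exec() of the file must still be denied.

genprofile "$file:$bad_mx_perm"

runchecktest "EXEC mmap x" fail "$file"

# UNCONFINED -> CONFINED
# The only profile loaded is attached to $file, so the test binary is expected
# to run unconfined and exec into a confined child.

genprofile "image=$file"
runchecktest "EXEC unconfined -> confined" pass "$file"

# UNCONFINED -> CONFINED no access to self binary
# The profile for $file lists only the dynamic loader and shared libraries and
# has no rule for $file itself. The expected result is "pass": an unconfined
# parent can exec into the profile even though the profile grants no access to
# its own binary. A profile therefore cannot rely on omitting its own path to
# stop an unconfined process from launching it.
# NOTE(review): -N presumably suppresses genprofile's default rules so that
# only the rules listed here are loaded - confirm in prologue.inc.
# NOTE(review): the rules hard-code /lib, and a single "*" does not match "/"
# in AppArmor globs. On systems where the loader or libc live under /lib64 or
# a multiarch subdirectory this case may fail for reasons unrelated to the
# behaviour under test - confirm on the target distributions.

genprofile -N "image=$file" "/lib/ld*.so*:rix" "/lib/lib*.so*:rm"
runchecktest "EXEC unconfined -> confined/no access to self" pass "$file"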