From 13af2c37f002a89eb19834619f453053e87fac33 Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Thu, 20 Mar 2014 11:23:10 -0700
Subject: [PATCH] regression sysctl: skip if sysctl not available

Some kernels have CONFIG_SYSCALL_SYSCTL disabled, which is something to be encouraged. This patch separates out the two different kind of sysctl tests (syscall based and /proc/sys based) into separate shell functions, and then checks to see that the test environment supports each before invoking each shell function, issuing a warning (but not failing the tests) if not available.

Signed-off-by: Steve Beattie
Acked-by: John Johansen
---
 tests/regression/apparmor/syscall_sysctl.sh | 247 +++++++++++---------
 1 file changed, 134 insertions(+), 113 deletions(-)

diff --git a/tests/regression/apparmor/syscall_sysctl.sh b/tests/regression/apparmor/syscall_sysctl.sh
index a78df5baf..d68318cbd 100644
--- a/tests/regression/apparmor/syscall_sysctl.sh
+++ b/tests/regression/apparmor/syscall_sysctl.sh
@@ -25,119 +25,140 @@ bin=$pwd
 ##
 ## C. SYSCTL
 ##
+
+test_syscall_sysctl()
+{
+ settest syscall_sysctl
+
+ runchecktest "SYSCTL (no confinement read only)" pass ro
+
+ runchecktest "SYSCTL (no confinement rw)" pass
+
+ genprofile $sysctlgood:r
+ runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
+
+ genprofile $sysctlgood:r
+ runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
+
+ genprofile $sysctlgood:w
+ runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
+
+ genprofile $sysctlgood:w
+ runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
+
+ genprofile $sysctlgood:rw
+ runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
+
+ genprofile $sysctlgood:rw
+ runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
+
+ genprofile $sysctlbad:r
+ runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
+
+ genprofile $sysctlbad:r
+ runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
+
+ genprofile $sysctlbad:w
+ runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
+
+ genprofile $sysctlbad:w
+ runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
+
+ genprofile $sysctlbad:rw
+ runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
+
+ genprofile $sysctlbad:rw
+ runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
+}
+
+test_sysctl_proc()
+{
+ settest sysctl_proc
+
+ #unconfined
+ runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
+ runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
+
+ #test with profile giving access to sysctlgood
+ genprofile $sysctlgood:r
+ runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
+
+ genprofile $sysctlgood:w
+ runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
+
+ genprofile $sysctlgood:rw
+ runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
+
+ genprofile $sysctlgood:r
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
+
+ genprofile $sysctlgood:w
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
+
+ genprofile $sysctlgood:rw
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
+
+ genprofile $sysctlgood:r
+ runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
+
+ genprofile $sysctlgood:w
+ runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
+
+ genprofile $sysctlgood:rw
+ runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
+
+ #test with profile giving access to sysctlbad but access to sysctlgood
+ genprofile $sysctlbad:r
+ runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
+
+ genprofile $sysctlbad:w
+ runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
+
+ genprofile $sysctlbad:rw
+ runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
+
+ genprofile $sysctlbad:r
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
+
+ genprofile $sysctlbad:w
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
+
+ genprofile $sysctlbad:rw
+ value=`cat $sysctlgood`
+ runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
+
+ genprofile $sysctlbad:r
+ runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
+
+ genprofile $sysctlbad:w
+ runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
+
+ genprofile $sysctlbad:rw
+ runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
+}
+
+
+# check if the kernel supports CONFIG_SYSCTL_SYSCALL
+# generally we want to encourage kernels to disable it, but if it's
+# enabled we want to test against it
 settest syscall_sysctl
-
-runchecktest "SYSCTL (no confinement read only)" pass ro
-
-runchecktest "SYSCTL (no confinement rw)" pass
-
-genprofile $sysctlgood:r
-runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
-
-genprofile $sysctlgood:r
-runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
-
-genprofile $sysctlgood:w
-runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
-
-genprofile $sysctlgood:w
-runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
-
-genprofile $sysctlgood:rw
-runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
-
-genprofile $sysctlgood:rw
-runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
-
-genprofile $sysctlbad:r
-runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
-
-genprofile $sysctlbad:r
-runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
-
-genprofile $sysctlbad:w
-runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
-
-genprofile $sysctlbad:w
-runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
-
-genprofile $sysctlbad:rw
-runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
-
-genprofile $sysctlbad:rw
-runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
+res=$(${test} ro)
+if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
+ echo " WARNING: syscall sysctl not implemented, skipping tests ..."
+else
+ test_syscall_sysctl
+fi
 # now test /proc/sys/ paths
-
-settest sysctl_proc
-
-#unconfined
-runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
-runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
-
-#test with profile giving access to sysctlgood
-genprofile $sysctlgood:r
-runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
-
-genprofile $sysctlgood:w
-runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
-
-genprofile $sysctlgood:rw
-runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
-
-genprofile $sysctlgood:r
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
-
-genprofile $sysctlgood:w
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
-
-genprofile $sysctlgood:rw
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
-
-genprofile $sysctlgood:r
-runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
-
-genprofile $sysctlgood:w
-runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
-
-genprofile $sysctlgood:rw
-runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
-
-#test with profile giving access to sysctlbad but access to sysctlgood
-genprofile $sysctlbad:r
-runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
-
-genprofile $sysctlbad:w
-runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
-
-genprofile $sysctlbad:rw
-runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
-
-genprofile $sysctlbad:r
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
-
-genprofile $sysctlbad:w
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
-
-genprofile $sysctlbad:rw
-value=`cat $sysctlgood`
-runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
-
-genprofile $sysctlbad:r
-runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
-
-genprofile $sysctlbad:w
-runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
-
-genprofile $sysctlbad:rw
-runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
-
-
-
+if [ ! -f "${sysctlgood}" ] ; then
+ echo " WARNING: proc sysctl path not found, /proc not mounted? Skipping tests ..."
+else
+ test_sysctl_proc
+fi
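Review bot: The skip check added ahead of the `test_syscall_sysctl` call expands `$res` unquoted inside `[ ... ]`, so the multi-word failure message is word-split and `[` will most likely exit with an argument error rather than a comparison result. That non-zero status lands in the `else` branch, so the syscall tests would still run, and fail, on exactly the kernels this commit means to skip. Quoting the variable and splitting the compound test fixes that and also drops the non-portable `-a` and `==`: `if [ $? -ne 0 ] && [ "$res" = "FAIL: sysctl read failed - Function not implemented" ] ; then`. Because the skip hinges on the helper's exact error text, a comment such as `# must match the message the syscall_sysctl helper prints when sysctl(2) is unavailable` would warn whoever next edits that string that a mismatch silently turns the skip back into a failure.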