
Merge tests/regression/apparmor/capabilities.sh: fail iopl/ioperm with lockdown

In MR #1063 the tests/regression/apparmor/syscall.sh script was updated to
account for kernel lockdown, but the capabilities.sh script also exercises these
system calls, so it needs the same update.

Also required to fix issue #226.

Signed-off-by: Alex Murray <alex.murray@canonical.com>

Closes #226
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1064
Approved-by: Georgia Garcia <georgia.garcia@canonical.com>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
This commit is contained in:
Georgia Garcia
2023-07-10 13:09:48 +00:00

30
tests/regression/apparmor/capabilities.sh Normal file → Executable file

@@ -49,14 +49,20 @@ CAPABILITIES="chown dac_override dac_read_search fowner fsetid kill \
sys_admin sys_boot sys_nice sys_resource sys_time \
sys_tty_config mknod lease audit_write audit_control"
# lockdown thwarts both ioperm and iopl
notlockeddown=TRUE
if [ -f /sys/kernel/security/lockdown ] && ! grep -q "\[none\]" /sys/kernel/security/lockdown; then
notlockeddown=FALSE
fi
# defines which test+capability pairs should succeed.
syscall_reboot_sys_boot=TRUE
syscall_sethostname_sys_admin=TRUE
syscall_setdomainname_sys_admin=TRUE
syscall_setpriority_sys_nice=TRUE
syscall_setscheduler_sys_nice=TRUE
syscall_ioperm_sys_rawio=TRUE
syscall_iopl_sys_rawio=TRUE
syscall_ioperm_sys_rawio=$notlockeddown
syscall_iopl_sys_rawio=$notlockeddown
syscall_chroot_sys_chroot=TRUE
syscall_mlockall_ipc_lock=TRUE
syscall_sysctl_sys_admin=TRUE
@@ -93,7 +99,13 @@ for TEST in ${TESTS} ; do
settest ${TEST}
# base case, unconfined
runchecktest "${TEST} -- unconfined" pass ${my_arg}
if [ "${TEST}" = "syscall_ioperm" -a "$notlockeddown" = "FALSE" ] ||
[ "${TEST}" = "syscall_iopl" -a "$notlockeddown" = "FALSE" ]; then
expected=fail
else
expected=pass
fi
runchecktest "${TEST} -- unconfined" ${expected} ${my_arg}
# no capabilities allowed
genprofile ${my_entries}
@@ -107,11 +119,13 @@ for TEST in ${TESTS} ; do
# all capabilities allowed
genprofile cap:ALL ${my_entries}
runchecktest "${TEST} -- all caps" pass ${my_arg}
runchecktest "${TEST} -- all caps" ${expected} ${my_arg}
# iterate through each of the capabilities
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
if [ ${expected} = "fail" ]; then
expected_result=fail
elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
expected_result=pass
elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
expected_result=pass
@@ -136,10 +150,12 @@ for TEST in ${TESTS} ; do
# all capabilities allowed
genprofile hat:$bin/${TEST} addimage:${bin}/${TEST} cap:ALL ${my_entries}
runchecktest "${TEST} changehat -- all caps" pass $bin/${TEST} ${my_arg}
runchecktest "${TEST} changehat -- all caps" ${expected} $bin/${TEST} ${my_arg}
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
if [ ${expected} = "fail" ]; then
expected_result=fail
elif [ "X$(eval echo \${${TEST}_${cap}})" = "XTRUE" ] ; then
expected_result=pass
elif [ "${TEST}" = "syscall_ptrace" -a "$(kernel_features ptrace)" = "true" ]; then
expected_result=pass