mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 10:07:12 +00:00
Code Issues Releases Wiki Activity

regression: move new mount syscall defs to shared header and test for necessity

Browse Source 
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
This commit is contained in:
Ryan Lee 2025-03-20 15:40:32 -07:00
parent 1f08b5125d
commit 40e07b4561
5 changed files with 213 additions and 163 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
tests/regression/apparmor/Makefile
View File

@ -88,6 +88,23 @@ USE_SYSCTL:=$(shell echo $(SYSCTL_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && e
LINUX_MOUNT_INCLUDE="\#include <linux/mount.h>" LINUX_MOUNT_INCLUDE="\#include <linux/mount.h>"
HAVE_LINUX_MOUNT_H:=$(shell echo $(LINUX_MOUNT_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true) HAVE_LINUX_MOUNT_H:=$(shell echo $(LINUX_MOUNT_INCLUDE) | cpp -dM >/dev/null 2>/dev/null && echo true)
# Perform detection of whether the new mount syscalls are available and whether
# we'll need to provide the wrapper functions ourselves.
# The syscalls themselves are available in Ubuntu Focal and later, with
# associated constants available in linux/mount.h, but the wrapper functions are
# only available in sys/mount.h in Ubuntu Noble and later.
# Test-compile the header with the test function selected as if it were a
# regular .c file:
# * -Wimplicit-function-declaration to warn upon function prototype not existing in header
# * -Werror to convert that warning into a hard error
# * -x c to force compilation to an object file instead of a precompiled header
HAVE_NEW_MOUNT_PROTOS=$(shell gcc -c -o /dev/null -Wimplicit-function-declaration -Werror -x c -DCHECK_FOR_NEW_MOUNT_PROTOTYPES mount_syscall_iface.h && echo true)
ifneq ($(HAVE_NEW_MOUNT_PROTOS),true)
CFLAGS += -DVENDORED_NEW_MOUNT_PROTOTYPES
endif
CFLAGS += -g -O0 $(EXTRA_WARNINGS) CFLAGS += -g -O0 $(EXTRA_WARNINGS)
SRC=access.c \ SRC=access.c \
@ -180,6 +197,8 @@ endif
#only do move_mount test if we have linux/mount.h #only do move_mount test if we have linux/mount.h
ifeq ($(HAVE_LINUX_MOUNT_H),true) ifeq ($(HAVE_LINUX_MOUNT_H),true)
SRC+=move_mount.c SRC+=move_mount.c
else
CFLAGS += -DSKIP_NEW_MOUNT_TESTING
endif endif
#only do sysctl syscall test if defines installed and OR supported by the #only do sysctl syscall test if defines installed and OR supported by the

30
tests/regression/apparmor/disconnected_mount_complain.c
View File

@ -12,22 +12,12 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
#include "mount_syscall_iface.h"
#ifdef DEBUG #ifdef DEBUG
#include <sys/apparmor.h> #include <sys/apparmor.h>
#endif #endif
/*static int mount_setattr(int dirfd, const char *pathname, unsigned int flags,
struct mount_attr *attr, size_t size) {
return syscall(SYS_mount_setattr, dirfd, pathname, flags, attr, size);
}
static int open_tree(int dirfd, const char *filename, unsigned int flags) {
return syscall(SYS_open_tree, dirfd, filename, flags);
}
static int move_mount(int from_dirfd, const char *from_pathname,
int to_dirfd, const char *to_pathname, unsigned int flags) {
return syscall(SYS_move_mount, from_dirfd, from_pathname, to_dirfd, to_pathname, flags);
}*/
#ifdef DEBUG #ifdef DEBUG
#define DEBUG_PRINTF(...) printf(__VA_ARGS__) #define DEBUG_PRINTF(...) printf(__VA_ARGS__)
#else #else
@ -184,6 +174,7 @@ int test_with_old_style_mount() {
return rc; return rc;
} }
#ifndef SKIP_NEW_MOUNT_TESTING
int test_with_open_tree_mount() { int test_with_open_tree_mount() {
DEBUG_PRINTF("Unshare mount ns\n"); DEBUG_PRINTF("Unshare mount ns\n");
// Call unshare() to step into a new mount namespace // Call unshare() to step into a new mount namespace
@ -359,10 +350,15 @@ int test_with_fsmount(const char *source) {
} }
return rc; return rc;
} }
#endif
int main(int argc, char **argv) { int main(int argc, char **argv) {
if (argc != 3 && argc != 4) { if (argc != 3 && argc != 4) {
#ifdef SKIP_NEW_MOUNT_TESTING
fprintf(stderr, "FAIL: Usage: disconnected_mount_complain [WORKDIR] old");
#else
fprintf(stderr, "FAIL: Usage: disconnected_mount_complain [WORKDIR] (old|open_tree|fsmount) [device_if_fsmount]"); fprintf(stderr, "FAIL: Usage: disconnected_mount_complain [WORKDIR] (old|open_tree|fsmount) [device_if_fsmount]");
#endif
return 1; return 1;
} }
#ifdef DEBUG #ifdef DEBUG
@ -385,7 +381,9 @@ int main(int argc, char **argv) {
} }
if (strcmp(argv[2], "old") == 0) { if (strcmp(argv[2], "old") == 0) {
return test_with_old_style_mount(); return test_with_old_style_mount();
} else if (strcmp(argv[2], "open_tree") == 0) { }
#ifndef SKIP_NEW_MOUNT_TESTING
else if (strcmp(argv[2], "open_tree") == 0) {
return test_with_open_tree_mount(); return test_with_open_tree_mount();
} else if (strcmp(argv[2], "fsmount") == 0) { } else if (strcmp(argv[2], "fsmount") == 0) {
if (argc != 4) { if (argc != 4) {
@ -397,4 +395,10 @@ int main(int argc, char **argv) {
fprintf(stderr, "FAIL: second argument must be 'old', 'open_tree', or 'fsmount'\n"); fprintf(stderr, "FAIL: second argument must be 'old', 'open_tree', or 'fsmount'\n");
return 1; return 1;
} }
#else
else {
fprintf(stderr, "FAIL: second argument must be 'old'\n");
return 1;
}
#endif
} }

27
tests/regression/apparmor/disconnected_mount_complain.sh
View File

@ -38,19 +38,28 @@ echo "corn" > "${shadowing_dir}/cornh"
genprofile -C cap:sys_admin genprofile -C cap:sys_admin
runchecktest "Complain mode profile and disconnected path mounts (mount(2))" pass $tmpdir old runchecktest "Complain mode profile and disconnected path mounts (mount(2))" pass $tmpdir old
runchecktest "Complain mode profile and disconnected path mounts (open_tree(2))" pass $tmpdir open_tree
# Use the presence of move_mount as a proxy for new mount syscall availability
if [ ! -f "$bin/move_mount" ]; then
echo " WARNING: move_mount binary was not built, skipping open_tree test ..."
else
runchecktest "Complain mode profile and disconnected path mounts (open_tree(2))" pass $tmpdir open_tree
fi
rm -r "$shadowed_target" rm -r "$shadowed_target"
rm -r "$shadowing_dir" rm -r "$shadowing_dir"
if [ ! -f "$bin/move_mount" ]; then
echo " WARNING: move_mount binary was not built, skipping fsmount test ..."
else
fallocate -l 512K "${backing_file_fsmount}"
mkfs.ext4 -F "${backing_file_fsmount}" > /dev/null 2> /dev/null
fallocate -l 512K "${backing_file_fsmount}" losetup -f "${backing_file_fsmount}" || fatalerror 'Unable to set up loop device'
mkfs.ext4 -F "${backing_file_fsmount}" > /dev/null 2> /dev/null loop_device="$(/sbin/losetup -n -O NAME -l -j "${backing_file_fsmount}")"
losetup -f "${backing_file_fsmount}" || fatalerror 'Unable to set up loop device' runchecktest "Complain mode profile and disconnected path mounts (fsmount(2))" pass $tmpdir fsmount "${loop_device}"
loop_device="$(/sbin/losetup -n -O NAME -l -j "${backing_file_fsmount}")"
runchecktest "Complain mode profile and disconnected path mounts (fsmount(2))" pass $tmpdir fsmount "${loop_device}" losetup -d "${loop_device}"
rm "${backing_file_fsmount}"
losetup -d "${loop_device}" fi
rm "${backing_file_fsmount}"

158
tests/regression/apparmor/mount_syscall_iface.h Normal file
View File

@ -0,0 +1,158 @@
/*
* A function that compile-tests if sys/mount.h has prototypes for the
* new mount syscalls (we don't care about the args as long as they're
* the right type)
*/
#ifdef CHECK_FOR_NEW_MOUNT_PROTOTYPES
#include <sys/mount.h>
int test_for_open_tree() {
int ot = open_tree(-1, "path", 0);
int mm = move_mount(-1, "from", -1, "to", 0);
int fsm = fsmount(-1, 0, 0);
int fsc = fsconfig(-1, 0, "key", "value", 0);
int fso = fsopen("fstype", 0);
return ot ^ mm ^ fsm ^ fsc ^ fso;
}
#endif
// Include <sys/mount.h> for the mount(2) and umount(2) prototypes
#include <sys/mount.h>
// If needed, include our vendored prototypes for the new syscalls
#if defined(VENDORED_NEW_MOUNT_PROTOTYPES) && !defined(SKIP_NEW_MOUNT_TESTING)
#include <sys/syscall.h>
#include <linux/mount.h>
/* fs/namespace.c
*
* SYSCALL_DEFINE3(open_tree, int, dfd, const char __user *, filename,
* unsigned, flags)
*/
static inline int open_tree(int dirfd, const char *filename, unsigned int flags)
{
return syscall(SYS_open_tree, dirfd, filename, flags);
}
/* fs/namespace.c
*
* SYSCALL_DEFINE5(move_mount,
* int, from_dfd, const char __user *, from_pathname,
* int, to_dfd, const char __user *, to_pathname,
* unsigned int, flags)
*
* Move a mount from one place to another. In combination with
* fsopen()/fsmount() this is used to install a new mount and in combination
* with open_tree(OPEN_TREE_CLONE [| AT_RECURSIVE]) it can be used to copy
* a mount subtree.
*
* Note the flags value is a combination of MOVE_MOUNT_* flags.
*
* #define MOVE_MOUNT_F_SYMLINKS 0x00000001 // Follow symlinks on from path
* #define MOVE_MOUNT_F_AUTOMOUNTS 0x00000002 // Follow automounts on from path
* #define MOVE_MOUNT_F_EMPTY_PATH 0x00000004 // Empty from path permitted
* #define MOVE_MOUNT_T_SYMLINKS 0x00000010 // Follow symlinks on to path
* #define MOVE_MOUNT_T_AUTOMOUNTS 0x00000020//Follow automounts on to path
* #define MOVE_MOUNT_T_EMPTY_PATH 0x00000040 // Empty to path permitted
* #define MOVE_MOUNT_SET_GROUP 0x00000100 // Set sharing group instead
* #define MOVE_MOUNT_BENEATH 0x00000200 // Mount beneath top mount
* #define MOVE_MOUNT__MASK 0x00000377
*/
static inline int move_mount(int from_dirfd, const char *from_pathname,
int to_dirfd, const char *to_pathname,
unsigned int flags)
{
return syscall(SYS_move_mount, from_dirfd, from_pathname,
to_dirfd, to_pathname, flags);
}
/* fs/namespace.c
*
* SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags,
* unsigned int, attr_flags)
*
* Create a kernel mount representation for a new, prepared superblock
* (specified by fs_fd) and attach to an open_tree-like file descriptor.
*
* #define FSMOUNT_CLOEXEC 0x00000001
*/
static inline int fsmount(int fs_fd, unsigned int flags,
unsigned int attr_flags)
{
return syscall(SYS_fsmount, fs_fd, flags, attr_flags);
}
/* fs/fsopen.c
*
* SYSCALL_DEFINE5(fsconfig,
* int, fd,
* unsigned int, cmd,
* const char __user *, _key,
* const void __user *, _value,
* int, aux)
*
* @fd: The filesystem context to act upon
* @cmd: The action to take
* @_key: Where appropriate, the parameter key to set
* @_value: Where appropriate, the parameter value to set
* @aux: Additional information for the value
*
* This system call is used to set parameters on a context, including
* superblock settings, data source and security labelling.
*
* Actions include triggering the creation of a superblock and the
* reconfiguration of the superblock attached to the specified context.
*
* When setting a parameter, @cmd indicates the type of value being proposed
* and @_key indicates the parameter to be altered.
*
* @_value and @aux are used to specify the value, should a value be required:
*
* (*) fsconfig_set_flag: No value is specified. The parameter must be boolean
* in nature. The key may be prefixed with "no" to invert the
* setting. @_value must be NULL and @aux must be 0.
*
* (*) fsconfig_set_string: A string value is specified. The parameter can be
* expecting boolean, integer, string or take a path. A conversion to an
* appropriate type will be attempted (which may include looking up as a
* path). @_value points to a NUL-terminated string and @aux must be 0.
*
* (*) fsconfig_set_binary: A binary blob is specified. @_value points to the
* blob and @aux indicates its size. The parameter must be expecting a
* blob.
*
* (*) fsconfig_set_path: A non-empty path is specified. The parameter must be
* expecting a path object. @_value points to a NUL-terminated string that
* is the path and @aux is a file descriptor at which to start a relative
* lookup or AT_FDCWD.
*
* (*) fsconfig_set_path_empty: As fsconfig_set_path, but with AT_EMPTY_PATH
* implied.
*
* (*) fsconfig_set_fd: An open file descriptor is specified. @_value must be
* NULL and @aux indicates the file descriptor.
*/
static inline int fsconfig(int fs_fd, unsigned int cmd, const char *key,
const void *value, int aux)
{
return syscall(SYS_fsconfig, fs_fd, cmd, key, value, aux);
}
/* fs/fsopen.c
*
* SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, unsigned int, flags)
*
* Open a filesystem by name so that it can be configured for mounting.
*
* We are allowed to specify a container in which the filesystem will be
* opened, thereby indicating which namespaces will be used (notably, which
* network namespace will be used for network filesystems).
*
* #define FSOPEN_CLOEXEC 0x00000001
*/
static inline int fsopen(const char *fs_name, unsigned int flags)
{
return syscall(SYS_fsopen, fs_name, flags);
}
#endif

142
tests/regression/apparmor/move_mount.c
View File

@ -7,148 +7,8 @@
#include <string.h> #include <string.h>
#include <linux/mount.h> #include <linux/mount.h>
#include <linux/types.h> #include <linux/types.h>
#include <sys/syscall.h>
#ifndef open_tree #include "mount_syscall_iface.h"
/* fs/namespace.c
*
* SYSCALL_DEFINE3(open_tree, int, dfd, const char __user *, filename,
* unsigned, flags)
*/
static inline int open_tree(int dirfd, const char *filename, unsigned int flags)
{
return syscall(SYS_open_tree, dirfd, filename, flags);
}
#endif
#ifndef move_mount
/* fs/namespace.c
*
* SYSCALL_DEFINE5(move_mount,
* int, from_dfd, const char __user *, from_pathname,
* int, to_dfd, const char __user *, to_pathname,
* unsigned int, flags)
*
* Move a mount from one place to another. In combination with
* fsopen()/fsmount() this is used to install a new mount and in combination
* with open_tree(OPEN_TREE_CLONE [| AT_RECURSIVE]) it can be used to copy
* a mount subtree.
*
* Note the flags value is a combination of MOVE_MOUNT_* flags.
*
* #define MOVE_MOUNT_F_SYMLINKS 0x00000001 // Follow symlinks on from path
* #define MOVE_MOUNT_F_AUTOMOUNTS 0x00000002 // Follow automounts on from path
* #define MOVE_MOUNT_F_EMPTY_PATH 0x00000004 // Empty from path permitted
* #define MOVE_MOUNT_T_SYMLINKS 0x00000010 // Follow symlinks on to path
* #define MOVE_MOUNT_T_AUTOMOUNTS 0x00000020//Follow automounts on to path
* #define MOVE_MOUNT_T_EMPTY_PATH 0x00000040 // Empty to path permitted
* #define MOVE_MOUNT_SET_GROUP 0x00000100 // Set sharing group instead
* #define MOVE_MOUNT_BENEATH 0x00000200 // Mount beneath top mount
* #define MOVE_MOUNT__MASK 0x00000377
*/
static inline int move_mount(int from_dirfd, const char *from_pathname,
int to_dirfd, const char *to_pathname,
unsigned int flags)
{
return syscall(SYS_move_mount, from_dirfd, from_pathname,
to_dirfd, to_pathname, flags);
}
#endif
#ifndef fsmount
/* fs/namespace.c
*
* SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags,
* unsigned int, attr_flags)
*
* Create a kernel mount representation for a new, prepared superblock
* (specified by fs_fd) and attach to an open_tree-like file descriptor.
*
* #define FSMOUNT_CLOEXEC 0x00000001
*/
static inline int fsmount(int fs_fd, unsigned int flags,
unsigned int attr_flags)
{
return syscall(SYS_fsmount, fs_fd, flags, attr_flags);
}
#endif
#ifndef fsconfig
/* fs/fsopen.c
*
* SYSCALL_DEFINE5(fsconfig,
* int, fd,
* unsigned int, cmd,
* const char __user *, _key,
* const void __user *, _value,
* int, aux)
*
* @fd: The filesystem context to act upon
* @cmd: The action to take
* @_key: Where appropriate, the parameter key to set
* @_value: Where appropriate, the parameter value to set
* @aux: Additional information for the value
*
* This system call is used to set parameters on a context, including
* superblock settings, data source and security labelling.
*
* Actions include triggering the creation of a superblock and the
* reconfiguration of the superblock attached to the specified context.
*
* When setting a parameter, @cmd indicates the type of value being proposed
* and @_key indicates the parameter to be altered.
*
* @_value and @aux are used to specify the value, should a value be required:
*
* (*) fsconfig_set_flag: No value is specified. The parameter must be boolean
* in nature. The key may be prefixed with "no" to invert the
* setting. @_value must be NULL and @aux must be 0.
*
* (*) fsconfig_set_string: A string value is specified. The parameter can be
* expecting boolean, integer, string or take a path. A conversion to an
* appropriate type will be attempted (which may include looking up as a
* path). @_value points to a NUL-terminated string and @aux must be 0.
*
* (*) fsconfig_set_binary: A binary blob is specified. @_value points to the
* blob and @aux indicates its size. The parameter must be expecting a
* blob.
*
* (*) fsconfig_set_path: A non-empty path is specified. The parameter must be
* expecting a path object. @_value points to a NUL-terminated string that
* is the path and @aux is a file descriptor at which to start a relative
* lookup or AT_FDCWD.
*
* (*) fsconfig_set_path_empty: As fsconfig_set_path, but with AT_EMPTY_PATH
* implied.
*
* (*) fsconfig_set_fd: An open file descriptor is specified. @_value must be
* NULL and @aux indicates the file descriptor.
*/
static inline int fsconfig(int fs_fd, unsigned int cmd, const char *key,
const void *value, int aux)
{
return syscall(SYS_fsconfig, fs_fd, cmd, key, value, aux);
}
#endif
#ifndef fsopen
/* fs/fsopen.c
*
* SYSCALL_DEFINE2(fsopen, const char __user *, _fs_name, unsigned int, flags)
*
* Open a filesystem by name so that it can be configured for mounting.
*
* We are allowed to specify a container in which the filesystem will be
* opened, thereby indicating which namespaces will be used (notably, which
* network namespace will be used for network filesystems).
*
* #define FSOPEN_CLOEXEC 0x00000001
*/
static inline int fsopen(const char *fs_name, unsigned int flags)
{
return syscall(SYS_fsopen, fs_name, flags);
}
#endif
int do_open_tree_move_mount(const char *source, const char *target) int do_open_tree_move_mount(const char *source, const char *target)
{ {