regression tests: fix regression tests to pass on 4.14 upstream kernel
Some of the regression tests are missing conditionals or have the wrong conditionals so that they fail on current upstream kernels. Fix this by adding and changing conditionals and requires where appropriate. With the patches the tests report passing on 4.14 and 4.15 kernels. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Time out
parent
ef718df685
commit
6f1d054468
@ -93,122 +93,126 @@ querytest()
|
|||||||
runchecktest "$desc" "$pf" "$expect" "$label" "$perms" $*
|
runchecktest "$desc" "$pf" "$expect" "$label" "$perms" $*
|
||||||
}
|
}
|
||||||
|
|
||||||
# Check querying of a label that the kernel doesn't know about
|
if [ "$(kernel_features dbus)" == "true" ]; then
|
||||||
# aa_query_label() should return an error
|
# Check querying of a label that the kernel doesn't know about
|
||||||
expect anything
|
# aa_query_label() should return an error
|
||||||
perms dbus send
|
expect anything
|
||||||
querytest "QUERY no profile loaded" fail $dbus_msg_query
|
perms dbus send
|
||||||
|
querytest "QUERY no profile loaded" fail $dbus_msg_query
|
||||||
|
|
||||||
# Check querying with an empty mask - aa_query_label() should error out
|
# Check querying with an empty mask - aa_query_label() should error out
|
||||||
genqueryprofile "dbus,"
|
genqueryprofile "dbus,"
|
||||||
expect anything
|
expect anything
|
||||||
perms dbus # no perms
|
perms dbus # no perms
|
||||||
querytest "QUERY empty mask" fail $dbus_msg_query
|
querytest "QUERY empty mask" fail $dbus_msg_query
|
||||||
|
|
||||||
# Check dbus - allowed without auditing
|
# Check dbus - allowed without auditing
|
||||||
genqueryprofile "dbus,"
|
genqueryprofile "dbus,"
|
||||||
expect allow
|
expect allow
|
||||||
perms dbus send
|
perms dbus send
|
||||||
querytest "QUERY dbus (msg send)" pass $dbus_msg_query
|
querytest "QUERY dbus (msg send)" pass $dbus_msg_query
|
||||||
perms dbus receive
|
perms dbus receive
|
||||||
querytest "QUERY dbus (msg receive)" pass $dbus_msg_query
|
querytest "QUERY dbus (msg receive)" pass $dbus_msg_query
|
||||||
perms dbus send receive
|
perms dbus send receive
|
||||||
querytest "QUERY dbus (msg send & receive)" pass $dbus_msg_query
|
querytest "QUERY dbus (msg send & receive)" pass $dbus_msg_query
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY dbus (svc)" pass $dbus_svc_query
|
querytest "QUERY dbus (svc)" pass $dbus_svc_query
|
||||||
|
|
||||||
# Check deny dbus - denied without auditing
|
# Check deny dbus - denied without auditing
|
||||||
genqueryprofile "deny dbus,"
|
genqueryprofile "deny dbus,"
|
||||||
expect # neither allow, nor audit
|
expect # neither allow, nor audit
|
||||||
perms dbus send
|
perms dbus send
|
||||||
querytest "QUERY deny dbus (msg send)" pass $dbus_msg_query
|
querytest "QUERY deny dbus (msg send)" pass $dbus_msg_query
|
||||||
perms dbus receive
|
perms dbus receive
|
||||||
querytest "QUERY deny dbus (msg receive)" pass $dbus_msg_query
|
querytest "QUERY deny dbus (msg receive)" pass $dbus_msg_query
|
||||||
perms dbus send receive
|
perms dbus send receive
|
||||||
querytest "QUERY deny dbus (msg send & receive)" pass $dbus_msg_query
|
querytest "QUERY deny dbus (msg send & receive)" pass $dbus_msg_query
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY deny dbus (svc)" pass $dbus_svc_query
|
querytest "QUERY deny dbus (svc)" pass $dbus_svc_query
|
||||||
|
|
||||||
# Check audit dbus - allowed, but audited
|
# Check audit dbus - allowed, but audited
|
||||||
genqueryprofile "audit dbus,"
|
genqueryprofile "audit dbus,"
|
||||||
expect allow audit
|
expect allow audit
|
||||||
perms dbus send
|
perms dbus send
|
||||||
querytest "QUERY audit dbus (msg send)" pass $dbus_msg_query
|
querytest "QUERY audit dbus (msg send)" pass $dbus_msg_query
|
||||||
perms dbus receive
|
perms dbus receive
|
||||||
querytest "QUERY audit dbus (msg receive)" pass $dbus_msg_query
|
querytest "QUERY audit dbus (msg receive)" pass $dbus_msg_query
|
||||||
perms dbus send receive
|
perms dbus send receive
|
||||||
querytest "QUERY audit dbus (msg send & receive)" pass $dbus_msg_query
|
querytest "QUERY audit dbus (msg send & receive)" pass $dbus_msg_query
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY audit dbus (svc)" pass $dbus_svc_query
|
querytest "QUERY audit dbus (svc)" pass $dbus_svc_query
|
||||||
|
|
||||||
# Check audit deny dbus - explicit deny without auditing
|
# Check audit deny dbus - explicit deny without auditing
|
||||||
genqueryprofile "audit deny dbus,"
|
genqueryprofile "audit deny dbus,"
|
||||||
expect audit
|
expect audit
|
||||||
perms dbus send
|
perms dbus send
|
||||||
querytest "QUERY audit deny dbus (msg send)" pass $dbus_msg_query
|
querytest "QUERY audit deny dbus (msg send)" pass $dbus_msg_query
|
||||||
perms dbus receive
|
perms dbus receive
|
||||||
querytest "QUERY audit deny dbus (msg receive)" pass $dbus_msg_query
|
querytest "QUERY audit deny dbus (msg receive)" pass $dbus_msg_query
|
||||||
perms dbus send receive
|
perms dbus send receive
|
||||||
querytest "QUERY audit deny dbus (msg send & receive)" pass $dbus_msg_query
|
querytest "QUERY audit deny dbus (msg send & receive)" pass $dbus_msg_query
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY audit deny dbus (svc)" pass $dbus_svc_query
|
querytest "QUERY audit deny dbus (svc)" pass $dbus_svc_query
|
||||||
|
|
||||||
# Check dbus send - ensure that receive and bind bits aren't set
|
# Check dbus send - ensure that receive and bind bits aren't set
|
||||||
genqueryprofile "dbus send,"
|
genqueryprofile "dbus send,"
|
||||||
expect allow
|
expect allow
|
||||||
perms dbus send
|
perms dbus send
|
||||||
querytest "QUERY dbus send (msg send)" pass $dbus_msg_query
|
querytest "QUERY dbus send (msg send)" pass $dbus_msg_query
|
||||||
perms dbus receive
|
perms dbus receive
|
||||||
querytest "QUERY dbus send (msg receive)" fail $dbus_msg_query
|
querytest "QUERY dbus send (msg receive)" fail $dbus_msg_query
|
||||||
perms dbus send receive
|
perms dbus send receive
|
||||||
querytest "QUERY dbus send (msg send & receive)" fail $dbus_msg_query
|
querytest "QUERY dbus send (msg send & receive)" fail $dbus_msg_query
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY dbus send (msg bind)" fail $dbus_msg_query
|
querytest "QUERY dbus send (msg bind)" fail $dbus_msg_query
|
||||||
perms dbus send bind
|
perms dbus send bind
|
||||||
querytest "QUERY dbus send (msg send & bind)" fail $dbus_msg_query
|
querytest "QUERY dbus send (msg send & bind)" fail $dbus_msg_query
|
||||||
|
|
||||||
# Check dbus receive - ensure that send and bind bits aren't set
|
# Check dbus receive - ensure that send and bind bits aren't set
|
||||||
genqueryprofile "dbus receive,"
|
genqueryprofile "dbus receive,"
|
||||||
expect allow
|
expect allow
|
||||||
perms dbus receive
|
perms dbus receive
|
||||||
querytest "QUERY dbus receive (msg receive)" pass $dbus_msg_query
|
querytest "QUERY dbus receive (msg receive)" pass $dbus_msg_query
|
||||||
perms dbus send
|
perms dbus send
|
||||||
querytest "QUERY dbus receive (msg send)" fail $dbus_msg_query
|
querytest "QUERY dbus receive (msg send)" fail $dbus_msg_query
|
||||||
perms dbus send receive
|
perms dbus send receive
|
||||||
querytest "QUERY dbus receive (msg send & receive)" fail $dbus_msg_query
|
querytest "QUERY dbus receive (msg send & receive)" fail $dbus_msg_query
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY dbus receive (msg bind)" fail $dbus_msg_query
|
querytest "QUERY dbus receive (msg bind)" fail $dbus_msg_query
|
||||||
perms dbus receive bind
|
perms dbus receive bind
|
||||||
querytest "QUERY dbus receive (msg receive & bind)" fail $dbus_msg_query
|
querytest "QUERY dbus receive (msg receive & bind)" fail $dbus_msg_query
|
||||||
|
|
||||||
# Check dbus bind - ensure that send and receive bits aren't set
|
# Check dbus bind - ensure that send and receive bits aren't set
|
||||||
genqueryprofile "dbus bind,"
|
genqueryprofile "dbus bind,"
|
||||||
expect allow
|
expect allow
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY dbus bind (svc bind)" pass $dbus_svc_query
|
querytest "QUERY dbus bind (svc bind)" pass $dbus_svc_query
|
||||||
perms dbus send
|
perms dbus send
|
||||||
querytest "QUERY dbus bind (svc send)" fail $dbus_svc_query
|
querytest "QUERY dbus bind (svc send)" fail $dbus_svc_query
|
||||||
perms dbus send bind
|
perms dbus send bind
|
||||||
querytest "QUERY dbus bind (svc send & bind)" fail $dbus_svc_query
|
querytest "QUERY dbus bind (svc send & bind)" fail $dbus_svc_query
|
||||||
perms dbus receive
|
perms dbus receive
|
||||||
querytest "QUERY dbus bind (svc receive)" fail $dbus_svc_query
|
querytest "QUERY dbus bind (svc receive)" fail $dbus_svc_query
|
||||||
perms dbus receive bind
|
perms dbus receive bind
|
||||||
querytest "QUERY dbus bind (svc receive & bind)" fail $dbus_svc_query
|
querytest "QUERY dbus bind (svc receive & bind)" fail $dbus_svc_query
|
||||||
|
|
||||||
# Check dbus - ensure that send and receive bits aren't set in service queries
|
# Check dbus - ensure that send and receive bits aren't set in service queries
|
||||||
# and the bind bit isn't set in message queries
|
# and the bind bit isn't set in message queries
|
||||||
genqueryprofile "dbus,"
|
genqueryprofile "dbus,"
|
||||||
expect allow
|
expect allow
|
||||||
perms dbus send receive
|
perms dbus send receive
|
||||||
querytest "QUERY dbus (msg send & receive)" pass $dbus_msg_query
|
querytest "QUERY dbus (msg send & receive)" pass $dbus_msg_query
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY dbus (msg bind)" fail $dbus_msg_query
|
querytest "QUERY dbus (msg bind)" fail $dbus_msg_query
|
||||||
perms dbus bind
|
perms dbus bind
|
||||||
querytest "QUERY dbus (svc bind)" pass $dbus_svc_query
|
querytest "QUERY dbus (svc bind)" pass $dbus_svc_query
|
||||||
perms dbus send
|
perms dbus send
|
||||||
querytest "QUERY dbus (svc send)" fail $dbus_svc_query
|
querytest "QUERY dbus (svc send)" fail $dbus_svc_query
|
||||||
perms dbus receive
|
perms dbus receive
|
||||||
querytest "QUERY dbus (svc receive)" fail $dbus_svc_query
|
querytest "QUERY dbus (svc receive)" fail $dbus_svc_query
|
||||||
|
else
|
||||||
|
echo " required feature dbus missing, skipping dbus queries ..."
|
||||||
|
fi
|
||||||
|
|
||||||
genqueryprofile "file,"
|
genqueryprofile "file,"
|
||||||
expect allow
|
expect allow
|
||||||
|
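Review bot: The `else` branch added at the end of this hunk reports the skipped dbus queries only with an `echo` to stdout, so every dbus permission check in the block is dropped without, as far as the hunk shows, being counted as a skip by the test harness. On a kernel that is expected to mediate dbus, a missing or misnamed `dbus` feature would presumably still look like a passing run. Sending the message to stderr would at least keep it visible when stdout is captured: `echo "	required feature dbus missing, skipping dbus queries ..." >&2`. A comment above the `if` would also help, for example `# dbus queries need kernel dbus mediation; they are skipped, not failed, when the feature is absent`.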
@ -137,7 +137,7 @@ runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd
|
|||||||
sleep 1
|
sleep 1
|
||||||
rm -f ${socket}
|
rm -f ${socket}
|
||||||
|
|
||||||
if [ "$(kernel_features policy/versions/v6)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
|
if [ "$(kernel_features policy/network/af_unix)" == "true" -a "$(parser_supports 'unix,')" == "true" ] ; then
|
||||||
# FAIL - confined client, no access to the socket file
|
# FAIL - confined client, no access to the socket file
|
||||||
|
|
||||||
genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix
|
genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix
|
||||||
|
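Review bot: The new gate `kernel_features policy/network/af_unix` uses a `policy/` prefix, while the other feature check added in this commit is `requires_kernel_features network/af_mask`, with no such prefix. If the af_unix feature is actually exposed as `network/af_unix`, this condition can never be true and the confined-client checks guarded by it are skipped silently, so the path should be confirmed against the kernel's features tree. Separately, `-a` inside `[ ]` is obsolescent and ambiguous with some operands; two tests are safer: `if [ "$(kernel_features policy/network/af_unix)" == "true" ] && [ "$(parser_supports 'unix,')" == "true" ] ; then`. The body of this `if` continues outside the hunk.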
@ -28,6 +28,8 @@ bin=$pwd
|
|||||||
|
|
||||||
. $bin/prologue.inc
|
. $bin/prologue.inc
|
||||||
requires_kernel_features policy/versions/v6
|
requires_kernel_features policy/versions/v6
|
||||||
|
#af_mask for downgrade test af_unix for full test
|
||||||
|
requires_kernel_features network/af_mask
|
||||||
|
|
||||||
settest unix_socket
|
settest unix_socket
|
||||||
|
|
||||||
|
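Review bot: The added comment `#af_mask for downgrade test af_unix for full test` is hard to parse as written and does not say which of the two features this script actually requires. Something like `# network/af_mask is enough for the downgraded test; the full test additionally needs af_unix` would read more clearly, if that is the intended meaning. Only `network/af_mask` is required in this hunk, so it would also help to note where the af_unix case is gated, since nothing visible here does that. The rest of the script is outside the hunk.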