Merge regression: add an allow_all test that checks pix+ix transitions

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1663 Approved-by: John Johansen <john@jjmx.net> Merged-by: John Johansen <john@jjmx.net>
2025-08-22 01:57:43 +00:00 · 2025-05-08 05:46:20 +00:00 · 2025-05-08 05:46:20 +00:00 · 726cb2e1f1
commit 726cb2e1f1
parent 95036df4a1 b698daaf62
4 changed files with 77 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -250,6 +250,7 @@ tests/regression/apparmor/fchown
 tests/regression/apparmor/fd_inheritance
 tests/regression/apparmor/fd_inheritor
 tests/regression/apparmor/fork
+tests/regression/apparmor/getcon_verify
 tests/regression/apparmor/introspect
 tests/regression/apparmor/io_uring
 tests/regression/apparmor/link
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@ -141,6 +141,7 @@ SRC=access.c \
    fd_inheritance.c \
    fd_inheritor.c \
    fork.c \
+    getcon_verify.c \
    link.c \
    link_subset.c \
    mmap.c \
@ -283,6 +284,7 @@ EXEC=$(SRC:%.c=%)

 TESTS=aa_exec \
      access \
+      allow_all \
      attach_disconnected \
      at_secure \
      introspect \
--- a/tests/regression/apparmor/allow_all.sh
+++ b/tests/regression/apparmor/allow_all.sh
@ -0,0 +1,43 @@
+#! /bin/bash
+#	Copyright (C) 2025 Canonical, Ltd.
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME allow_all
+#=DESCRIPTION
+# Verifies that allow all profiles work as expected and use implicit pix transitions
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. "$bin/prologue.inc"
+
+# Two profiles are needed here:
+# 1. Load a custom profile-with-attachment for ${bin}/allow_all
+# 2. Load an allow_all profile for ${bin}/complain
+# 3. Execute ${bin}/complain under the allow_all profile and check the confinement that ${bin}/allow_all fell under
+
+cat <<EOF > ${tmpdir}/allow_all_profile
+abi <abi/4.0>,
+
+profile regression_allow_all ${bin}/getcon_verify {
+allow all,
+}
+EOF
+
+"${subdomain}" ${parser_args} ${tmpdir}/allow_all_profile
+
+settest allow_all "${bin}/complain"
+
+genprofile "allow all"
+runchecktest "Allow all - ix default" pass exec "${bin}/getcon_verify" "${bin}/complain" "enforce"
+genprofile "allow all" "/**:pix"
+runchecktest "Allow all - pix rule" pass exec "${bin}/getcon_verify" "regression_allow_all" "enforce"
+
+"${subdomain}" ${parser_args} -R ${tmpdir}/allow_all_profile
--- a/tests/regression/apparmor/getcon_verify.c
+++ b/tests/regression/apparmor/getcon_verify.c
@ -0,0 +1,31 @@
+#include <sys/apparmor.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+// Simple program that checks if its own confinement has a string
+int main(int argc, char **argv) {
+    if (argc != 3) {
+        fprintf(stderr, "FAIL: usage: allow_all [expected_label] [expected mode]\n");
+        return 1;
+    }
+
+    char *label;
+    char *mode;
+    aa_getcon(&label, &mode);
+
+    // Now check our own confinement
+    if (strcmp(label, argv[1]) == 0 && strcmp(mode, argv[2]) == 0) {
+        free(label);
+        puts("PASS");
+        return 0;
+    } else {
+        fprintf(stderr, "FAIL: expected confinement %s (%s), got label %s (%s)\n",
+            argv[1], argv[2], label, mode);
+        free(label);
+        return 1;
+    }
+
+    return 0;
+}