diff --git a/.gitignore b/.gitignore
index 55f1f08c9..57430c5e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -250,6 +250,7 @@ tests/regression/apparmor/fchown
 tests/regression/apparmor/fd_inheritance
 tests/regression/apparmor/fd_inheritor
 tests/regression/apparmor/fork
+tests/regression/apparmor/getcon_verify
 tests/regression/apparmor/introspect
 tests/regression/apparmor/io_uring
 tests/regression/apparmor/link
diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
index 2c000ac87..643e42855 100644
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@@ -141,6 +141,7 @@ SRC=access.c \
 fd_inheritance.c \
 fd_inheritor.c \
 fork.c \
+ getcon_verify.c \
 link.c \
 link_subset.c \
 mmap.c \
@@ -283,6 +284,7 @@ EXEC=$(SRC:%.c=%)
 TESTS=aa_exec \
 access \
+ allow_all \
 attach_disconnected \
 at_secure \
 introspect \
diff --git a/tests/regression/apparmor/allow_all.sh b/tests/regression/apparmor/allow_all.sh
new file mode 100644
index 000000000..259e30dbd
--- /dev/null
+++ b/tests/regression/apparmor/allow_all.sh
@@ -0,0 +1,43 @@
+#! /bin/bash
+# Copyright (C) 2025 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, version 2 of the
+# License.
+#=NAME allow_all
+#=DESCRIPTION
+# Verifies that allow all profiles work as expected and use implicit pix transitions
+#=END
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+bin=$pwd
+. "$bin/prologue.inc"
+# Two profiles are needed here:
+# 1. Load a custom profile-with-attachment for ${bin}/allow_all
+# 2. Load an allow_all profile for ${bin}/complain
+# 3. Execute ${bin}/complain under the allow_all profile and check the confinement that ${bin}/allow_all fell under
+cat < ${tmpdir}/allow_all_profile
+abi ,
+profile regression_allow_all ${bin}/getcon_verify {
+allow all,
+}
+EOF
+"${subdomain}" ${parser_args} ${tmpdir}/allow_all_profile
+settest allow_all "${bin}/complain"
+genprofile "allow all"
+runchecktest "Allow all - ix default" pass exec "${bin}/getcon_verify" "${bin}/complain" "enforce"
+genprofile "allow all" "/**:pix"
+runchecktest "Allow all - pix rule" pass exec "${bin}/getcon_verify" "regression_allow_all" "enforce"
+"${subdomain}" ${parser_args} -R ${tmpdir}/allow_all_profile
diff --git a/tests/regression/apparmor/getcon_verify.c b/tests/regression/apparmor/getcon_verify.c
new file mode 100644
index 000000000..0d24bf055
--- /dev/null
+++ b/tests/regression/apparmor/getcon_verify.c
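Review bot: The comment block above the heredoc is stale: it announces "Two profiles" and then lists three steps, and steps 1 and 3 name `${bin}/allow_all` while the profile actually loaded attaches to `${bin}/getcon_verify`, which is also the binary whose confinement both runchecktest calls inspect. I would rewrite it as `# Two profiles are needed here:`, `# 1. Load a custom profile-with-attachment for ${bin}/getcon_verify`, `# 2. Load an allow_all profile for ${bin}/complain, exec ${bin}/getcon_verify under it and check which profile it fell under`. The #=DESCRIPTION line says allow-all profiles "use implicit pix transitions", yet the first check is named "ix default" and expects the exec'd getcon_verify to remain under `${bin}/complain` even though a matching attachment profile is loaded, so the description and the test disagree on what the default transition is and one of them needs correcting. The exit status of `"${subdomain}" ${parser_args} ${tmpdir}/allow_all_profile` is not checked, so a failed load surfaces later as a confusing label mismatch in the pix case rather than as a load error; `"${subdomain}" ${parser_args} ${tmpdir}/allow_all_profile || fatalerror "failed to load allow_all_profile"` would make it explicit, assuming prologue.inc provides a fatalerror helper as the sibling tests use. The heredoc and abi lines look garbled in this rendering (presumably a `cat <<EOF >` redirection and an `abi <...>,` rule), so I have not reviewed their exact text.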
@@ -0,0 +1,31 @@
+#include
+
+#include
+#include
+#include
+ // Simple program that checks if its own confinement has a string
+int main(int argc, char **argv) {
+ if (argc != 3) {
+ fprintf(stderr, "FAIL: usage: allow_all [expected_label] [expected mode]\n");
+ return 1;
+ }
+
+ char *label;
+ char *mode;
+ aa_getcon(&label, &mode);
+
+ // Now check our own confinement
+ if (strcmp(label, argv[1]) == 0 && strcmp(mode, argv[2]) == 0) {
+ free(label);
+ puts("PASS");
+ return 0;
+ } else {
+ fprintf(stderr, "FAIL: expected confinement %s (%s), got label %s (%s)\n",
+ argv[1], argv[2], label, mode);
+ free(label);
+ return 1;
+ }
+
+ return 0;
+}
\ No newline at end of file
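Review bot: The return value of `aa_getcon(&label, &mode)` is never checked, so on failure `label` and `mode` (declared without initializers) reach strcmp uninitialized, and even on success `mode` can be NULL for a label that carries no mode (an unconfined process, as I understand libapparmor's contract), which crashes the strcmp and makes the `%s` in the FAIL message undefined. The usage string still says `allow_all` although the binary is getcon_verify; printing `argv[0]` keeps it from going stale again. Freeing only `label` is correct as far as I know, because aa_getcon hands back `mode` as a pointer into the same allocation, but that deserves a comment such as `/* mode points into label's buffer; free label only */` so nobody "fixes" it into a double free. The `return 0;` after the if/else is unreachable, and the file has no trailing newline.
```c
int main(int argc, char **argv) {
	if (argc != 3) {
		fprintf(stderr, "FAIL: usage: %s [expected_label] [expected mode]\n", argv[0]);
		return 1;
	}

	char *label = NULL;
	char *mode = NULL;
	if (aa_getcon(&label, &mode) == -1) {
		perror("FAIL: aa_getcon");
		return 1;
	}
	/* mode may be NULL when the label carries no mode (e.g. unconfined);
	 * it points into label's buffer, so only label is freed below. */
	const char *mode_str = mode ? mode : "";

	if (strcmp(label, argv[1]) == 0 && strcmp(mode_str, argv[2]) == 0) {
		// … unchanged: free(label); puts("PASS"); return 0; …
	} else {
		fprintf(stderr, "FAIL: expected confinement %s (%s), got label %s (%s)\n",
			argv[1], argv[2], label, mode_str);
		// … unchanged: free(label); return 1; …
	}
}
```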