mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-29 05:17:59 +00:00
Code Issues Releases Wiki Activity

Merge regression: add an allow_all test that checks pix+ix transitions

Browse Source 
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1663
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen 2025-05-08 05:46:20 +00:00
commit 726cb2e1f1
4 changed files with 77 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -250,6 +250,7 @@ tests/regression/apparmor/fchown
tests/regression/apparmor/fd_inheritance tests/regression/apparmor/fd_inheritance
tests/regression/apparmor/fd_inheritor tests/regression/apparmor/fd_inheritor
tests/regression/apparmor/fork tests/regression/apparmor/fork
tests/regression/apparmor/getcon_verify
tests/regression/apparmor/introspect tests/regression/apparmor/introspect
tests/regression/apparmor/io_uring tests/regression/apparmor/io_uring
tests/regression/apparmor/link tests/regression/apparmor/link

2
tests/regression/apparmor/Makefile
View File

@ -141,6 +141,7 @@ SRC=access.c \
fd_inheritance.c \ fd_inheritance.c \
fd_inheritor.c \ fd_inheritor.c \
fork.c \ fork.c \
getcon_verify.c \
link.c \ link.c \
link_subset.c \ link_subset.c \
mmap.c \ mmap.c \
@ -283,6 +284,7 @@ EXEC=$(SRC:%.c=%)
TESTS=aa_exec \ TESTS=aa_exec \
access \ access \
allow_all \
attach_disconnected \ attach_disconnected \
at_secure \ at_secure \
introspect \ introspect \

43
tests/regression/apparmor/allow_all.sh Normal file
View File

@ -0,0 +1,43 @@
#! /bin/bash
# Copyright (C) 2025 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# License.
#=NAME allow_all
#=DESCRIPTION
# Verifies that allow all profiles work as expected and use implicit pix transitions
#=END
pwd=`dirname $0`
pwd=`cd $pwd ; /bin/pwd`
bin=$pwd
. "$bin/prologue.inc"
# Two profiles are needed here:
# 1. Load a custom profile-with-attachment for ${bin}/allow_all
# 2. Load an allow_all profile for ${bin}/complain
# 3. Execute ${bin}/complain under the allow_all profile and check the confinement that ${bin}/allow_all fell under
cat <<EOF > ${tmpdir}/allow_all_profile
abi <abi/4.0>,
profile regression_allow_all ${bin}/getcon_verify {
allow all,
}
EOF
"${subdomain}" ${parser_args} ${tmpdir}/allow_all_profile
settest allow_all "${bin}/complain"
genprofile "allow all"
runchecktest "Allow all - ix default" pass exec "${bin}/getcon_verify" "${bin}/complain" "enforce"
genprofile "allow all" "/**:pix"
runchecktest "Allow all - pix rule" pass exec "${bin}/getcon_verify" "regression_allow_all" "enforce"
"${subdomain}" ${parser_args} -R ${tmpdir}/allow_all_profile

31
tests/regression/apparmor/getcon_verify.c Normal file
View File

@ -0,0 +1,31 @@
#include <sys/apparmor.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Simple program that checks if its own confinement has a string
int main(int argc, char **argv) {
if (argc != 3) {
fprintf(stderr, "FAIL: usage: allow_all [expected_label] [expected mode]\n");
return 1;
}
char *label;
char *mode;
aa_getcon(&label, &mode);
// Now check our own confinement
if (strcmp(label, argv[1]) == 0 && strcmp(mode, argv[2]) == 0) {
free(label);
puts("PASS");
return 0;
} else {
fprintf(stderr, "FAIL: expected confinement %s (%s), got label %s (%s)\n",
argv[1], argv[2], label, mode);
free(label);
return 1;
}
return 0;
}