
[This corresponds to commits 6414, 6415, 6417, 6422, 6423, and 6424 in

the old svn tree.]

This patch adds tests to verify the environment filtering done in the Px
and Ux cases. It checks the environment as seen by both an ELF executable
and a shell script. It also verifies that, with the apparmor module loaded,
environment filtering on setuid apps still happens.
Steve Beattie
2006-09-12 05:55:31 +00:00
parent 1cd7fe23d4
commit 76cbeb9892
5 changed files with 253 additions and 0 deletions


@@ -21,6 +21,8 @@ SRC=access.c \
chmod.c \
chown.c \
deleted.c \
environ.c \
env_check.c \
exec.c \
exec_qual.c \
exec_qual2.c \
@@ -100,6 +102,7 @@ TESTS=access \
changehat_misc \
chdir \
deleted \
environ \
exec \
exec_qual \
fork \


@@ -0,0 +1,42 @@
/* $Id$ */
/* Copyright (C) 2002-2006 Novell/SUSE
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
int main(int argc, char *argv[])
{
char *var, *val, *p, *envval;
if (argc < 2 || !(p = strchr(argv[1], '='))) {
fprintf(stderr, "Usage: %s VAR=value\n", argv[0]);
return 1;
}
var = strndup(argv[1], p - argv[1]);
val = strdup(p + 1);
envval = getenv(var);
if (!envval) {
fprintf(stderr, "FAIL: environment variable not found\n");
return 1;
}
if (strcmp(envval, val) != 0) {
fprintf(stderr, "FAIL: environment variable differs: expected '%s', found '%s'\n",
val, envval);
return 1;
}
return 0;
}
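Review bot: The results of `strndup` and `strdup` on the `var = strndup(...)` and `val = strdup(...)` lines are never checked, so an allocation failure hands a NULL to `getenv` and `strcmp`, which is undefined behaviour rather than a reported FAIL like the other error paths. A guard directly after the two calls, `if (!var || !val) { perror("FAIL: strdup"); return 1; }`, keeps the helper's failure reporting consistent. Leaking the two strings is acceptable for a process that exits immediately, but a one-line comment saying so (`/* var/val intentionally not freed: process exits */`) would stop the next reader flagging it. Note also that `getenv` returns `""` for an exported-but-empty variable, so `FOO=` passes the check rather than hitting the "not found" branch; that seems intended but is worth a comment.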


@@ -0,0 +1,33 @@
#!/bin/sh
#
# $Id$
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# License.
if [ -z "$1" ] ; then
echo "Usage: $0 var=value"
exit 1;
fi
VAR=${1%%=*}
VALUE=${1#*=}
ENVVAL=$(eval echo \${$VAR})
#echo ENVVAL = $ENVVAL
if [ -z "${ENVVAL}" ] ; then
echo "FAIL: Environment variable \$$VAR is unset"
exit 1;
fi
if [ "${ENVVAL}" != "${VALUE}" ] ; then
echo "FAIL: Environment variable \$$VAR differs; expected $VALUE got ${ENVVAL}"
exit 1;
fi
exit 0
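Review bot: `ENVVAL=$(eval echo \${$VAR})` word-splits and glob-expands the value before it is compared, so a value containing runs of whitespace or a `*` compares unequal to `$VALUE` even when the variable was exported correctly; `eval "ENVVAL=\${$VAR}"` assigns the exact bytes without the `echo` round trip. The same `eval` interpolates `$VAR` straight from argv, so a first argument whose name part is not a valid identifier is evaluated as shell code instead of being rejected; checking it against `[A-Za-z_][A-Za-z0-9_]*` before the `eval` keeps the helper's behaviour defined for malformed input. Because an unset variable and an exported empty string both satisfy the `-z` test, the `is unset` message is also printed for `FOO=` exported empty; `is unset or empty` would be accurate.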


@@ -0,0 +1,82 @@
/* $Id$ */
/* Copyright (C) 2002-2006 Novell/SUSE
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/wait.h>
#define RET_FAILURE 0
#define RET_SUCCESS 1
#define RET_CHLD_SUCCESS 2
#define RET_CHLD_FAILURE 3
#define RET_CHLD_SIGNAL 4
int interp_status(int status)
{
int rc;
if (WIFEXITED(status)) {
if (WEXITSTATUS(status) == 0) {
rc = RET_CHLD_SUCCESS;
} else {
rc = RET_CHLD_FAILURE;
}
} else {
rc = RET_CHLD_SIGNAL;
}
return rc;
}
int main(int argc, char *argv[])
{
pid_t pid;
int status;
int retval = 1;
if (argc < 3 || !strchr(argv[2], '=')) {
fprintf(stderr, "Usage: %s program VAR=value\n", argv[0]);
return 1;
}
putenv(strdup(argv[2]));
pid = fork();
if (pid > 0) {
/* parent */
while (wait(&status) != pid);
/* nothing */
if (!WIFSTOPPED(status)) {
retval = interp_status(status);
}
if (retval == RET_CHLD_SUCCESS) {
printf("PASS\n");
retval = 0;
}
} else if (pid == 0) {
/* child */
retval = execl(argv[1], argv[1], argv[2], (char *) NULL);
return retval;
} else {
/* error */
perror("FAIL: fork() failed:");
return 1;
}
return retval;
}
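Review bot: `while (wait(&status) != pid);` in the parent branch spins forever if `wait` returns -1 (for example ECHILD when SIGCHLD was inherited as ignored and the child is auto-reaped, or EINTR), because -1 never equals `pid`; `pid_t w; while ((w = wait(&status)) != pid) { if (w == -1 && errno != EINTR) { perror("FAIL: wait()"); return 1; } }` turns the hang into a reported failure, and `<errno.h>` is already included. In the child, `execl` only returns on failure, so `return retval` exits with -1 (status 255) and no diagnostic; `perror("FAIL: execl()"); _exit(1);` reports the reason and avoids a second flush of the stdio buffers inherited from the parent. `putenv(strdup(argv[2]))` is likewise unchecked for NULL, and the `perror("FAIL: fork() failed:")` string ends in a colon that `perror` then repeats. The `WIFSTOPPED` test appears to be dead code, since plain `wait()` does not report stopped children for an untraced child; a comment saying why it is kept, or dropping it, would help.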


@@ -0,0 +1,93 @@
#! /bin/bash
# $Id$
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# License.
#=NAME environ
#=DESCRIPTION
# verify bprm_unsafe filtering occurs for Px and Ux.
#
#=END
pwd=`dirname $0`
pwd=`cd $pwd ; /bin/pwd`
bin=$pwd
. $bin/prologue.inc
helper=$pwd/env_check
setuid_helper=${tmpdir}/env_check
helper_sh=$pwd/env_check.sh
# TEST environment filtering on elf binaries
genprofile $helper:ux
runchecktest "ENVIRON (elf): ux & regular env" pass $helper FOO=BAR
runchecktest "ENVIRON (elf): ux & sensitive env" pass $helper LD_LIBRARY_PATH=.
genprofile $helper:Ux
runchecktest "ENVIRON (elf): Ux & regular env" pass $helper FOO=BAR
runchecktest "ENVIRON (elf): Ux & sensitive env" fail $helper LD_LIBRARY_PATH=.
genprofile $helper:rix
runchecktest "ENVIRON (elf): ix & regular env" pass $helper FOO=BAR
runchecktest "ENVIRON (elf): ix & sensitive env" pass $helper LD_LIBRARY_PATH=.
genprofile $helper:px -- image=$helper
runchecktest "ENVIRON (elf): px & regular env" pass $helper FOO=BAR
runchecktest "ENVIRON (elf): px & sensitive env" pass $helper LD_LIBRARY_PATH=.
genprofile $helper:Px -- image=$helper
runchecktest "ENVIRON (elf): Px & regular env" pass $helper FOO=BAR
runchecktest "ENVIRON (elf): Px & sensitive env" fail $helper LD_LIBRARY_PATH=.
genprofile image=$helper
runchecktest "ENVIRON (elf): unconfined --> confined & regular env" pass $helper FOO=BAR
runchecktest "ENVIRON (elf): unconfined --> confined & sensitive env" pass $helper LD_LIBRARY_PATH=.
genprofile -C
runchecktest "ENVIRON (elf): confined/complain & regular env" pass $helper FOO=BAR
runchecktest "ENVIRON (elf): confined/complain & sensitive env" pass $helper LD_LIBRARY_PATH=.
# TEST environment filtering on shell scripts
genprofile ${helper_sh}:ux
runchecktest "ENVIRON (shell script): ux & regular env" pass ${helper_sh} FOO=BAR
runchecktest "ENVIRON (shell script): ux & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
genprofile ${helper_sh}:Ux
runchecktest "ENVIRON (shell script): Ux & regular env" pass ${helper_sh} FOO=BAR
runchecktest "ENVIRON (shell script): Ux & sensitive env" fail ${helper_sh} LD_LIBRARY_PATH=.
genprofile ${helper_sh}:px -- image=${helper_sh} /bin/bash:rix "/lib/lib*:mr"
runchecktest "ENVIRON (shell script): px & regular env" pass ${helper_sh} FOO=BAR
runchecktest "ENVIRON (shell script): px & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
genprofile ${helper_sh}:Px -- image=${helper_sh} /bin/bash:rix "/lib/lib*:mr"
runchecktest "ENVIRON (shell script): Px & regular env" pass ${helper_sh} FOO=BAR
runchecktest "ENVIRON (shell script): Px & sensitive env" fail ${helper_sh} LD_LIBRARY_PATH=.
genprofile ${helper_sh}:rix /bin/bash:rix "/lib/lib*:mr"
runchecktest "ENVIRON (shell script): ix & regular env" pass ${helper_sh} FOO=BAR
runchecktest "ENVIRON (shell script): ix & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
genprofile image=${helper_sh} /bin/bash:rix "/lib/lib*:mr"
runchecktest "ENVIRON (shell script): unconfined --> confined & regular env" pass ${helper_sh} FOO=BAR
runchecktest "ENVIRON (shell script): unconfined --> confined & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
genprofile -C
runchecktest "ENVIRON (shell script): confined/complain & regular env" pass ${helper_sh} FOO=BAR
runchecktest "ENVIRON (shell script): confined/complain & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
# TEST environment filtering still works on setuid apps
removeprofile
cp $helper ${setuid_helper}
chown nobody ${setuid_helper}
chmod u+s ${setuid_helper}
runchecktest "ENVIRON (elf): unconfined setuid helper" pass ${setuid_helper} FOO=BAR
runchecktest "ENVIRON (elf): unconfined setuid helper" fail ${setuid_helper} LD_LIBRARY_PATH=.
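Review bot: The two setuid checks at the end pass the identical description `"ENVIRON (elf): unconfined setuid helper"`, so a failure report cannot say whether the regular or the sensitive case went wrong; every other pair in the file distinguishes them, e.g. `"ENVIRON (elf): unconfined setuid helper & regular env"` and `"ENVIRON (elf): unconfined setuid helper & sensitive env"`. The `cp`, `chown nobody` and `chmod u+s` results are unchecked, so if any of them fails the helper is not actually setuid and the final `fail` expectation reports a false failure of the kernel filtering rather than a setup error. If `${tmpdir}` lives on a filesystem mounted `nosuid` the setuid bit is silently ignored with the same effect; I cannot see from this hunk whether prologue.inc guards against that, so a comment or an explicit check before the copy would help. The header year range `2002-2005` also differs from the `2002-2006` used by the other new files.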