[This corresponds to commits 6414, 6415, 6417, 6422, 6423, and 6424 in

the old svn tree.]

This patch adds tests to verify the environment filtering done in the Px
and Ux cases. It tests the environment from both an elf executable and
from a shell script. Also verifies that with the apparmor module loaded,
environment filtering on setuid apps still happens.

tests/regression/subdomain/Makefile

@@ -21,6 +21,8 @@ SRC=access.c \
     chmod.c \
     chown.c \
     deleted.c \
+    environ.c \
+    env_check.c \
     exec.c \
     exec_qual.c \
     exec_qual2.c \
@@ -100,6 +102,7 @@ TESTS=access \
       changehat_misc \
       chdir \
       deleted \
+      environ \
       exec \
       exec_qual \
       fork \

tests/regression/subdomain/env_check.c

@@ -0,0 +1,42 @@
+/* $Id$ */
+
+/*	Copyright (C) 2002-2006 Novell/SUSE
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License as
+ *	published by the Free Software Foundation, version 2 of the
+ *	License.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+int main(int argc, char *argv[])
+{
+	char *var, *val, *p, *envval;
+
+	if (argc < 2 || !(p = strchr(argv[1], '='))) {
+		fprintf(stderr, "Usage: %s VAR=value\n", argv[0]);
+		return 1;
+	}
+
+	var = strndup(argv[1], p - argv[1]);
+	val = strdup(p + 1);
+
+	envval = getenv(var);
+	if (!envval) {
+		fprintf(stderr, "FAIL: environment variable not found\n");
+		return 1;
+	}
+
+	if (strcmp(envval, val) != 0) {
+		fprintf(stderr, "FAIL: environment variable differs: expected '%s', found '%s'\n",
+			val, envval);
+		return 1;
+	}
+	return 0;
+}

tests/regression/subdomain/env_check.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+#
+#	$Id$
+#
+#	Copyright (C) 2002-2006 Novell/SUSE
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+if [ -z "$1" ] ; then
+	echo "Usage: $0 var=value"
+	exit 1;
+fi
+
+VAR=${1%%=*}
+VALUE=${1#*=}
+ENVVAL=$(eval echo \${$VAR})
+
+#echo ENVVAL = $ENVVAL
+
+if [ -z "${ENVVAL}" ] ; then
+	echo "FAIL: Environment variable \$$VAR is unset"
+	exit 1;
+fi
+
+if [ "${ENVVAL}" != "${VALUE}" ] ; then
+	echo "FAIL: Environment variable \$$VAR differs; expected $VALUE got ${ENVVAL}"
+	exit 1;
+fi
+
+exit 0

tests/regression/subdomain/environ.c

@@ -0,0 +1,82 @@
+/* $Id$ */
+
+/*	Copyright (C) 2002-2006 Novell/SUSE
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License as
+ *	published by the Free Software Foundation, version 2 of the
+ *	License.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/wait.h>
+
+#define RET_FAILURE 0
+#define RET_SUCCESS 1
+#define RET_CHLD_SUCCESS 2
+#define RET_CHLD_FAILURE 3
+#define RET_CHLD_SIGNAL 4
+
+int interp_status(int status)
+{
+	int rc;
+
+	if (WIFEXITED(status)) {
+		if (WEXITSTATUS(status) == 0) {
+			rc = RET_CHLD_SUCCESS;
+		} else {
+			rc = RET_CHLD_FAILURE;
+		}
+	} else {
+		rc = RET_CHLD_SIGNAL;
+	}
+
+	return rc;
+}
+
+int main(int argc, char *argv[])
+{
+	pid_t pid;
+	int status;
+	int retval = 1;
+
+	if (argc < 3 || !strchr(argv[2], '=')) {
+		fprintf(stderr, "Usage: %s program VAR=value\n", argv[0]);
+		return 1;
+	}
+
+	putenv(strdup(argv[2]));
+
+	pid = fork();
+
+	if (pid > 0) {
+		/* parent */
+		while (wait(&status) != pid);
+			/* nothing */
+
+		if (!WIFSTOPPED(status)) {
+			retval = interp_status(status);
+		}
+
+		if (retval == RET_CHLD_SUCCESS) {
+			printf("PASS\n");
+			retval = 0;
+		}
+
+	} else if (pid == 0) {
+		 /* child */
+		retval = execl(argv[1], argv[1], argv[2], (char *) NULL);
+		return retval;
+	} else {
+		/* error */
+		perror("FAIL: fork() failed:");
+		return 1;
+	}
+
+	return retval;
+}
+

tests/regression/subdomain/environ.sh

@@ -0,0 +1,93 @@
+#! /bin/bash
+# $Id$
+
+#	Copyright (C) 2002-2005 Novell/SUSE
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME environ
+#=DESCRIPTION
+# verify bprm_unsafe filtering occurs for Px and Ux.
+#
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+helper=$pwd/env_check
+setuid_helper=${tmpdir}/env_check
+helper_sh=$pwd/env_check.sh
+
+# TEST environment filtering on elf binaries
+genprofile $helper:ux
+runchecktest "ENVIRON (elf): ux & regular env" pass $helper FOO=BAR
+runchecktest "ENVIRON (elf): ux & sensitive env" pass $helper LD_LIBRARY_PATH=.
+
+genprofile $helper:Ux
+runchecktest "ENVIRON (elf): Ux & regular env" pass $helper FOO=BAR
+runchecktest "ENVIRON (elf): Ux & sensitive env" fail $helper LD_LIBRARY_PATH=.
+
+genprofile $helper:rix
+runchecktest "ENVIRON (elf): ix & regular env" pass $helper FOO=BAR
+runchecktest "ENVIRON (elf): ix & sensitive env" pass $helper LD_LIBRARY_PATH=.
+
+genprofile $helper:px -- image=$helper
+runchecktest "ENVIRON (elf): px & regular env" pass $helper FOO=BAR
+runchecktest "ENVIRON (elf): px & sensitive env" pass $helper LD_LIBRARY_PATH=.
+
+genprofile $helper:Px -- image=$helper
+runchecktest "ENVIRON (elf): Px & regular env" pass $helper FOO=BAR
+runchecktest "ENVIRON (elf): Px & sensitive env" fail $helper LD_LIBRARY_PATH=.
+
+genprofile image=$helper
+runchecktest "ENVIRON (elf): unconfined --> confined & regular env" pass $helper FOO=BAR
+runchecktest "ENVIRON (elf): unconfined --> confined & sensitive env" pass $helper LD_LIBRARY_PATH=.
+
+genprofile -C
+runchecktest "ENVIRON (elf): confined/complain & regular env" pass $helper FOO=BAR
+runchecktest "ENVIRON (elf): confined/complain & sensitive env" pass $helper LD_LIBRARY_PATH=.
+
+# TEST environment filtering on shell scripts
+genprofile ${helper_sh}:ux
+runchecktest "ENVIRON (shell script): ux & regular env" pass ${helper_sh} FOO=BAR
+runchecktest "ENVIRON (shell script): ux & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
+
+genprofile ${helper_sh}:Ux
+runchecktest "ENVIRON (shell script): Ux & regular env" pass ${helper_sh} FOO=BAR
+runchecktest "ENVIRON (shell script): Ux & sensitive env" fail ${helper_sh} LD_LIBRARY_PATH=.
+
+genprofile ${helper_sh}:px -- image=${helper_sh} /bin/bash:rix "/lib/lib*:mr"
+runchecktest "ENVIRON (shell script): px & regular env" pass ${helper_sh} FOO=BAR
+runchecktest "ENVIRON (shell script): px & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
+
+genprofile ${helper_sh}:Px -- image=${helper_sh} /bin/bash:rix "/lib/lib*:mr"
+runchecktest "ENVIRON (shell script): Px & regular env" pass ${helper_sh} FOO=BAR
+runchecktest "ENVIRON (shell script): Px & sensitive env" fail ${helper_sh} LD_LIBRARY_PATH=.
+
+genprofile ${helper_sh}:rix /bin/bash:rix "/lib/lib*:mr"
+runchecktest "ENVIRON (shell script): ix & regular env" pass ${helper_sh} FOO=BAR
+runchecktest "ENVIRON (shell script): ix & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
+
+genprofile image=${helper_sh} /bin/bash:rix "/lib/lib*:mr"
+runchecktest "ENVIRON (shell script): unconfined --> confined & regular env" pass ${helper_sh} FOO=BAR
+runchecktest "ENVIRON (shell script): unconfined --> confined & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
+
+genprofile -C
+runchecktest "ENVIRON (shell script): confined/complain & regular env" pass ${helper_sh} FOO=BAR
+runchecktest "ENVIRON (shell script): confined/complain & sensitive env" pass ${helper_sh} LD_LIBRARY_PATH=.
+
+# TEST environment filtering still works on setuid apps
+removeprofile
+
+cp $helper ${setuid_helper}
+chown nobody ${setuid_helper}
+chmod u+s ${setuid_helper}
+runchecktest "ENVIRON (elf): unconfined setuid helper" pass ${setuid_helper} FOO=BAR
+runchecktest "ENVIRON (elf): unconfined setuid helper" fail ${setuid_helper} LD_LIBRARY_PATH=.