From a03acd0ff1f2ffbf5efaf076a15426a0c0850504 Mon Sep 17 00:00:00 2001
From: Georgia Garcia
Date: Wed, 14 Dec 2022 20:05:57 +0000
Subject: [PATCH] tests: fix profile generation for dbus test

The test "eavesdrop (confined w/o dbus perms)" was failing for the
wrong reason. While it should fail because it is missing dbus rules,
it was actually failing because it didn't have the required unix rule.

The error message was:
"FAIL: Failed to open connection to "session" message bus: Failed to open socket: Permission denied"

Corresponding audit log:
[28306.743863] audit: type=1400 audit(1671048091.505:297): apparmor="DENIED" operation="create" class="net" profile="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" pid=6787 comm="dbus_eavesdrop" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none

After the change, the error message is:
FAIL: Failed to open connection to "session" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

Corresponding audit log:
[28444.248268] audit: type=1107 audit(1671048229.009:300): pid=6826 uid=0 auid=1000 ses=5 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6854 label="/home/georgia/apparmor/tests/regression/apparmor/dbus_eavesdrop" peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Georgia Garcia
(cherry picked from commit c42efa510ef59f573a29bfa9ea3005ab33eef632)
Signed-off-by: John Johansen
---
 tests/regression/apparmor/dbus_eavesdrop.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/regression/apparmor/dbus_eavesdrop.sh b/tests/regression/apparmor/dbus_eavesdrop.sh index a7f21552f..35d035a6c 100755 --- a/tests/regression/apparmor/dbus_eavesdrop.sh +++ b/tests/regression/apparmor/dbus_eavesdrop.sh @@ -34,7 +34,7 @@ runchecktest "eavesdrop (unconfined)" pass $args # Make sure we get denials when confined but not allowed -genprofile +gendbusprofile runchecktest "eavesdrop (confined w/o dbus perms)" fail $args gendbusprofile "dbus send,"
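Review bot: the `runchecktest "eavesdrop (confined w/o dbus perms)" fail $args` line right after the changed call still accepts any failure, which is how the missing unix rule described in the commit message went unnoticed. The bare `gendbusprofile` call, with no arguments, also gives no hint of why it replaced `genprofile`. Add a short comment above it saying that the profile is generated with the base rules the bus connection needs (the unix socket access from the first audit record) and deliberately without dbus rules, so the expected denial is the `dbus_method_call` one. If the harness can match on the failure output or the audit record, checking for `operation="dbus_method_call"` here would stop the test from passing on an unrelated denial again.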