mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-02 07:15:18 +00:00
Code Issues Releases Wiki Activity

cleaner way to keep files open for lsof

Browse Source
This commit is contained in:
Nicolas Campuzano Jimenez
2025-03-03 17:05:09 -05:00
committed by Ryan Lee
parent 5d8baf08b7
commit a65924c28a
1 changed files with 72 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
tests/profiles/lsof/task.yaml
View File

@@ -1,14 +1,5 @@
summary: stress test for the lsof profile summary: stress test for the lsof profile
execute: | execute: |
### Trivial test cases
#lsof /usr/bin/bash | MATCH '/usr/bin/bash' #initial basic test
# lsof >/dev/null 2>&1
# test $? -eq 0$
#if debugging necessary, run spread with '-vv' and '-debugging' and uncomment below
#lsof | tee /var/tmp/lsof_no_denials.txt
# Create block and character devices only if they don't exist
########### ###########
## SETUP ## ## SETUP ##
########### ###########
@@ -17,7 +8,7 @@ execute: |
# make sure we can run lsof -d mem later # make sure we can run lsof -d mem later
sudo chmod 660 /dev/mem sudo chmod 660 /dev/mem
# Create loopback test device (chck it doesn't exist either!) # Create loopback test device (check it doesn't exist either!)
[ -e /dev/loop10 ] || sudo mknod /dev/loop10 b 7 10 # major 1 -> loopback device; #minor10 -> instance 10 of device driver; shouldn't be in use. [ -e /dev/loop10 ] || sudo mknod /dev/loop10 b 7 10 # major 1 -> loopback device; #minor10 -> instance 10 of device driver; shouldn't be in use.
dd if=/dev/zero of=/tmp/test.img bs=1M count=10 # Fill /tmp/test.img with 10MB of 0's dd if=/dev/zero of=/tmp/test.img bs=1M count=10 # Fill /tmp/test.img with 10MB of 0's
sudo losetup /dev/loop10 /tmp/test.img # mount /tmp/test.img on /dev/loop10 so it looks like a block device sudo losetup /dev/loop10 /tmp/test.img # mount /tmp/test.img on /dev/loop10 so it looks like a block device
@@ -32,7 +23,7 @@ execute: |
# List all open files attached to /, recursively # List all open files attached to /, recursively
# sudo lsof +D / # sudo lsof +D /
# these 2 could be combined in one (-i -U) to list all UNIX sockets and network files$$$$ # these 2 could be combined in one (-i -U) to list all UNIX sockets and network files
sudo lsof -i sudo lsof -i
sudo lsof -U sudo lsof -U
# these 5 could be combined ( -d mem,mmap,txt,CHR,BLK) for mapped, memory-mapped, binaries, character & block devices) # these 5 could be combined ( -d mem,mmap,txt,CHR,BLK) for mapped, memory-mapped, binaries, character & block devices)
@@ -42,8 +33,9 @@ execute: |
sudo lsof -d CHR sudo lsof -d CHR
sudo lsof -d BLK sudo lsof -d BLK
# ########################################################################## #############################
# Test Deleted but Open Files # Test Deleted but Open Files
#############################
# Create a test file and open it in the background # Create a test file and open it in the background
echo "test data" > /tmp/deleted-file echo "test data" > /tmp/deleted-file
sleep 1 sleep 1
@@ -60,8 +52,9 @@ execute: |
kill $TAIL_PID kill $TAIL_PID
# ####################################################### ##############################
# Start a temporary web server # Start a temporary web server
##############################
python3 -m http.server 8080 & python3 -m http.server 8080 &
PYTHON_PID=$! PYTHON_PID=$!
sleep 2 sleep 2
@@ -71,26 +64,23 @@ execute: |
# Cleanup # Cleanup
kill $PYTHON_PID kill $PYTHON_PID
# ######################################################## ####################
# Test Named Pipe # Test Named Pipe
####################
# Open a named pipe # Open a named pipe
mkfifo /tmp/testpipe mkfifo /tmp/testpipe
cat /tmp/testpipe & # Open for reading in the background # open the pipe for r/w so that it remains open
CAT_PID=$! exec 3<> /tmp/testpipe
sleep 2
echo "test" > /tmp/testpipe #so that grep doesn't hang
sleep 1
# Check lsof dislays open pipe # Check lsof dislays open pipe
sudo lsof +E | tee /tmp/lsof.log | grep /tmp/testpipe || grep FIFO /tmp/lsof.log sudo lsof +E | tee /tmp/lsof.log | grep /tmp/testpipe || grep FIFO /tmp/lsof.log
# Cleanup # Cleanup
#kill $CAT_PID 2>/dev/null #in case cat terminates as soon as it outputs the redirected input from echoi exec 3<&- # Close fd 3
rm /tmp/testpipe rm /tmp/testpipe
#
#
# cat /tmp/script_debug.log
# ########################### #####################
# Open network sockets # Open network sockets
#####################
# Start a temporary web server # Start a temporary web server
python3 -m http.server 8080 & python3 -m http.server 8080 &
sleep 1 sleep 1
@@ -119,30 +109,31 @@ execute: |
kill $SCRIPT_PID 2>/dev/null kill $SCRIPT_PID 2>/dev/null
# ################################### #################
# #Zombie process # Zombie process
# ## Create a process that turns into a zombie #################
# Create a process that turns into a zombie
bash -c 'sleep 10 & wait $!' & bash -c 'sleep 10 & wait $!' &
PARENT_PID=$! PARENT_PID=$!
# # Wait a moment and check for zombies # Wait a moment and check for zombies
sleep 2 sleep 2
ps -ef | grep defunct ps -ef | grep defunct
sudo lsof -p $PARENT_PID sudo lsof -p $PARENT_PID
# # Cleanup # Cleanup
kill $PARENT_PID 2>/dev/null kill $PARENT_PID 2>/dev/null
###########################
# ######################################### # Encrypted loopback device
# #Encrypted loopback device ###########################
# Create an encrypted loopback device # Create an encrypted loopback device
dd if=/dev/zero of=/tmp/encrypted.img bs=1M count=30 dd if=/dev/zero of=/tmp/encrypted.img bs=1M count=30
sudo losetup /dev/loop20 /tmp/encrypted.img sudo losetup /dev/loop20 /tmp/encrypted.img
echo "securest passphrase" | sudo cryptsetup luksFormat /dev/loop20 --key-file=- echo "securest passphrase" | sudo cryptsetup luksFormat /dev/loop20 --key-file=-
echo "securest passphrase" | sudo cryptsetup luksOpen /dev/loop20 encdev --key-file=- echo "securest passphrase" | sudo cryptsetup luksOpen /dev/loop20 encdev --key-file=-
# # Mount it and check open files # Mount it and check open files
sudo mkfs.ext4 /dev/mapper/encdev sudo mkfs.ext4 /dev/mapper/encdev
mkdir -p /mnt/encrypted mkdir -p /mnt/encrypted
sudo mount /dev/mapper/encdev /mnt/encrypted sudo mount /dev/mapper/encdev /mnt/encrypted
@@ -154,55 +145,57 @@ execute: |
sudo lsof /mnt/encrypted sudo lsof /mnt/encrypted
exec 3<&- # Close file descriptor after lsof exec 3<&- # Close file descriptor after lsof
# # Cleanup # Cleanup
sudo umount /mnt/encrypted sudo umount /mnt/encrypted
sudo cryptsetup luksClose encdev sudo cryptsetup luksClose encdev
sudo losetup -d /dev/loop20 sudo losetup -d /dev/loop20
rm /tmp/encrypted.img rm /tmp/encrypted.img
# ############################################# ########
#Try SMB #Try SMB
########
#Install SMB and Mount SMB share #Install SMB and Mount SMB share
sudo apt update && sudo apt install -y samba sudo apt update && sudo apt install -y samba
sleep 1 sleep 1
sudo mkdir -p /srv/samba/share sudo mkdir -p /srv/samba/share
sudo chmod 777 /srv/samba/share # Allow all users to access (for testing) sudo chmod 777 /srv/samba/share # Allow all users to access (for testing)
# Inline the 'testshare' entry to the samba config file
printf "\n[testshare]\npath = /srv/samba/share\nbrowseable = yes\nread only = no\nguest ok = yes\nforce user = nobody\n" | sudo tee -a /etc/samba/smb.conf printf "\n[testshare]\npath = /srv/samba/share\nbrowseable = yes\nread only = no\nguest ok = yes\nforce user = nobody\n" | sudo tee -a /etc/samba/smb.conf
sleep 1 sleep 1
sudo systemctl restart smbd nmbd sudo systemctl restart smbd nmbd
sudo ss -tulnp | grep smbd # sudo ss -tulnp | grep smbd # uncomment if need to troubleshoot SMB.
sudo modprobe cifs sudo modprobe cifs
#testparm
sleep 1 sleep 1
sudo mkdir -p /mnt/smb sudo mkdir -p /mnt/smb
sudo mount -t cifs //127.0.0.1/testshare /mnt/smb -o guest sudo mount -t cifs //127.0.0.1/testshare /mnt/smb -o guest
# Try open file from mounted sharew # Try open file from mounted share
echo "test content" | sudo tee /srv/samba/share/testfile.txt echo "test content" | sudo tee /srv/samba/share/testfile.txt
sudo sync #sync samba or no content is cat'd sudo sync # sync samba to update testfile.txt
cat /mnt/smb/testfile.txt & # Open shared file for reading ans assign fd 3. Opoen for r/w can be tricky in smb, this does the trick.
CAT_PID=$! exec 3</mnt/smb/testfile.txt
sleep 2 sleep 2
#lsof on open share #lsof on open share
#sudo lsof /mnt/smb
sudo lsof -c smbd sudo lsof -c smbd
#kill $CAT_PID # Cleanup
exec 3<&- # Close fd 3
sudo umount /mnt/smb sudo umount /mnt/smb
############################################## #########
# Try NFS # Try NFS
#########
#mount NFS #mount NFS
sudo apt install -y nfs-kernel-server sudo apt install -y nfs-kernel-server
sleep 1 sleep 1
sudo mkdir -p /srv/nfs/share sudo mkdir -p /srv/nfs/share
sudo chmod 777 /srv/nfs/share # Allow all users for testing sudo chmod 777 /srv/nfs/share # Allow all users for testing
# Update nfs share config
echo '/srv/nfs/share 127.0.0.1(rw,sync,no_subtree_check,no_root_squash)' | sudo tee -a /etc/exports echo '/srv/nfs/share 127.0.0.1(rw,sync,no_subtree_check,no_root_squash)' | sudo tee -a /etc/exports
sudo exportfs -a sudo exportfs -a
sudo systemctl restart nfs-kernel-server sudo systemctl restart nfs-kernel-server
@@ -210,3 +203,4 @@ execute: |
sudo mount -t nfs 127.0.0.1:/srv/nfs/share /mnt/nfs sudo mount -t nfs 127.0.0.1:/srv/nfs/share /mnt/nfs
sudo lsof -c nfsd sudo lsof -c nfsd
sudo umount /mnt/nfs