tests: fix use of deny qualifier on policy generation for mqueue tests

The mqueue tests were using the previous format which was specific for capabilities. The qual= prefix should be used instead. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-08-30 13:58:22 +00:00 · 2023-01-11 21:42:19 +00:00 · 2023-01-11 21:42:19 +00:00 · a93e1ee3cc
commit a93e1ee3cc
parent 223036d952
2 changed files with 37 additions and 37 deletions
--- a/tests/regression/apparmor/posix_mq.sh
+++ b/tests/regression/apparmor/posix_mq.sh
@ -86,11 +86,11 @@ for username in "root" "$userid" ; do
    do_tests "unconfined $username" pass pass pass pass $usercmd

    # No mqueue perms
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "$sender:px" -- image=$sender
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" -- image=$sender
    do_tests "confined $username - no perms" fail fail fail fail $usercmd


-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- image=$sender "deny mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- image=$sender "deny mqueue"
    do_tests "confined $username - deny perms" fail fail fail fail $usercmd


@ -102,46 +102,46 @@ for username in "root" "$userid" ; do
    #   apparmor when doing "root" username tests
    # * if doing the $userid set of tests and you see
    #   Permission denied in the test output
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" -- image=$sender "mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" -- image=$sender "mqueue"
    do_tests "confined $username - mqueue" pass pass pass pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:type=posix" "$sender:px" -- image=$sender "mqueue:type=posix"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:type=posix" "$sender:px" -- image=$sender "mqueue:type=posix"
    do_tests "confined $username - mqueue type=posix" pass pass pass pass $usercmd

    # queue name
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue:$queuename"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue:$queuename"
    do_tests "confined $username - mqueue /name 1" pass pass pass pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" -- image=$sender "mqueue:$queuename"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue" "$sender:px" -- image=$sender "mqueue:$queuename"
    do_tests "confined $username - mqueue /name 2" pass pass pass pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue"
    do_tests "confined $username - mqueue /name 3" pass pass pass pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue:$queuename2"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:$queuename" "$sender:px" -- image=$sender "mqueue:$queuename2"
    do_tests "confined $username - mqueue /name 4" fail fail fail fail $usercmd -t 1


    # specific permissions
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
    do_tests "confined $username - specific 1" pass pass pass pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
    do_tests "confined $username - specific 2" fail fail fail fail $usercmd -t 1

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
    do_tests "confined $username - specific 3" fail fail fail fail $usercmd -t 1

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
    do_tests "confined $username - specific 4" fail fail fail fail $usercmd -t 1

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,setattr)" "$sender:px" -- image=$sender "mqueue:write"
    do_tests "confined $username - specific 5" pass pass pass pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr)" "$sender:px" -- image=$sender "mqueue:write"
    do_tests "confined $username - specific 6" pass pass pass pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:read"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:read"
    do_tests "confined $username - specific 7" fail fail fail fail $usercmd -t 1

    # unconfined receiver
@ -150,17 +150,17 @@ for username in "root" "$userid" ; do


    # unconfined sender
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink"  "mqueue" "$sender:ux"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink"  "mqueue" "$sender:ux"
    do_tests "confined receiver $username - unconfined sender" pass pass pass pass $usercmd


    # queue label
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:label=$receiver" "$sender:px" -- image=$sender "mqueue:label=$receiver"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:label=$receiver" "$sender:px" -- image=$sender "mqueue:label=$receiver"
    do_tests "confined $username - mqueue label 1" xpass xpass xpass xpass $usercmd


    # queue name and label
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete):type=posix:label=$receiver:$queuename" "$sender:px" -- image=$sender "mqueue:(open,write):type=posix:label=$receiver:$queuename"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "network:netlink" "mqueue:(create,read,delete):type=posix:label=$receiver:$queuename" "$sender:px" -- image=$sender "mqueue:(open,write):type=posix:label=$receiver:$queuename"
    do_tests "confined $username - mqueue label 2" xpass xpass xpass xpass $usercmd

    # ensure we are cleaned up for next pass
--- a/tests/regression/apparmor/sysv_mq.sh
+++ b/tests/regression/apparmor/sysv_mq.sh
@ -75,10 +75,10 @@ for username in "root" "$userid" ; do
    do_tests "unconfined $username" pass $usercmd

    # No mqueue perms
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "$sender:px" -- image=$sender
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "$sender:px" -- image=$sender
    do_tests "confined $username - no perms" fail $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- image=$sender "deny mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "deny:mqueue" "$sender:px" -- image=$sender "deny mqueue"
    do_tests "confined $username - deny perms" fail $usercmd

    # generic mqueue
@ -89,51 +89,51 @@ for username in "root" "$userid" ; do
    #   apparmor when doing "root" username tests
    # * if doing the $userid set of tests and you see
    #   Permission denied in the test output
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- image=$sender "mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- image=$sender "mqueue"
    do_tests "confined $username - mqueue" pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:type=sysv" "$sender:px" -- image=$sender "mqueue:type=sysv"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:type=sysv" "$sender:px" -- image=$sender "mqueue:type=sysv"
    do_tests "confined $username - mqueue type=sysv" pass $usercmd

    # queue name
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue:$qkey"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue:$qkey"
    do_tests "confined $username - mqueue /name 1" pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- image=$sender "mqueue:$qkey"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:px" -- image=$sender "mqueue:$qkey"
    do_tests "confined $username - mqueue /name 2" pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue"
    do_tests "confined $username - mqueue /name 3" pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue:$qkey2"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:$qkey" "$sender:px" -- image=$sender "mqueue:$qkey2"
    do_tests "confined $username - mqueue /name 4" fail $usercmd -t 1


    # specific permissions
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
    do_tests "confined $username - specific 1" pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
    do_tests "confined $username - specific 2" fail $usercmd -t 1

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
    do_tests "confined $username - specific 3" fail $usercmd -t 1

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
    do_tests "confined $username - specific 4" fail $usercmd -t 1
    # we need to remove queue since the previous test didn't
    ipcrm --queue-key $qkey >/dev/null 2>&1

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,setattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
    do_tests "confined $username - specific 5" pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr)" "$sender:px" -- image=$sender "mqueue:(open,write)"
    do_tests "confined $username - specific 6" pass $usercmd

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,read)"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:(open,read)"
    do_tests "confined $username - specific 7" fail $usercmd -t 1

-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete,getattr,setattr)" "$sender:px" -- image=$sender "mqueue:write"
    do_tests "confined $username - specific 7" fail $usercmd -t 1


@ -143,17 +143,17 @@ for username in "root" "$userid" ; do


    # unconfined sender
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue" "$sender:ux"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue" "$sender:ux"
    do_tests "confined receiver $username - unconfined sender" pass $usercmd


    # queue label
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:label=$receiver" "$sender:px" -- image=$sender "mqueue:label=$receiver"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:label=$receiver" "$sender:px" -- image=$sender "mqueue:label=$receiver"
    do_tests "confined $username - mqueue label 1" xpass $usercmd


    # queue name and label
-    genprofile "cap:sys_resource:deny" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete):type=sysv:label=$receiver:$qkey" "$sender:px" -- image=$sender "mqueue:(open,write):type=sysv:label=$receiver:$qkey"
+    genprofile "qual=deny:cap:sys_resource" "cap:setuid" "cap:fowner" "mqueue:(create,read,delete):type=sysv:label=$receiver:$qkey" "$sender:px" -- image=$sender "mqueue:(open,write):type=sysv:label=$receiver:$qkey"
    do_tests "confined $username - mqueue label 2" xpass $usercmd