mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-03 07:45:50 +00:00
Code Issues Releases Wiki Activity

Merge Write a regression test for mediating file access in private mounts

Browse Source 
This test, as is, emits an execname warning which is due to a bug in the `prologue.inc` infrastructure (see !1450 for a fix to this issue).

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1448
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen
2024-12-19 19:44:51 +00:00
parent c489631770 fa58d3611a
commit ba60bfff85
3 changed files with 47 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
tests/regression/apparmor/Makefile
View File

@@ -267,6 +267,7 @@ TESTS=aa_exec \
exec_qual \ exec_qual \
fchdir \ fchdir \
fd_inheritance \ fd_inheritance \
file_unbindable_mount \
fork \ fork \
i18n \ i18n \
link \ link \

45
tests/regression/apparmor/file_unbindable_mount.sh Normal file
View File

@@ -0,0 +1,45 @@
#! /bin/bash
# Copyright (C) 2024 Canonical, Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# License.
#=NAME file_unbindable_mount
#=DESCRIPTION
# Verifies that file rules work across unbindable mounts
#=END
pwd=$(dirname "$0")
pwd=$(cd "$pwd" || exit ; /bin/pwd)
bin=$pwd
. "$bin/prologue.inc"
backing_file="$tmpdir/loop_file"
mount_target="$tmpdir/mount_target"
mkdir "${mount_target}"
fallocate -l 512K "${backing_file}"
mkfs.fat -F 32 "${backing_file}" > /dev/null 2> /dev/null
losetup -f "${backing_file}" || fatalerror 'Unable to set up a loop device'
loop_device="$(/sbin/losetup -n -O NAME -l -j "${backing_file}")"
mount --make-unbindable "${loop_device}" "${mount_target}"
fallocate -l 16K "${mount_target}/a_file"
# echo is also a builtin, making things a bit more complicated
cp "$(type -P echo)" "${mount_target}/echo"
settest file_unbindable_mount "${bin}/complain"
genprofile "${mount_target}/a_file:r" "${mount_target}/echo:ix"
runchecktest "Read file in unbindable mount" pass read "${mount_target}/a_file"
runchecktest "Exec in unbindable mount" pass exec "${mount_target}/echo" PASS
umount "${loop_device}"
losetup -d "${loop_device}"
rm "${backing_file}"

1
tests/regression/apparmor/task.yaml
View File

@@ -27,6 +27,7 @@ environment:
TEST/exec_stack: 1 TEST/exec_stack: 1
TEST/fchdir: 1 TEST/fchdir: 1
TEST/fd_inheritance: 1 TEST/fd_inheritance: 1
TEST/file_unbindable_mount: 1
TEST/fork: 1 TEST/fork: 1
TEST/i18n: 1 TEST/i18n: 1
TEST/introspect: 1 TEST/introspect: 1