Nnp unconfined exception tests

Add nnp tests around the unconfined exception.

An unconfined task is allowed changing to a profile under nnp restrictions. However this has implications when the task has stacked confinement.

  profile//&unconfined

  profile//&:ns:unconfined

  ...

will not be caught by the unconfined test. Instead the unconfined exception needs to be tested as part of the subset test. Add tests to ensure we can catch regressions around a stacked unconfined profile.

PR: https://gitlab.com/apparmor/apparmor/merge_requests/424
Signed-off-by: John Johansen <john.johansen@canonical.com>

tests/regression/apparmor/nnp.sh

@@ -28,6 +28,7 @@ fileok="${file}:${okperm}"
 getcon="/proc/*/attr/current:r"
 setcon="/proc/*/attr/current:w"
 setexec="/proc/*/attr/exec:w"
+policy="/sys/kernel/security/apparmor/"
 
 touch $file
 
@@ -67,7 +68,7 @@ runchecktest "NNP (change profile - no NNP)" pass -P "$bin/open"
 runchecktest_errno EPERM "NNP (change profile - NNP)" fail -n -P "$bin/open"
 
 if [ "$(kernel_features_istrue domain/stack)" != "true" ] ; then
-    echo "	kernel does not support profile stacking - skipping stacking tests ..."
+    echo "	kernel does not support profile stacking - skipping stacking nnp tests ..."
 else
 
     # Verify that NNP allows stack onexec of another profile
@@ -79,4 +80,65 @@ else
     genprofile "$fileok" "$setcon" "change_profile->:&$bin/open" -- image="$bin/open" "$fileok"
     runchecktest "NNP (stack profile - no NNP)" pass -p "$bin/open" -f "$file"
     runchecktest "NNP (stack profile - NNP)" pass -n -p "$bin/open" -f "$file"
+
+    #Verify that NNP allow stacking unconfined along current profile
+    #this allows verifying that a stack with unconfined still gets the
+    #unconfined exception applied. It also tests that dropping unconfined
+    #from the stack is allowed. ie.
+    # transition//&unconfined -> transition//&open
+    # and
+    # transition//&unconfined -> transition//&open//&unconfined
+    genprofile "$fileok" "$setcon" "change_profile->:&$bin/open" "change_profile->:&unconfined" -- image="$bin/open" "$fileok"
+    runchecktest "NNP (stack profile&unconfined - no NNP)" pass -i "&unconfined" -p "$bin/open" -f "$file"
+    runchecktest "NNP (stack profile&unconfined - NNP)" pass -n -i "&unconfined" -p "$bin/open" -f "$file"
+
+    genprofile "$fileok" "$setcon" "change_profile->:$bin/transition" "change_profile->:$bin/open" "change_profile->:&unconfined" -- image="$bin/open" "$fileok"
+    runchecktest "NNP (change profile&unconfined - no NNP)" pass -i "&unconfined" -P "$bin/transition//&$bin/open" -f "$file"
+    runchecktest "NNP (change profile&unconfined - NNP)" pass -n -i "&unconfined" -P "$bin/transition//&$bin/open" -f "$file"
+
+
+    #Verify that NNP allows stacking a new policy namespace
+    #must use stdin with genprofile for namespaces
+    genprofile --stdin <<EOF
+$test {
+    @{gen_bin $test}
+    @{gen_def}
+    ${file} ${okperm},
+    /proc/*/attr/current w,
+    change_profile-> &:nnp:unconfined,
+}
+:nnp:$bin/open {
+    @{gen_bin $bin/open}
+    @{gen_def}
+    ${file} ${okperm},
+}
+EOF
+    #genprofile is creating child namespace so mkdir not needed
+    runchecktest "NNP (stack :nnp:unconfined - no NNP)" pass -p ":nnp:unconfined" -f "$file"
+    runchecktest "NNP (stack :nnp:unconfined - NNP)" pass -n -p ":nnp:unconfined" -f "$file"
+
+    runchecktest "NNP (stack :nnp:open - no NNP)" fail -p ":nnp:$bin/open" -f "$file"
+    runchecktest "NNP (stack :nnp:open - NNP)" fail -n -p ":nnp:$bin/open" -f "$file"
+
+    genprofile --stdin <<EOF
+$test {
+    @{gen_bin $test}
+    @{gen_def}
+    ${file} ${okperm},
+    /proc/*/attr/current w,
+    change_profile-> &:nnp:$bin/open,
+}
+:nnp:$bin/open {
+    @{gen_bin $bin/open}
+    @{gen_def}
+    ${file} ${okperm},
+}
+EOF
+     runchecktest "NNP (stack :nnp:open - no NNP)" pass -p ":nnp:$bin/open" -f "$file"
+    runchecktest "NNP (stack :nnp:open - NNP)" pass -n -p ":nnp:$bin/open" -f "$file"
+    # explicitly remove profile before cleaning up the namespace so
+    # prologue.inc auto cleanup doesn't fail
+    removeprofile
+    echo -n  ":nnp:" > "$policy/.remove" || echo "   warning failed to remove namespace policy/namespaces/nnp"
+
 fi

tests/regression/apparmor/transition.c

@@ -309,6 +309,7 @@ static void usage(const char *prog)
 		"  -P <LABEL>\tCall aa_change_profile(LABEL)\n"
 		"  -o <LABEL>\tCall aa_stack_onexec(LABEL)\n"
 		"  -p <LABEL>\tCall aa_stack_profile(LABEL)\n"
+		"  -i <LABEL>\tCall aa_change_profile(LABEL) before nnp\n"
 		"  -n\t\tSet NO_NEW_PRIVS\n"
 		"  -L <LABEL>\tVerify that /proc/self/attr/exec contains LABEL\n"
 		"  -M <MODE>\tVerify that /proc/self/attr/exec contains MODE. Set to \"%s\" if a NULL mode is expected.\n"
@@ -351,10 +352,10 @@ static void set_transition(const char *prog, struct options *opts,
 static void parse_opts(int argc, char **argv, struct options *opts)
 {
 	const char *prog = argv[0];
-	int o;
+	int o, rc;
 
 	memset(opts, 0, sizeof(*opts));
-	while ((o = getopt(argc, argv, "f:L:M:l:m:nO:P:o:p:")) != -1) {
+	while ((o = getopt(argc, argv, "f:L:M:l:m:nO:P:o:p:i:")) != -1) {
 		switch (o) {
 		case 'f': /* file */
 			opts->file = optarg;
@@ -386,6 +387,14 @@ static void parse_opts(int argc, char **argv, struct options *opts)
 		case 'p': /* aa_stack_profile */
 			set_transition(prog, opts, STACK_PROFILE, optarg);
 			break;
+		case 'i': /* aa_change_profile - immediate before nnp */
+			rc = aa_change_profile(optarg);
+			if (rc < 0) {
+				int err = errno;
+				perror("FAIL: immediate change_profile");
+				exit(err);
+			}
+			break;
 		default: /* '?' */
 			usage(prog);
 		}