From ec62254b04f328b693d0f8d136c7c1bca747134c Mon Sep 17 00:00:00 2001
From: Steve Beattie
Date: Mon, 24 Aug 2020 22:46:08 -0700
Subject: [PATCH] regression tests: add FIPS-140-2 lib validation hmac files
DBus services link against libgcrypt, and thus when libgcrypt has had patches applied to make it FIP 140-2 compliant, the dbus based tests confined by apparmor need access to the associated library integrity validation file. Fix this by causing mkprofile to grant read access in all generated profiles by default.
Signed-off-by: Steve Beattie
Bug: https://bugs.launchpad.net/bugs/1891664
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/595
---
 tests/regression/apparmor/mkprofile.pl | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/regression/apparmor/mkprofile.pl b/tests/regression/apparmor/mkprofile.pl
index 704c941be..201d53cb5 100755
--- a/tests/regression/apparmor/mkprofile.pl
+++ b/tests/regression/apparmor/mkprofile.pl
@@ -101,6 +101,10 @@ sub gen_default_rules() {
 # give every profile access to /dev/urandom (propolice, etc.)
 gen_file("/dev/urandom:r");
+
+ # give every profile access to FIPS hmac files in /lib and /usr/lib
+ gen_file("/{usr/,}lib{,32,64}/.lib*.so*.hmac:r");
+ gen_file("/{usr/,}lib/{,**/}.lib*.so*.hmac:r");
 }
 sub gen_elf_binary($) {
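Review bot: The two added `gen_file` rules in `gen_default_rules` do not cover the same directories: the first matches `.hmac` files directly under `lib`, `lib32` and `lib64`, while the second matches subdirectories of `lib` only. A FIPS hmac file in a subdirectory of `lib32` or `lib64` would therefore still be denied; whether any targeted distribution installs one there cannot be told from this hunk. If the asymmetry is not intended, one rule covers both cases and removes the overlap at the top level of `lib`: `gen_file("/{usr/,}lib{,32,64}/{,**/}.lib*.so*.hmac:r");`. The comment above the rules names only /lib and /usr/lib, and it could also say why the grant exists, e.g. `# FIPS-enabled libgcrypt reads its .hmac integrity file at load; allow read-only access in lib, lib32, lib64 and subdirectories`. Because every generated profile now carries this read grant, keeping it read-only and limited to the dot-prefixed `.lib*.so*.hmac` name pattern is the right scope. `gen_default_rules` begins outside the hunk.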