regression test: conditionaly run pivot_root domain, transitions

Update the tests to test whether the kernel and parser support domain transitions on pivot_root. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2025-08-31 06:16:03 +00:00 · 2017-09-07 02:28:06 -07:00
parent 4eece9d5ee
commit ec6f185787
2 changed files with 56 additions and 24 deletions
--- a/tests/regression/apparmor/pivot_root.sh
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -155,34 +155,42 @@ do_test "bad put_old, new_root" fail "$put_old" "$new_root" "$test"
 genprofile $cur $cap "pivot_root:oldroot=$put_old $bad"
 do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"

-# Give sufficient perms and perform a profile transition
-genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
-do_test "transition" pass "$put_old" "$new_root" "$new_prof"
+if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then
+    echo "	kernel does not support pivot_root domain transitions skipping tests ..."
+elif [ "$(parser_supports 'pivot_root -> foo,')"  != "true" ] ; then
+    #pivot_root domain transitions not supported
+    echo "	parser does not support pivot root domain transitions skipping tests ..."
+else
+    # Give sufficient perms and perform a profile transition
+    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
+    do_test "transition" pass "$put_old" "$new_root" "$new_prof"

-# Ensure failure when the the new profile can't read /proc/<PID>/attr/current
-genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
-do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"
+    # Ensure failure when the the new profile can't read /proc/<PID>/attr/current
+    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof
+    do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"

-# Ensure failure when the new profile doesn't exist
-genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
-do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"
+    # Ensure failure when the new profile doesn't exist
+    genprofile $cap "pivot_root:-> $bad" -- image=$new_prof $cur
+    do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"

-# Ensure the test binary is accurately doing post pivot_root profile verification
-genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
-do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"
+    # Ensure the test binary is accurately doing post pivot_root profile verification
+    genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
+    do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"

-# Give sufficient perms with new_root and a transition
-genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
-do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"
+    # Give sufficient perms with new_root and a transition
+    genprofile $cap "pivot_root:$new_root -> $new_prof" -- image=$new_prof $cur
+    do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"

-# Ensure failure when the new profile doesn't exist and new_root is specified
-genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
-do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
+    # Ensure failure when the new profile doesn't exist and new_root is specified
+    genprofile $cap "pivot_root:$new_root -> $bad" -- image=$new_prof $cur
+    do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"

-# Give sufficient perms with new_root, put_old, and a transition
-genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur
-do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"
+    # Give sufficient perms with new_root, put_old, and a transition
+    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- image=$new_prof $cur
+    do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"

-# Ensure failure when the new profile doesn't exist and new_root and put_old are specified
-genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
-do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
+    # Ensure failure when the new profile doesn't exist and new_root and put_old are specified
+    genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
+    do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
+
+fi
--- a/tests/regression/apparmor/prologue.inc
+++ b/tests/regression/apparmor/prologue.inc
@@ -22,6 +22,30 @@
 # For this file, functions are first, entry point code is at end, see "MAIN"

 #use $() to retreive the failure message or "true" if success
+
+kernel_features_istrue()
+{
+	if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
+		echo "Kernel feature masks not supported."
+		return 1;
+	fi
+
+	for f in $@ ; do
+		if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
+			echo "Required feature '$f' not available."
+			return 2;
+		fi
+		if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \
+		     `cat "/sys/kernel/security/apparmor/features/$f"` == 'no' ] ; then
+			echo "Required feature '$f' not available."
+			return 3;
+		fi
+        done
+
+	echo "true"
+	return 0;
+}
+
 kernel_features()
 {
 	if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then