mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-09-01 23:05:11 +00:00
Code Issues Releases Wiki Activity

regression test: conditionaly run pivot_root domain, transitions

Browse Source 
Update the tests to test whether the kernel and parser support domain
transitions on pivot_root.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
This commit is contained in:
John Johansen
2017-09-07 02:28:06 -07:00
parent 4eece9d5ee
commit ec6f185787
2 changed files with 56 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
tests/regression/apparmor/pivot_root.sh
View File

@@ -155,6 +155,12 @@ do_test "bad put_old, new_root" fail "$put_old" "$new_root" "$test"
genprofile $cur $cap "pivot_root:oldroot=$put_old $bad" genprofile $cur $cap "pivot_root:oldroot=$put_old $bad"
do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test" do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"
if [ "$(kernel_features_istrue namespaces/pivot_root)" != "true" ] ; then
echo " kernel does not support pivot_root domain transitions skipping tests ..."
elif [ "$(parser_supports 'pivot_root -> foo,')" != "true" ] ; then
#pivot_root domain transitions not supported
echo " parser does not support pivot root domain transitions skipping tests ..."
else
# Give sufficient perms and perform a profile transition # Give sufficient perms and perform a profile transition
genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur genprofile $cap "pivot_root:-> $new_prof" -- image=$new_prof $cur
do_test "transition" pass "$put_old" "$new_root" "$new_prof" do_test "transition" pass "$put_old" "$new_root" "$new_prof"
@@ -186,3 +192,5 @@ do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"
# Ensure failure when the new profile doesn't exist and new_root and put_old are specified # Ensure failure when the new profile doesn't exist and new_root and put_old are specified
genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur genprofile $cap "pivot_root:oldroot=$put_old $new_root -> $bad" -- image=$new_prof $cur
do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof" do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"
fi

24
tests/regression/apparmor/prologue.inc
View File

@@ -22,6 +22,30 @@
# For this file, functions are first, entry point code is at end, see "MAIN" # For this file, functions are first, entry point code is at end, see "MAIN"
#use $() to retreive the failure message or "true" if success #use $() to retreive the failure message or "true" if success
kernel_features_istrue()
{
if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
echo "Kernel feature masks not supported."
return 1;
fi
for f in $@ ; do
if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
echo "Required feature '$f' not available."
return 2;
fi
if [ ! -f "/sys/kernel/security/apparmor/features/$f" -o \
`cat "/sys/kernel/security/apparmor/features/$f"` == 'no' ] ; then
echo "Required feature '$f' not available."
return 3;
fi
done
echo "true"
return 0;
}
kernel_features() kernel_features()
{ {
if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then