start of some changeprofile tests

2025-08-28 21:07:56 +00:00 · 2009-08-20 04:13:08 +00:00 · 2009-08-20 04:13:08 +00:00 · ed8530d9b6
commit ed8530d9b6
parent 7e962a409c
4 changed files with 143 additions and 10 deletions
--- a/tests/regression/subdomain/Makefile
+++ b/tests/regression/subdomain/Makefile
@ -8,6 +8,7 @@
 #	License.

 SRC=access.c \
+    changeprofile.c \
    changehat.c \
    changehat_fork.c \
    changehat_misc.c \
--- a/tests/regression/subdomain/changeprofile.c
+++ b/tests/regression/subdomain/changeprofile.c
@ -0,0 +1,50 @@
+/* $Id: changehat.c 166 2006-10-24 23:15:32Z jrjohansen $ */
+
+/*
+ *	Copyright (C) 2002-2005 Novell/SUSE
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License as
+ *	published by the Free Software Foundation, version 2 of the
+ *	License.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdlib.h>
+#include <linux/unistd.h>
+
+#include <sys/apparmor.h>
+#include "changehat.h"
+
+int main(int argc, char *argv[])
+{
+	int rc; 
+
+	if (argc != 3){
+		fprintf(stderr, "usage: %s profile file\n",
+			argv[0]);
+		return 1;
+	}
+
+	/* change profile if profile name != nochange */
+	if (strcmp(argv[1], "nochange") != 0){
+		rc = aa_change_profile(argv[1]);
+		if (rc == -1){
+			fprintf(stderr, "FAIL: changeprofile %s failed - %s\n",
+				argv[1], strerror(errno));
+			exit(errno);
+		}
+	}
+
+	rc = do_open(argv[2]);
+	if (rc == 0)
+		printf("PASS\n");
+
+	return rc;
+}
--- a/tests/regression/subdomain/changeprofile.sh
+++ b/tests/regression/subdomain/changeprofile.sh
@ -0,0 +1,77 @@
+#! /bin/bash
+# $Id: changeprofile.sh 1066 2007-12-23 01:06:30Z jrjohansen $
+
+#	Copyright (C) 2002-2005 Novell/SUSE
+#
+#	This program is free software; you can redistribute it and/or
+#	modify it under the terms of the GNU General Public License as
+#	published by the Free Software Foundation, version 2 of the
+#	License.
+
+#=NAME changeprofile
+#=DESCRIPTION 
+# Verifies basic file access permission checks for a parent profile and one 
+# subprofile/hat
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+file=$tmpdir/file
+subfile=$tmpdir/file2
+okperm=rw
+
+othertest="$pwd/rw"
+subtest2="$pwd//sub2"
+subtest3="$pwd//sub3"
+
+
+touch $file $subfile
+
+# CHANGEPROFILE UNCONFINED
+runchecktest "CHANGEPROFILE (unconfined - nochange)" pass nochange $file
+runchecktest_errno ENOENT "CHANGEPROFILE (unconfined)" fail $subtest $file
+genprofile image=$othertest $file:$okperm
+runchecktest "CHANGEPROFILE (unconfined)" pass $othertest $file
+exit
+
+# NO CHANGEPROFILE TEST
+genprofile $file:$okperm
+runchecktest "NO CHANGEPROFILE (access parent file)" pass nochange $file
+runchecktest "NO CHANGEPROFILE (access sub file)" fail nochange $subfile
+
+
+
+
+# CHANGEPROFILE NO HATS TEST - NO PERMISSION
+runchecktest "CHANGEPROFILE (no hats, nochange)" pass nochange $file
+runchecktest_errno EACCES "CHANGEPROFILE (no hats, $file)" fail $subtest $file
+runchecktest_errno EACCES "CHANGEPROFILE (no hats, $subfile)" fail $subtest $subfile
+
+# CHANGEPROFILE NO HATS TEST - PERMISSION
+genprofile $file:$okperm 'change_profile ->':$subtest
+runchecktest "CHANGEPROFILE (no hats, nochange)" pass nochange $file
+exit
+runchecktest_errno ENOENT "CHANGEPROFILE (no hats, $file)" fail $subtest $file
+runchecktest_errno ENOENT "CHANGEPROFILE (no hats, $subfile)" fail $subtest $subfile
+
+# CHANGEPROFILE TEST
+
+genprofile $file:$okperm hat:$subtest $subfile:$okperm
+
+runchecktest "CHANGEPROFILE (access parent file)" fail $subtest $file
+runchecktest "CHANGEPROFILE (access sub file)" pass $subtest $subfile
+
+# CHANGEPROFILE TEST -- multiple subprofiles
+
+genprofile $file:$okperm hat:$subtest $subfile:$okperm hat:$subtest2 $subfile:$okperm hat:$subtest3 $subfile:$okperm
+
+runchecktest "CHANGEPROFILE (access parent file)" fail $subtest $file
+runchecktest "CHANGEPROFILE (access sub file)" pass $subtest $subfile
+runchecktest "CHANGEPROFILE (access sub file)" pass $subtest2 $subfile
+runchecktest "CHANGEPROFILE (access sub file)" pass $subtest3 $subfile
+
--- a/tests/regression/subdomain/ptrace.sh
+++ b/tests/regression/subdomain/ptrace.sh
@ -29,6 +29,10 @@ bin=$pwd

 helper=$pwd/ptrace_helper

+# -n number of syscalls to perform
+# -c have the child call ptrace_me, else parent does ptrace_attach
+# -h transition child to ptrace_helper before doing ptrace (used to test
+#  x transitions with ptrace)
 # test base line of unconfined tracing unconfined
 runchecktest "test 1" pass -n 100 /bin/true
 runchecktest "test 1 -c" pass -c -n 100 /bin/true
@ -97,27 +101,27 @@ runchecktest "test 7a -hc " pass -h -c -n 100 $helper
 runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
 runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true

-#traced helper can't do px - should update so depends on tracer
+#traced helper from unconfined
 genprofile image=$helper $helper:ix /bin/true:rpx -- image=/bin/true
 runchecktest "test 8" pass -n 100 /bin/true
 # pass - ptrace_attach is done before exec
 runchecktest "test 8 -c " pass -c -n 100 /bin/true
 runchecktest "test 8 -h" pass -h -n 100 $helper
 runchecktest "test 8 -hc " pass -h -c -n 100 $helper
-# fail - can not px due to ptrace
-runchecktest "test 8 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 8 -hc prog" fail -h -c -n 100 $helper /bin/true
+# pass - can px if tracer can ptrace target
+runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true

-#traced helper can't do ux - should update so depends on tracer
+#traced helper from unconfined
 genprofile image=$helper $helper:ix /bin/true:rux -- image=/bin/true
 runchecktest "test 9" pass -n 100 /bin/true
 # pass - ptrace_attach is done before exec
 runchecktest "test 9 -c " pass -c -n 100 /bin/true
 runchecktest "test 9 -h" pass -h -n 100 $helper
 runchecktest "test 9 -hc " pass -h -c -n 100 $helper
-# fail - can not ux due to ptrace
-runchecktest "test 9 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 9 -hc prog" fail -h -c -n 100 $helper /bin/true
+# pass - can ux if tracer can ptrace target
+runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true

 genprofile
 # fail due to no exec permission
@ -148,10 +152,11 @@ runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper /bin/true

 #ptraced confined app can't px - fails to unset profile
 genprofile image=$helper $helper:rix /bin/true:rpx
-runchecktest "test 14 -h prog" fail -h -n 100 $helper /bin/true
-runchecktest "test 14 -hc prog" fail -h -c -n 100 $helper /bin/true
+runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true

 #ptraced confined app can't ux - fails to unset profile
+#
 genprofile image=$helper $helper:rix /bin/true:rux
 runchecktest "test 14 -h prog" fail -h -n 100 $helper /bin/true
 runchecktest "test 14 -hc prog" fail -h -c -n 100 $helper /bin/true