The unnamed nature of an O_TMPFILE, combined with the delayed linkage of
linkat(2), creates a potential for a filesystem mediation bypass. Thus,
add a test to verify whether or not such a bypass occurs.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Basic AppArmor profile for the free binary, tested on Ubuntu 24.04.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1629
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
This is a small improvement that makes sure lsusb is able to read some
properties of the virtual USB devices provisioned for the test.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
Creates an AA profile for ProFTPD. The profile has been tested on Oracular with version `1.3.8.b+dfsg-2ubuntu1`, using the source integration/unit tests and via FTP commands. As an FTP package any directory can be used for manipulating files. I've included read/write permissions to several usual locations located at the end of the profile. However these are too loose, any suggestions for how they could be tightened is much appreciated. Thanks!
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1524
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Initial profile for review + extra descriptions to summarize why each rule / chunk is there.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1486
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Maxime Bélair <maxime.belair@canonical.com>
Due to how labeling is implemented, during the creation it is not yet
defined, so we need to grant create permissions without attaching the
label yet. Also, adjust tests to pass when label support is
implemented in the kernel.
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1623
Approved-by: Maxime Bélair <maxime.belair@canonical.com>
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This includes testing for options in (list) by itself, along with a rudimentary test for the combination of options=(list) and options in (list).
In particular, the test for the combination confirms that the `apparmor.d` man page was wrong about what happens when these options are combined.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1672
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
disconnected_mount_complain only contains xpass tests, which should
not be included in the spread XFAIL tests.
Fixes: 1aca4a1d ("tests: regression: mark disconnected-complain-mode tests as xpass")
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
- set filetype, instead of syntax, in vim modelines
- replace filetype of subdomain with apparmor
- move modelines in the first or last five lines of each file so that
vim can recognize them
There is an unfortunate long kernel dev history as to why this currently
isn't the case, so we're stuck with documenting the facts for now.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Check that when using a HTTP client via tinyproxy that the expected Via header
is present and that the tinyproxy stats page works as expected.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1537
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The tests on slower systems are occassionally timing out leading to
inconsistent pass/fail runs. The time out failure depending on which
test it occurs in can result in false passes, or failres.
Double the timeout, which hopefully will be enough to avoid the
timeout issue without making the tests wait too long.
Signed-off-by: John Johansen <john.johansen@canonical.com>
FS based unix sockets have a complicatd interaction with socket
mediation some of the mediation happens in file hooks while other
parts happen in network hooks.
When the kernel doesn't have the unix socket mediation patches the
interactions become largely mediated through the network hooks, as
unix rules get downgraded to socket rules. However some filesystem
operations are needed, and some hooks like bind may be called
differently based on the unix socket type, and not just the address.
Without the kernel patches these variations are not taken into
account.
Changes in the parser networking permission mappings have also
affected the downgrade path, as the parser now supports permissions on
socket rules, downgrades can use permissions and be more faithful to
the original rule but this can also break tests that didn't add all
the permissions needed for the downgrade case.
update unix_socket_pathname.sh to detect whether rule downgrades are
being used, and adjust permissions and expectations based on this.
Fixes: 7ce768244 ("tests: regression: fix regression test for upstream kernels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
toybox is similar to busybox but is developed with Android development in
mind. Thus, it has the same issues as the busybox profile and should be
removed.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1620
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The attach_disconnected.sh and deleted.sh tests added expanded their
testing by using unix sockets. This however ever needs support of
unix socket mediation.
Provide a minimal fix by setting bailouts for the the tests if the
requirement is not present. Long term it would be better if the
expected/needed permissions sets could be tweaked to take into
account the permissions required by the use of unix sockets.
The fix f47d5c70a fix af_unix tests for v8 networking, was never
correct, though it worked and was closer before support for fine
grained inet mediation landed. Before finegrained inet mediation
landed unix rules would allow specifying the permission but inet would
not only allowing coarse socket mediation rules. While the backend
supported finegrained permissions in v8 socket mediation the parser
did not.
If af_unix mediation was not supported by the kernel the af_unix
mediation rule would be downgrade to a network rule. All network
socket rules allowed full permission because the parser didn't
support permissions on socket rules. So the "unix create," rule
was being downgraded to a "unix," rule. Thus the "unix create",
rule was enough permissions, in the downgrade even though it
actually wasn't enough permissions.
With support for fine grained inet permissions, support for permissions
on socket rules also landed. When this happend "unix create," was not
enough permissions any more because it was not downgraded to "unix,",
this resulted in failed mediation.
Fixes: cb4a397b1 ("tests: add attach_disconnected tests")
Fixes: f47d5c70a ("fix af_unix tests for v8 networking")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Without the kernel patches in
https://lists.ubuntu.com/archives/apparmor/2025-March/013533.html
these tests will fail. This means spread ci for the majority of
kernels will fail.
Indeed disconnected paths failing in complain mode was always expected
behavior until the above kernel patches were posted.
Instead mark these patches as xpass, so spread CI can pass. These
tests will need to be updated to make them detect if the kernel
supports complain mode with disconnected paths.
Signed-off-by: John Johansen <john.johansen@canonical.com>
The test is added as XFAIL for all images because the kernel patches
required for them to pass have not yet been upstreamed into any published
kernel.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Disconnected paths on lookups have caused actual permission denials, even
when the loaded profile is in complain mode. This is a test that causes
disconnections using mounts (both old and new API) and then verifies that
a complain mode profile doesn't prevent operations with disconnected fds.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
The command shell builtin is not recognized by older versions of make, so
switch back to using the which binary instead.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
linux/mount.h is only used in the move_mount test, which exercises the
move_mount syscall that was introduced sometime in 2018 or later. Older
systems without the header also lack the syscall, so we can just skip the
test in those cases.
Signed-off-by: Ryan Lee <ryan.lee@canonical.com>
Instead of relying on neverssl.com spin up a local http server and test
tinyproxy against that to ensure the test can run even if the wider internet is
not accessible.
Signed-off-by: Alex Murray <alex.murray@canonical.com>
When a test fails because of an unexpected success (XFAIL), do not display the empty error log as that may confuse the reader just as it had confused the author.
In addition, when something legitimately fails then display tail of trace log as that may show some useful information.
Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1548
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
