AppArmor

Merge lp:~apparmor-dev/apparmor/aa-fixes into lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain

  1. aa-fixes
  2. Merge into apparmor-ubuntu-citrain
Proposed by Tyler Hicks
Status: Merged
Approved by: Jamie Strandboge
Approved revision: 1507
Merged at revision: 1500
Proposed branch: lp:~apparmor-dev/apparmor/aa-fixes
Merge into: lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain
Diff against target: 1166 lines (+1101/-2)
10 files modified
debian/changelog (+26/-2)
debian/patches/bare-capability-rule-support.patch (+89/-0)
debian/patches/check-config-for-sysctl.patch (+274/-0)
debian/patches/fix-typo-in-dbus_write.patch (+22/-0)
debian/patches/increase-swap-size.patch (+30/-0)
debian/patches/initialize-mount-flags.patch (+17/-0)
debian/patches/limited-mount-rule-support.patch (+222/-0)
debian/patches/series (+8/-0)
debian/patches/test-mount-mediation.patch (+266/-0)
debian/patches/test-v6-policy.patch (+147/-0)
To merge this branch: bzr merge lp:~apparmor-dev/apparmor/aa-fixes
Reviewer Review Type Date Requested Status
Jamie Strandboge Approve
Review via email: mp+213170@code.launchpad.net

Description of the change

Is your branch in sync with latest trunk? Yes

Is debian/changelog properly formatted in the MP? Yes

Did you build your software in a clean sbuild/pbuilder chroot or ppa? Yes (security-proposed PPA)

Did you build your software in a clean sbuild/pbuilder chroot or ppa on armhf? Yes (security-proposed PPA)

Has your component TestPlan been executed successfully on emulator/armhf Touch build (eg, one of N4, N10, N7 (either), Galaxy Nexus) and clean Ubuntu Desktop VM? I've done an abbreviated version of the TestPlan, at jdstrand's request:

 - Ran QRT's test-apparmor.py (to test the changes to the regression suite and aa.py)
 - Created an LXC container, started it, and verified that it was confined (for LP: #1296459)
 - Manually tested the Python utils (for LP: #1294825 and LP: #1294819)
   + Note that they still backtrace on the LXC abstractions due to LP: #1295346 and LP: #1298678)
 - Launched apps and verified their confinement on Touch
 - Did exploratory testing on Touch and Desktop

Has a 5 minute exploratory testing run been executed on an armhf Touch build? Yes (N7)

If you changed the packaging (debian/), did you subscribe a core-dev to this MP? N/A

What components might get impacted by your changes?

 - The apparmor/aa.py Python module and the utils shipped in apparmor-utils
 - apparmor_parser
 - The in-tree regression tests (they don't get installed but are used for testing)

Have you requested review by the teams of these owning components? Yes, upstream AppArmor has acked all changes and jdstrand is the reviewer of this merge

To post a comment you must log in.
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Looks great, thanks!

review: Approve
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Looks good to me, thanks

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'debian/changelog'
--- debian/changelog 2014-03-26 16:15:34 +0000
+++ debian/changelog 2014-03-28 00:01:01 +0000
@@ -1,5 +1,6 @@
1apparmor (2.8.95~2430-0ubuntu3) UNRELEASED; urgency=medium1apparmor (2.8.95~2430-0ubuntu3) trusty; urgency=medium
22
3 [ Jamie Strandboge ]
3 * debian/lib/apparmor/functions: properly calculate number of profiles in4 * debian/lib/apparmor/functions: properly calculate number of profiles in
4 /var/lib/apparmor/profiles (LP: #1295816)5 /var/lib/apparmor/profiles (LP: #1295816)
5 * autostart aa-notify via /etc/xdg/autostart instead of /etc/X11/Xsession.d6 * autostart aa-notify via /etc/xdg/autostart instead of /etc/X11/Xsession.d
@@ -11,7 +12,30 @@
11 * debian/notify/notify.conf: use_group should be set to "sudo" instead of12 * debian/notify/notify.conf: use_group should be set to "sudo" instead of
12 "admin" (LP: #1009666)13 "admin" (LP: #1009666)
1314
14 -- Jamie Strandboge <jamie@ubuntu.com> Wed, 26 Mar 2014 10:34:34 -050015 [ Tyler Hicks ]
16 * debian/patches/initialize-mount-flags.patch: Initialize the variables
17 containing mount rule flags to zero. Otherwise, the parser may set
18 unexpected bits in the mount flags field for rules that do not specify
19 mount flags. The uninitialized mount flag variables may have caused
20 unexpected AppArmor denials during mount mediation. (LP: #1296459)
21 * debian/patches/fix-typo-in-dbus_write.patch: Fix a bug in the
22 apparmor/aa.py module that caused the utilities in the apparmor-utils
23 package to write out network rules instead of dbus rules
24 * debian/patches/limited-mount-rule-support.patch: Fix a bug in the
25 apparmor/aa.py module that caused the utilities in the apparmor-utils
26 package to traceback when encountering a mount rule (LP: #1294825)
27 * debian/patches/bare-capability-rule-support.patch: Fix a bug in the
28 apparmor/aa.py module that caused the utilities in the apparmor-utils
29 package to traceback when encountering a bare capability rule
30 (LP: #1294819)
31 * debian/patches/check-config-for-sysctl.patch,
32 debian/patches/increase-swap-size.patch: Fix bugs in the regression test
33 suite that caused errors when running on ppc64el
34 * debian/patches/test-v6-policy.patch,
35 debian/patches/test-mount-mediation.patch: Improve the regression tests
36 by increasing the mount rule test coverage
37
38 -- Tyler Hicks <tyhicks@canonical.com> Thu, 27 Mar 2014 14:12:29 -0500
1539
16apparmor (2.8.95~2430-0ubuntu2) trusty; urgency=medium40apparmor (2.8.95~2430-0ubuntu2) trusty; urgency=medium
1741
1842
=== added file 'debian/patches/bare-capability-rule-support.patch'
--- debian/patches/bare-capability-rule-support.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/bare-capability-rule-support.patch 2014-03-28 00:01:01 +0000
@@ -0,0 +1,89 @@
1Description: utils: Basic support for bare capability rules
2 .
3 Bug: https://bugs.launchpad.net/bugs/1294819
4 .
5 This patch as minimal support for bare capability rules ("capability,").
6 It prevents aa.py from emitting a traceback when encountering such a
7 rule.
8 .
9 It only adds the ability to parse and write the bare rule. It doesn't
10 attempt to be clever when deleting duplicate rules, such as realizing
11 that "capability audit_control," can be deleted if "capability," is also
12 present.
13 .
14 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
15 Acked-by: Steve Beattie <steve@nxnw.org>
16 Acked-by: Christian Boltz <apparmor@cboltz.de>
17Origin: commit, revision id: tyhicks@canonical.com-20140320192724-z0kqjl8kzx4khx57
18Author: Tyler Hicks <tyhicks@canonical.com>
19Bug: https://launchpad.net/bugs/1294819
20Last-Update: 2014-03-20
21X-Bzr-Revision-Id: tyhicks@canonical.com-20140320192724-z0kqjl8kzx4khx57
22
23=== modified file 'utils/apparmor/aa.py'
24--- old/utils/apparmor/aa.py 2014-03-20 19:25:42 +0000
25+++ new/utils/apparmor/aa.py 2014-03-20 19:27:24 +0000
26@@ -78,6 +78,9 @@
27 # To store the globs entered by users so they can be provided again
28 user_globs = []
29
30+# The key for representing bare rules such as "capability," or "file,"
31+ALL = '_ALL'
32+
33 ## Variables used under logprof
34 ### Were our
35 t = hasher() # dict()
36@@ -2104,6 +2107,9 @@
37 deleted = []
38 if profilecaps and inccaps:
39 for capname in profilecaps.keys():
40+ # XXX The presence of a bare capability rule ("capability,") should
41+ # cause more specific capability rules
42+ # ("capability audit_control,") to be deleted
43 if inccaps[capname].get('set', False) == 1:
44 deleted.append(capname)
45 for capname in deleted:
46@@ -2599,7 +2605,7 @@
47 ## Profile parsing regex
48 RE_PROFILE_START = re.compile('^\s*(("??/.+?"??)|(profile\s+("??.+?"??)))\s+((flags=)?\((.+)\)\s+)?\{\s*(#.*)?$')
49 RE_PROFILE_END = re.compile('^\s*\}\s*(#.*)?$')
50-RE_PROFILE_CAP = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?capability\s+(\S+)\s*,\s*(#.*)?$')
51+RE_PROFILE_CAP = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?capability(\s+\S+)?\s*,\s*(#.*)?$')
52 RE_PROFILE_LINK = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?link\s+(((subset)|(<=))\s+)?([\"\@\/].*?"??)\s+->\s*([\"\@\/].*?"??)\s*,\s*(#.*)?$')
53 RE_PROFILE_CHANGE_PROFILE = re.compile('^\s*change_profile\s+->\s*("??.+?"??),(#.*)?$')
54 RE_PROFILE_ALIAS = re.compile('^\s*alias\s+("??.+?"??)\s+->\s*("??.+?"??)\s*,(#.*)?$')
55@@ -2733,7 +2739,9 @@
56 if matches[1] and matches[1].strip() == 'deny':
57 allow = 'deny'
58
59- capability = matches[2]
60+ capability = ALL
61+ if matches[2]:
62+ capability = matches[2].strip()
63
64 profile_data[profile][hat][allow]['capability'][capability]['set'] = True
65 profile_data[profile][hat][allow]['capability'][capability]['audit'] = audit
66@@ -3236,7 +3244,10 @@
67 if prof_data[allow]['capability'][cap].get('audit', False):
68 audit = 'audit '
69 if prof_data[allow]['capability'][cap].get('set', False):
70- data.append('%s%s%scapability %s,' % (pre, audit, allowstr, cap))
71+ if cap == ALL:
72+ data.append('%s%s%scapability,' % (pre, audit, allowstr))
73+ else:
74+ data.append('%s%s%scapability %s,' % (pre, audit, allowstr, cap))
75 data.append('')
76
77 return data
78@@ -3698,7 +3709,9 @@
79 if matches[1] and matches[1].strip() == 'deny':
80 allow = 'deny'
81
82- capability = matches[2]
83+ capability = ALL
84+ if matches[2]:
85+ capability = matches[2].strip()
86
87 if not write_prof_data[hat][allow]['capability'][capability].get('set', False):
88 correct = False
89
090
=== added file 'debian/patches/check-config-for-sysctl.patch'
--- debian/patches/check-config-for-sysctl.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/check-config-for-sysctl.patch 2014-03-28 00:01:01 +0000
@@ -0,0 +1,274 @@
1Description: regression sysctl: skip if sysctl not available
2 .
3 Some kernels have CONFIG_SYSCALL_SYSCTL disabled, which is something to
4 be encouraged. This patch separates out the two different kind of sysctl
5 tests (syscall based and /proc/sys based) into separate shell functions,
6 and then checks to see that the test environment supports each before
7 invoking each shell function, issuing a warning (but not failing the
8 tests) if not available.
9 .
10 Signed-off-by: Steve Beattie <steve@nxnw.org>
11 Acked-by: John Johansen <john.johansen@canonical.com>
12Origin: commit, revision id: sbeattie@ubuntu.com-20140320182310-dxmze74scskktd6h
13Author: Steve Beattie <sbeattie@ubuntu.com>
14Last-Update: 2014-03-20
15X-Bzr-Revision-Id: sbeattie@ubuntu.com-20140320182310-dxmze74scskktd6h
16
17=== modified file 'tests/regression/apparmor/syscall_sysctl.sh'
18--- old/tests/regression/apparmor/syscall_sysctl.sh 2010-12-20 20:29:10 +0000
19+++ new/tests/regression/apparmor/syscall_sysctl.sh 2014-03-20 18:23:10 +0000
20@@ -25,119 +25,140 @@
21 ##
22 ## C. SYSCTL
23 ##
24+
25+test_syscall_sysctl()
26+{
27+ settest syscall_sysctl
28+
29+ runchecktest "SYSCTL (no confinement read only)" pass ro
30+
31+ runchecktest "SYSCTL (no confinement rw)" pass
32+
33+ genprofile $sysctlgood:r
34+ runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
35+
36+ genprofile $sysctlgood:r
37+ runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
38+
39+ genprofile $sysctlgood:w
40+ runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
41+
42+ genprofile $sysctlgood:w
43+ runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
44+
45+ genprofile $sysctlgood:rw
46+ runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
47+
48+ genprofile $sysctlgood:rw
49+ runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
50+
51+ genprofile $sysctlbad:r
52+ runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
53+
54+ genprofile $sysctlbad:r
55+ runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
56+
57+ genprofile $sysctlbad:w
58+ runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
59+
60+ genprofile $sysctlbad:w
61+ runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
62+
63+ genprofile $sysctlbad:rw
64+ runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
65+
66+ genprofile $sysctlbad:rw
67+ runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
68+}
69+
70+test_sysctl_proc()
71+{
72+ settest sysctl_proc
73+
74+ #unconfined
75+ runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
76+ value=`cat $sysctlgood`
77+ runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
78+ runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
79+
80+ #test with profile giving access to sysctlgood
81+ genprofile $sysctlgood:r
82+ runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
83+
84+ genprofile $sysctlgood:w
85+ runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
86+
87+ genprofile $sysctlgood:rw
88+ runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
89+
90+ genprofile $sysctlgood:r
91+ value=`cat $sysctlgood`
92+ runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
93+
94+ genprofile $sysctlgood:w
95+ value=`cat $sysctlgood`
96+ runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
97+
98+ genprofile $sysctlgood:rw
99+ value=`cat $sysctlgood`
100+ runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
101+
102+ genprofile $sysctlgood:r
103+ runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
104+
105+ genprofile $sysctlgood:w
106+ runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
107+
108+ genprofile $sysctlgood:rw
109+ runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
110+
111+ #test with profile giving access to sysctlbad but access to sysctlgood
112+ genprofile $sysctlbad:r
113+ runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
114+
115+ genprofile $sysctlbad:w
116+ runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
117+
118+ genprofile $sysctlbad:rw
119+ runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
120+
121+ genprofile $sysctlbad:r
122+ value=`cat $sysctlgood`
123+ runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
124+
125+ genprofile $sysctlbad:w
126+ value=`cat $sysctlgood`
127+ runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
128+
129+ genprofile $sysctlbad:rw
130+ value=`cat $sysctlgood`
131+ runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
132+
133+ genprofile $sysctlbad:r
134+ runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
135+
136+ genprofile $sysctlbad:w
137+ runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
138+
139+ genprofile $sysctlbad:rw
140+ runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
141+}
142+
143+
144+# check if the kernel supports CONFIG_SYSCTL_SYSCALL
145+# generally we want to encourage kernels to disable it, but if it's
146+# enabled we want to test against it
147 settest syscall_sysctl
148-
149-runchecktest "SYSCTL (no confinement read only)" pass ro
150-
151-runchecktest "SYSCTL (no confinement rw)" pass
152-
153-genprofile $sysctlgood:r
154-runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
155-
156-genprofile $sysctlgood:r
157-runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
158-
159-genprofile $sysctlgood:w
160-runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
161-
162-genprofile $sysctlgood:w
163-runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
164-
165-genprofile $sysctlgood:rw
166-runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
167-
168-genprofile $sysctlgood:rw
169-runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
170-
171-genprofile $sysctlbad:r
172-runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
173-
174-genprofile $sysctlbad:r
175-runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
176-
177-genprofile $sysctlbad:w
178-runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
179-
180-genprofile $sysctlbad:w
181-runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
182-
183-genprofile $sysctlbad:rw
184-runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
185-
186-genprofile $sysctlbad:rw
187-runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
188+res=$(${test} ro)
189+if [ $? -ne 0 -a $res == "FAIL: sysctl read failed - Function not implemented" ] ; then
190+ echo " WARNING: syscall sysctl not implemented, skipping tests ..."
191+else
192+ test_syscall_sysctl
193+fi
194
195 # now test /proc/sys/ paths
196-
197-settest sysctl_proc
198-
199-#unconfined
200-runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
201-value=`cat $sysctlgood`
202-runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
203-runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
204-
205-#test with profile giving access to sysctlgood
206-genprofile $sysctlgood:r
207-runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
208-
209-genprofile $sysctlgood:w
210-runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
211-
212-genprofile $sysctlgood:rw
213-runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
214-
215-genprofile $sysctlgood:r
216-value=`cat $sysctlgood`
217-runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
218-
219-genprofile $sysctlgood:w
220-value=`cat $sysctlgood`
221-runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
222-
223-genprofile $sysctlgood:rw
224-value=`cat $sysctlgood`
225-runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
226-
227-genprofile $sysctlgood:r
228-runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
229-
230-genprofile $sysctlgood:w
231-runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
232-
233-genprofile $sysctlgood:rw
234-runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
235-
236-#test with profile giving access to sysctlbad but access to sysctlgood
237-genprofile $sysctlbad:r
238-runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
239-
240-genprofile $sysctlbad:w
241-runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
242-
243-genprofile $sysctlbad:rw
244-runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
245-
246-genprofile $sysctlbad:r
247-value=`cat $sysctlgood`
248-runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
249-
250-genprofile $sysctlbad:w
251-value=`cat $sysctlgood`
252-runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
253-
254-genprofile $sysctlbad:rw
255-value=`cat $sysctlgood`
256-runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
257-
258-genprofile $sysctlbad:r
259-runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
260-
261-genprofile $sysctlbad:w
262-runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
263-
264-genprofile $sysctlbad:rw
265-runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
266-
267-
268-
269+if [ ! -f "${sysctlgood}" ] ; then
270+ echo " WARNING: proc sysctl path not found, /proc not mounted? Skipping tests ..."
271+else
272+ test_sysctl_proc
273+fi
274
0275
=== added file 'debian/patches/fix-typo-in-dbus_write.patch'
--- debian/patches/fix-typo-in-dbus_write.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/fix-typo-in-dbus_write.patch 2014-03-28 00:01:01 +0000
@@ -0,0 +1,22 @@
1Description: utils: Fix typo in write_dbus()
2 .
3 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
4 Acked-by: Steve Beattie <steve@nxnw.org>
5Origin: commit, revision id: tyhicks@canonical.com-20140320191940-ygolw53q0oaqw3k0
6Author: Tyler Hicks <tyhicks@canonical.com>
7Last-Update: 2014-03-20
8X-Bzr-Revision-Id: tyhicks@canonical.com-20140320191940-ygolw53q0oaqw3k0
9
10=== modified file 'utils/apparmor/aa.py'
11--- old/utils/apparmor/aa.py 2014-03-16 15:06:42 +0000
12+++ new/utils/apparmor/aa.py 2014-03-20 19:19:40 +0000
13@@ -3265,7 +3265,7 @@
14
15 def write_dbus(prof_data, depth):
16 data = write_dbus_rules(prof_data, depth, 'deny')
17- data += write_net_rules(prof_data, depth, 'allow')
18+ data += write_dbus_rules(prof_data, depth, 'allow')
19 return data
20
21 def write_link_rules(prof_data, depth, allow):
22
023
=== added file 'debian/patches/increase-swap-size.patch'
--- debian/patches/increase-swap-size.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/increase-swap-size.patch 2014-03-28 00:01:01 +0000
@@ -0,0 +1,30 @@
1Description: regression swap test: 640 KiB not enough swap for everyone
2 .
3 On ppc64el platforms, the minimum swapfile size is 640KiB. Our swap
4 test aborts there because it creates a swapfile of size 512KiB. This
5 patch adjusts the size to 768KiB, to satisfy ppc64el and to try
6 to keep the size down for embedded and otherwise limited platforms
7 (e.g. phones).
8 .
9 Signed-off-by: Steve Beattie <steve@nxnw.org>
10 Acked-by: John Johansen <john.johansen@canonical.com>
11Origin: commit, revision id: sbeattie@ubuntu.com-20140320182851-iwz354gzejfxr3x6
12Author: Steve Beattie <sbeattie@ubuntu.com>
13Last-Update: 2014-03-20
14X-Bzr-Revision-Id: sbeattie@ubuntu.com-20140320182851-iwz354gzejfxr3x6
15
16=== modified file 'tests/regression/apparmor/swap.sh'
17--- old/tests/regression/apparmor/swap.sh 2014-03-19 18:53:26 +0000
18+++ new/tests/regression/apparmor/swap.sh 2014-03-20 18:28:51 +0000
19@@ -29,7 +29,9 @@
20
21 swap_file=$tmpdir/swapfile
22
23-dd if=/dev/zero of=${swap_file} bs=1024 count=512 2> /dev/null
24+# ppc64el wants this to be larger than 640KiB
25+# arm/small machines want this as small as possible
26+dd if=/dev/zero of=${swap_file} bs=1024 count=768 2> /dev/null
27 /sbin/mkswap -f ${swap_file} > /dev/null
28
29 # TEST 1. Make sure can enable and disable swap unconfined
30
031
=== added file 'debian/patches/initialize-mount-flags.patch'
--- debian/patches/initialize-mount-flags.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/initialize-mount-flags.patch 2014-03-28 00:01:01 +0000
@@ -0,0 +1,17 @@
1Subject: Initialize mount flag variables
2Author: Steve Beattie <steve@nxnw.org>
3Origin: https://lists.ubuntu.com/archives/apparmor/2014-March/005498.html
4
5Index: apparmor-2.8.95~2430/parser/mount.c
6===================================================================
7--- apparmor-2.8.95~2430.orig/parser/mount.c 2014-03-25 15:20:57.018085658 -0500
8+++ apparmor-2.8.95~2430/parser/mount.c 2014-03-25 15:20:57.010085658 -0500
9@@ -389,7 +389,7 @@ mnt_rule::mnt_rule(struct cond_entry *sr
10 struct cond_entry *dst_conds __unused, char *mnt_point_p,
11 int allow_p):
12 mnt_point(mnt_point_p), device(device_p), trans(NULL), opts(NULL),
13- audit(0), deny(0)
14+ flags(0), inv_flags(0), audit(0), deny(0)
15 {
16 /* FIXME: dst_conds are ignored atm */
17 aa_class = AA_CLASS_MOUNT;
018
=== added file 'debian/patches/limited-mount-rule-support.patch'
--- debian/patches/limited-mount-rule-support.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/limited-mount-rule-support.patch 2014-03-28 00:01:01 +0000
@@ -0,0 +1,222 @@
1Description: utils: Add very limited support for mount rules
2 .
3 Bug: https://bugs.launchpad.net/bugs/1294825
4 .
5 This patch is inspired by sbeattie's patch to add limited dbus rule
6 support. It adds does very dumb parsing of mount rules. Basically, it
7 stores mount, remount, and umount rules as raw strings wrapped in a
8 class.
9 .
10 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
11 Acked-by: Steve Beattie <steve@nxnw.org>
12 Acked-by: Christian Boltz <apparmor@cboltz.de>
13Origin: commit, revision id: tyhicks@canonical.com-20140320192542-we2ydn5rk0p05dtt
14Author: Tyler Hicks <tyhicks@canonical.com>
15Bug: https://launchpad.net/bugs/1294825
16Last-Update: 2014-03-20
17X-Bzr-Revision-Id: tyhicks@canonical.com-20140320192542-we2ydn5rk0p05dtt
18
19=== modified file 'utils/apparmor/aa.py'
20--- old/utils/apparmor/aa.py 2014-03-20 19:19:40 +0000
21+++ new/utils/apparmor/aa.py 2014-03-20 19:25:42 +0000
22@@ -2616,6 +2616,7 @@
23 RE_NETWORK_FAMILY_TYPE = re.compile('\s+(\S+)\s+(\S+)\s*,$')
24 RE_NETWORK_FAMILY = re.compile('\s+(\S+)\s*,$')
25 RE_PROFILE_DBUS = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?(dbus[^#]*\s*,)\s*(#.*)?$')
26+RE_PROFILE_MOUNT = re.compile('^\s*(audit\s+)?(allow\s+|deny\s+)?((mount|remount|umount)[^#]*\s*,)\s*(#.*)?$')
27
28 # match anything that's not " or #, or matching quotes with anything except quotes inside
29 __re_no_or_quoted_hash = '([^#"]|"[^"]*")*'
30@@ -2693,6 +2694,7 @@
31 profile_data[profile][hat]['allow']['netdomain'] = hasher()
32 profile_data[profile][hat]['allow']['path'] = hasher()
33 profile_data[profile][hat]['allow']['dbus'] = list()
34+ profile_data[profile][hat]['allow']['mount'] = list()
35 # Save the initial comment
36 if initial_comment:
37 profile_data[profile][hat]['initial_comment'] = initial_comment
38@@ -2966,6 +2968,28 @@
39 dbus_rules.append(dbus_rule)
40 profile_data[profile][hat][allow]['dbus'] = dbus_rules
41
42+ elif RE_PROFILE_MOUNT.search(line):
43+ matches = RE_PROFILE_MOUNT.search(line).groups()
44+
45+ if not profile:
46+ raise AppArmorException(_('Syntax Error: Unexpected mount entry found in file: %s line: %s') % (file, lineno + 1))
47+
48+ audit = False
49+ if matches[0]:
50+ audit = True
51+ allow = 'allow'
52+ if matches[1] and matches[1].strip() == 'deny':
53+ allow = 'deny'
54+ mount = matches[2]
55+
56+ mount_rule = parse_mount_rule(mount)
57+ mount_rule.audit = audit
58+ mount_rule.deny = (allow == 'deny')
59+
60+ mount_rules = profile_data[profile][hat][allow].get('mount', list())
61+ mount_rules.append(mount_rule)
62+ profile_data[profile][hat][allow]['mount'] = mount_rules
63+
64 elif RE_PROFILE_CHANGE_HAT.search(line):
65 matches = RE_PROFILE_CHANGE_HAT.search(line).groups()
66
67@@ -3060,6 +3084,10 @@
68 # return aarules.DBUS_Rule()
69 #print(line)
70
71+def parse_mount_rule(line):
72+ # XXX Do real parsing here
73+ return aarules.Raw_Mount_Rule(line)
74+
75 def separate_vars(vs):
76 """Returns a list of all the values for a variable"""
77 data = []
78@@ -3268,6 +3296,24 @@
79 data += write_dbus_rules(prof_data, depth, 'allow')
80 return data
81
82+def write_mount_rules(prof_data, depth, allow):
83+ pre = ' ' * depth
84+ data = []
85+
86+ # no mount rules, so return
87+ if not prof_data[allow].get('mount', False):
88+ return data
89+
90+ for mount_rule in prof_data[allow]['mount']:
91+ data.append('%s%s' % (pre, mount_rule.serialize()))
92+ data.append('')
93+ return data
94+
95+def write_mount(prof_data, depth):
96+ data = write_mount_rules(prof_data, depth, 'deny')
97+ data += write_mount_rules(prof_data, depth, 'allow')
98+ return data
99+
100 def write_link_rules(prof_data, depth, allow):
101 pre = ' ' * depth
102 data = []
103@@ -3361,6 +3407,7 @@
104 data += write_capabilities(prof_data, depth)
105 data += write_netdomain(prof_data, depth)
106 data += write_dbus(prof_data, depth)
107+ data += write_mount(prof_data, depth)
108 data += write_links(prof_data, depth)
109 data += write_paths(prof_data, depth)
110 data += write_change_profile(prof_data, depth)
111@@ -3509,6 +3556,7 @@
112 'capability': write_capabilities,
113 'netdomain': write_netdomain,
114 'dbus': write_dbus,
115+ 'mount': write_mount,
116 'link': write_links,
117 'path': write_paths,
118 'change_profile': write_change_profile,
119@@ -3600,6 +3648,7 @@
120 data += write_capabilities(write_prof_data[name], depth)
121 data += write_netdomain(write_prof_data[name], depth)
122 data += write_dbus(write_prof_data[name], depth)
123+ data += write_mount(write_prof_data[name], depth)
124 data += write_links(write_prof_data[name], depth)
125 data += write_paths(write_prof_data[name], depth)
126 data += write_change_profile(write_prof_data[name], depth)
127
128=== modified file 'utils/apparmor/rules.py'
129--- old/utils/apparmor/rules.py 2014-03-07 17:58:54 +0000
130+++ new/utils/apparmor/rules.py 2014-03-20 19:25:42 +0000
131@@ -55,3 +55,15 @@
132 return "%s%s%s" % ('audit ' if self.audit else '',
133 'deny ' if self.deny else '',
134 self.rule)
135+
136+class Raw_Mount_Rule(object):
137+ audit = False
138+ deny = False
139+
140+ def __init__(self, rule):
141+ self.rule = rule
142+
143+ def serialize(self):
144+ return "%s%s%s" % ('audit ' if self.audit else '',
145+ 'deny ' if self.deny else '',
146+ self.rule)
147
148=== added file 'utils/test/test-mount_parse.py'
149--- old/utils/test/test-mount_parse.py 1970-01-01 00:00:00 +0000
150+++ new/utils/test/test-mount_parse.py 2014-03-20 19:25:42 +0000
151@@ -0,0 +1,70 @@
152+#! /usr/bin/env python
153+# ------------------------------------------------------------------
154+#
155+# Copyright (C) 2014 Canonical Ltd.
156+#
157+# This program is free software; you can redistribute it and/or
158+# modify it under the terms of version 2 of the GNU General Public
159+# License published by the Free Software Foundation.
160+#
161+# ------------------------------------------------------------------
162+
163+import apparmor.aa as aa
164+import unittest
165+
166+class AAParseMountTest(unittest.TestCase):
167+
168+ def test_parse_plain_mount_rule(self):
169+ rule = 'mount,'
170+ mount = aa.parse_mount_rule(rule)
171+ self.assertEqual(rule, mount.serialize(),
172+ 'mount object returned "%s", expected "%s"' % (mount.serialize(), rule))
173+
174+ def test_parse_ro_mount(self):
175+ rule = 'mount -o ro,'
176+ mount = aa.parse_mount_rule(rule)
177+ self.assertEqual(rule, mount.serialize(),
178+ 'mount object returned "%s", expected "%s"' % (mount.serialize(), rule))
179+
180+ def test_parse_rw_mount_with_mount_points(self):
181+ rule = 'mount -o rw /dev/sdb1 -> /mnt/external,'
182+ mount = aa.parse_mount_rule(rule)
183+ self.assertEqual(rule, mount.serialize(),
184+ 'mount object returned "%s", expected "%s"' % (mount.serialize(), rule))
185+
186+class AAParseRemountTest(unittest.TestCase):
187+
188+ def test_parse_plain_remount_rule(self):
189+ rule = 'remount,'
190+ mount = aa.parse_mount_rule(rule)
191+ self.assertEqual(rule, mount.serialize(),
192+ 'mount object returned "%s", expected "%s"' % (mount.serialize(), rule))
193+
194+ def test_parse_ro_remount(self):
195+ rule = 'remount -o ro,'
196+ mount = aa.parse_mount_rule(rule)
197+ self.assertEqual(rule, mount.serialize(),
198+ 'mount object returned "%s", expected "%s"' % (mount.serialize(), rule))
199+
200+ def test_parse_ro_remount_with_mount_point(self):
201+ rule = 'remount -o ro /,'
202+ mount = aa.parse_mount_rule(rule)
203+ self.assertEqual(rule, mount.serialize(),
204+ 'mount object returned "%s", expected "%s"' % (mount.serialize(), rule))
205+
206+class AAParseUmountTest(unittest.TestCase):
207+
208+ def test_parse_plain_umount_rule(self):
209+ rule = 'umount,'
210+ mount = aa.parse_mount_rule(rule)
211+ self.assertEqual(rule, mount.serialize(),
212+ 'mount object returned "%s", expected "%s"' % (mount.serialize(), rule))
213+
214+ def test_parse_umount_with_mount_point(self):
215+ rule = 'umount /mnt/external,'
216+ mount = aa.parse_mount_rule(rule)
217+ self.assertEqual(rule, mount.serialize(),
218+ 'mount object returned "%s", expected "%s"' % (mount.serialize(), rule))
219+
220+if __name__ == '__main__':
221+ unittest.main()
222
0223
=== modified file 'debian/patches/series'
--- debian/patches/series 2014-03-20 03:36:23 +0000
+++ debian/patches/series 2014-03-28 00:01:01 +0000
@@ -24,3 +24,11 @@
24fix-ppc-endian-ftbfs.patch24fix-ppc-endian-ftbfs.patch
25opt_arg.patch25opt_arg.patch
26tests-cond-dbus.patch26tests-cond-dbus.patch
27initialize-mount-flags.patch
28fix-typo-in-dbus_write.patch
29limited-mount-rule-support.patch
30bare-capability-rule-support.patch
31check-config-for-sysctl.patch
32increase-swap-size.patch
33test-v6-policy.patch
34test-mount-mediation.patch
2735
=== added file 'debian/patches/test-mount-mediation.patch'
--- debian/patches/test-mount-mediation.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/test-mount-mediation.patch 2014-03-28 00:01:01 +0000
@@ -0,0 +1,266 @@
1Description: tests: Improve mount rule tests
2 .
3 The mount.sh regression test script was not testing with actual AppArmor
4 mount rules. This patch improves mkprofile.pl by adding the ability to
5 generate mount rules and adds tests to mount.sh that verify mount
6 mediation is working properly.
7 .
8 Signed-off-by: John Johansen <john.johansen@canonical.com>
9 [tyhicks: Fixed a couple typos and added fstype tests]
10 Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
11 Acked-by: Steve Beattie <steve@nxnw.org>
12Origin: commit, revision id: tyhicks@canonical.com-20140327021004-2ydtqsjx74mjujfv
13Author: John Johansen <john.johansen@canonical.com>
14Last-Update: 2014-03-27
15X-Bzr-Revision-Id: tyhicks@canonical.com-20140327021004-2ydtqsjx74mjujfv
16
17=== modified file 'tests/regression/apparmor/mkprofile.pl'
18--- old/tests/regression/apparmor/mkprofile.pl 2013-09-20 13:48:56 +0000
19+++ new/tests/regression/apparmor/mkprofile.pl 2014-03-27 02:10:04 +0000
20@@ -174,6 +174,78 @@
21 }
22 }
23
24+sub gen_mount($) {
25+ my $rule = shift;
26+ my @rules = split (/:/, $rule);
27+ if (@rules == 2) {
28+ if ($rules[1] =~ /^ALL$/) {
29+ push (@{$output_rules{$hat}}, " mount,\n");
30+ } else {
31+ push (@{$output_rules{$hat}}, " mount $rules[1],\n");
32+ }
33+ } elsif (@rules == 3) {
34+ push (@{$output_rules{$hat}}, " mount $rules[1] $rules[2],\n");
35+ } elsif (@rules == 4) {
36+ push (@{$output_rules{$hat}}, " mount $rules[1] $rules[2] $rules[3],\n");
37+ } elsif (@rules == 5) {
38+ push (@{$output_rules{$hat}}, " mount $rules[1] $rules[2] $rules[3] $rules[4],\n");
39+ } elsif (@rules == 6) {
40+ push (@{$output_rules{$hat}}, " mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
41+ } elsif (@rules == 7) {
42+ push (@{$output_rules{$hat}}, " mount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
43+ } else {
44+ (!$nowarn) && print STDERR "Warning: invalid mount description '$rule', ignored\n";
45+ }
46+}
47+
48+sub gen_remount($) {
49+ my $rule = shift;
50+ my @rules = split (/:/, $rule);
51+ if (@rules == 2) {
52+ if ($rules[1] =~ /^ALL$/) {
53+ push (@{$output_rules{$hat}}, " remount,\n");
54+ } else {
55+ push (@{$output_rules{$hat}}, " remount $rules[1],\n");
56+ }
57+ } elsif (@rules == 3) {
58+ push (@{$output_rules{$hat}}, " remount $rules[1] $rules[2],\n");
59+ } elsif (@rules == 4) {
60+ push (@{$output_rules{$hat}}, " remount $rules[1] $rules[2] $rules[3],\n");
61+ } elsif (@rules == 5) {
62+ push (@{$output_rules{$hat}}, " remount $rules[1] $rules[2] $rules[3] $rules[4],\n");
63+ } elsif (@rules == 6) {
64+ push (@{$output_rules{$hat}}, " remount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
65+ } elsif (@rules == 7) {
66+ push (@{$output_rules{$hat}}, " remount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
67+ } else {
68+ (!$nowarn) && print STDERR "Warning: invalid remount description '$rule', ignored\n";
69+ }
70+}
71+
72+sub gen_umount($) {
73+ my $rule = shift;
74+ my @rules = split (/:/, $rule);
75+ if (@rules == 2) {
76+ if ($rules[1] =~ /^ALL$/) {
77+ push (@{$output_rules{$hat}}, " umount,\n");
78+ } else {
79+ push (@{$output_rules{$hat}}, " umount $rules[1],\n");
80+ }
81+ } elsif (@rules == 3) {
82+ push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2],\n");
83+ } elsif (@rules == 4) {
84+ push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2] $rules[3],\n");
85+ } elsif (@rules == 5) {
86+ push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2] $rules[3] $rules[4],\n");
87+ } elsif (@rules == 6) {
88+ push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5],\n");
89+ } elsif (@rules == 7) {
90+ push (@{$output_rules{$hat}}, " umount $rules[1] $rules[2] $rules[3] $rules[4] $rules[5] $rules[6],\n");
91+ } else {
92+ (!$nowarn) && print STDERR "Warning: invalid umount description '$rule', ignored\n";
93+ }
94+}
95+
96 sub gen_file($) {
97 my $rule = shift;
98 my @rules = split (/:/, $rule);
99@@ -260,6 +332,12 @@
100 gen_network($rule);
101 } elsif ($rule =~ /^cap:/) {
102 gen_cap($rule);
103+ } elsif ($rule =~ /^mount:/) {
104+ gen_mount($rule);
105+ } elsif ($rule =~ /^remount:/) {
106+ gen_remount($rule);
107+ } elsif ($rule =~ /^umount:/) {
108+ gen_umount($rule);
109 } elsif ($rule =~ /^flag:/) {
110 gen_flag($rule);
111 } elsif ($rule =~ /^hat:/) {
112
113=== modified file 'tests/regression/apparmor/mount.sh'
114--- old/tests/regression/apparmor/mount.sh 2012-02-24 12:29:08 +0000
115+++ new/tests/regression/apparmor/mount.sh 2014-03-27 02:10:04 +0000
116@@ -28,11 +28,29 @@
117
118 mount_file=$tmpdir/mountfile
119 mount_point=$tmpdir/mountpoint
120+mount_bad=$tmpdir/mountbad
121 loop_device="unset"
122+fstype="ext2"
123+
124+setup_mnt() {
125+ /bin/mount -t${fstype} ${loop_device} ${mount_point}
126+# /bin/mount -t${fstype} ${loop_device} ${mount_bad}
127+}
128+remove_mnt() {
129+ mountpoint -q "${mount_point}"
130+ if [ $? -eq 0 ] ; then
131+ /bin/umount -t${fstype} ${mount_point}
132+ fi
133+ mountpoint -q "${mount_bad}"
134+ if [ $? -eq 0 ] ; then
135+ /bin/umount -t${fstype} ${mount_bad}
136+ fi
137+}
138
139 dd if=/dev/zero of=${mount_file} bs=1024 count=512 2> /dev/null
140-/sbin/mkfs -text2 -F ${mount_file} > /dev/null 2> /dev/null
141+/sbin/mkfs -t${fstype} -F ${mount_file} > /dev/null 2> /dev/null
142 /bin/mkdir ${mount_point}
143+/bin/mkdir ${mount_bad}
144
145 # in a modular udev world, the devices won't exist until the loopback
146 # module is loaded.
147@@ -56,32 +74,95 @@
148 fatalerror 'Unable to find a free loop device'
149 fi
150
151+
152 # TEST 1. Make sure can mount and umount unconfined
153-
154 runchecktest "MOUNT (unconfined)" pass mount ${loop_device} ${mount_point}
155+remove_mnt
156+
157+setup_mnt
158 runchecktest "UMOUNT (unconfined)" pass umount ${loop_device} ${mount_point}
159-
160-# TEST A2. confine MOUNT
161-
162-genprofile
163-runchecktest "MOUNT (confined)" fail mount ${loop_device} ${mount_point}
164-
165-# TEST A3. confine MOUNT - cap sys_admin is not sufficient to mount
166-genprofile capability:sys_admin
167-runchecktest "MOUNT (confined)" fail mount ${loop_device} ${mount_point}
168-
169-/bin/umount -text2 ${mount_point}
170-
171-# TEST A4. confine UMOUNT
172-
173-/bin/mount -text2 ${loop_device} ${mount_point}
174-
175-genprofile
176-runchecktest "UMOUNT (confined)" fail umount ${loop_device} ${mount_point}
177-
178-# TEST A4. confine UMOUNT - cap sys_admin allows unmount
179-genprofile capability:sys_admin
180-runchecktest "UMOUNT (confined)" pass umount ${loop_device} ${mount_point}
181+remove_mnt
182+
183+# TEST A2. confine MOUNT no perms
184+genprofile
185+runchecktest "MOUNT (confined no perm)" fail mount ${loop_device} ${mount_point}
186+remove_mnt
187+
188+setup_mnt
189+runchecktest "UMOUNT (confined no perm)" fail umount ${loop_device} ${mount_point}
190+remove_mnt
191+
192+
193+if [ "$(have_features mount)" != "true" ] ; then
194+ genprofile capability:sys_admin
195+ runchecktest "MOUNT (confined cap)" pass mount ${loop_device} ${mount_point}
196+ remove_mnt
197+
198+ setup_mnt
199+ runchecktest "UMOUNT (confined cap)" pass umount ${loop_device} ${mount_point}
200+ remove_mnt
201+else
202+ echo " using mount rules ..."
203+
204+ genprofile capability:sys_admin
205+ runchecktest "MOUNT (confined cap)" fail mount ${loop_device} ${mount_point}
206+ remove_mnt
207+
208+ setup_mnt
209+ runchecktest "UMOUNT (confined cap)" fail umount ${loop_device} ${mount_point}
210+ remove_mnt
211+
212+
213+ genprofile mount:ALL
214+ runchecktest "MOUNT (confined mount:ALL)" fail mount ${loop_device} ${mount_point}
215+ remove_mnt
216+
217+
218+ genprofile "mount:-> ${mount_point}/"
219+ runchecktest "MOUNT (confined bad mntpnt mount -> mntpnt)" fail mount ${loop_device} ${mount_bad}
220+ remove_mnt
221+
222+ runchecktest "MOUNT (confined mount -> mntpnt)" fail mount ${loop_device} ${mount_point}
223+ remove_mnt
224+
225+
226+
227+ genprofile umount:ALL
228+ setup_mnt
229+ runchecktest "UMOUNT (confined umount:ALL)" fail umount ${loop_device} ${mount_point}
230+ remove_mnt
231+
232+
233+ genprofile mount:ALL cap:sys_admin
234+ runchecktest "MOUNT (confined cap mount:ALL)" pass mount ${loop_device} ${mount_point}
235+ remove_mnt
236+
237+
238+ genprofile cap:sys_admin "mount:-> ${mount_point}/"
239+ runchecktest "MOUNT (confined bad mntpnt cap mount -> mntpnt)" fail mount ${loop_device} ${mount_bad}
240+ remove_mnt
241+
242+ runchecktest "MOUNT (confined cap mount -> mntpnt)" pass mount ${loop_device} ${mount_point}
243+ remove_mnt
244+
245+
246+ genprofile cap:sys_admin "mount:fstype=${fstype}XXX"
247+ runchecktest "MOUNT (confined cap mount bad fstype)" fail mount ${loop_device} ${mount_point}
248+ remove_mnt
249+
250+ genprofile cap:sys_admin "mount:fstype=${fstype}"
251+ runchecktest "MOUNT (confined cap mount fstype)" pass mount ${loop_device} ${mount_point}
252+ remove_mnt
253+
254+
255+ genprofile cap:sys_admin umount:ALL
256+ setup_mnt
257+ runchecktest "UMOUNT (confined cap umount:ALL)" pass umount ${loop_device} ${mount_point}
258+ remove_mnt
259+
260+fi
261+
262+#need tests for move mount, remount, bind mount, pivot root, chroot
263
264 # cleanup, umount file
265 /bin/umount ${loop_device} > /dev/null 2> /dev/null || /sbin/losetup -d ${loop_device} > /dev/null 2> /dev/null
266
0267
=== added file 'debian/patches/test-v6-policy.patch'
--- debian/patches/test-v6-policy.patch 1970-01-01 00:00:00 +0000
+++ debian/patches/test-v6-policy.patch 2014-03-28 00:01:01 +0000
@@ -0,0 +1,147 @@
1Description: tests: Update the regression tests for v6 policy
2 .
3 This updates the regression tests for v6 policy. It refactors the
4 required_features test into a have_features fn, and a new
5 requires_features fn (renamed to catch all instances make sure they
6 where right)
7 .
8 The have_features fn is then applied to several test to make them
9 conditionally apply based off of availability of the feature
10 and policy version.
11 .
12 Signed-off-by: John Johansen <john.johansen@canonical.com>
13 Acked-by: Tyler Hicks <tyhicks@canonical.com>
14Origin: commit, revision id: tyhicks@canonical.com-20140327020859-njwpwlyvqjbrurvl
15Author: John Johansen <john.johansen@canonical.com>
16Last-Update: 2014-03-27
17X-Bzr-Revision-Id: tyhicks@canonical.com-20140327020859-njwpwlyvqjbrurvl
18
19=== modified file 'tests/regression/apparmor/dbus_eavesdrop.sh'
20--- old/tests/regression/apparmor/dbus_eavesdrop.sh 2013-12-06 19:19:33 +0000
21+++ new/tests/regression/apparmor/dbus_eavesdrop.sh 2014-03-27 02:08:59 +0000
22@@ -18,7 +18,7 @@
23 bin=$pwd
24
25 . $bin/prologue.inc
26-required_features dbus
27+requires_features dbus
28 . $bin/dbus.inc
29
30 args="--session"
31
32=== modified file 'tests/regression/apparmor/dbus_message.sh'
33--- old/tests/regression/apparmor/dbus_message.sh 2013-08-29 19:34:13 +0000
34+++ new/tests/regression/apparmor/dbus_message.sh 2014-03-27 02:08:59 +0000
35@@ -18,7 +18,7 @@
36 bin=$pwd
37
38 . $bin/prologue.inc
39-required_features dbus
40+requires_features dbus
41 . $bin/dbus.inc
42
43 listnames="--type=method_call --session --name=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames"
44
45=== modified file 'tests/regression/apparmor/dbus_service.sh'
46--- old/tests/regression/apparmor/dbus_service.sh 2013-08-20 19:14:03 +0000
47+++ new/tests/regression/apparmor/dbus_service.sh 2014-03-27 02:08:59 +0000
48@@ -17,7 +17,7 @@
49 bin=$pwd
50
51 . $bin/prologue.inc
52-required_features dbus
53+requires_features dbus
54 . $bin/dbus.inc
55
56 service="--$bus --name=$dest $path $iface"
57
58=== modified file 'tests/regression/apparmor/prologue.inc'
59--- old/tests/regression/apparmor/prologue.inc 2013-09-28 00:33:09 +0000
60+++ new/tests/regression/apparmor/prologue.inc 2014-03-27 02:08:59 +0000
61@@ -21,19 +21,32 @@
62 #
63 # For this file, functions are first, entry point code is at end, see "MAIN"
64
65-required_features()
66+#use $() to retreive the failure message or "true" if success
67+have_features()
68 {
69 if [ ! -e "/sys/kernel/security/apparmor/features/" ] ; then
70- echo "Kernel feature masks not supported. Skipping tests ..."
71- exit 0
72+ echo "Kernel feature masks not supported."
73+ return 1;
74 fi
75
76 for f in $@ ; do
77 if [ ! -e "/sys/kernel/security/apparmor/features/$f" ] ; then
78- echo "Required feature $f not available. Skipping tests ..."
79- exit 0
80+ echo "Required feature '$f' not available."
81+ return 2;
82 fi
83 done
84+
85+ echo "true"
86+ return 0;
87+}
88+
89+requires_features()
90+{
91+ local res=$(have_features $@)
92+ if [ "$res" != "true" ] ; then
93+ echo "$res. Skipping tests ..."
94+ exit 0
95+ fi
96 }
97
98 requires_query_interface()
99
100=== modified file 'tests/regression/apparmor/tcp.sh'
101--- old/tests/regression/apparmor/tcp.sh 2011-03-02 13:02:45 +0000
102+++ new/tests/regression/apparmor/tcp.sh 2014-03-27 02:08:59 +0000
103@@ -15,6 +15,7 @@
104 bin=$pwd
105
106 . $bin/prologue.inc
107+requires_features network
108
109 port=34567
110 ip="127.0.0.1"
111
112=== modified file 'tests/regression/apparmor/unix_fd_server.sh'
113--- old/tests/regression/apparmor/unix_fd_server.sh 2013-10-29 17:35:51 +0000
114+++ new/tests/regression/apparmor/unix_fd_server.sh 2014-03-27 02:08:59 +0000
115@@ -132,10 +132,12 @@
116 sleep 1
117 rm -f ${socket}
118
119-# FAIL - confined client, no access to the socket file
120-
121-genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm
122-runchecktest "fd passing; confined client w/o socket access" fail $file $socket $fd_client
123-
124-sleep 1
125-rm -f ${socket}
126+if [ "$(have_features policy/versions/v6)" == "true" ] ; then
127+ # FAIL - confined client, no access to the socket file
128+
129+ genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm
130+ runchecktest "fd passing; confined client w/o socket access" fail $file $socket $fd_client
131+
132+ sleep 1
133+ rm -f ${socket}
134+fi
135
136=== modified file 'tests/regression/apparmor/unix_socket_file.sh'
137--- old/tests/regression/apparmor/unix_socket_file.sh 2013-10-29 17:35:51 +0000
138+++ new/tests/regression/apparmor/unix_socket_file.sh 2014-03-27 02:08:59 +0000
139@@ -27,6 +27,7 @@
140 bin=$pwd
141
142 . $bin/prologue.inc
143+requires_features policy/versions/v6
144
145 client=$bin/unix_socket_file_client
146 socket=${tmpdir}/unix_socket_file.sock
147

Subscribers

People subscribed via source and target branches

to all changes: