
github.com/checkpoint-restore/criu.git - Unnamed repository; edit this file 'description' to name the repository.
authorTycho Andersen <tycho.andersen@canonical.com>2015-05-07 01:18:44 +0300
committerPavel Emelyanov <xemul@parallels.com>2015-05-08 15:31:09 +0300
commitc6e724f61a2f9ffae9145d485443aa0b8920de66 (patch)
tree3bfc2208868136df8f6f6c776fbcf5cc1dec6a6a
parentcf7a73389df9c6c98a816b6fd30fae10c0781733 (diff)
lsm: add a test for apparmor
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
-rwxr-xr-xtest/zdtm.sh2
-rw-r--r--test/zdtm/.gitignore1
-rw-r--r--test/zdtm/live/static/Makefile1
-rw-r--r--test/zdtm/live/static/apparmor.c100
-rwxr-xr-xtest/zdtm/live/static/apparmor.checkskip3
-rw-r--r--test/zdtm/live/static/apparmor.profile8
6 files changed, 115 insertions, 0 deletions
diff --git a/test/zdtm.sh b/test/zdtm.sh
index ff4616af9..9d97779d2 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -198,6 +198,7 @@ generate_test_list()
ns/static/clean_mntns
static/remap_dead_pid
static/poll
+ static/apparmor
"
TEST_CR_KERNEL="
@@ -330,6 +331,7 @@ mntns_rw_ro_rw
netns-dev
sockets00
cow01
+apparmor
"
CRIU_CPT=$CRIU
diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore
index 860cf415c..443e1080e 100644
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -1,4 +1,5 @@
/lib/libzdtmtst.a
+/live/static/apparmor
/live/static/arm-neon00
/live/static/bind-mount
/live/static/busyloop00
diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile
index 6e5ffb342..a968bbe49 100644
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -122,6 +122,7 @@ TST_NOFILE = \
remap_dead_pid \
aio00 \
fd \
+ apparmor \
# jobctl00 \
TST_FILE = \
diff --git a/test/zdtm/live/static/apparmor.c b/test/zdtm/live/static/apparmor.c
new file mode 100644
index 000000000..5da3f44ca
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.c
@@ -0,0 +1,100 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+const char *test_doc = "Check that an apparmor profile is restored";
+const char *test_author = "Tycho Andersen <tycho.andersen@canonical.com>";
+
+#define PROFILE "criu_test"
+
+int setprofile()
+{
+ char profile[1024];
+ int fd, len;
+
+ len = snprintf(profile, sizeof(profile), "changeprofile " PROFILE);
+ if (len < 0 || len >= sizeof(profile)) {
+ fail("bad sprintf\n");
+ return -1;
+ }
+
+ fd = open("/proc/self/attr/current", O_WRONLY);
+ if (fd < 0) {
+ fail("couldn't open fd\n");
+ return -1;
+ }
+
+ /* apparmor wants this in exactly one write, so we use write() here
+ * vs. fprintf Just To Be Sure */
+ len = write(fd, profile, len);
+ close(fd);
+
+ if (len < 0) {
+ fail("couldn't write profile\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int checkprofile()
+{
+ FILE *f;
+ char path[PATH_MAX], profile[1024];
+ int len;
+
+ sprintf(path, "/proc/self/attr/current");
+
+ f = fopen(path, "r");
+ if (!f) {
+ fail("couldn't open lsm current\n");
+ return -1;
+ }
+
+ len = fscanf(f, "%[^ \n]s", profile);
+ fclose(f);
+ if (len != 1) {
+ fail("wrong number of items scanned %d\n", len);
+ return -1;
+ }
+
+ if (strcmp(profile, PROFILE) != 0) {
+ fail("bad profile .%s. expected .%s.\n", profile, PROFILE);
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ test_init(argc, argv);
+
+ if (access("/sys/kernel/security/apparmor", F_OK) != 0) {
+ skip("apparmor not enabled\n");
+ return 1;
+ }
+
+ if (system("apparmor_parser -r apparmor.profile") < 0) {
+ fail("apparmor profile parse failed");
+ return -1;
+ }
+
+ setprofile();
+
+ test_daemon();
+ test_waitsig();
+
+ if (checkprofile(0) == 0)
+ pass();
+
+ return 0;
+}
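Review bot: The load step in main() cannot detect a failed profile load, because system() returns a negative value only when the child could not be created; a non-zero exit status from apparmor_parser passes the `< 0` test, so I would write `if (system("apparmor_parser -r apparmor.profile") != 0)`. The return value of setprofile() is also dropped, so the test daemonises even when the profile change was rejected; `if (setprofile() < 0) return -1;` stops a setup failure from showing up later as an apparent restore failure. In checkprofile() the scanset has no field width and carries a stray trailing `s`; `fscanf(f, "%1023[^ \n]", profile)` bounds the read to the 1024-byte buffer. The write() check in setprofile() accepts a short write as success, so comparing the result with the requested length would match the "exactly one write" comment above it.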
diff --git a/test/zdtm/live/static/apparmor.checkskip b/test/zdtm/live/static/apparmor.checkskip
new file mode 100755
index 000000000..eb506f15d
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.checkskip
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+test -d /sys/kernel/security/apparmor
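Review bot: The skip condition checks only for the securityfs directory, while apparmor.c in this same commit also shells out to apparmor_parser. On a host with AppArmor enabled but the userspace tools missing, the test would run and fail instead of being skipped. Something like `test -d /sys/kernel/security/apparmor && command -v apparmor_parser >/dev/null` would cover both prerequisites.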
diff --git a/test/zdtm/live/static/apparmor.profile b/test/zdtm/live/static/apparmor.profile
new file mode 100644
index 000000000..69b1b259b
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.profile
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+
+profile criu_test {
+ /** rwmlkix,
+ capability,
+ unix,
+ signal,
+}
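Review bot: Nothing visible in this commit unloads `criu_test` after the run, so a profile that allows `/** rwmlkix` and every capability appears to stay loaded in the kernel of the test host. The profile has no attachment path, so it is presumably entered only through the explicit profile change in apparmor.c, but I would still remove it when the test finishes, for example with `apparmor_parser -R apparmor.profile` in the test's cleanup path. A header comment such as `# Deliberately permissive: exists only to check that CRIU restores the profile label.` would also keep the file from being copied as a template for real confinement.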