author | Tycho Andersen <tycho.andersen@canonical.com> | 2015-05-07 01:18:44 +0300 |
---|---|---|
committer | Pavel Emelyanov <xemul@parallels.com> | 2015-05-08 15:31:09 +0300 |
commit | c6e724f61a2f9ffae9145d485443aa0b8920de66 (patch) | |
tree | 3bfc2208868136df8f6f6c776fbcf5cc1dec6a6a | |
parent | cf7a73389df9c6c98a816b6fd30fae10c0781733 (diff) |
lsm: add a test for apparmor
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
-rwxr-xr-x | test/zdtm.sh | 2 | ||||
-rw-r--r-- | test/zdtm/.gitignore | 1 | ||||
-rw-r--r-- | test/zdtm/live/static/Makefile | 1 | ||||
-rw-r--r-- | test/zdtm/live/static/apparmor.c | 100 | ||||
-rwxr-xr-x | test/zdtm/live/static/apparmor.checkskip | 3 | ||||
-rw-r--r-- | test/zdtm/live/static/apparmor.profile | 8 |
6 files changed, 115 insertions, 0 deletions
diff --git a/test/zdtm.sh b/test/zdtm.sh index ff4616af9..9d97779d2 100755 --- a/test/zdtm.sh +++ b/test/zdtm.sh @@ -198,6 +198,7 @@ generate_test_list() ns/static/clean_mntns static/remap_dead_pid static/poll + static/apparmor " TEST_CR_KERNEL=" @@ -330,6 +331,7 @@ mntns_rw_ro_rw netns-dev sockets00 cow01 +apparmor " CRIU_CPT=$CRIU diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore index 860cf415c..443e1080e 100644 --- a/test/zdtm/.gitignore +++ b/test/zdtm/.gitignore @@ -1,4 +1,5 @@ /lib/libzdtmtst.a +/live/static/apparmor /live/static/arm-neon00 /live/static/bind-mount /live/static/busyloop00 diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile index 6e5ffb342..a968bbe49 100644 --- a/test/zdtm/live/static/Makefile +++ b/test/zdtm/live/static/Makefile @@ -122,6 +122,7 @@ TST_NOFILE = \ remap_dead_pid \ aio00 \ fd \ + apparmor \ # jobctl00 \ TST_FILE = \ diff --git a/test/zdtm/live/static/apparmor.c b/test/zdtm/live/static/apparmor.c new file mode 100644 index 000000000..5da3f44ca --- /dev/null +++ b/test/zdtm/live/static/apparmor.c 
@@ -0,0 +1,100 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+const char *test_doc = "Check that an apparmor profile is restored";
+const char *test_author = "Tycho Andersen <tycho.andersen@canonical.com>";
+
+#define PROFILE "criu_test"
+
+int setprofile()
+{
+ char profile[1024];
+ int fd, len;
+
+ len = snprintf(profile, sizeof(profile), "changeprofile " PROFILE);
+ if (len < 0 || len >= sizeof(profile)) {
+ fail("bad sprintf\n");
+ return -1;
+ }
+
+ fd = open("/proc/self/attr/current", O_WRONLY);
+ if (fd < 0) {
+ fail("couldn't open fd\n");
+ return -1;
+ }
+
+ /* apparmor wants this in exactly one write, so we use write() here
+ * vs. fprintf Just To Be Sure */
+ len = write(fd, profile, len);
+ close(fd);
+
+ if (len < 0) {
+ fail("couldn't write profile\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int checkprofile()
+{
+ FILE *f;
+ char path[PATH_MAX], profile[1024];
+ int len;
+
+ sprintf(path, "/proc/self/attr/current");
+
+ f = fopen(path, "r");
+ if (!f) {
+ fail("couldn't open lsm current\n");
+ return -1;
+ }
+
+ len = fscanf(f, "%[^ \n]s", profile);
+ fclose(f);
+ if (len != 1) {
+ fail("wrong number of items scanned %d\n", len);
+ return -1;
+ }
+
+ if (strcmp(profile, PROFILE) != 0) {
+ fail("bad profile .%s. expected .%s.\n", profile, PROFILE);
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ test_init(argc, argv);
+
+ if (access("/sys/kernel/security/apparmor", F_OK) != 0) {
+ skip("apparmor not enabled\n");
+ return 1;
+ }
+
+ if (system("apparmor_parser -r apparmor.profile") < 0) {
+ fail("apparmor profile parse failed");
+ return -1;
+ }
+
+ setprofile();
+
+ test_daemon();
+ test_waitsig();
+
+ if (checkprofile(0) == 0)
+ pass();
+
+ return 0;
+}
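Review bot: The `system("apparmor_parser -r apparmor.profile") < 0` check in main only catches a failure to spawn the shell; a parser that exits non-zero (profile rejected, binary missing, not running as root) is treated as success, and the later `changeprofile` write then fails with a misleading "couldn't write profile" diagnostic. Capture the status and test it with the wait macros, `int st = system("apparmor_parser -r apparmor.profile"); if (st < 0 || !WIFEXITED(st) || WEXITSTATUS(st) != 0) {`, which needs `<sys/wait.h>` added to the includes. The return value of `setprofile()` is also discarded, so a failed profile switch still proceeds into `test_daemon()`; `if (setprofile() < 0) return -1;` keeps the failure where it happened. `checkprofile(0)` passes an argument to a function defined with an empty parameter list, which only compiles because the old-style definition carries no prototype; declaring both helpers as `(void)` and calling `checkprofile()` lets the compiler catch the mismatch. The `fscanf` conversion `"%[^ \n]s"` has no field width for the 1024-byte `profile` buffer and its trailing `s` is a literal character to match, not part of the conversion; `"%1023[^ \n]"` is the intended form.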
diff --git a/test/zdtm/live/static/apparmor.checkskip b/test/zdtm/live/static/apparmor.checkskip new file mode 100755 index 000000000..eb506f15d --- /dev/null +++ b/test/zdtm/live/static/apparmor.checkskip @@ -0,0 +1,3 @@ +#!/bin/bash + +test -d /sys/kernel/security/apparmor diff --git a/test/zdtm/live/static/apparmor.profile b/test/zdtm/live/static/apparmor.profile new file mode 100644 index 000000000..69b1b259b --- /dev/null +++ b/test/zdtm/live/static/apparmor.profile @@ -0,0 +1,8 @@ +# vim:syntax=apparmor + +profile criu_test { + /** rwmlkix, + capability, + unix, + signal, +} |
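Review bot: The `criu_test` profile grants `/** rwmlkix` together with bare `capability,`, `unix,` and `signal,`, which permits essentially every file, capability, unix-socket and signal operation, and nothing in the file says this is deliberate. Since `apparmor_parser -r` installs it into the host kernel's live policy set and nothing visible in this commit unloads it afterwards, a later reader may reasonably try to tighten it and break the test. A header comment stating the intent would prevent that, for example `# Deliberately permissive: the test only needs a named profile that survives checkpoint/restore; this is not a security boundary.`. If a teardown step is ever added, `apparmor_parser -R apparmor.profile` is the matching unload.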