[CRIU] [PATCH v2 3/3] lsm: add a test for apparmor

Tycho Andersen tycho.andersen at canonical.com
Tue May 5 09:14:59 PDT 2015


Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 test/zdtm.sh                             |   2 +
 test/zdtm/.gitignore                     |   1 +
 test/zdtm/live/static/Makefile           |   1 +
 test/zdtm/live/static/apparmor.c         | 100 +++++++++++++++++++++++++++++++
 test/zdtm/live/static/apparmor.checkskip |   3 +
 test/zdtm/live/static/apparmor.profile   |   8 +++
 6 files changed, 115 insertions(+)
 create mode 100644 test/zdtm/live/static/apparmor.c
 create mode 100755 test/zdtm/live/static/apparmor.checkskip
 create mode 100644 test/zdtm/live/static/apparmor.profile

diff --git a/test/zdtm.sh b/test/zdtm.sh
index d3626f7..314f364 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -198,6 +198,7 @@ generate_test_list()
 		ns/static/clean_mntns
 		static/remap_dead_pid
 		static/poll
+		static/apparmor
 	"
 
 	TEST_CR_KERNEL="
@@ -328,6 +329,7 @@ mntns_rw_ro_rw
 netns-dev
 sockets00
 cow01
+apparmor
 "
 
 CRIU_CPT=$CRIU
diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore
index aee6b9e..8e58ef3 100644
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -1,4 +1,5 @@
 /lib/libzdtmtst.a
+/live/static/apparmor
 /live/static/arm-neon00
 /live/static/bind-mount
 /live/static/busyloop00
diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile
index 33a91f1..0f14752 100644
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -122,6 +122,7 @@ TST_NOFILE	=				\
 		remap_dead_pid			\
 		aio00				\
 		fd				\
+		apparmor				\
 #		jobctl00			\
 
 TST_FILE	=				\
diff --git a/test/zdtm/live/static/apparmor.c b/test/zdtm/live/static/apparmor.c
new file mode 100644
index 0000000..5da3f44
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.c
@@ -0,0 +1,100 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+const char *test_doc	= "Check that an apparmor profile is restored";
+const char *test_author	= "Tycho Andersen <tycho.andersen at canonical.com>";
+
+#define PROFILE "criu_test"
+
+int setprofile()
+{
+	char profile[1024];
+	int fd, len;
+
+	len = snprintf(profile, sizeof(profile), "changeprofile " PROFILE);
+	if (len < 0 || len >= sizeof(profile)) {
+		fail("bad sprintf\n");
+		return -1;
+	}
+
+	fd = open("/proc/self/attr/current", O_WRONLY);
+	if (fd < 0) {
+		fail("couldn't open fd\n");
+		return -1;
+	}
+
+	/* apparmor wants this in exactly one write, so we use write() here
+	 * vs. fprintf Just To Be Sure */
+	len = write(fd, profile, len);
+	close(fd);
+
+	if (len < 0) {
+		fail("couldn't write profile\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+int checkprofile()
+{
+	FILE *f;
+	char path[PATH_MAX], profile[1024];
+	int len;
+
+	sprintf(path, "/proc/self/attr/current");
+
+	f = fopen(path, "r");
+	if (!f) {
+		fail("couldn't open lsm current\n");
+		return -1;
+	}
+
+	len = fscanf(f, "%[^ \n]s", profile);
+	fclose(f);
+	if (len != 1) {
+		fail("wrong number of items scanned %d\n", len);
+		return -1;
+	}
+
+	if (strcmp(profile, PROFILE) != 0) {
+		fail("bad profile .%s. expected .%s.\n", profile, PROFILE);
+		return -1;
+	}
+
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	test_init(argc, argv);
+
+	if (access("/sys/kernel/security/apparmor", F_OK) != 0) {
+		skip("apparmor not enabled\n");
+		return 1;
+	}
+
+	if (system("apparmor_parser -r apparmor.profile") < 0) {
+		fail("apparmor profile parse failed");
+		return -1;
+	}
+
+	setprofile();
+
+	test_daemon();
+	test_waitsig();
+
+	if (checkprofile(0) == 0)
+		pass();
+
+	return 0;
+}
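Review bot: The `system()` check in main only catches a failure to spawn the shell (`< 0`); an apparmor_parser run that rejects the profile exits non-zero, which system() reports as a positive status, so the test goes on with no profile loaded and fails later in checkprofile with a misleading message — change it to `if (system("apparmor_parser -r apparmor.profile") != 0)`. The return value of `setprofile()` is discarded on the next lines, so a failed changeprofile is only detected after the checkpoint/restore cycle; `if (setprofile() < 0) return -1;` would fail fast. In checkprofile the `%[^ \n]` conversion has no field width, so a label longer than the 1024-byte buffer overflows it; `len = fscanf(f, "%1023[^ \n]", profile);` bounds it (the trailing `s` in the current format is a literal match, not part of the conversion, and can be dropped). Both helpers are declared with empty parentheses, which is why `checkprofile(0)` compiles although the function takes no arguments; declaring them `int setprofile(void)` / `int checkprofile(void)` lets the compiler catch that.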
diff --git a/test/zdtm/live/static/apparmor.checkskip b/test/zdtm/live/static/apparmor.checkskip
new file mode 100755
index 0000000..eb506f1
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.checkskip
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+test -d /sys/kernel/security/apparmor
diff --git a/test/zdtm/live/static/apparmor.profile b/test/zdtm/live/static/apparmor.profile
new file mode 100644
index 0000000..69b1b25
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.profile
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+
+profile criu_test {
+	/** rwmlkix,
+	capability,
+	unix,
+	signal,
+}
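Review bot: The profile has no comment explaining why it grants everything (`/** rwmlkix`, `capability`, `unix`, `signal`), which reads like an oversight rather than a choice; presumably it is permissive because the test only verifies that the `criu_test` label survives checkpoint/restore, and a tighter profile would also have to allow what the restored process does. A one-line comment after the vim modeline, `# Deliberately permissive: the test only checks that the profile name is restored, not enforcement.`, would keep a later reader from tightening it and breaking the test.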
-- 
2.1.4


