[CRIU] [PATCH v3 3/3] lsm: add a test for apparmor
Tycho Andersen
tycho.andersen at canonical.com
Wed May 6 15:18:44 PDT 2015
Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
test/zdtm.sh | 2 +
test/zdtm/.gitignore | 1 +
test/zdtm/live/static/Makefile | 1 +
test/zdtm/live/static/apparmor.c | 100 +++++++++++++++++++++++++++++++
test/zdtm/live/static/apparmor.checkskip | 3 +
test/zdtm/live/static/apparmor.profile | 8 +++
6 files changed, 115 insertions(+)
create mode 100644 test/zdtm/live/static/apparmor.c
create mode 100755 test/zdtm/live/static/apparmor.checkskip
create mode 100644 test/zdtm/live/static/apparmor.profile
diff --git a/test/zdtm.sh b/test/zdtm.sh
index d3626f7..314f364 100755
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -198,6 +198,7 @@ generate_test_list()
ns/static/clean_mntns
static/remap_dead_pid
static/poll
+ static/apparmor
"
TEST_CR_KERNEL="
@@ -328,6 +329,7 @@ mntns_rw_ro_rw
netns-dev
sockets00
cow01
+apparmor
"
CRIU_CPT=$CRIU
diff --git a/test/zdtm/.gitignore b/test/zdtm/.gitignore
index aee6b9e..8e58ef3 100644
--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
@@ -1,4 +1,5 @@
/lib/libzdtmtst.a
+/live/static/apparmor
/live/static/arm-neon00
/live/static/bind-mount
/live/static/busyloop00
diff --git a/test/zdtm/live/static/Makefile b/test/zdtm/live/static/Makefile
index 33a91f1..0f14752 100644
--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -122,6 +122,7 @@ TST_NOFILE = \
remap_dead_pid \
aio00 \
fd \
+ apparmor \
# jobctl00 \
TST_FILE = \
diff --git a/test/zdtm/live/static/apparmor.c b/test/zdtm/live/static/apparmor.c
new file mode 100644
index 0000000..5da3f44
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.c
@@ -0,0 +1,100 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+const char *test_doc = "Check that an apparmor profile is restored";
+const char *test_author = "Tycho Andersen <tycho.andersen at canonical.com>";
+
+#define PROFILE "criu_test"
+
+int setprofile()
+{
+ char profile[1024];
+ int fd, len;
+
+ len = snprintf(profile, sizeof(profile), "changeprofile " PROFILE);
+ if (len < 0 || len >= sizeof(profile)) {
+ fail("bad sprintf\n");
+ return -1;
+ }
+
+ fd = open("/proc/self/attr/current", O_WRONLY);
+ if (fd < 0) {
+ fail("couldn't open fd\n");
+ return -1;
+ }
+
+ /* apparmor wants this in exactly one write, so we use write() here
+ * vs. fprintf Just To Be Sure */
+ len = write(fd, profile, len);
+ close(fd);
+
+ if (len < 0) {
+ fail("couldn't write profile\n");
+ return -1;
+ }
+
+ return 0;
+}
+
+int checkprofile()
+{
+ FILE *f;
+ char path[PATH_MAX], profile[1024];
+ int len;
+
+ sprintf(path, "/proc/self/attr/current");
+
+ f = fopen(path, "r");
+ if (!f) {
+ fail("couldn't open lsm current\n");
+ return -1;
+ }
+
+ len = fscanf(f, "%[^ \n]s", profile);
+ fclose(f);
+ if (len != 1) {
+ fail("wrong number of items scanned %d\n", len);
+ return -1;
+ }
+
+ if (strcmp(profile, PROFILE) != 0) {
+ fail("bad profile .%s. expected .%s.\n", profile, PROFILE);
+ return -1;
+ }
+
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ test_init(argc, argv);
+
+ if (access("/sys/kernel/security/apparmor", F_OK) != 0) {
+ skip("apparmor not enabled\n");
+ return 1;
+ }
+
+ if (system("apparmor_parser -r apparmor.profile") < 0) {
+ fail("apparmor profile parse failed");
+ return -1;
+ }
+
+ setprofile();
+
+ test_daemon();
+ test_waitsig();
+
+ if (checkprofile(0) == 0)
+ pass();
+
+ return 0;
+}
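Review bot: The guard `if (system("apparmor_parser -r apparmor.profile") < 0)` only catches a failure to spawn the shell; a parser that runs but exits non-zero (malformed profile, missing binary, insufficient privilege) yields a non-negative wait status, so the test carries on with no profile loaded and the eventual failure surfaces in checkprofile() with a misleading message — `if (system("apparmor_parser -r apparmor.profile") != 0)` (or checking `WEXITSTATUS`) would report it at the right place. The return value of `setprofile();` is likewise discarded, so a failed changeprofile write is indistinguishable from a restore bug; `if (setprofile() < 0) return -1;` keeps the two apart. The conversion in `fscanf(f, "%[^ \n]s", profile)` has no field width, so `%1023[^ \n]` should be used to bound it to the 1024-byte buffer (the trailing `s` is matched as a literal character, not part of the scanset). Finally, `checkprofile(0)` passes an argument to a function declared with an empty parameter list; declaring both helpers `(void)` and calling `checkprofile()` keeps the prototypes honest.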
diff --git a/test/zdtm/live/static/apparmor.checkskip b/test/zdtm/live/static/apparmor.checkskip
new file mode 100755
index 0000000..eb506f1
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.checkskip
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+test -d /sys/kernel/security/apparmor
diff --git a/test/zdtm/live/static/apparmor.profile b/test/zdtm/live/static/apparmor.profile
new file mode 100644
index 0000000..69b1b25
--- /dev/null
+++ b/test/zdtm/live/static/apparmor.profile
@@ -0,0 +1,8 @@
+# vim:syntax=apparmor
+
+profile criu_test {
+ /** rwmlkix,
+ capability,
+ unix,
+ signal,
+}
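Review bot: The profile grants nearly everything — `/** rwmlkix`, bare `capability`, `unix` and `signal` — without a comment saying this is intentional, so a reader could mistake it for a realistic confinement example. A header such as `# Deliberately permissive: exists only so the test process can be confined under a known name and that name checked after restore; not a security boundary.` would make the intent explicit. Since apparmor.c loads it into the running kernel with `apparmor_parser -r` and nothing visible in this patch unloads it, the comment could also note that `criu_test` remains resident on the host after the test completes.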
--
2.1.4