[CRIU] [PATCH v4 6/7] tests: add a test for apparmor_stacking

Tycho Andersen tycho.andersen at canonical.com
Thu Oct 27 15:55:00 PDT 2016


v2: use a profile that doesn't have "unix" to test the suspend feature too
v3: use "/" in the profile names to make sure this works

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
---
 test/zdtm/static/Makefile                  |   1 +
 test/zdtm/static/apparmor_stacking.c       | 148 +++++++++++++++++++++++++++++
 test/zdtm/static/apparmor_stacking.desc    |   1 +
 test/zdtm/static/apparmor_stacking.hook    |  10 ++
 test/zdtm/static/apparmor_stacking.profile |   3 +
 5 files changed, 163 insertions(+)
 create mode 100644 test/zdtm/static/apparmor_stacking.c
 create mode 100644 test/zdtm/static/apparmor_stacking.desc
 create mode 100755 test/zdtm/static/apparmor_stacking.hook
 create mode 100644 test/zdtm/static/apparmor_stacking.profile

diff --git a/test/zdtm/static/Makefile b/test/zdtm/static/Makefile
index 6e734b2..5abec70 100644
--- a/test/zdtm/static/Makefile
+++ b/test/zdtm/static/Makefile
@@ -139,6 +139,7 @@ TST_NOFILE	:=				\
 		aio01				\
 		fd				\
 		apparmor				\
+		apparmor_stacking				\
 		seccomp_strict			\
 		seccomp_filter			\
 		seccomp_filter_tsync			\
diff --git a/test/zdtm/static/apparmor_stacking.c b/test/zdtm/static/apparmor_stacking.c
new file mode 100644
index 0000000..cf67a15
--- /dev/null
+++ b/test/zdtm/static/apparmor_stacking.c
@@ -0,0 +1,148 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <sys/socket.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+const char *test_doc	= "Check apparmor stacking is correctly restored";
+const char *test_author	= "Tycho Andersen <tycho.andersen at canonical.com>";
+
+static int setprofile(char *to)
+{
+	char profile[1024];
+	int fd, len;
+
+	len = snprintf(profile, sizeof(profile), "changeprofile %s", to);
+	if (len < 0 || len >= sizeof(profile)) {
+		fail("bad sprintf\n");
+		return -1;
+	}
+
+	fd = open("/proc/self/attr/current", O_WRONLY);
+	if (fd < 0) {
+		fail("couldn't open fd\n");
+		return -1;
+	}
+
+	len = write(fd, profile, len);
+	close(fd);
+
+	if (len < 0) {
+		fail("couldn't write profile\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+static int checkprofile(pid_t pid, char *expected)
+{
+	FILE *f;
+	char path[PATH_MAX], profile[1024];
+	int len;
+
+	sprintf(path, "/proc/%d/attr/current", pid);
+
+	f = fopen(path, "r");
+	if (!f) {
+		fail("couldn't open lsm current\n");
+		return -1;
+	}
+
+	len = fscanf(f, "%[^ \n]s", profile);
+	fclose(f);
+	if (len != 1) {
+		fail("wrong number of items scanned %d\n", len);
+		return -1;
+	}
+
+	if (strcmp(profile, expected) != 0) {
+		fail("bad profile .%s. expected .%s.\n", profile, expected);
+		return -1;
+	}
+
+	return 0;
+}
+
+static void prepare_namespace(int sk)
+{
+	if (mkdir("/sys/kernel/security/apparmor/policy/namespaces/criu_stacking_test", 0755) && errno != EEXIST) {
+		fail("mkdir");
+		exit(1);
+	}
+
+	if (setprofile(":criu_stacking_test:") < 0)
+		exit(1);
+
+	if (system("apparmor_parser -r apparmor_stacking.profile") < 0) {
+		fail("system");
+		exit(1);
+	}
+
+	if (setprofile("criu/stacking/test") < 0)
+		exit(1);
+
+	if (write(sk, "d", 1) != 1) {
+		fail("write");
+		exit(1);
+	}
+
+	while (1)
+		sleep(1000);
+}
+
+int main(int argc, char **argv)
+{
+	pid_t pid;
+	int sk_pair[2], sk, ret = 1;
+	char c;
+
+	test_init(argc, argv);
+
+	if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, sk_pair)) {
+		fail("socketpair");
+		return 1;
+	}
+
+	pid = fork();
+	if (pid < 0) {
+		fail("fork");
+		return 1;
+	}
+
+	if (!pid) {
+		sk = sk_pair[1];
+		close(sk_pair[0]);
+
+		prepare_namespace(sk);
+	}
+
+	sk = sk_pair[0];
+	close(sk_pair[1]);
+
+	if ((ret = read(sk, &c, 1)) != 1) {
+		pr_perror("read %d", ret);
+		goto out;
+	}
+
+	test_daemon();
+	test_waitsig();
+
+	if (checkprofile(pid, ":criu_stacking_test://criu/stacking/test") < 0)
+		goto out;
+
+	ret = 0;
+	pass();
+
+out:
+	kill(pid, SIGKILL);
+	rmdir("/sys/kernel/security/apparmor/policy/namespaces/criu_stacking_test");
+	return ret;
+}
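Review bot: The `system()` check in prepare_namespace (`if (system("apparmor_parser -r apparmor_stacking.profile") < 0)`) only catches a failure to spawn the shell; a non-zero exit from apparmor_parser comes back as a positive wait status, so a failed profile load goes unnoticed until the later `setprofile("criu/stacking/test")` fails with a less specific error. Test the exit status instead: `ret = system("apparmor_parser -r apparmor_stacking.profile"); if (ret == -1 || !WIFEXITED(ret) || WEXITSTATUS(ret) != 0)`, which needs `<sys/wait.h>`. Related, in main the `read()` result is stored in `ret` and then returned, so a child that exits early (read returns 0) makes the test exit with status 0; keep `ret = 1` and write the check as `if (read(sk, &c, 1) != 1)`. In checkprofile the `fscanf` format `%[^ \n]s` has no field width for the 1024-byte `profile` buffer and the trailing `s` is a stray literal that is never matched; `%1023[^ \n]` bounds the read. `errno` is used in prepare_namespace but `<errno.h>` is not included here, so it presumably arrives via zdtmtst.h — worth including directly.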
diff --git a/test/zdtm/static/apparmor_stacking.desc b/test/zdtm/static/apparmor_stacking.desc
new file mode 100644
index 0000000..6693202
--- /dev/null
+++ b/test/zdtm/static/apparmor_stacking.desc
@@ -0,0 +1 @@
+{'flavor': 'h', 'flags': 'suid', 'feature': 'apparmor_stacking'}
diff --git a/test/zdtm/static/apparmor_stacking.hook b/test/zdtm/static/apparmor_stacking.hook
new file mode 100755
index 0000000..db39c2e
--- /dev/null
+++ b/test/zdtm/static/apparmor_stacking.hook
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+[ "$1" == "--clean" -o "$1" == "--pre-restore" ] || exit 0
+
+dir="/sys/kernel/security/apparmor/policy/namespaces/criu_stacking_test"
+
+echo "Cleaning $dir"
+if [ -d $dir ]; then
+  rmdir $dir
+fi
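Review bot: The guard on the third line joins two comparisons with `-o` inside one `[ ]`, a form POSIX marks obsolescent because `[` cannot reliably tell operands from operators; `[ "$1" = "--clean" ] || [ "$1" = "--pre-restore" ] || exit 0` is the unambiguous spelling (the shebang is bash, so `==` works but is not needed). `$dir` is a fixed path here, but `[ -d "$dir" ]` and `rmdir "$dir"` are the habit to keep, and a failing `rmdir` currently leaves no trace in the hook output; `rmdir "$dir" || echo "rmdir $dir failed" >&2` would make a stale policy namespace visible.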
diff --git a/test/zdtm/static/apparmor_stacking.profile b/test/zdtm/static/apparmor_stacking.profile
new file mode 100644
index 0000000..4b49998
--- /dev/null
+++ b/test/zdtm/static/apparmor_stacking.profile
@@ -0,0 +1,3 @@
+# vim:syntax=apparmor
+
+profile criu/stacking/test {}
-- 
2.9.3


