[mirror_lxc.git] / src / tests / lxc-test-apparmor-generated

#!/bin/sh

# lxc: linux Container library

# This is a test script for generated apparmor profiles

# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

if ! which apparmor_parser >/dev/null 2>&1; then
	echo 'SKIP: test for generated apparmor profiles: apparmor_parser missing'
fi
exit 0

DONE=0
KNOWN_RELEASES="precise trusty xenial yakkety zesty"
LOGFILE="/tmp/lxc-test-$$.log"
cleanup() {
	lxc-destroy -n $CONTAINER_NAME >/dev/null 2>&1 || true

	if [ $DONE -eq 0 ]; then
		[ -f "$LOGFILE" ] && cat "$LOGFILE" >&2
		rm -f "$LOGFILE"
		echo "FAIL"
		exit 1
	fi
	rm -f "$LOGFILE"
	echo "PASS"
}

ARCH=i386
if type dpkg >/dev/null 2>&1; then
	ARCH=$(dpkg --print-architecture)
fi

trap cleanup EXIT HUP INT TERM
set -eu

# Create a container
CONTAINER_NAME=lxc-test-apparmor-generated

# default release is trusty, or the systems release if recognized
release=trusty
if [ -f /etc/lsb-release ]; then
    . /etc/lsb-release
    rels=$(ubuntu-distro-info --supported 2>/dev/null) ||
        rels="$KNOWN_RELEASES"
    for r in $rels; do
        [ "$DISTRIB_CODENAME" = "$r" ] && release="$r"
    done
fi

lxc-create -t download -n $CONTAINER_NAME -B dir -- -d ubuntu -r $release -a $ARCH
CONTAINER_PATH=$(dirname $(lxc-info -n $CONTAINER_NAME -c lxc.rootfs.path -H) | sed -e 's/dir://')
cp $CONTAINER_PATH/config $CONTAINER_PATH/config.bak

# Set the profile to be auto-generated
echo "lxc.apparmor.profile = generated" >> $CONTAINER_PATH/config

# Start it
lxc-start -n $CONTAINER_NAME -lDEBUG -o "$LOGFILE"
lxc-wait -n $CONTAINER_NAME -t 5 -s RUNNING || (echo "Container didn't start" && exit 1)
pid=`lxc-info -p -H -n $CONTAINER_NAME`
profile=`cat /proc/$pid/attr/current`
expected_profile="lxc-${CONTAINER_NAME}_</var/lib/lxc>//&:lxc-${CONTAINER_NAME}_<-var-lib-lxc>:unconfined (enforce)"
lxc-stop -n $CONTAINER_NAME -k
if [ "x$profile" != "x$expected_profile" ]; then
	echo "FAIL: container was in profile $profile" >&2
	echo "expected profile: $expected_profile" >&2
	exit 1
fi

DONE=1
Commit	Line	Data
e7311a84 WB	1	#!/bin/sh
	2
	3	# lxc: linux Container library
	4
	5	# This is a test script for generated apparmor profiles
	6
	7	# This library is free software; you can redistribute it and/or
	8	# modify it under the terms of the GNU Lesser General Public
	9	# License as published by the Free Software Foundation; either
	10	# version 2.1 of the License, or (at your option) any later version.
	11
	12	# This library is distributed in the hope that it will be useful,
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	15	# Lesser General Public License for more details.
	16
	17	# You should have received a copy of the GNU Lesser General Public
	18	# License along with this library; if not, write to the Free Software
	19	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
	20
	21	if ! which apparmor_parser >/dev/null 2>&1; then
	22	echo 'SKIP: test for generated apparmor profiles: apparmor_parser missing'
	23	fi
	24	exit 0
	25
	26	DONE=0
	27	KNOWN_RELEASES="precise trusty xenial yakkety zesty"
	28	LOGFILE="/tmp/lxc-test-$$.log"
	29	cleanup() {
	30	lxc-destroy -n $CONTAINER_NAME >/dev/null 2>&1 \|\| true
	31
	32	if [ $DONE -eq 0 ]; then
	33	[ -f "$LOGFILE" ] && cat "$LOGFILE" >&2
	34	rm -f "$LOGFILE"
	35	echo "FAIL"
	36	exit 1
	37	fi
	38	rm -f "$LOGFILE"
	39	echo "PASS"
	40	}
	41
	42	ARCH=i386
	43	if type dpkg >/dev/null 2>&1; then
	44	ARCH=$(dpkg --print-architecture)
	45	fi
	46
	47	trap cleanup EXIT HUP INT TERM
	48	set -eu
	49
	50	# Create a container
	51	CONTAINER_NAME=lxc-test-apparmor-generated
	52
	53	# default release is trusty, or the systems release if recognized
	54	release=trusty
	55	if [ -f /etc/lsb-release ]; then
	56	. /etc/lsb-release
	57	rels=$(ubuntu-distro-info --supported 2>/dev/null) \|\|
	58	rels="$KNOWN_RELEASES"
	59	for r in $rels; do
	60	[ "$DISTRIB_CODENAME" = "$r" ] && release="$r"
	61	done
	62	fi
	63
	64	lxc-create -t download -n $CONTAINER_NAME -B dir -- -d ubuntu -r $release -a $ARCH
65	CONTAINER_PATH=$(dirname $(lxc-info -n $CONTAINER_NAME -c lxc.rootfs.path -H) \| sed -e 's/dir://')
66	cp $CONTAINER_PATH/config $CONTAINER_PATH/config.bak
67
68	# Set the profile to be auto-generated
69	echo "lxc.apparmor.profile = generated" >> $CONTAINER_PATH/config
70
71	# Start it
72	lxc-start -n $CONTAINER_NAME -lDEBUG -o "$LOGFILE"
73	lxc-wait -n $CONTAINER_NAME -t 5 -s RUNNING \|\| (echo "Container didn't start" && exit 1)
74	pid=`lxc-info -p -H -n $CONTAINER_NAME`
75	profile=`cat /proc/$pid/attr/current`
76	expected_profile="lxc-${CONTAINER_NAME}_</var/lib/lxc>//&:lxc-${CONTAINER_NAME}_<-var-lib-lxc>:unconfined (enforce)"
77	lxc-stop -n $CONTAINER_NAME -k
78	if [ "x$profile" != "x$expected_profile" ]; then
79	echo "FAIL: container was in profile $profile" >&2
80	echo "expected profile: $expected_profile" >&2
81	exit 1
82	fi
83
84	DONE=1