#!/bin/sh

# apparmor_mount: test proper handling of apparmor in kernels
# without mount features

# These require the ubuntu lxc package to be installed.

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This test assumes an Ubuntu host

# Stop at the first failing command; the EXIT trap installed further
# down turns any early exit into a reported failure.
set -e

# Only run on a normally configured ubuntu lxc system: the host bridge
# must exist, and root is needed to create the test user and cgroups.
[ -d /sys/class/net/lxcbr0 ] || {
    echo "lxcbr0 is not configured."
    exit 1
}
[ "$(id -u)" = "0" ] || {
    echo "ERROR: Must run as root."
    exit 1
}

# AppArmor label a confined container is expected to run under.  Hosts
# with cgroup namespace support use a separate default profile.
default_profile="lxc-container-default (enforce)"
if [ -f /proc/self/ns/cgroup ]; then
    default_profile="lxc-container-default-cgns (enforce)"
fi

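# Report "Failed <args>" on stderr and abort the run with status 1.
# printf replaces "echo -n": this script runs under /bin/sh, where
# echo's treatment of -n is not portable.
FAIL() {
    printf 'Failed %s\n' "$*" >&2
    exit 1
}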
47 | ||
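# Run a command as the unprivileged test user ($TUSER) via a login
# shell, forwarding the caller's proxy and sanitizer settings and
# pointing XDG_RUNTIME_DIR at the per-user runtime dir created below.
# The command and its arguments are passed through as "$@": the
# original unquoted $* re-split every argument on whitespace and
# expanded glob characters before sudo ever saw them.
run_cmd() {
    sudo -i -u "$TUSER" \
        env http_proxy="${http_proxy:-}" https_proxy="${https_proxy:-}" \
        XDG_RUNTIME_DIR="/run/user/$(id -u "$TUSER")" \
        ASAN_OPTIONS="${ASAN_OPTIONS:-}" UBSAN_OPTIONS="${UBSAN_OPTIONS:-}" \
        "$@"
}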
54 | ||
# Test state shared with cleanup().
DONE=0            # becomes 1 only after the last check; cleanup() prints PASS/FAIL from it
MOUNTSR=/sys/kernel/security/apparmor/features/mount   # securityfs dir advertising mount mediation
dnam=$(mktemp -d)       # empty dir later bind-mounted over $MOUNTSR; also names the container
logfile=$(mktemp)       # lxc debug log of the container under test
cname=${dnam##*/}       # container name: last path component of the temp dir
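# EXIT trap: tear down everything the script created and print the
# verdict.  DONE is set to 1 only after the last check, so any earlier
# exit (a failing command under "set -e", or an explicit "exit 1") is
# reported as a failure together with the container log.
#
# The per-user teardown is guarded on TUSER being set.  The trap is
# installed before the test user is defined, and with TUSER empty the
# unquoted "$(id -u $TUSER)" evaluated to plain "id -u", i.e. 0 for
# this root-only script: the original "pkill -u 0 -9" would SIGKILL
# every root process on the host and "rm -Rf /run/user/0" would delete
# root's runtime directory.
cleanup() {
    if [ -n "${TUSER:-}" ]; then
        run_cmd lxc-destroy -f -n "$cname" || true
    fi
    umount -l "$MOUNTSR" || true
    rmdir "$dnam" || true
    if [ -n "${TUSER:-}" ]; then
        pkill -u "$(id -u "$TUSER")" -9 || true
        sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
        sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
        # ":?" refuses to run with an empty HDIR, which would otherwise
        # turn the home directory path into a bare "/home/"-style prefix
        rm -Rf -- "${HDIR:?}" "/run/user/$(id -u "$TUSER")"
        deluser "$TUSER"
    fi
    if [ "$DONE" -eq 0 ]; then
        echo 'Failed container log:' >&2
        cat "$logfile" >&2
        echo 'End log' >&2
        rm -f "$logfile"
        echo "FAIL"
        exit 1
    fi
    rm -f "$logfile"
    echo "PASS"
}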
80 | ||
# Empty the container log between test cases so that a failure dumps
# only the log of the case that failed.
clear_log() {
    : > "$logfile"
}
84 | ||
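# Install the teardown/verdict handler before anything else is changed
# on the host, so every later failure is cleaned up and reported.
trap cleanup exit

# The container is started by the unprivileged test user (via run_cmd)
# and writes its debug log to this root-created file, so the file has
# to be writable for that user.  TUSER is not defined yet at this point,
# hence the broad mode instead of a chown.
chmod 0666 "$logfile"

# This would be much simpler if we could run it as
# root. However, in order to not have the bind mount
# of an empty directory over the securityfs 'mount' directory
# be removed, we need to do this as non-root.

# newuidmap is required for the user namespace of an unprivileged
# container.  "command -v" is the POSIX test for an available command;
# 'which' is an external tool that /bin/sh does not guarantee.
command -v newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
# create a test user
TUSER=lxcunpriv
HDIR=/home/$TUSER
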
# Recreate the test user from scratch: drop any account and home
# directory left behind by an aborted earlier run, then add it again.
if deluser "$TUSER"; then
    rm -Rf "$HDIR" || true
fi
useradd "$TUSER"

mkdir -p "$HDIR"
# lxc-usernet entry: user, device type, bridge, number of devices
echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
# start from clean subordinate id ranges before assigning new ones
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

usermod -v 910000-919999 -w 910000-919999 "$TUSER"

# Default container config for the user: veth on the host bridge and
# an id mapping inside the subordinate ranges granted above.
mkdir -p "$HDIR/.config/lxc/"
cat > "$HDIR/.config/lxc/default.conf" <<'EOF'
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.idmap = u 0 910000 9999
lxc.idmap = g 0 910000 9999
EOF
chown -R "$TUSER": "$HDIR"

# runtime dir that run_cmd exports as XDG_RUNTIME_DIR
mkdir -p "/run/user/$(id -u "$TUSER")"
chown -R "$TUSER": "/run/user/$(id -u "$TUSER")"

cd "$HDIR"

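# Move this process (and therefore the containers it starts through
# run_cmd) into a cgroup owned by the test user, using whichever
# cgroup manager the host offers: the cgm CLI, the cgmanager D-Bus
# socket, or plain cgroupfs.  "command -v" replaces 'which' for the
# same reason as above: it is the POSIX way to test for a command.
if command -v cgm >/dev/null 2>&1; then
    cgm create all "$TUSER"
    cgm chown all "$TUSER" "$(id -u "$TUSER")" "$(id -g "$TUSER")"
    cgm movepid all "$TUSER" $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
    # one Create/Chown/MovePid round per controller listed for this process;
    # the substitution is left unquoted on purpose to split on whitespace
    for d in $(cut -d : -f 2 /proc/self/cgroup); do
        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
            string:"$d" string:"$TUSER" >/dev/null

        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
            string:"$d" string:"$TUSER" int32:"$(id -u "$TUSER")" int32:"$(id -g "$TUSER")" >/dev/null

        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
            string:"$d" string:"$TUSER" int32:$$ >/dev/null
    done
else
    for d in /sys/fs/cgroup/*; do
        # the per-controller "tasks" setup below applies to v1 mounts only
        [ "$d" = "/sys/fs/cgroup/unified" ] && continue
        [ -f "$d/cgroup.clone_children" ] && echo 1 > "$d/cgroup.clone_children"
        [ ! -d "$d/lxctest" ] && mkdir "$d/lxctest"
        chown -R "$TUSER": "$d/lxctest"
        echo $$ > "$d/lxctest/tasks"
    done
fi
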
# The container every check below starts, stops and reconfigures.
run_cmd lxc-create -t busybox -n "$cname"

# 1. With mount mediation available, the default configuration must
#    come up confined under the expected profile.
echo "test default confined container"
run_cmd lxc-start -n "$cname" -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n "$cname" -s RUNNING
pid=$(run_cmd lxc-info -p -H -n "$cname")
profile=$(cat "/proc/$pid/attr/current")
case "$profile" in
    "$default_profile") ;;
    *)
        echo "FAIL: confined container was in profile $profile"
        exit 1
        ;;
esac
run_cmd lxc-stop -n "$cname" -k
clear_log

# 2. Asking for lxc.apparmor.profile = unconfined must leave the
#    container unconfined.
echo "test regular unconfined container"
echo "lxc.apparmor.profile = unconfined" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n "$cname" -s RUNNING
pid=$(run_cmd lxc-info -p -H -n "$cname")
profile=$(cat "/proc/$pid/attr/current")
if [ "$profile" != "unconfined" ]; then
    echo "FAIL: unconfined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n "$cname" -k
clear_log

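# Hide the kernel's mount-mediation feature directory by bind-mounting
# the empty temp dir over it: from here on lxc sees an AppArmor that
# cannot mediate mounts.
echo "masking $MOUNTSR"
mount --bind "$dnam" "$MOUNTSR"

# 3. The default (confined) configuration must now refuse to start.
#    lxc-start is expected to fail and lxc-info may report no pid or
#    -1, so both are tolerated; the check is whether a process exists.
echo "test default confined container"
sed -i '/apparmor.profile/d' "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d || true
sleep 3
pid=$(run_cmd lxc-info -p -H -n "$cname") || true
# two tests joined by && instead of the obsolescent "-a" binary operator
if [ -n "$pid" ] && [ "$pid" != "-1" ]; then
    echo "FAIL: confined container started without mount restrictions"
    echo "pid was $pid"
    exit 1
fi
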
# 4. An unconfined container must still start with mount mediation
#    masked, and must really end up unconfined.
echo "test regular unconfined container"
echo "lxc.apparmor.profile = unconfined" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n "$cname" -s RUNNING
pid=$(run_cmd lxc-info -p -H -n "$cname")
[ "$pid" != "-1" ] || {
    echo "FAIL: unconfined container failed to start without mount restrictions"
    exit 1
}
profile=$(cat "/proc/$pid/attr/current")
[ "$profile" = "unconfined" ] || {
    echo "FAIL: confined container was in profile $profile"
    exit 1
}
run_cmd lxc-stop -n "$cname" -k
clear_log

# 5. lxc.apparmor.allow_incomplete = 1 overrides the refusal: the
#    container must start and still be confined under the default
#    profile although mount mediation is unavailable.
echo "testing override"
sed -i '/apparmor.profile/d' "$HDIR/.local/share/lxc/$cname/config"
echo "lxc.apparmor.allow_incomplete = 1" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n "$cname" -s RUNNING
pid=$(run_cmd lxc-info -p -H -n "$cname")
if [ "$pid" = "-1" ]; then
    echo "FAIL: excepted container failed to start without mount restrictions"
    exit 1
fi
profile=$(cat "/proc/$pid/attr/current")
case "$profile" in
    "$default_profile") ;;
    *)
        echo "FAIL: confined container was in profile $profile"
        exit 1
        ;;
esac
run_cmd lxc-stop -n "$cname" -k
clear_log

# every check passed; cleanup() reports PASS from here on
DONE=1