[mirror_lxc.git] / src / tests / lxc-test-apparmor-mount

#!/bin/sh

# apparmor_mount: test proper handling of apparmor in kernels
# without mount features

# These require the ubuntu lxc package to be installed.

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This test assumes an Ubuntu host

set -e

# Only run on a normally configured ubuntu lxc system
if [ ! -d /sys/class/net/lxcbr0 ]; then
	echo "lxcbr0 is not configured."
	exit 1
fi
if [ "$(id -u)" != "0" ]; then
	echo "ERROR: Must run as root."
	exit 1
fi

if [ -f /proc/self/ns/cgroup ]; then
	default_profile="lxc-container-default-cgns (enforce)"
else
	default_profile="lxc-container-default (enforce)"
fi

FAIL() {
	echo -n "Failed " >&2
	echo "$*" >&2
	exit 1
}

run_cmd() {
	sudo -i -u $TUSER \
	    env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
	        XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) ASAN_OPTIONS=${ASAN_OPTIONS:-} \
		UBSAN_OPTIONS=${UBSAN_OPTIONS:-} $*
}

DONE=0
MOUNTSR=/sys/kernel/security/apparmor/features/mount
dnam=$(mktemp -d)
logfile=$(mktemp)
cname=$(basename $dnam)
cleanup() {
	run_cmd lxc-destroy -f -n $cname || true
	umount -l $MOUNTSR || true
	rmdir $dnam || true
	pkill -u $(id -u $TUSER) -9 || true
	sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
	rm -Rf $HDIR /run/user/$(id -u $TUSER)
	deluser $TUSER
	if [ $DONE -eq 0 ]; then
		echo 'Failed container log:' >&2
		cat "$logfile" >&2
		echo 'End log' >&2
		rm -f "$logfile"
		echo "FAIL"
		exit 1
	fi
	rm -f "$logfile"
	echo "PASS"
}

clear_log() {
	truncate -s0 "$logfile"
}

trap cleanup exit

chmod 0666 "$logfile"

# This would be much simpler if we could run it as
# root.  However, in order to not have the bind mount
# of an empty directory over the securityfs 'mount' directory
# be removed, we need to do this as non-root.

command -v newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
# create a test user
TUSER=lxcunpriv
HDIR=/home/$TUSER

deluser $TUSER && rm -Rf $HDIR || true
useradd $TUSER

mkdir -p $HDIR
echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

usermod -v 910000-919999 -w 910000-919999 $TUSER

mkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.idmap = u 0 910000 9999
lxc.idmap = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR

mkdir -p /run/user/$(id -u $TUSER)
chown -R $TUSER: /run/user/$(id -u $TUSER)

cd $HDIR

if command -v cgm >/dev/null 2>&1; then
	cgm create all $TUSER
	cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
	cgm movepid all $TUSER $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
	for d in $(cut -d : -f 2 /proc/self/cgroup); do
		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
			string:$d string:$TUSER >/dev/null

		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
			string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null

		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
			string:$d string:$TUSER int32:$$ >/dev/null
	done
else
	for d in /sys/fs/cgroup/*; do
		[ "$d" = "/sys/fs/cgroup/unified" ] && continue
		[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
		[ ! -d $d/lxctest ] && mkdir $d/lxctest
		chown -R $TUSER: $d/lxctest
		echo $$ > $d/lxctest/tasks
	done
fi


run_cmd lxc-create -t busybox -n $cname

echo "test default confined container"
run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=$(run_cmd lxc-info -p -H -n $cname)
profile=$(cat /proc/$pid/attr/current)
if [ "x$profile" != "x${default_profile}" ]; then
	echo "FAIL: confined container was in profile $profile"
	exit 1
fi
run_cmd lxc-stop -n $cname -k
clear_log

echo "test regular unconfined container"
echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=$(run_cmd lxc-info -p -H -n $cname)
profile=$(cat /proc/$pid/attr/current)
if [ "x$profile" != "xunconfined" ]; then
	echo "FAIL: unconfined container was in profile $profile"
	exit 1
fi
run_cmd lxc-stop -n $cname -k
clear_log

echo "masking $MOUNTSR"
mount --bind $dnam $MOUNTSR

echo "test default confined container"
sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d || true
sleep 3
pid=$(run_cmd lxc-info -p -H -n $cname) || true
if [ -n "$pid" -a "$pid" != "-1" ]; then
	echo "FAIL: confined container started without mount restrictions"
	echo "pid was $pid"
	exit 1
fi

echo "test regular unconfined container"
echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=$(run_cmd lxc-info -p -H -n $cname)
if [ "$pid" = "-1" ]; then
	echo "FAIL: unconfined container failed to start without mount restrictions"
	exit 1
fi
profile=$(cat /proc/$pid/attr/current)
if [ "x$profile" != "xunconfined" ]; then
	echo "FAIL: confined container was in profile $profile"
	exit 1
fi
run_cmd lxc-stop -n $cname -k
clear_log

echo "testing override"
sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
echo "lxc.apparmor.allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=$(run_cmd lxc-info -p -H -n $cname)
if [ "$pid" = "-1" ]; then
	echo "FAIL: excepted container failed to start without mount restrictions"
	exit 1
fi
profile=$(cat /proc/$pid/attr/current)
if [ "x$profile" != "x${default_profile}" ]; then
	echo "FAIL: confined container was in profile $profile"
	exit 1
fi
run_cmd lxc-stop -n $cname -k
clear_log

DONE=1
Commit	Line	Data
7aff4f43 SH	1	#!/bin/sh
	2
	3	# apparmor_mount: test proper handling of apparmor in kernels
	4	# without mount features
	5
	6	# These require the ubuntu lxc package to be installed.
	7
	8	# This program is free software; you can redistribute it and/or
	9	# modify it under the terms of the GNU Lesser General Public
	10	# License as published by the Free Software Foundation; either
	11	# version 2.1 of the License, or (at your option) any later version.
	12
	13	# This library is distributed in the hope that it will be useful,
	14	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	# Lesser General Public License for more details.
	17
	18	# You should have received a copy of the GNU Lesser General Public
	19	# License along with this library; if not, write to the Free Software
	20	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
	21
	22	# This test assumes an Ubuntu host
	23
	24	set -e
	25
39e2cbec WB	26	# Only run on a normally configured ubuntu lxc system
	27	if [ ! -d /sys/class/net/lxcbr0 ]; then
	28	echo "lxcbr0 is not configured."
	29	exit 1
	30	fi
	31	if [ "$(id -u)" != "0" ]; then
	32	echo "ERROR: Must run as root."
	33	exit 1
	34	fi
	35
f58236fd SH	36	if [ -f /proc/self/ns/cgroup ]; then
	37	default_profile="lxc-container-default-cgns (enforce)"
	38	else
	39	default_profile="lxc-container-default (enforce)"
	40	fi
	41
7aff4f43 SH	42	FAIL() {
	43	echo -n "Failed " >&2
	44	echo "$*" >&2
	45	exit 1
	46	}
	47
	48	run_cmd() {
	49	sudo -i -u $TUSER \
	50	env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
5f850cf9 EV	51	XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) ASAN_OPTIONS=${ASAN_OPTIONS:-} \
5f850cf9 EV	52	UBSAN_OPTIONS=${UBSAN_OPTIONS:-} $*
7aff4f43 SH	53	}
	54
	55	DONE=0
	56	MOUNTSR=/sys/kernel/security/apparmor/features/mount
ac46b356 DH	57	dnam=$(mktemp -d)
	58	logfile=$(mktemp)
	59	cname=$(basename $dnam)
7aff4f43 SH	60	cleanup() {
	61	run_cmd lxc-destroy -f -n $cname \|\| true
	62	umount -l $MOUNTSR \|\| true
	63	rmdir $dnam \|\| true
d0ab6d91	64	pkill -u $(id -u $TUSER) -9 \|\| true
7aff4f43 SH	65	sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
	66	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
	67	rm -Rf $HDIR /run/user/$(id -u $TUSER)
	68	deluser $TUSER
	69	if [ $DONE -eq 0 ]; then
d6523915 WB	70	echo 'Failed container log:' >&2
	71	cat "$logfile" >&2
	72	echo 'End log' >&2
	73	rm -f "$logfile"
7aff4f43 SH	74	echo "FAIL"
	75	exit 1
	76	fi
d6523915	77	rm -f "$logfile"
7aff4f43 SH	78	echo "PASS"
	79	}
	80
d6523915 WB	81	clear_log() {
	82	truncate -s0 "$logfile"
	83	}
	84
7aff4f43 SH	85	trap cleanup exit
7aff4f43 SH	86
d6523915 WB	87	chmod 0666 "$logfile"
d6523915 WB	88
7aff4f43 SH	89	# This would be much simpler if we could run it as
7aff4f43 SH	90	# root. However, in order to not have the bind mount
c239013f	91	# of an empty directory over the securityfs 'mount' directory
7aff4f43 SH	92	# be removed, we need to do this as non-root.
7aff4f43 SH	93
4c69af0c	94	command -v newuidmap >/dev/null 2>&1 \|\| { echo "'newuidmap' command is missing" >&2; exit 1; }
7aff4f43 SH	95	# create a test user
	96	TUSER=lxcunpriv
	97	HDIR=/home/$TUSER
	98
7aff4f43 SH	99	deluser $TUSER && rm -Rf $HDIR \|\| true
	100	useradd $TUSER
	101
	102	mkdir -p $HDIR
efdca59e	103	echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
7aff4f43 SH	104	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
	105
	106	usermod -v 910000-919999 -w 910000-919999 $TUSER
	107
	108	mkdir -p $HDIR/.config/lxc/
	109	cat > $HDIR/.config/lxc/default.conf << EOF
7fa3f2e9	110	lxc.net.0.type = veth
7fa3f2e9	111	lxc.net.0.link = lxcbr0
bdcbb6b3 CB	112	lxc.idmap = u 0 910000 9999
bdcbb6b3 CB	113	lxc.idmap = g 0 910000 9999
7aff4f43 SH	114	EOF
	115	chown -R $TUSER: $HDIR
	116
	117	mkdir -p /run/user/$(id -u $TUSER)
	118	chown -R $TUSER: /run/user/$(id -u $TUSER)
	119
	120	cd $HDIR
	121
4c69af0c	122	if command -v cgm >/dev/null 2>&1; then
42e5c987 SG	123	cgm create all $TUSER
	124	cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
	125	cgm movepid all $TUSER $$
	126	elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
	127	for d in $(cut -d : -f 2 /proc/self/cgroup); do
	128	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	129	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
	130	string:$d string:$TUSER >/dev/null
	131
	132	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	133	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
	134	string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null
	135
	136	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	137	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
	138	string:$d string:$TUSER int32:$$ >/dev/null
	139	done
	140	else
	141	for d in /sys/fs/cgroup/*; do
8d5a91fc	142	[ "$d" = "/sys/fs/cgroup/unified" ] && continue
177f793a	143	[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
42e5c987 SG	144	[ ! -d $d/lxctest ] && mkdir $d/lxctest
	145	chown -R $TUSER: $d/lxctest
	146	echo $$ > $d/lxctest/tasks
	147	done
	148	fi
	149
7aff4f43	150
adb14537	151	run_cmd lxc-create -t busybox -n $cname
7aff4f43 SH	152
7aff4f43 SH	153	echo "test default confined container"
d6523915	154	run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
7aff4f43	155	run_cmd lxc-wait -n $cname -s RUNNING
ac46b356 DH	156	pid=$(run_cmd lxc-info -p -H -n $cname)
ac46b356 DH	157	profile=$(cat /proc/$pid/attr/current)
f58236fd	158	if [ "x$profile" != "x${default_profile}" ]; then
7aff4f43 SH	159	echo "FAIL: confined container was in profile $profile"
	160	exit 1
	161	fi
09ef0838	162	run_cmd lxc-stop -n $cname -k
d6523915	163	clear_log
7aff4f43 SH	164
7aff4f43 SH	165	echo "test regular unconfined container"
a1d5fdfd	166	echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
d6523915	167	run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
7aff4f43	168	run_cmd lxc-wait -n $cname -s RUNNING
ac46b356 DH	169	pid=$(run_cmd lxc-info -p -H -n $cname)
ac46b356 DH	170	profile=$(cat /proc/$pid/attr/current)
7aff4f43 SH	171	if [ "x$profile" != "xunconfined" ]; then
	172	echo "FAIL: unconfined container was in profile $profile"
	173	exit 1
	174	fi
09ef0838	175	run_cmd lxc-stop -n $cname -k
d6523915	176	clear_log
7aff4f43 SH	177
	178	echo "masking $MOUNTSR"
	179	mount --bind $dnam $MOUNTSR
	180
	181	echo "test default confined container"
a1d5fdfd	182	sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
7aff4f43 SH	183	run_cmd lxc-start -n $cname -d \|\| true
7aff4f43 SH	184	sleep 3
ac46b356	185	pid=$(run_cmd lxc-info -p -H -n $cname) \|\| true
7aff4f43 SH	186	if [ -n "$pid" -a "$pid" != "-1" ]; then
	187	echo "FAIL: confined container started without mount restrictions"
	188	echo "pid was $pid"
	189	exit 1
	190	fi
	191
	192	echo "test regular unconfined container"
a1d5fdfd	193	echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
d6523915	194	run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
7aff4f43	195	run_cmd lxc-wait -n $cname -s RUNNING
ac46b356	196	pid=$(run_cmd lxc-info -p -H -n $cname)
7aff4f43 SH	197	if [ "$pid" = "-1" ]; then
	198	echo "FAIL: unconfined container failed to start without mount restrictions"
	199	exit 1
	200	fi
ac46b356	201	profile=$(cat /proc/$pid/attr/current)
7aff4f43 SH	202	if [ "x$profile" != "xunconfined" ]; then
	203	echo "FAIL: confined container was in profile $profile"
	204	exit 1
	205	fi
09ef0838	206	run_cmd lxc-stop -n $cname -k
d6523915	207	clear_log
7aff4f43 SH	208
7aff4f43 SH	209	echo "testing override"
a1d5fdfd	210	sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
69e38e00	211	echo "lxc.apparmor.allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
d6523915	212	run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
7aff4f43	213	run_cmd lxc-wait -n $cname -s RUNNING
ac46b356	214	pid=$(run_cmd lxc-info -p -H -n $cname)
7aff4f43 SH	215	if [ "$pid" = "-1" ]; then
	216	echo "FAIL: excepted container failed to start without mount restrictions"
	217	exit 1
	218	fi
ac46b356	219	profile=$(cat /proc/$pid/attr/current)
f58236fd	220	if [ "x$profile" != "x${default_profile}" ]; then
7aff4f43 SH	221	echo "FAIL: confined container was in profile $profile"
	222	exit 1
	223	fi
09ef0838	224	run_cmd lxc-stop -n $cname -k
d6523915	225	clear_log
7aff4f43 SH	226
7aff4f43 SH	227	DONE=1