[mirror_lxc.git] / src / tests / lxc-test-apparmor-mount

#!/bin/sh

# apparmor_mount: test proper handling of apparmor in kernels
# without mount features

# These require the ubuntu lxc package to be installed.

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This test assumes an Ubuntu host

set -e

if [ -f /proc/self/ns/cgroup ]; then
	default_profile="lxc-container-default-cgns (enforce)"
else
	default_profile="lxc-container-default (enforce)"
fi

FAIL() {
	echo -n "Failed " >&2
	echo "$*" >&2
	exit 1
}

run_cmd() {
	sudo -i -u $TUSER \
	    env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
	        XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) $*
}

DONE=0
KNOWN_RELEASES="precise trusty xenial yakkety zesty"
MOUNTSR=/sys/kernel/security/apparmor/features/mount
dnam=`mktemp -d`
cname=`basename $dnam`
cleanup() {
	run_cmd lxc-destroy -f -n $cname || true
	umount -l $MOUNTSR || true
	rmdir $dnam || true
	pkill -u $(id -u $TUSER) -9 || true
	sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
	rm -Rf $HDIR /run/user/$(id -u $TUSER)
	deluser $TUSER
	if [ $DONE -eq 0 ]; then
		echo "FAIL"
		exit 1
	fi
	echo "PASS"
}

trap cleanup exit

# Only run on a normally configured ubuntu lxc system
if [ ! -d /sys/class/net/lxcbr0 ]; then
	echo "lxcbr0 is not configured."
	exit 1
fi
if [ "$(id -u)" != "0" ]; then
	echo "ERROR: Must run as root."
	exit 1
fi

# This would be much simpler if we could run it as
# root.  However, in order to not have the bind mount
# of an empty directory over the securitfs 'mount' directory
# be removed, we need to do this as non-root.

which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
# create a test user
TUSER=lxcunpriv
HDIR=/home/$TUSER

ARCH=i386
if type dpkg >/dev/null 2>&1; then
	ARCH=$(dpkg --print-architecture)
fi

deluser $TUSER && rm -Rf $HDIR || true
useradd $TUSER

mkdir -p $HDIR
echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

usermod -v 910000-919999 -w 910000-919999 $TUSER

mkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.id_map = u 0 910000 9999
lxc.id_map = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR

mkdir -p /run/user/$(id -u $TUSER)
chown -R $TUSER: /run/user/$(id -u $TUSER)

cd $HDIR

if which cgm >/dev/null 2>&1; then
	cgm create all $TUSER
	cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
	cgm movepid all $TUSER $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
	for d in $(cut -d : -f 2 /proc/self/cgroup); do
		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
			string:$d string:$TUSER >/dev/null

		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
			string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null

		dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
			--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
			string:$d string:$TUSER int32:$$ >/dev/null
	done
else
	for d in /sys/fs/cgroup/*; do
		[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
		[ ! -d $d/lxctest ] && mkdir $d/lxctest
		chown -R $TUSER: $d/lxctest
		echo $$ > $d/lxctest/tasks
	done
fi


run_cmd mkdir -p $HDIR/.cache/lxc
[ -d /var/cache/lxc/download ] && \
    cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
    chown -R $TUSER: $HDIR/.cache/lxc

# default release is trusty, or the systems release if recognized
release=trusty
if [ -f /etc/lsb-release ]; then
    . /etc/lsb-release
    rels=$(ubuntu-distro-info --supported 2>/dev/null) ||
        rels="$KNOWN_RELEASES"
    for r in $rels; do
        [ "$DISTRIB_CODENAME" = "$r" ] && release="$r"
    done
fi

run_cmd lxc-create -t download -n $cname -- -d ubuntu -r $release -a $ARCH

echo "test default confined container"
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
if [ "x$profile" != "x${default_profile}" ]; then
	echo "FAIL: confined container was in profile $profile"
	exit 1
fi
run_cmd lxc-stop -n $cname -k

echo "test regular unconfined container"
echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
if [ "x$profile" != "xunconfined" ]; then
	echo "FAIL: unconfined container was in profile $profile"
	exit 1
fi
run_cmd lxc-stop -n $cname -k

echo "masking $MOUNTSR"
mount --bind $dnam $MOUNTSR

echo "test default confined container"
sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d || true
sleep 3
pid=`run_cmd lxc-info -p -H -n $cname` || true
if [ -n "$pid" -a "$pid" != "-1" ]; then
	echo "FAIL: confined container started without mount restrictions"
	echo "pid was $pid"
	exit 1
fi

echo "test regular unconfined container"
echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
if [ "$pid" = "-1" ]; then
	echo "FAIL: unconfined container failed to start without mount restrictions"
	exit 1
fi
profile=`cat /proc/$pid/attr/current`
if [ "x$profile" != "xunconfined" ]; then
	echo "FAIL: confined container was in profile $profile"
	exit 1
fi
run_cmd lxc-stop -n $cname -k

echo "testing override"
sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
echo "lxc.aa_allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
if [ "$pid" = "-1" ]; then
	echo "FAIL: excepted container failed to start without mount restrictions"
	exit 1
fi
profile=`cat /proc/$pid/attr/current`
if [ "x$profile" != "x${default_profile}" ]; then
	echo "FAIL: confined container was in profile $profile"
	exit 1
fi
run_cmd lxc-stop -n $cname -k

DONE=1
Commit	Line	Data
7aff4f43 SH	1	#!/bin/sh
	2
	3	# apparmor_mount: test proper handling of apparmor in kernels
	4	# without mount features
	5
	6	# These require the ubuntu lxc package to be installed.
	7
	8	# This program is free software; you can redistribute it and/or
	9	# modify it under the terms of the GNU Lesser General Public
	10	# License as published by the Free Software Foundation; either
	11	# version 2.1 of the License, or (at your option) any later version.
	12
	13	# This library is distributed in the hope that it will be useful,
	14	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	# Lesser General Public License for more details.
	17
	18	# You should have received a copy of the GNU Lesser General Public
	19	# License along with this library; if not, write to the Free Software
	20	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
	21
	22	# This test assumes an Ubuntu host
	23
	24	set -e
	25
f58236fd SH	26	if [ -f /proc/self/ns/cgroup ]; then
	27	default_profile="lxc-container-default-cgns (enforce)"
	28	else
	29	default_profile="lxc-container-default (enforce)"
	30	fi
	31
7aff4f43 SH	32	FAIL() {
	33	echo -n "Failed " >&2
	34	echo "$*" >&2
	35	exit 1
	36	}
	37
	38	run_cmd() {
	39	sudo -i -u $TUSER \
	40	env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
	41	XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) $*
	42	}
	43
	44	DONE=0
0815a592	45	KNOWN_RELEASES="precise trusty xenial yakkety zesty"
7aff4f43 SH	46	MOUNTSR=/sys/kernel/security/apparmor/features/mount
	47	dnam=`mktemp -d`
	48	cname=`basename $dnam`
	49	cleanup() {
	50	run_cmd lxc-destroy -f -n $cname \|\| true
	51	umount -l $MOUNTSR \|\| true
	52	rmdir $dnam \|\| true
d0ab6d91	53	pkill -u $(id -u $TUSER) -9 \|\| true
7aff4f43 SH	54	sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
	55	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
	56	rm -Rf $HDIR /run/user/$(id -u $TUSER)
	57	deluser $TUSER
	58	if [ $DONE -eq 0 ]; then
	59	echo "FAIL"
	60	exit 1
	61	fi
	62	echo "PASS"
	63	}
	64
	65	trap cleanup exit
	66
	67	# Only run on a normally configured ubuntu lxc system
	68	if [ ! -d /sys/class/net/lxcbr0 ]; then
	69	echo "lxcbr0 is not configured."
	70	exit 1
	71	fi
	72	if [ "$(id -u)" != "0" ]; then
	73	echo "ERROR: Must run as root."
	74	exit 1
	75	fi
	76
	77	# This would be much simpler if we could run it as
	78	# root. However, in order to not have the bind mount
	79	# of an empty directory over the securitfs 'mount' directory
	80	# be removed, we need to do this as non-root.
	81
	82	which newuidmap >/dev/null 2>&1 \|\| { echo "'newuidmap' command is missing" >&2; exit 1; }
	83	# create a test user
	84	TUSER=lxcunpriv
	85	HDIR=/home/$TUSER
	86
	87	ARCH=i386
	88	if type dpkg >/dev/null 2>&1; then
	89	ARCH=$(dpkg --print-architecture)
	90	fi
	91
	92	deluser $TUSER && rm -Rf $HDIR \|\| true
	93	useradd $TUSER
	94
	95	mkdir -p $HDIR
efdca59e	96	echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
7aff4f43 SH	97	sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
	98
	99	usermod -v 910000-919999 -w 910000-919999 $TUSER
	100
	101	mkdir -p $HDIR/.config/lxc/
	102	cat > $HDIR/.config/lxc/default.conf << EOF
7fa3f2e9	103	lxc.net.0.type = veth
7fa3f2e9	104	lxc.net.0.link = lxcbr0
7aff4f43 SH	105	lxc.id_map = u 0 910000 9999
	106	lxc.id_map = g 0 910000 9999
	107	EOF
	108	chown -R $TUSER: $HDIR
	109
	110	mkdir -p /run/user/$(id -u $TUSER)
	111	chown -R $TUSER: /run/user/$(id -u $TUSER)
	112
	113	cd $HDIR
	114
42e5c987 SG	115	if which cgm >/dev/null 2>&1; then
	116	cgm create all $TUSER
	117	cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
	118	cgm movepid all $TUSER $$
	119	elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
	120	for d in $(cut -d : -f 2 /proc/self/cgroup); do
	121	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	122	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
	123	string:$d string:$TUSER >/dev/null
	124
	125	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	126	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
	127	string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null
	128
	129	dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
	130	--type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
	131	string:$d string:$TUSER int32:$$ >/dev/null
	132	done
	133	else
	134	for d in /sys/fs/cgroup/*; do
177f793a	135	[ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
42e5c987 SG	136	[ ! -d $d/lxctest ] && mkdir $d/lxctest
	137	chown -R $TUSER: $d/lxctest
	138	echo $$ > $d/lxctest/tasks
	139	done
	140	fi
	141
7aff4f43 SH	142
	143	run_cmd mkdir -p $HDIR/.cache/lxc
	144	[ -d /var/cache/lxc/download ] && \
	145	cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
	146	chown -R $TUSER: $HDIR/.cache/lxc
	147
64ea46c7 PHL	148	# default release is trusty, or the systems release if recognized
	149	release=trusty
	150	if [ -f /etc/lsb-release ]; then
	151	. /etc/lsb-release
	152	rels=$(ubuntu-distro-info --supported 2>/dev/null) \|\|
	153	rels="$KNOWN_RELEASES"
	154	for r in $rels; do
	155	[ "$DISTRIB_CODENAME" = "$r" ] && release="$r"
	156	done
	157	fi
	158
	159	run_cmd lxc-create -t download -n $cname -- -d ubuntu -r $release -a $ARCH
7aff4f43 SH	160
	161	echo "test default confined container"
	162	run_cmd lxc-start -n $cname -d
	163	run_cmd lxc-wait -n $cname -s RUNNING
	164	pid=`run_cmd lxc-info -p -H -n $cname`
	165	profile=`cat /proc/$pid/attr/current`
f58236fd	166	if [ "x$profile" != "x${default_profile}" ]; then
7aff4f43 SH	167	echo "FAIL: confined container was in profile $profile"
	168	exit 1
	169	fi
09ef0838	170	run_cmd lxc-stop -n $cname -k
7aff4f43 SH	171
	172	echo "test regular unconfined container"
	173	echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
	174	run_cmd lxc-start -n $cname -d
	175	run_cmd lxc-wait -n $cname -s RUNNING
	176	pid=`run_cmd lxc-info -p -H -n $cname`
	177	profile=`cat /proc/$pid/attr/current`
	178	if [ "x$profile" != "xunconfined" ]; then
	179	echo "FAIL: unconfined container was in profile $profile"
	180	exit 1
	181	fi
09ef0838	182	run_cmd lxc-stop -n $cname -k
7aff4f43 SH	183
	184	echo "masking $MOUNTSR"
	185	mount --bind $dnam $MOUNTSR
	186
	187	echo "test default confined container"
	188	sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
	189	run_cmd lxc-start -n $cname -d \|\| true
	190	sleep 3
	191	pid=`run_cmd lxc-info -p -H -n $cname` \|\| true
	192	if [ -n "$pid" -a "$pid" != "-1" ]; then
	193	echo "FAIL: confined container started without mount restrictions"
	194	echo "pid was $pid"
	195	exit 1
	196	fi
	197
	198	echo "test regular unconfined container"
	199	echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
	200	run_cmd lxc-start -n $cname -d
	201	run_cmd lxc-wait -n $cname -s RUNNING
	202	pid=`run_cmd lxc-info -p -H -n $cname`
	203	if [ "$pid" = "-1" ]; then
	204	echo "FAIL: unconfined container failed to start without mount restrictions"
	205	exit 1
	206	fi
	207	profile=`cat /proc/$pid/attr/current`
	208	if [ "x$profile" != "xunconfined" ]; then
	209	echo "FAIL: confined container was in profile $profile"
	210	exit 1
	211	fi
09ef0838	212	run_cmd lxc-stop -n $cname -k
7aff4f43 SH	213
	214	echo "testing override"
	215	sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
	216	echo "lxc.aa_allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
	217	run_cmd lxc-start -n $cname -d
	218	run_cmd lxc-wait -n $cname -s RUNNING
	219	pid=`run_cmd lxc-info -p -H -n $cname`
	220	if [ "$pid" = "-1" ]; then
	221	echo "FAIL: excepted container failed to start without mount restrictions"
	222	exit 1
	223	fi
	224	profile=`cat /proc/$pid/attr/current`
f58236fd	225	if [ "x$profile" != "x${default_profile}" ]; then
7aff4f43 SH	226	echo "FAIL: confined container was in profile $profile"
	227	exit 1
	228	fi
09ef0838	229	run_cmd lxc-stop -n $cname -k
7aff4f43 SH	230
7aff4f43 SH	231	DONE=1