#!/bin/sh

# apparmor_mount: test proper handling of apparmor in kernels
# without mount features

# These require the ubuntu lxc package to be installed.

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This test assumes an Ubuntu host

# Abort on the first failing command.  The EXIT trap armed further down
# still runs, so an aborted run ends with the "FAIL" summary from cleanup().
set -e

# Profile lxc is expected to apply by default.  The "-cgns" variant is used
# when the kernel exposes cgroup namespaces (/proc/self/ns/cgroup exists).
default_profile="lxc-container-default (enforce)"
if [ -f /proc/self/ns/cgroup ]; then
    default_profile="lxc-container-default-cgns (enforce)"
fi

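#######################################
# Report a failure on stderr and abort the script.
# (Appears unused in this file; kept for callers that may rely on it.)
# Arguments: the failure message, joined by spaces
# Outputs:   "Failed <message>" on stderr
# Returns:   never; exits 1
#######################################
FAIL() {
    # printf instead of 'echo -n': the -n flag is not portable under /bin/sh
    # and echo may interpret backslashes in the message.
    printf 'Failed %s\n' "$*" >&2
    exit 1
}
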
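#######################################
# Run a command as the unprivileged test user in a login shell, passing the
# caller's proxy settings through and pointing XDG_RUNTIME_DIR at the
# per-user runtime directory created below.
# Globals:   TUSER (read), http_proxy / https_proxy (read, may be unset)
# Arguments: the command and its arguments
# Returns:   the exit status of the command
#######################################
run_cmd() {
    # "$@" hands every argument over as one word; the unquoted $* it
    # replaces re-split arguments that contained whitespace.
    sudo -i -u "$TUSER" \
        env http_proxy="${http_proxy:-}" https_proxy="${https_proxy:-}" \
        XDG_RUNTIME_DIR="/run/user/$(id -u "$TUSER")" "$@"
}
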
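# Set to 1 only when every check has passed; cleanup() reports on it.
DONE=0
KNOWN_RELEASES="precise trusty xenial yakkety zesty"
# securityfs directory advertising AppArmor mount mediation; it is
# bind-mounted over later to emulate a kernel without that feature.
MOUNTSR=/sys/kernel/security/apparmor/features/mount
# Empty scratch directory used as the mask; its basename doubles as the
# container name.  $(...) and parameter expansion replace backticks and an
# external basename call.
dnam=$(mktemp -d)
cname=${dnam##*/}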
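#######################################
# EXIT trap: tear down the test container, the securityfs mask and the
# throw-away user, then print the PASS/FAIL summary.
# Globals:   TUSER, HDIR, cname, dnam, MOUNTSR, DONE (all read)
# Outputs:   "PASS" or "FAIL" on stdout
# Returns:   exits 1 when DONE is still 0
#######################################
cleanup() {
    # TUSER and HDIR are assigned only after the trap is armed.  On an early
    # exit (lxcbr0 or root check) they are empty, and "$(id -u "")" would
    # resolve to the *caller's* uid -- the pkill/rm below must never run
    # against that account.  Every user-bound step is therefore guarded.
    if [ -n "${TUSER:-}" ]; then
        run_cmd lxc-destroy -f -n "$cname" || true
    fi
    umount -l "$MOUNTSR" || true
    rmdir "$dnam" || true
    if [ -n "${TUSER:-}" ]; then
        pkill -u "$(id -u "$TUSER")" -9 || true
    fi
    # NOTE(review): under set -e a missing /run/lxc/nics makes sed fail and
    # skips the rest of this trap, including the summary line -- confirm
    # whether that is intended.
    sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
    sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
    if [ -n "${TUSER:-}" ] && [ -n "${HDIR:-}" ]; then
        rm -Rf "$HDIR" "/run/user/$(id -u "$TUSER")"
        deluser "$TUSER"
    fi
    if [ "$DONE" -eq 0 ]; then
        echo "FAIL"
        exit 1
    fi
    echo "PASS"
}
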
# Arm teardown before any check can exit, so every exit path cleans up and
# prints the PASS/FAIL summary.
trap cleanup exit

# Only run on a normally configured ubuntu lxc system
[ -d /sys/class/net/lxcbr0 ] || { echo "lxcbr0 is not configured."; exit 1; }
# Users, cgroups and securityfs are manipulated below: root is required.
[ "$(id -u)" = "0" ] || { echo "ERROR: Must run as root."; exit 1; }

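# This would be much simpler if we could run it as
# root. However, in order to not have the bind mount
# of an empty directory over the securityfs 'mount' directory
# be removed, we need to do this as non-root.

# 'command -v' is the POSIX way to probe for a tool; 'which' is an external
# program that is not guaranteed to be installed.
command -v newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }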
# create a test user
TUSER=lxcunpriv
HDIR="/home/${TUSER}"

# Image architecture: the host's dpkg architecture when dpkg is available,
# i386 otherwise.
if type dpkg >/dev/null 2>&1; then
    ARCH=$(dpkg --print-architecture)
else
    ARCH=i386
fi

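# Start from a clean slate: drop a leftover test user (and its home) from a
# previous, aborted run before creating it again.  The if-form replaces
# 'a && b || true', which also swallowed a failing rm; ${HDIR:?} refuses to
# run rm -Rf with an empty path.
if deluser "$TUSER"; then
    rm -Rf "${HDIR:?}"
fi
useradd "$TUSER"
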
mkdir -p "$HDIR"
# Allow the test user to create veth devices on lxcbr0 (cleanup() removes
# this entry again).
printf '%s\n' "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
# Reset any stale sub-id allocation before granting the 910000 range.
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
usermod -v 910000-919999 -w 910000-919999 "$TUSER"

mkdir -p "$HDIR/.config/lxc/"
# Unprivileged container defaults: one veth on lxcbr0 and an id map that
# stays inside the 910000-919999 sub-id range granted above.  The delimiter
# is quoted because the file content contains no expansions.
cat > "$HDIR/.config/lxc/default.conf" << 'EOF'
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.id_map = u 0 910000 9999
lxc.id_map = g 0 910000 9999
EOF
chown -R "$TUSER": "$HDIR"

# Per-user runtime directory, matching the XDG_RUNTIME_DIR run_cmd() sets.
mkdir -p "/run/user/$(id -u "$TUSER")"
chown -R "$TUSER": "/run/user/$(id -u "$TUSER")"

cd "$HDIR"

# Give the test user a cgroup of its own and move this shell ($$) into it.
# Three backends are handled, in order of preference: the cgm client,
# cgmanager's D-Bus socket, and plain cgroupfs.
if which cgm >/dev/null 2>&1; then
    cgm create all $TUSER
    cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
    cgm movepid all $TUSER $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
    # No client binary: call cgmanager over D-Bus directly, once per
    # controller named in field 2 of /proc/self/cgroup.
    for d in $(cut -d : -f 2 /proc/self/cgroup); do
        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
            string:$d string:$TUSER >/dev/null

        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
            string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null

        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
            string:$d string:$TUSER int32:$$ >/dev/null
    done
else
    # Plain cgroupfs: create an 'lxctest' group under every mounted
    # controller, hand it to the test user and move this shell into it.
    for d in /sys/fs/cgroup/*; do
        # Enable clone_children where the controller offers it, so child
        # groups inherit the parent's settings.
        [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
        [ ! -d $d/lxctest ] && mkdir $d/lxctest
        chown -R $TUSER: $d/lxctest
        echo $$ > $d/lxctest/tasks
    done
fi

run_cmd mkdir -p "$HDIR/.cache/lxc"
# Seed the user's cache from the host cache when one exists, so the download
# template used by lxc-create below can reuse already-fetched images.
# cp and chown stay in one && list so that a failing copy is skipped over
# exactly as before.
if [ -d /var/cache/lxc/download ]; then
    cp -R /var/cache/lxc/download "$HDIR/.cache/lxc" && chown -R "$TUSER": "$HDIR/.cache/lxc"
fi

# default release is trusty, or the systems release if recognized
release=trusty
if [ -f /etc/lsb-release ]; then
    . /etc/lsb-release
    # Prefer the live list of supported releases; fall back to the
    # hard-coded KNOWN_RELEASES when ubuntu-distro-info is unavailable.
    if ! rels=$(ubuntu-distro-info --supported 2>/dev/null); then
        rels=$KNOWN_RELEASES
    fi
    # Word-splitting of $rels is intended: one release name per word.
    for r in $rels; do
        if [ "$r" = "$DISTRIB_CODENAME" ]; then
            release=$r
        fi
    done
fi

run_cmd lxc-create -t download -n "$cname" -- -d ubuntu -r "$release" -a "$ARCH"
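echo "test default confined container"
run_cmd lxc-start -n "$cname" -d
run_cmd lxc-wait -n "$cname" -s RUNNING
# $(...) replaces backticks; all expansions are quoted.
pid=$(run_cmd lxc-info -p -H -n "$cname")
# The AppArmor label of the pid lxc-info reports is exposed under /proc;
# with mount mediation available the default profile must be enforced.
profile=$(cat "/proc/$pid/attr/current")
if [ "x$profile" != "x${default_profile}" ]; then
    echo "FAIL: confined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n "$cname" -k
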
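echo "test regular unconfined container"
# Opt the container out of AppArmor confinement entirely.
echo "lxc.aa_profile = unconfined" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d
run_cmd lxc-wait -n "$cname" -s RUNNING
# $(...) replaces backticks; all expansions are quoted.
pid=$(run_cmd lxc-info -p -H -n "$cname")
profile=$(cat "/proc/$pid/attr/current")
if [ "x$profile" != "xunconfined" ]; then
    echo "FAIL: unconfined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n "$cname" -k
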
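# Emulate a kernel without AppArmor mount mediation by hiding the securityfs
# 'mount' feature directory behind an empty directory.  cleanup() undoes
# this with umount -l.
echo "masking $MOUNTSR"
mount --bind "$dnam" "$MOUNTSR"

echo "test default confined container"
# Back on the default profile, the test expects lxc to refuse to start the
# container now that its mount rules cannot be enforced.
sed -i '/aa_profile/d' "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d || true
sleep 3
pid=$(run_cmd lxc-info -p -H -n "$cname") || true
# Empty or -1 means "not running".  Two [ ] tests joined by && replace the
# deprecated, ambiguous -a operator.
if [ -n "$pid" ] && [ "$pid" != "-1" ]; then
    echo "FAIL: confined container started without mount restrictions"
    echo "pid was $pid"
    exit 1
fi
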
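echo "test regular unconfined container"
# An unconfined container does not depend on mount mediation and is expected
# to start normally under the mask.
echo "lxc.aa_profile = unconfined" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d
run_cmd lxc-wait -n "$cname" -s RUNNING
# $(...) replaces backticks; all expansions are quoted.
pid=$(run_cmd lxc-info -p -H -n "$cname")
if [ "$pid" = "-1" ]; then
    echo "FAIL: unconfined container failed to start without mount restrictions"
    exit 1
fi
profile=$(cat "/proc/$pid/attr/current")
if [ "x$profile" != "xunconfined" ]; then
    echo "FAIL: confined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n "$cname" -k
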
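echo "testing override"
# With lxc.aa_allow_incomplete = 1 the test expects the container to start
# despite the unenforceable mount rules *and* still run under the default
# profile.
sed -i '/aa_profile/d' "$HDIR/.local/share/lxc/$cname/config"
echo "lxc.aa_allow_incomplete = 1" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d
run_cmd lxc-wait -n "$cname" -s RUNNING
# $(...) replaces backticks; all expansions are quoted.
pid=$(run_cmd lxc-info -p -H -n "$cname")
if [ "$pid" = "-1" ]; then
    echo "FAIL: excepted container failed to start without mount restrictions"
    exit 1
fi
profile=$(cat "/proc/$pid/attr/current")
if [ "x$profile" != "x${default_profile}" ]; then
    echo "FAIL: confined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n "$cname" -k
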
# Reaching this point means every check passed; the EXIT trap reports PASS.
DONE=1