3 * Copyright © 2014 Serge Hallyn <serge.hallyn@ubuntu.com>.
4 * Copyright © 2014 Canonical Ltd.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2, as
8 * published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 /* Test apparmor rules */
21 #include <lxc/lxccontainer.h>
22 #include "lxc/utils.h"
28 #define MYNAME "test-aa"
/*
 * Presumably (from the name) a best-effort removal of a leftover MYNAME
 * container from an earlier run. Only the handle lookup survives in this
 * excerpt; the rest of the body (original lines 34-40) is not shown, so
 * what is done with `c` afterwards cannot be confirmed here.
 */
30 static void try_to_remove(void)
32 struct lxc_container
*c
;
/* Look up the container by name; NULL selects the default config path. */
33 c
= lxc_container_new(MYNAME
, NULL
);
/*
 * Attach callback: runs inside the container when do_test_file_open() calls
 * c->attach() with it, and `payload` is the file name (fnam) passed to that
 * call. Its body (original lines 42-58) is not present in this excerpt.
 * NOTE(review): judging by the reader side in do_test_file_open(), it is
 * expected to write its verdict on stdout (which attach redirects into a
 * pipe), with a reply starting "no" when the open was refused -- confirm
 * against the full source.
 */
41 static int test_attach_write_file(void* payload
)
/*
 * Open `fnam` from inside container `c` through an attach callback and
 * report whether the container's (AppArmor-confined) process was allowed
 * to do so. Original lines 58, 61 and 62 of this comment are not shown.
59 * try opening a file attached to a container. Return 0 on open fail. Return
60 * 1 if the file open succeeded. Return -1 if attach itself failed - perhaps an
 * (continuation of this comment not present in the excerpt)
 */
63 static int do_test_file_open(struct lxc_container
*c
, char *fnam
)
/*
 * Start from the library defaults. The declarations of ret, pid, pipefd and
 * result (original lines 64-69) are not shown; their use below implies them.
 */
70 lxc_attach_options_t attach_options
= LXC_ATTACH_OPTIONS_DEFAULT
;
/* Error path of the pipe creation (the call and its check, lines 71-73, not shown). */
74 fprintf(stderr
, "pipe failed %d\n", ret
);
/* Route the callback's stdout into the pipe's write end so we can read its verdict. */
77 attach_options
.stdout_fd
= pipefd
[1];
/*
 * Drop the exec-time LSM transition and the capability-dropping default:
 * the callback is a plain function pointer, nothing is exec'd ...
 */
78 attach_options
.attach_flags
&= ~(LXC_ATTACH_LSM_EXEC
|LXC_ATTACH_DROP_CAPABILITIES
);
/*
 * ... so instead ask for the LSM (AppArmor) profile to be applied to the
 * attached process immediately, which is what makes the open() inside the
 * callback run under the container's policy.
 */
79 attach_options
.attach_flags
|= LXC_ATTACH_LSM_NOW
;
/* Run the callback inside the container; fnam is its payload, pid receives the child. */
80 ret
= c
->attach(c
, test_attach_write_file
, fnam
, &attach_options
, &pid
);
/* Error path of attach (its check, line 81, not shown); the header comment promises -1 here. */
82 fprintf(stderr
, "attach failed\n");
/*
 * Read the callback's reply, leaving one byte for a terminator.
 * NOTE(review): result must be NUL-terminated (result[ret] = '\0') before
 * the strncmp below, the parent's copy of pipefd[1] should be closed first
 * so read() sees EOF, and the attached child (pid) should be reaped (e.g.
 * wait_for_pid() from lxc/utils.h) -- those lines (83-85, 89-92) are not
 * shown in this excerpt, confirm against the full source.
 */
86 ret
= read(pipefd
[0], result
, sizeof(result
)-1);
/* Error path of read() (its check, line 87, not shown). */
88 fprintf(stderr
, "read failed %d\n", ret
);
/* A reply beginning with "no" means the open was refused; branch bodies (lines 94+) not shown. */
93 if (strncmp(result
, "no", 2) == 0)
/*
 * Paths the container's policy is expected to permit opening. The list must
 * end with a NULL sentinel: test_aa_policy() loops until files_to_allow[i]
 * is NULL (the remaining entries and the terminator, original lines 106-107,
 * are not shown here).
 * NOTE(review): these are string literals, so `static const char *const`
 * would document that they are never written through.
 */
104 char *files_to_allow
[] = { "/sys/class/net/lo/ifalias",
105 "/proc/sys/kernel/shmmax",
/*
 * Paths the policy is expected to deny: host-wide kernel interfaces (raw
 * memory, the uevent helper, sysrq, ksm tuning, ...) that a confined
 * container must not be able to reach. Same NULL-terminated convention as
 * files_to_allow (the closing entries, original lines 113-114, not shown).
 */
108 char *files_to_deny
[] = { "/proc/mem", "/proc/kmem",
109 "/sys/kernel/uevent_helper",
110 "/proc/sys/fs/file-nr",
111 "/sys/kernel/mm/ksm/pages_to_scan",
112 "/proc/sys/kernel/sysrq",
/*
 * Exercise the container's AppArmor policy: every path in files_to_deny must
 * fail to open from inside `c`, every path in files_to_allow must succeed.
 * Presumably returns false on the first policy violation; the return
 * statements, the declarations of i and ret, and the if-conditions around
 * each fprintf below all fall on lines not present in this excerpt.
 * A do_test_file_open() result of -1 (attach failure) is reported and, going
 * by the message, the file is skipped rather than counted as a failure.
 */
115 static bool test_aa_policy(struct lxc_container
*c
)
/* Denied paths: the loop stops at the NULL sentinel ending files_to_deny. */
119 for (i
= 0; files_to_deny
[i
]; i
++) {
120 ret
= do_test_file_open(c
, files_to_deny
[i
]);
/* ret < 0 is expected here (attach failed); condition on line 121 not shown. */
122 fprintf(stderr
, "attach failed; skipping test\n");
/* Open succeeded where policy should deny it -- a confinement failure. */
126 fprintf(stderr
, "failed - opened %s\n",
130 fprintf(stderr
, "passed with %s\n", files_to_deny
[i
]);
/* Allowed paths: same structure, inverted expectation. */
133 for (i
= 0; files_to_allow
[i
]; i
++) {
134 ret
= do_test_file_open(c
, files_to_allow
[i
]);
/* Attach failure again skips the file (condition on line 135 not shown). */
136 fprintf(stderr
, "attach failed; skipping test\n");
/* Open refused where policy should allow it -- a policy that is too strict. */
140 fprintf(stderr
, "failed - could not open %s\n",
144 fprintf(stderr
, "passed with %s\n", files_to_allow
[i
]);
150 int main(int argc
, char *argv
[])
152 struct lxc_container
*c
;
154 c
= lxc_container_new(MYNAME
, NULL
);
156 fprintf(stderr
, "%s: %d: failed to load first container\n", __FILE__
, __LINE__
);
160 if (c
->is_defined(c
)) {
161 fprintf(stderr
, "%d: %s thought it was defined\n", __LINE__
, MYNAME
);
164 if (!c
->set_config_item(c
, "lxc.network.type", "empty")) {
165 fprintf(stderr
, "%s: %d: failed to set network type\n", __FILE__
, __LINE__
);
168 c
->save_config(c
, NULL
);
169 if (!c
->createl(c
, "busybox", NULL
, NULL
, 0, NULL
)) {
170 fprintf(stderr
, "%s: %d: failed to create container\n", __FILE__
, __LINE__
);
174 c
->clear_config_item(c
, "lxc.mount.auto");
175 c
->set_config_item(c
, "lxc.mount.entry", "proc proc proc");
176 c
->set_config_item(c
, "lxc.mount.entry", "sysfs sys sysfs");
177 c
->save_config(c
, NULL
);
179 c
->want_daemonize(c
, true);
180 if (!c
->startl(c
, 0, NULL
)) {
181 fprintf(stderr
, "Error starting container\n");
185 if (!test_aa_policy(c
)) {