3 * Copyright © 2014 Serge Hallyn <serge.hallyn@ubuntu.com>.
4 * Copyright © 2014 Canonical Ltd.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2, as
8 * published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 /* Test apparmor rules */
23 #include <lxc/lxccontainer.h>
24 #include "lxc/utils.h"
30 #define MYNAME "test-aa"
/*
 * Presumably disposes of a stale MYNAME container left behind by an earlier
 * run so the test starts from a clean state. Only the handle creation is in
 * this excerpt; the NULL check and the actual destroy call are not visible.
 */
32 static void try_to_remove(void)
34 struct lxc_container
*c
;
35 c
= lxc_container_new(MYNAME
, NULL
);
/*
 * Attach payload executed inside the container by do_test_file_open.
 * `payload` is the file name (fnam) forwarded through c->attach, and the
 * payload's stdout is the pipe set up by the caller. The body is not part of
 * this excerpt.
 */
43 static int test_attach_write_file(void* payload
)
61 * try opening a file from a process attached to the container. Return 0 on open fail. Return
62 * 1 if the file open succeeded. Return -1 if attach itself failed - perhaps an
/*
 * Probe one path from inside the container: attach, run
 * test_attach_write_file(fnam) with its stdout redirected into a pipe, and
 * turn the text it prints into the 0 / 1 / -1 result described above.
 * The declarations of pipefd, pid, ret and result, the pipe() call and the
 * error/cleanup paths are not part of this excerpt.
 */
65 static int do_test_file_open(struct lxc_container
*c
, char *fnam
)
/* Start from the library defaults; only the LSM/capability flags are adjusted below. */
72 lxc_attach_options_t attach_options
= LXC_ATTACH_OPTIONS_DEFAULT
;
76 fprintf(stderr
, "pipe failed %d\n", ret
);
/* The payload's stdout is the pipe's write end; the verdict is read back from pipefd[0] below. */
79 attach_options
.stdout_fd
= pipefd
[1];
/*
 * NOTE(review): LSM_EXEC is cleared and LSM_NOW set, presumably because the
 * payload is an in-process function rather than an exec'd binary, so the
 * container's AppArmor profile has to be applied before the payload runs for
 * its open() to be confined at all. DROP_CAPABILITIES is cleared, presumably
 * so that a denial can only be attributed to the policy under test rather
 * than to missing capabilities. Confirm both against the lxc attach API.
 */
80 attach_options
.attach_flags
&= ~(LXC_ATTACH_LSM_EXEC
|LXC_ATTACH_DROP_CAPABILITIES
);
81 attach_options
.attach_flags
|= LXC_ATTACH_LSM_NOW
;
82 ret
= c
->attach(c
, test_attach_write_file
, fnam
, &attach_options
, &pid
);
84 fprintf(stderr
, "attach failed\n");
/*
 * sizeof(result)-1 leaves room for a terminator, but neither result's
 * declaration nor a NUL-termination / short-read check is visible here.
 * NOTE(review): strncmp below always compares 2 bytes; confirm that a read
 * returning 0 or 1 bytes cannot reach it with stale buffer contents.
 */
88 ret
= read(pipefd
[0], result
, sizeof(result
)-1);
90 fprintf(stderr
, "read failed %d\n", ret
);
/*
 * The payload prints "no" when the open was refused (presumably mapped to
 * the 0 result); presumably any other output is treated as a successful open.
 */
95 if (strncmp(result
, "no", 2) == 0)
/* Reap the attached child; its exit status is deliberately ignored. */
99 (void)wait_for_pid(pid
);
/*
 * Paths an attached process must be able to open under the container's
 * AppArmor profile. test_aa_policy's loop stops at the first NULL entry, so
 * the list must stay NULL-terminated (the terminator is outside this excerpt).
 */
106 char *files_to_allow
[] = { "/sys/class/net/lo/ifalias",
107 "/proc/sys/kernel/shmmax",
/*
 * Paths the profile is expected to block for an attached process; same
 * NULL-termination requirement as files_to_allow.
 */
110 char *files_to_deny
[] = {
111 "/sys/kernel/uevent_helper",
112 "/proc/sys/fs/file-nr",
113 "/sys/kernel/mm/ksm/pages_to_scan",
114 "/proc/sys/kernel/sysrq",
/*
 * Exercise the container's AppArmor profile from an attached process: every
 * path in files_to_deny must fail to open and every path in files_to_allow
 * must succeed. Both loops stop at the first NULL entry, so the arrays must
 * stay NULL-terminated. The declarations of i and ret, the comparisons on
 * ret and the return statements are not part of this excerpt.
 */
117 static bool test_aa_policy(struct lxc_container
*c
)
/* Deny list: an open that succeeds here is a policy failure. */
121 for (i
= 0; files_to_deny
[i
]; i
++) {
122 ret
= do_test_file_open(c
, files_to_deny
[i
]);
/*
 * NOTE(review): an attach failure (-1 from do_test_file_open) appears to
 * skip the path with a message rather than fail the test, so a broken attach
 * setup would leave the deny checks unexercised; confirm that is intended.
 */
124 fprintf(stderr
, "attach failed; skipping test\n");
128 fprintf(stderr
, "failed - opened %s\n",
132 fprintf(stderr
, "passed with %s\n", files_to_deny
[i
]);
/* Allow list: a path that cannot be opened is a policy failure. */
135 for (i
= 0; files_to_allow
[i
]; i
++) {
136 ret
= do_test_file_open(c
, files_to_allow
[i
]);
138 fprintf(stderr
, "attach failed; skipping test\n");
142 fprintf(stderr
, "failed - could not open %s\n",
146 fprintf(stderr
, "passed with %s\n", files_to_allow
[i
]);
152 int main(int argc
, char *argv
[])
154 struct lxc_container
*c
;
156 c
= lxc_container_new(MYNAME
, NULL
);
158 fprintf(stderr
, "%s: %d: failed to load first container\n", __FILE__
, __LINE__
);
162 if (c
->is_defined(c
)) {
163 fprintf(stderr
, "%d: %s thought it was defined\n", __LINE__
, MYNAME
);
166 if (!c
->set_config_item(c
, "lxc.net.0.type", "empty")) {
167 fprintf(stderr
, "%s: %d: failed to set network type\n", __FILE__
, __LINE__
);
170 c
->save_config(c
, NULL
);
171 if (!c
->createl(c
, "busybox", NULL
, NULL
, 0, NULL
)) {
172 fprintf(stderr
, "%s: %d: failed to create container\n", __FILE__
, __LINE__
);
176 c
->clear_config_item(c
, "lxc.mount.auto");
177 c
->set_config_item(c
, "lxc.mount.entry", "proc proc proc");
178 c
->set_config_item(c
, "lxc.mount.entry", "sysfs sys sysfs");
179 c
->save_config(c
, NULL
);
181 c
->want_daemonize(c
, true);
182 if (!c
->startl(c
, 0, NULL
)) {
183 fprintf(stderr
, "Error starting container\n");
187 if (!test_aa_policy(c
)) {