spelling: userns

[mirror_lxc.git] / src / tests / lxc-test-apparmor-mount

diff --git a/src/tests/lxc-test-apparmor-mount b/src/tests/lxc-test-apparmor-mount
index 6a50f54ef62e33f655254e90471b0a1612f8fad2..d21c948223ff1be240c5297eee469ce30c065611 100755 (executable)
--- a/src/tests/lxc-test-apparmor-mount
+++ b/src/tests/lxc-test-apparmor-mount
@@ -23,6 +23,16 @@
 
 set -e
 
+# Only run on a normally configured ubuntu lxc system
+if [ ! -d /sys/class/net/lxcbr0 ]; then
+       echo "lxcbr0 is not configured."
+       exit 1
+fi
+if [ "$(id -u)" != "0" ]; then
+       echo "ERROR: Must run as root."
+       exit 1
+fi
+
 if [ -f /proc/self/ns/cgroup ]; then
        default_profile="lxc-container-default-cgns (enforce)"
 else
@@ -45,6 +55,7 @@ DONE=0
 KNOWN_RELEASES="precise trusty xenial yakkety zesty"
 MOUNTSR=/sys/kernel/security/apparmor/features/mount
 dnam=`mktemp -d`
+logfile=`mktemp`
 cname=`basename $dnam`
 cleanup() {
        run_cmd lxc-destroy -f -n $cname || true
@@ -56,27 +67,28 @@ cleanup() {
        rm -Rf $HDIR /run/user/$(id -u $TUSER)
        deluser $TUSER
        if [ $DONE -eq 0 ]; then
+               echo 'Failed container log:' >&2
+               cat "$logfile" >&2
+               echo 'End log' >&2
+               rm -f "$logfile"
                echo "FAIL"
                exit 1
        fi
+       rm -f "$logfile"
        echo "PASS"
 }
 
+clear_log() {
+       truncate -s0 "$logfile"
+}
+
 trap cleanup exit
 
-# Only run on a normally configured ubuntu lxc system
-if [ ! -d /sys/class/net/lxcbr0 ]; then
-       echo "lxcbr0 is not configured."
-       exit 1
-fi
-if [ "$(id -u)" != "0" ]; then
-       echo "ERROR: Must run as root."
-       exit 1
-fi
+chmod 0666 "$logfile"
 
 # This would be much simpler if we could run it as
 # root.  However, in order to not have the bind mount
-# of an empty directory over the securitfs 'mount' directory
+# of an empty directory over the securityfs 'mount' directory
 # be removed, we need to do this as non-root.
 
 which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
@@ -100,10 +112,10 @@ usermod -v 910000-919999 -w 910000-919999 $TUSER
 
 mkdir -p $HDIR/.config/lxc/
 cat > $HDIR/.config/lxc/default.conf << EOF
-lxc.network.type = veth
-lxc.network.link = lxcbr0
-lxc.id_map = u 0 910000 9999
-lxc.id_map = g 0 910000 9999
+lxc.net.0.type = veth
+lxc.net.0.link = lxcbr0
+lxc.idmap = u 0 910000 9999
+lxc.idmap = g 0 910000 9999
 EOF
 chown -R $TUSER: $HDIR
 
@@ -132,6 +144,7 @@ elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
        done
 else
        for d in /sys/fs/cgroup/*; do
+               [ "$d" = "/sys/fs/cgroup/unified" ] && continue
                [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
                [ ! -d $d/lxctest ] && mkdir $d/lxctest
                chown -R $TUSER: $d/lxctest
@@ -159,7 +172,7 @@ fi
 run_cmd lxc-create -t download -n $cname -- -d ubuntu -r $release -a $ARCH
 
 echo "test default confined container"
-run_cmd lxc-start -n $cname -d
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
 run_cmd lxc-wait -n $cname -s RUNNING
 pid=`run_cmd lxc-info -p -H -n $cname`
 profile=`cat /proc/$pid/attr/current`
@@ -168,10 +181,11 @@ if [ "x$profile" != "x${default_profile}" ]; then
        exit 1
 fi
 run_cmd lxc-stop -n $cname -k
+clear_log
 
 echo "test regular unconfined container"
-echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
 run_cmd lxc-wait -n $cname -s RUNNING
 pid=`run_cmd lxc-info -p -H -n $cname`
 profile=`cat /proc/$pid/attr/current`
@@ -180,12 +194,13 @@ if [ "x$profile" != "xunconfined" ]; then
        exit 1
 fi
 run_cmd lxc-stop -n $cname -k
+clear_log
 
 echo "masking $MOUNTSR"
 mount --bind $dnam $MOUNTSR
 
 echo "test default confined container"
-sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
+sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
 run_cmd lxc-start -n $cname -d || true
 sleep 3
 pid=`run_cmd lxc-info -p -H -n $cname` || true
@@ -196,8 +211,8 @@ if [ -n "$pid" -a "$pid" != "-1" ]; then
 fi
 
 echo "test regular unconfined container"
-echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
 run_cmd lxc-wait -n $cname -s RUNNING
 pid=`run_cmd lxc-info -p -H -n $cname`
 if [ "$pid" = "-1" ]; then
@@ -210,11 +225,12 @@ if [ "x$profile" != "xunconfined" ]; then
        exit 1
 fi
 run_cmd lxc-stop -n $cname -k
+clear_log
 
 echo "testing override"
-sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
-echo "lxc.aa_allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
+echo "lxc.apparmor.allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
 run_cmd lxc-wait -n $cname -s RUNNING
 pid=`run_cmd lxc-info -p -H -n $cname`
 if [ "$pid" = "-1" ]; then
@@ -227,5 +243,6 @@ if [ "x$profile" != "x${default_profile}" ]; then
        exit 1
 fi
 run_cmd lxc-stop -n $cname -k
+clear_log
 
 DONE=1