KNOWN_RELEASES="precise trusty xenial yakkety zesty"
MOUNTSR=/sys/kernel/security/apparmor/features/mount
dnam=`mktemp -d`
+logfile=`mktemp`
cname=`basename $dnam`
cleanup() {
run_cmd lxc-destroy -f -n $cname || true
rm -Rf $HDIR /run/user/$(id -u $TUSER)
deluser $TUSER
if [ $DONE -eq 0 ]; then
+ echo 'Failed container log:' >&2
+ cat "$logfile" >&2
+ echo 'End log' >&2
+ rm -f "$logfile"
echo "FAIL"
exit 1
fi
+ rm -f "$logfile"
echo "PASS"
}
+clear_log() {
+ truncate -s0 "$logfile"
+}
+
trap cleanup exit
# Only run on a normally configured ubuntu lxc system
exit 1
fi
+chmod 0666 "$logfile"
+
# This would be much simpler if we could run it as
# root. However, in order to not have the bind mount
# of an empty directory over the securitfs 'mount' directory
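Review bot: `chmod 0666 "$logfile"` turns the root-owned mktemp file (created 0600) into one that every local user can write, not only the account that runs lxc-start, so any local user could append text that `cleanup` later prints verbatim as the "Failed container log", and the DEBUG-level start log becomes readable by everyone on the host. If run_cmd executes as $TUSER (run_cmd is defined outside this diff, so this is inferred), `chown -- "$TUSER" "$logfile"` followed by `chmod 0600 "$logfile"` gives exactly that user access while root can still `cat`, `truncate` and remove it. The sticky bit on /tmp keeps the file from being replaced, so the exposure is log injection and disclosure rather than a root path race, but the narrower ownership costs nothing.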
run_cmd lxc-create -t download -n $cname -- -d ubuntu -r $release -a $ARCH
echo "test default confined container"
-run_cmd lxc-start -n $cname -d
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
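Review bot: The new start line `run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"` is repeated verbatim here and in the three later lxc-start hunks, so a future change to the log level or log path has to be made four times and can drift between the tests. A one-line helper next to clear_log, e.g. `start_container() { run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"; }`, keeps the logging options in one place; the `lxc-stop -n $cname -k` plus `clear_log` pair that closes each test could be folded into a matching `stop_container` the same way.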
exit 1
fi
run_cmd lxc-stop -n $cname -k
+clear_log
echo "test regular unconfined container"
echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
exit 1
fi
run_cmd lxc-stop -n $cname -k
+clear_log
echo "masking $MOUNTSR"
mount --bind $dnam $MOUNTSR
echo "test regular unconfined container"
echo "lxc.apparmor.profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
if [ "$pid" = "-1" ]; then
exit 1
fi
run_cmd lxc-stop -n $cname -k
+clear_log
echo "testing override"
sed -i '/apparmor.profile/d' $HDIR/.local/share/lxc/$cname/config
echo "lxc.apparmor.allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
-run_cmd lxc-start -n $cname -d
+run_cmd lxc-start -n $cname -d -lDEBUG -o "$logfile"
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
if [ "$pid" = "-1" ]; then
exit 1
fi
run_cmd lxc-stop -n $cname -k
+clear_log
DONE=1