projects / lxc.git / blame
| Commit | Line | Data |
|---|---|---|
| 2d8021b3 WB |
1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| 2 | From: Wolfgang Bumiller <w.bumiller@proxmox.com> | |
| 3 | Date: Tue, 24 Jul 2018 13:59:04 +0200 | |
| 4 | Subject: [PATCH] tests: add test for generated apparmor profiles | |
| 5 | ||
| 6 | Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> | |
| 7 | (cherry picked from commit e7311a84e5bd0758931033b1a0ce649baa720a58) | |
| 8 | --- | |
| 9 | src/tests/Makefile.am | 2 + | |
| 10 | src/tests/lxc-test-apparmor-generated | 84 +++++++++++++++++++++++++++++++++++ | |
| 11 | 2 files changed, 86 insertions(+) | |
| 12 | create mode 100755 src/tests/lxc-test-apparmor-generated | |
| 13 | ||
| 14 | diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am | |
| 15 | index a2179c3c..df5d35df 100644 | |
| 16 | --- a/src/tests/Makefile.am | |
| 17 | +++ b/src/tests/Makefile.am | |
| 18 | @@ -79,6 +79,7 @@ if DISTRO_UBUNTU | |
| 19 | bin_SCRIPTS += \ | |
| 20 | lxc-test-lxc-attach \ | |
| 21 | lxc-test-apparmor-mount \ | |
| 22 | + lxc-test-apparmor-generated \ | |
| 23 | lxc-test-checkpoint-restore \ | |
| 24 | lxc-test-snapdeps \ | |
| 25 | lxc-test-symlink \ | |
| 26 | @@ -112,6 +113,7 @@ EXTRA_DIST = \ | |
| 27 | lxc-test-rootfs \ | |
| 28 | lxc-test-autostart \ | |
| 29 | lxc-test-apparmor-mount \ | |
| 30 | + lxc-test-apparmor-generated \ | |
| 31 | lxc-test-checkpoint-restore \ | |
| 32 | lxc-test-cloneconfig \ | |
| 33 | lxc-test-createconfig \ | |
| 34 | diff --git a/src/tests/lxc-test-apparmor-generated b/src/tests/lxc-test-apparmor-generated | |
| 35 | new file mode 100755 | |
| 36 | index 00000000..be2e3261 | |
| 37 | --- /dev/null | |
| 38 | +++ b/src/tests/lxc-test-apparmor-generated | |
| 39 | @@ -0,0 +1,84 @@ | |
| 40 | +#!/bin/sh | |
| 41 | + | |
| 42 | +# lxc: linux Container library | |
| 43 | + | |
| 44 | +# This is a test script for generated apparmor profiles | |
| 45 | + | |
| 46 | +# This library is free software; you can redistribute it and/or | |
| 47 | +# modify it under the terms of the GNU Lesser General Public | |
| 48 | +# License as published by the Free Software Foundation; either | |
| 49 | +# version 2.1 of the License, or (at your option) any later version. | |
| 50 | + | |
| 51 | +# This library is distributed in the hope that it will be useful, | |
| 52 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 53 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| 54 | +# Lesser General Public License for more details. | |
| 55 | + | |
| 56 | +# You should have received a copy of the GNU Lesser General Public | |
| 57 | +# License along with this library; if not, write to the Free Software | |
| 58 | +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
| 59 | + | |
| 60 | +if ! which apparmor_parser >/dev/null 2>&1; then | |
| 61 | + echo 'SKIP: test for generated apparmor profiles: apparmor_parser missing' | |
| 62 | +fi | |
| 63 | +exit 0 | |
| 64 | + | |
| 65 | +DONE=0 | |
| 66 | +KNOWN_RELEASES="precise trusty xenial yakkety zesty" | |
| 67 | +LOGFILE="/tmp/lxc-test-$$.log" | |
| 68 | +cleanup() { | |
| 69 | + lxc-destroy -n $CONTAINER_NAME >/dev/null 2>&1 || true | |
| 70 | + | |
| 71 | + if [ $DONE -eq 0 ]; then | |
| 72 | + [ -f "$LOGFILE" ] && cat "$LOGFILE" >&2 | |
| 73 | + rm -f "$LOGFILE" | |
| 74 | + echo "FAIL" | |
| 75 | + exit 1 | |
| 76 | + fi | |
| 77 | + rm -f "$LOGFILE" | |
| 78 | + echo "PASS" | |
| 79 | +} | |
| 80 | + | |
| 81 | +ARCH=i386 | |
| 82 | +if type dpkg >/dev/null 2>&1; then | |
| 83 | + ARCH=$(dpkg --print-architecture) | |
| 84 | +fi | |
| 85 | + | |
| 86 | +trap cleanup EXIT HUP INT TERM | |
| 87 | +set -eu | |
| 88 | + | |
| 89 | +# Create a container | |
| 90 | +CONTAINER_NAME=lxc-test-apparmor-generated | |
| 91 | + | |
| 92 | +# default release is trusty, or the systems release if recognized | |
| 93 | +release=trusty | |
| 94 | +if [ -f /etc/lsb-release ]; then | |
| 95 | + . /etc/lsb-release | |
| 96 | + rels=$(ubuntu-distro-info --supported 2>/dev/null) || | |
| 97 | + rels="$KNOWN_RELEASES" | |
| 98 | + for r in $rels; do | |
| 99 | + [ "$DISTRIB_CODENAME" = "$r" ] && release="$r" | |
| 100 | + done | |
| 101 | +fi | |
| 102 | + | |
| 103 | +lxc-create -t download -n $CONTAINER_NAME -B dir -- -d ubuntu -r $release -a $ARCH | |
| 104 | +CONTAINER_PATH=$(dirname $(lxc-info -n $CONTAINER_NAME -c lxc.rootfs.path -H) | sed -e 's/dir://') | |
| 105 | +cp $CONTAINER_PATH/config $CONTAINER_PATH/config.bak | |
| 106 | + | |
| 107 | +# Set the profile to be auto-generated | |
| 108 | +echo "lxc.apparmor.profile = generated" >> $CONTAINER_PATH/config | |
| 109 | + | |
| 110 | +# Start it | |
| 111 | +lxc-start -n $CONTAINER_NAME -lDEBUG -o "$LOGFILE" | |
| 112 | +lxc-wait -n $CONTAINER_NAME -t 5 -s RUNNING || (echo "Container didn't start" && exit 1) | |
| 113 | +pid=`lxc-info -p -H -n $CONTAINER_NAME` | |
| 114 | +profile=`cat /proc/$pid/attr/current` | |
| 115 | +expected_profile="lxc-${CONTAINER_NAME}_</var/lib/lxc>//&:lxc-${CONTAINER_NAME}_<-var-lib-lxc>:unconfined (enforce)" | |
| 116 | +lxc-stop -n $CONTAINER_NAME -k | |
| 117 | +if [ "x$profile" != "x$expected_profile" ]; then | |
| 118 | + echo "FAIL: container was in profile $profile" >&2 | |
| 119 | + echo "expected profile: $expected_profile" >&2 | |
| 120 | + exit 1 | |
| 121 | +fi | |
| 122 | + | |
| 123 | +DONE=1 | |
| 124 | -- | |
| 125 | 2.11.0 | |
| 126 |