bump version to 3.0.1+pve1-1
1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Wolfgang Bumiller <w.bumiller@proxmox.com>
3 Date: Tue, 24 Jul 2018 13:59:04 +0200
4 Subject: [PATCH] tests: add test for generated apparmor profiles
5
6 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
7 (cherry picked from commit e7311a84e5bd0758931033b1a0ce649baa720a58)
8 ---
9 src/tests/Makefile.am | 2 +
10 src/tests/lxc-test-apparmor-generated | 84 +++++++++++++++++++++++++++++++++++
11 2 files changed, 86 insertions(+)
12 create mode 100755 src/tests/lxc-test-apparmor-generated
13
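diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index a2179c3c..df5d35df 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -79,6 +79,7 @@ if DISTRO_UBUNTU
 bin_SCRIPTS += \
 lxc-test-lxc-attach \
 lxc-test-apparmor-mount \
+ lxc-test-apparmor-generated \
 lxc-test-checkpoint-restore \
 lxc-test-snapdeps \
 lxc-test-symlink \
@@ -112,6 +113,7 @@ EXTRA_DIST = \
 lxc-test-rootfs \
 lxc-test-autostart \
 lxc-test-apparmor-mount \
+ lxc-test-apparmor-generated \
 lxc-test-checkpoint-restore \
 lxc-test-cloneconfig \
 lxc-test-createconfig \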
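diff --git a/src/tests/lxc-test-apparmor-generated b/src/tests/lxc-test-apparmor-generated
new file mode 100755
index 00000000..be2e3261
--- /dev/null
+++ b/src/tests/lxc-test-apparmor-generated
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# lxc: linux Container library
+
+# This is a test script for generated apparmor profiles
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+if ! which apparmor_parser >/dev/null 2>&1; then
+ echo 'SKIP: test for generated apparmor profiles: apparmor_parser missing'
+fi
+exit 0
+
+DONE=0
+KNOWN_RELEASES="precise trusty xenial yakkety zesty"
+LOGFILE="/tmp/lxc-test-$$.log"
+cleanup() {
+ lxc-destroy -n $CONTAINER_NAME >/dev/null 2>&1 || true
+
+ if [ $DONE -eq 0 ]; then
+ [ -f "$LOGFILE" ] && cat "$LOGFILE" >&2
+ rm -f "$LOGFILE"
+ echo "FAIL"
+ exit 1
+ fi
+ rm -f "$LOGFILE"
+ echo "PASS"
+}
+
+ARCH=i386
+if type dpkg >/dev/null 2>&1; then
+ ARCH=$(dpkg --print-architecture)
+fi
+
+trap cleanup EXIT HUP INT TERM
+set -eu
+
+# Create a container
+CONTAINER_NAME=lxc-test-apparmor-generated
+
+# default release is trusty, or the systems release if recognized
+release=trusty
+if [ -f /etc/lsb-release ]; then
+ . /etc/lsb-release
+ rels=$(ubuntu-distro-info --supported 2>/dev/null) ||
+ rels="$KNOWN_RELEASES"
+ for r in $rels; do
+ [ "$DISTRIB_CODENAME" = "$r" ] && release="$r"
+ done
+fi
+
+lxc-create -t download -n $CONTAINER_NAME -B dir -- -d ubuntu -r $release -a $ARCH
+CONTAINER_PATH=$(dirname $(lxc-info -n $CONTAINER_NAME -c lxc.rootfs.path -H) | sed -e 's/dir://')
+cp $CONTAINER_PATH/config $CONTAINER_PATH/config.bak
+
+# Set the profile to be auto-generated
+echo "lxc.apparmor.profile = generated" >> $CONTAINER_PATH/config
+
+# Start it
+lxc-start -n $CONTAINER_NAME -lDEBUG -o "$LOGFILE"
+lxc-wait -n $CONTAINER_NAME -t 5 -s RUNNING || (echo "Container didn't start" && exit 1)
+pid=`lxc-info -p -H -n $CONTAINER_NAME`
+profile=`cat /proc/$pid/attr/current`
+expected_profile="lxc-${CONTAINER_NAME}_</var/lib/lxc>//&:lxc-${CONTAINER_NAME}_<-var-lib-lxc>:unconfined (enforce)"
+lxc-stop -n $CONTAINER_NAME -k
+if [ "x$profile" != "x$expected_profile" ]; then
+ echo "FAIL: container was in profile $profile" >&2
+ echo "expected profile: $expected_profile" >&2
+ exit 1
+fi
+
+DONE=1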
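Review bot: The `exit 0` after the `apparmor_parser` check sits after `fi` rather than inside the `if`, so the script exits successfully before it creates a container or compares `/proc/$pid/attr/current` with `expected_profile`; the test reports success without ever verifying that the generated profile is enforced. Move it into the skip branch, so that the `echo 'SKIP: ...'` line is followed by `exit 0` and only then `fi`. Separately, `LOGFILE="/tmp/lxc-test-$$.log"` is a predictable path that `lxc-start -o` writes to, and these tests presumably run as root; `LOGFILE=$(mktemp)` avoids writing through a pre-planted file or symlink. Once the body actually runs under `set -eu`, `[ "$DISTRIB_CODENAME" = "$r" ]` aborts the script if `/etc/lsb-release` does not define that variable, so `${DISTRIB_CODENAME:-}` is safer there.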
124 --
125 2.11.0
126