apparmor test: add an overlay container start

make sure that when we start an overlay container, the
init pid is aa-confined.

Signed-off-by: Serge Hallyn <serge@hallyn.com>

diff --git a/src/tests/aa.c b/src/tests/aa.c
index 5002beeafe6442f81dc05aa83b6b66f417a1279d..68d532b4f8fefbaad977322c4f3ac1c30306c73c 100644 (file)
--- a/src/tests/aa.c
+++ b/src/tests/aa.c
@@ -15,16 +15,46 @@
 #include <string.h>
 
 #define MYNAME "test-aa"
+#define MYNAME2 "test-aa-o1"
+
+static char *read_file(char *fname) {
+       FILE *f = fopen(fname, "r");
+       ssize_t ret;
+       size_t len = 0;
+       char *v = NULL;
+
+       if (!f) {
+               fprintf(stderr, "Failed to open %s: %m\n", fname);
+               return NULL;
+       }
+       ret = getline(&v, &len, f);
+       if (ret == -1) {
+               fprintf(stderr, "Failed reading a line from %s: %m\n", fname);
+               free(v);
+               if (f)
+                       fclose(f);
+               return NULL;
+       }
+       if (f)
+               fclose(f);
+       return v;
+}
 
 static void try_to_remove(void)
 {
-       struct lxc_container *c;
+       struct lxc_container *c, *c2;
        c = lxc_container_new(MYNAME, NULL);
        if (c) {
                if (c->is_defined(c))
                        c->destroy(c);
                lxc_container_put(c);
        }
+       c2 = lxc_container_new(MYNAME2, NULL);
+       if (c2) {
+               if (c2->is_defined(c2))
+                       c2->destroy(c2);
+               lxc_container_put(c2);
+       }
 }
 
 static int test_attach_write_file(void* payload)
@@ -138,7 +168,9 @@ static bool test_aa_policy(struct lxc_container *c)
 
 int main(int argc, char *argv[])
 {
-       struct lxc_container *c;
+       struct lxc_container *c, *c2= NULL;
+       char *v = NULL;
+
        try_to_remove();
        c = lxc_container_new(MYNAME, NULL);
        if (!c) {
@@ -178,10 +210,45 @@ int main(int argc, char *argv[])
 
        c->stop(c);
 
+       c2 = c->clone(c, MYNAME2, NULL, LXC_CLONE_SNAPSHOT, "overlayfs", NULL, 0, NULL);
+       if (!c2) {
+               fprintf(stderr, "Error cloning " MYNAME " to " MYNAME2 "\n");
+               goto err;
+       }
+
+       c2->want_daemonize(c2, true);
+       if (!c2->startl(c2, 0, NULL)) {
+               fprintf(stderr, "Error starting container\n");
+               goto err;
+       }
+
+       char pidstr[50];
+       snprintf(pidstr, 50, "/proc/%d/attr/current", c2->init_pid(c2));
+       v = read_file(pidstr);
+       if (!v) {
+               fprintf(stderr, "Failed to read the apparmor profile name from '%s'\n", pidstr);
+               goto err;
+       }
+
+       fprintf(stderr, "apparmor policy of clone: %s\n", v);
+       char *exp1 = "lxc-";
+       if (strncmp(v, exp1, strlen(exp1)) != 0) {
+               fprintf(stderr, "Wrong profile: %s", v);
+               goto err;
+       }
+       if (strstr(v, "(enforce)") == NULL) {
+               fprintf(stderr, "Wrong profile: %s", v);
+               goto err;
+       }
+
+       c2->stop(c2);
+
+       free(v);
        try_to_remove();
        exit(EXIT_SUCCESS);
 
 err:
+       free(v);
        try_to_remove();
        exit(EXIT_FAILURE);
 }