From: Wolfgang Bumiller Date: Tue, 24 Jul 2018 11:59:04 +0000 (+0200) Subject: tests: add test for generated apparmor profiles X-Git-Tag: lxc-3.1.0~192^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7311a84e5bd0758931033b1a0ce649baa720a58;p=thirdparty%2Flxc.git tests: add test for generated apparmor profiles Signed-off-by: Wolfgang Bumiller
---
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 00d4c0b7a..e1532a102 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -81,6 +81,7 @@ if DISTRO_UBUNTU
 bin_SCRIPTS += \
 lxc-test-lxc-attach \
 lxc-test-apparmor-mount \
+ lxc-test-apparmor-generated \
 lxc-test-checkpoint-restore \
 lxc-test-snapdeps \
 lxc-test-symlink \
@@ -114,6 +115,7 @@ EXTRA_DIST = \
 lxc-test-rootfs \
 lxc-test-autostart \
 lxc-test-apparmor-mount \
+ lxc-test-apparmor-generated \
 lxc-test-checkpoint-restore \
 lxc-test-cloneconfig \
 lxc-test-createconfig \
diff --git a/src/tests/lxc-test-apparmor-generated b/src/tests/lxc-test-apparmor-generated
new file mode 100755
index 000000000..be2e32619
--- /dev/null
+++ b/src/tests/lxc-test-apparmor-generated
@@ -0,0 +1,84 @@
+#!/bin/sh
+
+# lxc: linux Container library
+
+# This is a test script for generated apparmor profiles
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+if ! which apparmor_parser >/dev/null 2>&1; then
+ echo 'SKIP: test for generated apparmor profiles: apparmor_parser missing'
+fi
+exit 0
+
+DONE=0
+KNOWN_RELEASES="precise trusty xenial yakkety zesty"
+LOGFILE="/tmp/lxc-test-$$.log"
+cleanup() {
+ lxc-destroy -n $CONTAINER_NAME >/dev/null 2>&1 || true
+
+ if [ $DONE -eq 0 ]; then
+ [ -f "$LOGFILE" ] && cat "$LOGFILE" >&2
+ rm -f "$LOGFILE"
+ echo "FAIL"
+ exit 1
+ fi
+ rm -f "$LOGFILE"
+ echo "PASS"
+}
+
+ARCH=i386
+if type dpkg >/dev/null 2>&1; then
+ ARCH=$(dpkg --print-architecture)
+fi
+
+trap cleanup EXIT HUP INT TERM
+set -eu
+
+# Create a container
+CONTAINER_NAME=lxc-test-apparmor-generated
+
+# default release is trusty, or the systems release if recognized
+release=trusty
+if [ -f /etc/lsb-release ]; then
+ . /etc/lsb-release
+ rels=$(ubuntu-distro-info --supported 2>/dev/null) ||
+ rels="$KNOWN_RELEASES"
+ for r in $rels; do
+ [ "$DISTRIB_CODENAME" = "$r" ] && release="$r"
+ done
+fi
+
+lxc-create -t download -n $CONTAINER_NAME -B dir -- -d ubuntu -r $release -a $ARCH
+CONTAINER_PATH=$(dirname $(lxc-info -n $CONTAINER_NAME -c lxc.rootfs.path -H) | sed -e 's/dir://')
+cp $CONTAINER_PATH/config $CONTAINER_PATH/config.bak
+
+# Set the profile to be auto-generated
+echo "lxc.apparmor.profile = generated" >> $CONTAINER_PATH/config
+
+# Start it
+lxc-start -n $CONTAINER_NAME -lDEBUG -o "$LOGFILE"
+lxc-wait -n $CONTAINER_NAME -t 5 -s RUNNING || (echo "Container didn't start" && exit 1)
+pid=`lxc-info -p -H -n $CONTAINER_NAME`
+profile=`cat /proc/$pid/attr/current`
+expected_profile="lxc-${CONTAINER_NAME}_//&:lxc-${CONTAINER_NAME}_<-var-lib-lxc>:unconfined (enforce)"
+lxc-stop -n $CONTAINER_NAME -k
+if [ "x$profile" != "x$expected_profile" ]; then
+ echo "FAIL: container was in profile $profile" >&2
+ echo "expected profile: $expected_profile" >&2
+ exit 1
+fi
+
+DONE=1
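Review bot: The `exit 0` that follows the `fi` of the apparmor_parser check runs unconditionally, so the script returns success before the `trap` is installed or any container is created, and the comparison of `/proc/$pid/attr/current` against `expected_profile` is never reached. If the intent is to skip only when the parser is missing, `exit 0` belongs inside the `if` body, directly after the `echo 'SKIP: …'` line; as written, a regression in profile generation would still show up as a passing test. Once the body does run, `LOGFILE="/tmp/lxc-test-$$.log"` is a predictable name in a world-writable directory that `lxc-start -o` then writes to (presumably as root), so `LOGFILE=$(mktemp)` would be the safer form. The unquoted `$CONTAINER_PATH` and backtick substitutions are harmless with the fixed container name, but `"$CONTAINER_PATH/config"` and `$(…)` would be more robust.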