From 7b9ee8967b58c99a4d2545758deaf4cf20a62dc0 Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Fri, 18 Apr 2025 03:51:45 +0000 Subject: [PATCH] apparmor test: add an overlay container start make sure that when we start an overlay container, the init pid is aa-confined. Signed-off-by: Serge Hallyn --- src/tests/aa.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 69 insertions(+), 2 deletions(-) diff --git a/src/tests/aa.c b/src/tests/aa.c index 5002beeaf..68d532b4f 100644 --- a/src/tests/aa.c +++ b/src/tests/aa.c @@ -15,16 +15,46 @@ #include #define MYNAME "test-aa" +#define MYNAME2 "test-aa-o1" + +static char *read_file(char *fname) { + FILE *f = fopen(fname, "r"); + ssize_t ret; + size_t len = 0; + char *v = NULL; + + if (!f) { + fprintf(stderr, "Failed to open %s: %m\n", fname); + return NULL; + } + ret = getline(&v, &len, f); + if (ret == -1) { + fprintf(stderr, "Failed reading a line from %s: %m\n", fname); + free(v); + if (f) + fclose(f); + return NULL; + } + if (f) + fclose(f); + return v; +} static void try_to_remove(void) { - struct lxc_container *c; + struct lxc_container *c, *c2; c = lxc_container_new(MYNAME, NULL); if (c) { if (c->is_defined(c)) c->destroy(c); lxc_container_put(c); } + c2 = lxc_container_new(MYNAME2, NULL); + if (c2) { + if (c2->is_defined(c2)) + c2->destroy(c2); + lxc_container_put(c2); + } } static int test_attach_write_file(void* payload) @@ -138,7 +168,9 @@ static bool test_aa_policy(struct lxc_container *c) int main(int argc, char *argv[]) { - struct lxc_container *c; + struct lxc_container *c, *c2= NULL; + char *v = NULL; + try_to_remove(); c = lxc_container_new(MYNAME, NULL); if (!c) { @@ -178,10 +210,45 @@ int main(int argc, char *argv[]) c->stop(c); + c2 = c->clone(c, MYNAME2, NULL, LXC_CLONE_SNAPSHOT, "overlayfs", NULL, 0, NULL); + if (!c2) { + fprintf(stderr, "Error cloning " MYNAME " to " MYNAME2 "\n"); + goto err; + } + + c2->want_daemonize(c2, true); + if (!c2->startl(c2, 0, NULL)) { + fprintf(stderr, "Error starting container\n"); + goto err; + } + + char pidstr[50]; + snprintf(pidstr, 50, "/proc/%d/attr/current", c2->init_pid(c2)); + v = read_file(pidstr); + if (!v) { + fprintf(stderr, "Failed to read the apparmor profile name from '%s'\n", pidstr); + goto err; + } + + fprintf(stderr, "apparmor policy of clone: %s\n", v); + char *exp1 = "lxc-"; + if (strncmp(v, exp1, strlen(exp1)) != 0) { + fprintf(stderr, "Wrong profile: %s", v); + goto err; + } + if (strstr(v, "(enforce)") == NULL) { + fprintf(stderr, "Wrong profile: %s", v); + goto err; + } + + c2->stop(c2); + + free(v); try_to_remove(); exit(EXIT_SUCCESS); err: + free(v); try_to_remove(); exit(EXIT_FAILURE); } -- 2.47.2