From 0905a4c21743e0483095029d4012f08e7117e7dc Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@collabora.co.uk>
Date: Wed, 20 Jul 2016 20:47:41 +0100
Subject: [PATCH] session-lockdown-no-deny: don't assert that all processes are running

The Tracker services are started on-demand, while Xorg might not be installed. Also continue testing if one of these assertions fails: just log it as "not OK".

Reviewed-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D3771
---
 apparmor/session-lockdown/no-deny | 68 +++++++++++++++++++++++++------
 1 file changed, 56 insertions(+), 12 deletions(-)

diff --git a/apparmor/session-lockdown/no-deny b/apparmor/session-lockdown/no-deny
index 3eb4bd1..70b4332 100755
--- a/apparmor/session-lockdown/no-deny
+++ b/apparmor/session-lockdown/no-deny
@@ -31,6 +31,11 @@ def ok(details):
     test_number += 1
     print('ok {} - {}'.format(test_number, details))
 
+def skip(details):
+    global test_number
+    test_number += 1
+    print('ok {} # SKIP - {}'.format(test_number, details))
+
 def not_ok(details):
     global test_number
     global failures
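Review bot: `skip` is added without a docstring, and nothing in the hunk states that a skipped test is counted in `test_number` (so the TAP numbering stays contiguous) but, unlike `not_ok`, does not touch `failures`; a one-line docstring such as `"""Count the test and report it as a TAP 'ok' line carrying a SKIP directive."""` would make that contract explicit for readers of the TAP output. The sibling `not_ok` that follows continues past the end of the hunk.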
@@ -213,18 +218,57 @@ def after_reboot():
     complain_processes = filter_processes(processes, 'complain')
     complain_process_profiles = [x[1] for x in complain_processes]
 
-    # These processes should (currently) be in complain mode
-    assert '/usr/sbin/connmand' in complain_process_profiles
-
-    # We might not have Xorg if we are on a Wayland image
-    if os.path.exists('/usr/bin/Xorg'):
-        assert '/usr/bin/Xorg' in complain_process_profiles
-
-    # These processes should (currently) be in enforce mode
-    assert '/usr/bin/pulseaudio' in enforce_process_profiles
-    assert '/usr/lib/tracker/tracker-miner-fs' in enforce_process_profiles
-    assert '/usr/lib/tracker/tracker-store' in enforce_process_profiles
-    assert '/usr/sbin/ofonod' in enforce_process_profiles
+    # The set of profiles represented by at least one process.
+    profiles_running = set()
+    for pid, data in processes.items():
+        profiles_running.add(data['profile'])
+
+    # Processes that are currently meant to be in complain mode, and
+    # if they aren't running it's a problem (either because we started
+    # them explicitly or they are meant to run on boot)
+    for profile in (
+            '/usr/sbin/connmand',
+            ):
+        if profile in complain_process_profiles:
+            ok('{} in complain mode'.format(profile))
+        else:
+            not_ok('{} should be in complain mode'.format(profile))
+
+    # Processes that are currently meant to be in complain mode, and
+    # might not be running at all
+    for profile in (
+            '/usr/bin/Xorg',
+            ):
+        if profile not in profiles_running:
+            skip('{} not running'.format(profile))
+        elif profile in complain_process_profiles:
+            ok('{} in complain mode'.format(profile))
+        else:
+            not_ok('{} should be in complain mode'.format(profile))
+
+    # Processes that are currently meant to be in complain mode, and
+    # if they aren't running it's a problem
+    for profile in (
+            '/usr/bin/pulseaudio',
+            '/usr/sbin/ofonod',
+            ):
+        if profile in enforce_process_profiles:
+            ok('{} in enforce mode'.format(profile))
+        else:
+            not_ok('{} should be in enforce mode'.format(profile))
+
+    # Processes that are currently meant to be in enforce mode, and
+    # might not be running at all
+    for profile in (
+            '/usr/lib/tracker/tracker-miner-fs',
+            '/usr/lib/tracker/tracker-store',
+            ):
+        if profile not in profiles_running:
+            skip('{} not running'.format(profile))
+        elif profile in enforce_process_profiles:
+            ok('{} in enforce mode'.format(profile))
+        else:
+            not_ok('{} should be in enforce mode'.format(profile))
 
     saw_denial = False
-- GitLab
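Review bot: The header comment above the pulseaudio/ofonod loop is a copy-paste error: it says these processes `are currently meant to be in complain mode`, while the loop tests `enforce_process_profiles` and reports `enforce mode`; change it to `# Processes that are currently meant to be in enforce mode, and` so the comment matches the check it describes. Separately, the removed code distinguished an absent Xorg with `os.path.exists('/usr/bin/Xorg')`, whereas the new "might not be running at all" loops emit SKIP for any profile with no live process, so an installed Xorg or Tracker service that failed to start is now reported as a skip rather than a failure; keeping an existence check on the binary before falling through to `skip` would preserve that distinction without reintroducing the hard assert. `pid` is unused in the `profiles_running` loop, so a set comprehension reads more directly: `profiles_running = {data['profile'] for data in processes.values()}` (this presumes each value is a dict with a `'profile'` key, which the hunk's own loop already relies on). `after_reboot` starts before this hunk and continues after it.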