Commit 3ce02853 authored by Luis Araujo's avatar Luis Araujo

Remove the apparmor-folks tests

Folks test cases are not so relevant anymore.

The apparmor-folks test case has not been executed for several releases
already (it was not executed for 18.12, and for 18.09 it was executed on
only half of the platforms, with some failures).

This commit removes the apparmor-folks tests.
Signed-off-by: Luis Araujo's avatarLuis Araujo <luis.araujo@collabora.co.uk>
parent c4634da4
......@@ -4,7 +4,6 @@ pkglibdir = /usr/lib/apertis-tests
SUBDIRS = \
apparmor/goals \
apparmor/folks \
apparmor/geoclue \
apparmor/tracker \
apparmor/ofono \
......@@ -33,7 +32,6 @@ COPY = \
$(wildcard apparmor/*.yaml) \
apertis_tests_lib \
apparmor/automated \
apparmor/folks \
apparmor/run-aa-test \
common \
dbus \
......
all:
:
clean:
:
install:
:
check:
test $$(id -u) = 0
for p in $(wildcard usr.*); do apparmor_parser -r $$p || exit $$?; done
${CURDIR}/test-folks
#!/bin/sh
# vim: set sts=4 sw=4 et tw=0 :
set -e
TEST_DIR="$(cd "$(dirname "$0")" && pwd)"
if [ $# -ne 0 ]; then
echo "Usage: $0"
exit 1
fi
${TEST_DIR}/../../folks/folks-alias-persistence.sh
#!/bin/sh
# vim: set sts=4 sw=4 et tw=0 :
set -e
TEST_DIR="$(cd "$(dirname "$0")" && pwd)"
if [ $# -ne 0 ]; then
echo "Usage: $0"
exit 1
fi
${TEST_DIR}/../../folks/folks-eds-compatibility.sh
#!/bin/sh
# vim: set sts=4 sw=4 et tw=0 :
set -e
TEST_DIR="$(cd "$(dirname "$0")" && pwd)"
if [ $# -ne 0 ]; then
echo "Usage: $0"
exit 1
fi
${TEST_DIR}/../../folks/folks-metacontacts-linking.sh
#!/bin/sh
# vim: set sts=4 sw=4 et tw=0 :
set -e
TEST_DIR="$(cd "$(dirname "$0")" && pwd)"
if [ $# -ne 0 ]; then
echo "Usage: $0"
exit 1
fi
${TEST_DIR}/../../folks/folks-metacontacts-unlinking.sh
#!/bin/sh
# vim: set sts=4 sw=4 et tw=0 :
set -e
TEST_DIR="$(cd "$(dirname "$0")" && pwd)"
if [ $# -ne 0 ]; then
echo "Usage: $0"
exit 1
fi
${TEST_DIR}/../../folks/folks-metacontacts-antilinking.sh
#!/bin/sh
# vim: tw=0
set -e
TEST_DIR="$(cd "$(dirname "$0")" && pwd)"
RUN_AA_TEST="${RUN_AA_TEST:-${TEST_DIR}/../run-aa-test}"
TESTS="R1.13b_folks-alias-persistence.sh
R1.13b_folks-eds-compatibility.sh
R1.13b_folks-metacontacts-linking.sh
R1.13b_folks-metacontacts-unlinking.sh
R6.4.2_folks-metacontacts-antilinking.sh
test-malicious.sh"
for IN in ${TEST_DIR}/*.in; do
OUT="${IN%.in}"
sed -e "s!@CURDIR@!${TEST_DIR}!g" \
< "$IN" > "$OUT"
done
apparmor_parser -r ${TEST_DIR}/*.profile
# If a previous test has (wrongly) created this file, it's going to
# be a problem for us.
rm -f /home/user/_file_which_do_not_exist_
e=0
for TEST in $TESTS; do
EXPECTED_RULE="`basename $TEST .sh`.expected"
"${RUN_AA_TEST}" "${TEST_DIR}"/${EXPECTED_RULE} "${TEST_DIR}"/${TEST} || e=1
done
exit $e
====
profile:/usr/lib/chaiwala-apparmor-folks-tests/test-malicious.sh
sdmode:REJECTING
denied_mask:w
operation:open
name:/home/user/_file_which_do_not_exist_
request_mask:w
====
profile:/usr/lib/chaiwala-apparmor-folks-tests/test-malicious.sh
sdmode:REJECTING
denied_mask:r
operation:open
name:/home/user/.bash_history
request_mask:r
====
profile:/usr/lib/chaiwala-apparmor-folks-tests/test-malicious.sh
sdmode:REJECTING
denied_mask:d
operation:unlink
name:/home/user/.bash_history
request_mask:d
## alternative ##
====
profile:/usr/lib/chaiwala-apparmor-folks-tests/test-malicious.sh
sdmode:REJECTING
denied_mask:c
operation:mknod
name:/home/user/_file_which_do_not_exist_
request_mask:c
====
profile:/usr/lib/chaiwala-apparmor-folks-tests/test-malicious.sh
sdmode:REJECTING
denied_mask:r
operation:open
name:/home/user/.bash_history
request_mask:r
====
profile:/usr/lib/chaiwala-apparmor-folks-tests/test-malicious.sh
sdmode:REJECTING
denied_mask:d
operation:unlink
name:/home/user/.bash_history
request_mask:d
====
profile:@CURDIR@/test-malicious.sh
sdmode:REJECTING
denied_mask:w
operation:open
name:/home/user/_file_which_do_not_exist_
request_mask:w
====
profile:@CURDIR@/test-malicious.sh
sdmode:REJECTING
denied_mask:r
operation:open
name:/home/user/.bash_history
request_mask:r
====
profile:@CURDIR@/test-malicious.sh
sdmode:REJECTING
denied_mask:d
operation:unlink
name:/home/user/.bash_history
request_mask:d
## alternative ##
====
profile:@CURDIR@/test-malicious.sh
sdmode:REJECTING
denied_mask:c
operation:mknod
name:/home/user/_file_which_do_not_exist_
request_mask:c
====
profile:@CURDIR@/test-malicious.sh
sdmode:REJECTING
denied_mask:r
operation:open
name:/home/user/.bash_history
request_mask:r
====
profile:@CURDIR@/test-malicious.sh
sdmode:REJECTING
denied_mask:d
operation:unlink
name:/home/user/.bash_history
request_mask:d
# Author: Cosimo Alfarano <cosimo.alfarano@collabora.co.uk>
# Profile in Folks' AppArmor test suite, to check for malicous access
#include <tunables/global>
@CURDIR@/test-malicious.sh {
#include <abstractions/chaiwala-base>
#include <abstractions/folks>
# let us read our own /proc for debugging
owner @{PROC}/@{pid}/attr/current r,
ptrace (read) peer=@{profile_name},
# being a bash script we need to allow some more stuff in order to test
# what we need to test: file permission in $HOME
/dev/tty rw,
/bin/touch ixrm,
/bin/cat ixrm,
/bin/rm ixrm,
@CURDIR@/test-malicious.sh rm,
}
#!/bin/sh
set -e
set -x
e=0
cat /proc/$$/attr/current
# Test <abstractions/folks> in malicious ways
# Here we test that an attacker cannot access files we mean not to be accessible
#NOTE: the profile for this script will allow /bin/touch and the other binaries
# as well as the abstractions/consoles
# This should not be accessible and auditd should complain
if touch $HOME/_file_which_do_not_exist_; then
echo "that should not have worked"
e=1
fi
# This should not be accessible and auditd should complain
if cat $HOME/.bash_history; then
echo "that should not have worked"
e=1
fi
# This should not be accessible and auditd should complain
if rm -f $HOME/.bash_history; then
echo "that should not have worked"
e=1
fi
exit $e
# Author: Cosimo Alfarano <cosimo.alfarano@collabora.co.uk>
# Profile in Folks' AppArmor test suite, to check for malicous access
#include <tunables/global>
/usr/lib/chaiwala-apparmor-folks-tests/test-malicious.sh {
#include <abstractions/chaiwala-base>
#include <abstractions/folks>
# let us read our own /proc for debugging
owner @{PROC}/@{pid}/attr/current r,
ptrace (read) peer=@{profile_name},
# being a shell script we need to allow some more stuff in order to test
# what we need to test: file permission in $HOME
/dev/tty rw,
/bin/touch ixrm,
/bin/cat ixrm,
/bin/rm ixrm,
/usr/lib/chaiwala-apparmor-folks-tests/test-malicious.sh rm,
}
......@@ -2,7 +2,6 @@ usr/lib/apertis-tests/apertis_tests_lib
usr/lib/apertis-tests/apparmor/*.sh
usr/lib/apertis-tests/apparmor/*.yaml
usr/lib/apertis-tests/apparmor/automated
usr/lib/apertis-tests/apparmor/folks
usr/lib/apertis-tests/apparmor/run-aa-test
usr/lib/apertis-tests/common
usr/lib/apertis-tests/dbus
......