Commit bbf36571 authored by Emanuele Aina's avatar Emanuele Aina Committed by Frédéric Dalleau

apparmor: Drop automated/, now shipped by tests/apparmor-basic-profiles

The tests/apparmor-basic-profiles repository now ships the contents of the
`automated/` folder, drop the obsolete duplicate.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
parent 2fd0ef5d
#!/bin/sh
# vim: set sts=4 sw=4 et tw=0 :
#
set -e
while [ "$#" -gt 0 ]; do
case "$1" in
(--debug)
DEBUG=2
set -x
shift
;;
(*)
echo "unknown argument '$1'" >&2
exit 2
;;
esac
done
TESTDIR=$(cd $(dirname $0); pwd; cd - >/dev/null 2>&1)
. "${TESTDIR}/../../common/common.sh"
APPARMOR_PROFILES_DIRS="/etc/apparmor.d /etc/apparmor.d/local /etc/apparmor.d/tunables"
AUDIT_LOG="/var/log/audit/audit.log"
#########
# Setup #
#########
trap "setup_failure" EXIT
# For example, test_profiles_are_applied() has problems if you run it as
# root because programs behave differently if you run them as root instead
# of a normal user.
check_not_root
setup_success
###########
# Execute #
###########
_watch_audit_logs() {
sudo tail -n 0 -f "${AUDIT_LOG}" > "$1"
}
# Check whether apparmor is enabled
test_apparmor_enabled() {
if ! [ -d /etc/apparmor.d ]; then
whine "AppArmor profile directory not found"
return 1
fi
if ! [ -e /sys/module/apparmor ]; then
whine "AppArmor module not loaded"
return 1
fi
if ! [ -e /sys/kernel/security/apparmor/profiles ]; then
whine "AppArmor profiles list not available"
return 1
fi
if ! sudo grep . /sys/kernel/security/apparmor/profiles > /dev/null; then
whine "Did not find anything in the AppArmor profile set"
return 1
fi
if [ "$DEBUG" != 0 ]; then
echo "# AppArmor profiles loaded:"
sudo env LC_ALL=C sort /sys/kernel/security/apparmor/profiles | \
sed -e 's/^/# /'
fi
}
# Check if profiles are being parsed correctly
test_profile_parsing() {
local ret=0
if ! /sbin/apparmor_parser -Q "${TESTDIR}/test-profiles/usr.lib.valid-profile"; then
whine "Failed to parse a valid profile!"
ret=1
fi
if /sbin/apparmor_parser -Q "${TESTDIR}/test-profiles/usr.lib.invalid-profile"; then
whine "Successfully parsed an invalid profile!"
ret=1
fi
return $ret
}
# Check if profiles have any syntax errors
test_profile_syntax() {
local i
local ret=0
for i in ${APPARMOR_PROFILES_DIRS}; do
if ! [ -d "$i" ]; then
whine "Invalid apparmor profile directory: $i"
fi
done
for i in $(find ${APPARMOR_PROFILES_DIRS} -maxdepth 1 -type f); do
if [ -e "$i" ] && sudo apparmor_parser -Q "$i"; then
:
else
whine "Failed to parse $i"
ret=1
fi
done
return $ret
}
# Check whether all the profiles are in complain mode
test_profiles_complain_mode() {
PROFILED="$(sudo aa-status --profiled)"
COMPLAINING="$(sudo aa-status --complaining)"
if [ "${PROFILED}" != "${COMPLAINING}" ]; then
whine "Not all profiles are in complain mode (${COMPLAINING}/${PROFILED})"
return 1
fi
return 0
}
# Check whether profiles are being applied properly by comparing the audit
# accesses against a "good" audit log for the same run
test_profiles_are_applied() {
local each workdir
workdir="$(create_temp_workdir)"
for each in "${workdir}/profile-auditing"/*; do
## Run, and store the logs
_watch_audit_logs "$each/audit.log" &
$(cat $each/run)
_sleep 3 && kill %1 && sync
## Extract logs
# This hacky way of passing information via environment variables is a
# temporary measure till we add option parsing to aa_log_extract_tokens.pl
AA_PROFILE_WANTED=$(cat $each/aa-profile-wanted) aa_log_extract_tokens.pl AUDITING > "$each/filtered-audit.log" < "$each/audit.log"
sync && _sleep 1
## Compare logs
# For now, we do a straight compare, completely ignoring the
# possibility of out-of-order resource access. Later, we should write
# a small function to do a set-compare to ensure that the same resources
# are accessed each time, but ignoring the order.
diff -u "$each/log" "$each/filtered-audit.log"
done
}
trap "test_failure" EXIT
src_test_pass <<-EOF
test_apparmor_enabled
test_profile_parsing
test_profile_syntax
#test_profiles_complain_mode
#test_profiles_are_applied
EOF
test_success
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>
/usr/lib/apertis-tests/apparmor/automated/telepathy/mission-control-5 {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/xdg-desktop>
# ERROR HERE: missing comma
/usr/share/glib-*/schemas/ r
/usr/share/glib-*/schemas/** r,
/usr/share/telepathy/ r,
/usr/share/telepathy/** r,
/usr/lib/mission-control-plugins.*/ r,
/usr/lib/mission-control-plugins.*/*.so mr,
# ERROR HERE: invalid permission symbol 'Z'
owner @{HOME}/.mission-control/ rwZ,
owner @{HOME}/.mission-control/** rw,
owner @{HOME}/.cache/.mc_connections rw,
owner @{HOME}/.{cache,config}/dconf/user rw,
owner @{HOME}/.local/share/telepathy/ rw,
owner @{HOME}/.local/share/telepathy/mission-control/ rw,
owner @{HOME}/.local/share/telepathy/mission-control/* rwk,
# Site-specific additions and overrides. See local/README for details.
# Please note that accesses in local/usr.lib.telepathy are also applied to
# /usr/lib/telepathy/telepathy-*.
#include <local/usr.lib.telepathy>
# ERROR HERE: unknown file included
#include <local/unknown.file>
}
# This could be broken out into the various binaries, but for now, ok
/usr/lib/apertis-tests/apparmor/automated/telepathy/telepathy-* {
#include <abstractions/base>
#include <abstractions/dbus-session>
#include <abstractions/p11-kit>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/user-tmp>
#include <abstractions/xdg-desktop>
/{usr/,}bin/dash ix,
/usr/bin/gconftool-2 ix,
# Maybe in abstractions?
audit deny owner /** m,
/var/lib/opencryptoki/modules/ r,
/var/lib/opencryptoki/modules/* r,
owner @{HOME}/.{cache,config}/dconf/user rw,
# from gnome abstraction
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
owner /{,var/}run/gdm/*/database r,
owner /{,var/}run/lightdm/authority/[0-9]* r,
owner @{PROC}/[0-9]*/fd/ r,
/usr/share/glib-*/schemas/ r,
/usr/share/glib-*/schemas/** r,
/etc/purple/prefs.xml r,
/usr/share/purple/ r,
/usr/share/purple/** r,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/lib/purple*/ r,
/usr/lib/purple*/*.so mr,
/usr/lib/telepathy/*/ r,
/usr/lib/telepathy/*/*.so mr,
/usr/lib/libproxy*/*/modules/ r,
/usr/lib/libproxy*/*/modules/*.so mr,
# for telepathy-butterfly (LP: #816429)
#include <abstractions/python>
/usr/include/python{2,3}*/pyconfig.h r,
deny @{PROC}/[0-9]*/mounts r,
deny /sbin/ldconfig x,
deny /usr/bin/gcc-[0-9]* x,
/{usr/,}bin/uname ix,
# for telepathy-haze (LP: #867793, LP: #871497, LP: #942973)
owner @{HOME}/.config/indicators/** r,
owner @{HOME}/.config/indicators/**/ w,
owner @{HOME}/.config/indicators/messages/applications-blacklist/pidgin-libnotify* rw,
# telepathy-haze and skype
deny @{PROC}/ r,
/usr/bin/skype PUx,
owner @{HOME}/.cache/telepathy/ rw,
owner @{HOME}/.cache/telepathy/** rwk,
owner @{HOME}/.local/share/telepathy*/ rw,
owner @{HOME}/.local/share/telepathy*/** rwk,
owner @{HOME}/.cache/wocky/ rw,
owner @{HOME}/.cache/wocky/caps/ rw,
owner @{HOME}/.cache/wocky/caps/*.db{,-journal} rwk,
owner @{HOME}/.local/share/TpLogger/ rw,
owner @{HOME}/.local/share/TpLogger/** rwk,
# Site-specific additions and overrides. See local/README for details.
# Please note that accesses in local/usr.lib.telepathy are also applied to
# /usr/lib/telepathy/mission-control-5.
#include <local/usr.lib.telepathy>
}
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
#include <tunables/global>
/usr/lib/apertis-tests/apparmor/automated/telepathy/mission-control-5 {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
#include <abstractions/xdg-desktop>
/usr/share/glib-*/schemas/ r,
/usr/share/glib-*/schemas/** r,
/usr/share/telepathy/ r,
/usr/share/telepathy/** r,
/usr/lib/mission-control-plugins.*/ r,
/usr/lib/mission-control-plugins.*/*.so mr,
owner @{HOME}/.mission-control/ rw,
owner @{HOME}/.mission-control/** rw,
owner @{HOME}/.cache/.mc_connections rw,
owner @{HOME}/.{cache,config}/dconf/user rw,
owner @{HOME}/.local/share/telepathy/ rw,
owner @{HOME}/.local/share/telepathy/mission-control/ rw,
owner @{HOME}/.local/share/telepathy/mission-control/* rwk,
# Site-specific additions and overrides. See local/README for details.
# Please note that accesses in local/usr.lib.telepathy are also applied to
# /usr/lib/telepathy/telepathy-*.
# disabled following line, file not exists anymore
# include <local/usr.lib.telepathy>
}
# This could be broken out into the various binaries, but for now, ok
/usr/lib/apertis-tests/apparmor/automated/telepathy/telepathy-* {
#include <abstractions/base>
#include <abstractions/dbus-session>
#include <abstractions/p11-kit>
#include <abstractions/nameservice>
#include <abstractions/ssl_certs>
#include <abstractions/user-tmp>
#include <abstractions/xdg-desktop>
/{usr/,}bin/dash ix,
/usr/bin/gconftool-2 ix,
# Maybe in abstractions?
audit deny owner /** m,
/var/lib/opencryptoki/modules/ r,
/var/lib/opencryptoki/modules/* r,
owner @{HOME}/.{cache,config}/dconf/user rw,
# from gnome abstraction
/usr/share/gvfs/remote-volume-monitors/ r,
/usr/share/gvfs/remote-volume-monitors/* r,
owner /{,var/}run/gdm/*/database r,
owner /{,var/}run/lightdm/authority/[0-9]* r,
owner @{PROC}/[0-9]*/fd/ r,
/usr/share/glib-*/schemas/ r,
/usr/share/glib-*/schemas/** r,
/etc/purple/prefs.xml r,
/usr/share/purple/ r,
/usr/share/purple/** r,
/usr/share/themes/ r,
/usr/share/themes/** r,
/usr/lib/purple*/ r,
/usr/lib/purple*/*.so mr,
/usr/lib/telepathy/*/ r,
/usr/lib/telepathy/*/*.so mr,
/usr/lib/libproxy*/*/modules/ r,
/usr/lib/libproxy*/*/modules/*.so mr,
# for telepathy-butterfly (LP: #816429)
#include <abstractions/python>
/usr/include/python{2,3}*/pyconfig.h r,
deny @{PROC}/[0-9]*/mounts r,
deny /sbin/ldconfig x,
deny /usr/bin/gcc-[0-9]* x,
/{usr/,}bin/uname ix,
# for telepathy-haze (LP: #867793, LP: #871497, LP: #942973)
owner @{HOME}/.config/indicators/** r,
owner @{HOME}/.config/indicators/**/ w,
owner @{HOME}/.config/indicators/messages/applications-blacklist/pidgin-libnotify* rw,
# telepathy-haze and skype
deny @{PROC}/ r,
/usr/bin/skype PUx,
owner @{HOME}/.cache/telepathy/ rw,
owner @{HOME}/.cache/telepathy/** rwk,
owner @{HOME}/.local/share/telepathy*/ rw,
owner @{HOME}/.local/share/telepathy*/** rwk,
owner @{HOME}/.cache/wocky/ rw,
owner @{HOME}/.cache/wocky/caps/ rw,
owner @{HOME}/.cache/wocky/caps/*.db{,-journal} rwk,
owner @{HOME}/.local/share/TpLogger/ rw,
owner @{HOME}/.local/share/TpLogger/** rwk,
# Site-specific additions and overrides. See local/README for details.
# Please note that accesses in local/usr.lib.telepathy are also applied to
# /usr/lib/telepathy/mission-control-5.
# disabled following line, file not exists anymore
# include <local/usr.lib.telepathy>
}