Fix apparmor's tests

The tests provided by apparmor-chaiwala-system are curently failing with the following log:

WARNING: tempfile is deprecated; consider using mktemp instead.
Error: exec failed. Test 'EXEC /bin/ls (no profile, but inherit)' was expected to 'pass'. Reason for failure 'FAILED, child did not exit normally'
Files retained in: /tmp/apparmor-chaiwala-system-ScQgRbp1uQ-tQ1bC6
/var/lib/lava-5827464/1/tests/6_apparmor-chaiwala-system/apparmor-chaiwala-system/goals/exec.sh: PASSED - /tmp/apparmor-chaiwala-system-ScQgRbp1uQ-tQ1bC6
mkdir: cannot create directory '/Applications/home/Storage/chaiwala': Permission denied
touch: cannot touch '/Applications/home/Storage/chaiwala/foo': No such file or directory
mkdir: cannot create directory '/Applications/home/Storage': Permission denied
touch: cannot touch '/Applications/home/Storage/foo': No such file or directory
Error: read failed. Test 'try to open /Applications/home/Storage/chaiwala/foo (ok)' was expected to 'pass'. Reason for failure 'FAILED: No such file or directory'

tempfile is deprecated and should be replaced by mktemp

ls is now provided by /usr/bin/coreutils from rust-coreutils. This needs to adapt the generated AppArmor profile to be able to access both ls and coreutils binaries.
Moreover this also requests to add access to files used by coreutils, or other binaries provided by coreutils used during the test, e.g. like rm.

ping is now provided by /usr/bin/busybox. This needs to adapt the generated AppArmor profile to be able to access both ping and busybox binaries.

Since 2021/11/29 the /Applications folder has been removed from the Apertis images, preventing this test to be able to create and access files under this folder on OSTree images.

https://phabricator.apertis.org/T8668

Signed-off-by: Frédéric Danis frederic.danis@collabora.com

goals/exec.sh

@@ -28,8 +28,13 @@ usr_binary_profile_ARGS="-c1 localhost"
 lib_binary_no_profile=/usr/lib/ssl/misc/c_issuer
 lib_binary_profile=/usr/lib/telepathy/telepathy-gabble
 
+# 'ls' is provided by coreutils
+coreutils=`which coreutils`
+# 'ping' is provided by busybox
+busybox=`which busybox`
+
 # Generate a profile including chaiwala-base + permission to exec $usr_binary_no_profile
-genprofile abstraction:chaiwala-base "$usr_binary_no_profile:Pix"
+genprofile abstraction:chaiwala-base "$usr_binary_no_profile:Pix" "$coreutils:Pix"
 # $usr_binary_no_profile passes for the inherit rule (Pix), since it can exec
 # the binary and access ARGS.
 runchecktest "EXEC $usr_binary_no_profile (no profile, but inherit)" pass $usr_binary_no_profile $usr_binary_no_profile_ARGS
@@ -42,10 +47,10 @@ runchecktest "EXEC $usr_binary_no_profile (no profile, no inherit)" fail $usr_bi
 # NOTE: We need to pass -T to disable tunables because tunables are automatically
 # included with abstractions, and that leads to a duplicate include, and an
 # AppArmor parser error.
-genprofile abstraction:chaiwala-base "$usr_binary_profile:Pix" -- image="$usr_binary_profile" abstraction:nameservice network:raw capability:net_raw -T
+genprofile abstraction:chaiwala-base "$usr_binary_profile:Pix" "$busybox:Pix" -- image="$busybox" abstraction:nameservice network:raw capability:net_raw -T
 runchecktest "EXEC $usr_binary_profile (profiled)" pass $usr_binary_profile $usr_binary_profile_ARGS
 runchecktest "EXEC $lib_binary_no_profile (no profile, out of traditional bin paths)" fail $lib_binary_no_profile
 runchecktest "EXEC $lib_binary_profile (profiled, out of traditional bin paths)" fail $lib_binary_profile
 
-genprofile abstraction:chaiwala-base "$usr_binary_no_profile:Pix" -- image=$usr_binary_no_profile /:r /*:r
+genprofile abstraction:chaiwala-base "$usr_binary_no_profile:Pix" "$coreutils:Pix" -- image="$coreutils" /:r /*:r /proc/**/maps:r /tmp/apparmor-chaiwala-system*/*:rw
 runchecktest "EXEC $usr_binary_no_profile with sibling profile (profiled and profiles allows resource)" pass $usr_binary_no_profile /