Add updated scripts from old test

Signed-off-by: Martyn Welch <martyn@welchs.me.uk>

Add updated scripts from old test
Signed-off-by: Martyn Welch <martyn@welchs.me.uk>
3c9cdf37 · Martyn Welch · ad308289 · 3c9cdf37 · 3c9cdf37 · 3c9cdf37
Commit 3c9cdf37 authored 6 years ago by Martyn Welch
--- a/dbus
+++ b/dbus
+#!/bin/sh
+# vim: set sts=4 sw=4 et tw=0 :
+
+echo "$0: setup"
+. common/common.sh
+ensure_dbus_session
+
+echo "$0: running dbus-monitor"
+dbus-monitor &
+MONITOR_PID=$!
+
+echo "$0: running server"
+./dbus-server &
+SERVER_PID=$!
+
+echo "$0: waiting a second"
+sleep 1
+
+echo "$0: running test client"
+./dbus-client
+RET=$?
+echo "$0: running test client finished: $RET"
+
+echo "$0: killing server $SERVER_PID"
+kill $SERVER_PID
+
+echo "$0: killing dbus-monitor $MONITOR_PID"
+kill $MONITOR_PID
+
+exit $RET
+
--- a/dbus-client
+++ b/dbus-client
+#!/bin/sh
+
+call_dbus () {
+	OUTPUT=$( busctl --user call org.Test /org/Test org.Test $1 s $1 2>&1 )
+	RET=$?
+
+	if [ "$2" = "Succeed" ]; then
+		if [ "${RET}" != "0" ]; then
+			echo "busctl call should have succeded for \"$1\""
+			exit 1
+		fi
+
+		RETVAL="s \"$1 called.\""
+	else
+		if [ "${RET}" = "0" ]; then
+			echo "busctl call should have failed for \"$1\""
+			exit 1
+		fi
+
+		RETVAL="Access denied"
+	fi
+
+	echo ${OUTPUT} | grep "${RETVAL}"
+	RET=$?
+	if [ "${RET}" != "0" ]; then
+		echo "Didn't find expected return value"
+		exit 1
+	fi
+}
+
+echo -n "$0: AppArmor context: "
+cat /proc/self/attr/current
+
+# Tweak apparmor profile for current directory and install
+CWD=$( pwd )
+
+FILENAME_PATH=$( echo $CWD | tr [/] [.] | sed 's/^.//' )
+FILENAME="${FILENAME_PATH}.dbus-server"
+sed "s|##LOCATION##|${CWD}|" dbus-server.apparmor > ${FILENAME}
+
+for RULE in ${FILENAME} usr.bin.busctl; do
+	sudo apparmor_parser -r ${RULE}
+	RET=$?
+	if [ "$?" != "0" ]; then
+		echo "Unable to apply apparmor rule: $RULE"
+		exit 1
+	fi
+done
+
+call_dbus "Accept" "Succeed"
+
+call_dbus "AuditAndAccept" "Succeed"
+
+call_dbus "Deny" "Fail"
+
+call_dbus "AuditAndDeny" "Fail"
--- a/dbus-server.apparmor
+++ b/dbus-server.apparmor
+#include <tunables/global>
+
+##LOCATION##/dbus-server {
+  #include <abstractions/base>
+  #include <abstractions/dbus-strict>
+  #include <abstractions/dbus-session-strict>
+
+  ##LOCATION##/dbus-server rmPx,
+
+  # let us read our own /proc for debugging
+  owner @{PROC}/@{pid}/attr/current r,
+  ptrace (read) peer=@{profile_name},
+
+  dbus send
+       bus=session
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName
+       peer=(name=org.freedesktop.DBus),
+
+  dbus bind
+       bus=session
+       name=org.Test,
+
+  dbus receive
+       bus=session,
+}
+
--- a/dbus.expected
+++ b/dbus.expected
--- a/run-aa-test
+++ b/run-aa-test
+#!/bin/sh
+#
+# Copyright © 2018 Collabora Ltd.
+#
+# Based on python version of run-aa-test
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+ALTERNATIVE_SEPARATOR="## alternative ##"
+END=2
+
+case $(echo ${LAUNCH_DBUS} | tr [A-Z] [a-z]) in
+0)
+no)
+false)
+	LAUNCH_DBUS="False"
+	;;
+*)
+	LAUNCH_DBUS="True"
+esac
+
+case $(echo ${RUN_AS_USER} | tr [A-Z] [a-z]) in
+0)
+no)
+false)
+	RUN_AS_USER="False"
+	;;
+*)
+	RUN_AS_USER="True"
+esac
+
+CHAIWALA_UID=1000
+CHAIWALA_USER="user"
+
+# Check parameters
+if [ $# -lt 3 ]; then
+echo 
+	echo "Usage: run-aa-test <expectation-file> <command> <argument-1> <argument-2> …"
+	echo "\"export LAUNCH_DBUS=no\" in the test script to not launch a dbus session."
+	echo "\"export RUN_AS_USER=no\" in the test script to not run as ${CHAIWALA_USER}"
+	exit 1
+fi
+
+EXPECT_FILE=$1
+shift
+
+if [ ! -r ${EXPECT_FILE} ]; then
+	echo "Cannot read specified expectation file: ${EXPECT_FILE}"
+	exit 1
+fi
+
+if [ ! -x $1 ]; then
+	echo "Cannot execute specified test executable: $1"
+	exit 1
+fi
+
+SOMETHING_FAILED="False"
+# typically "normal.expected" or "malicious.expected"
+TEST_TITLE=$( basename ${EXPECT_FILE} )
+
+# Touch .bash_history, which we use in some tests, if it's not there.
+bash_history="/home/${CHAIWALA_USER}/.bash_history"
+if [ ! -r ${bash_history} ]; then
+	RET=$( sudo -u ${CHAIWALA_USER} touch ${bash_history} )
+	if [ $RET != 0 ]; then
+		echo "Failed to create .bash_history: $RET"
+		exit 1
+	fi
+fi
+
+# Catch any new lines added to audit.log
+AUDIT_FILE=$( mktemp )
+tail -n0 -f /var/log/audit/audit.log > ${AUDIT_FILE} &
+AUDIT_PID=$!
+
+if [ "${LAUNCH_DBUS}" = "True" ]; then
+	# Start a new D-Bus session for this test
+	CMD="dbus-run-session -- $*"
+else
+	CMD=$*
+fi
+
+CMDLINE=""
+for PREFIX in '' '/usr/lib/apertis-tests/'; do
+	TOOL="${PREFIX}common/run-test-in-systemd"
+	if [ -x ${TOOL} ]; then
+		CMDLINE=${TOOL}
+		break
+	fi
+done
+
+if [ "$CMDLINE" = "" ]; then
+	echo "common/run-test-in-systemd not found"
+	exit 1
+fi
+
+CMDLINE="${CMDLINE} --no-lava"
+
+if [ "${RUN_AA_TEST_TIMEOUT}" != "" ]; then
+	CMDLINE="${CMDLINE} --timeout=${RUN_AA_TEST_TIMEOUT}"
+fi
+
+if [ "${RUN_AS_USER}" = "True" ]; then
+	CMDLINE="${CMDLINE} --user=${CHAIWALA_UID}"
+else
+	CMDLINE="${CMDLINE} --system"
+fi
+
+CMDLINE="${CMDLINE} ${CMD}"
+
+echo "#=== running test script: ${CMDLINE} ==="
+
+RET=$( setsid ${CMDLINE} )
+
+echo "#--- end of test script, status: ${RET}"
+
+if [ "${RET}" = "0" ]; then
+	echo "${TEST_TITLE}_underlying_tests: pass"
+else
+	echo "# ${CMDLINE} exited ${RET}"
+	# typically "normal.expected_underlying_tests: fail"
+	echo "${TEST_TITLE}_underlying_tests: fail"
+	SOMETHING_FAILED="True"
+fi
+
+# Give auditd time to log the entries.
+sleep 3
+
+# Need to stop tailing audit
+kill ${AUDIT_PID}
+
+echo "#=== ${TEST_TITLE} ==="
+
+echo "#---8<--- raw output in audit log"
+cat ${AUDIT_FILE} | sed 's/^/# /'
+echo "#--->8---"
+
+echo "#---8<--- expected output from aa_log_extract_tokens.pl"
+cat ${EXPECT_FILE} | sed 's/^/# /'
+echo "#--->8---"
+
+EXPECT_SPLIT_DIR=$(mktemp -d)
+
+cp ${EXPECT_FILE} ${EXPECT_SPLIT_DIR}/REMAIN
+
+EXPECT_COUNT=1
+
+SEPARATOR=$( grep -m1 -x -n "${ALTERNATIVE_SEPARATOR}" //REMAIN | cut -d: -f1 )
+while [ "${SEPARATOR}" != "" ]; do
+	echo "SEPARATOR=\"${SEPARATOR}\""
+	echo "REMAIN:"
+	cat ${EXPECT_SPLIT_DIR}/REMAIN
+	head -n $((${SEPARATOR}-1)) ${EXPECT_SPLIT_DIR}/REMAIN > ${EXPECT_SPLIT_DIR}/EXPECT${EXPECT_COUNT}
+	SEPARATOR=$((${SEPARATOR}+1))
+	tail -n +${SEPARATOR} ${EXPECT_SPLIT_DIR}/REMAIN > ${EXPECT_SPLIT_DIR}/REMAIN.new
+	mv ${EXPECT_SPLIT_DIR}/REMAIN.new ${EXPECT_SPLIT_DIR}/REMAIN
+	EXPECT_COUNT=$((${EXPECT_COUNT}+1))
+	SEPARATOR=$( grep -m1 -x -n "${ALTERNATIVE_SEPARATOR}" ${EXPECT_SPLIT_DIR}/REMAIN | cut -d: -f1 )
+done
+
+mv ${EXPECT_SPLIT_DIR}/REMAIN ${EXPECT_SPLIT_DIR}/EXPECT${EXPECT_COUNT}
+
+PARSE_FILE="${EXPECT_SPLIT_DIR}/PARSE"
+
+RET=$( cat ${AUDIT_FILE} | /usr/bin/aa_log_extract_tokens.pl REJECTING > ${PARSE_FILE} )
+
+if [ "${RET}" != "0" ]; then
+	echo "# aa_log_extract_tokens.pl failed, trying line-by-line..."
+
+	LINES=$(wc -l ${AUDIT_FILE} | cut -d ' ' -f1 )
+	
+	cat ${AUDIT_FILE} | while read LINE; do
+		echo ${LINE} | /usr/bin/aa_log_extract_tokens.pl REJECTING 2>${EXPECT_SPLIT_DIR}/STDERR > ${EXPECT_SPLIT_DIR}/STDOUT
+		RET=$?
+		cat ${EXPECT_SPLIT_DIR}/STDOUT >> ${EXPECT_SPLIT_DIR}/ERRPARSE
+
+		cat ${EXPECT_SPLIT_DIR}/STDERR | sed 's/^/E: /' >> ${EXPECT_SPLIT_DIR}/ERRPARSE
+
+		if [ "$RET" != "0" ]; then
+			echo -n "^ original line: ${LINE}" >> ${EXPECT_SPLIT_DIR}/ERRPARSE
+		fi
+	done
+
+	mv ${EXPECT_SPLIT_DIR}/ERRPARSE ${PARSE_FILE}
+fi
+
+echo "#---8<--- actual output from aa_log_extract_tokens.pl"
+cat ${PARSE_FILE} | sed 's/^/# /'
+echo "#--->8---"
+
+MATCH_EXPECTATION = "False"
+
+# We might have alternative expectations, take that into consideration.
+OUTPUT_MD5=$( cat ${PARSE_FILE} | md5sum )
+COUNT=$( ls -1 ${EXPECT_SPLIT_DIR}/EXPECT* | wc -l )
+NUM=1
+while [ $NUM <= $COUNT ]; do
+	EXPECTED_MD5=$( cat ${EXPECT_SPLIT_DIR}/EXPECT${NUM} | md5sum )
+	if [ "${OUTPUT_MD5}" = "${EXPECTED_MD5}" ]; then
+		echo "# audit log matches alternative expectation ${NUM}/${COUNT}"
+		MATCH_EXPECTATION = "True"
+	fi
+	NUM=$((${NUM}+1))
+done
+
+if [ "${MATCH_EXPECTATION}" = "True" ]; then
+	echo "${TEST_TITLE}: pass"
+else
+	echo "#---8<--- diff"
+	diff -urN 
+	echo "#--->8---"
+	echo "${TEST_TITLE}: fail"
+	SOMETHING_FAILED="True"
+fi
+
+if [ "${SOMETHING_FAILED}" = "True" ]; then
+	exit 1
+fi
+
+exit 0
--- a/test-dbus
+++ b/test-dbus
+#!/bin/sh
+# vim: tw=0
+
+TEST_DIR="${TEST_DIR:-/usr/lib/apertis-tests/apparmor/dbus}"
+# Use pre-existing session bus
+export LAUNCH_DBUS="no"
+
+"${TEST_DIR}"/run-aa-test "${TEST_DIR}"/dbus.expected "${TEST_DIR}"/dbus
--- a/usr.bin.busctl
+++ b/usr.bin.busctl
+#include <tunables/global>
+
+/usr/bin/busctl {
+  #include <abstractions/base>
+  #include <abstractions/dbus>
+  #include <abstractions/dbus-session-strict>
+
+  /usr/bin/busctl rmPx,
+
+  # let us read our own /proc for debugging
+  owner @{PROC}/@{pid}/attr/current r,
+  ptrace (read) peer=@{profile_name},
+
+  dbus (send)
+       bus=session
+       interface=org.Test
+       path=/org/Test
+       member=Accept,
+
+  audit dbus (send)
+       bus=session
+       interface=org.Test
+       path=/org/Test
+       member=AuditAndAccept,
+
+  deny dbus (send)
+       bus=session
+       interface=org.Test
+       path=/org/Test
+       member=Deny,
+
+  audit deny dbus (send)
+       bus=session
+       interface=org.Test
+       path=/org/Test
+       member=AuditAndDeny,
+}