Add test cases for Tiny container AppArmor enforcement

Check if AppArmor profile for dbus-daemon in the container is loaded. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Add test cases for Tiny container AppArmor enforcement
Check if AppArmor profile for dbus-daemon in the container is loaded. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
325a867b · Denis Pynkin · Denis Pynkin · 06ce3119 · 325a867b · 325a867b
Commit 325a867b authored 6 years ago by Denis Pynkin Committed by Denis Pynkin 6 years ago
--- a/test-cases/tiny-container-system-aa-enforcement.yaml
+++ b/test-cases/tiny-container-system-aa-enforcement.yaml
+metadata:
+  name: tiny-container-system-aa-enforcement
+  format: "Apertis Test Definition 1.0"
+  image-types:
+    tiny-lxc: [ armhf-internal, arm64, amd64 ]
+  image-deployment:
+    - APT
+  type: functional
+  exec-type: automated
+  priority: medium
+  maintainer: "Apertis Project"
+  description: "Test that the AppArmor profile for dbus-daemon is loaded in system-wide
+                privileged container"
+
+  expected:
+    - "Test command should report \"pass\"."
+
+install:
+  git-repos:
+    - url: https://gitlab.apertis.org/infrastructure/tiny-image-recipes.git
+      branch: master
+
+run:
+  steps:
+    - "# Enter test directory:"
+    - cd tiny-image-recipes
+    - "# Setup the AppArmor profile for container:"
+    - sed s/__NAMESPACE_PLACEHOLDER__/lxc-apertis-tiny-system/g lxc/lxc-tiny-connectivity-profile-template | apparmor_parser -qr
+    - "# Check that the AppArmor profile for dbus-daemon in the container is loaded"
+    - lavatests/test-aa-enforcement -a "$ARCH" -r "$RELEASE" -d "$IMAGE_DATE" -t lxc/lxc-tiny-connectivity --aa-namespace "lxc-apertis-tiny-system"
+
+parse:
+  pattern: "(?P<test_case_id>.*-*):\\s+(?P<result>(pass|fail))"
--- a/test-cases/tiny-container-user-aa-enforcement.yaml
+++ b/test-cases/tiny-container-user-aa-enforcement.yaml
+metadata:
+  name: tiny-container-user-aa-enforcement
+  format: "Apertis Test Definition 1.0"
+  image-types:
+    tiny-lxc: [ armhf-internal, arm64, amd64 ]
+  image-deployment:
+    - APT
+  type: functional
+  exec-type: automated
+  priority: medium
+  maintainer: "Apertis Project"
+  description: "Test that the AppArmor profile for dbus-daemon is loaded in
+                unprivileged container started as user"
+
+  expected:
+    - "Test command should report \"pass\"."
+
+install:
+  git-repos:
+    - url: https://gitlab.apertis.org/infrastructure/tiny-image-recipes.git
+      branch: master
+
+run:
+  steps:
+    - "# Enter test directory:"
+    - cd tiny-image-recipes
+    - "# Ensure we allow user mapping:"
+    - sysctl -w kernel.unprivileged_userns_clone=1
+    - "# Setup the AppArmor profile for container:"
+    - sed s/__NAMESPACE_PLACEHOLDER__/lxc-apertis-tiny-userns/g lxc/lxc-tiny-connectivity-profile-template | apparmor_parser -qr
+    - "# Make sure user have correct mappings for test:"
+    - usermod --add-subuids 1000-1000 user
+    - usermod --add-subuids 100000-165535 user
+    - usermod --add-subgids 1000-1000 user
+    - usermod --add-subgids 100000-165535 user
+    - "# Check that the AppArmor profile for dbus-daemon in the container is loaded"
+    - sudo -u user -H lavatests/test-aa-enforcement -a "$ARCH" -r "$RELEASE" -d "$IMAGE_DATE" -t lxc/lxc-tiny-connectivity --aa-namespace "lxc-apertis-tiny-userns"
+
+parse:
+  pattern: "(?P<test_case_id>.*-*):\\s+(?P<result>(pass|fail))"