From 325a867bd94df95975ca58afdbb75ddc11e021ee Mon Sep 17 00:00:00 2001
From: Denis Pynkin <denis.pynkin@collabora.com>
Date: Sat, 2 Mar 2019 04:50:23 +0300
Subject: [PATCH] Add test cases for Tiny container AppArmor enforcement

Check if AppArmor profile for dbus-daemon in the container is loaded.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
---
.../tiny-container-system-aa-enforcement.yaml | 33 +++++++++++++++
.../tiny-container-user-aa-enforcement.yaml | 40 +++++++++++++++++++
2 files changed, 73 insertions(+)
create mode 100644 test-cases/tiny-container-system-aa-enforcement.yaml
create mode 100644 test-cases/tiny-container-user-aa-enforcement.yaml

diff --git a/test-cases/tiny-container-system-aa-enforcement.yaml b/test-cases/tiny-container-system-aa-enforcement.yaml
new file mode 100644
index 0000000..7ae6d8a
--- /dev/null
+++ b/test-cases/tiny-container-system-aa-enforcement.yaml
@@ -0,0 +1,33 @@
+metadata:
+ name: tiny-container-system-aa-enforcement
+ format: "Apertis Test Definition 1.0"
+ image-types:
+ tiny-lxc: [ armhf-internal, arm64, amd64 ]
+ image-deployment:
+ - APT
+ type: functional
+ exec-type: automated
+ priority: medium
+ maintainer: "Apertis Project"
+ description: "Test that the AppArmor profile for dbus-daemon is loaded in system-wide
+ privileged container"
+
+ expected:
+ - "Test command should report \"pass\"."
+
+install:
+ git-repos:
+ - url: https://gitlab.apertis.org/infrastructure/tiny-image-recipes.git
+ branch: master
+
+run:
+ steps:
+ - "# Enter test directory:"
+ - cd tiny-image-recipes
+ - "# Setup the AppArmor profile for container:"
+ - sed s/__NAMESPACE_PLACEHOLDER__/lxc-apertis-tiny-system/g lxc/lxc-tiny-connectivity-profile-template | apparmor_parser -qr
+ - "# Check that the AppArmor profile for dbus-daemon in the container is loaded"
+ - lavatests/test-aa-enforcement -a "$ARCH" -r "$RELEASE" -d "$IMAGE_DATE" -t lxc/lxc-tiny-connectivity --aa-namespace "lxc-apertis-tiny-system"
+
+parse:
+ pattern: "(?P<test_case_id>.*-*):\\s+(?P<result>(pass|fail))"
diff --git a/test-cases/tiny-container-user-aa-enforcement.yaml b/test-cases/tiny-container-user-aa-enforcement.yaml
new file mode 100644
index 0000000..bec4507
--- /dev/null
+++ b/test-cases/tiny-container-user-aa-enforcement.yaml
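Review bot: The profile-load step `sed … | apparmor_parser -qr` reports only the exit status of `apparmor_parser` (unless the runner enables `pipefail`), and `-q` suppresses its warnings, so a missing template or a failed substitution would not surface as a step failure and the enforcement check that follows may run against whatever profile state the device already has. Splitting the step makes each failure visible: `sed 's/__NAMESPACE_PLACEHOLDER__/lxc-apertis-tiny-system/g' lxc/lxc-tiny-connectivity-profile-template > profile.rendered` followed by `apparmor_parser -r profile.rendered` (the output file name is only an example). The same pipeline appears in tiny-container-user-aa-enforcement.yaml. Both files also fetch `branch: master` while the test is parameterised with `"$RELEASE"`, so the profile template and the `lavatests/test-aa-enforcement` script are not tied to the release being verified; pinning the repository to a release branch or revision, if the test-definition format allows it, would make the result reproducible.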
@@ -0,0 +1,40 @@
+metadata:
+ name: tiny-container-user-aa-enforcement
+ format: "Apertis Test Definition 1.0"
+ image-types:
+ tiny-lxc: [ armhf-internal, arm64, amd64 ]
+ image-deployment:
+ - APT
+ type: functional
+ exec-type: automated
+ priority: medium
+ maintainer: "Apertis Project"
+ description: "Test that the AppArmor profile for dbus-daemon is loaded in
+ unprivileged container started as user"
+
+ expected:
+ - "Test command should report \"pass\"."
+
+install:
+ git-repos:
+ - url: https://gitlab.apertis.org/infrastructure/tiny-image-recipes.git
+ branch: master
+
+run:
+ steps:
+ - "# Enter test directory:"
+ - cd tiny-image-recipes
+ - "# Ensure we allow user mapping:"
+ - sysctl -w kernel.unprivileged_userns_clone=1
+ - "# Setup the AppArmor profile for container:"
+ - sed s/__NAMESPACE_PLACEHOLDER__/lxc-apertis-tiny-userns/g lxc/lxc-tiny-connectivity-profile-template | apparmor_parser -qr
+ - "# Make sure user have correct mappings for test:"
+ - usermod --add-subuids 1000-1000 user
+ - usermod --add-subuids 100000-165535 user
+ - usermod --add-subgids 1000-1000 user
+ - usermod --add-subgids 100000-165535 user
+ - "# Check that the AppArmor profile for dbus-daemon in the container is loaded"
+ - sudo -u user -H lavatests/test-aa-enforcement -a "$ARCH" -r "$RELEASE" -d "$IMAGE_DATE" -t lxc/lxc-tiny-connectivity --aa-namespace "lxc-apertis-tiny-userns"
+
+parse:
+ pattern: "(?P<test_case_id>.*-*):\\s+(?P<result>(pass|fail))"
--
GitLab
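Review bot: `sysctl -w kernel.unprivileged_userns_clone=1` and the four `usermod --add-subuids/--add-subgids` steps change device-wide state, and nothing in `run.steps` puts it back, so any test that runs later on the same boot sees unprivileged user namespaces enabled and extra sub-ID ranges for `user`. That can mask a hardening regression in other tests and makes results depend on test order. Consider recording the previous value first, `prev=$(sysctl -n kernel.unprivileged_userns_clone)`, and restoring it as the last step, `sysctl -w kernel.unprivileged_userns_clone="$prev"`, assuming the steps share one shell. If the runner discards the device after the job, a step comment saying so would be enough.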