lsm: add a test for apparmor

Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

lsm: add a test for apparmor
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
c6e724f6 · Tycho Andersen · Pavel Emelyanov · cf7a7338 · c6e724f6 · c6e724f6
Commit c6e724f6 authored May 06, 2015 by Tycho Andersen Committed by Pavel Emelyanov May 08, 2015
6 changed files
--- a/test/zdtm.sh
+++ b/test/zdtm.sh
@@ -198,6 +198,7 @@ generate_test_list()
 		ns/static/clean_mntns
 		static/remap_dead_pid
 		static/poll
+		static/apparmor
 	"

 	TEST_CR_KERNEL="
@@ -330,6 +331,7 @@ mntns_rw_ro_rw
 netns-dev
 sockets00
 cow01
+apparmor
 "

 CRIU_CPT=$CRIU

--- a/test/zdtm/.gitignore
+++ b/test/zdtm/.gitignore
 /lib/libzdtmtst.a
+/live/static/apparmor
 /live/static/arm-neon00
 /live/static/bind-mount
 /live/static/busyloop00

--- a/test/zdtm/live/static/Makefile
+++ b/test/zdtm/live/static/Makefile
@@ -122,6 +122,7 @@ TST_NOFILE	=				\
 		remap_dead_pid			\
 		aio00				\
 		fd				\
+		apparmor				\
 #		jobctl00			\

 TST_FILE	=				\

--- a/test/zdtm/live/static/apparmor.c
+++ b/test/zdtm/live/static/apparmor.c
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/mount.h>
+#include <linux/limits.h>
+#include <signal.h>
+#include "zdtmtst.h"
+
+const char *test_doc	= "Check that an apparmor profile is restored";
+const char *test_author	= "Tycho Andersen <tycho.andersen@canonical.com>";
+
+#define PROFILE "criu_test"
+
+int setprofile()
+{
+	char profile[1024];
+	int fd, len;
+
+	len = snprintf(profile, sizeof(profile), "changeprofile " PROFILE);
+	if (len < 0 || len >= sizeof(profile)) {
+		fail("bad sprintf\n");
+		return -1;
+	}
+
+	fd = open("/proc/self/attr/current", O_WRONLY);
+	if (fd < 0) {
+		fail("couldn't open fd\n");
+		return -1;
+	}
+
+	/* apparmor wants this in exactly one write, so we use write() here
+	 * vs. fprintf Just To Be Sure */
+	len = write(fd, profile, len);
+	close(fd);
+
+	if (len < 0) {
+		fail("couldn't write profile\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+int checkprofile()
+{
+	FILE *f;
+	char path[PATH_MAX], profile[1024];
+	int len;
+
+	sprintf(path, "/proc/self/attr/current");
+
+	f = fopen(path, "r");
+	if (!f) {
+		fail("couldn't open lsm current\n");
+		return -1;
+	}
+
+	len = fscanf(f, "%[^ \n]s", profile);
+	fclose(f);
+	if (len != 1) {
+		fail("wrong number of items scanned %d\n", len);
+		return -1;
+	}
+
+	if (strcmp(profile, PROFILE) != 0) {
+		fail("bad profile .%s. expected .%s.\n", profile, PROFILE);
+		return -1;
+	}
+
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	test_init(argc, argv);
+
+	if (access("/sys/kernel/security/apparmor", F_OK) != 0) {
+		skip("apparmor not enabled\n");
+		return 1;
+	}
+
+	if (system("apparmor_parser -r apparmor.profile") < 0) {
+		fail("apparmor profile parse failed");
+		return -1;
+	}
+
+	setprofile();
+
+	test_daemon();
+	test_waitsig();
+
+	if (checkprofile(0) == 0)
+		pass();
+
+	return 0;
+}
--- a/test/zdtm/live/static/apparmor.checkskip
+++ b/test/zdtm/live/static/apparmor.checkskip
+#!/bin/bash
+
+test -d /sys/kernel/security/apparmor
--- a/test/zdtm/live/static/apparmor.profile
+++ b/test/zdtm/live/static/apparmor.profile
+# vim:syntax=apparmor
+
+profile criu_test {
+	/** rwmlkix,
+	capability,
+	unix,
+	signal,
+}