2
# $Id: changehat_misc.sh 61 2006-05-19 18:32:14Z steve-beattie $
4
# Copyright (C) 2002-2005 Novell/SUSE
6
# This program is free software; you can redistribute it and/or
7
# modify it under the terms of the GNU General Public License as
8
# published by the Free Software Foundation, version 2 of the
13
# Variety of tests verifying entry to subprofiles and return back to parent.
14
# AppArmor has rigid requirements around the correct use of the magic# token
15
# passed to changehat.
19
pwd=`cd $pwd ; /bin/pwd`
36
genprofile $file:$okperm
38
runchecktest "NO CHANGEHAT (access parent file)" pass nochange $file
39
runchecktest "NO CHANGEHAT (access sub file)" fail nochange $subfile
41
# CHANGEHAT TEST - test if can enter and exit a subprofile
43
genprofile $file:$okperm hat:$subtest $subfile:$okperm
45
runchecktest "CHANGEHAT (access parent file)" pass $subtest $file
46
runchecktest "CHANGEHAT (access sub file)" fail $subtest $subfile
48
# CHANGEHAT - test enter subprofile -> fork -> exit subprofile
49
settest changehat_misc2
51
genprofile $file:$okperm hat:$subtest $subfile:$okperm
53
runchecktest "FORK BETWEEN CHANGEHATS (access parent file)" pass $subtest $file
54
runchecktest "FORK BETWEEN CHANGEHATS (access sub file)" fail $subtest $subfile
56
# CHANGEHAT FROM ONE SUBPROFILE TO ANOTHER
57
settest changehat_twice
59
genprofile hat:$subtest $subfile:$okperm hat:$subtest2 $file:$okperm
61
runchecktest "CHANGEHAT (subprofile->subprofile)" pass $subtest $subtest2 goodmagic $file
64
echo "*** A 'Killed' message from bash is expected for the following test"
65
runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
67
# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
69
# 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
70
settest changehat_fail
72
genprofile hat:$subtest
74
runchecktest "CHANGEHAT (bad subprofile)" fail ${subtest2}
77
echo "*** A 'Killed' message from bash is expected for the following test"
78
runchecktest "CHANGEHAT (bad token)" signal9 ${subtest}
80
# Attempt to changehat out of a profile when the magic token is 0
81
# ugh, need dynlibs from open test
83
open_dynlibs=${dynlibs}
84
settest changehat_wrapper
86
genprofile hat:open ${dynlibs} ${bin}/open:rix ${file}:${okperm}
88
runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open ${file}
89
runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0 --exit_hat open ${file}
91
if [ -f /proc/self/attr/current ] ; then
92
# do some tests of writing directly to /proc/self/attr/current, skipping
93
# libimmunx. Only do these tests if the extended attribute exists.
94
runchecktest "CHANGEHAT (subprofile/write to /proc/attr/current)" pass --manual=123456 open ${file}
95
runchecktest "CHANGEHAT (exit subprofile/write to /proc/attr/current)" pass --manual=123456 --exit_hat open ${file}
96
runchecktest "CHANGEHAT (noexit subprofile/write 0 to /proc/attr/current)" pass --manual=0 open ${file}
97
runchecktest "CHANGEHAT (noexit subprofile/write 00000000 to /proc/attr/current)" pass --manual=00000000 open ${file}
98
# verify that the kernel accepts the command "changehat ^hat\0" and
99
# treats an empty token as 0.
100
runchecktest "CHANGEHAT (noexit subprofile/write \"\" to /proc/attr/current)" fail --manual="" open ${file}
101
runchecktest "CHANGEHAT (exit of noexit subprofile/write 0 to /proc/attr/current)" fail --manual=0 --exit_hat open ${file}
102
runchecktest "CHANGEHAT (exit of noexit subprofile/write 00000000 to /proc/attr/current)" fail --manual=00000000 --exit_hat open ${file}
103
runchecktest "CHANGEHAT (exit of noexit subprofile/write \"\" to /proc/attr/current)" fail --manual="" --exit_hat open ${file}
106
# CHANGEHAT and PTHREADS: test that change_hat functions correctly in
107
# the presence of threads
108
settest changehat_pthread
109
genprofile $file:$okperm "/proc/**:w" hat:fez $subfile:$okperm "/proc/**:w"
110
runchecktest "CHANGEHAT PTHREAD (access parent file)" fail $file
111
runchecktest "CHANGEHAT PTHREAD (access sub file)" pass $subfile