~ubuntu-branches/ubuntu/wily/apparmor/wily

echo "Error: ${testname} failed. Test '${_testdesc}' actual confinement '$actual_confinement' differed from expected confinement '$expected_confinement'"

testfailed

}

# ENFORCE mode

# confined parent, exec child with 'px'

# case 1: parent profile grants access (should be irrelevant)

# child profile grants access

# expected behaviour: child should be able to access resource

genprofile $test2:px $file:$fileperm -- image=$test2 $file:$fileperm

local_runchecktest "enforce px case1" pass $test2 $test2 $file

# case 2: parent profile grants access (should be irrelevant)

# child profile disallows access

# expected behaviour: child should be unable to access resource

genprofile $test2:px $file:$fileperm -- image=$test2

local_runchecktest "enforce px case2" fail $test2 $test2 $file

# case 3: parent profile disallows access (should be irrelevant)

# child profile allows access

# expected behaviour: child should be able to access resource

genprofile $test2:px -- image=$test2 $file:$fileperm

local_runchecktest "enforce px case3" pass $test2 $test2 $file

# case 4: parent profile grants access (should be irrelevant)

# missing child profile

# expected behaviour: exec of child fails

genprofile $test2:px $file:$fileperm

local_runchecktest "enforce px case4" fail "n/a" $test2 $file

100

# confined parent, exec child with 'ix'

101

# case 1: parent profile grants access

102

# child profile grants access (should be irrelevant)

103

# expected behaviour: child should be able to access resource

104

105

genprofile $test2:rix $file:$fileperm -- image=$test2 $file:$fileperm

106

local_runchecktest "enforce ix case1" pass $test1 $test2 $file

107

108

# case 2: parent profile grants access

109

# child profile disallows access (should be irrelevant)

110

# expected behaviour: child should be able to access resource

111

112

genprofile $test2:rix $file:$fileperm -- image=$test2

113

local_runchecktest "enforce ix case2" pass $test1 $test2 $file

114

115

# case 3: parent profile disallows access

116

# child profile allows access (should be irrelevant)

117

# expected behaviour: child should be unable to access resource

118

119

genprofile $test2:rix -- image=$test2 $file:$fileperm

120

local_runchecktest "enforce ix case3" fail $test1 $test2 $file

121

122

# case 4: parent profile grants access

123

# missing child profile (irrelvant)

124

# expected behaviour: child should be able to access resource

125

126

genprofile $test2:rix $file:$fileperm

127

local_runchecktest "enforce ix case4" pass $test1 $test2 $file

128

129

# confined parent, exec child with 'ux'

130

# case 1: parent profile grants access (should be irrelevant)

131

# expected behaviour, child should be able to access resource

132

133

genprofile $test2:ux $file:$fileperm

134

local_runchecktest "enforce ux case1" pass "unconstrained" $test2 $file

135

136

# case 2: parent profile denies access (should be irrelevant)

137

# expected behaviour, child should be able to access resource

138

139

genprofile $test2:ux

140

local_runchecktest "enforce ux case1" pass "unconstrained" $test2 $file

141

142

# confined parent, exec child with conflicting exec qualifiers

143

# case 1:

144

# expected behaviour: exec of child fails

145

146

genprofile $test2_rex1:px $test2_rex2:ix -- image=$test2 $file:$fileperm

147

local_runchecktest "enforce conflicting exec qual" fail "n/a" $test2 $file

148

149

# unconfined parent

150

# case 1: child profile exists, child profile grants access

151

# expected behaviour: child should be able to access resource

152

153

genprofile image=$test2 $file:$fileperm

154

local_runchecktest "enforce unconfined case1" pass $test2 $test2 $file

155

156

# case 2: child profile exists, child profile denies access

157

# expected behaviour: child should be unable to access resource

158

159

genprofile image=$test2

160

local_runchecktest "enforce unconfined case2" fail $test2 $test2 $file

161

162

# case 3: no child profile exists, unconfined

163

# expected behaviour: child should be able to access resource

164

165

removeprofile

166

local_runchecktest "enforce unconfined case3" pass "unconstrained" $test2 $file

167

168

# -----------------------------------------------------------------------

169

170

# COMPLAIN mode -- all the tests again but with profiles loaded in

171

# complain mode rather than enforce mode

172

173

# confined parent, exec child with 'px'

174

# case 1: expected behaviour: as enforce

175

# case 2: expected behaviour: child should be able to access resource

176

# case 3: expected behaviour: as enforce

177

# case 4: expected behaviour: child should be able to access resource

178

# verify child is in null-complain-profile

179

180

# confined parent, exec child with 'ix'

181

# case 1: expected behaviour: as enforce

182

# case 2: expected behaviour: as enforce

183

# case 3: expected behaviour: child should be able to access resource

184

# case 4: expected behaviour: as enforce

185

186

# constrined parent, exec child with 'ux'

187

# case 1: expected behaviour, child should be able to access resource

188

# case 2: expected behaviour, child should be able to access resource

189

190

# confined parent, exec child with conflicting exec qualifiers

191

# case 1: child should be able to access resource

192

# verify that child is in null-complain-profile

193

194

# unconfined parent

195

# case 1: expected behaviour: as enforce

196

# case 2: expected behaviour, child should be able to access resource

197

# case 3: expected behaviour: as enforce

198

Older »