# Copyright (C) 2014 Canonical, Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# This test verifies that the pivot_root syscall is indeed restricted for
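# Resolve the script directory to an absolute path. The expansion is quoted
# (and preceded by --) so a directory name containing whitespace, glob
# characters or a leading dash reaches cd as one operand.
pwd=$(cd -- "$pwd" ; /bin/pwd)

# Paths used by the test, all derived from $tmpdir.
# NOTE(review): $tmpdir is not assigned in this part of the listing; presumably
# the test harness provides it - confirm.
disk_img=$tmpdir/disk_img
# new_root keeps its trailing slash and put_old is built directly on top of it;
# both values are interpolated as-is into the pivot_root rules further down.
new_root=$tmpdir/new_root/
put_old=${new_root}put_old/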
pivot_root_cleanup() {
if [ $? -eq 0 ] ; then
mountpoint -q "$new_root"
if [ $? -eq 0 ] ; then
# Name of the cleanup routine; presumably the harness runs it on exit - confirm.
do_onexit=pivot_root_cleanup

# pivot_root does not accept an old root and a new root on the same
# filesystem, so the new root is backed by a small loop-mounted image
# (512 blocks of 1024 bytes).
# NOTE(review): dd and mkfs diagnostics are discarded and no exit status is
# checked in these lines, so a failed image build is not reported here.
dd if=/dev/zero of="$disk_img" bs=1024 count=512 2>/dev/null
/sbin/mkfs -t "$fstype" -F "$disk_img" >/dev/null 2>&1
/bin/mkdir "$new_root"
/bin/mount -t "$fstype" -o loop "$disk_img" "$new_root"

# The pivot_root test program calls aa_getcon() after pivot_root(), and
# aa_getcon() reads /proc/<PID>/attr/current, so proc has to be mounted.
mount -t proc proc "$proc"
# Will be used for pivot_root()'s put_old parameter
local desc="PIVOT_ROOT ($1)"
runchecktest "$desc" "$@"
# Rule fragment granting read access to /proc/<PID>/attr/current, which
# aa_getcon() needs. The * stands in for the PID, so the rule covers every
# task's attr/current rather than only the test's own. The value must stay
# quoted when expanded, otherwise the shell treats the * as a pathname pattern.
cur='/proc/*/attr/current:r'

# Rule fragment for capability sys_admin, required by clone(CLONE_NEWNS) and
# pivot_root().
cap='capability:sys_admin'
# A profile name that'll be used to test AA's transitions during pivot_root()
# Baseline: with no confinement the pivot_root call is expected to succeed.
# Presumably the last argument is the context the helper expects to see after
# pivot_root() - confirm against the helper.
do_test 'unconfined' pass "$put_old" "$new_root" unconfined

# Negative control for the helper itself: still unconfined, but with a wrong
# expected context, so the post-pivot_root verification has to report failure.
do_test 'unconfined, bad context' fail "$put_old" "$new_root" "$bad"

# With no permissions granted, the call must be denied.
# NOTE(review): the profile load for this case is not visible in this listing.
do_test 'no perms' fail "$put_old" "$new_root" "$test"
if [ "$(have_features mount)" != "true" ] ; then
# pivot_root mediation isn't supported by this kernel, so verify that
# capability sys_admin is sufficient and skip the remaining tests
do_test "cap" pass "$put_old" "$new_root" "$test"
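# pivot_root mediation matrix. Each case loads a profile with genprofile and
# then runs the helper through do_test with the expected outcome (pass/fail).
# $cur, $cap and image=$new_prof are quoted at every use: $cur holds a literal
# * that the shell would otherwise try to expand as a pathname pattern, and
# quoting keeps each rule a single argument.

# Ensure failure when no pivot_root perms are granted
# NOTE(review): no genprofile call for this case is visible in this listing -
# confirm against the full script which profile is loaded here.
do_test "cap only" fail "$put_old" "$new_root" "$test"

# Ensure failure when everything except capability sys_admin is granted
genprofile "$cur" "pivot_root:ALL"
do_test "bare rule, no cap" fail "$put_old" "$new_root" "$test"

# Give sufficient perms with full pivot_root access
genprofile "$cur" "$cap" "pivot_root:ALL"
do_test "bare rule" pass "$put_old" "$new_root" "$test"

# Give sufficient perms and specify new_root
genprofile "$cur" "$cap" "pivot_root:$new_root"
do_test "new_root" pass "$put_old" "$new_root" "$test"

# Ensure failure when the rule names a new_root that does not match
genprofile "$cur" "$cap" "pivot_root:$bad"
do_test "bad new_root" fail "$put_old" "$new_root" "$test"

# Give sufficient perms and specify put_old
genprofile "$cur" "$cap" "pivot_root:oldroot=$put_old"
do_test "put_old" pass "$put_old" "$new_root" "$test"

# Ensure failure when the rule names a put_old that does not match
genprofile "$cur" "$cap" "pivot_root:oldroot=$bad"
do_test "bad put_old" fail "$put_old" "$new_root" "$test"

# Give sufficient perms and specify put_old and new_root
genprofile "$cur" "$cap" "pivot_root:oldroot=$put_old $new_root"
do_test "put_old, new_root" pass "$put_old" "$new_root" "$test"

# Ensure failure when put_old is bad and new_root is correct
genprofile "$cur" "$cap" "pivot_root:oldroot=$bad $new_root"
do_test "bad put_old, new_root" fail "$put_old" "$new_root" "$test"

# Ensure failure when new_root is bad and put_old is correct
genprofile "$cur" "$cap" "pivot_root:oldroot=$put_old $bad"
do_test "put_old, bad new_root" fail "$put_old" "$new_root" "$test"

# Give sufficient perms and perform a profile transition. In the transition
# cases $cur is granted to the profile named by image=, not to the first one.
genprofile "$cap" "pivot_root:-> $new_prof" -- "image=$new_prof" "$cur"
do_test "transition" pass "$put_old" "$new_root" "$new_prof"

# Ensure failure when the new profile can't read /proc/<PID>/attr/current
genprofile "$cap" "pivot_root:-> $new_prof" -- "image=$new_prof"
do_test "transition, no perms" fail "$put_old" "$new_root" "$new_prof"

# Ensure failure when the new profile doesn't exist
genprofile "$cap" "pivot_root:-> $bad" -- "image=$new_prof" "$cur"
do_test "bad transition" fail "$put_old" "$new_root" "$new_prof"

# Ensure the test binary is accurately doing post pivot_root profile
# verification: the transition is valid, but the expected context passed to
# the helper is the original one, so the comparison has to fail.
genprofile "$cap" "pivot_root:-> $new_prof" -- "image=$new_prof" "$cur"
do_test "bad transition comparison" fail "$put_old" "$new_root" "$test"

# Give sufficient perms with new_root and a transition
genprofile "$cap" "pivot_root:$new_root -> $new_prof" -- "image=$new_prof" "$cur"
do_test "new_root, transition" pass "$put_old" "$new_root" "$new_prof"

# Ensure failure when the new profile doesn't exist and new_root is specified
genprofile "$cap" "pivot_root:$new_root -> $bad" -- "image=$new_prof" "$cur"
do_test "new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"

# Give sufficient perms with new_root, put_old, and a transition
genprofile "$cap" "pivot_root:oldroot=$put_old $new_root -> $new_prof" -- "image=$new_prof" "$cur"
do_test "put_old, new_root, transition" pass "$put_old" "$new_root" "$new_prof"

# Ensure failure when the new profile doesn't exist and new_root and put_old are specified
genprofile "$cap" "pivot_root:oldroot=$put_old $new_root -> $bad" -- "image=$new_prof" "$cur"
do_test "put_old, new_root, bad transition" fail "$put_old" "$new_root" "$new_prof"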