lxc-test-apparmor: flush the pipe before exiting child to make sure the parent's read returns. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

tests: Avoid the download template when possible The use of the download template with an hardcoded --arch=amd64 in aa.c was causing test failures on any platform incapable of running amd64 binaries. This wasn't noticed in the CI environment as we run the tests within containers on an amd64 kernel but this caused failures on the Ubuntu CI environment. Instead, let's use the busybox template, tweaking the configuration when needed to match the needs of the testcase. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

tests: apparmor: Always end with a newline Some error messages in lxc-test-apparmor didn't end with a newline, leading to slightly difficult to read output. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

apparmor: auto-generate the blacklist rules This uses the generate-apparmor-rules.py script I sent out some time ago to auto-generate apparmor rules based on a higher level set of block/allow rules. Add apparmor policy testcase to make sure that some of the paths we expect to be denied (and allowed) write access to are in fact in effect in the final policy. With this policy, libvirt in a container is able to start its default network, which previously it could not. v2: address feedback from stgraber put lxc-generate-aa-rules.py into EXTRA_DIST add lxc-test-apparmor, container-base and container-rules to .gitignore take lxc-test-apparmor out of EXTRA_DIST make lxc-generate-aa-rules.py pep8-compliant don't automatically generate apparmor rules This is only bc we can't be guaranteed that python3 will be available. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>