7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# apparmor_mount: test proper handling of apparmor in kernels
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# without mount features
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# These require the ubuntu lxc package to be installed.
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# This program is free software; you can redistribute it and/or
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# modify it under the terms of the GNU Lesser General Public
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# License as published by the Free Software Foundation; either
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# version 2.1 of the License, or (at your option) any later version.
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# This library is distributed in the hope that it will be useful,
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# but WITHOUT ANY WARRANTY; without even the implied warranty of
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# Lesser General Public License for more details.
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# You should have received a copy of the GNU Lesser General Public
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# License along with this library; if not, write to the Free Software
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# This test assumes an Ubuntu host
f58236fd702f8979a68a74e17c7a81f37899edf7Serge Hallyn default_profile="lxc-container-default-cgns (enforce)"
f58236fd702f8979a68a74e17c7a81f37899edf7Serge Hallyn default_profile="lxc-container-default (enforce)"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
3a5495cf2f6c1806f5a91d699448b15b510f146ePo-Hsu LinKNOWN_RELEASES="precise trusty xenial yakkety zesty"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge HallynMOUNTSR=/sys/kernel/security/apparmor/features/mount
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn if [ $DONE -eq 0 ]; then
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# Only run on a normally configured ubuntu lxc system
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "lxcbr0 is not configured."
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "ERROR: Must run as root."
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# This would be much simpler if we could run it as
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# root. However, so that the bind mount of an empty
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# directory over the securityfs 'mount' directory is
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# not removed, we need to do this as non-root.
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynwhich newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn# create a test user
efdca59e498ce7a7ff0db091d7d2fec01a91b8eaSerge Hallynecho "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynusermod -v 910000-919999 -w 910000-919999 $TUSER
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynlxc.network.type = veth
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynlxc.network.link = lxcbr0
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynlxc.id_map = u 0 910000 9999
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynlxc.id_map = g 0 910000 9999
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graberelif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber for d in $(cut -d : -f 2 /proc/self/cgroup); do
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
42e5c9878f0d20b3e9682ef441afed2f0228b298Stéphane Graber --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
177f793ae07431b2db86b5fa1b63cd59f9a66319Serge Hallyn [ -f $d/cgroup.clone_children ] && echo 1 > $d/cgroup.clone_children
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
01c05c821093dc854def146d4bab62885d8eb664Po-Hsu Lin# default release is trusty, or the system's release if it is recognized
01c05c821093dc854def146d4bab62885d8eb664Po-Hsu Lin rels=$(ubuntu-distro-info --supported 2>/dev/null) ||
01c05c821093dc854def146d4bab62885d8eb664Po-Hsu Linrun_cmd lxc-create -t download -n $cname -- -d ubuntu -r $release -a $ARCH
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "test default confined container"
f58236fd702f8979a68a74e17c7a81f37899edf7Serge Hallynif [ "x$profile" != "x${default_profile}" ]; then
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "FAIL: confined container was in profile $profile"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "test regular unconfined container"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "FAIL: unconfined container was in profile $profile"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "masking $MOUNTSR"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "test default confined container"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynsed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "FAIL: confined container started without mount restrictions"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "pid was $pid"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "test regular unconfined container"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "FAIL: unconfined container failed to start without mount restrictions"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "FAIL: confined container was in profile $profile"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "testing override"
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynsed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallynecho "lxc.aa_allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "FAIL: excepted container failed to start without mount restrictions"
f58236fd702f8979a68a74e17c7a81f37899edf7Serge Hallynif [ "x$profile" != "x${default_profile}" ]; then
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn echo "FAIL: confined container was in profile $profile"