#!/bin/sh

# apparmor_mount: test proper handling of apparmor in kernels
# without mount features

# These require the ubuntu lxc package to be installed.

# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.

# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.

# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

# This test assumes an Ubuntu host
# Abort on the first failing command. The EXIT trap installed below still
# runs on that path, so the fixture is torn down and (DONE being 0) the
# run is reported as FAIL.
set -o errexit
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
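# FAIL: print "Failed <message>" on stderr and abort the test with status 1.
# The EXIT trap then runs cleanup(); DONE is still 0 there, so the run is
# also reported as FAIL on stdout.
# Arguments: $* - message words, joined by single spaces
FAIL() {
 # printf instead of 'echo -n': echo's -n flag is not portable under /bin/sh.
 printf 'Failed %s\n' "$*" >&2
 exit 1
}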
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
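# run_cmd: run a command as the unprivileged test user with a login
# environment. The proxy variables are passed through so the download
# template can fetch the image; XDG_RUNTIME_DIR points at the directory
# created for the user further down.
# Globals:   TUSER (read), http_proxy / https_proxy (read, may be unset)
# Arguments: the command and its arguments, forwarded unchanged
# Returns:   the exit status of the forwarded command
run_cmd() {
 # "$@" forwards each argument as one word. The original "$*" re-split
 # the arguments on whitespace, so an argument containing a space would
 # have reached the lxc-* tool as several words.
 sudo -i -u "$TUSER" \
  env http_proxy="${http_proxy:-}" https_proxy="${https_proxy:-}" \
  XDG_RUNTIME_DIR="/run/user/$(id -u "$TUSER")" "$@"
}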
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
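# Test state and fixtures.
# DONE flips to 1 only after the last check passes; cleanup() prints FAIL
# otherwise, so any early exit counts as a failure.
DONE=0
# securityfs directory that advertises AppArmor mount mediation. The test
# later bind-mounts an empty directory over it to make userspace believe
# the kernel has no mount features.
MOUNTSR=/sys/kernel/security/apparmor/features/mount
# Empty directory for that bind mount (unpredictable name via mktemp); its
# basename doubles as the container name so runs do not collide.
# $(...) instead of backticks; 'set -e' aborts if mktemp fails.
dnam=$(mktemp -d)
cname=$(basename "$dnam")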
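# cleanup: EXIT trap. Tear the fixture down and print the verdict.
# Globals: TUSER, HDIR, cname, dnam, MOUNTSR, DONE (read)
# Outputs: "PASS" or "FAIL" on stdout
# Returns: exits 1 when DONE is still 0 (a check failed or the script
#          aborted early); otherwise returns and the script keeps its
#          own exit status
cleanup() {
 # 'set -e' is still in force inside the trap, so every teardown step is
 # best-effort: one failing step (e.g. pkill finding no process, sed on a
 # missing /run/lxc/nics) must not abort the trap and skip the rest,
 # in particular the umount.
 if [ -n "${TUSER:-}" ]; then
  run_cmd lxc-destroy -f -n "$cname" || true
 fi
 # Always unmask the securityfs directory: left mounted, the host would
 # keep looking like a kernel without AppArmor mount mediation.
 umount -l "$MOUNTSR" || true
 rmdir "$dnam" || true
 # Only touch the test user's processes and files when that user exists.
 # The preflight checks above exit before TUSER is assigned, and
 # 'id -u' with an empty name resolves to the *caller's* uid: the
 # unguarded 'pkill -u $(id -u $TUSER) -9' would then kill every process
 # of the invoking user (root) and the rm would hit its runtime dir.
 if [ -n "${TUSER:-}" ]; then
  tuid=$(id -u "$TUSER" 2>/dev/null) || tuid=
  if [ -n "$tuid" ]; then
   pkill -u "$tuid" -9 || true
   rm -Rf -- "/run/user/$tuid" || true
  fi
  sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet || true
  sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid || true
  # ':?' refuses to run with an empty HDIR rather than expanding to 'rm -Rf'.
  if [ -n "${HDIR:-}" ]; then
   rm -Rf -- "${HDIR:?}" || true
  fi
  deluser "$TUSER" || true
 fi
 if [ "$DONE" -eq 0 ]; then
  echo "FAIL"
  exit 1
 fi
 echo "PASS"
}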
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
# Run cleanup() on every exit path, including aborts caused by 'set -e'.
trap cleanup EXIT
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
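# Preflight: only run on a normally configured Ubuntu lxc host, as root.
# Diagnostics go to stderr, like FAIL(); exit 1 lets the EXIT trap report
# FAIL since DONE is still 0.
if [ ! -d /sys/class/net/lxcbr0 ]; then
 echo "lxcbr0 is not configured." >&2
 exit 1
fi
if [ "$(id -u)" != "0" ]; then
 echo "ERROR: Must run as root." >&2
 exit 1
fi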
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
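# This would be much simpler if we could run it as root. However, in
# order to not have the bind mount of an empty directory over the
# securityfs 'mount' directory be removed, we need to do this as non-root.

# The unprivileged user needs newuidmap to set up its user namespace.
# 'command -v' is the POSIX way to probe for a command; 'which' is not.
command -v newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }

# Name and home of the throw-away test user, created below and removed
# again by cleanup().
TUSER=lxcunpriv
HDIR=/home/$TUSER

# Architecture for the downloaded container image; i386 is the fallback
# when dpkg is not available to ask.
ARCH=i386
if command -v dpkg >/dev/null 2>&1; then
 ARCH=$(dpkg --print-architecture)
fi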
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
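# Recreate the test user from scratch so state left by an aborted run
# cannot leak into this one. Both steps are best-effort.
if deluser "$TUSER"; then
 # ':?' refuses to run with an empty HDIR instead of expanding to 'rm -Rf'.
 rm -Rf -- "${HDIR:?}" || true
fi
useradd "$TUSER"

mkdir -p -- "$HDIR"
# Allow the user two veth devices on lxcbr0 ...
echo "$TUSER veth lxcbr0 2" > /etc/lxc/lxc-usernet
# ... and give it a fresh subordinate uid/gid range (drop any stale entry
# first so usermod does not refuse or duplicate it).
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
usermod -v 910000-919999 -w 910000-919999 "$TUSER"

# Default container config for the user: veth on lxcbr0, container root
# mapped into the subordinate range granted above.
mkdir -p -- "$HDIR/.config/lxc/"
cat > "$HDIR/.config/lxc/default.conf" << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 910000 9999
lxc.id_map = g 0 910000 9999
EOF
chown -R "$TUSER:" "$HDIR"

# Runtime directory that run_cmd exports as XDG_RUNTIME_DIR.
tuid=$(id -u "$TUSER")
mkdir -p -- "/run/user/$tuid"
chown -R "$TUSER:" "/run/user/$tuid"

cd "$HDIR"

# Hand the user its own cgroups via cgmanager and move this shell into
# them, so everything started from here lands underneath.
cgm create all "$TUSER"
cgm chown all "$TUSER" "$tuid" "$(id -g "$TUSER")"
cgm movepid all "$TUSER" $$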
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
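# Seed the user's image cache from the host cache (when present) so
# lxc-create does not have to download the image again, then build the
# test container as the unprivileged user.
run_cmd mkdir -p "$HDIR/.cache/lxc"
if [ -d /var/cache/lxc/download ]; then
 cp -R /var/cache/lxc/download "$HDIR/.cache/lxc"
 chown -R "$TUSER:" "$HDIR/.cache/lxc"
fi

run_cmd lxc-create -t download -n "$cname" -- -d ubuntu -r trusty -a "$ARCH"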
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
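# Check 1: with mount mediation available, a container started with the
# default config must run under the stock AppArmor profile, enforced.
echo "test default confined container"
run_cmd lxc-start -n "$cname" -d
run_cmd lxc-wait -n "$cname" -s RUNNING
pid=$(run_cmd lxc-info -p -H -n "$cname")
# Current AppArmor label of the container's init, e.g.
# "lxc-container-default (enforce)".
profile=$(cat "/proc/$pid/attr/current")
# FAIL() is the file's abort helper; the inline echo/exit duplicated it.
[ "x$profile" = "xlxc-container-default (enforce)" ] || \
 FAIL "confined container was in profile $profile"
run_cmd lxc-stop -n "$cname"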
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
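# Check 2: lxc.aa_profile = unconfined must leave the container's init
# unconfined, with mount mediation still available.
echo "test regular unconfined container"
echo "lxc.aa_profile = unconfined" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d
run_cmd lxc-wait -n "$cname" -s RUNNING
pid=$(run_cmd lxc-info -p -H -n "$cname")
profile=$(cat "/proc/$pid/attr/current")
# FAIL() is the file's abort helper; the inline echo/exit duplicated it.
[ "x$profile" = "xunconfined" ] || \
 FAIL "unconfined container was in profile $profile"
run_cmd lxc-stop -n "$cname"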
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
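# Mask the securityfs 'mount' feature directory with an empty directory so
# userspace sees a kernel without AppArmor mount mediation. cleanup()
# undoes this with 'umount -l'.
echo "masking $MOUNTSR"
mount --bind "$dnam" "$MOUNTSR"

# Check 3: without mount mediation the default (confined) profile cannot
# be enforced completely, so lxc must refuse to start the container
# rather than run it under an incomplete policy.
echo "test default confined container"
sed -i '/aa_profile/d' "$HDIR/.local/share/lxc/$cname/config"
# A start failure is the expected outcome here, hence '|| true'.
run_cmd lxc-start -n "$cname" -d || true
sleep 3
# lxc-info reports -1 (or fails) when the container is not running.
pid=$(run_cmd lxc-info -p -H -n "$cname") || true
# Two [ ] joined by && instead of the obsolescent '-a' operator.
if [ -n "$pid" ] && [ "$pid" != "-1" ]; then
 FAIL "confined container started without mount restrictions (pid was $pid)"
fi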
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
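# Check 4: an explicitly unconfined container does not depend on mount
# mediation, so it must still start and run unconfined.
echo "test regular unconfined container"
echo "lxc.aa_profile = unconfined" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d
run_cmd lxc-wait -n "$cname" -s RUNNING
pid=$(run_cmd lxc-info -p -H -n "$cname")
[ "$pid" != "-1" ] || \
 FAIL "unconfined container failed to start without mount restrictions"
profile=$(cat "/proc/$pid/attr/current")
# The message used to blame a "confined" container; this check is for the
# unconfined one.
[ "x$profile" = "xunconfined" ] || \
 FAIL "unconfined container was in profile $profile"
run_cmd lxc-stop -n "$cname"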
7aff4f43fd84b021db12b2ffed1a4aa1b4cf65efSerge Hallyn
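# Check 5: lxc.aa_allow_incomplete = 1 is the explicit opt-in to run under
# the default profile although its mount rules cannot be enforced. The
# container must start and its init must carry the default profile label.
echo "testing override"
sed -i '/aa_profile/d' "$HDIR/.local/share/lxc/$cname/config"
echo "lxc.aa_allow_incomplete = 1" >> "$HDIR/.local/share/lxc/$cname/config"
run_cmd lxc-start -n "$cname" -d
run_cmd lxc-wait -n "$cname" -s RUNNING
pid=$(run_cmd lxc-info -p -H -n "$cname")
[ "$pid" != "-1" ] || \
 FAIL "excepted container failed to start without mount restrictions"
profile=$(cat "/proc/$pid/attr/current")
[ "x$profile" = "xlxc-container-default (enforce)" ] || \
 FAIL "confined container was in profile $profile"
run_cmd lxc-stop -n "$cname"

# Every check passed: cleanup() (the EXIT trap) now prints PASS instead of
# FAIL.
DONE=1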