Cross Reference: /lxc/src/tests/lxc-test-apparmor-mount

	lxc-test-apparmor-mount revision efdca59e498ce7a7ff0db091d7d2fec01a91b8ea
6357N/A#!/bin/sh
6357N/A
6357N/A# apparmor_mount: test proper handling of apparmor in kernels
6357N/A# without mount features
6357N/A
6357N/A# These require the ubuntu lxc package to be installed.
6357N/A
6357N/A# This program is free software; you can redistribute it and/or
6357N/A# modify it under the terms of the GNU Lesser General Public
6357N/A# License as published by the Free Software Foundation; either
6357N/A# version 2.1 of the License, or (at your option) any later version.
6357N/A
6357N/A# This library is distributed in the hope that it will be useful,
6357N/A# but WITHOUT ANY WARRANTY; without even the implied warranty of
6357N/A# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
6357N/A# Lesser General Public License for more details.
6357N/A
6357N/A# You should have received a copy of the GNU Lesser General Public
6357N/A# License along with this library; if not, write to the Free Software
6357N/A# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6357N/A
6357N/A# This test assumes an Ubuntu host
6357N/A
6357N/Aset -e
6357N/A
6357N/AFAIL() {
6357N/A    echo -n "Failed " >&2
6357N/A    echo "$*" >&2
6357N/A    exit 1
6357N/A}
6357N/A
6357N/Arun_cmd() {
6357N/A    sudo -i -u $TUSER \
6357N/A        env http_proxy=${http_proxy:-} https_proxy=${https_proxy:-} \
6357N/A            XDG_RUNTIME_DIR=/run/user/$(id -u $TUSER) $*
6357N/A}
6357N/A
6357N/ADONE=0
6357N/AMOUNTSR=/sys/kernel/security/apparmor/features/mount
6357N/Adnam=`mktemp -d`
6357N/Acname=`basename $dnam`
6357N/Acleanup() {
6357N/A    run_cmd lxc-destroy -f -n $cname || true
6357N/A    umount -l $MOUNTSR || true
6357N/A    rmdir $dnam || true
6357N/A    pkill -u $(id -u $TUSER) -9
6357N/A    sed -i '/lxcunpriv/d' /run/lxc/nics /etc/lxc/lxc-usernet
6357N/A    sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid
6357N/A    rm -Rf $HDIR /run/user/$(id -u $TUSER)
6357N/A    deluser $TUSER
6357N/A    if [ $DONE -eq 0 ]; then
6357N/A        echo "FAIL"
6357N/A        exit 1
6357N/A    fi
6357N/A    echo "PASS"
6357N/A}
6357N/A
6357N/Atrap cleanup exit
6357N/A
6357N/A# Only run on a normally configured ubuntu lxc system
6357N/Aif [ ! -d /sys/class/net/lxcbr0 ]; then
6357N/A    echo "lxcbr0 is not configured."
6357N/A    exit 1
6357N/Afi
6357N/Aif [ "$(id -u)" != "0" ]; then
6357N/A    echo "ERROR: Must run as root."
6357N/A    exit 1
6357N/Afi
6357N/A
6357N/A# This would be much simpler if we could run it as
6357N/A# root.  However, in order to not have the bind mount
6357N/A# of an empty directory over the securitfs 'mount' directory
6357N/A# be removed, we need to do this as non-root.

which newuidmap >/dev/null 2>&1 || { echo "'newuidmap' command is missing" >&2; exit 1; }
# create a test user
TUSER=lxcunpriv
HDIR=/home/$TUSER

ARCH=i386
if type dpkg >/dev/null 2>&1; then
    ARCH=$(dpkg --print-architecture)
fi

deluser $TUSER && rm -Rf $HDIR || true
useradd $TUSER

mkdir -p $HDIR
echo "$TUSER veth lxcbr0 2" >> /etc/lxc/lxc-usernet
sed -i '/^lxcunpriv:/d' /etc/subuid /etc/subgid

usermod -v 910000-919999 -w 910000-919999 $TUSER

mkdir -p $HDIR/.config/lxc/
cat > $HDIR/.config/lxc/default.conf << EOF
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.id_map = u 0 910000 9999
lxc.id_map = g 0 910000 9999
EOF
chown -R $TUSER: $HDIR

mkdir -p /run/user/$(id -u $TUSER)
chown -R $TUSER: /run/user/$(id -u $TUSER)

cd $HDIR

if which cgm >/dev/null 2>&1; then
    cgm create all $TUSER
    cgm chown all $TUSER $(id -u $TUSER) $(id -g $TUSER)
    cgm movepid all $TUSER $$
elif [ -e /sys/fs/cgroup/cgmanager/sock ]; then
    for d in $(cut -d : -f 2 /proc/self/cgroup); do
        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Create \
            string:$d string:$TUSER >/dev/null

        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.Chown \
            string:$d string:$TUSER int32:$(id -u $TUSER) int32:$(id -g $TUSER) >/dev/null

        dbus-send --print-reply --address=unix:path=/sys/fs/cgroup/cgmanager/sock \
            --type=method_call /org/linuxcontainers/cgmanager org.linuxcontainers.cgmanager0_0.MovePid \
            string:$d string:$TUSER int32:$$ >/dev/null
    done
else
    for d in /sys/fs/cgroup/*; do
        [ ! -d $d/lxctest ] && mkdir $d/lxctest
        chown -R $TUSER: $d/lxctest
        echo $$ > $d/lxctest/tasks
    done
fi


run_cmd mkdir -p $HDIR/.cache/lxc
[ -d /var/cache/lxc/download ] && \
    cp -R /var/cache/lxc/download $HDIR/.cache/lxc && \
    chown -R $TUSER: $HDIR/.cache/lxc

run_cmd lxc-create -t download -n $cname -- -d ubuntu -r trusty -a $ARCH

echo "test default confined container"
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
if [ "x$profile" != "xlxc-container-default (enforce)" ]; then
    echo "FAIL: confined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n $cname

echo "test regular unconfined container"
echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
profile=`cat /proc/$pid/attr/current`
if [ "x$profile" != "xunconfined" ]; then
    echo "FAIL: unconfined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n $cname

echo "masking $MOUNTSR"
mount --bind $dnam $MOUNTSR

echo "test default confined container"
sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d || true
sleep 3
pid=`run_cmd lxc-info -p -H -n $cname` || true
if [ -n "$pid" -a "$pid" != "-1" ]; then
    echo "FAIL: confined container started without mount restrictions"
    echo "pid was $pid"
    exit 1
fi

echo "test regular unconfined container"
echo "lxc.aa_profile = unconfined" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
if [ "$pid" = "-1" ]; then
    echo "FAIL: unconfined container failed to start without mount restrictions"
    exit 1
fi
profile=`cat /proc/$pid/attr/current`
if [ "x$profile" != "xunconfined" ]; then
    echo "FAIL: confined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n $cname

echo "testing override"
sed -i '/aa_profile/d' $HDIR/.local/share/lxc/$cname/config
echo "lxc.aa_allow_incomplete = 1" >> $HDIR/.local/share/lxc/$cname/config
run_cmd lxc-start -n $cname -d
run_cmd lxc-wait -n $cname -s RUNNING
pid=`run_cmd lxc-info -p -H -n $cname`
if [ "$pid" = "-1" ]; then
    echo "FAIL: excepted container failed to start without mount restrictions"
    exit 1
fi
profile=`cat /proc/$pid/attr/current`
if [ "x$profile" != "xlxc-container-default (enforce)" ]; then
    echo "FAIL: confined container was in profile $profile"
    exit 1
fi
run_cmd lxc-stop -n $cname

DONE=1