Re: [libvirt] Resubmission: [PATCH 4/6] sVirt AppArmor security driver

On Tue, 08 Sep 2009, Jamie Strandboge wrote: > > [PATCH 4] > > patch_4_tests.patch: > > Adds tests for virt-aa-helper and the security driver. secaatest.c is > > identical to seclabeltest.c except it initializes the 'apparmor' driver > > instead of 'selinux'. These tests are integrated into 'make check' and > > pass. > > -- Jamie Strandboge | http://www.canonical.com

diff -Nurp ./libvirt.orig/tests/Makefile.am ./libvirt/tests/Makefile.am --- ./libvirt.orig/tests/Makefile.am 2009-08-17 11:00:40.000000000 -0500 +++ ./libvirt/tests/Makefile.am 2009-09-08 15:32:22.000000000 -0500 @@ -77,6 +77,10 @@ if WITH_SECDRIVER_SELINUX noinst_PROGRAMS += seclabeltest endif +if WITH_SECDRIVER_APPARMOR +noinst_PROGRAMS += secaatest +endif + if WITH_CIL noinst_PROGRAMS += object-locking endif @@ -112,6 +116,9 @@ test_scripts += \ virsh-synopsis endif +if WITH_SECDRIVER_APPARMOR +test_scripts += virt-aa-helper-test +endif EXTRA_DIST += $(test_scripts) TESTS = virshtest \ @@ -138,6 +145,10 @@ if WITH_SECDRIVER_SELINUX TESTS += seclabeltest endif +if WITH_SECDRIVER_APPARMOR +TESTS += secaatest +endif + if WITH_LIBVIRTD noinst_PROGRAMS += eventtest TESTS += eventtest @@ -255,6 +266,14 @@ else EXTRA_DIST += seclabeltest.c endif +if WITH_SECDRIVER_APPARMOR +secaatest_SOURCES = \ + secaatest.c +secaatest_LDADD = ../src/libvirt_driver_security.la $(LDADDS) +else +EXTRA_DIST += secaatest.c +endif + qparamtest_SOURCES = \ qparamtest.c testutils.h testutils.c qparamtest_LDADD = $(LDADDS) diff -Nurp ./libvirt.orig/tests/secaatest.c ./libvirt/tests/secaatest.c --- ./libvirt.orig/tests/secaatest.c 1969-12-31 18:00:00.000000000 -0600 +++ ./libvirt/tests/secaatest.c 2009-09-08 15:32:22.000000000 -0500 @@ -0,0 +1,45 @@ +#include <config.h> + +#include <unistd.h> +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <errno.h> +#include "security.h" + +int +main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) +{ + int ret; + + const char *doi, *model; + virSecurityDriverPtr security_drv; + + ret = virSecurityDriverStartup (&security_drv, "apparmor"); + if (ret == -1) + { + fprintf (stderr, "Failed to start security driver"); + exit (-1); + } + /* No security driver wanted to be enabled: just return */ + if (ret == -2) + return 0; + + model = virSecurityDriverGetModel (security_drv); + if (!model) + { + fprintf (stderr, "Failed to copy secModel model: %s", + strerror (errno)); + exit (-1); + } + + doi = virSecurityDriverGetDOI (security_drv); + if (!doi) + { + fprintf (stderr, "Failed to copy secModel DOI: %s", + strerror (errno)); + exit (-1); + } + + return 0; +} diff -Nurp ./libvirt.orig/tests/virt-aa-helper-test ./libvirt/tests/virt-aa-helper-test --- ./libvirt.orig/tests/virt-aa-helper-test 1969-12-31 18:00:00.000000000 -0600 +++ ./libvirt/tests/virt-aa-helper-test 2009-09-08 15:32:22.000000000 -0500 @@ -0,0 +1,100 @@ +#!/bin/sh +set -e + +output="/dev/null" +use_valgrind="" +ld_library_path="" +if [ ! -z "$1" ] && [ "$1" = "-d" ]; then + output="/dev/stdout" + shift +fi + +exe="../src/virt-aa-helper" +if [ ! -z "$1" ]; then + if [ "$1" = "-v" ]; then + use_valgrind="yes" + exe="./src/.libs/virt-aa-helper" + ld_library_path="./src/.libs" + else + exe="$1" + fi + shift +fi + +if [ ! -x "$exe" ]; then + echo "Could not find '$exe'" + exit 1 +fi + +echo "testing `basename $exe`" >$output +if [ "$use_valgrind" = "yes" ]; then + exe="valgrind --error-exitcode=2 --track-origins=yes $exe" +fi + +extra_args="--dryrun" +errors=0 + +tmpdir=`mktemp -d` +trap "rm -rf $tmpdir" EXIT HUP INT QUIT TERM + +disk1="$tmpdir/1.img" +disk2="$tmpdir/2.img" +relative_disk1="$tmpdir/./../`basename $tmpdir`//./1.img" +nonexistent="$tmpdir/nonexistant.img" +bad_disk="/etc/passwd" +valid_uuid="libvirt-00000000-0000-0000-0000-0123456789ab" +valid_name="foo" +nonexistent_uuid="libvirt-00000000-0000-0000-0000-000000000001" +touch "$disk1" "$disk2" + +testme() { + expected="$1" + outstr="$2" + args="$3" + echo -n " $outstr: " >$output + echo " '$extra_args $args': " >$output + set +e + LD_LIBRARY_PATH="$ld_library_path" $exe $extra_args $args >$output 2>&1 + rc="$?" + set -e + if [ "$rc" = "$expected" ]; then + echo "pass" >$output + else + echo "FAIL: exited with '$rc'" >$output + errors=$(($errors + 1)) + fi +} + +# Expected failures +echo "Expected failures:" >$output +testme "1" "invalid arg" "-z" +testme "1" "invalid case" "-A" +testme "1" "not enough args" "-c" +testme "1" "missing name" "-c -n -u $valid_uuid $disk1" +testme "1" "bad name" "-c -n foo[a-z] -u $valid_uuid $disk1" +testme "1" "no -u with -c" "-c -n $valid_name $disk1" +testme "1" "bad uuid (bad digit)" "-c -n $valid_name -u libvirt-00000000-0000-0000-0000-00000000000g $disk1" +testme "1" "bad uuid (too long)" "-c -n $valid_name -u ${valid_uuid}abcdef $disk1" +testme "1" "bad uuid (too short)" "-c -n $valid_name -u libvirt-00000000-0000-0000-0000-0123456789a $disk1" +testme "1" "missing uuid" "-c -n $valid_name -u $disk1" +testme "1" "no -u with -R" "-R" +testme "1" "non-existent uuid" "-R -u $nonexistent_uuid" +testme "1" "no -u with -r" "-r" +testme "1" "no name with -r" "-r -u $valid_uuid $disk1" +testme "1" "bad disk" "-c -n $valid_name -u $valid_uuid $bad_disk" +testme "1" "bad disk2" "-c -n $valid_name -u $valid_uuid $disk1 $bad_disk $disk2" + +echo "Expected pass:" >$output +testme "0" "create" "-c -n foo -u $valid_uuid $disk1" +testme "0" "create (non-existent disk)" "-c -n foo -u $valid_uuid $nonexistent" +testme "0" "create (relative path)" "-c -n foo -u $valid_uuid $relative_disk1" +testme "0" "replace" "-r -n foo -u $valid_uuid $disk2" +testme "0" "replace (non-existent disk)" "-r -n foo -u $valid_uuid $nonexistent" +testme "0" "help" "-h" + +echo "" >$output +if [ "$errors" != "0" ]; then + echo "FAIL: $errors error(s)" >$output + exit 1 +fi +echo PASS >$output