QA Regression Testing

Merge ~georgiag/qa-regression-testing:unpriv_userns_transition into qa-regression-testing:master

Proposed by Georgia Garcia on 2024-02-05

Status:	Merged
Approved by:	Georgia Garcia on 2024-02-08
Approved revision:	35f294b9a9bea9cb577ef3842b29544c56f0e3d0
Merged at revision:	35f294b9a9bea9cb577ef3842b29544c56f0e3d0
Proposed branch:	~georgiag/qa-regression-testing:unpriv_userns_transition
Merge into:	qa-regression-testing:master
Diff against target:	52 lines (+27/-0) 1 file modified scripts/test-apparmor.py (+27/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Alex Murray		2024-02-05	Approve on 2024-02-08
Review via email: mp+460050@code.launchpad.net

Revision history for this message

Alex Murray (alexmurray) wrote on 2024-02-08:

LGTM - tested with apparmor 4.0.0~alpha4-0ubuntu1 for noble.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Georgia Garcia

Steve Beattie

Ubuntu Security Team

 diff --git a/scripts/test-apparmor.py b/scripts/test-apparmor.py
 index 3636f7a..f15491d 100755
 --- a/scripts/test-apparmor.py
 +++ b/scripts/test-apparmor.py
@@ -115,6 +115,8 @@ class ApparmorTest(testlib.TestlibCase, PrivateApparmorTest):
              self.assertEqual(expected, rc, result + report)
              self.cache_dir = report.rstrip()
++        self.restore_unprivileged_userns = False
++
      def tearDown(self):
          '''Clean up after each test_* function'''
          self.user = None
@@ -140,6 +142,11 @@ class ApparmorTest(testlib.TestlibCase, PrivateApparmorTest):
                  shutil.move(bak, p)
                  testlib.cmd(['apparmor_parser', '-R', "/etc/apparmor.d/%s" % os.path.basename(p)])
++        if self.restore_unprivileged_userns:
++            self.restore_unprivileged_userns = False
++            if os.path.exists('/etc/apparmor.d/unprivileged_userns'):
++                testlib.cmd(['apparmor_parser', '-a', '/etc/apparmor.d/unprivileged_userns'])
++
          testlib.config_restore(self.repository_conf)
      def _add_profile(self, profile=None, complain=False):
@@ -1529,6 +1536,26 @@ int __attribute__((constructor)) testlib_func(){
          result = 'Got exit code %d, expected %d\n' % (rc, expected)
          self.assertEqual(expected, rc, result + report)
++        # check if transition to unconfined to unprivileged_userns is available
++        if os.path.isfile('/sys/kernel/security/apparmor/features/namespaces/userns_create'):
++            with open('/sys/kernel/security/apparmor/profiles') as fprofiles:
++                loaded_profiles = fprofiles.read();
++                if 'unprivileged_userns' in loaded_profiles:
++                    self.announce("checking unshare transitions to unprivileged_userns")
++                    rc, report = testlib.cmd(['sudo', '-u', self.user.login, '/usr/bin/unshare', '-U', 'true'])
++                    expected = 0
++                    result = 'Got exit code %d, expected %d\n' % (rc, expected)
++                    self.assertEqual(expected, rc, result + report)
++
++                    # unload unprivileged_userns profile, let tearDown reload
++                    self.announce("remove unprivileged_userns profile")
++                    if os.path.exists('/etc/apparmor.d/unprivileged_userns'):
++                        self.restore_unprivileged_userns=True
++                        testlib.cmd(['apparmor_parser', '-R', '/etc/apparmor.d/unprivileged_userns'])
++                        expected = 0
++                        result = 'Got exit code %d, expected %d\n' % (rc, expected)
++                        self.assertEqual(expected, rc, result + report)
++
          self.announce("checking unshare fails")
          rc, report = testlib.cmd(['sudo', '-u', self.user.login, '/usr/bin/unshare', '-U', 'true'])
          expected = 1

QA Regression Testing

Merge ~georgiag/qa-regression-testing:unpriv_userns_transition into qa-regression-testing:master

Commit message

Description of the change

Preview Diff

Subscribers