From 040db79da2c596335f4870842f7595a07faa3c213bc98fc52dee9ec3545bf388 Mon Sep 17 00:00:00 2001 
From: Christian Boltz Date: Tue, 18 Jun 2019 22:31:34 +0000 Subject: [PATCH 1/2] Accepting request 710679 from home:cboltz - update to 2.13.3 - profile updates for dnsmasq, dovecot, identd, syslog-ng - new "lsb_release" profile (only used when using "Px -> lsb_release") - fix buggy syntax in tunables/share - several abstraction updates - parser: fix "Px -> foo-bar" (the "-" was rejected before) - several bugfixes in aa-genprof and aa-logprof - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3 for the detailed upstream changelog - drop upstream(ed) patches: - apparmor-nameservice-resolv-conf-link.patch - profile_filename_cornercase.diff - dnsmasq-libvirtd.diff - dnsmasq-revert-alternation.diff - usrmerge-fixes.diff - libapparmor-swig-4.diff libapparmor: - update to AppArmor 2.13.1 - some fixes in cache handling - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3 for the detailed upstream changelog OBS-URL: https://build.opensuse.org/request/show/710679 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=246 --- apparmor-2.13.2.tar.gz | 3 - apparmor-2.13.2.tar.gz.asc | 17 - apparmor-2.13.3.tar.gz | 3 + apparmor-2.13.3.tar.gz.asc | 17 + apparmor-nameservice-resolv-conf-link.patch | 11 - apparmor.changes | 20 + apparmor.spec | 28 +- dnsmasq-libvirtd.diff | 27 - dnsmasq-revert-alternation.diff | 38 - libapparmor-swig-4.diff | 31 - libapparmor.changes | 8 + libapparmor.spec | 2 +- profile_filename_cornercase.diff | 28 - usrmerge-fixes.diff | 957 -------------------- 14 files changed, 51 insertions(+), 1139 deletions(-) delete mode 100644 apparmor-2.13.2.tar.gz delete mode 100644 apparmor-2.13.2.tar.gz.asc create mode 100644 apparmor-2.13.3.tar.gz create mode 100644 apparmor-2.13.3.tar.gz.asc delete mode 100644 apparmor-nameservice-resolv-conf-link.patch delete mode 100644 dnsmasq-libvirtd.diff delete mode 100644 dnsmasq-revert-alternation.diff delete mode 100644 libapparmor-swig-4.diff delete mode 
100644 profile_filename_cornercase.diff delete mode 100644 usrmerge-fixes.diff
diff --git a/apparmor-2.13.2.tar.gz b/apparmor-2.13.2.tar.gz
deleted file mode 100644
index 92b9d68..0000000
--- a/apparmor-2.13.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:844def9926dfda5c7858428d06e44afc80573f9706458b6e7282edbb40b11a30
-size 7369240
diff --git a/apparmor-2.13.2.tar.gz.asc b/apparmor-2.13.2.tar.gz.asc
deleted file mode 100644
index 698eb7e..0000000
--- a/apparmor-2.13.2.tar.gz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAlwczB8aHGFwcGFybW9y
-QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLtQ7BAAkhe2XlK/VUYTLHDYp9Ku
-v7F8fNsUAl+fAnUBr8zyqHqUDhcJuknE097DO1SIqkqYwn3wm4SC9otEwodHLXpQ
-ruDPLd1id1+440toHDDD0vEJD3AOPTyxrH5Py3OwulZ5AmVdzGiiqy2u57dHucqQ
-wg6ZJqXC+HeiaGWvEeh0vWAVrg/NyLNCHV6nAvYW1QoS/86MkbPJygA2srVWME3n
-EFiTJdHuRUVqAus2a48tGnLmg0jokF8iUK27HBJVYb38md9Ve3483BfUc0eaWDqb
-2x48PK1U3qEw/p7kwhmXKCsMwpFN2+2kjxTYm0htwYwAempKfqDAqdQa3J1C6XLL
-g0x4QtXdIwjdr3/gKyYH5ZoAxSYEfRqA4jRg7jh4mNCsNvdIfhbtexJwiSBQbugw
-5WygriBvHcxeYlWzLVwKfYqsuvZH+MaL+6XKraIzSz1WhooRGXqYCsAksXFNVVeP
-+fAGSsZyC3XRKnj2EGe7vAnpc28vZa+Yg2MUiaAeqldP8/mIjw/v/flABP2BhCB6
-yAa7UrXvheG3cu/RzMGfMVs5fdhMaK49/YR4FL7i/CpLOCLTDeP+wIzQWeObY0CU
-IwhVwz90PZklvEWsUchApzjKLAuEv2avY81Ij47BkPfjcKf3Q2VPTP34uTnw0axT
-RIP58VSpAJmOYwgdcxzph2s=
-=uFF9
------END PGP SIGNATURE-----
diff --git a/apparmor-2.13.3.tar.gz b/apparmor-2.13.3.tar.gz
new file mode 100644
index 0000000..c82a7fc
--- /dev/null
+++ b/apparmor-2.13.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:267053234c68cdb122c5294d7c276b6e2f5fa7e75c6c2d23e3ce69f95d9a7639
+size 7384974
diff --git a/apparmor-2.13.3.tar.gz.asc b/apparmor-2.13.3.tar.gz.asc
new file mode 100644
index 0000000..089036e
--- /dev/null
+++ b/apparmor-2.13.3.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJOBAABCgA4FiEEPs3Lpfs00lSWHMU/ZonmTj02ZLsFAl0IkgAaHGFwcGFybW9y
+QGxpc3RzLnVidW50dS5jb20ACgkQZonmTj02ZLszZQ/8D1nea3CtBqCN3u2nsfVi
+DLCuE41lGgVwHamnJLcoW80+98udq1OqJfudN47bg3593C/C8AvWElthgfXCnlFc
+y6Njcc6qyJWbx0eEcIu/SlmuclqC1ukbbdj5nNEhwDGxtahrUSdWvM4suQm8dCSi
+zGAJRm4Tc7I63Vy4SDc7ibRtix6SmxwyZHlGpdiuz3ShqR45Tqyrs2gkmT2oj93E
+1VSaQrEGNVmQMXBmpw45WgVjz3DlakT4FfHqvmnPqrg1qEhdpZE+U0NzwOU987QS
+o4gdR3foumY6KpzD5BbXxl3blqeBw38hILMOq8lJ8Zsq9hrUPbcySBYyvr85yBu0
+MDDgrzexUBYbko2rIKY4CmOuswx/pYznqssErujEkEUKHMgAdJX2z7TC25AMQjF6
+ISvjZiCyHP5+vUqa7ym0CCiGNaOIENqRc4lmmwONOMSdBmvnrwiZewJA8Mmlei+G
++v5Vr2c8H8EJh3D2eWuYg/At2COhFvJpAh04qJ3btPylY3rprn98SnYlw/TmbljR
+upxaYs8I72WI8yX9Ty7fDBN92O+3zxxUM9dAeIXSFiLuQXrYcVx1d/ILTsLuogM/
+OwFOQeHzDCNwNMVwYvQ1jDhu7/fZlmJZk0c9OLK+ZppXD05Hy4bfGNx4GbgQr6aX
+IsT+gbT2AkIFO33V56KZVIo=
+=Favj
+-----END PGP SIGNATURE-----
diff --git a/apparmor-nameservice-resolv-conf-link.patch b/apparmor-nameservice-resolv-conf-link.patch
deleted file mode 100644
index 95987ac..0000000
--- a/apparmor-nameservice-resolv-conf-link.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- apparmor-2.13/profiles/apparmor.d/abstractions/nameservice
-+++ apparmor-2.13/profiles/apparmor.d/abstractions/nameservice
-@@ -39,7 +39,7 @@
- /etc/resolv.conf r,
- # On systems where /etc/resolv.conf is managed programmatically, it is
- # a symlink to /{,var/}run/(whatever program is managing it)/resolv.conf.
-- /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman}/resolv.conf r,
-+ /{,var/}run/{resolvconf,NetworkManager,systemd/resolve,connman,netconfig}/resolv.conf r,
- /etc/resolvconf/run/resolv.conf r,
- /{,var/}run/systemd/resolve/stub-resolv.conf r,
-
diff --git a/apparmor.changes b/apparmor.changes
index 2e15c35..dc15b89 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Tue Jun 18 20:51:07 UTC 2019 - Christian Boltz + +- update to 2.13.3 + - profile updates for dnsmasq, dovecot, identd, syslog-ng + - new "lsb_release" profile (only used when using "Px -> lsb_release") + - fix buggy syntax in tunables/share + - several abstraction updates + - parser: fix "Px -> foo-bar" (the "-" was rejected before) + - several bugfixes in aa-genprof and aa-logprof + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3 + for the detailed upstream changelog +- drop upstream(ed) patches: + - apparmor-nameservice-resolv-conf-link.patch + - profile_filename_cornercase.diff + - dnsmasq-libvirtd.diff + - dnsmasq-revert-alternation.diff + - usrmerge-fixes.diff + - libapparmor-swig-4.diff + ------------------------------------------------------------------- Wed Jun 5 11:36:25 UTC 2019 - Christian Boltz diff --git a/apparmor.spec b/apparmor.spec index fcd54d7..765ee95 100644 --- a/apparmor.spec +++ b/apparmor.spec @@ -35,7 +35,7 @@ %define apache_module_path %(/usr/sbin/apxs2 -q LIBEXECDIR) Name: apparmor -Version: 2.13.2 +Version: 2.13.3 Release: 0 Summary: AppArmor userlevel parser utility License: GPL-2.0-or-later 
@@ -62,28 +62,9 @@ Patch5: ruby-2_0-mkmf-destdir.patch # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21) Patch7: apparmor-lessopen-profile.patch -# fate#325872 netconfig: write resolv.conf to /run with link to /etc - submitted upstream 2018-12-22 https://gitlab.com/apparmor/apparmor/merge_requests/294 -Patch8: apparmor-nameservice-resolv-conf-link.patch - -# drop check that lets aa-logprof error out in a corner-case (log event for a non-existing profile while a profile file with the default filename for that non-existing profile exists) - boo#1120472 -# submitted upstream 2019-01-02 - https://gitlab.com/apparmor/apparmor/merge_requests/296 (master + 2.13) and https://gitlab.com/apparmor/apparmor/merge_requests/297 (2.12) -Patch9: profile_filename_cornercase.diff - # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix) Patch10: apparmor-lessopen-nfs-workaround.diff -# add peer=libvirtd to dnsmasq profile (from upstream 20fe099cede7cb5ec7dcf62a5427936766a6d4e4) -Patch11: dnsmasq-libvirtd.diff - -# revert path alternation in dnsmasq profile to avoid breaking libvirtd (boo#1127073, submitted upstream 2019-02-26 as https://gitlab.com/apparmor/apparmor/merge_requests/346) -Patch12: dnsmasq-revert-alternation.diff - -# fix usrmerge (and accidently also update-alternatives) test failures (boo#1127877, from upstream https://gitlab.com/apparmor/apparmor/merge_requests/331) -Patch13: usrmerge-fixes.diff - -# fix libapparmor tests with swig 4.0 (from upstream https://gitlab.com/apparmor/apparmor/merge_requests/384) -Patch14: libapparmor-swig-4.diff - PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build %define apparmor_bin_prefix /lib/apparmor @@ -371,13 +352,7 @@ SubDomain. %patch2 %patch5 -p1 %patch7 -%patch8 -p1 -%patch9 -p1 %patch10 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 %build %define _lto_cflags %{nil} 
@@ -609,6 +584,7 @@ fi %config(noreplace) %{_sysconfdir}/apparmor.d/bin.* %config(noreplace) %{_sysconfdir}/apparmor.d/sbin.* %config(noreplace) %{_sysconfdir}/apparmor.d/usr.* +%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release %config(noreplace) %{_sysconfdir}/apparmor.d/nvidia_modprobe %config(noreplace) %{_sysconfdir}/apparmor.d/local/* %dir /usr/share/apparmor/ diff --git a/dnsmasq-libvirtd.diff b/dnsmasq-libvirtd.diff deleted file mode 100644 index b6fa17c..0000000 --- a/dnsmasq-libvirtd.diff +++ /dev/null @@ -1,27 +0,0 @@ -commit 20fe099cede7cb5ec7dcf62a5427936766a6d4e4 -Author: Christian Boltz -Date: Sun Jan 13 17:38:09 2019 +0100 - - dnsmasq: allow peer=libvirtd to support named profile - - The /usr/sbin/libvirtd profile will get a profile name ("libvirtd"). - - This patch adjusts the dnsmasq profile to support the named profile in - addition to the "old" path-based profile name. - - References: https://bugzilla.opensuse.org/show_bug.cgi?id=1118952#c3 - -diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq -index a308e3f7..2627f6d6 100644 ---- a/profiles/apparmor.d/usr.sbin.dnsmasq -+++ b/profiles/apparmor.d/usr.sbin.dnsmasq -@@ -28,7 +28,9 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { - network inet6 raw, - - signal (receive) peer=/usr/{bin,sbin}/libvirtd, -+ signal (receive) peer=libvirtd, - ptrace (readby) peer=/usr/{bin,sbin}/libvirtd, -+ ptrace (readby) peer=libvirtd, - - owner /dev/tty rw, - diff --git a/dnsmasq-revert-alternation.diff b/dnsmasq-revert-alternation.diff deleted file mode 100644 index 689d734..0000000 --- a/dnsmasq-revert-alternation.diff +++ /dev/null 
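Review bot: The new `%config(noreplace) %{_sysconfdir}/apparmor.d/lsb_release` entry is added without a comment, so the %files list does not say why this one profile is listed by name next to the `bin.*`/`sbin.*`/`usr.*` globs. The changelog in this commit describes it as a profile that is only used via `Px -> lsb_release`; a line above the entry such as `# lsb_release: only used when a profile transitions with "Px -> lsb_release" (new in 2.13.3)` would record that. As with the neighbouring entries, `noreplace` means a locally modified copy is kept on upgrade and the packaged version is written as `.rpmnew`, so later fixes to this profile will not reach hosts that edited it in place. The %files section begins and ends outside this hunk.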
@@ -1,38 +0,0 @@ -commit 4b9a07eb9be98c56a622379ba2055f0f9d5dce30 -Author: Christian Boltz -Date: Tue Feb 26 21:05:16 2019 +0100 - - Revert /usr/{bin,sbin}/ alternation in dnsmasq profile - - Even if we expected it to stay compatible with peer=/usr/sbin/dnsmasq in - the libvirtd profile, practise shows that we were wrong. - - This patch reverts the profile name to /usr/sbin/dnsmasq, and re-adds - the libvirtd peer name /usr/sbin/libvirtd to avoid breaking libvirtd. - - References: https://bugzilla.opensuse.org/show_bug.cgi?id=1127073 - -diff --git a/profiles/apparmor.d/usr.sbin.dnsmasq b/profiles/apparmor.d/usr.sbin.dnsmasq -index 3f66a17e..2dc8902e 100644 ---- a/profiles/apparmor.d/usr.sbin.dnsmasq -+++ b/profiles/apparmor.d/usr.sbin.dnsmasq -@@ -12,7 +12,7 @@ - @{TFTP_DIR}=/var/tftp /srv/tftpboot - - #include --/usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) { -+/usr/sbin/dnsmasq flags=(attach_disconnected) { - #include - #include - #include -@@ -28,8 +28,10 @@ - network inet6 raw, - - signal (receive) peer=/usr/{bin,sbin}/libvirtd, -+ signal (receive) peer=/usr/sbin/libvirtd, - signal (receive) peer=libvirtd, - ptrace (readby) peer=/usr/{bin,sbin}/libvirtd, -+ ptrace (readby) peer=/usr/sbin/libvirtd, - ptrace (readby) peer=libvirtd, - - owner /dev/tty rw, diff --git a/libapparmor-swig-4.diff b/libapparmor-swig-4.diff deleted file mode 100644 index 83736fc..0000000 --- a/libapparmor-swig-4.diff +++ /dev/null @@ -1,31 +0,0 @@ -commit a6ac6f4cfcc3d4fe1064087389004c3cc8b41207 -Author: John Johansen -Date: Tue Jun 4 13:16:43 2019 -0700 - - libapparmor python: Fix 'aa_log_record' object has no attribute '__getattr__' - - When building with swig 4 we are seeing the error - - AttributeError: 'aa_log_record' object has no attribute '__getattr__' - - Which forces swig to use modern classes which do not generate __getattr__ - methods. - - issue: https://gitlab.com/apparmor/apparmor/issues/33 - Acked-by: Seth Arnold - Acked-by: Steve Beattie - 
Signed-off-by: John Johansen - -diff --git a/libraries/libapparmor/swig/python/test/test_python.py.in b/libraries/libapparmor/swig/python/test/test_python.py.in -index 54bd70a9..75c71415 100644 ---- a/libraries/libapparmor/swig/python/test/test_python.py.in -+++ b/libraries/libapparmor/swig/python/test/test_python.py.in -@@ -109,7 +109,7 @@ class AAPythonBindingsTests(unittest.TestCase): - - new_record = dict() - for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]: -- value = record.__getattr__(key) -+ value = getattr(record, key) - if key == "event" and value in EVENT_MAP: - new_record[key] = EVENT_MAP[value] - elif key == "version": diff --git a/libapparmor.changes b/libapparmor.changes index 98212bb..73832ec 100644 --- a/libapparmor.changes +++ b/libapparmor.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Jun 18 20:50:19 UTC 2019 - Christian Boltz + +- update to AppArmor 2.13.1 + - some fixes in cache handling + - see https://gitlab.com/apparmor/apparmor/wikis/Release_Notes_2.13.3 + for the detailed upstream changelog + ------------------------------------------------------------------- Tue Apr 23 11:34:08 UTC 2019 - Martin Liška diff --git a/libapparmor.spec b/libapparmor.spec index d974f2a..969ea58 100644 --- a/libapparmor.spec +++ b/libapparmor.spec @@ -18,7 +18,7 @@ Name: libapparmor -Version: 2.13.2 +Version: 2.13.3 Release: 0 Summary: Utility library for AppArmor License: LGPL-2.1-or-later diff --git a/profile_filename_cornercase.diff b/profile_filename_cornercase.diff deleted file mode 100644 index 738b216..0000000 --- a/profile_filename_cornercase.diff +++ /dev/null 
@@ -1,28 +0,0 @@ -diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py -index f0961d93..50e842b2 100644 ---- a/utils/apparmor/logparser.py -+++ b/utils/apparmor/logparser.py -@@ -13,7 +13,6 @@ - # - # ---------------------------------------------------------------------- - import ctypes --import os - import re - import sys - import time -@@ -449,14 +448,7 @@ class ReadLog: - # Check cache of profiles - if self.active_profiles.filename_from_profile_name(program): - return True -- # Check the disk for profile -- prof_path = self.get_profile_filename(program) -- #print(prof_path) -- if os.path.isfile(prof_path): -- # Add to cache of profile -- raise AppArmorBug('This should never happen, please open a bugreport!') -- # self.active_profiles[program] = prof_path -- # return True -+ - return False - - def get_profile_filename(self, profile): diff --git a/usrmerge-fixes.diff b/usrmerge-fixes.diff deleted file mode 100644 index 2b95d56..0000000 --- a/usrmerge-fixes.diff +++ /dev/null @@ -1,957 +0,0 @@ -commit f75ec6fef6de26c0c9da8ecda4d28510720b52f3 -Author: Steve Beattie -Date: Wed Feb 13 16:57:52 2019 +0000 - - usr merge fixups - - Debian and Ubuntu have releases coming out with usr-merge in place. For - these systems, /bin and /sbin are symlinks to their respective /usr - directories. This breaks a few tests in the python utils and in the - regression tests. This patch series fixes them, mostly by performing - realpath() calls when necessary. For the ptrace regression test, - it copies the called /bin/true binary into the created temporary - directory and executes it from there. (Good for other reasons, too.) - - (cherry picked from commit b4ab8476e4721b922d2de193b9203bba0c192bf9) - 
Signed-off-by: Steve Beattie - Acked-by: John Johansen - MR: https://gitlab.com/apparmor/apparmor/merge_requests/331 - -diff --git a/tests/regression/apparmor/mkprofile.pl b/tests/regression/apparmor/mkprofile.pl -index 7ca5ef12..6b192406 100755 ---- a/tests/regression/apparmor/mkprofile.pl -+++ b/tests/regression/apparmor/mkprofile.pl -@@ -132,10 +132,10 @@ sub gen_binary($) { - my $hashbang = head($bin); - if ($hashbang && $hashbang =~ /^#!\s*(\S+)/) { - my $interpreter = $1; -- gen_file("$interpreter:rix"); -+ gen_file(realpath($interpreter) . ":rix"); - gen_elf_binary($interpreter); - } else { -- gen_elf_binary($bin) -+ gen_elf_binary(realpath($bin)) - } - } - -diff --git a/tests/regression/apparmor/ptrace.sh b/tests/regression/apparmor/ptrace.sh -index c3363479..320d65e8 100755 ---- a/tests/regression/apparmor/ptrace.sh -+++ b/tests/regression/apparmor/ptrace.sh -@@ -30,26 +30,29 @@ bin=$pwd - - helper=$pwd/ptrace_helper - -+bin_true=${tmpdir}/true -+cp -pL /bin/true ${tmpdir}/true -+ - # -n number of syscalls to perform - # -c have the child call ptrace_me, else parent does ptrace_attach - # -h transition child to ptrace_helper before doing ptrace (used to test - # x transitions with ptrace) - # test base line of unconfined tracing unconfined --runchecktest "test 1" pass -n 100 /bin/true --runchecktest "test 1 -c" pass -c -n 100 /bin/true -+runchecktest "test 1" pass -n 100 ${bin_true} -+runchecktest "test 1 -c" pass -c -n 100 ${bin_true} - runchecktest "test 1 -h" pass -h -n 100 $helper - runchecktest "test 1 -hc" pass -h -c -n 100 $helper --runchecktest "test 1 -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 1 -hc prog" pass -h -c -n 100 $helper /bin/true -+runchecktest "test 1 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 1 -hc prog" pass -h -c -n 100 $helper ${bin_true} - - # test that unconfined can ptrace before profile attaches --genprofile image=/bin/true signal:ALL --runchecktest "test 2" pass -n 100 /bin/true 
--runchecktest "test 2 -c" pass -c -n 100 /bin/true -+genprofile image=${bin_true} signal:ALL -+runchecktest "test 2" pass -n 100 ${bin_true} -+runchecktest "test 2 -c" pass -c -n 100 ${bin_true} - runchecktest "test 2 -h" pass -h -n 100 $helper - runchecktest "test 2 -hc" pass -h -c -n 100 $helper --runchecktest "test 2 -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper /bin/true -+runchecktest "test 2 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 2 -hc prog" pass -h -c -n 100 $helper ${bin_true} - - - if [ "$(kernel_features ptrace)" == "true" -a "$(parser_supports 'ptrace,')" == "true" ] ; then -diff --git a/tests/regression/apparmor/ptrace_v5.inc b/tests/regression/apparmor/ptrace_v5.inc -index 56833667..4a692402 100644 ---- a/tests/regression/apparmor/ptrace_v5.inc -+++ b/tests/regression/apparmor/ptrace_v5.inc -@@ -13,133 +13,133 @@ - genprofile image=$helper - runchecktest "test 3 -h" pass -h -n 100 $helper - runchecktest "test 3 -hc " pass -h -c -n 100 $helper --# can't exec /bin/true so fail --runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true --runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true -+# can't exec ${bin_true} so fail -+runchecktest "test 3 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper ${bin_true} - - # lack of 'r' perm is currently not working - genprofile image=$helper $helper:ix - runchecktest "test 4 -h" pass -h -n 100 $helper - runchecktest "test 4 -hc " pass -h -c -n 100 $helper --# can't exec /bin/true so fail --runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true --runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true -+# can't exec ${bin_true} so fail -+runchecktest "test 4 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper ${bin_true} - - genprofile image=$helper $helper:rix - runchecktest "test 5 -h" pass -h 
-n 100 $helper - runchecktest "test 5 -hc " pass -h -c -n 100 $helper --# can't exec /bin/true so fail --runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true --runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true -+# can't exec ${bin_true} so fail -+runchecktest "test 5 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper ${bin_true} - --genprofile image=$helper $helper:ix /bin/true:rix -+genprofile image=$helper $helper:ix ${bin_true}:rix - runchecktest "test 6 -h" pass -h -n 100 $helper - runchecktest "test 6 -hc " pass -h -c -n 100 $helper --runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true -+runchecktest "test 6 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper ${bin_true} - - #traced child can ptrace_me to unconfined have unconfined trace them --genprofile image=/bin/true --runchecktest "test 7" pass -n 100 /bin/true -+genprofile image=${bin_true} -+runchecktest "test 7" pass -n 100 ${bin_true} - # pass - ptrace_attach is done in unconfined helper --runchecktest "test 7 -c " pass -c -n 100 /bin/true -+runchecktest "test 7 -c " pass -c -n 100 ${bin_true} - runchecktest "test 7 -h" pass -h -n 100 $helper - # pass - ptrace_attach is done in unconfined helper - runchecktest "test 7 -hc " pass -h -c -n 100 $helper --runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true -+runchecktest "test 7 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper ${bin_true} - --genprofile image=$helper $helper:ix /bin/true:rix --runchecktest "test 7a" pass -n 100 /bin/true -+genprofile image=$helper $helper:ix ${bin_true}:rix -+runchecktest "test 7a" pass -n 100 ${bin_true} - # pass - ptrace_attach is allowed from confined process to unconfined 
--runchecktest "test 7a -c " pass -c -n 100 /bin/true -+runchecktest "test 7a -c " pass -c -n 100 ${bin_true} - runchecktest "test 7a -h" pass -h -n 100 $helper - # pass - ptrace_attach is allowed from confined process to unconfined - runchecktest "test 7a -hc " pass -h -c -n 100 $helper --runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true -+runchecktest "test 7a -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper ${bin_true} - - #traced helper from unconfined --genprofile image=$helper $helper:ix /bin/true:rpx -- image=/bin/true --runchecktest "test 8" pass -n 100 /bin/true -+genprofile image=$helper $helper:ix ${bin_true}:rpx -- image=${bin_true} -+runchecktest "test 8" pass -n 100 ${bin_true} - # pass - ptrace_attach is done before exec --runchecktest "test 8 -c " pass -c -n 100 /bin/true -+runchecktest "test 8 -c " pass -c -n 100 ${bin_true} - runchecktest "test 8 -h" pass -h -n 100 $helper - runchecktest "test 8 -hc " pass -h -c -n 100 $helper - # pass - can px if tracer can ptrace target --runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true -+runchecktest "test 8 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper ${bin_true} - - #traced helper from unconfined --genprofile image=$helper $helper:ix /bin/true:rux -- image=/bin/true --runchecktest "test 9" pass -n 100 /bin/true -+genprofile image=$helper $helper:ix ${bin_true}:rux -- image=${bin_true} -+runchecktest "test 9" pass -n 100 ${bin_true} - # pass - ptrace_attach is done before exec --runchecktest "test 9 -c " pass -c -n 100 /bin/true -+runchecktest "test 9 -c " pass -c -n 100 ${bin_true} - runchecktest "test 9 -h" pass -h -n 100 $helper - runchecktest "test 9 -hc " pass -h -c -n 100 $helper - # pass - can ux if tracer can ptrace target 
--runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true -+runchecktest "test 9 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper ${bin_true} - - genprofile - # fail due to no exec permission --runchecktest "test 10" fail -n 100 /bin/true --runchecktest "test 10 -c" fail -c -n 100 /bin/true -+runchecktest "test 10" fail -n 100 ${bin_true} -+runchecktest "test 10 -c" fail -c -n 100 ${bin_true} - runchecktest "test 10 -h" fail -h -n 100 $helper - runchecktest "test 10 -hc" fail -h -c -n 100 $helper --runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true --runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true -+runchecktest "test 10 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper ${bin_true} - --genprofile /bin/true:ix $helper:ix -+genprofile ${bin_true}:ix $helper:ix - # fail due to missing r permission --#runchecktest "test 11" fail -n 100 /bin/true --#runchecktest "test 11 -c" fail -c -n 100 /bin/true -+#runchecktest "test 11" fail -n 100 ${bin_true} -+#runchecktest "test 11 -c" fail -c -n 100 ${bin_true} - #runchecktest "test 11 -h" fail -h -n 100 $helper - #runchecktest "test 11 -hc" fail -h -c -n 100 $helper --#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true --#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true -+#runchecktest "test 11 -h prog" fail -h -n 100 $helper ${bin_true} -+#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper ${bin_true} - - # pass allowed to ix self --genprofile /bin/true:rix $helper:rix --runchecktest "test 12" pass -n 100 /bin/true --runchecktest "test 12 -c" pass -c -n 100 /bin/true -+genprofile ${bin_true}:rix $helper:rix -+runchecktest "test 12" pass -n 100 ${bin_true} -+runchecktest "test 12 -c" pass -c -n 100 ${bin_true} - runchecktest "test 12 -h" pass -h -n 100 $helper - runchecktest 
"test 12 -hc" pass -h -c -n 100 $helper --runchecktest "test 12 -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper /bin/true -+runchecktest "test 12 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 12 -hc prog" pass -h -c -n 100 $helper ${bin_true} - - #ptraced confined app can't px - fails to unset profile --genprofile image=$helper $helper:rix /bin/true:rpx --runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true --runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true -+genprofile image=$helper $helper:rix ${bin_true}:rpx -+runchecktest "test 13 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper ${bin_true} - - - #ptraced confined app can ux - if the tracer is unconfined - # --genprofile image=$helper $helper:rix /bin/true:rux --runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true --runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true -+genprofile image=$helper $helper:rix ${bin_true}:rux -+runchecktest "test 14a -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper ${bin_true} - #ptraced confined app can't ux - if the tracer can't trace unconfined --genprofile $helper:rpx -- image=$helper $helper:rix /bin/true:rux --runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true --runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true -+genprofile $helper:rpx -- image=$helper $helper:rix ${bin_true}:rux -+runchecktest "test 14b -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper ${bin_true} - - #confined app can't ptrace an unconfined app - genprofile $helper:rux - runchecktest "test 15 -h" fail -h -n 100 $helper --runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true -+runchecktest "test 15 -h prog" fail -h -n 100 $helper ${bin_true} - #an unconfined app can't ask a 
confined app to trace it
- runchecktest "test 15 -hc" fail -h -c -n 100 $helper
--runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #confined app can't ptrace an app confined by a different profile
- genprofile $helper:rpx -- image=$helper
- runchecktest "test 15 -h" fail -h -n 100 $helper
--runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15 -h prog" fail -h -n 100 $helper ${bin_true}
- #a confined app can't ask another confined app with a different profile to
- #trace it
- runchecktest "test 15 -hc" fail -h -c -n 100 $helper
--runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
-
-
-diff --git a/tests/regression/apparmor/ptrace_v6.inc b/tests/regression/apparmor/ptrace_v6.inc
-index 37781551..b0cf983a 100644
---- a/tests/regression/apparmor/ptrace_v6.inc
-+++ b/tests/regression/apparmor/ptrace_v6.inc
-@@ -25,186 +25,186 @@ genprofile image=$helper signal:ALL ptrace:tracedby:peer=unconfined
-
- runchecktest "test 3 -h" pass -h -n 100 $helper
- runchecktest "test 3 -hc " pass -h -c -n 100 $helper
--# can't exec /bin/true so fail
--runchecktest "test 3 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 3 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- # lack of 'r' perm is currently not working
- genprofile image=$helper $helper:ix signal:ALL
- runchecktest "test 4 -h" pass -h -n 100 $helper
- runchecktest "test 4 -hc " pass -h -c -n 100 $helper
--# can't exec /bin/true so fail
--runchecktest "test 4 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 4 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- genprofile image=$helper $helper:rix signal:ALL
- runchecktest "test 5 -h" pass -h -n 100 $helper
- runchecktest "test 5 -hc " pass -h -c -n 100 $helper
--# can't exec /bin/true so fail
--runchecktest "test 5 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper /bin/true
-+# can't exec ${bin_true} so fail
-+runchecktest "test 5 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
--genprofile image=$helper $helper:ix /bin/true:rix signal:ALL
-+genprofile image=$helper $helper:ix ${bin_true}:rix signal:ALL
- runchecktest "test 6 -h" pass -h -n 100 $helper
- runchecktest "test 6 -hc " pass -h -c -n 100 $helper
--runchecktest "test 6 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 6 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 6 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-
- #traced child can ptrace_me to unconfined have unconfined trace them
--genprofile image=/bin/true signal:ALL
--runchecktest "test 7" pass -n 100 /bin/true
-+genprofile image=${bin_true} signal:ALL
-+runchecktest "test 7" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done in unconfined helper
--runchecktest "test 7 -c " pass -c -n 100 /bin/true
-+runchecktest "test 7 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 7 -h" pass -h -n 100 $helper
- # pass - ptrace_attach is done in unconfined helper
- runchecktest "test 7 -hc " pass -h -c -n 100 $helper
--runchecktest "test 7 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 7 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 7 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-
--genprofile image=$helper $helper:ix /bin/true:rix signal:ALL
--runchecktest "test 7a" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rix signal:ALL
-+runchecktest "test 7a" pass -n 100 ${bin_true}
- # pass - ptrace_attach is allowed from confined process to unconfined
--runchecktest "test 7a -c " pass -c -n 100 /bin/true
-+runchecktest "test 7a -c " pass -c -n 100 ${bin_true}
- runchecktest "test 7a -h" pass -h -n 100 $helper
- # pass - ptrace_attach is allowed from confined process to unconfined
- runchecktest "test 7a -hc " pass -h -c -n 100 $helper
--runchecktest "test 7a -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 7a -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 7a -hc prog" pass -h -c -n 100 $helper ${bin_true}
-
- #traced helper from unconfined
--genprofile image=$helper $helper:ix /bin/true:rpx signal:ALL -- image=/bin/true signal:ALL
--runchecktest "test 8" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rpx signal:ALL -- image=${bin_true} signal:ALL
-+runchecktest "test 8" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done before exec
--runchecktest "test 8 -c " pass -c -n 100 /bin/true
-+runchecktest "test 8 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 8 -h" pass -h -n 100 $helper
- runchecktest "test 8 -hc " pass -h -c -n 100 $helper
- # pass - can px if tracer can ptrace target
--runchecktest "test 8 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 8 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 8 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-
- #traced helper from unconfined
--genprofile image=$helper $helper:ix /bin/true:rux signal:ALL -- image=/bin/true signal:ALL
--runchecktest "test 9" pass -n 100 /bin/true
-+genprofile image=$helper $helper:ix ${bin_true}:rux signal:ALL -- image=${bin_true} signal:ALL
-+runchecktest "test 9" pass -n 100 ${bin_true}
- # pass - ptrace_attach is done before exec
--runchecktest "test 9 -c " pass -c -n 100 /bin/true
-+runchecktest "test 9 -c " pass -c -n 100 ${bin_true}
- runchecktest "test 9 -h" pass -h -n 100 $helper
- runchecktest "test 9 -hc " pass -h -c -n 100 $helper
- # pass - can ux if tracer can ptrace target
--runchecktest "test 9 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper /bin/true
-+runchecktest "test 9 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 9 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-
- genprofile signal:ALL
- # fail due to no exec permission
--runchecktest "test 10" fail -n 100 /bin/true
--runchecktest "test 10 -c" fail -c -n 100 /bin/true
-+runchecktest "test 10" fail -n 100 ${bin_true}
-+runchecktest "test 10 -c" fail -c -n 100 ${bin_true}
- runchecktest "test 10 -h" fail -h -n 100 $helper
- runchecktest "test 10 -hc" fail -h -c -n 100 $helper
--runchecktest "test 10 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 10 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 10 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
--genprofile /bin/true:ix $helper:ix signal:ALL
-+genprofile ${bin_true}:ix $helper:ix signal:ALL
- # fail due to missing r permission
--#runchecktest "test 11" fail -n 100 /bin/true
--#runchecktest "test 11 -c" fail -c -n 100 /bin/true
-+#runchecktest "test 11" fail -n 100 ${bin_true}
-+#runchecktest "test 11 -c" fail -c -n 100 ${bin_true}
- #runchecktest "test 11 -h" fail -h -n 100 $helper
- #runchecktest "test 11 -hc" fail -h -c -n 100 $helper
--#runchecktest "test 11 -h prog" fail -h -n 100 $helper /bin/true
--#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper /bin/true
-+#runchecktest "test 11 -h prog" fail -h -n 100 $helper ${bin_true}
-+#runchecktest "test 11 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- # fail was pass in v5 allowed to ix self
--genprofile /bin/true:rix $helper:rix signal:ALL
--runchecktest "test 12" fail -n 100 /bin/true
--runchecktest "test 12 -c" fail -c -n 100 /bin/true
-+genprofile ${bin_true}:rix $helper:rix signal:ALL
-+runchecktest "test 12" fail -n 100 ${bin_true}
-+runchecktest "test 12 -c" fail -c -n 100 ${bin_true}
- runchecktest "test 12 -h" fail -h -n 100 $helper
- runchecktest "test 12 -hc" fail -h -c -n 100 $helper
--runchecktest "test 12 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 12 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 12 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 12 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #ptraced confined app traced by unconfined can px
--genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL -- image=/bin/true /bin/true:rix
--runchecktest "test 13u -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 13u -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rpx signal:ALL -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13u -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13u -hc prog" pass -h -c -n 100 $helper ${bin_true}
-
- #ptraced confined app traced by profile without ptrace on targeted can't px
--genprofile /bin/true:rpx signal:ALL -- image=/bin/true /bin/true:rix
--runchecktest "test 13 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile ${bin_true}:rpx signal:ALL -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
-
- #ptraced confined app can ux - if the tracer is unconfined
- #
--genprofile image=$helper $helper:rix /bin/true:rux signal:ALL
--runchecktest "test 14a -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14a -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 14a -hc prog" pass -h -c -n 100 $helper ${bin_true}
- #ptraced confined app can't ux - if the tracer can't trace unconfined
--genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
--runchecktest "test 14b -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14b -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 14b -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #confined app can't ptrace an unconfined app
- genprofile $helper:rux signal:ALL
- runchecktest "test 15 -h" fail -h -n 100 $helper
--runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15 -h prog" fail -h -n 100 $helper ${bin_true}
- #an unconfined app can't ask a confined app to trace it
- runchecktest "test 15 -hc" fail -h -c -n 100 $helper
--runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #confined app can't ptrace an app confined by a different profile
- genprofile $helper:rpx signal:ALL -- image=$helper signal:ALL
- runchecktest "test 15 -h" fail -h -n 100 $helper
--runchecktest "test 15 -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15 -h prog" fail -h -n 100 $helper ${bin_true}
- #a confined app can't ask another confined app with a different profile to
- #trace it
- runchecktest "test 15 -hc" fail -h -c -n 100 $helper
--runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- ################### cap:sys_ptrace doesn't change results from above ##########################
- # fail was pass in v5 allowed to ix self
--genprofile /bin/true:rix $helper:rix signal:ALL cap:sys_ptrace
--runchecktest "test 12c" fail -n 100 /bin/true
--runchecktest "test 12c -c" fail -c -n 100 /bin/true
-+genprofile ${bin_true}:rix $helper:rix signal:ALL cap:sys_ptrace
-+runchecktest "test 12c" fail -n 100 ${bin_true}
-+runchecktest "test 12c -c" fail -c -n 100 ${bin_true}
- runchecktest "test 12c -h" fail -h -n 100 $helper
- runchecktest "test 12c -hc" fail -h -c -n 100 $helper
--runchecktest "test 12c -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 12c -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 12c -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 12c -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #ptraced confined app traced by unconfined can px
--genprofile image=$helper $helper:rix /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true /bin/true:rix cap:sys_ptrace
--runchecktest "test 13cu -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 13cu -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rpx signal:ALL cap:sys_ptrace -- image=${bin_true} ${bin_true}:rix cap:sys_ptrace
-+runchecktest "test 13cu -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13cu -hc prog" pass -h -c -n 100 $helper ${bin_true}
-
- #ptraced confined app traced by profile without ptrace on targeted can't px
--genprofile /bin/true:rpx signal:ALL cap:sys_ptrace -- image=/bin/true /bin/true:rix cap:sys_ptrace
--runchecktest "test 13c -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13c -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile ${bin_true}:rpx signal:ALL cap:sys_ptrace -- image=${bin_true} ${bin_true}:rix cap:sys_ptrace
-+runchecktest "test 13c -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13c -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
-
- #ptraced confined app can ux - if the tracer is unconfined
- #
--genprofile image=$helper $helper:rix /bin/true:rux signal:ALL cap:sys_ptrace
--runchecktest "test 14ca -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 14ca -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rux signal:ALL cap:sys_ptrace
-+runchecktest "test 14ca -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 14ca -hc prog" pass -h -c -n 100 $helper ${bin_true}
- #ptraced confined app can't ux - if the tracer can't trace unconfined
--genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
--runchecktest "test 14cb -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 14cb -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14cb -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 14cb -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #confined app can't ptrace an unconfined app
- genprofile $helper:rux signal:ALL cap:sys_ptrace
- runchecktest "test 15c -h" fail -h -n 100 $helper
--runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15c -h prog" fail -h -n 100 $helper ${bin_true}
- #an unconfined app can't ask a confined app to trace it
- runchecktest "test 15c -hc" fail -h -c -n 100 $helper
--runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #confined app can't ptrace an app confined by a different profile
- genprofile $helper:rpx signal:ALL cap:sys_ptrace -- image=$helper signal:ALL cap:sys_ptrace
- runchecktest "test 15c -h" fail -h -n 100 $helper
--runchecktest "test 15c -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15c -h prog" fail -h -n 100 $helper ${bin_true}
- #a confined app can't ask another confined app with a different profile to
- #trace it
- runchecktest "test 15c -hc" fail -h -c -n 100 $helper
--runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
-
- ################################################################################
-@@ -213,163 +213,163 @@ runchecktest "test 15c -hc prog" fail -h -c -n 100 $helper /bin/true
-
- ##### Now do tests with ptrace rules in profiles #######
- # pass in v5 allowed to ix self
--genprofile /bin/true:rix $helper:rix signal:ALL ptrace:ALL
--runchecktest "test 12p" pass -n 100 /bin/true
--runchecktest "test 12p -c" pass -c -n 100 /bin/true
-+genprofile ${bin_true}:rix $helper:rix signal:ALL ptrace:ALL
-+runchecktest "test 12p" pass -n 100 ${bin_true}
-+runchecktest "test 12p -c" pass -c -n 100 ${bin_true}
- runchecktest "test 12p -h" pass -h -n 100 $helper
- runchecktest "test 12p -hc" pass -h -c -n 100 $helper
--runchecktest "test 12p -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 12p -hc prog" pass -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rix $helper:rix signal:ALL ptrace:peer=$test
--runchecktest "test 12p1" pass -n 100 /bin/true
--runchecktest "test 12p1 -c" pass -c -n 100 /bin/true
-+runchecktest "test 12p -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 12p -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rix $helper:rix signal:ALL ptrace:peer=$test
-+runchecktest "test 12p1" pass -n 100 ${bin_true}
-+runchecktest "test 12p1 -c" pass -c -n 100 ${bin_true}
- runchecktest "test 12p1 -h" pass -h -n 100 $helper
- runchecktest "test 12p1 -hc" pass -h -c -n 100 $helper
--runchecktest "test 12p1 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 12p1 -hc prog" pass -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rix $helper:rix signal:ALL ptrace:peer=notaprofile
--runchecktest "test 12p2" fail -n 100 /bin/true
--runchecktest "test 12p2 -c" fail -c -n 100 /bin/true
-+runchecktest "test 12p1 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 12p1 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rix $helper:rix signal:ALL ptrace:peer=notaprofile
-+runchecktest "test 12p2" fail -n 100 ${bin_true}
-+runchecktest "test 12p2 -c" fail -c -n 100 ${bin_true}
- runchecktest "test 12p2 -h" fail -h -n 100 $helper
- runchecktest "test 12p2 -hc" fail -h -c -n 100 $helper
--runchecktest "test 12p2 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 12p2 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 12p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
-
- #ptraced confined app traced by profile can px
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix
--runchecktest "test 13p1 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p2 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby
--runchecktest "test 13p3 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 13p4 -hc prog" pass -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
--runchecktest "test 13p5 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 13p6 -hc prog" pass -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
--runchecktest "test 13p7 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p8 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace
--runchecktest "test 13p9 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pa -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
--runchecktest "test 13pb -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pc -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
--runchecktest "test 13pd -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pe -hc prog" fail -h -c -n 100 $helper /bin/true
--
--
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix
--runchecktest "test 13p11 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p21 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby
--runchecktest "test 13p31 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 13p41 -hc prog" pass -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
--runchecktest "test 13p51 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 13p61 -hc prog" pass -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
--runchecktest "test 13p71 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p81 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace
--runchecktest "test 13p91 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pa1 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
--runchecktest "test 13pb1 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pc1 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=/bin/true -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
--runchecktest "test 13pd1 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pe1 -hc prog" fail -h -c -n 100 $helper /bin/true
--
--
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix
--runchecktest "test 13p12 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p22 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby
--runchecktest "test 13p32 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 13p42 -hc prog" pass -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
--runchecktest "test 13p52 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 13p62 -hc prog" pass -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
--runchecktest "test 13p72 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p82 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace
--runchecktest "test 13p92 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pa2 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
--runchecktest "test 13pb2 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pc2 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
--runchecktest "test 13pd2 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pe2 -hc prog" fail -h -c -n 100 $helper /bin/true
--
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix
--runchecktest "test 13p13 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p23 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby
--runchecktest "test 13p33 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p43 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
--runchecktest "test 13p53 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p63 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
--runchecktest "test 13p73 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p83 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace
--runchecktest "test 13p93 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pa3 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
--runchecktest "test 13pb3 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pc3 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
--runchecktest "test 13pd3 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pe3 -hc prog" fail -h -c -n 100 $helper /bin/true
--
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix
--runchecktest "test 13p14 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p24 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby
--runchecktest "test 13p34 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p44 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
--runchecktest "test 13p54 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p64 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
--runchecktest "test 13p74 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p84 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace
--runchecktest "test 13p94 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pa4 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
--runchecktest "test 13pb4 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pc4 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
--runchecktest "test 13pd4 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pe4 -hc prog" fail -h -c -n 100 $helper /bin/true
--
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix
--runchecktest "test 13p15 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p25 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby
--runchecktest "test 13p35 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p45 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=$test
--runchecktest "test 13p55 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p65 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:tracedby:peer=notaprofile
--runchecktest "test 13p75 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13p85 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace
--runchecktest "test 13p95 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pa5 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:peer=$test
--runchecktest "test 13pb5 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pc5 -hc prog" fail -h -c -n 100 $helper /bin/true
--genprofile /bin/true:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=/bin/true /bin/true:rix ptrace:trace:peer=notaprofile
--runchecktest "test 13pd5 -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 13pe5 -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p1 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p2 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p3 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p4 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p5 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p6 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p7 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p8 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace -+runchecktest "test 13p9 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pa -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test -+runchecktest "test 13pb -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pc -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile -+runchecktest "test 13pd -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pe -hc prog" fail -h -c -n 100 $helper ${bin_true} -+ -+ -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix -+runchecktest "test 13p11 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13p21 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby -+runchecktest "test 13p31 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 13p41 -hc prog" pass -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test -+runchecktest "test 13p51 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 13p61 -hc prog" pass -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile -+runchecktest "test 13p71 -h prog" 
fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13p81 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace -+runchecktest "test 13p91 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pa1 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test -+runchecktest "test 13pb1 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pc1 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:trace:peer=${bin_true} -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile -+runchecktest "test 13pd1 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pe1 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+ -+ -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix -+runchecktest "test 13p12 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13p22 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:tracedby -+runchecktest "test 13p32 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 13p42 -hc prog" pass -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test -+runchecktest "test 13p52 -h prog" pass -h -n 100 $helper ${bin_true} -+runchecktest "test 13p62 -hc prog" pass -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix 
ptrace:tracedby:peer=notaprofile -+runchecktest "test 13p72 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13p82 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:trace -+runchecktest "test 13p92 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pa2 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test -+runchecktest "test 13pb2 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pc2 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:ALL -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile -+runchecktest "test 13pd2 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13pe2 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+ -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix -+runchecktest "test 13p13 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13p23 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:tracedby -+runchecktest "test 13p33 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13p43 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test -+runchecktest "test 13p53 -h prog" fail -h -n 100 $helper ${bin_true} -+runchecktest "test 13p63 -hc prog" fail -h -c -n 100 $helper ${bin_true} -+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} 
${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p73 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p83 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p93 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb3 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd3 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe3 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p14 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p24 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p34 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p44 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p54 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p64 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile
${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p74 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p84 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p94 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb4 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:tracedby:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd4 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe4 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix
-+runchecktest "test 13p15 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p25 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby
-+runchecktest "test 13p35 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p45 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=$test
-+runchecktest "test 13p55 -h prog"
fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p65 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:tracedby:peer=notaprofile
-+runchecktest "test 13p75 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13p85 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace
-+runchecktest "test 13p95 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pa5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=$test
-+runchecktest "test 13pb5 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pc5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-+genprofile ${bin_true}:rpx $helper:rix signal:ALL ptrace:peer=$test ptrace:peer=notaprofile -- image=${bin_true} ${bin_true}:rix ptrace:trace:peer=notaprofile
-+runchecktest "test 13pd5 -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 13pe5 -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
-
- ### todo Variations of below tests
-@@ -377,30 +377,30 @@ runchecktest "test 13pe5 -hc prog" fail -h -c -n 100 $helper /bin/true
-
- #ptraced confined app can ux - if the tracer is unconfined
- #
--genprofile image=$helper $helper:rix /bin/true:rux signal:ALL
--runchecktest "test 14pa -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test 14pa -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14pa -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test 14pa -hc prog" pass -h -c -n 100 $helper ${bin_true}
- #ptraced confined app can't ux - if the tracer can't trace
unconfined
--genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix /bin/true:rux signal:ALL
--runchecktest "test 14pb -h prog" fail -h -n 100 $helper /bin/true
--runchecktest "test 14pb -hc prog" fail -h -c -n 100 $helper /bin/true
-+genprofile $helper:rpx signal:ALL -- image=$helper $helper:rix ${bin_true}:rux signal:ALL
-+runchecktest "test 14pb -h prog" fail -h -n 100 $helper ${bin_true}
-+runchecktest "test 14pb -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #confined app can't ptrace an unconfined app
- genprofile $helper:rux signal:ALL
- runchecktest "test 15p -h" fail -h -n 100 $helper
--runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15p -h prog" fail -h -n 100 $helper ${bin_true}
- #an unconfined app can't ask a confined app to trace it
- runchecktest "test 15p -hc" fail -h -c -n 100 $helper
--runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- #confined app can't ptrace an app confined by a different profile
- genprofile $helper:rpx signal:ALL -- image=$helper signal:ALL
- runchecktest "test 15p -h" fail -h -n 100 $helper
--runchecktest "test 15p -h prog" fail -h -n 100 $helper /bin/true
-+runchecktest "test 15p -h prog" fail -h -n 100 $helper ${bin_true}
- #a confined app can't ask another confined app with a different profile to
- #trace it
- runchecktest "test 15p -hc" fail -h -c -n 100 $helper
--runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
-+runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper ${bin_true}
-
- # Test LP: #1390592
- # The bug was a policy compilation bug that triggers in a rule such as
-@@ -408,9 +408,9 @@ runchecktest "test 15p -hc prog" fail -h -c -n 100 $helper /bin/true
- # a-f|A-F|0-9 to trigger the bug.
A parser affected by this bug will create a
- # bad binary policy that causes the kernel to unexpectedly deny the ptrace
- # 'trace' of a process confined by profile ABC.
--genprofile "$helper rpx -> ABC" signal:ALL ptrace:trace:peer=ABC -- image=ABC addimage:$helper /bin/true:rix signal:ALL ptrace:tracedby:peer=$test
--runchecktest "test LP: #1390592 -h prog" pass -h -n 100 $helper /bin/true
--runchecktest "test LP: #1390592 -hc prog" pass -h -c -n 100 $helper /bin/true
-+genprofile "$helper rpx -> ABC" signal:ALL ptrace:trace:peer=ABC -- image=ABC addimage:$helper ${bin_true}:rix signal:ALL ptrace:tracedby:peer=$test
-+runchecktest "test LP: #1390592 -h prog" pass -h -n 100 $helper ${bin_true}
-+runchecktest "test LP: #1390592 -hc prog" pass -h -c -n 100 $helper ${bin_true}
-
- ## TODO: ptrace read tests
- ## TODO: ptrace + change_profile
-diff --git a/utils/test/fake_ldd b/utils/test/fake_ldd
-index 60f5c675..afec6eba 100755
---- a/utils/test/fake_ldd
-+++ b/utils/test/fake_ldd
-@@ -5,7 +5,7 @@ import sys
- if len(sys.argv) != 2:
- raise Exception('wrong number of arguments in fake_ldd')
-
--if sys.argv[1] == '/AATest/bin/bash' or sys.argv[1] == '/bin/bash':
-+if sys.argv[1] in ['/AATest/bin/bash', '/bin/bash', '/usr/bin/bash']:
- print(' linux-vdso.so.1 (0x00007ffcf97f4000)')
- print(' libreadline.so.6 => /AATest/lib64/libreadline.so.6 (0x00007f2c41324000)')
- print(' libtinfo.so.6 => /AATest/lib64/libtinfo.so.6 (0x00007f2c410f9000)')
-diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
-index d93b8eae..56b14c6e 100644
---- a/utils/test/test-aa.py
-+++ b/utils/test/test-aa.py
-@@ -135,6 +135,9 @@ class AaTest_create_new_profile(AATest):
- apparmor.aa.load_include('abstractions/bash')
-
- exp_interpreter_path, exp_abstraction = expected
-+ # damn symlinks!
-+ if exp_interpreter_path:
-+ exp_interpreter_path = os.path.realpath(exp_interpreter_path)
-
- program = self.writeTmpfile('script', params)
- profile = create_new_profile(program)
-@@ -178,11 +181,8 @@ class AaTest_get_interpreter_and_abstraction(AATest):
- interpreter_path, abstraction = get_interpreter_and_abstraction(program)
-
- # damn symlinks!
-- if exp_interpreter_path and os.path.islink(exp_interpreter_path):
-- dirname = os.path.dirname(exp_interpreter_path)
-- exp_interpreter_path = os.readlink(exp_interpreter_path)
-- if not exp_interpreter_path.startswith('/'):
-- exp_interpreter_path = os.path.join(dirname, exp_interpreter_path)
-+ if exp_interpreter_path:
-+ exp_interpreter_path = os.path.realpath(exp_interpreter_path)
-
- self.assertEqual(interpreter_path, exp_interpreter_path)
- self.assertEqual(abstraction, exp_abstraction)
From c2744d57c41aace00a43d0dd75c71e68a65b46fd5fa4796a87750dd2fe7f0019 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Tue, 18 Jun 2019 22:47:39 +0000
Subject: [PATCH 2/2] Accepting request 710682 from home:cboltz - re-number remaining patches
OBS-URL: https://build.opensuse.org/request/show/710682
OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=247
---
 apparmor.changes | 1 +
 apparmor.spec | 12 ++++++------
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/apparmor.changes b/apparmor.changes
index dc15b89..dc1c35f 100644
--- a/apparmor.changes
+++ b/apparmor.changes
@@ -17,6 +17,7 @@ Tue Jun 18 20:51:07 UTC 2019 - Christian Boltz
 - dnsmasq-revert-alternation.diff
 - usrmerge-fixes.diff
 - libapparmor-swig-4.diff
+- re-number remaining patches
 -------------------------------------------------------------------
 Wed Jun 5 11:36:25 UTC 2019 - Christian Boltz
diff --git a/apparmor.spec b/apparmor.spec
index 765ee95..02f2daa 100644
--- a/apparmor.spec
+++ b/apparmor.spec
@@ -57,13 +57,13 @@ Patch1: apparmor-enable-profile-cache.diff
 Patch2: apparmor-samba-include-permissions-for-shares.diff
 # Ruby 2.0 mkmf prefixes everything with $(DESTDIR), bnc#822277, kkaempf@suse.de
-Patch5: ruby-2_0-mkmf-destdir.patch
+Patch3: ruby-2_0-mkmf-destdir.patch
 # bug 906858 - confine lessopen.sh (submitted upstream 2014-12-21)
-Patch7: apparmor-lessopen-profile.patch
+Patch4: apparmor-lessopen-profile.patch
 # workaround for boo#1119937 / lp#1784499 - allow network access for reading files on NFS (proper solution needs kernel fix)
-Patch10: apparmor-lessopen-nfs-workaround.diff
+Patch5: apparmor-lessopen-nfs-workaround.diff
 PreReq: sed
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -350,9 +350,9 @@ SubDomain.
 %setup -q
 %patch1
 %patch2
-%patch5 -p1
-%patch7
-%patch10
+%patch3 -p1
+%patch4
+%patch5
 %build
 %define _lto_cflags %{nil}