- Image Types:
- basesdk-amd64 / minimal-armhf-internal / minimal-armhf / minimal-arm64 / minimal-amd64 / sdk-amd64 / target-armhf-internal / target-amd64
- Image Deployment:
Test that the session lockdown profile is not blocking more than it should.
- Ensure Rootfs is remounted as read/write.
$ sudo mount -o remount,rw /
- Install dependencies
$ sudo apt install apertis-tests-apparmor-report apparmor-utils
- Restart the system to restore the filesystem state to read-only before running the test.
$ sudo reboot
- First of all clean the auditd logs to ensure only new messages are seen:
$ echo -n | sudo tee /var/log/audit/audit.log
- Then reboot the image.
$ sudo reboot
- Ensure pulseaudio is running:
$ pactl stat
- No need to check the output of the command.
- Now ensure AppArmor is enabled and working, by running aa-status:
$ sudo aa-status
- Then ensure the audit log file has no AppArmor complaints:
$ sudo cat /var/log/audit/audit.log | sudo aa_log_extract_tokens.pl REJECTING
aa-status should show at least the following processes in complain mode:
And at least the following processes in enforce mode:
Note that there may be processes in other modes, such as in enforce mode, uncontained, or complain mode. Also note that the confinement status of profiles is irrelevant.
The aa_log_extract_tokens.pl command above should have no output.
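When the audit-log check above does produce output, a per-profile summary of the denials helps decide which rule in the lockdown profile is too strict. The following is an added example, not part of the Apertis test suite or of aa_log_extract_tokens.pl; the function names are hypothetical, and it assumes the kernel's usual `apparmor="DENIED"` audit record layout with quoted `profile`, `operation` and `name` fields.

```shell
#!/bin/sh
# Added example. summarise_denials and demo are hypothetical helper names.
# Assumes kernel audit records of the form:
#   type=AVC msg=audit(...): apparmor="DENIED" operation="..." profile="..." name="..."

# Print "count profile operation name" for each distinct AppArmor denial in
# the log given as $1, most frequent first. No output means no denials.
summarise_denials() {
    awk '
    # Return the double-quoted value of key on the current record, or "-"
    # when the key is absent or its value is not quoted (hex-encoded names).
    function field(key,    re, s) {
        re = " " key "=\"[^\"]*\""
        if (!match($0, re)) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub("^ " key "=\"", "", s)
        sub("\"$", "", s)
        return s
    }
    # Only denials count; ALLOWED records from complain mode are skipped.
    /apparmor="DENIED"/ {
        seen[field("profile") " " field("operation") " " field("name")]++
    }
    END {
        for (k in seen) printf "%d %s\n", seen[k], k | "sort -rn"
        close("sort -rn")
    }' "$1"
}

# Run the summary over constructed sample records (not real log data).
demo() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
type=AVC msg=audit(1700000000.100:41): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=501 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000001.100:42): apparmor="DENIED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=501 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000002.100:43): apparmor="DENIED" operation="exec" profile="/usr/bin/example" name="/usr/bin/helper" pid=501 comm="example" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1700000003.100:44): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/tmp/x" pid=502 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
EOF
    summarise_denials "$log"
    rm -f "$log"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the test image, point `summarise_denials` at a readable copy of /var/log/audit/audit.log; an empty result corresponds to the expected outcome of this test.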