apparmor-utils automated

medium

Image Types:
basesdk-amd64 / minimal-armhf-internal / minimal-armhf / minimal-arm64 / minimal-amd64 / sdk-amd64 / target-armhf / target-amd64
Image Deployment:
APT
Type:
functional

Description

Test apparmor_parser and other tools in apparmor package can be executed


Pre Conditions

  1. Ensure Rootfs is remounted as read/write.
  2. $ sudo mount -o remount,rw /
  3. Install dependencies
  4. $ sudo apt install apparmor-utils-tests busybox apertis-tests-apparmor-report
  5. Restart the system to restore the filesystem state to read-only before running the test.
  6. $ sudo reboot
  7. Clone the tests repository from another computer (Note that the branch being tested may change depending on the release, please make sure to clone the correct branch for the release in question):
  8. $ git clone --branch apertis/v2022dev2 https://gitlab.apertis.org/pkg/apertis-tests.git
  9. Copy the test directory apertis-tests to the target device:
  10. $ DUT_IP=<device-ip>
    $ scp -r apertis-tests user@$DUT_IP:
  11. Log into the target device:
  12. $ ssh user@$DUT_IP

Execution Steps

  1. Enter test directory:
  2. $ cd apertis-tests
  3. Run the the following commands:
  4. $ common/run-test-in-systemd --name=aa-enforce-test --timeout 90 -- sh /usr/lib/apparmor-utils-tests/aa-enforce-test.sh
    $ common/run-test-in-systemd --name=apparmor_parser --timeout 90 -- sh /usr/lib/apparmor-utils-tests/apparmor_parser.sh
    $ sudo journalctl -b -t audit -o cat | /usr/bin/aa_log_extract_tokens.sh ALLOWED DENIED

Expected

The test will show on stdout OK,FAIL or SKIP and exit code will be non zero if at least one subtest will fail. A similar output will be shown:

checking /bin/true is enforced: OK -

If the test_profile_syntax test-case in the apparmor-basic-profiles test is failing, please report that failure instead: it produces better diagnostics.

When that test case is failing, the go in complain mode, change for enforced profiles in enforce->complain, change in complaininig profiles in enforce->complain, gran total enforce/disable and change for enforced profiles in enforce->disable test-cases in this test are also expected to fail.

Notes

  • Make sure that you have disconnect the ethernet connection to the target before you start the tethering process.
  • Implement a minimum set of test to be sure things works properly. No advanced features tested.
  • This test depends on all AppArmor profiles being syntactically valid, and does not have useful diagnostics if they are not. If the test_profile_syntax test-case in the apparmor-basic-profiles test fails, please report that failure instead. You can mention this failure in the same bug report, but please do not report it separately.