tiny-container-user-aa-enforcement automated

medium

Image Types:
tiny-lxc-armhf-internal / tiny-lxc-armhf / tiny-lxc-arm64 / tiny-lxc-amd64
Image Deployment:
LXC
Type:
functional

Description

Test that the AppArmor profile for dbus-daemon is loaded in unprivileged container started as user


Pre Conditions

  1. Clone the tests repository from another computer (Note that the branch being tested may change depending on the release, please make sure to clone the correct branch for the release in question):
  2. $ git clone --branch apertis/v2020dev0 https://gitlab.apertis.org/infrastructure/tiny-image-recipes.git

  3. Copy the test directory tiny-image-recipes to the target device:
  4. $ DUT_IP=<device-ip>

    $ scp -r tiny-image-recipes user@$DUT_IP:

  5. Log into the target device:
  6. $ ssh user@$DUT_IP


Execution Steps

  1. Enter test directory:
  2. $ cd tiny-image-recipes

  3. Ensure we allow user mapping:
  4. $ sysctl -w kernel.unprivileged_userns_clone=1

  5. Setup the AppArmor profile for container:
  6. $ sed s/__NAMESPACE_PLACEHOLDER__/lxc-apertis-tiny-userns/g lxc/lxc-tiny-connectivity-profile-template | apparmor_parser -qr

  7. Make sure user have correct mappings for test:
  8. $ usermod --add-subuids 1000-1000 user

    $ usermod --add-subuids 100000-165535 user

    $ usermod --add-subgids 1000-1000 user

    $ usermod --add-subgids 100000-165535 user

  9. Check that the AppArmor profile for dbus-daemon in the container is loaded
  10. $ sudo -u user -H lavatests/test-aa-enforcement -a "$ARCH" -r "$RELEASE" -d "$IMAGE_DATE" -t lxc/lxc-tiny-connectivity --aa-namespace "lxc-apertis-tiny-userns"


Expected

Test command should report "pass".