AppArmor

Differences between revisions 16 and 17
Revision 16 as of 2014-03-28 02:41:48
Size: 5985
Editor: jdstrand
Comment:
Revision 17 as of 2014-03-28 03:05:42
Size: 6055
Editor: jdstrand
Comment:
Line 94: Line 94:
  * lxc (NEEDS UPDATING): from stgraber, "follow http://packaging.ubuntu.com/html/auto-pkg-test.html to setup the adt environment, once you do, just run: `bin/run-adt-test -P -p ppa:your/ppa lxc`"   * lxc
   0. [[http://packaging.ubuntu.com/html/auto-pkg-test.html#executing-the-test|Create a pristine VM]] for testing
   0. from within the checkout of the lp:auto-package-testing branch:{{{
bin/run-adt-test -P -p ppa:ci-train-ppa-service/landing-NNN lxc
}}}
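Review bot: on the added side, step 2 ("from within the checkout of the lp:auto-package-testing branch") assumes a checkout that neither step tells the reader to create, and `landing-NNN` in the command is not marked as a placeholder the way the removed `ppa:your/ppa` was. Suggest adding a step that obtains the branch and a short parenthetical saying that NNN is replaced with the landing PPA under test. The removed text also carried the "NEEDS UPDATING" flag and the stgraber attribution; if the new steps were verified, say so in the revision comment, which is empty for this revision.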

Dependents/Clients

  • click-apparmor
  • apparmor-easyprof-ubuntu
  • upstart-app-launch (uses apparmor kernel interface via upstart)
  • lxc
  • libvirt
  • usermetrics (uses libapparmor)

Test Plan

  • Install image on phone and have an up to date Ubuntu Desktop and/or Server VM
  • Install freshly built packages that are needed for landing and reboot
    • eg, copy_sppa_to_repos --arch=i386,amd64,armhf --include-devel --ppa=ci-train-ppa-service/landing-NNN apparmor

  • Verify the system comes up and has networking (dhclient profile)
  • Verify the output of aa-status. It should report:

    1. many profiles loaded (eg, 20 or more)
    2. many profiles in enforce mode (eg, 20 or more)
    3. 0 profiles in complain mode (unless apparmor-profiles or some other special package is installed)
    4. some process should have a profile defined
    5. some process should be in enforce mode (the same number as '4', above)
    6. 0 processes in complain mode (unless apparmor-profiles or some other special package is installed)
    7. 0 processes are unconfined but have a profile defined (the only exception is /usr/bin/lxc-start on Ubuntu Touch)
  • Verify apps launch via upstart-app-launch on Ubuntu Touch:
    • Ensure that apps launch
      • in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then

      • launch an app (eg, start the weather app). Does it start?
      • are there any AppArmor denials in /var/log/syslog for the app? (there should be none)

      • Run sudo aa-status, is the process for the app running under confinement (in enforce mode)?

    • Ensure that webapps launch
      • in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then

      • launch a webapp (eg, start the facebook webapp). Does it start?
      • are there any AppArmor denials in /var/log/syslog for the webapp? (there should be none)

      • Run sudo aa-status, is the process for the webapp running under confinement (in enforce mode)?

  • Verify Unity8 on Ubuntu Touch works by performing basic Unity8 manual testing - eg, verify networking, that the browser launches, system settings opens
  • Verify Ubuntu Desktop and/or Server works by performing basic login testing - eg, verify networking, verify browser launches, verify apt-get works
  • Run QRT/scripts/test-apparmor.py on Ubuntu Desktop/Server (not Ubuntu Touch, needs extensive read/write permissions):

    $ bzr branch lp:qa-regression-testing
    $ cd qa-regression-testing
    $ ./scripts/make-test-tarball ./scripts/test-apparmor.py
    # To run, copy /tmp/qrt-test-apparmor.tar.gz to the target system, then do:
    $ tar -zxf qrt-test-apparmor.tar.gz
    $ cd ./qrt-test-apparmor
    $ sudo ./install-packages test-apparmor.py
    $ sudo ./test-apparmor.py -v
  • Run image tests on Ubuntu Touch (emulator or touch image) and Ubuntu Desktop/Server:
    • Touch:

      $ bzr branch lp:qa-regression-testing
      $ cd qa-regression-testing
      $ adb push ./tests /tmp/tests
      $ adb shell /tmp/tests/image/privileged/check-apparmor
      $ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/click-apparmor
      $ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
    • Desktop:

      $ bzr branch lp:qa-regression-testing
      $ cd qa-regression-testing
      $ scp -r ./tests username@vm:/tmp/tests
      $ ssh -tt root@vm /tmp/tests/image/privileged/check-apparmor
      $ ssh -tt root@vm apt-get install click-apparmor apparmor-easyprof-ubuntu click packagekit-tools upstart-app-launch ubuntu-sdk-libs

      At this point you'll need to log in to Ubuntu Desktop, open a terminal and run (if someone knows how to run this over ssh, please tell :):

      $ /tmp/tests/image/unprivileged/click-apparmor
      $ /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
  • Run libusermetrics tests on Touch

    • The above page was removed. For now:
      • Press the power button twice to display the infographic
      • Double tap the infographic until you see "# ounces of water consumed today"
      • Install 'Hydrate' from the app store
      • Launch it (search for 'hydrate' in Search in the Application scope)
      • Within Hydrate, tap 'add water'
      • Press the power button twice to display the infographic
      • Double tap the infographic until you see "# ounces of water consumed today"
  • Run autopkgtests for important rdepends. Do they all exit with status '0'?
    • click-apparmor:
      1. make sure the schroot is up to date (eg, trusty-amd64)

      2. download the new AppArmor binaries to ./debs

      3. run the tests

        $ adt-run -B ./*.deb --apt-source click-apparmor --- adt-virt-schroot trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
    • apparmor-easyprof-ubuntu:
      1. make sure the schroot is up to date (eg, trusty-amd64)

      2. download the new AppArmor binaries to ./debs

      3. run the tests

        $ adt-run -B ./*.deb --apt-source apparmor-easyprof-ubuntu --- adt-virt-schroot trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
    • lxc
      1. Create a pristine VM for testing

      2. from within the checkout of the lp:auto-package-testing branch:

        bin/run-adt-test -P -p ppa:ci-train-ppa-service/landing-NNN lxc
  • Verify lxc container starts with new AppArmor on Ubuntu Desktop/Server:

    ~$ sudo apt-get install lxc
    ~$ sudo lxc-create -t ubuntu -n CN
    ~$ sudo lxc-start -n CN
    ...
    Ubuntu Trusty Tahr (development branch) CN console
    
    CN login: ubuntu
    Password:
    ...
    $ sudo shutdown -h now
    ...
     * Will now halt
    ~$
  • Verify qemu/kvm libvirt VMs start with new AppArmor on Ubuntu Desktop/Server

    • TBD
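
The seven aa-status checks in the test plan above can be applied mechanically to captured output. The following is an added example, not part of the original page or of QRT; the sample text is constructed (member lists abbreviated), and the function names, the `min_profiles` default of 20 and the `touch` / `complain_ok` switches are assumptions of this sketch.

```python
import re

# Constructed aa-status output for illustration; not captured from a real system.
SAMPLE = """\
apparmor module is loaded.
23 profiles are loaded.
23 profiles are in enforce mode.
   /sbin/dhclient
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (784)
   /usr/sbin/cupsd (912)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
"""
SUMMARY = re.compile(r"^(\d+) (profiles|processes) (?:are|have) (.+)\.$")
UNCONFINED = "processes unconfined but have a profile defined"
TOUCH_EXCEPTION = "/usr/bin/lxc-start"  # the one exception the plan allows for item 7

def parse(text):
    """Return ({summary phrase: count}, {summary phrase: [indented member lines]})."""
    counts, members, key = {}, {}, None
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            key = m.group(2) + " " + m.group(3)
            counts[key], members[key] = int(m.group(1)), []
        elif key and line[:1].isspace() and line.strip():
            members[key].append(line.strip())
    return counts, members

def failed_items(text, min_profiles=20, touch=False, complain_ok=False):
    """Return the numbers (1-7) of the test-plan checks that this output fails."""
    counts, members = parse(text)
    n = lambda key: counts.get(key, -1)  # -1 when the summary line is missing
    tolerated = [p for p in members.get(UNCONFINED, [])
                 if touch and p.split(" (")[0] == TOUCH_EXCEPTION]
    checks = {
        1: n("profiles loaded") >= min_profiles,
        2: n("profiles in enforce mode") >= min_profiles,
        3: complain_ok or n("profiles in complain mode") == 0,
        4: n("processes profiles defined") > 0,
        5: n("processes in enforce mode") == n("processes profiles defined"),
        6: complain_ok or n("processes in complain mode") == 0,
        7: n(UNCONFINED) == len(tolerated),  # every unconfined process must be tolerated
    }
    return [item for item, ok in checks.items() if not ok]
```

Pass `complain_ok=True` when apparmor-profiles or another package that ships complain-mode profiles is installed, and `touch=True` on Ubuntu Touch.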
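
For the app and webapp launch checks above, `grep DEN` matches any line containing those letters, so a saved syslog is easier to judge by parsing the audit fields and grouping denials per profile. This is an added example, not code from the original page; the log excerpt is constructed, and the host, profile names, pids, paths and function names are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt; host, profile names, pids and paths are made up.
# The third line is not an AppArmor record, yet `grep DEN` would still print it.
SYSLOG = """\
Mar 28 03:01:10 ubuntu-phablet kernel: [  812.101] type=1400 audit(1395975670.101:61): apparmor="DENIED" operation="open" profile="com.example.weather_weather_1.0" name="/etc/passwd" pid=2101 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Mar 28 03:01:11 ubuntu-phablet kernel: [  813.440] type=1400 audit(1395975671.440:62): apparmor="STATUS" operation="profile_replace" name="com.example.notes_notes_0.4" pid=2150 comm="apparmor_parser"
Mar 28 03:01:15 ubuntu-phablet exampled[801]: request DENIED for client 7
Mar 28 03:01:20 ubuntu-phablet kernel: [  822.007] type=1400 audit(1395975680.007:63): apparmor="DENIED" operation="connect" profile="com.example.weather_weather_1.0" name="/run/dbus/system_bus_socket" pid=2101 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def denials(lines):
    """Yield the audit fields of every AppArmor DENIED record in the lines."""
    for line in lines:
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields


def denials_by_profile(lines):
    """Map profile name -> [(operation, name, denied_mask), ...]."""
    found = defaultdict(list)
    for f in denials(lines):
        found[f.get("profile", "?")].append(
            (f.get("operation"), f.get("name"), f.get("denied_mask")))
    return dict(found)


def app_is_clean(lines, profile):
    """True when the log holds no denial for this app's profile (the plan expects none)."""
    return profile not in denials_by_profile(lines)
```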

Process/Merges/TestPlans/AppArmor (last edited 2020-08-31 05:59:24 by alexmurray)