AppArmor
6055
Comment:
|
6160
|
Deletions are marked like this. | Additions are marked like this. |
Line 94: | Line 94: |
* lxc | * lxc (BROKEN: FIXME, note runs before promotion to -proposed) |
Line 101: | Line 101: |
# optionally adjust MIRROR in /etc/default/lxc |
Test plan for component: AppArmor
Component Checklist: https://wiki.ubuntu.com/Process/Merges/Checklists/AppArmor
Trunk URL: lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain
Ubuntu Package URL (LP): http://launchpad.net/ubuntu/+source/apparmor
Dependents/Clients
- click-apparmor
- apparmor-easyprof-ubuntu
- upstart-app-launch (uses apparmor kernel interface via upstart)
- lxc
- libvirt
- usermetrics (uses libapparmor)
Test Plan
- Install image on phone and have an up to date Ubuntu Desktop and/or Server VM
- Install freshly built packages that are needed for landing and reboot
eg, copy_sppa_to_repos --arch=i386,amd64,armhf --include-devel --ppa=ci-train-ppa-service/landing-NNN apparmor
- Verify the system comes up and has networking (dhclient profile)
Verify the output of aa-status. It should report:
- many profiles loaded (eg, 20 or more)
- many profiles in enforce mode (eg, 20 or more)
- 0 profiles in complain mode (unless apparmor-profiles or some other special package is installed)
- some process should have a profile defined
- some process should be in enforce mode (the same number as '4', above)
- 0 processes in complain mode (unless apparmor-profiles or some other special package is installed)
- 0 processes are unconfined but have a profile defined (the only exception is /usr/bin/lxc-start on Ubuntu Touch)
- Verify apps launch via upstart-app-launch on Ubuntu Touch:
- Ensure that apps launch
in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then
- launch an app (eg, start the weather app). Does it start?
are there any AppArmor denials in /var/log/syslog for the app? (there should be none)
Run sudo aa-status, is the process for the app running under confinement (in enforce mode)?
- Ensure that webapps launch
in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then
- launch a webapp (eg, start the facebook webapp). Does it start?
are there any AppArmor denials in /var/log/syslog for the webapp? (there should be none)
Run sudo aa-status, is the process for the webapp running under confinement (in enforce mode)?
- Ensure that apps launch
- Verify Unity8 on Ubuntu Touch works by performing basic Unity8 manual testing - eg, verify networking, that the browser launches, system settings opens
- Verify Ubuntu Desktop and/or Server works by performing basic login testing - eg, verify networking, verify browser launches, verify apt-get works
Run QRT/scripts/test-apparmor.py on Ubuntu Desktop/Server (not Ubuntu Touch, needs extensive read/write permissions):
$ bzr branch lp:qa-regression-testing $ cd qa-regression-testing $ ./scripts/make-test-tarball ./scripts/test-apparmor.py # To run, copy /tmp/qrt-test-apparmor.tar.gz to the target system, then do: $ tar -zxf qrt-test-apparmor.tar.gz $ cd ./qrt-test-apparmor $ sudo ./install-packages test-apparmor.py $ sudo ./test-apparmor.py -v
- Run image tests on Ubuntu Touch (emulator or touch image) and Ubuntu Desktop/Server:
Touch:
$ bzr branch lp:qa-regression-testing $ cd qa-regression-testing $ adb push ./tests /tmp/tests $ adb shell /tmp/tests/image/privileged/check-apparmor $ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/click-apparmor $ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
Desktop:
$ bzr branch lp:qa-regression-testing $ cd qa-regression-testing $ scp -r ./tests username@vm:/tmp/tests $ ssh -tt root@vm /tmp/tests/image/privileged/check-apparmor $ ssh -tt root@vm apt-get install click-apparmor apparmor-easyprof-ubuntu click packagekit-tools upstart-app-launch ubuntu-sdk-libs
At this point you'll need to login to Ubuntu Desktop and open a terminal and run (if someone knows how to run this over ssh, please tell :):
$ /tmp/tests/image/unprivileged/click-apparmor $ /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
Run libusermetrics tests on Touch
- The above page was removed. For now:
- Press the power button twice to display the infographic
- Double tap the infographic until you see "# ounces of water consumed today"
- Install 'Hydrate' from the app store
- Launch it (search for 'hydrate' in Search in the Application scope
- Within Hydrate, tap 'add water
- Press the power button twice to display the infographic
- Double tap the infographic until you see "# ounces of water consumed today"
- The above page was removed. For now:
- Run autopkgtests for important rdepends. Do they all exit with status '0':
- click-apparmor:
make sure the schroot is up to date (eg, trusty-amd64)
download the new AppArmor binaries to ./debs
run the tests
$ adt-run -B ./*.deb --apt-source click-apparmor --- adt-virt-schroot trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
- apparmor-easyprof-ubuntu:
make sure the schroot is up to date (eg, trusty-amd64)
download the new AppArmor binaries to ./debs
run the tests
$ adt-run -B ./*.deb --apt-source apparmor-easyprof-ubuntu --- adt-virt-schroot trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
- lxc (BROKEN: FIXME, note runs before promotion to -proposed)
Create a pristine VM for testing
from within the checkout of the lp:auto-package-testing branch:
bin/run-adt-test -P -p ppa:ci-train-ppa-service/landing-NNN lxc
- click-apparmor:
Verify lxc container starts with new AppArmor on Ubuntu Desktop/Server:
~$ sudo apt-get install lxc # optionally adjust MIRROR in /etc/default/lxc ~$ sudo lxc-create -t ubuntu -n CN ~$ sudo lxc-start -n CN ... Ubuntu Trusty Tahr (development branch) CN console CN login: ubuntu Password: ... $ sudo shutdown -h now ... * Will now halt ~$
Verify qemu/kvm libvirt VMs start with new AppArmor on Ubuntu Desktop/Server
- TBD
Process/Merges/TestPlans/AppArmor (last edited 2020-08-31 05:59:24 by alexmurray)