AppArmor

Differences between revisions 41 and 42
Revision 41 as of 2014-09-09 17:46:53
Size: 10267
Editor: jdstrand
Comment:
Revision 42 as of 2014-09-09 17:58:20
Size: 10331
Editor: jdstrand
Comment:
Line 94: Line 94:
# new (adb as non-root) # adb as root
$ adb shell /tmp/tests/image/privileged/check-apparmor
$ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/click-apparmor
$ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu

# when new adb as non-root lands, use this: (as of 2014/09/09, still not in 14.09-proposed)
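Review bot: the comment added on the last line of this hunk dates the workaround ("as of 2014/09/09, still not in 14.09-proposed") but gives no way to tell which adb is installed; state what to check (for example whether `adb shell id` reports root) and which landing retires the `sudo -i -u phablet` form, otherwise both command sets will stay on the page after the non-root adb lands.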
Line 98: Line 103:
# old (adb as root)
$ adb shell /tmp/tests/image/privileged/check-apparmor
$ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/click-apparmor
$ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu

Dependents/Clients

  • click-apparmor
  • apparmor-easyprof-ubuntu
  • ubuntu-app-launch (uses apparmor kernel interface via upstart)
  • lxc
  • libvirt
  • usermetrics (uses libapparmor)

Test Plan

autopkgtests

  1. Run autopkgtests for important rdepends. Do they all exit with status '0':
    • click-apparmor:
      1. make sure the schroot is up to date (eg, autopkgtest-trusty-amd64)

      2. download the new AppArmor binaries to ../binary

      3. run the tests
        • 14.04:

          $ adt-run -B ../binary/*.deb --apt-source click-apparmor --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
        • 14.10:

          $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --apt-source click-apparmor --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
          # or, if you also have the new click-apparmor source:
          $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/click-apparmor*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
    • apparmor-easyprof-ubuntu:
      1. make sure the schroot is up to date (eg, autopkgtest-trusty-amd64)

      2. download the new AppArmor binaries to ../binary

      3. run the tests
        • 14.04:

          $ adt-run -B ../binary/*.deb --apt-source apparmor-easyprof-ubuntu --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
        • 14.10:

          $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --apt-source apparmor-easyprof-ubuntu --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
          # or, if you also have the new apparmor-easyprof-ubuntu source:
          $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/apparmor-easyprof-ubuntu*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
    • OPTIONAL: lxc (requires an autopkgtest VM. Note: this runs before promotion to -proposed, but there are manual tests below that should be performed before upload)

      1. Create a pristine VM for testing

      2. from within the checkout of the lp:auto-package-testing branch:

        bin/run-adt-test -P -p ppa:ci-train-ppa-service/landing-NNN lxc

Common tests

  1. Install image on phone/emulator (x86) and have an up to date Ubuntu Desktop and/or Server VM
  2. Install freshly built packages that are needed for landing and reboot
    • Eg:
      • devel: copy_sppa_to_repos --arch=i386,amd64,armhf --include-devel --ppa=ci-train-ppa-service/landing-NNN apparmor

      • rtm: copy_sppa_to_repos --include-devel -a amd64,i386,armhf --ppa=ci-train-ppa-service/landing-002 --distribution=ubuntu-rtm -r 14.09 apparmor

  3. Verify the system comes up and has networking (dhclient profile)
  4. Verify the output of aa-status. It should report:

    1. many profiles loaded (eg, 20 or more)
    2. many profiles in enforce mode (eg, 20 or more)
    3. 0 profiles in complain mode (unless apparmor-profiles or some other special package is installed)
    4. some process should have a profile defined
    5. some process should be in enforce mode (the same number as '4', above)
    6. 0 processes in complain mode (unless apparmor-profiles or some other special package is installed)
    7. 0 processes are unconfined but have a profile defined (the only exception is /usr/bin/lxc-start on Ubuntu Touch)
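
The seven criteria above can be checked mechanically. The following is an added example, not part of this page or of the QRT scripts: it parses the summary lines of `aa-status` output (the format assumed is the one shipped with the AppArmor of this era, with unindented count lines followed by indented entries) and reports which criteria fail, honouring the /usr/bin/lxc-start exception only when told the target is Ubuntu Touch. The sample output embedded at the bottom is constructed and abbreviated.

```python
import re

# Added check (not from the QRT scripts): parse `aa-status` output and test it against
# the criteria in the plan. Counts come from the unindented summary lines; the indented
# lines under "unconfined but have a profile defined" name binaries that escaped confinement.
COUNT_RE = re.compile(r"^(\d+) (profiles|processes) (.+?)\.$")
TOUCH_EXCEPTIONS = {"/usr/bin/lxc-start"}   # the plan's one allowed exception (Touch only)

def parse_aa_status(text):
    # Returns ({(kind, summary phrase): count}, [unconfined binaries that have a profile]).
    counts, unconfined, in_unconfined = {}, [], False
    for line in text.splitlines():
        if line.startswith(" "):                      # indented: entry of the current section
            if in_unconfined and line.split():
                unconfined.append(line.split()[0])    # "/path (pid)" -> "/path"
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[(m.group(2), m.group(3))] = int(m.group(1))
            in_unconfined = m.group(3).startswith("are unconfined")
    return counts, unconfined

def check_aa_status(text, touch=False):
    # Returns the criteria from the plan that fail; an empty list means the check passes.
    c, unconfined = parse_aa_status(text)
    n = lambda kind, what: c.get((kind, what), 0)
    bad = [p for p in unconfined if not (touch and p in TOUCH_EXCEPTIONS)]
    rules = [
        (n("profiles", "are loaded") >= 20, "fewer than 20 profiles loaded"),
        (n("profiles", "are in enforce mode") >= 20, "fewer than 20 profiles in enforce mode"),
        (n("profiles", "are in complain mode") == 0, "profiles in complain mode"),
        (n("processes", "have profiles defined") > 0, "no process has a profile defined"),
        (n("processes", "are in enforce mode") == n("processes", "have profiles defined"),
         "confined processes not all in enforce mode"),
        (n("processes", "are in complain mode") == 0, "processes in complain mode"),
        (not bad, "unconfined but profile defined: " + ", ".join(bad)),
    ]
    return [msg for ok, msg in rules if not ok]

# Constructed, abbreviated sample (real output lists every profile and process).
SAMPLE = """apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /sbin/dhclient
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (812)
   /usr/sbin/ntpd (1043)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/lxc-start (2211)
"""
```

On a real system feed it the captured output, e.g. `check_aa_status(subprocess.check_output(["sudo", "aa-status"], text=True), touch=True)`.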

Touch only

  1. Verify Unity8 on Ubuntu Touch works by performing basic Unity8 manual testing:
    • verify networking comes up (has an ip address)
    • browser launches and can navigate pages
    • system settings opens
    • MTP music file to ~/Music (adb push to /home/phablet/Music on emulator)
    • MTP video file to ~/Videos (adb push to /home/phablet/Videos on emulator)
    • music-app can play copied music file on device (verifies mediascanner2 and media-hub. May need to search for it in the scope)
    • Videos scope can play copied video file on device (verifies mediascanner2 and media-hub. May need to search for it in the scope)
  2. Verify apps launch via ubuntu-app-launch on Ubuntu Touch:
    • Ensure that confined apps launch
      • in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then

      • launch a confined app (eg, start the weather app). Does it start?
      • are there any AppArmor denials in /var/log/syslog for the app? (there should be none)

      • Run sudo aa-status, is the process for the app running under confinement (in enforce mode)?

    • Ensure that webapps launch
      • in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then

      • launch a webapp (eg, start the facebook webapp). Does it start?
      • are there any AppArmor denials in /var/log/syslog for the webapp? (there should be none, except that apparmor="DENIED" operation="dbus_bind" bus="session" name="org.freedesktop.Application" mask="bind" pid=6603 profile="<profile name>" is expected as of 2014-09-09)

      • Run sudo aa-status, is the process for the webapp running under confinement (in enforce mode)?

    • Ensure that "unconfined" click apps launch (ie, those using the unconfined template):

      • in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then

      • launch an unconfined click app (eg, start the terminal or file manager on armhf, or music-app on the emulator; verify it is still using the unconfined template in /var/lib/apparmor/clicks/*music*.json). Does it start?
      • are there any AppArmor denials in /var/log/syslog for the app? (there should be none)

      • Run sudo aa-status, is the process for the app running under an AppArmor label (ie, profile)?
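
The three "are there any AppArmor denials" checks above are done by eye over `tail -f /var/log/syslog | grep DEN`. As an added example (not part of this page), the following triages saved syslog lines instead: it parses the key="value" fields of each apparmor="DENIED" record, discards the one denial the plan says is expected for webapps (the dbus_bind of org.freedesktop.Application on the session bus), and groups what remains by profile so anything left is a real regression to investigate. The sample lines and the profile names in them are constructed placeholders.

```python
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key="quoted value" or key=bare

# The only denial the plan treats as expected (webapps, as of 2014-09-09).
EXPECTED = [{"operation": "dbus_bind", "bus": "session",
             "name": "org.freedesktop.Application", "mask": "bind"}]

def parse_denial(line):
    # Returns the fields of an AppArmor DENIED record, or None for any other line.
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def is_expected(fields):
    return any(all(fields.get(k) == v for k, v in rule.items()) for rule in EXPECTED)

def unexpected_denials(lines):
    # Returns {profile: ["<operation> <name>", ...]} for denials the plan does not allow.
    out = defaultdict(list)
    for line in lines:
        f = parse_denial(line)
        if f and not is_expected(f):
            out[f.get("profile", "?")].append("%s %s" % (f.get("operation"), f.get("name", "")))
    return dict(out)

# Constructed sample syslog lines; click profile names are placeholders, not real apps.
SAMPLE = [
    'Sep  9 12:00:01 ubuntu-phablet dbus[1234]: apparmor="DENIED" operation="dbus_bind" '
    'bus="session" name="org.freedesktop.Application" mask="bind" pid=6603 '
    'profile="webapp-example_webapp-example_0.1"',
    'Sep  9 12:00:02 ubuntu-phablet kernel: [  101.5] type=1400 audit(1410264002.1:30): '
    'apparmor="DENIED" operation="open" profile="example-app_example-app_0.1" '
    'name="/home/phablet/.local/share/other-app/data.db" pid=6610 comm="qmlscene" '
    'requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011',
    'Sep  9 12:00:03 ubuntu-phablet kernel: [  102.0] type=1400 audit(1410264003.2:31): '
    'apparmor="STATUS" operation="profile_load" profile="unconfined" '
    'name="example-app_example-app_0.1" pid=6620 comm="apparmor_parser"',
]
```

Run it over `grep DEN /var/log/syslog` output taken after exercising the app; an empty result means the check passes.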

  3. Run image tests on Ubuntu Touch (emulator or touch image):

    $ bzr branch lp:qa-regression-testing
    $ cd qa-regression-testing
    $ adb push ./tests /tmp/tests
    # adb as root
    $ adb shell /tmp/tests/image/privileged/check-apparmor
    $ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/click-apparmor
    $ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
    
    # when new adb as non-root lands, use this: (as of 2014/09/09, still not in 14.09-proposed)
    $ adb shell sudo -i /tmp/tests/image/privileged/check-apparmor
    $ adb shell /tmp/tests/image/unprivileged/click-apparmor # emulator may have 1 failure. if so, try again
    $ adb shell /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
  4. SKIP (usermetrics doesn't seem to work any more): Run libusermetrics tests on Touch

    • The above page was removed. For now:
      • Press the power button twice to display the infographic
      • Double tap the infographic until you see "# ounces of water consumed today"
      • Install 'Hydrate' from the app store
      • Launch it (search for 'hydrate' in Search in the Application scope)
      • Within Hydrate, tap 'add water'
      • Press the power button twice to display the infographic
      • Double tap the infographic until you see "# ounces of water consumed today"

Desktop (some can be run on Server) only

  1. Verify Ubuntu Desktop and/or Server works by performing basic login testing - eg, verify networking, verify browser launches, verify apt-get works
  2. Run QRT/scripts/test-apparmor.py on Ubuntu Desktop/Server (not Ubuntu Touch, needs extensive read/write permissions):

    $ bzr branch lp:qa-regression-testing
    $ cd qa-regression-testing
    $ ./scripts/make-test-tarball ./scripts/test-apparmor.py
    # To run, copy /tmp/qrt-test-apparmor.tar.gz to the target system, then do:
    $ tar -zxf qrt-test-apparmor.tar.gz
    $ cd ./qrt-test-apparmor
    $ sudo ./install-packages test-apparmor.py
    $ sudo ./test-apparmor.py -v
  3. Run image tests on Ubuntu Desktop/Server:
    • Desktop:

      $ bzr branch lp:qa-regression-testing
      $ cd qa-regression-testing
      $ scp -r ./tests username@vm:/tmp/tests
      $ ssh -tt root@vm /tmp/tests/image/privileged/check-apparmor
      $ ssh -tt root@vm apt-get install click-apparmor apparmor-easyprof-ubuntu click packagekit-tools ubuntu-app-launch ubuntu-sdk-libs

      At this point you'll need to log in to Ubuntu Desktop, open a terminal and run the following (if someone knows how to run this over ssh, please tell :):

      $ /tmp/tests/image/unprivileged/click-apparmor
      $ /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
  4. Verify lxc container starts with new AppArmor on Ubuntu Desktop/Server:

    ~$ sudo apt-get install lxc
    # optionally adjust MIRROR in /etc/default/lxc
    ~$ sudo lxc-create -t ubuntu -n CN
    ~$ sudo lxc-start -n CN
    ...
    Ubuntu Trusty Tahr (development branch) CN console
    
    CN login: ubuntu
    Password:
    ...

    Run a few external commands:

    $ sudo lxc-ls
    CN
    $ sudo lxc-info --name CN
    Name:           CN
    State:          RUNNING
    PID:            24354
    IP:             10.0.3.153
    CPU use:        1.80 seconds
    BlkIO use:      12.18 MiB
    Memory use:     20.58 MiB
    KMem use:       0 bytes
    Link:           vethYD8QMX
     TX bytes:      2.90 KiB
     RX bytes:      6.77 KiB
     Total bytes:   9.67 KiB
    $ sudo lxc-console --name CN
    Connected to tty 1
    Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
    
    Ubuntu Utopic Unicorn (development branch) CN tty1
    
    CN login:
    ...
    $ sudo lxc-attach --name CN uptime
     22:29:49 up  1:10,  1 user,  load average: 0.06, 0.31, 0.58

    When done, shut it down with:

    $ sudo shutdown -h now
    ...
     0. Will now halt
    ~$
  5. Verify qemu/kvm libvirt VMs start with new AppArmor on Ubuntu Desktop/Server by using QRT/scripts/test-libvirt.py (note: there are some failures unrelated to apparmor, so do a baseline run before upgrading to compare)

  6. Verify lightdm guest session works correctly (there will be apparmor denials, but this is expected)

Process/Merges/TestPlans/AppArmor (last edited 2020-08-31 05:59:24 by alexmurray)