AppArmor

Revision 56 as of 2014-11-17 22:32:02 (editor: jdstrand), a diff against revision 55 as of 2014-11-17 22:31:01 (editor: jdstrand).

Dependents/Clients

  • click-apparmor
  • apparmor-easyprof-ubuntu
  • ubuntu-app-launch (uses apparmor kernel interface via upstart)
  • lxc
  • libvirt/libvirt-lxc
  • docker.io
  • usermetrics (uses libapparmor)

Test Plan

autopkgtests

  1. Run autopkgtests for important rdepends. Do they all exit with status '0':
    • click-apparmor:
      1. make sure the schroot is up to date (eg, autopkgtest-trusty-amd64)

      2. download the new AppArmor binaries to ../binary

      3. run the tests
        • 14.04:

          $ adt-run -B ../binary/*.deb --apt-source click-apparmor --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
        • 14.10:

          $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --apt-source click-apparmor --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
          # or, if there is also a new click-apparmor source package:
          $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/click-apparmor*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
    • apparmor-easyprof-ubuntu:
      1. make sure the schroot is up to date (eg, autopkgtest-trusty-amd64)

      2. download the new AppArmor binaries to ../binary

      3. run the tests
        • 14.04:

          $ adt-run -B ../binary/*.deb --apt-source apparmor-easyprof-ubuntu --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
        • 14.10:

          $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --apt-source apparmor-easyprof-ubuntu --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
          # or, if there is also a new apparmor-easyprof-ubuntu source package:
          $ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/apparmor-easyprof-ubuntu*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
    • OPTIONAL: lxc (requires an autopkgtest VM. Note: this runs automatically before promotion to -proposed, but the manual lxc tests below should still be performed before upload)

      1. Create a pristine VM for testing

      2. from within the checkout of the lp:auto-package-testing branch:

        bin/run-adt-test -P -p ppa:ci-train-ppa-service/landing-NNN lxc

Common tests

  1. Install image on phone/emulator (x86) and have an up to date Ubuntu Desktop and/or Server VM
  2. Install freshly built packages that are needed for landing and reboot
    • Eg:
      • devel: copy_sppa_to_repos --arch=i386,amd64,armhf --include-devel --ppa=ci-train-ppa-service/landing-NNN apparmor

      • rtm: copy_sppa_to_repos --include-devel -a amd64,i386,armhf --ppa=ci-train-ppa-service/landing-002 --distribution=ubuntu-rtm -r 14.09 apparmor

  3. Verify the system comes up and has networking (this exercises the dhclient profile)
  4. Verify the output of aa-status. It should report:

    1. many profiles loaded (eg, 20 or more)
    2. many profiles in enforce mode (eg, 20 or more)
    3. 0 profiles in complain mode (unless apparmor-profiles or some other special package is installed)
    4. some process should have a profile defined
    5. some process should be in enforce mode (the same number as '4', above)
    6. 0 processes in complain mode (unless apparmor-profiles or some other special package is installed)
    7. 0 processes are unconfined but have a profile defined (the only exception is /usr/bin/lxc-start on Ubuntu Touch)
  5. Verify cache files have no errors:

    $ for i in /etc/apparmor.d/cache /var/cache/apparmor ; do echo "= $i =" ; for j in "$i"/* ; do echo -n "$j: " ; sudo apparmor_parser -B -r "$j" && echo pass || echo FAIL ; done ; done | grep FAIL
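
The aa-status checks in step 4 can be scripted. The following is an added example, not part of this test plan or of the apparmor package: it parses the summary lines aa-status prints ("N profiles are loaded.", "N processes are in enforce mode.", and so on), applies the expectations listed in step 4, and tolerates only /usr/bin/lxc-start as a process that is unconfined but has a profile defined. MIN_PROFILES and ALLOW_COMPLAIN are knobs of this script, not apparmor options (set ALLOW_COMPLAIN=1 when apparmor-profiles is installed). The embedded aa-status outputs are constructed samples, not captured from a device.

```shell
# Added example (not from the test plan or the apparmor package).
# Usage on a live system:  check_aa_status "$(sudo aa-status)" && echo PASS
# MIN_PROFILES and ALLOW_COMPLAIN are knobs of this script, not apparmor options.

aa_count() {
    # Print the leading integer of the first line of $1 matching pattern $2, else 0.
    n=$(printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print $1; exit }')
    case "$n" in
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$n" ;;
    esac
}

check_aa_status() {
    status="$1"
    min="${MIN_PROFILES:-20}"              # "many profiles" in the plan: 20 or more
    allow_complain="${ALLOW_COMPLAIN:-0}"  # 1 when apparmor-profiles is installed
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    loaded=$(aa_count "$status" 'profiles are loaded')
    p_enforce=$(aa_count "$status" 'profiles are in enforce mode')
    p_complain=$(aa_count "$status" 'profiles are in complain mode')
    defined=$(aa_count "$status" 'processes have profiles defined')
    x_enforce=$(aa_count "$status" 'processes are in enforce mode')
    x_complain=$(aa_count "$status" 'processes are in complain mode')
    unconf=$(aa_count "$status" 'processes are unconfined but have a profile defined')

    printf '%s\n' "$status" | grep -q '^apparmor module is loaded' || fail "apparmor module not loaded"
    [ "$loaded" -ge "$min" ] || fail "only $loaded profiles loaded"
    [ "$p_enforce" -ge "$min" ] || fail "only $p_enforce profiles in enforce mode"
    [ "$allow_complain" = 1 ] || [ "$p_complain" -eq 0 ] || fail "$p_complain profiles in complain mode"
    [ "$defined" -gt 0 ] || fail "no process has a profile defined"
    # Every profiled process must actually be confined (enforce or complain),
    # apart from the unconfined ones checked individually below.
    [ $((x_enforce + x_complain)) -eq $((defined - unconf)) ] || \
        fail "$x_enforce enforce + $x_complain complain != $defined profiled - $unconf unconfined"
    [ "$allow_complain" = 1 ] || [ "$x_complain" -eq 0 ] || fail "$x_complain processes in complain mode"
    if [ "$unconf" -ne 0 ]; then
        # The only permitted exception is /usr/bin/lxc-start on Ubuntu Touch; aa-status
        # lists the offending processes indented under the summary line.
        others=$(printf '%s\n' "$status" | awk '
            /unconfined but have a profile defined/ { f = 1; next }
            f && /^ / && $1 != "/usr/bin/lxc-start" { print $1 }')
        [ -z "$others" ] || fail "unconfined but profiled: $others"
    fi
    return $rc
}

# Constructed samples shaped like aa-status output (not captured from a real system).
SAMPLE_DESKTOP='apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /sbin/dhclient
   /usr/sbin/tcpdump
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /sbin/dhclient (812) 
   /usr/sbin/cupsd (901) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

SAMPLE_TOUCH='apparmor module is loaded.
31 profiles are loaded.
31 profiles are in enforce mode.
0 profiles are in complain mode.
4 processes have profiles defined.
3 processes are in enforce mode.
   /sbin/dhclient (812) 
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/lxc-start (1500) '

# Same as the Touch sample, but the unconfined process is not the permitted exception.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_TOUCH" | sed 's#/usr/bin/lxc-start#/usr/bin/evince#')
```

Run it as `check_aa_status "$(sudo aa-status)"`; it prints one FAIL line per violated expectation and exits non-zero, so it can sit directly in a landing checklist script.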

Touch only

  1. Verify Unity8 on Ubuntu Touch works by performing basic Unity8 manual testing:
    • verify networking comes up (has an ip address)
    • browser launches and can navigate pages
    • system settings opens
    • MTP music file to ~/Music (adb push to /home/phablet/Music on emulator)
    • MTP video file to ~/Videos (adb push to /home/phablet/Videos on emulator)
    • music-app can play copied music file on device (verifies mediascanner2 and media-hub. May need to search for it in the scope)
    • Videos scope can play copied video file on device (verifies mediascanner2 and media-hub. May need to search for it in the scope)
    • dialer can make/receive calls (verifies telepathy-ofono)
  2. Verify apps launch via ubuntu-app-launch on Ubuntu Touch:
    • Ensure that confined apps launch
      • in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then

      • launch a confined app (eg, start the weather app). Does it start?
      • are there any AppArmor denials in /var/log/syslog for the app? (there should be none)

      • Run sudo aa-status, is the process for the app running under confinement (in enforce mode)?

    • Ensure that webapps launch
      • in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then

      • launch a webapp (eg, start the facebook webapp). Does it start?
      • are there any AppArmor denials in /var/log/syslog for the webapp? There should be none, with one exception: a denial of the form apparmor="DENIED" operation="dbus_bind" bus="session" name="org.freedesktop.Application" mask="bind" pid=6603 profile="<profile name>" is expected as of 2014-09-09.

      • Run sudo aa-status, is the process for the webapp running under confinement (in enforce mode)?

    • Ensure that "unconfined" click apps launch (ie, those using the unconfined template):

      • in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then

      • launch an unconfined click app (eg, the terminal or file manager on armhf, or the music-app on the emulator; first verify that it still uses the unconfined template in /var/lib/apparmor/clicks/*music*.json). Does it start?
      • are there any AppArmor denials in /var/log/syslog for the app? (there should be none)

      • Run sudo aa-status, is the process for the app running under an AppArmor label (ie, profile)?

  3. Run image tests on Ubuntu Touch (emulator or touch image):

    $ bzr branch lp:qa-regression-testing
    $ cd qa-regression-testing
    $ adb push ./tests /tmp/tests
    # adb as root
    $ adb shell /tmp/tests/image/privileged/check-apparmor
    $ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/click-apparmor # 1 skipped test ok
    $ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
    
    # when new adb as non-root lands, use this: (as of 2014/09/09, still not in 14.09-proposed)
    $ adb shell sudo -i /tmp/tests/image/privileged/check-apparmor
    $ adb shell /tmp/tests/image/unprivileged/click-apparmor # emulator may have 1 failure. if so, try again. 1 skipped test ok
    $ adb shell /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu

    It is often useful for debugging to use 'tee' with the above. Eg: ... /tmp/tests/image/unprivileged/click-apparmor | tee /tmp/click-apparmor.log

  4. Launch all apps in the default install (stresses kernel a little) or up to 50 different apps
  5. Run libusermetrics tests on Touch (make sure that /var/lib/usermetrics{,/*} is owned by 'usermetrics'; see bug 1372502):

    • The above page was removed. For now:
      • Press the power button twice to display the infographic
      • Double tap the infographic until you see "# ounces of water consumed today"
      • Install 'Hydrate' from the app store
      • Launch it (search for 'hydrate' in the Application scope)
      • Within Hydrate, tap 'add water'
      • Press the power button twice to display the infographic
      • Double tap the infographic until you see "# ounces of water consumed today"
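
Watching tail -f /var/log/syslog | grep DEN for the launch checks in item 2 above leaves it to the eye to decide which denials matter. The following is an added example, not from this test plan or from click-apparmor: it reads syslog lines on stdin, keeps only apparmor="DENIED" records for the named profile, and drops the one denial item 2 marks as expected for webapps (the session-bus bind of org.freedesktop.Application). It exits non-zero when any other denial for that profile was seen. The log lines embedded below are constructed for the example and the profile names are hypothetical.

```shell
# Added example (not from the test plan or click-apparmor).
# Usage:  sudo tail -f /var/log/syslog | list_denials "<profile name>"
#    or:  list_denials "<profile name>" < /var/log/syslog; echo $?

is_expected_denial() {
    # The only denial the plan tolerates for webapps: binding org.freedesktop.Application
    # on the session bus.
    case "$1" in
        *'operation="dbus_bind"'*'bus="session"'*'name="org.freedesktop.Application"'*'mask="bind"'*) return 0 ;;
    esac
    return 1
}

list_denials() {
    # $1: exact AppArmor profile name of the app under test.
    # Prints every unexpected DENIED line for that profile; returns 1 if there were any.
    profile="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*"profile=\"$profile\""*) ;;
            *) continue ;;
        esac
        if is_expected_denial "$line"; then
            continue
        fi
        printf '%s\n' "$line"
        found=1
    done
    return $found
}

# Constructed syslog lines (not captured from a device); the profile names are hypothetical.
LOG_SAMPLE='Sep  9 10:12:33 ubuntu-phablet kernel: [ 1234.567890] type=1400 audit(1410257553.123:45): apparmor="DENIED" operation="open" profile="com.example.weather_weather_1.0" name="/etc/shadow" pid=6601 comm="weather" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Sep  9 10:12:34 ubuntu-phablet dbus[1111]: apparmor="DENIED" operation="dbus_bind"  bus="session" name="org.freedesktop.Application" mask="bind" pid=6603 profile="com.example.webapp-facebook_webapp-facebook_1.0"
Sep  9 10:12:35 ubuntu-phablet kernel: [ 1235.000000] type=1400 audit(1410257555.000:46): apparmor="DENIED" operation="open" profile="com.example.webapp-facebook_webapp-facebook_1.0" name="/home/phablet/.ssh/id_rsa" pid=6603 comm="webapp-container" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Sep  9 10:12:36 ubuntu-phablet kernel: [ 1236.000000] type=1400 audit(1410257556.000:47): apparmor="STATUS" operation="profile_replace" name="com.example.weather_weather_1.0" pid=700 comm="apparmor_parser"'
```

Matching on the exact profile="..." string rather than grep DEN avoids picking up denials from other confined processes (and the STATUS lines apparmor_parser logs on profile reload) while an app is being exercised.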

Desktop only

Note: some of these can also be run on server if preferred.

  1. Verify Ubuntu Desktop and/or Server works by performing basic login testing - eg, verify networking, verify browser launches, verify apt-get works
  2. Run QRT/scripts/test-apparmor.py on Ubuntu Desktop/Server (not on Ubuntu Touch: it needs extensive read/write permissions). Note: in the exceptional case that there are temporary new expected failures, update test-apparmor.py for them so that they do not block the kernel team's processes:

    $ bzr branch lp:qa-regression-testing
    $ cd qa-regression-testing
    $ ./scripts/make-test-tarball ./scripts/test-apparmor.py
    # To run, copy /tmp/qrt-test-apparmor.tar.gz to the target system, then do:
    $ tar -zxf qrt-test-apparmor.tar.gz
    $ cd ./qrt-test-apparmor
    $ sudo ./install-packages test-apparmor.py
    $ sudo ./test-apparmor.py -v
  3. Run image tests on Ubuntu Desktop/Server:
    • Desktop:

      $ bzr branch lp:qa-regression-testing
      $ cd qa-regression-testing
      $ scp -r ./tests username@vm:/tmp/tests
      $ ssh -tt root@vm /tmp/tests/image/privileged/check-apparmor
      $ ssh -tt root@vm apt-get install click-apparmor apparmor-easyprof-ubuntu click packagekit-tools ubuntu-app-launch ubuntu-sdk-libs

      At this point you'll need to login to Ubuntu Desktop and open a terminal and run (if someone knows how to run this over ssh, please tell :):

      $ /tmp/tests/image/unprivileged/click-apparmor
      $ /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
  4. Verify lxc container starts with new AppArmor on Ubuntu Desktop/Server:

    ~$ sudo apt-get install lxc
    # optionally adjust MIRROR in /etc/default/lxc
    ~$ sudo lxc-create -t ubuntu -n CN
    ~$ sudo lxc-start -n CN
    ...
    Ubuntu Trusty Tahr (development branch) CN console
    
    CN login: ubuntu
    Password:
    ...

    Run a few external commands:

    $ sudo lxc-ls
    CN
    $ sudo lxc-info --name CN
    Name:           CN
    State:          RUNNING
    PID:            24354
    IP:             10.0.3.153
    CPU use:        1.80 seconds
    BlkIO use:      12.18 MiB
    Memory use:     20.58 MiB
    KMem use:       0 bytes
    Link:           vethYD8QMX
     TX bytes:      2.90 KiB
     RX bytes:      6.77 KiB
     Total bytes:   9.67 KiB
    $ sudo lxc-console --name CN
    Connected to tty 1
    Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself
    
    Ubuntu Utopic Unicorn (development branch) CN tty1
    
    CN login:
    ...
    $ sudo lxc-attach --name CN uptime
     22:29:49 up  1:10,  1 user,  load average: 0.06, 0.31, 0.58

    When done, shut it down from outside the container (this also checks that the lxc tools can still control a running container):

    $ sudo lxc-stop -k -n CN
  5. Verify qemu/kvm libvirt VMs start with new AppArmor on Ubuntu Desktop/Server by using QRT/scripts/test-libvirt.py (note: there are some failures unrelated to apparmor, so do a baseline run before upgrading to compare)

  6. Verify libvirt-lxc VMs start with new AppArmor on Ubuntu Desktop/Server by following SergeHallyn_libvirtlxc

  7. Verify docker.io (need at least 1.2) containers with new AppArmor on Ubuntu Desktop/Server:

    $ sudo apt-get install docker.io # should not have libvirt or lxc co-installed
    $ sudo docker pull ubuntu:trusty
    ...
    809ed259f845: Download complete
    
    $ sudo docker images
    REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
    ubuntu              trusty              96864a7d2df3        9 hours ago         205.1 MB
    
    $ sudo docker run ubuntu:trusty uptime
     20:31:21 up 1 min,  0 users,  load average: 0.09, 0.06, 0.03
    ...
    
    $ sudo docker run -i -t ubuntu:trusty /bin/sh
    # ps
      PID TTY          TIME CMD
        1 ?        00:00:00 sh
        7 ?        00:00:00 ps

    At this point, an interactive shell is running in the terminal. In another, try a couple of operations:

    $ sudo aa-status|grep docker
       docker-default
       docker-default (2209)
    
    $ sudo docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
    e0f6f329ad29        ubuntu:trusty       "/bin/sh"           About a minute ago   Up About a minute                       cocky_davinci
    
    $ ps -Z 2209
    LABEL                             PID TTY      STAT   TIME COMMAND
    docker-default                   2209 pts/1    Ss+    0:00 /bin/sh
    
    $ sudo docker inspect e0f6f329ad29
    [{
        "Args": [],
        "Config": {
            "AttachStderr": true,
            "AttachStdin": true,
            "AttachStdout": true,
            "Cmd": [
                "/bin/sh"
            ],
    ...

    In the terminal running 'sh', now exit:

    # exit
    
    $ sudo docker ps
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
  8. Verify lightdm guest session works correctly (there will be apparmor denials, but this is expected)
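
For the lxc (step 4) and docker.io (step 7) checks, the label a process runs under can be read directly from /proc/PID/attr/current, which AppArmor reports as "<profile> (<mode>)" for a confined task and "unconfined" otherwise; it is the same information the LABEL column of ps -Z shows. The following is an added example, not from this test plan or from the lxc or docker.io packages: it parses that file's contents and checks a container's init process against the profile expected on Ubuntu (docker-default for Docker, lxc-container-default for LXC). It assumes docker inspect -f '{{.State.Pid}}' and lxc-info -n NAME -p to find the PID; the label strings used in the checks are constructed.

```shell
# Added example (not from the test plan, lxc or docker.io).
# Usage:  check_docker_container e0f6f329ad29 && echo docker OK
#         check_lxc_container CN && echo lxc OK

aa_label_of() {
    # $1: contents of /proc/PID/attr/current. Prints "<profile> <mode>", or
    # "unconfined none" for an unconfined task.
    label=$(printf '%s' "$1" | tr -d '\n')
    case "$label" in
        unconfined) echo "unconfined none" ;;
        *' ('*')')
            profile="${label% (*}"
            mode="${label##*(}"
            echo "$profile ${mode%)}" ;;
        *) echo "$label unknown" ;;
    esac
}

expect_label() {
    # $1: attr/current contents, $2: expected profile, $3: expected mode (enforce or complain)
    [ "$(aa_label_of "$1")" = "$2 $3" ]
}

check_docker_container() {
    # $1: container id or name; 0 if its init process runs under docker-default in enforce mode
    pid=$(sudo docker inspect -f '{{.State.Pid}}' "$1") || return 2
    expect_label "$(sudo cat "/proc/$pid/attr/current")" docker-default enforce
}

check_lxc_container() {
    # $1: container name; lxc-info -p prints "PID: <n>" for the container's init
    pid=$(sudo lxc-info -n "$1" -p | awk '{ print $2 }') || return 2
    expect_label "$(sudo cat "/proc/$pid/attr/current")" lxc-container-default enforce
}
```

Checking the mode as well as the profile name matters here: a container whose init is labelled docker-default (complain) would still show up under docker-default in aa-status and ps -Z, yet its policy would not be enforced.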

Additional information

While not usually necessary, it might be useful to be able to test AppArmor policy using a binary under some arbitrary Ubuntu Touch confinement policy.

  1. grab the binary from QRT (eg, armhf/confined-basic)

  2. adb push ./confined-basic /tmp

  3. run it on the device under phablet-shell:

    $ aa-exec-click -p <profile to test> -- /tmp/confined-basic -r /path/to/read-only/file
    $ aa-exec-click -p <profile to test> -- /tmp/confined-basic -w /path/to/write-only/file
    $ aa-exec-click -p <profile to test> -- /tmp/confined-basic -W /path/to/readwrite/file

Process/Merges/TestPlans/AppArmor (last edited 2020-08-31 05:59:24 by alexmurray)