AppArmor
Test plan for component: AppArmor
Component Checklist: https://wiki.ubuntu.com/Process/Merges/Checklists/AppArmor
Trunk URL: lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain
Ubuntu Package URL (LP): http://launchpad.net/ubuntu/+source/apparmor
Dependents/Clients
- click-apparmor
- apparmor-easyprof-ubuntu
- ubuntu-app-launch (uses apparmor kernel interface via upstart)
- lxc
- libvirt/libvirt-lxc
- docker.io
- usermetrics (uses libapparmor)
Test Plan
autopkgtests
- Run autopkgtests for important rdepends. Do they all exit with status '0':
- click-apparmor:
make sure the schroot is up to date (eg, autopkgtest-trusty-amd64)
download the new AppArmor binaries to ../binary
- run the tests
14.04:
$ adt-run -B ../binary/*.deb --apt-source click-apparmor --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
14.10:
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --apt-source click-apparmor --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
# or, if you also have a new click-apparmor source:
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/click-apparmor*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
- apparmor-easyprof-ubuntu:
make sure the schroot is up to date (eg, autopkgtest-trusty-amd64)
download the new AppArmor binaries to ../binary
- run the tests
14.04:
$ adt-run -B ../binary/*.deb --apt-source apparmor-easyprof-ubuntu --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-trusty-amd64 || echo "** AUTOPKGTESTS FAILED"
14.10:
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --apt-source apparmor-easyprof-ubuntu --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
# or, if you also have a new apparmor-easyprof-ubuntu source:
$ adt-run `for i in ../binary/*.deb ; do echo -n "-B $i " ; done` --source ../source/apparmor-easyprof-ubuntu*.dsc --log-file /tmp/adt.out --- adt-virt-schroot autopkgtest-utopic-amd64 || echo "** AUTOPKGTESTS FAILED"
OPTIONAL: lxc (requires autopkgtest VM. Note: runs before promotion to -proposed, but there are manual tests below that should be performed before upload)
Create a pristine VM for testing:
$ adt-buildvm-ubuntu-cloud -v
Run the lxc autopkgtests after enabling a PPA and updating and dist-upgrading:
$ adt-run --setup-commands='add-apt-repository -ys ppa:apparmor-dev/apparmor-devel' -U --apt-source lxc --log-file /tmp/lxc-adt.out --- adt-virt-qemu adt-xenial-amd64-cloud.img || echo "** AUTOPKGTESTS FAILED"
Common tests
- Install image on phone/emulator (x86) and have an up to date Ubuntu Desktop and/or Server VM
- Install freshly built packages that are needed for landing and reboot
- Eg:
devel: copy_sppa_to_repos --arch=i386,amd64,armhf --include-devel --ppa=ci-train-ppa-service/landing-NNN apparmor
rtm: copy_sppa_to_repos --include-devel -a amd64,i386,armhf --ppa=ci-train-ppa-service/landing-002 --distribution=ubuntu-rtm -r 14.09 apparmor
- Verify the system comes up and has networking (dhclient profile)
Verify the output of aa-status. It should report:
- many profiles loaded (eg, 20 or more)
- many profiles in enforce mode (eg, 20 or more)
- 0 profiles in complain mode (unless apparmor-profiles or some other special package is installed)
- some process should have a profile defined
- some process should be in enforce mode (the same number as the processes with a profile defined, above)
- 0 processes in complain mode (unless apparmor-profiles or some other special package is installed)
- 0 processes are unconfined but have a profile defined (the only exception is /usr/bin/lxc-start on Ubuntu Touch)
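As an added example (not part of the test plan itself), a small Python checker that applies the aa-status expectations above to saved output of `sudo aa-status`; the sample output embedded in it is constructed, and the `touch` flag implements the /usr/bin/lxc-start exception for Ubuntu Touch:

```python
import re
# Constructed sample of `sudo aa-status` output (not captured from a real system).
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
24 profiles are loaded.
24 profiles are in enforce mode.
   /sbin/dhclient
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
   /sbin/dhclient (1077)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
"""

# Summary lines look like "<count> profiles|processes <phrase>."; indented lines list that section's entries.
_SUMMARY = re.compile(r"^(\d+) (profiles|processes) (.+)\.$")

def parse_aa_status(text):
    """Return {"<kind> <phrase>": (count, [entries])} for each aa-status section."""
    sections, current = {}, None
    for line in text.splitlines():
        m = _SUMMARY.match(line)
        if m:
            current = m.group(2) + " " + m.group(3)   # e.g. "profiles are in enforce mode"
            sections[current] = (int(m.group(1)), [])
        elif current and line.startswith("   "):
            sections[current][1].append(line.strip())
    return sections

def check_aa_status(text, min_profiles=20, touch=False):
    """Apply the test plan's expectations; return failure messages (empty list = pass)."""
    s = parse_aa_status(text)
    count = lambda key: s.get(key, (0, []))[0]
    defined = count("processes have profiles defined")
    n, unconfined = s.get("processes are unconfined but have a profile defined", (0, []))
    if touch:  # only /usr/bin/lxc-start may be unconfined-with-profile on Ubuntu Touch
        unconfined = [e for e in unconfined if not e.startswith("/usr/bin/lxc-start")]
        n = len(unconfined)
    checks = [  # (passes?, failure message); complain mode is only fine with apparmor-profiles installed
        (count("profiles are loaded") >= min_profiles, "too few profiles loaded"),
        (count("profiles are in enforce mode") >= min_profiles, "too few profiles in enforce mode"),
        (count("profiles are in complain mode") == 0, "profiles in complain mode"),
        (defined > 0, "no running process has a profile defined"),
        (count("processes are in enforce mode") == defined, "a profiled process is not in enforce mode"),
        (count("processes are in complain mode") == 0, "processes in complain mode"),
        (n == 0, "unconfined but profiled: " + ", ".join(unconfined)),
    ]
    return [msg for ok, msg in checks if not ok]
```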
Verify cache files have no errors:
$ for i in /etc/apparmor.d/cache /var/cache/apparmor ; do echo "= $i =" ; for j in $i/* ; do echo -n "$j: " ; sudo apparmor_parser -B -r $j && echo pass || echo FAIL ; done ; done | grep FAIL
Touch only
- Verify Unity8 on Ubuntu Touch works by performing basic Unity8 manual testing:
- verify networking comes up (has an ip address)
- browser launches and can navigate pages
- system settings opens
- MTP music file to ~/Music (adb push to /home/phablet/Music on emulator)
- MTP video file to ~/Videos (adb push to /home/phablet/Videos on emulator)
- music-app can play copied music file on device (verifies mediascanner2 and media-hub. May need to search for it in the scope)
- Videos scope can play copied video file on device (verifies mediascanner2 and media-hub. May need to search for it in the scope)
- dialer can make/receive calls (verifies telepathy-ofono)
- Verify apps launch via ubuntu-app-launch on Ubuntu Touch:
- Ensure that confined apps launch
in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then
- launch a confined app (eg, start the weather app). Does it start?
are there any AppArmor denials in /var/log/syslog for the app? (there should be none)
Run sudo aa-status, is the process for the app running under confinement (in enforce mode)?
- Ensure that webapps launch
in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then
- launch a webapp (eg, start the facebook webapp). Does it start?
are there any AppArmor denials in /var/log/syslog for the webapp? (there should be none, except that apparmor="DENIED" operation="dbus_bind" bus="session" name="org.freedesktop.Application" mask="bind" pid=6603 profile="<profile name>" is expected as of 2014-09-09)
Run sudo aa-status, is the process for the webapp running under confinement (in enforce mode)?
- Ensure that "unconfined" click apps launch (ie, those using the unconfined template):
in a terminal, console or adb shell, tail -f /var/log/syslog | grep DEN, then
- launch an unconfined click app (eg, start the terminal or file manager (armhf) or music-app on emulator (verify it is still using the unconfined template in /var/lib/apparmor/clicks/*music*.json)). Does it start?
are there any AppArmor denials in /var/log/syslog for the app? (there should be none)
Run sudo aa-status, is the process for the app running under an AppArmor label (ie, profile)?
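Added example, not part of the plan: the same denial check as the `tail -f /var/log/syslog | grep DEN` steps above, done in Python over saved syslog lines so that the expected dbus_bind/org.freedesktop.Application denial is filtered out and any remaining DENIED events are grouped by profile. The log lines and click profile names are constructed.

```python
import re

# Constructed syslog excerpts in the kernel audit format AppArmor uses (not real captures);
# the profile names are made-up click profile names.
SAMPLE_SYSLOG = """\
Sep  9 10:01:02 ubuntu-phablet kernel: [  311.402] type=1400 audit(1410256862.120:71): apparmor="DENIED" operation="dbus_bind" bus="session" name="org.freedesktop.Application" mask="bind" pid=6603 profile="com.example.webapps.webapp-demo_webapp-demo_1.0"
Sep  9 10:01:03 ubuntu-phablet kernel: [  312.017] type=1400 audit(1410256863.004:72): apparmor="DENIED" operation="open" profile="com.example.weather_weather_1.0" name="/etc/hostname" pid=6610 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Sep  9 10:01:04 ubuntu-phablet kernel: [  313.500] type=1400 audit(1410256864.200:73): apparmor="STATUS" operation="profile_replace" name="com.example.weather_weather_1.0" pid=6590 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword, as emitted by the kernel audit subsystem
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in _KV.findall(line)}

def is_expected_denial(fields):
    """The one denial the plan tolerates (as of 2014-09-09): a webapp failing to bind
    org.freedesktop.Application on the session bus."""
    return (fields.get("operation") == "dbus_bind" and fields.get("bus") == "session"
            and fields.get("name") == "org.freedesktop.Application"
            and fields.get("mask") == "bind")

def unexpected_denials(log_text, profile_prefix=None):
    """Map profile -> list of DENIED events the plan does not allow; profile_prefix
    restricts the result to one app's profile(s), e.g. "com.example.weather"."""
    result = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get("apparmor") != "DENIED" or is_expected_denial(fields):
            continue
        profile = fields.get("profile", "<unknown>")
        if profile_prefix and not profile.startswith(profile_prefix):
            continue
        result.setdefault(profile, []).append(fields)
    return result
```

Feed it `adb shell cat /var/log/syslog` output (or a copy of the file) instead of the sample to check a real launch.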
Run image tests on Ubuntu Touch (emulator or touch image):
$ bzr branch lp:qa-regression-testing
$ cd qa-regression-testing
$ adb push ./tests /tmp/tests
# adb as root
$ adb shell /tmp/tests/image/privileged/check-apparmor
$ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/click-apparmor # 1 skipped test ok
$ adb shell sudo -i -u phablet /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
# when new adb as non-root lands, use this: (as of 2014/09/09, still not in 14.09-proposed)
$ adb shell sudo -i /tmp/tests/image/privileged/check-apparmor
$ adb shell /tmp/tests/image/unprivileged/click-apparmor # emulator may have 1 failure. if so, try again. 1 skipped test ok
$ adb shell /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
It is often useful for debugging to use 'tee' with the above. Eg: ... /tmp/tests/image/unprivileged/click-apparmor | tee /tmp/click-apparmor.log
- Launch all apps in the default install (stresses kernel a little) or up to 50 different apps
Run libusermetrics tests on Touch (make sure that /var/lib/usermetrics{,/*} is owned by 'usermetrics' (1372502)):
- The above page was removed. For now:
- Ensure the Hydrate app is not installed
- Press the power button twice to display the infographic
- Repeatedly double tap the infographic, verifying that you don't see "# ounces of water consumed today"
- Install 'Hydrate' from the app store
- Launch it (search for 'hydrate' in Search in the Application scope)
- Within Hydrate, tap 'add water' to log that you've consumed water for the day
- Press the power button twice to display the infographic
- Repeatedly double tap the infographic until you see "# ounces of water consumed today"
Desktop only
Note: some of these can also be run on server if preferred.
- Verify Ubuntu Desktop and/or Server works by performing basic login testing - eg, verify networking, verify browser launches, verify apt-get works
Run QRT/scripts/test-apparmor.py on Ubuntu Desktop/Server (not Ubuntu Touch, needs extensive read/write permissions. Note: in the exceptional case when there are temporary new expected failures, be sure to update test-apparmor.py for these to not block kernel team processes):
$ bzr branch lp:qa-regression-testing
$ cd qa-regression-testing
$ ./scripts/make-test-tarball ./scripts/test-apparmor.py
# To run, copy /tmp/qrt-test-apparmor.tar.gz to the target system, then do:
$ tar -zxf qrt-test-apparmor.tar.gz
$ cd ./qrt-test-apparmor
$ sudo ./install-packages test-apparmor.py
$ sudo ./test-apparmor.py -v
- Run image tests on Ubuntu Desktop/Server:
Desktop:
$ bzr branch lp:qa-regression-testing
$ cd qa-regression-testing
$ scp -r ./tests username@vm:/tmp/tests
$ ssh -tt root@vm /tmp/tests/image/privileged/check-apparmor
$ ssh -tt root@vm apt-get install click-apparmor apparmor-easyprof-ubuntu click packagekit-tools ubuntu-app-launch ubuntu-sdk-libs
At this point you'll need to login to Ubuntu Desktop and open a terminal and run (if someone knows how to run this over ssh, please tell :):
$ /tmp/tests/image/unprivileged/click-apparmor
$ /tmp/tests/image/unprivileged/apparmor-easyprof-ubuntu
Verify lxc container starts with new AppArmor on Ubuntu Desktop/Server:
~$ sudo apt-get install lxc # optionally adjust MIRROR in /etc/default/lxc
~$ sudo lxc-create -t ubuntu -n CN
~$ sudo lxc-start -n CN # later versions (eg 15.04) may not start in a console
...
Ubuntu Trusty Tahr (development branch) CN console

CN login: ubuntu
Password:
...
Run a few external commands:
$ sudo lxc-ls
CN
$ sudo lxc-info --name CN
Name:           CN
State:          RUNNING
PID:            24354
IP:             10.0.3.153
CPU use:        1.80 seconds
BlkIO use:      12.18 MiB
Memory use:     20.58 MiB
KMem use:       0 bytes
Link:           vethYD8QMX
 TX bytes:      2.90 KiB
 RX bytes:      6.77 KiB
 Total bytes:   9.67 KiB
$ sudo lxc-console --name CN

Connected to tty 1
Type <Ctrl+a q> to exit the console, <Ctrl+a Ctrl+a> to enter Ctrl+a itself

Ubuntu Utopic Unicorn (development branch) CN tty1

CN login:
...
$ sudo lxc-attach --name CN uptime
 22:29:49 up 1:10, 1 user, load average: 0.06, 0.31, 0.58
When done, shut it down with (outside the container (tests lxc-start still works to control the container)):
$ sudo lxc-stop -k -n CN
Verify lxd container starts with new AppArmor on Ubuntu Desktop/Server:
$ sudo apt-get install lxd
$ newgrp lxd
$ lxc remote add images images.linuxcontainers.org # this may already be done for you
$ lxc image list images:
...
| | 0d4bfe75bd0d | yes | Ubuntu trusty (amd64) (20160321_03:49) | x86_64 | 75.60MB | Mar 21, 2016 at 4:19am (UTC) |
...
$ lxc launch images:0d4bfe75bd0d ubuntu-64
...
Creating ubuntu-64
Retrieving image: 100%
Starting ubuntu-64
$ lxc list
+-----------+---------+-------------------+------+------------+-----------+
|   NAME    |  STATE  |       IPV4        | IPV6 |    TYPE    | SNAPSHOTS |
+-----------+---------+-------------------+------+------------+-----------+
| ubuntu-64 | RUNNING | 10.0.3.181 (eth0) |      | PERSISTENT | 0         |
+-----------+---------+-------------------+------+------------+-----------+
$ lxc info ubuntu-64
Name: ubuntu-64
Architecture: i686
Created: 2016/03/22 17:55 UTC
Status: Running
Type: persistent
Profiles: default
Pid: 2612
Processes: 8
Ips:
  eth0: inet    10.0.3.181      vethIKDBKR
  eth0: inet6   fe80::216:3eff:fe88:59b7        vethIKDBKR
  lo:   inet    127.0.0.1
  lo:   inet6   ::1
$ lxc exec ubuntu-64 /bin/bash
root@ubuntu-64:~# ls
root@ubuntu-64:~# uptime
 17:58:40 up 3 min, 0 users, load average: 0.01, 0.06, 0.05
$ lxc exec ubuntu-64 ps
  PID TTY          TIME CMD
 1552 ?        00:00:00 ps
# pull/push files
$ lxc file pull ubuntu-64/path/to/file .
$ lxc file push /path/to/file ubuntu-64/
$ lxc stop ubuntu-64
$ lxc delete ubuntu-64
Ensure that the libvirtd group is part of the current session:
$ newgrp libvirtd
Verify qemu/kvm libvirt VMs start under confinement (verify with sudo aa-status) with new AppArmor on Ubuntu Desktop/Server by using QRT/scripts/test-libvirt.py (note: there are some failures unrelated to apparmor, so do a baseline run before upgrading to compare)
Verify libvirt-lxc VMs start with new AppArmor on Ubuntu Desktop/Server by following SergeHallyn_libvirtlxc
Verify docker.io (need at least 1.2) containers with new AppArmor on Ubuntu Desktop/Server:
$ sudo apt-get install docker.io # should not have libvirt or lxc co-installed
$ sudo docker pull ubuntu:trusty
...
809ed259f845: Download complete
$ sudo docker images
REPOSITORY   TAG      IMAGE ID       CREATED       VIRTUAL SIZE
ubuntu       trusty   96864a7d2df3   9 hours ago   205.1 MB
$ sudo docker run ubuntu:trusty uptime
 20:31:21 up 1 min, 0 users, load average: 0.09, 0.06, 0.03
...
$ sudo docker run -i -t ubuntu:trusty /bin/sh
# ps
  PID TTY          TIME CMD
    1 ?        00:00:00 sh
    7 ?        00:00:00 ps
At this point, an interactive shell is running in the terminal. In another, try a couple of operations:
$ sudo aa-status|grep docker
   docker-default
   docker-default (2209)
$ sudo docker ps
CONTAINER ID   IMAGE           COMMAND     CREATED              STATUS              PORTS   NAMES
e0f6f329ad29   ubuntu:trusty   "/bin/sh"   About a minute ago   Up About a minute           cocky_davinci
$ ps -Z 2209
LABEL             PID TTY      STAT   TIME COMMAND
docker-default   2209 pts/1    Ss+    0:00 /bin/sh
$ sudo docker inspect e0f6f329ad29
[{
    "Args": [],
    "Config": {
        "AttachStderr": true,
        "AttachStdin": true,
        "AttachStdout": true,
        "Cmd": [
            "/bin/sh"
        ],
...
In the terminal running 'sh', now exit:
# exit
$ sudo docker ps
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
- Verify lightdm guest session works correctly (there will be apparmor denials, but this is expected)
Verify snappy works ok:
$ sudo apt-get install ubuntu-snappy
$ sudo snappy install ubuntu-core
$ sudo snappy install hello-world
$ su - `id -un` # to update your PATH to include /snaps/bin
$ hello-world.evil
Hello Evil World!
This example demonstrates the app confinement
You should see a permission denied error next
/snaps/hello-world.canonical/6.0/bin/evil: 9: /snaps/hello-world.canonical/6.0/bin/evil: cannot create /var/tmp/myevil.txt: Permission denied
$ hello-world.sh
Launching a shell inside the default app confinement.
Navigate to your app-specific directories with:

  $ cd $SNAP
  $ cd $SNAP_DATA
  $ cd $SNAP_USER_DATA

bash-4.3$ cat /etc/fstab
cat: /etc/fstab: Permission denied
bash-4.3$ exit
$ sudo aa-status | grep hello-world # verify profiles are loaded
Additional information
While not usually necessary, it might be useful to be able to test AppArmor policy using a binary under some arbitrary Ubuntu Touch confinement policy.
grab the binary from QRT (eg, armhf/confined-basic)
adb push ./confined-basic /tmp
run it on the device under phablet-shell:
$ aa-exec-click -p <profile to test> -- /tmp/confined-basic -r /path/to/read-only/file
$ aa-exec-click -p <profile to test> -- /tmp/confined-basic -w /path/to/write-only/file
$ aa-exec-click -p <profile to test> -- /tmp/confined-basic -W /path/to/readwrite/file
Process/Merges/TestPlans/AppArmor (last edited 2020-08-31 05:59:24 by alexmurray)