Join GitHub today
GitHub is home to over 20 million developers working together to host and review code, manage projects, and build software together.
interfaces: allow read access to /etc/machine-id and @{PROC}/@{pid}/smaps #1441
Conversation
jdstrand
added some commits
Jun 29, 2016
|
Looks good. (we should start to figure out spread tests for stuff like this) |
zyga
merged commit 9f4c69d
into
snapcore:master
Jun 29, 2016
|
Thanks! As for spread tests, I think by far the most important test is making sure the policy compiles. The best way to do this would be to create a snap with all the interfaces for classic and one for all the interfaces on native and then generate/load the policy into the kernel (or just run apparmor_parser -QTK /path/to/profile which doesn't require root and proves it compiles). I went down the road in another project of trying to do tests for each rule, but this is a maintenance nightmare since there are thousands of rules. File rules are easy enough to test (cat /path/to/file for read for example), but unix, dbus, etc, etc get difficult fast. Seccomp rules are harder still since you end up writing C code to use the syscall). That said, a combination is probably acceptable-- do the compile tests and then for really important rules add tests (ie, make sure we never allow loading a kernel module). |
jdstrand commentedJun 29, 2016
No description provided.