From 7e1040b855da26edf9f3cd287cf84d335759d5e3 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Mon, 21 Nov 2016 21:18:15 +0000
Subject: [PATCH 10/10] Activation test: exercise what happens with nonexistent AppArmor labels

Signed-off-by: Simon McVittie
---
 test/Makefile.am | 3 ++-
 test/data/dbus-installed-tests.aaprofile.in | 3 +++
 .../com.example.SendDeniedByNonexistentAppArmorLabel.service.in | 6 ++++++
 .../systemd-activation/com.example.SystemdActivatable3.service | 4 ----
 .../systemd-activation/com.example.SystemdActivatable3.service.in | 7 +++++++
 test/sd-activation.c | 3 +++
 6 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 test/data/systemd-activation/com.example.SendDeniedByNonexistentAppArmorLabel.service.in
 delete mode 100644 test/data/systemd-activation/com.example.SystemdActivatable3.service
 create mode 100644 test/data/systemd-activation/com.example.SystemdActivatable3.service.in

diff --git a/test/Makefile.am b/test/Makefile.am
index 3773132..959b86e 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -380,6 +380,8 @@ in_data = \
 data/dbus-installed-tests.aaprofile.in \
 data/systemd-activation/com.example.ReceiveDeniedByAppArmorLabel.service.in \
 data/systemd-activation/com.example.SendDeniedByAppArmorLabel.service.in \
+ data/systemd-activation/com.example.SendDeniedByNonexistentAppArmorLabel.service.in \
+ data/systemd-activation/com.example.SystemdActivatable3.service.in \
 data/valid-config-files-system/debug-allow-all-fail.conf.in \
 data/valid-config-files-system/debug-allow-all-pass.conf.in \
 data/valid-config-files/debug-allow-all-sha1.conf.in \
@@ -468,7 +470,6 @@ static_data = \
 data/systemd-activation/com.example.SendDeniedByAppArmorName.service \
 data/systemd-activation/com.example.SystemdActivatable1.service \
 data/systemd-activation/com.example.SystemdActivatable2.service \
- data/systemd-activation/com.example.SystemdActivatable3.service \
 data/systemd-activation/org.freedesktop.systemd1.service \
 data/valid-config-files/basic.conf \
 data/valid-config-files/basic.d/basic.conf \
diff --git a/test/data/dbus-installed-tests.aaprofile.in b/test/data/dbus-installed-tests.aaprofile.in
index de34c2d..b19ee7a 100644
--- a/test/data/dbus-installed-tests.aaprofile.in
+++ b/test/data/dbus-installed-tests.aaprofile.in
@@ -50,6 +50,9 @@
 deny dbus send peer=(label=@DBUS_TEST_EXEC@/test-apparmor-activation//com.example.SendDeniedByAppArmorLabel),
 deny dbus send peer=(name=com.example.SendDeniedByAppArmorName),
+
+ # There is no profile of this name. That's deliberate.
+ deny dbus send peer=(label=@DBUS_TEST_EXEC@/test-apparmor-activation-com.example.SendDeniedByNonexistentAppArmorLabel),
 }
 # Used when we check that XML-based policy still works.
diff --git a/test/data/systemd-activation/com.example.SendDeniedByNonexistentAppArmorLabel.service.in b/test/data/systemd-activation/com.example.SendDeniedByNonexistentAppArmorLabel.service.in
new file mode 100644
index 0000000..bf843b1
--- /dev/null
+++ b/test/data/systemd-activation/com.example.SendDeniedByNonexistentAppArmorLabel.service.in
@@ -0,0 +1,6 @@
+[D-BUS Service]
+Name=com.example.SendDeniedByNonexistentAppArmorLabel
+Exec=/bin/false SendDeniedByNonexistentAppArmorLabel
+SystemdService=dbus-com.example.SendDeniedByNonexistentAppArmorLabel.service
+# This label is not defined in any AppArmor profile
+AssumedAppArmorLabel=@DBUS_TEST_EXEC@/test-apparmor-activation-com.example.SendDeniedByNonexistentAppArmorLabel
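Review bot: The comment added in dbus-installed-tests.aaprofile.in says the missing profile is deliberate but not why, and the new label differs from the existing by-label rule in the same hunk mainly by using `-` where that rule has `//`, so it is easy to misread as a typo for a child profile. If I read the intent correctly, it could say `# No profile with this label is ever loaded; the deny has to take effect from the label string alone.` The same label is repeated in com.example.SendDeniedByNonexistentAppArmorLabel.service.in, so a second line such as `# Must match AssumedAppArmorLabel in the corresponding .service.in file.` would make it obvious that the two have to change together. The profile block this rule belongs to starts outside the hunk.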
diff --git a/test/data/systemd-activation/com.example.SystemdActivatable3.service b/test/data/systemd-activation/com.example.SystemdActivatable3.service
deleted file mode 100644
index f6f0559..0000000
--- a/test/data/systemd-activation/com.example.SystemdActivatable3.service
+++ /dev/null
@@ -1,4 +0,0 @@
-[D-BUS Service]
-Name=com.example.SystemdActivatable3
-Exec=/bin/false 3
-SystemdService=dbus-com.example.SystemdActivatable3.service
diff --git a/test/data/systemd-activation/com.example.SystemdActivatable3.service.in b/test/data/systemd-activation/com.example.SystemdActivatable3.service.in
new file mode 100644
index 0000000..0518064
--- /dev/null
+++ b/test/data/systemd-activation/com.example.SystemdActivatable3.service.in
@@ -0,0 +1,7 @@
+[D-BUS Service]
+Name=com.example.SystemdActivatable3
+Exec=/bin/false 3
+SystemdService=dbus-com.example.SystemdActivatable3.service
+# This AppArmor label doesn't actually exist, but that's OK - nothing
+# prevents us from sending messages to it.
+AssumedAppArmorLabel=@DBUS_TEST_EXEC@/test-apparmor-activation-com.example.SystemdActivatable3
diff --git a/test/sd-activation.c b/test/sd-activation.c
index f296d32..24ac210 100644
--- a/test/sd-activation.c
+++ b/test/sd-activation.c
@@ -828,6 +828,9 @@ main (int argc,
 g_test_add ("/sd-activation/apparmor/deny-send/by-label", Fixture,
 "com.example.SendDeniedByAppArmorLabel",
 setup, test_deny_send, teardown);
+ g_test_add ("/sd-activation/apparmor/deny-send/by-nonexistent-label", Fixture,
+ "com.example.SendDeniedByNonexistentAppArmorLabel",
+ setup, test_deny_send, teardown);
 g_test_add ("/sd-activation/apparmor/deny-send/by-name", Fixture,
 "com.example.SendDeniedByAppArmorName",
 setup, test_deny_send, teardown);
-- 
2.10.2
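Review bot: The new `by-nonexistent-label` registration in main() reuses test_deny_send, and a denial alone does not show that the profile's deny rule caused it; a bus that refused every activation whose AssumedAppArmorLabel has no loaded profile would pass the same way. The control for that appears to be the AssumedAppArmorLabel this patch adds to com.example.SystemdActivatable3, but nothing at the registration says so. A comment above the new g_test_add, for example `/* Label has no loaded profile; com.example.SystemdActivatable3 is the allowed counterpart. */`, would keep the pair from being separated later. Whether this case is skipped when the test binary is not confined by the test profile is decided outside the hunk, since the rest of main() and test_deny_send are not shown.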