Activation test: exercise what happens with nonexistent AppArmor labels

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98666

test/Makefile.am

@@ -385,6 +385,8 @@ in_data = \
 	data/dbus-installed-tests.aaprofile.in \
 	data/systemd-activation/com.example.ReceiveDeniedByAppArmorLabel.service.in \
 	data/systemd-activation/com.example.SendDeniedByAppArmorLabel.service.in \
+	data/systemd-activation/com.example.SendDeniedByNonexistentAppArmorLabel.service.in \
+	data/systemd-activation/com.example.SystemdActivatable3.service.in \
 	data/valid-config-files-system/debug-allow-all-fail.conf.in \
 	data/valid-config-files-system/debug-allow-all-pass.conf.in \
 	data/valid-config-files/debug-allow-all-sha1.conf.in \
@@ -473,7 +475,6 @@ static_data = \
 	data/systemd-activation/com.example.SendDeniedByAppArmorName.service \
 	data/systemd-activation/com.example.SystemdActivatable1.service \
 	data/systemd-activation/com.example.SystemdActivatable2.service \
-	data/systemd-activation/com.example.SystemdActivatable3.service \
 	data/systemd-activation/org.freedesktop.systemd1.service \
 	data/valid-config-files/basic.conf \
 	data/valid-config-files/basic.d/basic.conf \

test/data/dbus-installed-tests.aaprofile.in

@@ -50,6 +50,9 @@
 
     deny dbus send peer=(label=@DBUS_TEST_EXEC@/test-apparmor-activation//com.example.SendDeniedByAppArmorLabel),
     deny dbus send peer=(name=com.example.SendDeniedByAppArmorName),
+
+    # There is no profile of this name. That's deliberate.
+    deny dbus send peer=(label=@DBUS_TEST_EXEC@/test-apparmor-activation-com.example.SendDeniedByNonexistentAppArmorLabel),
   }
 
   # Used when we check that XML-based policy still works.

test/data/systemd-activation/com.example.SendDeniedByNonexistentAppArmorLabel.service.in

@@ -0,0 +1,6 @@
+[D-BUS Service]
+Name=com.example.SendDeniedByNonexistentAppArmorLabel
+Exec=/bin/false SendDeniedByNonexistentAppArmorLabel
+SystemdService=dbus-com.example.SendDeniedByNonexistentAppArmorLabel.service
+# This label is not defined in any AppArmor profile
+AssumedAppArmorLabel=@DBUS_TEST_EXEC@/test-apparmor-activation-com.example.SendDeniedByNonexistentAppArmorLabel

test/data/systemd-activation/com.example.SystemdActivatable3.service

@@ -1,4 +0,0 @@
-[D-BUS Service]
-Name=com.example.SystemdActivatable3
-Exec=/bin/false 3
-SystemdService=dbus-com.example.SystemdActivatable3.service

test/data/systemd-activation/com.example.SystemdActivatable3.service.in

@@ -0,0 +1,7 @@
+[D-BUS Service]
+Name=com.example.SystemdActivatable3
+Exec=/bin/false 3
+SystemdService=dbus-com.example.SystemdActivatable3.service
+# This AppArmor label doesn't actually exist, but that's OK - nothing
+# prevents us from sending messages to it.
+AssumedAppArmorLabel=@DBUS_TEST_EXEC@/test-apparmor-activation-com.example.SystemdActivatable3

test/sd-activation.c

@@ -828,6 +828,9 @@ main (int argc,
   g_test_add ("/sd-activation/apparmor/deny-send/by-label", Fixture,
       "com.example.SendDeniedByAppArmorLabel",
       setup, test_deny_send, teardown);
+  g_test_add ("/sd-activation/apparmor/deny-send/by-nonexistent-label", Fixture,
+      "com.example.SendDeniedByNonexistentAppArmorLabel",
+      setup, test_deny_send, teardown);
   g_test_add ("/sd-activation/apparmor/deny-send/by-name", Fixture,
       "com.example.SendDeniedByAppArmorName",
       setup, test_deny_send, teardown);