[apparmor] [PATCH 1/2] tests: Verify delegation of fd passing

Tyler Hicks tyhicks at canonical.com
Fri Aug 9 01:57:20 UTC 2013


This patch broadens the testing of file descriptor passing over Unix
domain sockets, but the real focus is on passing a file descriptor from
an unconfined server to a confined client. The confined client should
have full access to the file descriptor, despite not having a
corresponding file rule in its profile, due to delegation.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/unix_fd_server.sh | 77 ++++++++++++++++++++++++++---
 1 file changed, 71 insertions(+), 6 deletions(-)

diff --git a/tests/regression/apparmor/unix_fd_server.sh b/tests/regression/apparmor/unix_fd_server.sh
index 3092635..68fdcf2 100755
--- a/tests/regression/apparmor/unix_fd_server.sh
+++ b/tests/regression/apparmor/unix_fd_server.sh
@@ -42,27 +42,92 @@ EOM
 # lets just be on the safe side
 rm -f ${socket}
 
-# PASS - unconfined client
+# PASS - unconfined -> unconfined
+
+runchecktest "fd passing; unconfined -> unconfined" pass $file $socket $fd_client
+
+sleep 1
+rm -f ${socket}
+
+# PASS - confined -> unconfined
 
 genprofile $file:$okperm $socket:rw $fd_client:ux
 
-runchecktest "fd passing; unconfined client" pass $file $socket $fd_client
+runchecktest "fd passing; confined -> unconfined" pass $file $socket $fd_client
+
+sleep 1
+rm -f ${socket}
+
+# FAIL - confined (bad perm) -> unconfined
+
+genprofile $file:$badperm $socket:rw $fd_client:ux
+
+runchecktest "fd passing; confined (bad perm) -> unconfined" fail $file $socket $fd_client
+
+sleep 1
+rm -f ${socket}
+
+# FAIL - confined (no perm) -> unconfined
+
+genprofile $socket:rw $fd_client:ux
+
+runchecktest "fd passing; confined (no perm) -> unconfined" fail $file $socket $fd_client
+
+sleep 1
+rm -f ${socket}
+
+# PASS (due to delegation) - unconfined -> confined
+
+genprofile image=$fd_client $file:$okperm $socket:rw
+runchecktest "fd passing; unconfined -> confined" pass $file $socket $fd_client
+
+sleep 1
+rm -f ${socket}
+
+# PASS (due to delegation) - unconfined -> confined (no perm)
+
+genprofile image=$fd_client $socket:rw
+runchecktest "fd passing; unconfined -> confined (no perm)" pass $file $socket $fd_client
 
 sleep 1
 rm -f ${socket}
 
-# PASS - confined client, rw access to the file
+# PASS - confined -> confined
 
 genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
-runchecktest "fd passing; confined client w/ rw" pass $file $socket $fd_client
+runchecktest "fd passing; confined -> confined" pass $file $socket $fd_client
+
+sleep 1
+rm -f ${socket}
+
+# FAIL - confined (bad perm) -> confined
+
+genprofile $file:$badperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
+runchecktest "fd passing; confined (bad perm) -> confined" fail $file $socket $fd_client
 
 sleep 1
 rm -f ${socket}
-# FAIL - confined client, w access to the file
+
+# FAIL - confined (no perm) -> confined
+
+genprofile $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
+runchecktest "fd passing; confined (no perm) -> confined" fail $file $socket $fd_client
+
+sleep 1
+rm -f ${socket}
+
+# FAIL - confined -> confined (bad perm)
 
 genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
-runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client
+runchecktest "fd passing; confined -> confined (bad perm)" fail $file $socket $fd_client
 
 sleep 1
 rm -f ${socket}
 
+# FAIL - confined -> confined (no perm)
+
+genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $socket:rw
+runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd_client
+
+sleep 1
+rm -f ${socket}
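Review bot: The `sleep 1` / `rm -f ${socket}` cleanup pair is now repeated after every runchecktest (first at L31–L32, then eight more times through L119–L120), so a one-line helper such as `cleanup_socket() { sleep 1; rm -f -- "${socket}"; }` called after each case would keep the nine cases uniform and keep the timing assumption in one place. The fixed one-second wait presumably exists to let the forked server exit before its socket is unlinked; if that is the intent, a comment on the first occurrence, `# give the server time to exit before removing its socket`, would make the bare sleep read as deliberate rather than arbitrary. The new `unconfined -> unconfined` case at L29 runs with no preceding genprofile call in the hunk, so whether a profile from earlier setup is still loaded at that point cannot be told from here; the script's setup (`$file`, `$socket`, `$fd_client`, `$okperm`, `$badperm`) lies before the hunk.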
-- 
1.8.3.2



