[apparmor] [PATCH 2/2] tests: Verify delegation of fd inheritance

Seth Arnold seth.arnold at canonical.com
Fri Aug 9 02:18:40 UTC 2013


On Thu, Aug 08, 2013 at 06:57:21PM -0700, Tyler Hicks wrote:
> Add a new set of tests that verify delegation of file descriptors when
> they are inherited across combinations of confined and unconfined processes.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

> ---
>  tests/regression/apparmor/Makefile          |  3 ++
>  tests/regression/apparmor/fd_inheritance.c  | 59 ++++++++++++++++++++++
>  tests/regression/apparmor/fd_inheritance.sh | 76 +++++++++++++++++++++++++++++
>  tests/regression/apparmor/fd_inheritor.c    | 61 +++++++++++++++++++++++
>  4 files changed, 199 insertions(+)
>  create mode 100644 tests/regression/apparmor/fd_inheritance.c
>  create mode 100755 tests/regression/apparmor/fd_inheritance.sh
>  create mode 100644 tests/regression/apparmor/fd_inheritor.c
> 
> diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
> index 2021f51..e686ddc 100644
> --- a/tests/regression/apparmor/Makefile
> +++ b/tests/regression/apparmor/Makefile
> @@ -33,6 +33,8 @@ SRC=access.c \
>      fchgrp.c \
>      fchmod.c \
>      fchown.c \
> +    fd_inheritance.c \
> +    fd_inheritor.c \
>      fork.c \
>      link.c \
>      link_subset.c \
> @@ -123,6 +125,7 @@ TESTS=access \
>        exec \
>        exec_qual \
>        fchdir \
> +      fd_inheritance \
>        fork \
>        i18n \
>        link \
> diff --git a/tests/regression/apparmor/fd_inheritance.c b/tests/regression/apparmor/fd_inheritance.c
> new file mode 100644
> index 0000000..43d7a14
> --- /dev/null
> +++ b/tests/regression/apparmor/fd_inheritance.c
> @@ -0,0 +1,59 @@
> +/*
> + *   Copyright (c) 2013
> + *   Canonical, Ltd. (All rights reserved)
> + *
> + *   This program is free software; you can redistribute it and/or
> + *   modify it under the terms of version 2 of the GNU General Public
> + *   License published by the Free Software Foundation.
> + *
> + *   This program is distributed in the hope that it will be useful,
> + *   but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *   GNU General Public License for more details.
> + *
> + *   You should have received a copy of the GNU General Public License
> + *   along with this program; if not, contact Novell, Inc. or Canonical
> + *   Ltd.
> + */
> +
> +#include <fcntl.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <sys/stat.h>
> +#include <sys/types.h>
> +#include <unistd.h>
> +
> +#define BUF_LEN		128
> +#define FD_STR_LEN	4
> +
> +int main(int argc, char *argv[])
> +{
> +	char buf[BUF_LEN + 1], fd_str[FD_STR_LEN + 1];
> +	int fd, rc;
> +
> +	if (argc != 3) {
> +		fprintf(stderr, "Usage: %s <file> <exec>\n", argv[0]);
> +		exit(1);
> +	}
> +
> +	fd = open(argv[1], O_RDONLY);
> +	if (fd < 0) {
> +		perror("FAIL - open");
> +		exit(1);
> +	}
> +
> +	memset(buf, 0, sizeof(buf));
> +	rc = read(fd, buf, BUF_LEN);
> +	if (rc < 0) {
> +		perror("FAIL - read");
> +		exit(1);
> +	}
> +
> +	memset(fd_str, 0, sizeof(fd_str));
> +	snprintf(fd_str, FD_STR_LEN, "%d", fd);
> +	execl(argv[2], argv[2], fd_str, buf, NULL);
> +
> +	perror("FAIL - execl");
> +	exit(1);
> +}
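Review bot: The snprintf() at the end of main() bounds the write by FD_STR_LEN (4) rather than by the buffer's real size (FD_STR_LEN + 1), and its return value is never checked, so a descriptor number that does not fit is silently truncated and a wrong fd string is handed to the inheritor, which would then report a misleading read/lseek failure rather than a truncation error. Suggested replacement: `rc = snprintf(fd_str, sizeof(fd_str), "%d", fd);` followed by `if (rc < 0 || rc >= (int)sizeof(fd_str)) { fprintf(stderr, "FAIL - fd %d does not fit in fd_str\n", fd); exit(1); }`. Since the whole test hinges on the descriptor surviving exec, a comment before execl() would also help a reader: `/* fd is deliberately left open without O_CLOEXEC so the exec'd inheritor receives it */`. Note that the parent reads at most BUF_LEN (128) bytes, so only that prefix of the file is ever passed to the child for comparison.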
> diff --git a/tests/regression/apparmor/fd_inheritance.sh b/tests/regression/apparmor/fd_inheritance.sh
> new file mode 100755
> index 0000000..1356ae8
> --- /dev/null
> +++ b/tests/regression/apparmor/fd_inheritance.sh
> @@ -0,0 +1,76 @@
> +#!/bin/bash
> +#
> +#   Copyright (c) 2013
> +#   Canonical, Ltd. (All rights reserved)
> +#
> +#   This program is free software; you can redistribute it and/or
> +#   modify it under the terms of version 2 of the GNU General Public
> +#   License published by the Free Software Foundation.
> +#
> +#   This program is distributed in the hope that it will be useful,
> +#   but WITHOUT ANY WARRANTY; without even the implied warranty of
> +#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +#   GNU General Public License for more details.
> +#
> +#   You should have received a copy of the GNU General Public License
> +#   along with this program; if not, contact Novell, Inc. or Canonical
> +#   Ltd.
> +#
> +
> +#=NAME fd_inheritance
> +#=DESCRIPTION
> +# This test verifies that file descriptor inheritance results in the expected
> +# delegation, or lack thereof, between various combinations of confined and
> +# unconfined processes.
> +#=END
> +
> +pwd=`dirname $0`
> +pwd=`cd $pwd ; /bin/pwd`
> +
> +bin=$pwd
> +
> +. $bin/prologue.inc
> +
> +file=$tmpdir/file
> +inheritor=$bin/fd_inheritor
> +okperm=r
> +badperm=w
> +
> +cat > $file << EOF
> +0a7eb75b2a54eaf86aa8d7b4c6cc945c
> +70a2265ba96d962d993c97689ff09904
> +d3e773e2a4a0cc9d7e28eb217a4241ce
> +1437d6c55ef788d3bcd27ab14e9382a9
> +EOF
> +
> +runchecktest "fd inheritance; unconfined -> unconfined" pass $file $inheritor
> +
> +genprofile $file:$okperm $inheritor:Ux
> +runchecktest "fd inheritance; confined -> unconfined" pass $file $inheritor
> +
> +genprofile $file:$badperm $inheritor:Ux
> +runchecktest "fd inheritance; confined (bad perm) -> unconfined" fail $file $inheritor
> +
> +genprofile $inheritor:Ux
> +runchecktest "fd inheritance; confined (no perm) -> unconfined" fail $file $inheritor
> +
> +genprofile image=$inheritor $file:$okperm
> +runchecktest "fd inheritance; unconfined -> confined" pass $file $inheritor
> +
> +genprofile image=$inheritor
> +runchecktest "fd inheritance; unconfined -> confined (no perm)" pass $file $inheritor
> +
> +genprofile $file:$okperm $inheritor:Px -- image=$inheritor $file:$okperm
> +runchecktest "fd inheritance; confined -> confined" pass $file $inheritor
> +
> +genprofile $file:$badperm $inheritor:Px -- image=$inheritor $file:$okperm
> +runchecktest "fd inheritance; confined (bad perm) -> confined" fail $file $inheritor
> +
> +genprofile $inheritor:Px -- image=$inheritor $file:$okperm
> +runchecktest "fd inheritance; confined (no perm) -> confined" fail $file $inheritor
> +
> +genprofile $file:$okperm $inheritor:Px -- image=$inheritor $file:$badperm
> +runchecktest "fd inheritance; confined -> confined (bad perm)" fail $file $inheritor
> +
> +genprofile $file:$okperm $inheritor:Px -- image=$inheritor
> +runchecktest "fd inheritance; confined -> confined (no perm)" fail $file $inheritor
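Review bot: The heredoc writes four 33-byte lines (132 bytes including newlines), but fd_inheritance.c and fd_inheritor.c both read only BUF_LEN (128) bytes, so the last four bytes of the file are never compared; the test still passes, but the mismatch between file size and buffer size is a trap for anyone who later edits either side. A one-line comment above the `cat > $file` would make the coupling explicit: `# fd_inheritance/fd_inheritor compare only the first 128 bytes (BUF_LEN) of this file`. genprofile, runchecktest and $tmpdir come from prologue.inc, which is outside this patch.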
> diff --git a/tests/regression/apparmor/fd_inheritor.c b/tests/regression/apparmor/fd_inheritor.c
> new file mode 100644
> index 0000000..dbae6fd
> --- /dev/null
> +++ b/tests/regression/apparmor/fd_inheritor.c
> @@ -0,0 +1,61 @@
> +/*
> + *   Copyright (c) 2013
> + *   Canonical, Ltd. (All rights reserved)
> + *
> + *   This program is free software; you can redistribute it and/or
> + *   modify it under the terms of version 2 of the GNU General Public
> + *   License published by the Free Software Foundation.
> + *
> + *   This program is distributed in the hope that it will be useful,
> + *   but WITHOUT ANY WARRANTY; without even the implied warranty of
> + *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + *   GNU General Public License for more details.
> + *
> + *   You should have received a copy of the GNU General Public License
> + *   along with this program; if not, contact Novell, Inc. or Canonical
> + *   Ltd.
> + */
> +
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <sys/types.h>
> +#include <unistd.h>
> +
> +#define BUF_LEN		128
> +
> +int main(int argc, char *argv[])
> +{
> +	char buf[BUF_LEN + 1];
> +	int fd, rc;
> +
> +	if (argc != 3) {
> +		fprintf(stderr, "Usage: %s <fd#> <contents>\n", argv[0]);
> +		exit(1);
> +	}
> +
> +	fd = atoi(argv[1]);
> +
> +	rc = lseek(fd, 0, SEEK_SET);
> +	if (rc) {
> +		perror("FAIL INHERITOR - lseek");
> +		exit(1);
> +	}
> +
> +	memset(buf, 0, sizeof(buf));
> +	rc = read(fd, buf, BUF_LEN);
> +	if (rc < 0) {
> +		perror("FAIL INHERITOR - read");
> +		exit(1);
> +	}
> +
> +	if (strcmp(argv[2], buf)) {
> +		fprintf(stderr,
> +			"FAIL INHERITOR - expected \"%s\" but read \"%s\"\n",
> +			argv[2], buf);
> +		exit(1);
> +	}
> +
> +	printf("PASS\n");
> +	exit(0);
> +}
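Review bot: `fd = atoi(argv[1]);` accepts garbage, an empty string or a negative value without complaint, so a malformed argument from fd_inheritance.c turns into an EBADF from lseek() that looks like a delegation failure rather than a harness bug. Parse with strtol() and reject anything that is not a complete, non-negative int, printing a distinct "FAIL INHERITOR" message so the failure is attributable; this needs `<errno.h>` and `<limits.h>` added to the include list. The rest of main() (lseek, read, strcmp) can stay as is.
```c
	errno = 0;
	char *end;
	long val = strtol(argv[1], &end, 10);
	if (end == argv[1] || *end != '\0' || errno == ERANGE ||
	    val < 0 || val > INT_MAX) {
		fprintf(stderr, "FAIL INHERITOR - bad fd \"%s\"\n", argv[1]);
		exit(1);
	}
	fd = (int)val;

	/* … unchanged: lseek, read, strcmp against argv[2], PASS … */
```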
> -- 
> 1.8.3.2
> 
> 