[apparmor] [PATCH 1/2] tests: Verify delegation of fd passing

Seth Arnold seth.arnold at canonical.com
Fri Aug 9 02:23:26 UTC 2013 

On Thu, Aug 08, 2013 at 06:57:20PM -0700, Tyler Hicks wrote:
> This patch broadens the testing of file descriptor passing over Unix
> domain sockets, but the real focus is on passing a file descriptor from
> an unconfined server to a confined client. The confined client should
> have full access to the file descriptor, despite not having a
> corresponding file rule in its profile, due to delegation.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  tests/regression/apparmor/unix_fd_server.sh | 77 ++++++++++++++++++++++++++---
>  1 file changed, 71 insertions(+), 6 deletions(-)
> 
> diff --git a/tests/regression/apparmor/unix_fd_server.sh b/tests/regression/apparmor/unix_fd_server.sh
> index 3092635..68fdcf2 100755
> --- a/tests/regression/apparmor/unix_fd_server.sh
> +++ b/tests/regression/apparmor/unix_fd_server.sh
> @@ -42,27 +42,92 @@ EOM
>  # lets just be on the safe side
>  rm -f ${socket}
>  
> -# PASS - unconfined client
> +# PASS - unconfined -> unconfined
> +
> +runchecktest "fd passing; unconfined -> unconfined" pass $file $socket $fd_client
> +
> +sleep 1
> +rm -f ${socket}
> +
> +# PASS - confined -> unconfined
>  
>  genprofile $file:$okperm $socket:rw $fd_client:ux
>  
> -runchecktest "fd passing; unconfined client" pass $file $socket $fd_client
> +runchecktest "fd passing; confined -> unconfined" pass $file $socket $fd_client
> +
> +sleep 1
> +rm -f ${socket}
> +
> +# FAIL - confined (bad perm) -> unconfined
> +
> +genprofile $file:$badperm $socket:rw $fd_client:ux
> +
> +runchecktest "fd passing; confined (bad perm) -> unconfined" fail $file $socket $fd_client
> +
> +sleep 1
> +rm -f ${socket}
> +
> +# FAIL - confined (no perm) -> unconfined
> +
> +genprofile $socket:rw $fd_client:ux
> +
> +runchecktest "fd passing; confined (no perm) -> unconfined" fail $file $socket $fd_client
> +
> +sleep 1
> +rm -f ${socket}
> +
> +# PASS (due to delegation) - unconfined -> confined
> +
> +genprofile image=$fd_client $file:$okperm $socket:rw
> +runchecktest "fd passing; unconfined -> confined" pass $file $socket $fd_client
> +
> +sleep 1
> +rm -f ${socket}
> +
> +# PASS (due to delegation) - unconfined -> confined (no perm)
> +
> +genprofile image=$fd_client $socket:rw
> +runchecktest "fd passing; unconfined -> confined (no perm)" pass $file $socket $fd_client
>  
>  sleep 1
>  rm -f ${socket}
>  
> -# PASS - confined client, rw access to the file
> +# PASS - confined -> confined
>  
>  genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
> -runchecktest "fd passing; confined client w/ rw" pass $file $socket $fd_client
> +runchecktest "fd passing; confined -> confined" pass $file $socket $fd_client
> +
> +sleep 1
> +rm -f ${socket}
> +
> +# FAIL - confined (bad perm) -> confined
> +
> +genprofile $file:$badperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
> +runchecktest "fd passing; confined (bad perm) -> confined" fail $file $socket $fd_client
>  
>  sleep 1
>  rm -f ${socket}
> -# FAIL - confined client, w access to the file
> +
> +# FAIL - confined (no perm) -> confined
> +
> +genprofile $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
> +runchecktest "fd passing; confined (no perm) -> confined" fail $file $socket $fd_client
> +
> +sleep 1
> +rm -f ${socket}
> +
> +# FAIL - confined -> confined (bad perm)
>  
>  genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
> -runchecktest "fd passing; confined client w/ w only" fail $file $socket $fd_client
> +runchecktest "fd passing; confined -> confined (bad perm)" fail $file $socket $fd_client
>  
>  sleep 1
>  rm -f ${socket}
>  
> +# FAIL - confined -> confined (no perm)
> +
> +genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $socket:rw
> +runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd_client
> +
> +sleep 1
> +rm -f ${socket}
> -- 
> 1.8.3.2
> 
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20130808/c9188814/attachment.pgp>

More information about the AppArmor mailing list