[apparmor] [PATCH 5/5] tests: Add regression tests for dbus eavesdrop rules

Tyler Hicks tyhicks at canonical.com
Fri Dec 6 18:28:00 UTC 2013


On 2013-12-05 18:59:11, Seth Arnold wrote:
> On Tue, Nov 19, 2013 at 06:16:25PM -0800, Tyler Hicks wrote:
> > Simple regression test that calls AddMatch using a match string that
> > sets up eavesdropping on all method call messages.
> > 
> > The shell script file runs the test unconfined and under a variety of
> > confinement profiles to make sure that eavesdropping confinement is
> > working as intended.
> > 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> 
> This looks mostly good, a few small comments inline. Address them as you
> wish.
> 
> Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks for all of the reviews!

<snip>

> > @@ -101,6 +102,7 @@ TESTS=access \
> >        chdir \
> >        clone \
> >        coredump \
> > +      dbus_eavesdrop \
> >        dbus_message \
> >        dbus_service \
> >        deleted \
> > @@ -152,6 +154,9 @@ changehat_pthread: changehat_pthread.c changehat.h
> >  dbus_common.o: dbus_common.c dbus_common.h
> >  	${CC} ${CFLAGS} ${LDFLAGS} $^ -c ${LDLIBS} $(shell pkg-config --cflags --libs dbus-1)
> >  
> > +dbus_eavesdrop: dbus_eavesdrop.c dbus_common.o
> > +	${CC} ${CFLAGS} ${LDFLAGS} $^ -o dbus_eavesdrop ${LDLIBS} $(shell pkg-config --cflags --libs dbus-1)
> > +
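
Review bot: the new dbus_eavesdrop recipe repeats the "$(shell pkg-config --cflags --libs dbus-1)" call already present in the dbus_common.o recipe above it, so pkg-config is invoked separately by each recipe, and if it fails the expansion is empty and the problem only shows up as a compiler or linker error. Consider evaluating the pkg-config output once into a make variable and referencing that variable from both rules, which also gives one place to check that dbus-1 was found.
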
> 
> I know this was just following the nearby pattern, but dbus_eavesdrop
> in the recipe could be replaced with $@. Up to you.

I'll clean this new rule and the other rules up in a new patch.

> 
> (I've got a feeling the two rules could even be combined but my make-fu is
> failing me tonight. Another item for the lowest-priority task list. :)

Maybe. I'll give it some thought.

<snip>

> > +gendbusprofile "dbus eavesdrop,"
> > +runchecktest "eavesdrop (confined w/ only eavesdrop allowed)" fail $args
> > +
> > +# Make sure we're okay when confined with appropriate permissions
> > +
> > +gendbusprofile "dbus,"
> > +runchecktest "eavesdrop (dbus allowed)" pass $args
> > +
> > +gendbusprofile "dbus (send eavesdrop),"
> > +runchecktest "eavesdrop (send, receive bind allowed)" pass $args
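
Review bot: the "dbus eavesdrop," case that expects fail has no comment explaining why a profile granting only eavesdrop should be denied, while the pass cases after it are introduced by one. Judging from the two pass profiles ("dbus," and "dbus (send eavesdrop),"), the test appears to need send permission for the AddMatch call itself; a one-line comment above the fail case saying so would keep the expected result from reading like a mistake.
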
> 
> I think the text doesn't match the generated profile; receive and bind
> aren't listed explicitly here.

Good catch. I'll change the text to:

  "eavesdrop (send, eavesdrop allowed)"

Tyler