[apparmor] [PATCH] tests: Update unix_socket.sh for kernel ABI v7

Tyler Hicks tyhicks at canonical.com
Mon Aug 11 23:06:09 UTC 2014


Kernel ABI v6 only required 'w' permissions for the parent process that
creates the socket, accepts a connection, writes to the socket, and
reads from the socket.

Kernel ABI v7 will require 'rw' permissions for the parent process. This
change detects the current kernel ABI version and adjusts the parent
process's confinement appropriately. It also performs a negative test to
make sure that 'w' is not sufficient.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/unix_socket.sh | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/tests/regression/apparmor/unix_socket.sh b/tests/regression/apparmor/unix_socket.sh
index 0df0db3..3d70886 100755
--- a/tests/regression/apparmor/unix_socket.sh
+++ b/tests/regression/apparmor/unix_socket.sh
@@ -34,8 +34,15 @@ sockpath_pathname=${tmpdir}/unix_socket.sock
 sockpath_abstract="@apparmor_unix_socket"
 message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
 8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c
+
+# v6 requires 'w' and v7 requires 'rw'
 okserver=w
-badserver=r
+badserver1=r
+badserver2=
+if [ "$(have_features policy/versions/v7)" == "true" ] ; then
+	okserver=rw
+	badserver2=w
+fi
 
 okclient=rw
 badclient1=r
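Review bot: the feature test `if [ "$(have_features policy/versions/v7)" == "true" ]` uses `==` inside `[ ]`, which is a bash extension; `=` is the portable spelling and behaves the same under bash, so prefer it unless the script is guaranteed to run under bash. The check also keys on the v7 feature alone, while the comment added later in this patch says "ABI v7 or newer". If a later kernel could advertise a newer version without listing v7, the test would silently fall back to the v6 expectations, so the comment here should state which assumption is being relied on.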
@@ -91,10 +98,20 @@ testsocktype()
 
 	# FAIL - server w/ bad access to the file
 
-	genprofile $sockpath:$badserver $client:Ux
-	runchecktest "$testdesc; confined server w/ bad access ($badserver)" fail $args
+	genprofile $sockpath:$badserver1 $client:Ux
+	runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
 	removesocket $sockpath
 
+	# $badserver2 is set to non-null at the top of the test script if the
+	# kernel advertises ABI v7 or newer
+	if [ -n "$badserver2" ] ; then
+		# FAIL - server w/ bad access to the file
+
+		genprofile $sockpath:$badserver2 $client:Ux
+		runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
+		removesocket $sockpath
+	fi
+
 	# PASS - client w/ access to the file
 
 	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
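Review bot: the new `if [ -n "$badserver2" ]` block repeats the `genprofile` / `runchecktest` / `removesocket` stanza directly above it, differing only in the variable, and carries the same "# FAIL - server w/ bad access to the file" comment. A loop such as `for access in $badserver1 $badserver2 ; do ... done` would cover both cases, skip the empty value on v6 kernels without an explicit test, and keep the two negative cases from drifting apart. If the block stays as written, the inner comment should say that this case checks that 'w' alone is not sufficient under v7, since that is the reason the case exists.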
-- 
2.1.0.rc1



