[apparmor] [PATCH] tests: Update unix_socket.sh for kernel ABI v7
Seth Arnold
seth.arnold at canonical.com
Tue Aug 12 01:15:20 UTC 2014
On Mon, Aug 11, 2014 at 06:06:09PM -0500, Tyler Hicks wrote:
> Kernel ABI v6 only required 'w' permissions for the parent process that
> creates the socket, accepts a connection, writes to the socket, and
> reads from the socket.
>
> Kernel ABI v7 will require 'rw' permissions for the parent process. This
> change detects the current kernel ABI version and adjusts the parent
> process's confinement appropriately. It also performs a negative test to
> make sure that 'w' is not sufficient.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> tests/regression/apparmor/unix_socket.sh | 23 ++++++++++++++++++++---
> 1 file changed, 20 insertions(+), 3 deletions(-)
>
> diff --git a/tests/regression/apparmor/unix_socket.sh b/tests/regression/apparmor/unix_socket.sh
> index 0df0db3..3d70886 100755
> --- a/tests/regression/apparmor/unix_socket.sh
> +++ b/tests/regression/apparmor/unix_socket.sh
> @@ -34,8 +34,15 @@ sockpath_pathname=${tmpdir}/unix_socket.sock
> sockpath_abstract="@apparmor_unix_socket"
> message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
> 8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c
> +
> +# v6 requires 'w' and v7 requires 'rw'
> okserver=w
> -badserver=r
> +badserver1=r
> +badserver2=
> +if [ "$(have_features policy/versions/v7)" == "true" ] ; then
> + okserver=rw
> + badserver2=w
> +fi
>
> okclient=rw
> badclient1=r
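Review bot: In the added `if [ "$(have_features policy/versions/v7)" == "true" ] ; then` line, `==` inside `[ ]` is a bash extension; `=` is the portable spelling and compares the same way here. The empty `badserver2=` also doubles as the flag that turns the extra negative test on or off in the second hunk, so a short comment at the assignment (for example "empty means skip the 'w'-only negative test") would document that coupling where the variable is defined. The new comment `# v6 requires 'w' and v7 requires 'rw'` could say that it refers to the server (parent) side, since `okclient` and `badclient1` directly below follow different rules.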
> @@ -91,10 +98,20 @@ testsocktype()
>
> # FAIL - server w/ bad access to the file
>
> - genprofile $sockpath:$badserver $client:Ux
> - runchecktest "$testdesc; confined server w/ bad access ($badserver)" fail $args
> + genprofile $sockpath:$badserver1 $client:Ux
> + runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
> removesocket $sockpath
>
> + # $badserver2 is set to non-null at the top of the test script if the
> + # kernel advertises ABI v7 or newer
> + if [ -n "$badserver2" ] ; then
> + # FAIL - server w/ bad access to the file
> +
> + genprofile $sockpath:$badserver2 $client:Ux
> + runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
> + removesocket $sockpath
> + fi
> +
> # PASS - client w/ access to the file
>
> genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
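Review bot: The block under `if [ -n "$badserver2" ]` repeats the same `genprofile` / `runchecktest` / `removesocket` sequence as the `$badserver1` case directly above it, so a loop such as `for perm in $badserver1 $badserver2 ; do` (unquoted, so an empty `badserver2` simply drops out) would cover both cases without the duplication and without the separate `-n` test. If the two blocks stay separate, the second `# FAIL - server w/ bad access to the file` comment should say what is different about it, namely that 'w' alone must be rejected under v7. The comment "if the kernel advertises ABI v7 or newer" also states more than the first hunk checks: that hunk tests only `policy/versions/v7`, so "or newer" holds only if later ABIs keep advertising that feature, and the comment should either say so or drop the phrase.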
> --
> 2.1.0.rc1