[apparmor] [PATCH] tests: Update unix_socket.sh for kernel ABI v7

Seth Arnold seth.arnold at canonical.com
Tue Aug 12 01:15:20 UTC 2014


On Mon, Aug 11, 2014 at 06:06:09PM -0500, Tyler Hicks wrote:
> Kernel ABI v6 only required 'w' permissions for the parent process that
> creates the socket, accepts a connection, writes to the socket, and
> reads from the socket.
> 
> Kernel ABI v7 will require 'rw' permissions for the parent process. This
> change detects the current kernel ABI version and adjusts the parent
> process's confinement appropriately. It also performs a negative test to
> make sure that 'w' is not sufficient.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  tests/regression/apparmor/unix_socket.sh | 23 ++++++++++++++++++++---
>  1 file changed, 20 insertions(+), 3 deletions(-)
> 
> diff --git a/tests/regression/apparmor/unix_socket.sh b/tests/regression/apparmor/unix_socket.sh
> index 0df0db3..3d70886 100755
> --- a/tests/regression/apparmor/unix_socket.sh
> +++ b/tests/regression/apparmor/unix_socket.sh
> @@ -34,8 +34,15 @@ sockpath_pathname=${tmpdir}/unix_socket.sock
>  sockpath_abstract="@apparmor_unix_socket"
>  message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
>  8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c
> +
> +# v6 requires 'w' and v7 requires 'rw'
>  okserver=w
> -badserver=r
> +badserver1=r
> +badserver2=
> +if [ "$(have_features policy/versions/v7)" == "true" ] ; then
> +	okserver=rw
> +	badserver2=w
> +fi
>  
>  okclient=rw
>  badclient1=r
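
Review bot: the feature test in the added `if` uses `==` inside single brackets (`[ "$(have_features policy/versions/v7)" == "true" ]`), which is a bash extension. `=` is the portable string comparison for `[` and behaves the same under bash. The new comment "v6 requires 'w' and v7 requires 'rw'" would also read better if it said it refers to the server (parent) side, since okclient on the next lines is already rw.
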
> @@ -91,10 +98,20 @@ testsocktype()
>  
>  	# FAIL - server w/ bad access to the file
>  
> -	genprofile $sockpath:$badserver $client:Ux
> -	runchecktest "$testdesc; confined server w/ bad access ($badserver)" fail $args
> +	genprofile $sockpath:$badserver1 $client:Ux
> +	runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
>  	removesocket $sockpath
>  
> +	# $badserver2 is set to non-null at the top of the test script if the
> +	# kernel advertises ABI v7 or newer
> +	if [ -n "$badserver2" ] ; then
> +		# FAIL - server w/ bad access to the file
> +
> +		genprofile $sockpath:$badserver2 $client:Ux
> +		runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
> +		removesocket $sockpath
> +	fi
> +
>  	# PASS - client w/ access to the file
>  
>  	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
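
Review bot: the comment above the new `if [ -n "$badserver2" ]` block says badserver2 is set when the kernel advertises "ABI v7 or newer", but the check at the top of the script tests only policy/versions/v7. The negative test therefore runs on later ABIs only if they keep advertising that feature, so either reword the comment to match the check or state that assumption. The inner comment "# FAIL - server w/ bad access to the file" also duplicates the one above the badserver1 case; noting that this is the write-only case that v7 no longer accepts would make a failure easier to interpret.
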
> -- 
> 2.1.0.rc1