[apparmor] [PATCH] tests: Add more named pipe tests

Tyler Hicks tyhicks at canonical.com
Thu Jun 5 23:21:31 UTC 2014


Allow for the parent and child processes to change into separate hats to
verify named pipe communications between hats with varying permissions.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/named_pipe.c  | 69 +++++++++++++++++++++++----------
 tests/regression/apparmor/named_pipe.sh | 37 +++++++++++++++---
 2 files changed, 79 insertions(+), 27 deletions(-)

diff --git a/tests/regression/apparmor/named_pipe.c b/tests/regression/apparmor/named_pipe.c
index 382f779..8e1d1ad 100644
--- a/tests/regression/apparmor/named_pipe.c
+++ b/tests/regression/apparmor/named_pipe.c
@@ -66,14 +66,6 @@ int do_parent (char * hat, char * file)
 {
 	int fd;
 
-	fd=open(file, O_RDONLY, 0);
-	if (fd == -1){
-		fprintf(stderr, "FAIL: open read %s failed - %s\n",
-			file,
-			strerror(errno));
-		return 1;
-	}
-
 	/* change hat if hatname != nochange */
 	if (strcmp(hat, "nochange") != 0){
 		if (change_hat(hat, SD_ID_MAGIC+1) == -1){
@@ -83,21 +75,28 @@ int do_parent (char * hat, char * file)
 		}
 	}
 
-	return(do_read(fd));
-}
-
-int do_child (char * hat, char * file)
-{
-	int fd;
+	if (alarm(5) != 0) {
+		fprintf(stderr, "FAIL: alarm already set\n");
+		exit(1);
+	}
 
-	fd=open(file, O_WRONLY, 0);
+	fd=open(file, O_RDONLY, 0);
 	if (fd == -1){
-		fprintf(stderr, "FAIL: open write %s failed - %s\n",
+		fprintf(stderr, "FAIL: open read %s failed - %s\n",
 			file,
 			strerror(errno));
 		return 1;
 	}
 
+	alarm(0);
+
+	return(do_read(fd));
+}
+
+int do_child (char * hat, char * file)
+{
+	int fd;
+
 	/* change hat if hatname != nochange */
 	if (strcmp(hat, "nochange") != 0){
 		if (change_hat(hat, SD_ID_MAGIC+1) == -1){
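Review bot: The `return 1` after a failed `open()` in do_parent leaves the 5-second alarm armed, so the timeout silently carries over into main()'s `wait()`. That appears to be what ends the run when the child is still blocked in its own `open()`, but nothing in the code says so. I would add a comment above that `return 1;`, for example `/* alarm stays armed on purpose: it bounds wait() in main() if the child is stuck in open() */`, or call `alarm(0)` there if the carry-over is not intended. Note also that `alarm(0)` runs before `do_read(fd)`, so the read itself is not covered by the timeout; do_read is not visible here, so whether it can block indefinitely is unconfirmed. do_parent starts above this hunk and do_child continues below it.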
@@ -107,22 +106,49 @@ int do_child (char * hat, char * file)
 		}
 	}
 
+	fd=open(file, O_WRONLY, 0);
+	if (fd == -1){
+		fprintf(stderr, "FAIL: open write %s failed - %s\n",
+			file,
+			strerror(errno));
+		return 1;
+	}
+
 	return (do_write(fd));
 }
 
+pid_t pid = -1;
+
+void kill_child(void)
+{
+	if (pid > 0)
+		kill(pid, SIGKILL);
+}
+
+void sigalrm_handler(int sig)
+{
+	fprintf(stderr, "FAIL: parent timed out waiting for child\n");
+	exit(1);
+}
+
 int main(int argc, char *argv[])
 {
 	int rc;
-	pid_t pid;
 	int waitstatus;
 	int read_error = 0;
 
-	if (argc != 3){
-		fprintf(stderr, "usage: %s hatname filename\n",
+	if (argc != 4){
+		fprintf(stderr, "usage: %s parent_hatname child_hatname filename\n",
 			argv[0]);
 		return 1;
 	}
 
+	if (signal(SIGALRM, sigalrm_handler) == SIG_ERR) {
+		fprintf(stderr, "FAIL: signal failed - %s\n",
+			strerror(errno));
+		exit(1);
+	}
+
 	pid = fork();
 	if (pid == -1) {
 		fprintf(stderr, "FAIL: fork failed - %s\n",
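Review bot: sigalrm_handler calls `fprintf()` and `exit()`, neither of which is async-signal-safe, and `exit()` additionally runs the atexit handlers from signal context. Here the alarm will normally interrupt a blocking `open()` or `wait()`, so the practical risk is low, but the handler can be limited to `write()`, `kill()` and `_exit()` with the same outcome; since `_exit()` skips atexit handlers, the child is killed directly in the handler. `sigaction()` would also be preferable to `signal()`, whose semantics vary between systems. main() continues past the end of this hunk.

```c
void sigalrm_handler(int sig)
{
	static const char msg[] = "FAIL: parent timed out waiting for child\n";

	(void)sig;
	/* async-signal-safe calls only: write(), kill(), _exit() */
	(void)write(STDERR_FILENO, msg, sizeof(msg) - 1);
	if (pid > 0)
		kill(pid, SIGKILL);	/* _exit() does not run kill_child() */
	_exit(1);
}
```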
@@ -130,7 +156,8 @@ int main(int argc, char *argv[])
 		exit(1);
 	} else if (pid != 0) {
 		/* parent */
-		read_error = do_parent(argv[1], argv[2]);
+		atexit(kill_child);
+		read_error = do_parent(argv[1], argv[3]);
 		rc = wait(&waitstatus);
 		if (rc == -1){
 			fprintf(stderr, "FAIL: wait failed - %s\n",
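Review bot: `atexit(kill_child)` is registered, but `pid` is never reset after `wait()` reaps the child, so on the normal exit path kill_child still sends SIGKILL to that pid number, which by then may have been reused by an unrelated process. The window is small, but this regression test presumably runs with enough privilege for the signal to be delivered. Resetting the variable once the wait has succeeded closes it: `pid = -1;` after the `rc == -1` check. The return value of `atexit()` is also unchecked. The error branch of the wait check and the rest of main() lie outside this hunk.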
@@ -139,7 +166,7 @@ int main(int argc, char *argv[])
 		}
 	} else {
 		/* child */
-		exit(do_child(argv[1], argv[2]));
+		exit(do_child(argv[2], argv[3]));
 	}
 
 	if ((WIFEXITED(waitstatus) != 0) && (WEXITSTATUS(waitstatus) == 0) 
diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh
index 9253bd4..0b09daf 100755
--- a/tests/regression/apparmor/named_pipe.sh
+++ b/tests/regression/apparmor/named_pipe.sh
@@ -22,38 +22,63 @@ bin=$pwd
 
 . $bin/prologue.inc
 
-subtest=sub
 fifo=${tmpdir}/pipe
+
+subtest=sub
 okperm=rw
 
+subparent=parent
+okparent=r
+
+subchild=child
+okchild=w
+
 mknod ${fifo} p
 
 # NAMED PIPE - no confinement 
 
-runchecktest "NAMED PIPE (no confinement)" pass nochange ${fifo}
+runchecktest "NAMED PIPE (no confinement)" pass nochange nochange ${fifo}
 
 # PIPE - confined.
 
 #rm -f ${fifo} && mknod ${fifo} p
 genprofile $fifo:${okperm}
-runchecktest "NAMED PIPE RW (confinement)" pass nochange ${fifo}
+runchecktest "NAMED PIPE RW (confinement)" pass nochange nochange ${fifo}
 
 # PIPE - confined - no access.
 
 #rm -f ${fifo} && mknod ${fifo} p
 genprofile 
-runchecktest "NAMED PIPE (confinement)" fail nochange ${fifo}
+runchecktest "NAMED PIPE (confinement)" fail nochange nochange ${fifo}
 
 # PIPE - in a subprofile.
 
 #rm -f ${fifo} && mknod ${fifo} p
 genprofile ${fifo}:${okperm} hat:$subtest ${fifo}:${okperm}
 
-runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${fifo}
+runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${subtest} ${fifo}
 
 # PIPE - in a subprofile - no access
 
 #rm -f ${fifo} && mknod ${fifo} p
 genprofile ${fifo}:${okperm} hat:$subtest
 
-runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${fifo}
+runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${subtest} ${fifo}
+
+# PIPE - in separate subprofiles
+
+genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild ${fifo}:${okchild}
+
+runchecktest "NAMED PIPE RW (parent & child subprofiles)" pass ${subparent} ${subchild} ${fifo}
+
+# PIPE - in separate subprofiles - no access for child
+
+genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild
+
+runchecktest "NAMED PIPE R (parent & child subprofiles)" fail ${subparent} ${subchild} ${fifo}
+
+# PIPE - in separate subprofiles - no access for parent
+
+genprofile hat:$subparent hat:$subchild ${fifo}:${okchild}
+
+runchecktest "NAMED PIPE W (parent & child subprofiles)" fail ${subparent} ${subchild} ${fifo}
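Review bot: The two new `fail` cases remove the FIFO rule from one hat entirely, so they show that a hat with no rule is denied, but not that the granted mode is enforced between hats. A case with the modes swapped would cover that: `genprofile hat:$subparent ${fifo}:${okchild} hat:$subchild ${fifo}:${okparent}` followed by `runchecktest "NAMED PIPE (parent & child subprofiles, swapped perms)" fail ${subparent} ${subchild} ${fifo}`. Separately, in the one-sided cases the process that is still allowed to open the FIFO blocks until the 5-second alarm added in named_pipe.c fires (as far as the C hunks show), so an expected `fail` there cannot be told apart from an unrelated hang. A short comment above those two cases stating that the timeout is the expected path would help the next reader.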
-- 
1.9.1



