[apparmor] [PATCH] tests: Add more named pipe tests
Tyler Hicks
tyhicks at canonical.com
Thu Jun 5 23:21:31 UTC 2014
Allow for the parent and child processes to change into separate hats to
verify named pipe communications between hats with varying permissions.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/named_pipe.c | 69 +++++++++++++++++++++++----------
tests/regression/apparmor/named_pipe.sh | 37 +++++++++++++++---
2 files changed, 79 insertions(+), 27 deletions(-)
diff --git a/tests/regression/apparmor/named_pipe.c b/tests/regression/apparmor/named_pipe.c
index 382f779..8e1d1ad 100644
--- a/tests/regression/apparmor/named_pipe.c
+++ b/tests/regression/apparmor/named_pipe.c
@@ -66,14 +66,6 @@ int do_parent (char * hat, char * file)
{
int fd;
- fd=open(file, O_RDONLY, 0);
- if (fd == -1){
- fprintf(stderr, "FAIL: open read %s failed - %s\n",
- file,
- strerror(errno));
- return 1;
- }
-
/* change hat if hatname != nochange */
if (strcmp(hat, "nochange") != 0){
if (change_hat(hat, SD_ID_MAGIC+1) == -1){
@@ -83,21 +75,28 @@ int do_parent (char * hat, char * file)
}
}
- return(do_read(fd));
-}
-
-int do_child (char * hat, char * file)
-{
- int fd;
+ if (alarm(5) != 0) {
+ fprintf(stderr, "FAIL: alarm already set\n");
+ exit(1);
+ }
- fd=open(file, O_WRONLY, 0);
+ fd=open(file, O_RDONLY, 0);
if (fd == -1){
- fprintf(stderr, "FAIL: open write %s failed - %s\n",
+ fprintf(stderr, "FAIL: open read %s failed - %s\n",
file,
strerror(errno));
return 1;
}
+ alarm(0);
+
+ return(do_read(fd));
+}
+
+int do_child (char * hat, char * file)
+{
+ int fd;
+
/* change hat if hatname != nochange */
if (strcmp(hat, "nochange") != 0){
if (change_hat(hat, SD_ID_MAGIC+1) == -1){
@@ -107,22 +106,49 @@ int do_child (char * hat, char * file)
}
}
+ fd=open(file, O_WRONLY, 0);
+ if (fd == -1){
+ fprintf(stderr, "FAIL: open write %s failed - %s\n",
+ file,
+ strerror(errno));
+ return 1;
+ }
+
return (do_write(fd));
}
+pid_t pid = -1;
+
+void kill_child(void)
+{
+ if (pid > 0)
+ kill(pid, SIGKILL);
+}
+
+void sigalrm_handler(int sig)
+{
+ fprintf(stderr, "FAIL: parent timed out waiting for child\n");
+ exit(1);
+}
+
int main(int argc, char *argv[])
{
int rc;
- pid_t pid;
int waitstatus;
int read_error = 0;
- if (argc != 3){
- fprintf(stderr, "usage: %s hatname filename\n",
+ if (argc != 4){
+ fprintf(stderr, "usage: %s parent_hatname child_hatname filename\n",
argv[0]);
return 1;
}
+ if (signal(SIGALRM, sigalrm_handler) == SIG_ERR) {
+ fprintf(stderr, "FAIL: signal failed - %s\n",
+ strerror(errno));
+ exit(1);
+ }
+
pid = fork();
if (pid == -1) {
fprintf(stderr, "FAIL: fork failed - %s\n",
@@ -130,7 +156,8 @@ int main(int argc, char *argv[])
exit(1);
} else if (pid != 0) {
/* parent */
- read_error = do_parent(argv[1], argv[2]);
+ atexit(kill_child);
+ read_error = do_parent(argv[1], argv[3]);
rc = wait(&waitstatus);
if (rc == -1){
fprintf(stderr, "FAIL: wait failed - %s\n",
@@ -139,7 +166,7 @@ int main(int argc, char *argv[])
}
} else {
/* child */
- exit(do_child(argv[1], argv[2]));
+ exit(do_child(argv[2], argv[3]));
}
if ((WIFEXITED(waitstatus) != 0) && (WEXITSTATUS(waitstatus) == 0)
diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh
index 9253bd4..0b09daf 100755
--- a/tests/regression/apparmor/named_pipe.sh
+++ b/tests/regression/apparmor/named_pipe.sh
@@ -22,38 +22,63 @@ bin=$pwd
. $bin/prologue.inc
-subtest=sub
fifo=${tmpdir}/pipe
+
+subtest=sub
okperm=rw
+subparent=parent
+okparent=r
+
+subchild=child
+okchild=w
+
mknod ${fifo} p
# NAMED PIPE - no confinement
-runchecktest "NAMED PIPE (no confinement)" pass nochange ${fifo}
+runchecktest "NAMED PIPE (no confinement)" pass nochange nochange ${fifo}
# PIPE - confined.
#rm -f ${fifo} && mknod ${fifo} p
genprofile $fifo:${okperm}
-runchecktest "NAMED PIPE RW (confinement)" pass nochange ${fifo}
+runchecktest "NAMED PIPE RW (confinement)" pass nochange nochange ${fifo}
# PIPE - confined - no access.
#rm -f ${fifo} && mknod ${fifo} p
genprofile
-runchecktest "NAMED PIPE (confinement)" fail nochange ${fifo}
+runchecktest "NAMED PIPE (confinement)" fail nochange nochange ${fifo}
# PIPE - in a subprofile.
#rm -f ${fifo} && mknod ${fifo} p
genprofile ${fifo}:${okperm} hat:$subtest ${fifo}:${okperm}
-runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${fifo}
+runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${subtest} ${fifo}
# PIPE - in a subprofile - no access
#rm -f ${fifo} && mknod ${fifo} p
genprofile ${fifo}:${okperm} hat:$subtest
-runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${fifo}
+runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${subtest} ${fifo}
+
+# PIPE - in separate subprofiles
+
+genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild ${fifo}:${okchild}
+
+runchecktest "NAMED PIPE RW (parent & child subprofiles)" pass ${subparent} ${subchild} ${fifo}
+
+# PIPE - in separate subprofiles - no access for child
+
+genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild
+
+runchecktest "NAMED PIPE R (parent & child subprofiles)" fail ${subparent} ${subchild} ${fifo}
+
+# PIPE - in separate subprofiles - no access for parent
+
+genprofile hat:$subparent hat:$subchild ${fifo}:${okchild}
+
+runchecktest "NAMED PIPE W (parent & child subprofiles)" fail ${subparent} ${subchild} ${fifo}
--
1.9.1
More information about the AppArmor
mailing list