[apparmor] [PATCH] tests: Add more named pipe tests

Tyler Hicks tyhicks at canonical.com
Tue Jun 10 16:56:20 UTC 2014


On 2014-06-09 22:15:08, Steve Beattie wrote:
> On Thu, Jun 05, 2014 at 06:21:31PM -0500, Tyler Hicks wrote:
> > Allow for the parent and child processes to change into separate hats to
> > verify named pipe communications between hats with varying permissions.
> > 
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> Acked-by: Steve Beattie <steve at nxnw.org>

Thanks for the review!

Unfortunately, I found an issue with this patch. It doesn't add signal
rules to the profiles when the kernel is performing signal mediation.
The parent process kills the child at exit, so "signal," needs to be
added to all the hats. I'll send out a patch for this.

> 
> Some additional test dimensions to consider:
>  1) parent or child in a hat, but not the other

Which one of these two scenarios are you talking about:

  1) One process in the main profile and the other in a hat
  2) One process unconfined and the other in a hat

The first one is already tested earlier in named_pipe.sh. The second one
is not currently tested.

>  2) wrong access to the named pipe in one hat (e.g. requires read, given
>     write access)

I'll send out a patch that adds these tests.

Tyler

> 
> Thanks!
> 
> > ---
> >  tests/regression/apparmor/named_pipe.c  | 69 +++++++++++++++++++++++----------
> >  tests/regression/apparmor/named_pipe.sh | 37 +++++++++++++++---
> >  2 files changed, 79 insertions(+), 27 deletions(-)
> > 
> > diff --git a/tests/regression/apparmor/named_pipe.c b/tests/regression/apparmor/named_pipe.c
> > index 382f779..8e1d1ad 100644
> > --- a/tests/regression/apparmor/named_pipe.c
> > +++ b/tests/regression/apparmor/named_pipe.c
> > @@ -66,14 +66,6 @@ int do_parent (char * hat, char * file)
> >  {
> >  	int fd;
> >  
> > -	fd=open(file, O_RDONLY, 0);
> > -	if (fd == -1){
> > -		fprintf(stderr, "FAIL: open read %s failed - %s\n",
> > -			file,
> > -			strerror(errno));
> > -		return 1;
> > -	}
> > -
> >  	/* change hat if hatname != nochange */
> >  	if (strcmp(hat, "nochange") != 0){
> >  		if (change_hat(hat, SD_ID_MAGIC+1) == -1){
> > @@ -83,21 +75,28 @@ int do_parent (char * hat, char * file)
> >  		}
> >  	}
> >  
> > -	return(do_read(fd));
> > -}
> > -
> > -int do_child (char * hat, char * file)
> > -{
> > -	int fd;
> > +	if (alarm(5) != 0) {
> > +		fprintf(stderr, "FAIL: alarm already set\n");
> > +		exit(1);
> > +	}
> >  
> > -	fd=open(file, O_WRONLY, 0);
> > +	fd=open(file, O_RDONLY, 0);
> >  	if (fd == -1){
> > -		fprintf(stderr, "FAIL: open write %s failed - %s\n",
> > +		fprintf(stderr, "FAIL: open read %s failed - %s\n",
> >  			file,
> >  			strerror(errno));
> >  		return 1;
> >  	}
> >  
> > +	alarm(0);
> > +
> > +	return(do_read(fd));
> > +}
> > +
> > +int do_child (char * hat, char * file)
> > +{
> > +	int fd;
> > +
> >  	/* change hat if hatname != nochange */
> >  	if (strcmp(hat, "nochange") != 0){
> >  		if (change_hat(hat, SD_ID_MAGIC+1) == -1){
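Review bot: The open-failure branch in do_parent returns 1 with the 5-second alarm still armed, because `alarm(0)` is reached only after a successful open(). It looks as though the later wait() in main then relies on that leftover SIGALRM to get out when the child is blocked opening the FIFO for write. If so, a denied parent open takes the full timeout and reports "timed out" on top of the open error. If that is intended, document it at the failure branch with something like `/* alarm stays armed on failure so wait() in main cannot hang */`; otherwise cancel the alarm there and kill the child explicitly. do_parent starts above this hunk and do_child continues below it.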
> > @@ -107,22 +106,49 @@ int do_child (char * hat, char * file)
> >  		}
> >  	}
> >  
> > +	fd=open(file, O_WRONLY, 0);
> > +	if (fd == -1){
> > +		fprintf(stderr, "FAIL: open write %s failed - %s\n",
> > +			file,
> > +			strerror(errno));
> > +		return 1;
> > +	}
> > +
> >  	return (do_write(fd));
> >  }
> >  
> > +pid_t pid = -1;
> > +
> > +void kill_child(void)
> > +{
> > +	if (pid > 0)
> > +		kill(pid, SIGKILL);
> > +}
> > +
> > +void sigalrm_handler(int sig)
> > +{
> > +	fprintf(stderr, "FAIL: parent timed out waiting for child\n");
> > +	exit(1);
> > +}
> > +
> >  int main(int argc, char *argv[])
> >  {
> >  	int rc;
> > -	pid_t pid;
> >  	int waitstatus;
> >  	int read_error = 0;
> >  
> > -	if (argc != 3){
> > -		fprintf(stderr, "usage: %s hatname filename\n",
> > +	if (argc != 4){
> > +		fprintf(stderr, "usage: %s parent_hatname child_hatname filename\n",
> >  			argv[0]);
> >  		return 1;
> >  	}
> >  
> > +	if (signal(SIGALRM, sigalrm_handler) == SIG_ERR) {
> > +		fprintf(stderr, "FAIL: signal failed - %s\n",
> > +			strerror(errno));
> > +		exit(1);
> > +	}
> > +
> >  	pid = fork();
> >  	if (pid == -1) {
> >  		fprintf(stderr, "FAIL: fork failed - %s\n",
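Review bot: sigalrm_handler calls fprintf() and exit() from signal context, and neither is async-signal-safe; exit() also flushes stdio and runs the atexit handler from inside the signal handler. write(), kill() and _exit() are safe there, so the body could be `write(STDERR_FILENO, msg, sizeof(msg) - 1); kill_child(); _exit(1);` with `msg` a static const char array holding the same FAIL text. The new file-scope `pid`, `kill_child` and `sigalrm_handler` could also be declared `static`, unless another test source is meant to link against them. main continues past the end of this hunk.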
> > @@ -130,7 +156,8 @@ int main(int argc, char *argv[])
> >  		exit(1);
> >  	} else if (pid != 0) {
> >  		/* parent */
> > -		read_error = do_parent(argv[1], argv[2]);
> > +		atexit(kill_child);
> > +		read_error = do_parent(argv[1], argv[3]);
> >  		rc = wait(&waitstatus);
> >  		if (rc == -1){
> >  			fprintf(stderr, "FAIL: wait failed - %s\n",
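Review bot: Once `wait()` has reaped the child, `pid` keeps its old value, so the `kill_child` handler registered here sends SIGKILL at normal exit to a PID that no longer belongs to the child and could have been reused by an unrelated process. Resetting it after a successful wait, e.g. `pid = -1;` placed after the `rc == -1` check, limits the atexit kill to the timeout and error paths. The return value of `atexit()` is also ignored; a failed registration would leave a blocked child behind on timeout. The parent branch continues past the end of this hunk.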
> > @@ -139,7 +166,7 @@ int main(int argc, char *argv[])
> >  		}
> >  	} else {
> >  		/* child */
> > -		exit(do_child(argv[1], argv[2]));
> > +		exit(do_child(argv[2], argv[3]));
> >  	}
> >  
> >  	if ((WIFEXITED(waitstatus) != 0) && (WEXITSTATUS(waitstatus) == 0) 
> > diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh
> > index 9253bd4..0b09daf 100755
> > --- a/tests/regression/apparmor/named_pipe.sh
> > +++ b/tests/regression/apparmor/named_pipe.sh
> > @@ -22,38 +22,63 @@ bin=$pwd
> >  
> >  . $bin/prologue.inc
> >  
> > -subtest=sub
> >  fifo=${tmpdir}/pipe
> > +
> > +subtest=sub
> >  okperm=rw
> >  
> > +subparent=parent
> > +okparent=r
> > +
> > +subchild=child
> > +okchild=w
> > +
> >  mknod ${fifo} p
> >  
> >  # NAMED PIPE - no confinement 
> >  
> > -runchecktest "NAMED PIPE (no confinement)" pass nochange ${fifo}
> > +runchecktest "NAMED PIPE (no confinement)" pass nochange nochange ${fifo}
> >  
> >  # PIPE - confined.
> >  
> >  #rm -f ${fifo} && mknod ${fifo} p
> >  genprofile $fifo:${okperm}
> > -runchecktest "NAMED PIPE RW (confinement)" pass nochange ${fifo}
> > +runchecktest "NAMED PIPE RW (confinement)" pass nochange nochange ${fifo}
> >  
> >  # PIPE - confined - no access.
> >  
> >  #rm -f ${fifo} && mknod ${fifo} p
> >  genprofile 
> > -runchecktest "NAMED PIPE (confinement)" fail nochange ${fifo}
> > +runchecktest "NAMED PIPE (confinement)" fail nochange nochange ${fifo}
> >  
> >  # PIPE - in a subprofile.
> >  
> >  #rm -f ${fifo} && mknod ${fifo} p
> >  genprofile ${fifo}:${okperm} hat:$subtest ${fifo}:${okperm}
> >  
> > -runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${fifo}
> > +runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${subtest} ${fifo}
> >  
> >  # PIPE - in a subprofile - no access
> >  
> >  #rm -f ${fifo} && mknod ${fifo} p
> >  genprofile ${fifo}:${okperm} hat:$subtest
> >  
> > -runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${fifo}
> > +runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${subtest} ${fifo}
> > +
> > +# PIPE - in separate subprofiles
> > +
> > +genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild ${fifo}:${okchild}
> > +
> > +runchecktest "NAMED PIPE RW (parent & child subprofiles)" pass ${subparent} ${subchild} ${fifo}
> > +
> > +# PIPE - in separate subprofiles - no access for child
> > +
> > +genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild
> > +
> > +runchecktest "NAMED PIPE R (parent & child subprofiles)" fail ${subparent} ${subchild} ${fifo}
> > +
> > +# PIPE - in separate subprofiles - no access for parent
> > +
> > +genprofile hat:$subparent hat:$subchild ${fifo}:${okchild}
> > +
> > +runchecktest "NAMED PIPE W (parent & child subprofiles)" fail ${subparent} ${subchild} ${fifo}
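Review bot: The two new negative tests are labelled by the permission that is still granted ("NAMED PIPE R", "NAMED PIPE W") rather than by which side is denied, so a failure in the test log does not say which hat was missing access. Labels that match the comments above them would be easier to read, for example `"NAMED PIPE (parent hat r, child hat no access)"` and `"NAMED PIPE (parent hat no access, child hat w)"`. A short comment noting that the main profile is generated with no FIFO rule in these three cases would also help, since the earlier subprofile tests do grant `${okperm}` there.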
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/


