[apparmor] [PATCH] tests: Add named_pipe tests to only place child process into a hat

Tyler Hicks tyhicks at canonical.com
Tue Jun 10 22:26:07 UTC 2014


The child process changes into a hat while the parent process stays in
the main profile.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/named_pipe.sh | 34 +++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/tests/regression/apparmor/named_pipe.sh b/tests/regression/apparmor/named_pipe.sh
index 24c36a7..e63456f 100755
--- a/tests/regression/apparmor/named_pipe.sh
+++ b/tests/regression/apparmor/named_pipe.sh
@@ -61,14 +61,44 @@ runchecktest "NAMED PIPE RW (confinement)" pass nochange nochange ${fifo}
 genprofile $common
 runchecktest "NAMED PIPE (confinement)" fail nochange nochange ${fifo}
 
-# PIPE - in a subprofile.
+# PIPE - child in subprofile.
+
+genprofile $common ${fifo}:${okparent} hat:$subchild $common ${fifo}:${okchild}
+
+runchecktest "NAMED PIPE (child subprofile)" pass nochange ${subchild} ${fifo}
+
+# PIPE - child in subprofile - no child access.
+
+genprofile $common ${fifo}:${okparent} hat:$subchild $common
+
+runchecktest "NAMED PIPE no child access (child subprofile)" fail nochange ${subchild} ${fifo}
+
+# PIPE - child in subprofile - bad child access.
+
+genprofile $common ${fifo}:${okparent} hat:$subchild $common ${fifo}:${badchild}
+
+runchecktest "NAMED PIPE bad child access (child subprofile)" fail nochange ${subchild} ${fifo}
+
+# PIPE - child in subprofile - no parent access.
+
+genprofile $common hat:$subchild $common
+
+runchecktest "NAMED PIPE no parent access (child subprofile)" fail nochange ${subchild} ${fifo}
+
+# PIPE - child in subprofile - bad parent access.
+
+genprofile $common ${fifo}:${badparent} hat:$subchild $common ${fifo}:${badchild}
+
+runchecktest "NAMED PIPE bad parent access (child subprofile)" fail nochange ${subchild} ${fifo}
+
+# PIPE - in the same subprofile.
 
 #rm -f ${fifo} && mknod ${fifo} p
 genprofile $common ${fifo}:${okperm} hat:$subtest $common ${fifo}:${okperm}
 
 runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${subtest} ${fifo}
 
-# PIPE - in a subprofile - no access
+# PIPE - in the same subprofile - no access
 
 #rm -f ${fifo} && mknod ${fifo} p
 genprofile $common ${fifo}:${okperm} hat:$subtest $common
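Review bot: The two parent-side negative cases cannot distinguish a parent denial from a child denial, because the hat is also left without usable access to the fifo. "no parent access" gives the hat only `$common`, and "bad parent access" gives it `${fifo}:${badchild}`. Both expect `fail`, so they would keep passing if mediation of the parent's end of the pipe regressed, as long as the child is still denied. Granting the hat `${fifo}:${okchild}` in both, e.g. `genprofile $common ${fifo}:${badparent} hat:$subchild $common ${fifo}:${okchild}`, would make the parent's rule the only reason for the failure. The definitions of `okparent`, `badparent`, `okchild`, `badchild` and `subchild` are outside the hunk, so this assumes they mean what their names suggest.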
-- 
1.9.1



