[apparmor] [PATCH 1/6] tests: Create lists of unix_socket perm tests

Tyler Hicks tyhicks at canonical.com
Thu Sep 4 11:55:41 UTC 2014


Create a list for each category (good server perms, bad server perms,
good client perms, and bad client perms) of UNIX domain socket tests so
that they can be looped through.

This makes it easier to append additional tests to the list based upon
conditions such as kernel ABI, address type, etc.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/unix_socket.sh | 90 +++++++++++++-------------------
 1 file changed, 35 insertions(+), 55 deletions(-)

diff --git a/tests/regression/apparmor/unix_socket.sh b/tests/regression/apparmor/unix_socket.sh
index 3d70886..b4fd59d 100755
--- a/tests/regression/apparmor/unix_socket.sh
+++ b/tests/regression/apparmor/unix_socket.sh
@@ -35,19 +35,6 @@ sockpath_abstract="@apparmor_unix_socket"
 message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
 8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c
 
-# v6 requires 'w' and v7 requires 'rw'
-okserver=w
-badserver1=r
-badserver2=
-if [ "$(have_features policy/versions/v7)" == "true" ] ; then
-	okserver=rw
-	badserver2=w
-fi
-
-okclient=rw
-badclient1=r
-badclient2=w
-
 isabstract()
 {
 	[ "${1:0:1}" == "@" ]
@@ -66,6 +53,19 @@ testsocktype()
 	local sockpath=$2 # fs path or "@NAME" for an abstract sock
 	local socktype=$3 # stream, dgram, or seqpacket
 	local args="$sockpath $socktype $message $client"
+	local i=0
+
+	# assume, by default, that the sock addr is of the pathname type
+	local okservers=("$sockpath:w")
+	local badservers=("" "$sockpath:r")
+	local okclients=("$sockpath:rw")
+	local badclients=("" "$sockpath:r" "$sockpath:w")
+
+	# v6 requires 'w' and v7 requires 'rw'
+	if [ "$(have_features policy/versions/v7)" == "true" ] ; then
+		okservers=("$sockpath:rw")
+		badservers+=("$sockpath:w")
+	fi
 
 	removesocket $sockpath
 
@@ -84,57 +84,37 @@ testsocktype()
 		return
 	fi
 
-	# PASS - server w/ access to the file
-
-	genprofile $sockpath:$okserver $client:Ux
-	runchecktest "$testdesc; confined server w/ access ($okserver)" pass $args
-	removesocket $sockpath
-
-	# FAIL - server w/o access to the file
-
-	genprofile $client:Ux
-	runchecktest "$testdesc; confined server w/o access" fail $args
-	removesocket $sockpath
+	for ((i=0; i<${#okservers[@]}; i++)); do
+		# PASS - server w/ access to the file
 
-	# FAIL - server w/ bad access to the file
-
-	genprofile $sockpath:$badserver1 $client:Ux
-	runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
-	removesocket $sockpath
+		genprofile ${okservers[i]} $client:Ux
+		runchecktest "$testdesc; confined server  ok[$i]" pass $args
+		removesocket $sockpath
+	done
 
-	# $badserver2 is set to non-null at the top of the test script if the
-	# kernel advertises ABI v7 or newer
-	if [ -n "$badserver2" ] ; then
+	for ((i=0; i<${#badservers[@]}; i++)); do
 		# FAIL - server w/ bad access to the file
 
-		genprofile $sockpath:$badserver2 $client:Ux
-		runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
+		genprofile ${badservers[i]} $client:Ux
+		runchecktest "$testdesc; confined server bad[$i]" fail $args
 		removesocket $sockpath
-	fi
-
-	# PASS - client w/ access to the file
-
-	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
-	runchecktest "$testdesc; confined client w/ access ($okclient)" pass $args
-	removesocket $sockpath
-
-	# FAIL - client w/o access to the file
-
-	genprofile $sockpath:$okserver $client:px -- image=$client
-	runchecktest "$testdesc; confined client w/o access" fail $args
-	removesocket $sockpath
+	done
 
-	# FAIL - client w/ bad access to the file
+	for ((i=0; i<${#okclients[@]}; i++)); do
+		# PASS - client w/ access to the file
 
-	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient1
-	runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args
-	removesocket $sockpath
+		genprofile ${okservers[0]} $client:px -- image=$client ${okclients[i]}
+		runchecktest "$testdesc; confined client  ok[$i]" pass $args
+		removesocket $sockpath
+	done
 
-	# FAIL - client w/ bad access to the file
+	for ((i=0; i<${#badclients[@]}; i++)); do
+		# FAIL - client w/ bad access to the file
 
-	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient2
-	runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
-	removesocket $sockpath
+		genprofile ${okservers[0]} $client:px -- image=$client ${badclients[i]}
+		runchecktest "$testdesc; confined client bad[$i]" fail $args
+		removesocket $sockpath
+	done
 
 	removeprofile
 }
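Review bot: The four new runchecktest descriptions name a case only by index (`ok[$i]`, `bad[$i]`), whereas the removed code printed the permission under test, so a failing mediation check in the log no longer shows which rule was loaded. Put the rule in the label, e.g. `runchecktest "$testdesc; confined server bad (${badservers[i]:-no rule})" fail $args`, and do the same in the other three loops. The `""` entries in badservers/badclients stand for the no-rule case and only work because `${badservers[i]}` and `${badclients[i]}` are expanded unquoted in the genprofile calls; a comment such as `# unquoted on purpose: "" must expand to no argument` would keep a later quoting cleanup from passing an empty rule. The client loops always pair with `${okservers[0]}`, which is fine while that list has one entry, but appended server entries would not be exercised on the client side. testsocktype begins outside this hunk, so this is based only on the lines shown.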
-- 
2.1.0



