[apparmor] [PATCH 3/6] tests: Update unix_socket.sh pathname based socket tests for v7
Tyler Hicks
tyhicks at canonical.com
Thu Sep 4 11:55:43 UTC 2014
The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
granted to confined processes that call socket(AF_UNIX, type, 0). This
is true for pathname, abstract, and unnamed UNIX domain sockets since
the address type of a socket is not yet known when socket(2) is called.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/unix_socket.sh | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/tests/regression/apparmor/unix_socket.sh b/tests/regression/apparmor/unix_socket.sh
index 10fa59d..8fd70dd 100755
--- a/tests/regression/apparmor/unix_socket.sh
+++ b/tests/regression/apparmor/unix_socket.sh
@@ -61,10 +61,17 @@ testsocktype()
local okclients=("$sockpath:rw")
local badclients=("" "$sockpath:r" "$sockpath:w")
- # v6 requires 'w' and v7 requires 'rw'
if [ "$(have_features policy/versions/v7)" == "true" ] ; then
- okservers=("$sockpath:rw")
- badservers+=("$sockpath:w")
+ # v7 requires 'unix create' to call socket()
+ # v7 requires 'rw' for the server
+ okservers=("$sockpath:rw unix:create")
+ badservers=("" \
+ "$sockpath:r unix:create" \
+ "$sockpath:w unix:create" \
+ "unix:create" \
+ )
+ okclients=("${okservers[@]}")
+ badclients=("${badservers[@]}")
fi
removesocket $sockpath
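Review bot: The new v7 badservers list (and badclients, which copies it) has no entry that grants "$sockpath:rw" without unix:create, so no case isolates the requirement the commit message describes; the "" entry lacks the path permission as well, so its failure does not show that 'unix create' alone is being enforced. Consider adding "$sockpath:rw" to the list. Separately, removing the "v6 requires 'w' and v7 requires 'rw'" comment leaves the v6 expectation undocumented in this function; a short comment above the if would keep it.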
--
2.1.0