[apparmor] [PATCH 2/4] tests: Update socketpair.sh for af_unix mediation
Tyler Hicks
tyhicks at canonical.com
Thu Sep 4 22:43:22 UTC 2014
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/socketpair.sh | 39 ++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/tests/regression/apparmor/socketpair.sh b/tests/regression/apparmor/socketpair.sh
index 8af3be2..802657c 100755
--- a/tests/regression/apparmor/socketpair.sh
+++ b/tests/regression/apparmor/socketpair.sh
@@ -30,6 +30,15 @@ do_test()
exec="/proc/*/attr/exec:w"
np1="new_profile_1"
np2="new_profile_2"
+af_unix_create=""
+af_unix_inherit=""
+
+if [ "$(have_features network/af_unix)" == "true" ]; then
+ # AppArmor requires that the process inheriting the sock file
+ # descriptors have send,receive perms in its profile
+ af_unix_create="unix:(create,getopt)"
+ af_unix_inherit="unix:(getopt,send,receive)"
+fi
# Ensure everything works as expected when unconfined
do_test "unconfined" pass "unconfined" "(null)"
@@ -39,7 +48,7 @@ do_test "unconfined bad con" fail "uncon" "(null)"
do_test "unconfined bad mode" fail "unconfined" "(null)XXX"
# Ensure correct labeling under confinement
-genprofile
+genprofile $af_unix_create
do_test "confined" pass "$test" "enforce"
# Test the test
@@ -47,41 +56,41 @@ do_test "confined bad con" fail "/bad${test}" "enforce"
do_test "confined bad mode" fail "$test" "inforce"
# Ensure correct mode when using the complain flag
-genprofile flag:complain
+genprofile flag:complain $af_unix_create
do_test "complain" pass "$test" "complain"
# Test the test
-genprofile flag:complain
+genprofile flag:complain $af_unix_create
do_test "complain bad mode" fail "$test" "enforce"
# Ensure correct mode when using the audit flag
-genprofile flag:audit
+genprofile flag:audit $af_unix_create
do_test "complain" pass "$test" "enforce"
# Ensure correct labeling after passing fd pair across exec
-genprofile $exec 'change_profile->':$np1 -- image=$np1 addimage:$test
+genprofile $af_unix_create $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
do_test "confined exec transition" pass "$test" "enforce" "$np1"
# Ensure correct labeling after passing fd pair across a no-transition exec
# NOTE: The test still calls aa_change_onexec(), so change_profile -> $test
# is still needed
-genprofile $exec 'change_profile->':$test
+genprofile $af_unix_create $exec 'change_profile->':$test
do_test "confined exec no transition" pass "$test" "enforce" "$test"
# Ensure correct complain mode after passing fd pair across exec
-genprofile flag:complain $exec 'change_profile->':$np1 -- \
- image=$np1 addimage:$test
+genprofile flag:complain $af_unix_create $exec 'change_profile->':$np1 -- \
+ image=$np1 addimage:$test $af_unix_inherit
do_test "confined exec transition from complain" pass "$test" "complain" "$np1"
# Ensure correct enforce mode after passing fd pair across exec
-genprofile $exec 'change_profile->':$np1 -- \
- image=$np1 addimage:$test flag:complain
+genprofile $af_unix_create $exec 'change_profile->':$np1 -- \
+ image=$np1 addimage:$test flag:complain $af_unix_inherit
do_test "confined exec transition to complain" pass "$test" "enforce" "$np1"
# Ensure correct labeling after passing fd pair across 2 execs
-gp_args="$exec change_profile->:$np1 -- \
- image=$np1 addimage:$test $exec change_profile->:$np2 -- \
- image=$np2 addimage:$test"
+gp_args="$af_unix_create $exec change_profile->:$np1 -- \
+ image=$np1 addimage:$test $af_unix_inherit $exec change_profile->:$np2 -- \
+ image=$np2 addimage:$test $af_unix_inherit"
genprofile $gp_args
do_test "confined 2 exec transitions" pass "$test" "enforce" "$np1" "$np2"
@@ -90,9 +99,9 @@ do_test "confined 2 exec transitions bad con" fail "$test" "enforce" "$np1" "$np
do_test "confined 2 exec transitions bad mode" fail "$test" "complain" "$np1" "$np2"
# Ensure correct labeling after passing fd pair across exec to unconfined
-genprofile $exec 'change_profile->':unconfined
+genprofile $af_unix_create $exec 'change_profile->':unconfined
do_test "confined exec transition to unconfined" pass "$test" "enforce" "unconfined"
# Ensure correct labeling after passing fd pair across exec from unconfined
-genprofile image=$np1 addimage:$test
+genprofile image=$np1 addimage:$test $af_unix_inherit
do_test "unconfined exec transition ton confined" pass "unconfined" "(null)" "$np1"
--
2.1.0
More information about the AppArmor
mailing list