[apparmor] [PATCH 1/6] tests: Create lists of unix_socket perm tests

Seth Arnold seth.arnold at canonical.com
Sat Sep 6 00:46:19 UTC 2014


On Thu, Sep 04, 2014 at 06:55:41AM -0500, Tyler Hicks wrote:
> Create a list for each category (good server perms, bad server perms,
> good client perms, and bad client perms) of UNIX domain socket tests so
> that they can be looped through.
> 
> This makes it easier to append additional tests to the list based upon
> conditions such as kernel ABI, address type, etc.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks

> ---
>  tests/regression/apparmor/unix_socket.sh | 90 +++++++++++++-------------------
>  1 file changed, 35 insertions(+), 55 deletions(-)
> 
> diff --git a/tests/regression/apparmor/unix_socket.sh b/tests/regression/apparmor/unix_socket.sh
> index 3d70886..b4fd59d 100755
> --- a/tests/regression/apparmor/unix_socket.sh
> +++ b/tests/regression/apparmor/unix_socket.sh
> @@ -35,19 +35,6 @@ sockpath_abstract="@apparmor_unix_socket"
>  message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
>  8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c
>  
> -# v6 requires 'w' and v7 requires 'rw'
> -okserver=w
> -badserver1=r
> -badserver2=
> -if [ "$(have_features policy/versions/v7)" == "true" ] ; then
> -	okserver=rw
> -	badserver2=w
> -fi
> -
> -okclient=rw
> -badclient1=r
> -badclient2=w
> -
>  isabstract()
>  {
>  	[ "${1:0:1}" == "@" ]
> @@ -66,6 +53,19 @@ testsocktype()
>  	local sockpath=$2 # fs path or "@NAME" for an abstract sock
>  	local socktype=$3 # stream, dgram, or seqpacket
>  	local args="$sockpath $socktype $message $client"
> +	local i=0
> +
> +	# assume, by default, that the sock addr is of the pathname type
> +	local okservers=("$sockpath:w")
> +	local badservers=("" "$sockpath:r")
> +	local okclients=("$sockpath:rw")
> +	local badclients=("" "$sockpath:r" "$sockpath:w")
> +
> +	# v6 requires 'w' and v7 requires 'rw'
> +	if [ "$(have_features policy/versions/v7)" == "true" ] ; then
> +		okservers=("$sockpath:rw")
> +		badservers+=("$sockpath:w")
> +	fi
>  
>  	removesocket $sockpath
>  
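Review bot: The empty first element in `badservers=("" "$sockpath:r")` and `badclients=("" "$sockpath:r" "$sockpath:w")` stands in for the old "w/o access" case, but nothing in the hunk says so. It appears to depend on the later `genprofile ${badservers[i]} ...` calls leaving the expansion unquoted, so that the empty entry contributes no argument. Because this is the case that checks a confined task with no socket rule is denied, I would add a comment above the arrays such as `# "" = no rule for the socket; must be expanded unquoted at genprofile so it adds no argument`. If someone later quotes those expansions, genprofile would receive an empty argument, and how it handles that is not visible here. The body of testsocktype starts before this hunk and continues after it.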
> @@ -84,57 +84,37 @@ testsocktype()
>  		return
>  	fi
>  
> -	# PASS - server w/ access to the file
> -
> -	genprofile $sockpath:$okserver $client:Ux
> -	runchecktest "$testdesc; confined server w/ access ($okserver)" pass $args
> -	removesocket $sockpath
> -
> -	# FAIL - server w/o access to the file
> -
> -	genprofile $client:Ux
> -	runchecktest "$testdesc; confined server w/o access" fail $args
> -	removesocket $sockpath
> +	for ((i=0; i<${#okservers[@]}; i++)); do
> +		# PASS - server w/ access to the file
>  
> -	# FAIL - server w/ bad access to the file
> -
> -	genprofile $sockpath:$badserver1 $client:Ux
> -	runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
> -	removesocket $sockpath
> +		genprofile ${okservers[i]} $client:Ux
> +		runchecktest "$testdesc; confined server  ok[$i]" pass $args
> +		removesocket $sockpath
> +	done
>  
> -	# $badserver2 is set to non-null at the top of the test script if the
> -	# kernel advertises ABI v7 or newer
> -	if [ -n "$badserver2" ] ; then
> +	for ((i=0; i<${#badservers[@]}; i++)); do
>  		# FAIL - server w/ bad access to the file
>  
> -		genprofile $sockpath:$badserver2 $client:Ux
> -		runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
> +		genprofile ${badservers[i]} $client:Ux
> +		runchecktest "$testdesc; confined server bad[$i]" fail $args
>  		removesocket $sockpath
> -	fi
> -
> -	# PASS - client w/ access to the file
> -
> -	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
> -	runchecktest "$testdesc; confined client w/ access ($okclient)" pass $args
> -	removesocket $sockpath
> -
> -	# FAIL - client w/o access to the file
> -
> -	genprofile $sockpath:$okserver $client:px -- image=$client
> -	runchecktest "$testdesc; confined client w/o access" fail $args
> -	removesocket $sockpath
> +	done
>  
> -	# FAIL - client w/ bad access to the file
> +	for ((i=0; i<${#okclients[@]}; i++)); do
> +		# PASS - client w/ access to the file
>  
> -	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient1
> -	runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args
> -	removesocket $sockpath
> +		genprofile ${okservers[0]} $client:px -- image=$client ${okclients[i]}
> +		runchecktest "$testdesc; confined client  ok[$i]" pass $args
> +		removesocket $sockpath
> +	done
>  
> -	# FAIL - client w/ bad access to the file
> +	for ((i=0; i<${#badclients[@]}; i++)); do
> +		# FAIL - client w/ bad access to the file
>  
> -	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient2
> -	runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
> -	removesocket $sockpath
> +		genprofile ${okservers[0]} $client:px -- image=$client ${badclients[i]}
> +		runchecktest "$testdesc; confined client bad[$i]" fail $args
> +		removesocket $sockpath
> +	done
>  
>  	removeprofile
>  }
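Review bot: The new descriptions `ok[$i]` and `bad[$i]` drop the permission string the old messages carried (for example `w/ bad access ($badserver1)`), so a failing denial test no longer says which rule was being exercised. The same label `ok[0]` also maps to `w` or `rw` depending on whether the kernel advertises v7. Putting the entry in the label keeps the test log self-explanatory, e.g. `runchecktest "$testdesc; confined server bad[$i] (${badservers[i]:-no rule})" fail $args`, and likewise in the other three loops. Both client loops build the server side from `${okservers[0]}` only, so a one-line comment such as `# client tests always pair with the first ok server entry` would help anyone who appends to `okservers`. The function begins outside this hunk.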
> -- 
> 2.1.0
> 
> 