[apparmor] [PATCH 3/6] tests: Update unix_socket.sh pathname based socket tests for v7
Seth Arnold
seth.arnold at canonical.com
Sat Sep 6 00:53:05 UTC 2014
On Thu, Sep 04, 2014 at 06:55:43AM -0500, Tyler Hicks wrote:
> The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
> granted to confined processes that call socket(AF_UNIX, type, 0). This
> is true for pathname, abstract, and unnamed UNIX domain sockets since
> the address type of a socket is not yet known when socket(2) is called.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks
> ---
> tests/regression/apparmor/unix_socket.sh | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/tests/regression/apparmor/unix_socket.sh b/tests/regression/apparmor/unix_socket.sh
> index 10fa59d..8fd70dd 100755
> --- a/tests/regression/apparmor/unix_socket.sh
> +++ b/tests/regression/apparmor/unix_socket.sh
> @@ -61,10 +61,17 @@ testsocktype()
> local okclients=("$sockpath:rw")
> local badclients=("" "$sockpath:r" "$sockpath:w")
>
> - # v6 requires 'w' and v7 requires 'rw'
> if [ "$(have_features policy/versions/v7)" == "true" ] ; then
> - okservers=("$sockpath:rw")
> - badservers+=("$sockpath:w")
> + # v7 requires 'unix create' to call socket()
> + # v7 requires 'rw' for the server
> + okservers=("$sockpath:rw unix:create")
> + badservers=("" \
> + "$sockpath:r unix:create" \
> + "$sockpath:w unix:create" \
> + "unix:create" \
> + )
> + okclients=("${okservers[@]}")
> + badclients=("${badservers[@]}")
> fi
>
> removesocket $sockpath
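Review bot: the v7 badservers list has no entry that grants "$sockpath:rw" without unix:create, so nothing in this branch isolates the 'unix create' requirement the commit message describes. The only case lacking unix:create is the empty profile "", which also lacks the file permissions and would fail either way. Consider adding "$sockpath:rw" to badservers; it carries over to badclients through the array copy. Separately, the removed comment was the only line in this hunk documenting that v6 requires 'w', so a short comment on the v6 expectation outside the if block would keep that recorded.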
> --
> 2.1.0