[apparmor] [PATCH 3/4] tests: Update unix_fd_server.sh for af_unix mediation
Tyler Hicks
tyhicks at canonical.com
Thu Sep 11 02:16:10 UTC 2014
On 2014-09-10 18:53:27, Seth Arnold wrote:
> On Thu, Sep 04, 2014 at 05:43:23PM -0500, Tyler Hicks wrote:
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
>
> Acked-by: Seth Arnold <seth.arnold at canonical.com>
Thanks again!
>
> Though I noticed that the unix:create is being passed along to the
> -> confined processes as well -- is it necessary there, too?
It is. It creates its own socket and connects to the server's socket so
that the server can send the fd descriptor across.
Tyler
>
> Thanks
>
> > ---
> > tests/regression/apparmor/unix_fd_server.sh | 27 ++++++++++++++++-----------
> > 1 file changed, 16 insertions(+), 11 deletions(-)
> >
> > diff --git a/tests/regression/apparmor/unix_fd_server.sh b/tests/regression/apparmor/unix_fd_server.sh
> > index 6bc5158..b38ec68 100755
> > --- a/tests/regression/apparmor/unix_fd_server.sh
> > +++ b/tests/regression/apparmor/unix_fd_server.sh
> > @@ -25,6 +25,11 @@ socket=${tmpdir}/unix_fd_test
> > fd_client=$PWD/unix_fd_client
> > okperm=rw
> > badperm=w
> > +af_unix=""
> > +
> > +if [ "$(have_features network/af_unix)" == "true" ]; then
> > + af_unix="unix:create"
> > +fi
> >
> > # Content generated with:
> > # dd if=/dev/urandom bs=32 count=4 2> /dev/null | od -x | head -8 | sed -e 's/^[[:xdigit:]]\{7\}//g' -e 's/ //g'
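Review bot: af_unix="" only works because every genprofile call below expands $af_unix unquoted, so on a kernel without network/af_unix it disappears from the argument list. That is worth a one-line comment beside the assignment, since quoting it later ("$af_unix") would hand genprofile an empty argument.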
> > @@ -51,7 +56,7 @@ rm -f ${socket}
> >
> > # PASS - confined -> unconfined
> >
> > -genprofile $file:$okperm $socket:rw $fd_client:ux
> > +genprofile $file:$okperm $af_unix $socket:rw $fd_client:ux
> >
> > runchecktest "fd passing; confined -> unconfined" pass $file $socket $fd_client
> >
> > @@ -60,7 +65,7 @@ rm -f ${socket}
> >
> > # FAIL - confined (bad perm) -> unconfined
> >
> > -genprofile $file:$badperm $socket:rw $fd_client:ux
> > +genprofile $file:$badperm $af_unix $socket:rw $fd_client:ux
> >
> > runchecktest "fd passing; confined (bad perm) -> unconfined" fail $file $socket $fd_client
> >
> > @@ -69,7 +74,7 @@ rm -f ${socket}
> >
> > # FAIL - confined (no perm) -> unconfined
> >
> > -genprofile $socket:rw $fd_client:ux
> > +genprofile $af_unix $socket:rw $fd_client:ux
> >
> > runchecktest "fd passing; confined (no perm) -> unconfined" fail $file $socket $fd_client
> >
> > @@ -78,7 +83,7 @@ rm -f ${socket}
> >
> > # PASS (due to delegation) - unconfined -> confined
> >
> > -genprofile image=$fd_client $file:$okperm $socket:rw
> > +genprofile image=$fd_client $file:$okperm $af_unix $socket:rw
> > runchecktest "fd passing; unconfined -> confined" pass $file $socket $fd_client
> >
> > sleep 1
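Review bot: the client profile (image=$fd_client) picking up $af_unix in this case has no comment explaining it, and it is the one thing that was questioned in review. A short comment above this genprofile, saying that the client creates its own socket in order to connect to the server's socket, would save the next reader the same question.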
> > @@ -86,7 +91,7 @@ rm -f ${socket}
> >
> > # PASS (due to delegation) - unconfined -> confined (no perm)
> >
> > -genprofile image=$fd_client $socket:rw
> > +genprofile image=$fd_client $af_unix $socket:rw
> > runchecktest "fd passing; unconfined -> confined (no perm)" pass $file $socket $fd_client
> >
> > sleep 1
> > @@ -94,7 +99,7 @@ rm -f ${socket}
> >
> > # PASS - confined -> confined
> >
> > -genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
> > +genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix $socket:rw
> > runchecktest "fd passing; confined -> confined" pass $file $socket $fd_client
> >
> > sleep 1
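Review bot: from this case on, "$af_unix $socket:rw" is repeated on both sides of the "--" in the px genprofile lines, which makes already long lines longer and spreads the same pair over many call sites. Consider folding the pair into one variable set next to af_unix, so the cases stay readable and there is a single place to change if the socket rules need adjusting.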
> > @@ -102,7 +107,7 @@ rm -f ${socket}
> >
> > # FAIL - confined (bad perm) -> confined
> >
> > -genprofile $file:$badperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
> > +genprofile $file:$badperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix $socket:rw
> > runchecktest "fd passing; confined (bad perm) -> confined" fail $file $socket $fd_client
> >
> > sleep 1
> > @@ -110,7 +115,7 @@ rm -f ${socket}
> >
> > # FAIL - confined (no perm) -> confined
> >
> > -genprofile $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $socket:rw
> > +genprofile $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix $socket:rw
> > runchecktest "fd passing; confined (no perm) -> confined" fail $file $socket $fd_client
> >
> > sleep 1
> > @@ -118,7 +123,7 @@ rm -f ${socket}
> >
> > # FAIL - confined -> confined (bad perm)
> >
> > -genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $socket:rw
> > +genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$badperm $af_unix $socket:rw
> > runchecktest "fd passing; confined -> confined (bad perm)" fail $file $socket $fd_client
> >
> > sleep 1
> > @@ -126,7 +131,7 @@ rm -f ${socket}
> >
> > # FAIL - confined -> confined (no perm)
> >
> > -genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $socket:rw
> > +genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $af_unix $socket:rw
> > runchecktest "fd passing; confined -> confined (no perm)" fail $file $socket $fd_client
> >
> > sleep 1
> > @@ -135,7 +140,7 @@ rm -f ${socket}
> > if [ "$(have_features policy/versions/v6)" == "true" ] ; then
> > # FAIL - confined client, no access to the socket file
> >
> > - genprofile $file:$okperm $socket:rw $fd_client:px -- image=$fd_client $file:$okperm
> > + genprofile $file:$okperm $af_unix $socket:rw $fd_client:px -- image=$fd_client $file:$okperm $af_unix
> > runchecktest "fd passing; confined client w/o socket access" fail $file $socket $fd_client
> >
> > sleep 1
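Review bot: in the "confined client w/o socket access" case the client profile still receives $af_unix, so the expected failure exercises only the missing $socket:rw rule. Nothing in this script checks that a profile lacking unix:create is denied when network/af_unix is present. Consider adding a case that keeps $socket:rw and drops $af_unix, guarded by the same have_features network/af_unix check, unless another test in the series already covers it.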
> > --
> > 2.1.0
> >
> >
> > --
> > AppArmor mailing list
> > AppArmor at lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> >