[apparmor] [PATCH v2 04/11] tests: Update unix_socket_pathname.sh socket tests for v7

Tyler Hicks tyhicks at canonical.com
Mon Sep 15 19:55:57 UTC 2014


The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
granted to confined processes that call socket(AF_UNIX, type, 0). This
is true for pathname, abstract, and unnamed UNIX domain sockets since
the address type of a socket is not yet known when socket(2) is called.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/unix_socket_pathname.sh | 40 ++++++++++++++++++-----
 1 file changed, 32 insertions(+), 8 deletions(-)

diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index b6f6b69..45d74b9 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -45,6 +45,12 @@ if [ "$(have_features policy/versions/v7)" == "true" ] ; then
 	badserver2=w
 fi
 
+# af_unix support requires 'unix create' to call socket()
+af_unix=
+if [ "$(have_features network/af_unix)" == "true" ] ; then
+	af_unix="unix:create"
+fi
+
 okclient=rw
 badclient1=r
 badclient2=w
@@ -71,19 +77,19 @@ testsocktype()
 
 	# PASS - server w/ access to the file
 
-	genprofile $sockpath:$okserver $client:Ux
+	genprofile $sockpath:$okserver $af_unix $client:Ux
 	runchecktest "$testdesc; confined server w/ access ($okserver)" pass $args
 	removesocket $sockpath
 
 	# FAIL - server w/o access to the file
 
-	genprofile $client:Ux
+	genprofile $af_unix $client:Ux
 	runchecktest "$testdesc; confined server w/o access" fail $args
 	removesocket $sockpath
 
 	# FAIL - server w/ bad access to the file
 
-	genprofile $sockpath:$badserver1 $client:Ux
+	genprofile $sockpath:$badserver1 $af_unix $client:Ux
 	runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
 	removesocket $sockpath
 
@@ -92,35 +98,53 @@ testsocktype()
 	if [ -n "$badserver2" ] ; then
 		# FAIL - server w/ bad access to the file
 
-		genprofile $sockpath:$badserver2 $client:Ux
+		genprofile $sockpath:$badserver2 $af_unix $client:Ux
 		runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
 		removesocket $sockpath
 	fi
 
+	if [ -n "$af_unix" ] ; then
+		# FAIL - server w/o af_unix access
+
+		genprofile $sockpath:$okserver $client:Ux
+		runchecktest "$testdesc; confined server w/o af_unix" fail $args
+		removesockets $sockpath
+	fi
+
+	server="$sockpath:$okserver $af_unix $client:px"
+
 	# PASS - client w/ access to the file
 
-	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
+	genprofile $server -- image=$client $sockpath:$okclient $af_unix
 	runchecktest "$testdesc; confined client w/ access ($okclient)" pass $args
 	removesocket $sockpath
 
 	# FAIL - client w/o access to the file
 
-	genprofile $sockpath:$okserver $client:px -- image=$client
+	genprofile $server -- image=$client $af_unix
 	runchecktest "$testdesc; confined client w/o access" fail $args
 	removesocket $sockpath
 
 	# FAIL - client w/ bad access to the file
 
-	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient1
+	genprofile $server -- image=$client $sockpath:$badclient1 $af_unix
 	runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args
 	removesocket $sockpath
 
 	# FAIL - client w/ bad access to the file
 
-	genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient2
+	genprofile $server -- image=$client $sockpath:$badclient2
 	runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
 	removesocket $sockpath
 
+	if [ -n "$af_unix" ] ; then
+		# FAIL - client w/o af_unix access
+
+		genprofile $server -- image=$client $sockpath:$okclient
+		runchecktest "$testdesc; confined client w/o af_unix" fail $args
+		removesocket $sockpath
+	fi
+
 	removeprofile
 }
 
-- 
2.1.0




More information about the AppArmor mailing list