[apparmor] [PATCH v2 04/11] tests: Update unix_socket_pathname.sh socket tests for v7
Tyler Hicks
tyhicks at canonical.com
Mon Sep 15 19:55:57 UTC 2014
The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
granted to confined processes that call socket(AF_UNIX, type, 0). This
is true for pathname, abstract, and unnamed UNIX domain sockets since
the address type of a socket is not yet known when socket(2) is called.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/unix_socket_pathname.sh | 40 ++++++++++++++++++-----
1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index b6f6b69..45d74b9 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -45,6 +45,12 @@ if [ "$(have_features policy/versions/v7)" == "true" ] ; then
badserver2=w
fi
+# af_unix support requires 'unix create' to call socket()
+af_unix=
+if [ "$(have_features network/af_unix)" == "true" ] ; then
+ af_unix="unix:create"
+fi
+
okclient=rw
badclient1=r
badclient2=w
@@ -71,19 +77,19 @@ testsocktype()
# PASS - server w/ access to the file
- genprofile $sockpath:$okserver $client:Ux
+ genprofile $sockpath:$okserver $af_unix $client:Ux
runchecktest "$testdesc; confined server w/ access ($okserver)" pass $args
removesocket $sockpath
# FAIL - server w/o access to the file
- genprofile $client:Ux
+ genprofile $af_unix $client:Ux
runchecktest "$testdesc; confined server w/o access" fail $args
removesocket $sockpath
# FAIL - server w/ bad access to the file
- genprofile $sockpath:$badserver1 $client:Ux
+ genprofile $sockpath:$badserver1 $af_unix $client:Ux
runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
removesocket $sockpath
@@ -92,35 +98,53 @@ testsocktype()
if [ -n "$badserver2" ] ; then
# FAIL - server w/ bad access to the file
- genprofile $sockpath:$badserver2 $client:Ux
+ genprofile $sockpath:$badserver2 $af_unix $client:Ux
runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
removesocket $sockpath
fi
+ if [ -n "$af_unix" ] ; then
+ # FAIL - server w/o af_unix access
+
+ genprofile $sockpath:$okserver $client:Ux
+ runchecktest "$testdesc; confined server w/o af_unix" fail $args
+ removesockets $sockpath
+ fi
+
+ server="$sockpath:$okserver $af_unix $client:px"
+
# PASS - client w/ access to the file
- genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
+ genprofile $server -- image=$client $sockpath:$okclient $af_unix
runchecktest "$testdesc; confined client w/ access ($okclient)" pass $args
removesocket $sockpath
# FAIL - client w/o access to the file
- genprofile $sockpath:$okserver $client:px -- image=$client
+ genprofile $server -- image=$client $af_unix
runchecktest "$testdesc; confined client w/o access" fail $args
removesocket $sockpath
# FAIL - client w/ bad access to the file
- genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient1
+ genprofile $server -- image=$client $sockpath:$badclient1 $af_unix
runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args
removesocket $sockpath
# FAIL - client w/ bad access to the file
- genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient2
+ genprofile $server -- image=$client $sockpath:$badclient2
runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
removesocket $sockpath
+ if [ -n "$af_unix" ] ; then
+ # FAIL - client w/o af_unix access
+
+ genprofile $server -- image=$client $sockpath:$okclient
+ runchecktest "$testdesc; confined client w/o af_unix" fail $args
+ removesocket $sockpath
+ fi
+
removeprofile
}
--
2.1.0
More information about the AppArmor
mailing list