[apparmor] [PATCH v2 06/11] tests: Don't use autobinding in unix_socket_client

Tyler Hicks tyhicks at canonical.com
Mon Sep 15 19:55:59 UTC 2014 

The unix_socket_client test program was using an abstract socket, which
was set up using the autobind feature, when testing any socket address
types.

To more accurately test a specific address type, this patch changes the
client code to use whatever address type that the server is using. The
string ".client" will be added to the end of the server's address.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/unix_socket_client.c    | 29 ++++++++++++++--
 tests/regression/apparmor/unix_socket_pathname.sh | 40 +++++++++++++----------
 2 files changed, 49 insertions(+), 20 deletions(-)

diff --git a/tests/regression/apparmor/unix_socket_client.c b/tests/regression/apparmor/unix_socket_client.c
index bda7db6..30e5ee7 100644
--- a/tests/regression/apparmor/unix_socket_client.c
+++ b/tests/regression/apparmor/unix_socket_client.c
@@ -24,6 +24,9 @@
 
 #define MSG_BUF_MAX	1024
 
+#define SUN_PATH_SUFFIX		".client"
+#define SUN_PATH_SUFFIX_LEN	strlen(SUN_PATH_SUFFIX)
+
 static int connection_based_messaging(int sock)
 {
 	char msg_buf[MSG_BUF_MAX];
@@ -44,14 +47,33 @@ static int connection_based_messaging(int sock)
 	return 0;
 }
 
-static int connectionless_messaging(int sock)
+static int connectionless_messaging(int sock, struct sockaddr_un *peer_addr,
+				    socklen_t peer_addr_len)
 {
 	struct sockaddr_un addr;
+	size_t peer_path_len = peer_addr_len - sizeof(addr.sun_family);
+	size_t path_len = peer_path_len + SUN_PATH_SUFFIX_LEN;
 	char msg_buf[MSG_BUF_MAX];
 	int rc;
 
+	if (path_len > sizeof(addr.sun_path)) {
+		fprintf(stderr, "FAIL CLIENT - path_len too big\n");
+		return 1;
+	}
+
+	/**
+	 * Subtract 1 to get rid of nul-terminator in pathname address types.
+	 * We're essentially moving the nul char so path_len stays the same.
+	 */
+	if (peer_addr->sun_path[0])
+		peer_path_len--;
+
 	addr.sun_family = AF_UNIX;
-	rc = bind(sock, (struct sockaddr *)&addr, sizeof(sa_family_t));
+	memcpy(addr.sun_path, peer_addr->sun_path, peer_path_len);
+	strcpy(addr.sun_path + peer_path_len, SUN_PATH_SUFFIX);
+
+	rc = bind(sock, (struct sockaddr *)&addr,
+		  path_len + sizeof(addr.sun_family));
 	if (rc < 0) {
 		perror("FAIL CLIENT - bind");
 		return 1;
@@ -174,7 +196,8 @@ int main(int argc, char *argv[])
 
 	rc = (type == SOCK_STREAM || type == SOCK_SEQPACKET) ?
 		connection_based_messaging(sock) :
-		connectionless_messaging(sock);
+		connectionless_messaging(sock, &peer_addr,
+				sun_path_len + sizeof(peer_addr.sun_family));
 	if (rc)
 		exit(1);
 
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 17ed855..d089d09 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -32,7 +32,8 @@ requires_features policy/versions/v6
 settest unix_socket
 
 client=$bin/unix_socket_client
-sockpath=${tmpdir}/unix_socket.sock
+sockpath=${tmpdir}/aa_sock
+client_sockpath=${tmpdir}/aa_sock.client
 message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
 8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c
 
@@ -57,11 +58,15 @@ okclient=rw
 badclient1=r
 badclient2=w
 
-removesocket()
+removesockets()
 {
-	if [ -S "$1" ]; then
-		rm -f "$1"
-	fi
+	local sock
+
+	for sock in "$@"; do
+		if [ -S "$sock" ]; then
+			rm -f "$sock"
+		fi
+	done
 }
 
 testsocktype()
@@ -70,30 +75,30 @@ testsocktype()
 	local testdesc="AF_UNIX pathname socket ($socktype)"
 	local args="$sockpath $socktype $message $client"
 
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	# PASS - unconfined
 
 	runchecktest "$testdesc; unconfined" pass $args
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	# PASS - server w/ access to the file
 
 	genprofile $sockpath:$okserver $af_unix $client:Ux
 	runchecktest "$testdesc; confined server w/ access ($okserver)" pass $args
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	# FAIL - server w/o access to the file
 
 	genprofile $af_unix $client:Ux
 	runchecktest "$testdesc; confined server w/o access" fail $args
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	# FAIL - server w/ bad access to the file
 
 	genprofile $sockpath:$badserver1 $af_unix $client:Ux
 	runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	# $badserver2 is set to non-null at the top of the test script if the
 	# kernel advertises ABI v7 or newer
@@ -102,7 +107,8 @@ testsocktype()
 
 		genprofile $sockpath:$badserver2 $af_unix $client:Ux
 		runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
-		removesocket $sockpath
+		removesockets $sockpath $client_sockpath
+
 	fi
 
 	if [ -n "$af_unix" ] ; then
@@ -113,38 +119,38 @@ testsocktype()
 		removesockets $sockpath
 	fi
 
-	server="$sockpath:$okserver $af_unix $client:px"
+	server="$sockpath:$okserver $client_sockpath:$okserver $af_unix $client:px"
 
 	# PASS - client w/ access to the file
 
 	genprofile $server -- image=$client $sockpath:$okclient $af_unix
 	runchecktest "$testdesc; confined client w/ access ($okclient)" pass $args
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	# FAIL - client w/o access to the file
 
 	genprofile $server -- image=$client $af_unix
 	runchecktest "$testdesc; confined client w/o access" fail $args
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	# FAIL - client w/ bad access to the file
 
 	genprofile $server -- image=$client $sockpath:$badclient1 $af_unix
 	runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	# FAIL - client w/ bad access to the file
 
 	genprofile $server -- image=$client $sockpath:$badclient2
 	runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
-	removesocket $sockpath
+	removesockets $sockpath $client_sockpath
 
 	if [ -n "$af_unix" ] ; then
 		# FAIL - client w/o af_unix access
 
 		genprofile $server -- image=$client $sockpath:$okclient
 		runchecktest "$testdesc; confined client w/o af_unix" fail $args
-		removesocket $sockpath
+		removesockets $sockpath $client_sockpath
 	fi
 
 	removeprofile
-- 
2.1.0

More information about the AppArmor mailing list