[apparmor] [PATCH v2 10/11] tests: Add abstract socket tests
Tyler Hicks
tyhicks at canonical.com
Mon Sep 15 19:56:03 UTC 2014
Tests abstract UNIX domain sockets with various combinations of implied
permissions, explicit permissions, and conditionals. It also tests with
bad permissions and conditionals.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/unix_socket.inc | 179 ++++++++++++++++++++++
tests/regression/apparmor/unix_socket_abstract.sh | 109 +++++++++++++
2 files changed, 288 insertions(+)
create mode 100755 tests/regression/apparmor/unix_socket.inc
create mode 100755 tests/regression/apparmor/unix_socket_abstract.sh
diff --git a/tests/regression/apparmor/unix_socket.inc b/tests/regression/apparmor/unix_socket.inc
new file mode 100755
index 0000000..3131293
--- /dev/null
+++ b/tests/regression/apparmor/unix_socket.inc
@@ -0,0 +1,179 @@
+# Copyright (C) 2014 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Canonical Ltd.
+
+client=$bin/unix_socket_client
+message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
+8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c
+
+test_server()
+{
+ local addr_type="$1" # abstract or unnamed
+ local l_access="$2" # local perms
+ local type="$3" # stream, dgram, or seqpacket
+ local addr="$4" # socket address
+ local p_access="$5" # peer perms
+ local p_label="$6" # client socket label
+ local p_addr="$7" # optional peer socket address
+ local bad_type="$8"
+ local bad_addr="$9"
+ local bad_p_label="${10}"
+ local bad_p_addr="${11}" # optional
+
+ local desc="AF_UNIX $addr_type socket ($type);"
+ local s_access="${l_access},${p_access}" # combined server perms
+ local access # used as an iterator
+ local args="$addr $type $message $client"
+
+ runchecktest "$desc unconfined server" pass $args
+
+ desc+=" confined server"
+
+ genprofile "unix:ALL" $client:Ux
+ runchecktest "$desc (implicit perms)" pass $args
+
+ genprofile "unix:($s_access)" $client:Ux
+ runchecktest "$desc (explicit perms)" pass $args
+
+ genprofile "unix:($s_access):addr=$addr" $client:Ux
+ runchecktest "$desc (addr)" pass $args
+
+ genprofile "unix:($s_access):type=$type" $client:Ux
+ runchecktest "$desc (type)" pass $args
+
+ genprofile "unix:($l_access)" "unix:peer=(label=$p_label)" $client:Ux
+ runchecktest "$desc (peer label w/ implicit perms)" pass $args
+
+ genprofile "unix:($l_access)" "unix:($p_access):peer=(label=$p_label)" $client:Ux
+ runchecktest "$desc (peer label w/ explicit perms)" pass $args
+
+ if [ -n "$p_addr" ]; then
+ genprofile "unix:($l_access)" "unix:($p_access):peer=(addr=$p_addr)" $client:Ux
+ runchecktest "$desc (peer addr)" pass $args
+ fi
+
+ genprofile "unix:($l_access):type=$type:addr=$addr" "unix:($p_access):addr=$addr:peer=(label=$p_label)" $client:Ux
+ runchecktest "$desc (type, addr, peer label)" pass $args
+
+ if [ -n "$p_addr" ]; then
+ genprofile "unix:($l_access):type=$type:addr=$addr" "unix:($p_access):type=$type:addr=$addr:peer=(label=$p_label addr=$p_addr)" $client:Ux
+ runchecktest "$desc (type, addr, peer label, peer addr)" pass $args
+ fi
+
+ genprofile $client:Ux
+ runchecktest "$desc (no unix rule)" fail $args
+
+ for access in ${s_access//,/ }; do
+ genprofile "unix:(${s_access//$access/})" $client:Ux
+ runchecktest "$desc (missing perm: $access)" fail $args
+ done
+
+ genprofile "unix:($s_access):addr=$bad_addr" $client:Ux
+ runchecktest "$desc (bad addr)" fail $args
+
+ genprofile "unix:($s_access):type=$bad_type" $client:Ux
+ runchecktest "$desc (bad type)" fail $args
+
+ genprofile "unix:($l_access)" "unix:($p_access):peer=(label=$bad_p_label)" $client:Ux
+ runchecktest "$desc (bad peer label)" fail $args
+
+ if [ -n "$bad_p_addr" ]; then
+ genprofile "unix:($l_access)" "unix:($p_access):peer=(addr=$bad_p_addr)" $client:Ux
+ runchecktest "$desc (bad peer addr)" fail $args
+ fi
+
+ removeprofile
+}
+
+test_client()
+{
+ local addr_type="$1" # abstract or unnamed
+ local l_access="$2" # local perms
+ local type="$3" # stream, dgram, or seqpacket
+ local addr="$4" # optional socket address
+ local p_access="$5" # peer perms
+ local p_label="$6" # client socket label
+ local p_addr="$7" # peer socket address
+ local bad_type="$8"
+ local bad_addr="$9" # optional
+ local bad_p_label="${10}"
+ local bad_p_addr="${11}"
+
+ local desc="AF_UNIX $addr_type socket ($type);"
+ local c_access="${l_access},${p_access}" # combined client perms
+ local access # used as an iterator
+ local server="unix:ALL $client:px"
+ local args="$p_addr $type $message $client"
+
+ runchecktest "$desc unconfined client" pass $args
+
+ desc+=" confined client"
+
+ genprofile $server -- image=$client "unix:ALL"
+ runchecktest "$desc (implicit perms)" pass $args
+
+ genprofile $server -- image=$client "unix:($c_access)"
+ runchecktest "$desc (explicit perms)" pass $args
+
+ genprofile $server -- image=$client "unix:($c_access):type=$type"
+ runchecktest "$desc (type)" pass $args
+
+ if [ -n "$addr" ]; then
+ genprofile $server -- image=$client "unix:($c_access):addr=$addr"
+ runchecktest "$desc (addr)" pass $args
+ fi
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix::peer=(label=$p_label)"
+ runchecktest "$desc (peer label w/ implicit perms)" pass $args
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(label=$p_label)"
+ runchecktest "$desc (peer label w/ explicit perms)" pass $args
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(addr=$p_addr)"
+ runchecktest "$desc (peer addr)" pass $args
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(label=$p_label addr=$p_addr)"
+ runchecktest "$desc (peer label, peer addr)" pass $args
+
+ genprofile $server -- image=$client "unix:($l_access):type=$type" "unix:($p_access):type=$type:peer=(label=$p_label addr=$p_addr)"
+ runchecktest "$desc (type, peer label, peer addr)" pass $args
+
+ if [ -n "$addr" ]; then
+ genprofile $server -- image=$client "unix:($l_access):type=$type:addr=$addr" "unix:($p_access):type=$type:addr=$addr:peer=(label=$p_label addr=$p_addr)"
+ runchecktest "$desc (type, addr, peer label, peer addr)" pass $args
+ fi
+
+ genprofile $server -- image=$client
+ runchecktest "$desc (no unix rule)" fail $args
+
+ for access in ${c_access//,/ }; do
+ genprofile $server -- image=$client "unix:(${c_access//$access/})"
+ runchecktest "$desc (missing perm: $access)" fail $args
+ done
+
+ genprofile $server -- image=$client "unix:($s_access):type=$bad_type"
+ runchecktest "$desc (bad type)" fail $args
+
+ if [ -n "$bad_addr" ]; then
+ genprofile $server -- image=$client "unix:($s_access):addr=$bad_addr"
+ runchecktest "$desc (bad addr)" fail $args
+ fi
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(label=$bad_p_label)"
+ runchecktest "$desc (bad peer label)" fail $args
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(addr=$bad_p_addr)"
+ runchecktest "$desc (bad peer addr)" fail $args
+
+ removeprofile
+}
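Review bot: In test_client the "bad type" and "bad addr" cases build their rule from `$s_access`, which is only declared as a local in test_server; the combined permission set in test_client is `c_access`. Unless something outside this hunk defines `s_access` globally, those rules expand to `unix:():type=$bad_type` and `unix:():addr=$bad_addr`. The expected `fail` may then come from the empty permission list rather than from the type or address mismatch, so these negative checks would keep passing even if conditional matching regressed. Use `genprofile $server -- image=$client "unix:($c_access):type=$bad_type"` and make the same substitution in the bad addr case. Separately, the implicit-perms peer-label rule is spelled `unix::peer=(label=$p_label)` here but `unix:peer=(label=$p_label)` in test_server; if both spellings are intentional, a short comment saying why would help.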
diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh
new file mode 100755
index 0000000..32ed888
--- /dev/null
+++ b/tests/regression/apparmor/unix_socket_abstract.sh
@@ -0,0 +1,109 @@
+#! /bin/bash
+#
+# Copyright (C) 2014 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Canonical Ltd.
+
+#=NAME unix_socket_pathname
+#=DESCRIPTION
+# This tests access to pathname unix domain sockets. The server opens a socket,
+# forks a client with it's own profile, sends a message to the client over the
+# socket, and sees what happens.
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+. $bin/unix_socket.inc
+requires_features policy/versions/v7
+requires_features network/af_unix
+
+settest unix_socket
+
+addr=@aa_sock
+client_addr=${addr}.client
+
+# Test abstract stream server and client
+test_server "abstract" \
+ "create,bind,listen,getopt,setopt,shutdown" \
+ stream \
+ "$addr" \
+ "accept,read,write" \
+ "unconfined" \
+ "" \
+ dgram \
+ "${addr}XXX" \
+ "XXX" \
+ ""
+test_client "abstract" \
+ "create,getopt,setopt,getattr" \
+ stream \
+ "" \
+ "connect,write,read" \
+ "$test" \
+ "$addr" \
+ seqpacket \
+ "" \
+ "${test}XXX" \
+ "${addr}XXX"
+
+# Test abstract dgram server and client
+test_server "abstract" \
+ "create,bind,getopt,setopt,shutdown" \
+ dgram \
+ "$addr" \
+ "read,write" \
+ "unconfined" \
+ "$client_addr" \
+ seqpacket \
+ "${addr}XXX" \
+ "XXX" \
+ "${client_addr}XXX"
+test_client "abstract" \
+ "create,bind,getopt,setopt,getattr" \
+ dgram \
+ "$client_addr" \
+ "write,read" \
+ "$test" \
+ "$addr" \
+ stream \
+ "${client_addr}XXX" \
+ "${test}XXX" \
+ "${addr}XXX"
+
+# Test abstract seqpacket server and client
+test_server "abstract" \
+ "create,bind,listen,getopt,setopt,shutdown" \
+ seqpacket \
+ "$addr" \
+ "accept,read,write" \
+ "unconfined" \
+ "" \
+ stream \
+ "${addr}XXX" \
+ "XXX" \
+ ""
+test_client "abstract" \
+ "create,getopt,setopt,getattr" \
+ seqpacket \
+ "" \
+ "connect,write,read" \
+ "$test" \
+ "$addr" \
+ dgram \
+ "" \
+ "${test}XXX" \
+ "${addr}XXX"
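Review bot: The `#=NAME` / `#=DESCRIPTION` header still describes the pathname test, although this script sets `addr=@aa_sock` and passes "abstract" to every test_server and test_client call. Suggest `#=NAME unix_socket_abstract` and `# This tests access to abstract unix domain sockets. ...` (also "its own profile" rather than "it's"), so test listings and failure triage point at the right address type. The peer label handed to test_client is `$test`, which is not assigned in this file and presumably comes from `settest` in prologue.inc. A one-line comment such as `# $test is set by settest; it is the server's label as seen by the client` would make clear which label the client rules match against.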
--
2.1.0