[apparmor] [PATCH v2 04/11] tests: Update unix_socket_pathname.sh socket tests for v7
Steve Beattie
steve at nxnw.org
Tue Sep 16 21:22:57 UTC 2014
On Mon, Sep 15, 2014 at 02:55:57PM -0500, Tyler Hicks wrote:
> The AppArmor kernel ABI v7 requires that a 'unix create,' rule be
> granted to confined processes that call socket(AF_UNIX, type, 0). This
> is true for pathname, abstract, and unnamed UNIX domain sockets since
> the address type of a socket is not yet known when socket(2) is called.
>
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> ---
> tests/regression/apparmor/unix_socket_pathname.sh | 40 ++++++++++++++++++-----
> 1 file changed, 32 insertions(+), 8 deletions(-)
>
> diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
> index b6f6b69..45d74b9 100755
> --- a/tests/regression/apparmor/unix_socket_pathname.sh
> +++ b/tests/regression/apparmor/unix_socket_pathname.sh
> @@ -92,35 +98,53 @@ testsocktype()
> if [ -n "$badserver2" ] ; then
> # FAIL - server w/ bad access to the file
>
> - genprofile $sockpath:$badserver2 $client:Ux
> + genprofile $sockpath:$badserver2 $af_unix $client:Ux
> runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
> removesocket $sockpath
> fi
>
> + if [ -n "$af_unix" ] ; then
> + # FAIL - server w/o af_unix access
> +
> + genprofile $sockpath:$okserver $client:Ux
> + runchecktest "$testdesc; confined server w/o af_unix" fail $args
> + removesockets $sockpath
s/removesockets/removesocket/ here. With that,
Acked-by: Steve Beattie <steve at nxnw.org>
> + fi
> +
> + server="$sockpath:$okserver $af_unix $client:px"
> +
> # PASS - client w/ access to the file
>
> - genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
> + genprofile $server -- image=$client $sockpath:$okclient $af_unix
> runchecktest "$testdesc; confined client w/ access ($okclient)" pass $args
> removesocket $sockpath
>
> # FAIL - client w/o access to the file
>
> - genprofile $sockpath:$okserver $client:px -- image=$client
> + genprofile $server -- image=$client $af_unix
> runchecktest "$testdesc; confined client w/o access" fail $args
> removesocket $sockpath
>
> # FAIL - client w/ bad access to the file
>
> - genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient1
> + genprofile $server -- image=$client $sockpath:$badclient1 $af_unix
> runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args
> removesocket $sockpath
>
> # FAIL - client w/ bad access to the file
>
> - genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient2
> + genprofile $server -- image=$client $sockpath:$badclient2
> runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
> removesocket $sockpath
>
> + if [ -n "$af_unix" ] ; then
> + # FAIL - client w/o af_unix access
> +
> + genprofile $server -- image=$client $sockpath:$okclient
> + runchecktest "$testdesc; confined client w/o af_unix" fail $args
> + removesocket $sockpath
> + fi
> +
> removeprofile
> }
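Review bot: The "client w/ bad access ($badclient2)" case is the only pre-existing client test whose new genprofile line does not end in $af_unix: `genprofile $server -- image=$client $sockpath:$badclient2`. The okclient, no-access and badclient1 cases all append it. If $af_unix expands to the 'unix create,' rule the commit message describes, then on a v7 kernel this client would be refused at socket(AF_UNIX, type, 0) and the test would still report the expected "fail" without ever exercising the $badclient2 file permission. Suggest appending $af_unix to that line so the failure is attributable to the path access alone, which leaves the new "confined client w/o af_unix" block as the single client case that omits it.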
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/