[apparmor] [patch] tests: fix socketpair tests for added af_unix crosscheck

Steve Beattie steve at nxnw.org
Thu Sep 18 06:32:10 UTC 2014


The new af_unix apparmor kernel patches include the first step towards
implicit labeling. As a result, when a file descriptor is inherited
across one profile boundary to another, both labels' policies are
checked for valid access to the file descriptor. However, due to a quirk
in the Linux kernel, when a socket is opened, the file descriptor is
marked as having read and write (aka send and receive) access. When the
crosscheck revalidation occurs, this means that the policy being
inherited from requires read/write access to the socket descriptor, even
if the process never reads or writes to it. This resulted in a few
failures in the socketpair tests.

The following patch adjusts the failing tests to include the necessary
send and receive permissions, as well as adding additional tests that
are expected to fail when they are not present, to try to ensure that
if our crosscheck behavior changes, we catch it.

Signed-off-by: Steve Beattie <steve at nxnw.org>
---
 tests/regression/apparmor/socketpair.sh |   27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

Index: b/tests/regression/apparmor/socketpair.sh
===================================================================
--- a/tests/regression/apparmor/socketpair.sh
+++ b/tests/regression/apparmor/socketpair.sh
@@ -31,12 +31,14 @@ exec="/proc/*/attr/exec:w"
 np1="new_profile_1"
 np2="new_profile_2"
 af_unix_create=""
+af_unix_create_label=""
 af_unix_inherit=""
 
 if [ "$(have_features network/af_unix)" == "true" ]; then
 	# AppArmor requires that the process inheriting the sock file
 	# descriptors have send,receive perms in its profile
 	af_unix_create="unix:(create,getopt)"
+	af_unix_create_label="unix:(send,receive)"
 	af_unix_inherit="unix:(getopt,send,receive)"
 fi
 
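Review bot: the comment above af_unix_create ("AppArmor requires that the process inheriting the sock file descriptors have send,receive perms in its profile") no longer tells the whole story once af_unix_create_label adds send,receive to the creating profile as well; extend it to say that, because of the label crosscheck, the parent profile that creates and passes the pair also needs send,receive, which is what af_unix_create_label supplies. The name af_unix_create_label also reads as if it were an extension of the create permission rather than a crosscheck requirement; a name such as af_unix_crosscheck would make the relationship clearer.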
@@ -68,9 +70,19 @@ genprofile flag:audit $af_unix_create
 do_test "complain" pass "$test" "enforce"
 
 # Ensure correct labeling after passing fd pair across exec
-genprofile $af_unix_create $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
+# NOTE: due to label crosscheck, parent needs 'rw' access
+genprofile $af_unix_create ${af_unix_create_label} $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
 do_test "confined exec transition" pass "$test" "enforce" "$np1"
 
+# af_unix_create is set to non-null at the top of the test script if
+# the kernel advertises supporting unix sockets
+if [ -n "${af_unix_create}" ] ; then
+	# Ensure label crosscheck still requires parent needs' rw' access
+	# after passing fd pair across exec
+	genprofile $af_unix_create $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
+	do_test "confined exec transition, crosscheck rejection" fail "$test" "enforce" "$np1"
+fi
+
 # Ensure correct labeling after passing fd pair across a no-transition exec
 # NOTE: The test still calls aa_change_onexec(), so change_profile -> $test
 #       is still needed
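Review bot: the comment `# Ensure label crosscheck still requires parent needs' rw' access` has a misplaced quote and a stray word; it should read `# Ensure label crosscheck still requires parent to have 'rw' access`. It would also help to state in that comment that this `fail` test is the deliberate counterpart of the `pass` test directly above it (same genprofile line minus ${af_unix_create_label}), so that a future reader does not "fix" the failure by adding the permission back.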
@@ -83,12 +95,21 @@ genprofile flag:complain $af_unix_create
 do_test "confined exec transition from complain" pass "$test" "complain" "$np1"
 
 # Ensure correct enforce mode after passing fd pair across exec
-genprofile $af_unix_create $exec 'change_profile->':$np1 -- \
+genprofile $af_unix_create ${af_unix_create_label} $exec 'change_profile->':$np1 -- \
 	   image=$np1 addimage:$test flag:complain $af_unix_inherit
 do_test "confined exec transition to complain" pass "$test" "enforce" "$np1"
 
+# af_unix_create is set to non-null at the top of the test script if
+# the kernel advertises supporting unix sockets
+if [ -n "${af_unix_create}" ] ; then
+	# Ensure label crosscheck enforced in complain mode after passing fd pair across exec
+	genprofile $af_unix_create $exec 'change_profile->':$np1 -- \
+		   image=$np1 addimage:$test flag:complain $af_unix_inherit
+	do_test "confined exec transition to complain, crosscheck rejection" fail "$test" "enforce" "$np1"
+fi
+
 # Ensure correct labeling after passing fd pair across 2 execs
-gp_args="$af_unix_create $exec change_profile->:$np1 -- \
+gp_args="$af_unix_create ${af_unix_create_label} $exec change_profile->:$np1 -- \
 	 image=$np1 addimage:$test $af_unix_inherit $exec change_profile->:$np2 -- \
 	 image=$np2 addimage:$test $af_unix_inherit"
 genprofile $gp_args
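Review bot: the comment `# Ensure label crosscheck enforced in complain mode after passing fd pair across exec` is misleading: in this test the parent profile is in enforce mode and only the $np1 image carries flag:complain, and the expected rejection comes from the enforce-mode parent lacking send,receive, not from complain mode enforcing anything. Reword along the lines of `# Ensure crosscheck still rejects an enforce-mode parent without send,receive when the target profile is in complain mode`. The guard comment (`af_unix_create is set to non-null at the top of the test script ...`) is now duplicated verbatim from the earlier hunk; a one-line reference to the first explanation would suffice.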
-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/