[apparmor] [patch] tests: fix socketpair tests for added af_unix crosscheck

Tyler Hicks tyhicks at canonical.com
Thu Sep 18 15:43:39 UTC 2014


On 2014-09-17 23:32:10, Steve Beattie wrote:
> The new af_unix apparmor kernel patches include the first step towards
> implicit labeling. As a result, when a file descriptor is inherited
> across one profile boundary to another, both labels' policies are
> checked for valid access to the file descriptor. However, due to a quirk
> in the linux kernel, when a socket is opened, the file descriptor is
> marked as having read and write (aka send and receive) access. When the
> crosscheck revalidation occurs, this means that the policy being
> inherited from requires read/write access to the socket descriptor, even
> if the process never reads or writes to it. This resulted in a few
> failures in the socketpair tests.
> 
> The following patch adjusts the failing tests to include the necessary
> send and receive permissions, as well as adding additional tests that
> are expected to fail when they are not present, to try to ensure that
> if our crosscheck behavior changes, we catch it.
> 
> Signed-off-by: Steve Beattie <steve at nxnw.org>

Acked-by: Tyler Hicks <tyhicks at canonical.com>

Thanks!

> ---
>  tests/regression/apparmor/socketpair.sh |   27 ++++++++++++++++++++++++---
>  1 file changed, 24 insertions(+), 3 deletions(-)
> 
> Index: b/tests/regression/apparmor/socketpair.sh
> ===================================================================
> --- a/tests/regression/apparmor/socketpair.sh
> +++ b/tests/regression/apparmor/socketpair.sh
> @@ -31,12 +31,14 @@ exec="/proc/*/attr/exec:w"
>  np1="new_profile_1"
>  np2="new_profile_2"
>  af_unix_create=""
> +af_unix_create_label=""
>  af_unix_inherit=""
>  
>  if [ "$(have_features network/af_unix)" == "true" ]; then
>  	# AppArmor requires that the process inheriting the sock file
>  	# descriptors have send,receive perms in its profile
>  	af_unix_create="unix:(create,getopt)"
> +	af_unix_create_label="unix:(send,receive)"
>  	af_unix_inherit="unix:(getopt,send,receive)"
>  fi
>  
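Review bot: the new `af_unix_create_label="unix:(send,receive)"` is added without a comment saying what it is for, while the existing comment directly above it ("AppArmor requires that the process inheriting the sock file descriptors have send,receive perms") now reads as if it only describes `af_unix_inherit`. Since this variable exists precisely because the label crosscheck makes the parent (creating) process need send/receive on the inherited fd, a one-line comment on the new assignment, e.g. "# label crosscheck: the parent passing the fds also needs send,receive", would save the next reader from guessing why a "create" variable carries send/receive rather than create. The name itself is also slightly misleading for the same reason; something like `af_unix_parent_label` would match its contents.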
> @@ -68,9 +70,19 @@ genprofile flag:audit $af_unix_create
>  do_test "complain" pass "$test" "enforce"
>  
>  # Ensure correct labeling after passing fd pair across exec
> -genprofile $af_unix_create $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
> +# NOTE: due to label crosscheck, parent needs 'rw' access
> +genprofile $af_unix_create ${af_unix_create_label} $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
>  do_test "confined exec transition" pass "$test" "enforce" "$np1"
>  
> +# af_unix_create is set to non-null at the top of the test script if
> +# the kernel advertises supporting unix sockets
> +if [ -n "${af_unix_create}" ] ; then
> +	# Ensure label crosscheck still requires parent needs' rw' access
> +	# after passing fd pair across exec
> +	genprofile $af_unix_create $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
> +	do_test "confined exec transition, crosscheck rejection" fail "$test" "enforce" "$np1"
> +fi
> +
>  # Ensure correct labeling after passing fd pair across a no-transition exec
>  # NOTE: The test still calls aa_change_onexec(), so change_profile -> $test
>  #       is still needed
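Review bot: the comment in the new negative-test block has misplaced quotes, "parent needs' rw' access" should read "parent needs 'rw' access". Two smaller points on the same block: the guard tests `-n "${af_unix_create}"` although the behaviour under test is the absence of `${af_unix_create_label}`; both are set in the same `if` at the top, so the result is the same, but guarding on `af_unix_create_label` would tie the skip condition to the permission whose omission the test depends on. And the `${af_unix_create_label}` / `$af_unix_create` mix of brace styles in the same genprofile line is inconsistent with the rest of the script, which uses the bare `$var` form.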
> @@ -83,12 +95,21 @@ genprofile flag:complain $af_unix_create
>  do_test "confined exec transition from complain" pass "$test" "complain" "$np1"
>  
>  # Ensure correct enforce mode after passing fd pair across exec
> -genprofile $af_unix_create $exec 'change_profile->':$np1 -- \
> +genprofile $af_unix_create ${af_unix_create_label} $exec 'change_profile->':$np1 -- \
>  	   image=$np1 addimage:$test flag:complain $af_unix_inherit
>  do_test "confined exec transition to complain" pass "$test" "enforce" "$np1"
>  
> +# af_unix_create is set to non-null at the top of the test script if
> +# the kernel advertises supporting unix sockets
> +if [ -n "${af_unix_create}" ] ; then
> +	# Ensure label crosscheck enforced in complain mode after passing fd pair across exec
> +	genprofile $af_unix_create $exec 'change_profile->':$np1 -- \
> +		   image=$np1 addimage:$test flag:complain $af_unix_inherit
> +	do_test "confined exec transition to complain, crosscheck rejection" fail "$test" "enforce" "$np1"
> +fi
> +
>  # Ensure correct labeling after passing fd pair across 2 execs
> -gp_args="$af_unix_create $exec change_profile->:$np1 -- \
> +gp_args="$af_unix_create ${af_unix_create_label} $exec change_profile->:$np1 -- \
>  	 image=$np1 addimage:$test $af_unix_inherit $exec change_profile->:$np2 -- \
>  	 image=$np2 addimage:$test $af_unix_inherit"
>  genprofile $gp_args
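Review bot: the "2 execs" case has `${af_unix_create_label}` added to `gp_args` but, unlike the two single-exec cases above it, gets no matching "crosscheck rejection" test that omits the label and expects `fail`; adding one keeps the double-transition path covered if the crosscheck behaviour changes, which is the stated purpose of the new negative tests. Separately, the comment "Ensure label crosscheck enforced in complain mode" is misleading: in that test the parent profile (`$test`) is in enforce mode and only `$np1` is complain, so the expected rejection comes from the enforcing parent lacking send,receive, not from complain mode enforcing anything. Rewording it to say that the parent's enforce-mode profile is still checked even when the child profile is complain would match what `do_test ... fail "$test" "enforce" "$np1"` actually asserts. The guard block and its two-line comment are now duplicated verbatim in both hunks; a small helper or a single `if` wrapping both negative tests would avoid the copy.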
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/



