[apparmor] [PATCH v3 4/7] tests: Test the getattr permission in unix_socket_client

Steve Beattie steve at nxnw.org
Thu Sep 25 10:19:08 UTC 2014


On Mon, Sep 22, 2014 at 07:09:14PM -0500, Tyler Hicks wrote:
> The client will now do a getsockname() on its socket in order to test
> the AppArmor 'getattr' unix rule permission.
> 
> Signed-off-by: Tyler Hicks <tyhicks at canonical.com>

Acked-by: Steve Beattie <steve at nxnw.org>

Though I'd like to see a couple of future changes:

1) only the client needs the getattr permission, would be better to only
   grant it there.

2) negative test for the getattr permission on the client.

Thanks.

> diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
> index af73593..78f62b4 100755
> --- a/tests/regression/apparmor/unix_socket_pathname.sh
> +++ b/tests/regression/apparmor/unix_socket_pathname.sh
> @@ -49,9 +49,10 @@ fi
>  # af_unix support requires 'unix create' to call socket()
>  # af_unix support requires 'unix getopt' to call getsockopt()
>  # af_unix support requires 'unix setopt' to call setsockopt()
> +# af_unix support requires 'unix getattr' to call getsockname()
>  af_unix=
>  if [ "$(have_features network/af_unix)" == "true" ] ; then
> -	af_unix="unix:(create,getopt,setopt)"
> +	af_unix="unix:(create,getopt,setopt,getattr)"
>  fi
>  
>  okclient=rw
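
Review bot: getattr is appended to the single shared af_unix string ("unix:(create,getopt,setopt,getattr)"), so every rule built from that variable gains the permission, while the commit message says only the client calls getsockname(). Consider keeping af_unix as it was and adding a separate client-only string that carries getattr, so the other side of the test keeps running with the narrower set. The new comment line could also say that it is the client that needs 'unix getattr'. Nothing in this hunk exercises the denial path: a case where the client's rule omits getattr and the test expects getsockname() to fail would show that the permission is actually mediated.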



-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/