[apparmor] [PATCH v3 8/7] tests: Separate client and server AF_UNIX pathname permissions

Tyler Hicks tyhicks at canonical.com
Mon Sep 29 23:56:07 UTC 2014


The client and server programs require a different set of AF_UNIX
permissions. This patch makes it so that the unix rules are constructed
differently depending on the program under test.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---

* New patch to address feedback from sbeattie

 tests/regression/apparmor/unix_socket_pathname.sh | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 78f62b4..30b743c 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -50,9 +50,11 @@ fi
 # af_unix support requires 'unix getopt' to call getsockopt()
 # af_unix support requires 'unix setopt' to call setsockopt()
 # af_unix support requires 'unix getattr' to call getsockname()
-af_unix=
+af_unix_okserver=
+af_unix_okclient=
 if [ "$(have_features network/af_unix)" == "true" ] ; then
-	af_unix="unix:(create,getopt,setopt,getattr)"
+	af_unix_okserver="create,getopt,setopt"
+	af_unix_okclient="create,getopt,setopt,getattr"
 fi
 
 okclient=rw
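Review bot: The comment block above these assignments still lists `unix getattr` as a general af_unix requirement, but the new `af_unix_okserver` set leaves it out, so a reader cannot tell why the two sets differ. A short comment above the two assignments would cover it, for example `# the server never calls getsockname(), so only the client set carries getattr`. That wording assumes this is the reason for the split, which the hunk itself does not show. Recording the rationale also makes clear that the server profile is deliberately the narrower grant.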
@@ -75,6 +77,7 @@ testsocktype()
 	local socktype=$1 # stream, dgram, or seqpacket
 	local testdesc="AF_UNIX pathname socket ($socktype)"
 	local args="$sockpath $socktype $message $client"
+	local af_unix
 
 	removesockets $sockpath $client_sockpath
 
@@ -83,6 +86,10 @@ testsocktype()
 	runchecktest "$testdesc; unconfined" pass $args
 	removesockets $sockpath $client_sockpath
 
+	if [ -n "$af_unix_okserver" ]; then
+		af_unix="unix:(${af_unix_okserver})"
+	fi
+
 	# PASS - server w/ access to the file
 
 	genprofile $sockpath:$okserver $af_unix $client:Ux
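Review bot: When the kernel lacks network/af_unix this `if` is skipped, and `$af_unix` in the `genprofile` call below relies on the bare `local af_unix` from the previous hunk expanding to nothing. The client path later resets it explicitly with `af_unix=`, so the two paths are inconsistent. Declaring it as `local af_unix=` would make both equally explicit and keep the expansion safe if the harness ever runs with `set -u`. testsocktype's body starts and ends outside this hunk.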
@@ -112,7 +119,7 @@ testsocktype()
 
 	fi
 
-	if [ -n "$af_unix" ] ; then
+	if [ -n "$af_unix_okserver" ] ; then
 		# FAIL - server w/o af_unix access
 
 		genprofile $sockpath:$okserver $client:Ux
@@ -122,6 +129,14 @@ testsocktype()
 
 	server="$sockpath:$okserver $client_sockpath:$okserver $af_unix $client:px"
 
+	# We are transitioning from testing the server program to testing the
+	# client program. Reset the af_unix variable and, if necessary,
+	# reinitialize it with the needed client permissions.
+	af_unix=
+	if [ -n "$af_unix_okclient" ]; then
+		af_unix="unix:(${af_unix_okclient})"
+	fi
+
 	# PASS - client w/ access to the file
 
 	genprofile $server -- image=$client $sockpath:$okclient $af_unix
@@ -146,7 +161,7 @@ testsocktype()
 	runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
 	removesockets $sockpath $client_sockpath
 
-	if [ -n "$af_unix" ] ; then
+	if [ -n "$af_unix_okclient" ] ; then
 		# FAIL - client w/o af_unix access
 
 		genprofile $server -- image=$client $sockpath:$okclient
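Review bot: The only negative client case in this block strips every unix permission, so nothing checks that the client/server split is enforced per permission. A case that gives the client the server's narrower set would pin that down: `genprofile $server -- image=$client $sockpath:$okclient "unix:(${af_unix_okserver})"` followed by `runchecktest "$testdesc; confined client w/o unix getattr" fail $args`. The expected `fail` assumes the client really does call getsockname(), as the comment at the top of the script suggests. The `if` block continues past the end of this hunk, so the new case would sit alongside the existing one inside it.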
-- 
2.1.0



