[apparmor] [PATCH v3 8/7] tests: Separate client and server AF_UNIX pathname permissions
Tyler Hicks
tyhicks at canonical.com
Mon Sep 29 23:56:07 UTC 2014
The client and server programs require a different set of AF_UNIX
permissions. This patch makes it so that the unix rules are constructed
differently depending on the program under test.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
* New patch to address feedback from sbeattie
tests/regression/apparmor/unix_socket_pathname.sh | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 78f62b4..30b743c 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -50,9 +50,11 @@ fi
# af_unix support requires 'unix getopt' to call getsockopt()
# af_unix support requires 'unix setopt' to call setsockopt()
# af_unix support requires 'unix getattr' to call getsockname()
-af_unix=
+af_unix_okserver=
+af_unix_okclient=
if [ "$(have_features network/af_unix)" == "true" ] ; then
- af_unix="unix:(create,getopt,setopt,getattr)"
+ af_unix_okserver="create,getopt,setopt"
+ af_unix_okclient="create,getopt,setopt,getattr"
fi
okclient=rw
@@ -75,6 +77,7 @@ testsocktype()
local socktype=$1 # stream, dgram, or seqpacket
local testdesc="AF_UNIX pathname socket ($socktype)"
local args="$sockpath $socktype $message $client"
+ local af_unix
removesockets $sockpath $client_sockpath
@@ -83,6 +86,10 @@ testsocktype()
runchecktest "$testdesc; unconfined" pass $args
removesockets $sockpath $client_sockpath
+ if [ -n "$af_unix_okserver" ]; then
+ af_unix="unix:(${af_unix_okserver})"
+ fi
+
# PASS - server w/ access to the file
genprofile $sockpath:$okserver $af_unix $client:Ux
@@ -112,7 +119,7 @@ testsocktype()
fi
- if [ -n "$af_unix" ] ; then
+ if [ -n "$af_unix_okserver" ] ; then
# FAIL - server w/o af_unix access
genprofile $sockpath:$okserver $client:Ux
@@ -122,6 +129,14 @@ testsocktype()
server="$sockpath:$okserver $client_sockpath:$okserver $af_unix $client:px"
+ # We are transitioning from testing the server program to testing the
+ # client program. Reset the af_unix variable and, if necessary,
+ # reinitialize it with the needed client permissions.
+ af_unix=
+ if [ -n "$af_unix_okclient" ]; then
+ af_unix="unix:(${af_unix_okclient})"
+ fi
+
# PASS - client w/ access to the file
genprofile $server -- image=$client $sockpath:$okclient $af_unix
@@ -146,7 +161,7 @@ testsocktype()
runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
removesockets $sockpath $client_sockpath
- if [ -n "$af_unix" ] ; then
+ if [ -n "$af_unix_okclient" ] ; then
# FAIL - client w/o af_unix access
genprofile $server -- image=$client $sockpath:$okclient
--
2.1.0
More information about the AppArmor
mailing list