[apparmor] [PATCH v3 9/7] tests: Add negative tests for missing individual AF_UNIX pathname perms
Tyler Hicks
tyhicks at canonical.com
Mon Sep 29 23:56:08 UTC 2014
Iterate through the individual client and server AF_UNIX pathname
permissions and remove them, one-by-one, to verify that the test fails.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
* New patch to address feedback from sbeattie
tests/regression/apparmor/unix_socket_pathname.sh | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 30b743c..344c86d 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -78,6 +78,7 @@ testsocktype()
local testdesc="AF_UNIX pathname socket ($socktype)"
local args="$sockpath $socktype $message $client"
local af_unix
+ local af_unix_access
removesockets $sockpath $client_sockpath
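Review bot: The added `local af_unix_access` does not match the variable the new loops use. Both `for` loops in the later hunks iterate with `access`, so `af_unix_access` is never referenced in the visible lines, and `access` is assigned without a `local`, which leaves it set in the caller's scope after testsocktype returns. Either declare `local access` here or rename the loop variable to `af_unix_access` in both loops. testsocktype's body starts and ends outside the hunk, so a use of `af_unix_access` elsewhere cannot be ruled out from here.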
@@ -125,6 +126,17 @@ testsocktype()
genprofile $sockpath:$okserver $client:Ux
runchecktest "$testdesc; confined server w/o af_unix" fail $args
removesockets $sockpath $client_sockpath
+
+ # Split the list of AF_UNIX accesses up at the ',' characters
+ # so that they can be iterated through. Remove each access,
+ # one-by-one, and verify that the test fails.
+ for access in ${af_unix_okserver//,/ }; do
+ # FAIL - server w/ a missing af_unix access
+
+ genprofile $sockpath:$okserver "unix:(${af_unix_okserver//$access/})" $client:Ux
+ runchecktest "$testdesc; confined server w/ a missing af_unix access ($access)" fail $args
+ removesockets $sockpath $client_sockpath
+ done
fi
server="$sockpath:$okserver $client_sockpath:$okserver $af_unix $client:px"
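Review bot: `${af_unix_okserver//$access/}` in the genprofile line deletes the access name as a substring and leaves its comma behind, so the generated rule can carry a leading, trailing or doubled comma, and an access name contained in a longer one would be cut out of both. Whether genprofile and the parser accept such a list is not visible here. If they reject it, the expected `fail` would come from a profile that never loaded rather than from the missing permission, and the negative test would pass without exercising AF_UNIX mediation. Rebuilding the list from whole elements avoids both problems, as sketched below; the helper variables `remaining` and `kept` would need `local` declarations at the top of testsocktype, which lies outside this hunk. The client loop in the next hunk has the same construct with `af_unix_okclient` and needs the same change.

```shell
for access in ${af_unix_okserver//,/ }; do
	# Rebuild the list from whole elements so that no stray ','
	# is left and only an exact match of $access is dropped.
	remaining=""
	for kept in ${af_unix_okserver//,/ }; do
		[ "$kept" = "$access" ] || remaining="${remaining:+$remaining,}$kept"
	done

	genprofile $sockpath:$okserver "unix:($remaining)" $client:Ux
	# … unchanged: runchecktest and removesockets …
done
```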
@@ -167,6 +179,17 @@ testsocktype()
genprofile $server -- image=$client $sockpath:$okclient
runchecktest "$testdesc; confined client w/o af_unix" fail $args
removesockets $sockpath $client_sockpath
+
+ # Split the list of AF_UNIX accesses up at the ',' characters
+ # so that they can be iterated through. Remove each access,
+ # one-by-one, and verify that the test fails.
+ for access in ${af_unix_okclient//,/ }; do
+ # FAIL - client w/ a missing af_unix access
+
+ genprofile $server -- image=$client $sockpath:$okclient "unix:(${af_unix_okclient//$access/})"
+ runchecktest "$testdesc; confined client w/ a missing af_unix access ($access)" fail $args
+ removesockets $sockpath $client_sockpath
+ done
fi
removeprofile
--
2.1.0