[apparmor] [PATCH] tests: getopt is not required for bound AF_UNIX pathname sockets

Tyler Hicks tyhicks at canonical.com
Tue Sep 30 23:49:08 UTC 2014


Bug: https://bugs.launchpad.net/bugs/1375516

The unix_socket test program calls getsockopt() after calling bind().
Because AppArmor continues to use traditional file rules for sockets
bound to a filesystem path, it does not mediate some socket operations
after the socket has been bound to the filesystem path. The getopt
permission is one of those socket operations.

To account for this lack of mediation, the getopt permission should be
removed from the server permissions list.

Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 tests/regression/apparmor/unix_socket_pathname.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index 344c86d..2fefcc9 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -53,7 +53,7 @@ fi
 af_unix_okserver=
 af_unix_okclient=
 if [ "$(have_features network/af_unix)" == "true" ] ; then
-	af_unix_okserver="create,getopt,setopt"
+	af_unix_okserver="create,setopt"
 	af_unix_okclient="create,getopt,setopt,getattr"
 fi
 
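Review bot: the asymmetry this leaves between af_unix_okserver (now "create,setopt") and af_unix_okclient (still "create,getopt,setopt,getattr") is explained nowhere in the script; add a comment at the af_unix_okserver assignment that states the reason from the commit message (getopt is not mediated once the socket is bound to a filesystem path) and references https://bugs.launchpad.net/bugs/1375516, so a later editor does not "restore" getopt to make the two lists match. The hunk also changes only the expected-pass rule set; it does not add a run that confirms getopt is really unnecessary for the server, so the claim rests on the bug report rather than on the test itself.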
-- 
2.1.0
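The sequence the commit message describes (create an AF_UNIX socket, bind it to a filesystem path, then call getsockopt() on the bound socket) as a stand-alone C program. This is an added example, not code from the AppArmor test suite or from the patch; the function name bound_getopt, the socket path and the choice of SO_RCVBUF as the option queried are assumptions made here. Run unconfined it simply succeeds; run under a profile that grants the server only the create and setopt unix permissions, it is the operation the patch expects to pass anyway.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/*
 * Create a pathname AF_UNIX stream socket, bind it to `path`, then call
 * getsockopt() on the bound socket, mirroring the order of operations in
 * the unix_socket test program. Returns 0 when getsockopt() succeeds,
 * -1 on any failure (errno is left set by the failing call).
 * Example helper (hypothetical name), not part of the AppArmor tests.
 */
int bound_getopt(const char *path)
{
    struct sockaddr_un addr;
    int fd, val, rc;
    socklen_t len = sizeof val;

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);

    /* A stale socket file from an earlier run would make bind() fail. */
    unlink(path);

    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(fd);
        return -1;
    }

    /* The getopt step: queried after bind(), as in the test program. */
    rc = getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &val, &len);

    close(fd);
    unlink(path);
    return rc == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample path; any writable location works. */
    const char *path = "/tmp/aa_getopt_example.sock";

    if (bound_getopt(path) == 0)
        puts("getsockopt() on bound pathname socket: ok");
    else
        perror("bound_getopt");
    return 0;
}
```

To reproduce the situation in the bug, confine the binary with a profile whose unix rule omits getopt (the server list in the patched script is "create,setopt"); if the call still returns 0, the socket operation was not mediated after bind(), which is what the patch relies on.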