[apparmor] [PATCH 2/2] tests: Verify delegation of fd inheritance
Tyler Hicks
tyhicks at canonical.com
Fri Aug 9 01:57:21 UTC 2013
Add a new set of tests that verify delegation of file descriptors when they
are inherited across combinations of confined and unconfined processes.
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
tests/regression/apparmor/Makefile | 3 ++
tests/regression/apparmor/fd_inheritance.c | 59 ++++++++++++++++++++++
tests/regression/apparmor/fd_inheritance.sh | 76 +++++++++++++++++++++++++++++
tests/regression/apparmor/fd_inheritor.c | 61 +++++++++++++++++++++++
4 files changed, 199 insertions(+)
create mode 100644 tests/regression/apparmor/fd_inheritance.c
create mode 100755 tests/regression/apparmor/fd_inheritance.sh
create mode 100644 tests/regression/apparmor/fd_inheritor.c
diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile
index 2021f51..e686ddc 100644
--- a/tests/regression/apparmor/Makefile
+++ b/tests/regression/apparmor/Makefile
@@ -33,6 +33,8 @@ SRC=access.c \
fchgrp.c \
fchmod.c \
fchown.c \
+ fd_inheritance.c \
+ fd_inheritor.c \
fork.c \
link.c \
link_subset.c \
@@ -123,6 +125,7 @@ TESTS=access \
exec \
exec_qual \
fchdir \
+ fd_inheritance \
fork \
i18n \
link \
diff --git a/tests/regression/apparmor/fd_inheritance.c b/tests/regression/apparmor/fd_inheritance.c
new file mode 100644
index 0000000..43d7a14
--- /dev/null
+++ b/tests/regression/apparmor/fd_inheritance.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2013
+ * Canonical, Ltd. (All rights reserved)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, contact Novell, Inc. or Canonical
+ * Ltd.
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define BUF_LEN 128
+#define FD_STR_LEN 4
+
+int main(int argc, char *argv[])
+{
+ char buf[BUF_LEN + 1], fd_str[FD_STR_LEN + 1];
+ int fd, rc;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage: %s <file> <exec>\n", argv[0]);
+ exit(1);
+ }
+
+ fd = open(argv[1], O_RDONLY);
+ if (fd < 0) {
+ perror("FAIL - open");
+ exit(1);
+ }
+
+ memset(buf, 0, sizeof(buf));
+ rc = read(fd, buf, BUF_LEN);
+ if (rc < 0) {
+ perror("FAIL - read");
+ exit(1);
+ }
+
+ memset(fd_str, 0, sizeof(fd_str));
+ snprintf(fd_str, FD_STR_LEN, "%d", fd);
+ execl(argv[2], argv[2], fd_str, buf, NULL);
+
+ perror("FAIL - execl");
+ exit(1);
+}
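Review bot: The open() at the top of main relies on the descriptor surviving the execl() below, which only holds because O_CLOEXEC is not set, yet nothing says so; a later cleanup that adds O_CLOEXEC would silently turn every pass case into a failure. Add a comment on the open() line such as `/* no O_CLOEXEC on purpose: the fd must survive execl() so the inheritor can exercise it */`. The snprintf() bound should also be `sizeof(fd_str)` with its return value checked, since FD_STR_LEN silently truncates any fd of four or more digits and the inheritor would then lseek()/read() on a different descriptor: `if (snprintf(fd_str, sizeof(fd_str), "%d", fd) >= (int)sizeof(fd_str)) { fprintf(stderr, "FAIL - fd number too long\n"); exit(1); }`. A short read() is accepted without comment as well; unlikely on a regular file, but a note that the inheritor must read exactly the same BUF_LEN prefix for the strcmp() to be meaningful would help the next reader.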
diff --git a/tests/regression/apparmor/fd_inheritance.sh b/tests/regression/apparmor/fd_inheritance.sh
new file mode 100755
index 0000000..1356ae8
--- /dev/null
+++ b/tests/regression/apparmor/fd_inheritance.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+#
+# Copyright (c) 2013
+# Canonical, Ltd. (All rights reserved)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Novell, Inc. or Canonical
+# Ltd.
+#
+
+#=NAME fd_inheritance
+#=DESCRIPTION
+# This test verifies that file descriptor inheritance results in the expected
+# delegation, or lack thereof, between various combinations of confined and
+# unconfined processes.
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+file=$tmpdir/file
+inheritor=$bin/fd_inheritor
+okperm=r
+badperm=w
+
+cat > $file << EOF
+0a7eb75b2a54eaf86aa8d7b4c6cc945c
+70a2265ba96d962d993c97689ff09904
+d3e773e2a4a0cc9d7e28eb217a4241ce
+1437d6c55ef788d3bcd27ab14e9382a9
+EOF
+
+runchecktest "fd inheritance; unconfined -> unconfined" pass $file $inheritor
+
+genprofile $file:$okperm $inheritor:Ux
+runchecktest "fd inheritance; confined -> unconfined" pass $file $inheritor
+
+genprofile $file:$badperm $inheritor:Ux
+runchecktest "fd inheritance; confined (bad perm) -> unconfined" fail $file $inheritor
+
+genprofile $inheritor:Ux
+runchecktest "fd inheritance; confined (no perm) -> unconfined" fail $file $inheritor
+
+genprofile image=$inheritor $file:$okperm
+runchecktest "fd inheritance; unconfined -> confined" pass $file $inheritor
+
+genprofile image=$inheritor
+runchecktest "fd inheritance; unconfined -> confined (no perm)" pass $file $inheritor
+
+genprofile $file:$okperm $inheritor:Px -- image=$inheritor $file:$okperm
+runchecktest "fd inheritance; confined -> confined" pass $file $inheritor
+
+genprofile $file:$badperm $inheritor:Px -- image=$inheritor $file:$okperm
+runchecktest "fd inheritance; confined (bad perm) -> confined" fail $file $inheritor
+
+genprofile $inheritor:Px -- image=$inheritor $file:$okperm
+runchecktest "fd inheritance; confined (no perm) -> confined" fail $file $inheritor
+
+genprofile $file:$okperm $inheritor:Px -- image=$inheritor $file:$badperm
+runchecktest "fd inheritance; confined -> confined (bad perm)" fail $file $inheritor
+
+genprofile $file:$okperm $inheritor:Px -- image=$inheritor
+runchecktest "fd inheritance; confined -> confined (no perm)" fail $file $inheritor
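Review bot: The "confined (bad perm)" and "confined (no perm)" parent cases expect fail, but with a profile that grants only w (or nothing) on $file the parent's open(O_RDONLY) in fd_inheritance.c is presumably denied before execl() ever runs, so those four cases exercise ordinary file mediation rather than fd delegation, which is not what their descriptions suggest. Either say so in a comment above them, e.g. `# parent cannot open the file at all, so these fail before any fd is delegated`, or drop them in favour of the cases where a legitimately opened fd actually crosses the confinement boundary. The heredoc writes 4 x 33 = 132 bytes while both C helpers compare only the first BUF_LEN (128) bytes; that works because both sides read the same prefix, but a one-line comment next to the heredoc would make it clear the tail is intentionally not checked. The `$file` and `$inheritor` expansions are unquoted, which is fine only as long as $tmpdir never contains whitespace.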
diff --git a/tests/regression/apparmor/fd_inheritor.c b/tests/regression/apparmor/fd_inheritor.c
new file mode 100644
index 0000000..dbae6fd
--- /dev/null
+++ b/tests/regression/apparmor/fd_inheritor.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2013
+ * Canonical, Ltd. (All rights reserved)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, contact Novell, Inc. or Canonical
+ * Ltd.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#define BUF_LEN 128
+
+int main(int argc, char *argv[])
+{
+ char buf[BUF_LEN + 1];
+ int fd, rc;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage: %s <fd#> <contents>\n", argv[0]);
+ exit(1);
+ }
+
+ fd = atoi(argv[1]);
+
+ rc = lseek(fd, 0, SEEK_SET);
+ if (rc) {
+ perror("FAIL INHERITOR - lseek");
+ exit(1);
+ }
+
+ memset(buf, 0, sizeof(buf));
+ rc = read(fd, buf, BUF_LEN);
+ if (rc < 0) {
+ perror("FAIL INHERITOR - read");
+ exit(1);
+ }
+
+ if (strcmp(argv[2], buf)) {
+ fprintf(stderr,
+ "FAIL INHERITOR - expected \"%s\" but read \"%s\"\n",
+ argv[2], buf);
+ exit(1);
+ }
+
+ printf("PASS\n");
+ exit(0);
+}
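Review bot: The lseek() result is stored in an int and treated as an error whenever it is non-zero, which is correct only because the target offset happens to be 0; test the documented failure value instead, `if (lseek(fd, 0, SEEK_SET) == (off_t)-1) {`, so the check stays right if the offset ever changes. atoi() on argv[1] turns a malformed fd string into 0 silently, after which the program reads stdin and reports a misleading "expected ... but read" mismatch; `errno = 0; fd = (int)strtol(argv[1], &end, 10); if (end == argv[1] || *end || errno || fd < 0) { fprintf(stderr, "FAIL INHERITOR - bad fd\n"); exit(1); }` with `#include <errno.h>` makes that failure mode explicit. Since this program's exit status is what the shell driver turns into pass/fail, a comment on the read() stating that it is the access the policy is expected to allow or deny for the inherited descriptor would help; confirm against the kernel side before asserting which call is mediated.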
--
1.8.3.2