[apparmor] [PATCH 2/4] tests: Update socketpair.sh for af_unix mediation

Tyler Hicks tyhicks at canonical.com
Thu Sep 11 02:12:37 UTC 2014 

On 2014-09-10 18:31:27, Seth Arnold wrote:
> On Thu, Sep 04, 2014 at 05:43:22PM -0500, Tyler Hicks wrote:
> > Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
> 
> Acked-by: Seth Arnold <seth.arnold at canonical.com>

Thanks!

> 
> Is the 'getopt' permission in af_unix_create still necessary?

It is. The server and client programs both call getsockopt() on their
respective sockets.

Tyler

> 
> Thanks
> 
> > ---
> >  tests/regression/apparmor/socketpair.sh | 39 ++++++++++++++++++++-------------
> >  1 file changed, 24 insertions(+), 15 deletions(-)
> > 
> > diff --git a/tests/regression/apparmor/socketpair.sh b/tests/regression/apparmor/socketpair.sh
> > index 8af3be2..802657c 100755
> > --- a/tests/regression/apparmor/socketpair.sh
> > +++ b/tests/regression/apparmor/socketpair.sh
> > @@ -30,6 +30,15 @@ do_test()
> >  exec="/proc/*/attr/exec:w"
> >  np1="new_profile_1"
> >  np2="new_profile_2"
> > +af_unix_create=""
> > +af_unix_inherit=""
> > +
> > +if [ "$(have_features network/af_unix)" == "true" ]; then
> > +	# AppArmor requires that the process inheriting the sock file
> > +	# descriptors have send,receive perms in its profile
> > +	af_unix_create="unix:(create,getopt)"
> > +	af_unix_inherit="unix:(getopt,send,receive)"
> > +fi
> >  
> >  # Ensure everything works as expected when unconfined
> >  do_test "unconfined" pass "unconfined" "(null)"
> > @@ -39,7 +48,7 @@ do_test "unconfined bad con" fail "uncon" "(null)"
> >  do_test "unconfined bad mode" fail "unconfined" "(null)XXX"
> >  
> >  # Ensure correct labeling under confinement
> > -genprofile
> > +genprofile $af_unix_create
> >  do_test "confined" pass "$test" "enforce"
> >  
> >  # Test the test
> > @@ -47,41 +56,41 @@ do_test "confined bad con" fail "/bad${test}" "enforce"
> >  do_test "confined bad mode" fail "$test" "inforce"
> >  
> >  # Ensure correct mode when using the complain flag
> > -genprofile flag:complain
> > +genprofile flag:complain $af_unix_create
> >  do_test "complain" pass "$test" "complain"
> >  
> >  # Test the test
> > -genprofile flag:complain
> > +genprofile flag:complain $af_unix_create
> >  do_test "complain bad mode" fail "$test" "enforce"
> >  
> >  # Ensure correct mode when using the audit flag
> > -genprofile flag:audit
> > +genprofile flag:audit $af_unix_create
> >  do_test "complain" pass "$test" "enforce"
> >  
> >  # Ensure correct labeling after passing fd pair across exec
> > -genprofile $exec 'change_profile->':$np1 -- image=$np1 addimage:$test
> > +genprofile $af_unix_create $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit
> >  do_test "confined exec transition" pass "$test" "enforce" "$np1"
> >  
> >  # Ensure correct labeling after passing fd pair across a no-transition exec
> >  # NOTE: The test still calls aa_change_onexec(), so change_profile -> $test
> >  #       is still needed
> > -genprofile $exec 'change_profile->':$test
> > +genprofile $af_unix_create $exec 'change_profile->':$test
> >  do_test "confined exec no transition" pass "$test" "enforce" "$test"
> >  
> >  # Ensure correct complain mode after passing fd pair across exec
> > -genprofile flag:complain $exec 'change_profile->':$np1 -- \
> > -	   image=$np1 addimage:$test
> > +genprofile flag:complain $af_unix_create $exec 'change_profile->':$np1 -- \
> > +	   image=$np1 addimage:$test $af_unix_inherit
> >  do_test "confined exec transition from complain" pass "$test" "complain" "$np1"
> >  
> >  # Ensure correct enforce mode after passing fd pair across exec
> > -genprofile $exec 'change_profile->':$np1 -- \
> > -	   image=$np1 addimage:$test flag:complain
> > +genprofile $af_unix_create $exec 'change_profile->':$np1 -- \
> > +	   image=$np1 addimage:$test flag:complain $af_unix_inherit
> >  do_test "confined exec transition to complain" pass "$test" "enforce" "$np1"
> >  
> >  # Ensure correct labeling after passing fd pair across 2 execs
> > -gp_args="$exec change_profile->:$np1 -- \
> > -	 image=$np1 addimage:$test $exec change_profile->:$np2 -- \
> > -	 image=$np2 addimage:$test"
> > +gp_args="$af_unix_create $exec change_profile->:$np1 -- \
> > +	 image=$np1 addimage:$test $af_unix_inherit $exec change_profile->:$np2 -- \
> > +	 image=$np2 addimage:$test $af_unix_inherit"
> >  genprofile $gp_args
> >  do_test "confined 2 exec transitions" pass "$test" "enforce" "$np1" "$np2"
> >  
> > @@ -90,9 +99,9 @@ do_test "confined 2 exec transitions bad con" fail "$test" "enforce" "$np1" "$np
> >  do_test "confined 2 exec transitions bad mode" fail "$test" "complain" "$np1" "$np2"
> >  
> >  # Ensure correct labeling after passing fd pair across exec to unconfined
> > -genprofile $exec 'change_profile->':unconfined
> > +genprofile $af_unix_create $exec 'change_profile->':unconfined
> >  do_test "confined exec transition to unconfined" pass "$test" "enforce" "unconfined"
> >  
> >  # Ensure correct labeling after passing fd pair across exec from unconfined
> > -genprofile image=$np1 addimage:$test
> > +genprofile image=$np1 addimage:$test $af_unix_inherit
> >  do_test "unconfined exec transition ton confined" pass "unconfined" "(null)" "$np1"
> > -- 
> > 2.1.0
> > 
> > 
> > -- 
> > AppArmor mailing list
> > AppArmor at lists.ubuntu.com
> > Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
> > 



> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140910/4269cee2/attachment-0001.pgp>

More information about the AppArmor mailing list