From 2f85b775d3b25e8ae7b165b0d01ddb45932a1fb4 Mon Sep 17 00:00:00 2001 From: Tyler Hicks Date: Wed, 10 Sep 2014 21:30:24 -0500 Subject: [PATCH] tests: Update socketpair.sh for af_unix mediation Signed-off-by: Tyler Hicks Acked-by: Seth Arnold --- tests/regression/apparmor/socketpair.sh | 39 +++++++++++++++---------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/tests/regression/apparmor/socketpair.sh b/tests/regression/apparmor/socketpair.sh index 8af3be299..802657c80 100755 --- a/tests/regression/apparmor/socketpair.sh +++ b/tests/regression/apparmor/socketpair.sh @@ -30,6 +30,15 @@ do_test() exec="/proc/*/attr/exec:w" np1="new_profile_1" np2="new_profile_2" +af_unix_create="" +af_unix_inherit="" + +if [ "$(have_features network/af_unix)" == "true" ]; then + # AppArmor requires that the process inheriting the sock file + # descriptors have send,receive perms in its profile + af_unix_create="unix:(create,getopt)" + af_unix_inherit="unix:(getopt,send,receive)" +fi # Ensure everything works as expected when unconfined do_test "unconfined" pass "unconfined" "(null)" @@ -39,7 +48,7 @@ do_test "unconfined bad con" fail "uncon" "(null)" do_test "unconfined bad mode" fail "unconfined" "(null)XXX" # Ensure correct labeling under confinement -genprofile +genprofile $af_unix_create do_test "confined" pass "$test" "enforce" # Test the test @@ -47,41 +56,41 @@ do_test "confined bad con" fail "/bad${test}" "enforce" do_test "confined bad mode" fail "$test" "inforce" # Ensure correct mode when using the complain flag -genprofile flag:complain +genprofile flag:complain $af_unix_create do_test "complain" pass "$test" "complain" # Test the test -genprofile flag:complain +genprofile flag:complain $af_unix_create do_test "complain bad mode" fail "$test" "enforce" # Ensure correct mode when using the audit flag -genprofile flag:audit +genprofile flag:audit $af_unix_create do_test "complain" pass "$test" "enforce" # Ensure correct labeling after passing fd pair across exec -genprofile $exec 'change_profile->':$np1 -- image=$np1 addimage:$test +genprofile $af_unix_create $exec 'change_profile->':$np1 -- image=$np1 addimage:$test $af_unix_inherit do_test "confined exec transition" pass "$test" "enforce" "$np1" # Ensure correct labeling after passing fd pair across a no-transition exec # NOTE: The test still calls aa_change_onexec(), so change_profile -> $test # is still needed -genprofile $exec 'change_profile->':$test +genprofile $af_unix_create $exec 'change_profile->':$test do_test "confined exec no transition" pass "$test" "enforce" "$test" # Ensure correct complain mode after passing fd pair across exec -genprofile flag:complain $exec 'change_profile->':$np1 -- \ - image=$np1 addimage:$test +genprofile flag:complain $af_unix_create $exec 'change_profile->':$np1 -- \ + image=$np1 addimage:$test $af_unix_inherit do_test "confined exec transition from complain" pass "$test" "complain" "$np1" # Ensure correct enforce mode after passing fd pair across exec -genprofile $exec 'change_profile->':$np1 -- \ - image=$np1 addimage:$test flag:complain +genprofile $af_unix_create $exec 'change_profile->':$np1 -- \ + image=$np1 addimage:$test flag:complain $af_unix_inherit do_test "confined exec transition to complain" pass "$test" "enforce" "$np1" # Ensure correct labeling after passing fd pair across 2 execs -gp_args="$exec change_profile->:$np1 -- \ - image=$np1 addimage:$test $exec change_profile->:$np2 -- \ - image=$np2 addimage:$test" +gp_args="$af_unix_create $exec change_profile->:$np1 -- \ + image=$np1 addimage:$test $af_unix_inherit $exec change_profile->:$np2 -- \ + image=$np2 addimage:$test $af_unix_inherit" genprofile $gp_args do_test "confined 2 exec transitions" pass "$test" "enforce" "$np1" "$np2" @@ -90,9 +99,9 @@ do_test "confined 2 exec transitions bad con" fail "$test" "enforce" "$np1" "$np do_test "confined 2 exec transitions bad mode" fail "$test" "complain" "$np1" "$np2" # Ensure correct labeling after passing fd pair across exec to unconfined -genprofile $exec 'change_profile->':unconfined +genprofile $af_unix_create $exec 'change_profile->':unconfined do_test "confined exec transition to unconfined" pass "$test" "enforce" "unconfined" # Ensure correct labeling after passing fd pair across exec from unconfined -genprofile image=$np1 addimage:$test +genprofile image=$np1 addimage:$test $af_unix_inherit do_test "unconfined exec transition ton confined" pass "unconfined" "(null)" "$np1"