fix_changehat_fork.patch
@@ -34,13 +34,15 @@ runchecktest "NO CHANGEHAT (access parent file)" pass nochange $file
|
||||
runchecktest "NO CHANGEHAT (access sub file)" fail nochange $subfile
|
||||
|
||||
# CHANGEHAT TEST
|
||||
|
||||
# Note: As of AppArmor 2.1 (opensuse 10.3) hats are no longer atomic
|
||||
# to profile load/replacement so we need to remove them manually
|
||||
subtest=sub
|
||||
|
||||
genprofile $file:$okperm hat:$subtest $subfile:$okperm
|
||||
|
||||
runchecktest "CHANGEHAT (access parent file)" fail $subtest $file
|
||||
runchecktest "CHANGEHAT (access parent file 1)" fail $subtest $file
|
||||
runchecktest "CHANGEHAT (access sub file)" pass $subtest $subfile
|
||||
echo -n "${testexec}//${subtest}" >/sys/kernel/security/apparmor/.remove
|
||||
|
||||
# CHANGEHAT TEST -- multiple subprofiles
|
||||
|
||||
@@ -49,18 +51,20 @@ subtest3=sub3
|
||||
|
||||
genprofile $file:$okperm hat:$subtest $subfile:$okperm hat:$subtest2 $subfile:$okperm hat:$subtest3 $subfile:$okperm
|
||||
|
||||
runchecktest "CHANGEHAT (access parent file)" fail $subtest $file
|
||||
runchecktest "CHANGEHAT (access parent file 2)" fail $subtest $file
|
||||
runchecktest "CHANGEHAT (access sub file)" pass $subtest $subfile
|
||||
runchecktest "CHANGEHAT (access sub file)" pass $subtest2 $subfile
|
||||
runchecktest "CHANGEHAT (access sub file)" pass $subtest3 $subfile
|
||||
echo -n "${testexec}//${subtest}" >/sys/kernel/security/apparmor/.remove
|
||||
echo -n "${testexec}//${subtest2}" >/sys/kernel/security/apparmor/.remove
|
||||
echo -n "${testexec}//${subtest3}" >/sys/kernel/security/apparmor/.remove
|
||||
|
||||
# CHANGEHAT TEST -- non-existent subprofile access
|
||||
# Should put us into a null-profile
|
||||
|
||||
subtest2=$test.sub2
|
||||
subtest3=$test.sub3
|
||||
|
||||
# NOTE: As of AppArmor 2.1 (opensuse 10.3) this test now passes as
|
||||
# the change_hat failes but it no longer entires the null profile
|
||||
genprofile $file:$okperm hat:$subtest $subfile:$okperm hat:$subtest2 $subfile:$okperm
|
||||
|
||||
runchecktest "CHANGEHAT (access parent file)" fail $subtest3 $file
|
||||
runchecktest "CHANGEHAT (access parent file 3)" pass $subtest3 $file
|
||||
runchecktest "CHANGEHAT (access sub file)" fail $subtest3 $subfile
|
||||
|
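Review bot: The hat cleanups written as `echo -n "${testexec}//${subtest}" >/sys/kernel/security/apparmor/.remove` (once after the first test, three times after the multiple-subprofile test) never check whether the write succeeded, so a failed removal leaves a stale hat loaded and a later check could pass or fail for the wrong reason. I would make the failure visible, for example `printf '%s' "${testexec}//${subtest}" >/sys/kernel/security/apparmor/.remove || echo "could not remove hat ${subtest}" >&2`, and take the securityfs path from one variable instead of repeating the literal four times. The last block also loads `hat:$subtest` and `hat:$subtest2` with no removal visible, though the script may continue past the end of this hunk. Separately, the existing comment `# Should put us into a null-profile` now contradicts the NOTE beneath it and the new `pass` expectation for "access parent file 3"; it should be reworded to say that a failed change_hat leaves the task in the parent profile, and "failes" / "entires" in the NOTE corrected.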