mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-31 06:16:03 +00:00
Code Issues Releases Wiki Activity

tests: Separate client and server AF_UNIX pathname permissions

Browse Source 
The client and server programs require a different set of AF_UNIX
permissions. This patch makes it so that the unix rules are constructed
differently depending on the program under test.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
This commit is contained in:
Tyler Hicks
2014-09-30 11:34:32 -05:00
parent 0262f44eb7
commit 84b6f98007
1 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
tests/regression/apparmor/unix_socket_pathname.sh
View File

@@ -50,9 +50,11 @@ fi
# af_unix support requires 'unix getopt' to call getsockopt()
# af_unix support requires 'unix setopt' to call setsockopt()
# af_unix support requires 'unix getattr' to call getsockname()
af_unix=
af_unix_okserver=
af_unix_okclient=
if [ "$(have_features network/af_unix)" == "true" ] ; then
af_unix="unix:(create,getopt,setopt,getattr)"
af_unix_okserver="create,getopt,setopt"
af_unix_okclient="create,getopt,setopt,getattr"
fi
okclient=rw
@@ -75,6 +77,7 @@ testsocktype()
local socktype=$1 # stream, dgram, or seqpacket
local testdesc="AF_UNIX pathname socket ($socktype)"
local args="$sockpath $socktype $message $client"
local af_unix
removesockets $sockpath $client_sockpath
@@ -83,6 +86,10 @@ testsocktype()
runchecktest "$testdesc; unconfined" pass $args
removesockets $sockpath $client_sockpath
if [ -n "$af_unix_okserver" ]; then
af_unix="unix:(${af_unix_okserver})"
fi
# PASS - server w/ access to the file
genprofile $sockpath:$okserver $af_unix $client:Ux
@@ -112,7 +119,7 @@ testsocktype()
fi
if [ -n "$af_unix" ] ; then
if [ -n "$af_unix_okserver" ] ; then
# FAIL - server w/o af_unix access
genprofile $sockpath:$okserver $client:Ux
@@ -122,6 +129,14 @@ testsocktype()
server="$sockpath:$okserver $client_sockpath:$okserver $af_unix $client:px"
# We are transitioning from testing the server program to testing the
# client program. Reset the af_unix variable and, if necessary,
# reinitialize it with the needed client permissions.
af_unix=
if [ -n "$af_unix_okclient" ]; then
af_unix="unix:(${af_unix_okclient})"
fi
# PASS - client w/ access to the file
genprofile $server -- image=$client $sockpath:$okclient $af_unix
@@ -146,7 +161,7 @@ testsocktype()
runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
removesockets $sockpath $client_sockpath
if [ -n "$af_unix" ] ; then
if [ -n "$af_unix_okclient" ] ; then
# FAIL - client w/o af_unix access
genprofile $server -- image=$client $sockpath:$okclient