Kernel ABI v6 only required 'w' permissions for the parent process that creates the socket, accepts a connection, writes to the socket, and reads from the socket.
Kernel ABI v7 will require 'rw' permissions for the parent process. This change detects the current kernel ABI version and adjusts the parent process's confinement appropriately. It also performs a negative test to make sure that 'w' is not sufficient. Signed-off-by: Tyler Hicks <[email protected]> --- tests/regression/apparmor/unix_socket.sh | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/tests/regression/apparmor/unix_socket.sh b/tests/regression/apparmor/unix_socket.sh index 0df0db3..3d70886 100755 --- a/tests/regression/apparmor/unix_socket.sh +++ b/tests/regression/apparmor/unix_socket.sh @@ -34,8 +34,15 @@ sockpath_pathname=${tmpdir}/unix_socket.sock sockpath_abstract="@apparmor_unix_socket" message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\ 8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c + +# v6 requires 'w' and v7 requires 'rw' okserver=w -badserver=r +badserver1=r +badserver2= +if [ "$(have_features policy/versions/v7)" == "true" ] ; then + okserver=rw + badserver2=w +fi okclient=rw badclient1=r 
@@ -91,10 +98,20 @@ testsocktype() # FAIL - server w/ bad access to the file - genprofile $sockpath:$badserver $client:Ux - runchecktest "$testdesc; confined server w/ bad access ($badserver)" fail $args + genprofile $sockpath:$badserver1 $client:Ux + runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args removesocket $sockpath + # $badserver2 is set to non-null at the top of the test script if the + # kernel advertises ABI v7 or newer + if [ -n "$badserver2" ] ; then + # FAIL - server w/ bad access to the file + + genprofile $sockpath:$badserver2 $client:Ux + runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args + removesocket $sockpath + fi + # PASS - client w/ access to the file genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient -- 2.1.0.rc1 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
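Review bot: In the first hunk (@@ -34,8 +34,15 @@), the added test [ "$(have_features policy/versions/v7)" == "true" ] uses "==" inside single brackets, which is a bash extension and not POSIX test syntax. If this script can ever run under a plain sh, use "=" instead. The new comment "v6 requires 'w' and v7 requires 'rw'" would also read better if it said that this applies to the server (parent) side, since okclient just below is already rw and does not change. A short remark that an empty badserver2 means "skip the extra negative test" would help here too, because that meaning is only explained in the later hunk.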
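Review bot: In the second hunk (@@ -91,10 +98,20 @@ testsocktype()), the comment above the new "if [ -n "$badserver2" ]" block says the variable is set when the kernel advertises "ABI v7 or newer", but the check at the top of the script tests only for policy/versions/v7. Either reword the comment to say "advertises ABI v7", or state why testing that single feature also covers later versions. The inner comment "# FAIL - server w/ bad access to the file" is identical to the one on the preceding case and is followed by a stray added blank line; consider saying what differs, for example that 'w' alone must be rejected under v7, so a failure in the log can be tied to the right case without reading the expanded $badserver2 value.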
