On Mon, Aug 11, 2014 at 06:06:09PM -0500, Tyler Hicks wrote: > Kernel ABI v6 only required 'w' permissions for the parent process that > creates the socket, accepts a connection, writes to the socket, and > reads from the socket. > > Kernel ABI v7 will require 'rw' permissions for the parent process. This > change detects the current kernel ABI version and adjusts the parent > process's confinement appropriately. It also performs a negative test to > make sure that 'w' is not sufficient. > > Signed-off-by: Tyler Hicks <[email protected]>
Acked-by: Seth Arnold <[email protected]> Thanks > --- > tests/regression/apparmor/unix_socket.sh | 23 ++++++++++++++++++++--- > 1 file changed, 20 insertions(+), 3 deletions(-) > > diff --git a/tests/regression/apparmor/unix_socket.sh > b/tests/regression/apparmor/unix_socket.sh > index 0df0db3..3d70886 100755 > --- a/tests/regression/apparmor/unix_socket.sh > +++ b/tests/regression/apparmor/unix_socket.sh > @@ -34,8 +34,15 @@ sockpath_pathname=${tmpdir}/unix_socket.sock > sockpath_abstract="@apparmor_unix_socket" > message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\ > 8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c > + > +# v6 requires 'w' and v7 requires 'rw' > okserver=w > -badserver=r > +badserver1=r > +badserver2= > +if [ "$(have_features policy/versions/v7)" == "true" ] ; then > + okserver=rw > + badserver2=w > +fi > > okclient=rw > badclient1=r > @@ -91,10 +98,20 @@ testsocktype() > > # FAIL - server w/ bad access to the file > > - genprofile $sockpath:$badserver $client:Ux > - runchecktest "$testdesc; confined server w/ bad access ($badserver)" > fail $args > + genprofile $sockpath:$badserver1 $client:Ux > + runchecktest "$testdesc; confined server w/ bad access ($badserver1)" > fail $args > removesocket $sockpath > > + # $badserver2 is set to non-null at the top of the test script if the > + # kernel advertises ABI v7 or newer > + if [ -n "$badserver2" ] ; then > + # FAIL - server w/ bad access to the file > + > + genprofile $sockpath:$badserver2 $client:Ux > + runchecktest "$testdesc; confined server w/ bad access > ($badserver2)" fail $args > + removesocket $sockpath > + fi > + > # PASS - client w/ access to the file > > genprofile $sockpath:$okserver $client:px -- image=$client > $sockpath:$okclient > -- > 2.1.0.rc1 > > > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor >
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
