The AppArmor kernel ABI v7 requires that a 'unix create,' rule be granted to confined processes that call socket(AF_UNIX, type, 0). This is true for pathname, abstract, and unnamed UNIX domain sockets since the address type of a socket is not yet known when socket(2) is called.
Signed-off-by: Tyler Hicks <[email protected]>
---
 tests/regression/apparmor/unix_socket_pathname.sh | 40 ++++++++++++++++++-----
 1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh
index b6f6b69..45d74b9 100755
--- a/tests/regression/apparmor/unix_socket_pathname.sh
+++ b/tests/regression/apparmor/unix_socket_pathname.sh
@@ -45,6 +45,12 @@ if [ "$(have_features policy/versions/v7)" == "true" ] ; then
 badserver2=w
 fi
+# af_unix support requires 'unix create' to call socket()
+af_unix=
+if [ "$(have_features network/af_unix)" == "true" ] ; then
+ af_unix="unix:create"
+fi
+
 okclient=rw
 badclient1=r
 badclient2=w
@@ -71,19 +77,19 @@ testsocktype()
 # PASS - server w/ access to the file
- genprofile $sockpath:$okserver $client:Ux
+ genprofile $sockpath:$okserver $af_unix $client:Ux
 runchecktest "$testdesc; confined server w/ access ($okserver)" pass $args
 removesocket $sockpath
 # FAIL - server w/o access to the file
- genprofile $client:Ux
+ genprofile $af_unix $client:Ux
 runchecktest "$testdesc; confined server w/o access" fail $args
 removesocket $sockpath
 # FAIL - server w/ bad access to the file
- genprofile $sockpath:$badserver1 $client:Ux
+ genprofile $sockpath:$badserver1 $af_unix $client:Ux
 runchecktest "$testdesc; confined server w/ bad access ($badserver1)" fail $args
 removesocket $sockpath
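Review bot: The three `genprofile` calls in this hunk depend on `$af_unix` being expanded unquoted, so that an empty value contributes no argument on kernels without network/af_unix, but the comment above `af_unix=` in the first hunk does not say this. A later quoting cleanup would presumably start handing genprofile an empty argument and change what these profiles contain. I would extend that comment to something like `# left empty and expanded unquoted at the call sites, so no rule is added when network/af_unix is absent`. testsocktype() starts and ends outside this hunk.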
@@ -92,35 +98,53 @@ testsocktype()
 if [ -n "$badserver2" ] ; then
 # FAIL - server w/ bad access to the file
- genprofile $sockpath:$badserver2 $client:Ux
+ genprofile $sockpath:$badserver2 $af_unix $client:Ux
 runchecktest "$testdesc; confined server w/ bad access ($badserver2)" fail $args
 removesocket $sockpath
 fi
+ if [ -n "$af_unix" ] ; then
+ # FAIL - server w/o af_unix access
+
+ genprofile $sockpath:$okserver $client:Ux
+ runchecktest "$testdesc; confined server w/o af_unix" fail $args
+ removesockets $sockpath
+ fi
+
+ server="$sockpath:$okserver $af_unix $client:px"
+
 # PASS - client w/ access to the file
- genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$okclient
+ genprofile $server -- image=$client $sockpath:$okclient $af_unix
 runchecktest "$testdesc; confined client w/ access ($okclient)" pass $args
 removesocket $sockpath
 # FAIL - client w/o access to the file
- genprofile $sockpath:$okserver $client:px -- image=$client
+ genprofile $server -- image=$client $af_unix
 runchecktest "$testdesc; confined client w/o access" fail $args
 removesocket $sockpath
 # FAIL - client w/ bad access to the file
- genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient1
+ genprofile $server -- image=$client $sockpath:$badclient1 $af_unix
 runchecktest "$testdesc; confined client w/ bad access ($badclient1)" fail $args
 removesocket $sockpath
 # FAIL - client w/ bad access to the file
- genprofile $sockpath:$okserver $client:px -- image=$client $sockpath:$badclient2
+ genprofile $server -- image=$client $sockpath:$badclient2
 runchecktest "$testdesc; confined client w/ bad access ($badclient2)" fail $args
 removesocket $sockpath
+ if [ -n "$af_unix" ] ; then
+ # FAIL - client w/o af_unix access
+
+ genprofile $server -- image=$client $sockpath:$okclient
+ runchecktest "$testdesc; confined client w/o af_unix" fail $args
+ removesocket $sockpath
+ fi
+
 removeprofile
 }
-- 2.1.0 -- AppArmor mailing list [email protected] Modify settings or 
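Review bot: The `$badclient2` client case, `genprofile $server -- image=$client $sockpath:$badclient2`, is the only pre-existing client profile here that does not gain `$af_unix`. On a kernel with network/af_unix the confined client would presumably be denied at socket() for lacking `unix create`, so the expected `fail` no longer shows that write-only access to the socket file is rejected. If the omission is unintended, the line should read `genprofile $server -- image=$client $sockpath:$badclient2 $af_unix`, matching the `$badclient1` case. Separately, the new "server w/o af_unix" block calls `removesockets $sockpath` where every other case visible in this diff calls `removesocket`; unless a helper with that name is defined outside the hunk, this looks like a typo that would leave the socket file behind for the next case. testsocktype() begins outside this hunk.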
unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
