Tests abstract UNIX domain sockets with various combinations of implied permissions, explicit permissions, and conditionals. It also tests with bad permissions and conditionals.
The new file unix_socket.inc includes a generic set of tests that can be reused by another test script in order to test unnamed AF_UNIX socket mediation. The do_test() function is conditionalized in a way that it can test confined servers and confined clients depending on the arguments passed in. Signed-off-by: Tyler Hicks <[email protected]> --- * Changes since v2: - Added unix_socket_abstract to the TESTS variable in the Makefile - Combined test_server() and test_client() into a single do_test() function + Both functions were doing the same tests and policy variations but one had a confined server and unconfined client while the other had a confined server and client - Adjusted tests to account for "pre-bind" and "post-bind" permissions. Pre-bind permissions can't be specified in rules that contain local addr conditionals as the kernel will fail the local address match. - Fixed NAME and DESCRIPTION metadata in unix_socket_abstract.sh header - Adjusted unix_socket_abstract.sh to call do_test() tests/regression/apparmor/Makefile | 1 + tests/regression/apparmor/unix_socket.inc | 135 ++++++++++++++++++++++ tests/regression/apparmor/unix_socket_abstract.sh | 121 +++++++++++++++++++ 3 files changed, 257 insertions(+) create mode 100755 tests/regression/apparmor/unix_socket.inc create mode 100755 tests/regression/apparmor/unix_socket_abstract.sh diff --git a/tests/regression/apparmor/Makefile b/tests/regression/apparmor/Makefile index 2ef8aca..bacd375 100644 --- a/tests/regression/apparmor/Makefile +++ b/tests/regression/apparmor/Makefile @@ -184,6 +184,7 @@ TESTS=access \ tcp \ unix_fd_server \ unix_socket_pathname \ + unix_socket_abstract \ unlink\ xattrs\ longpath diff --git a/tests/regression/apparmor/unix_socket.inc b/tests/regression/apparmor/unix_socket.inc new file mode 100755 index 0000000..e00ee50 --- /dev/null +++ b/tests/regression/apparmor/unix_socket.inc @@ -0,0 +1,135 @@ +# Copyright (C) 2014 Canonical, Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, contact Canonical Ltd. + +client=$bin/unix_socket_client +message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\ +8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c + +do_test() +{ + local addr_type="$1" # abstract or unnamed + local test_prog="$2" # server or client + local l_u_access="$3" # optional local unbound perms + local l_b_access="$4" # local bound perms + local type="$5" # stream, dgram, or seqpacket + local addr="$6" # optional socket address + local p_access="$7" # peer perms + local p_label="$8" # peer socket label + local p_addr="$9" # optional peer socket address + local bad_type="${10}" + local bad_addr="${11}" # optional + local bad_p_label="${12}" + local bad_p_addr="${13}" # optional + + local desc="AF_UNIX $addr_type socket ($type);" + local l_access # combind local perms: local bound and local unbound + local c_access # combined perms: local bound, local unbound, and peer + local access # used as an iterator + local u_rule # rule for pre-bind accesses + local u_type_rule # rule for pre-bind accesses with a type conditional + local genprof="genprofile" + local args + + if [ "$test_prog" == "server" ]; then + genprof+=" $client:Ux" + args="$addr $type $message $client" + elif [ "$test_prog" == "client" ]; then + genprof+=" unix:ALL $client:px -- image=$client" + args="$p_addr $type $message $client" + fi + + l_access="$l_b_access" + if [ -n "$l_u_access" ]; then + l_access="${l_u_access},${l_access}" + c_access="${l_u_access},${c_access}" + + u_rule="unix:($l_u_access)" + u_type_rule="${u_rule}:type=$type" + fi + c_access="${l_access},${p_access}" + + runchecktest "$desc unconfined $test_prog" pass $args + + desc+=" confined $test_prog" + + $genprof "unix:ALL" + runchecktest "$desc (implicit perms)" pass $args + + $genprof "unix:($c_access)" + runchecktest "$desc (explicit perms)" pass $args + + $genprof "unix:($c_access):type=$type" + runchecktest "$desc (type)" pass $args + + if [ -n "$addr" ]; then + $genprof $u_rule "unix:(${l_b_access},${p_access}):addr=$addr" + runchecktest "$desc (addr)" pass $args + fi + + $genprof "unix:($l_access)" "unix::peer=(label=$p_label)" + runchecktest "$desc (peer label w/ implicit perms)" pass $args + + $genprof "unix:($l_access)" "unix:($p_access):peer=(label=$p_label)" + runchecktest "$desc (peer label w/ explicit perms)" pass $args + + if [ -n "$p_addr" ]; then + $genprof "unix:($l_access)" "unix:($p_access):peer=(addr=$p_addr)" + runchecktest "$desc (peer addr)" pass $args + + $genprof "unix:($l_access)" "unix:($p_access):peer=(label=$p_label addr=$p_addr)" + runchecktest "$desc (peer label, peer addr)" pass $args + + $genprof "unix:($l_access):type=$type" "unix:($p_access):type=$type:peer=(label=$p_label addr=$p_addr)" + runchecktest "$desc (type, peer label, peer addr)" pass $args + fi + + if [ -n "$addr" ]; then + $genprof $u_type_rule "unix:($l_b_access):type=$type:addr=$addr" "unix:($p_access):type=$type:addr=$addr" + runchecktest "$desc (type, addr)" pass $args + + $genprof $u_type_rule "unix:($l_b_access):type=$type:addr=$addr" "unix:($p_access):type=$type:addr=$addr:peer=(label=$p_label)" + runchecktest "$desc (type, addr, peer label)" pass $args + fi + + if [ -n "$addr" -a -n "$p_addr" ]; then + $genprof $u_type_rule "unix:($l_b_access):type=$type:addr=$addr" "unix:($p_access):type=$type:addr=$addr:peer=(label=$p_label addr=$p_addr)" + runchecktest "$desc (type, addr, peer label, peer addr)" pass $args + fi + + $genprof + runchecktest "$desc (no unix rule)" fail $args + + for access in ${c_access//,/ }; do + $genprof "unix:(${c_access//$access/})" + runchecktest "$desc (missing perm: $access)" fail $args + done + + $genprof "unix:($c_access):type=$bad_type" + runchecktest "$desc (bad type)" fail $args + + if [ -n "$bad_addr" ]; then + $genprof $u_rule "unix:(${l_b_access},${p_access}):addr=$bad_addr" + runchecktest "$desc (bad addr)" fail $args + fi + + $genprof "unix:($l_access)" "unix:($p_access):peer=(label=$bad_p_label)" + runchecktest "$desc (bad peer label)" fail $args + + if [ -n "$bad_p_addr" ]; then + $genprof "unix:($l_access)" "unix:($p_access):peer=(addr=$bad_p_addr)" + runchecktest "$desc (bad peer addr)" fail $args + fi + + removeprofile +} diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh new file mode 100755 index 0000000..7c14f3e --- /dev/null +++ b/tests/regression/apparmor/unix_socket_abstract.sh @@ -0,0 +1,121 @@ +#! /bin/bash +# +# Copyright (C) 2014 Canonical, Ltd. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of version 2 of the GNU General Public +# License published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, contact Canonical Ltd. + +#=NAME unix_socket_abstract +#=DESCRIPTION +# This tests access to abstract unix domain sockets. The server opens a socket, +# forks a client with it's own profile, sends a message to the client over the +# socket, and sees what happens. +#=END + +pwd=`dirname $0` +pwd=`cd $pwd ; /bin/pwd` + +bin=$pwd + +. $bin/prologue.inc +. $bin/unix_socket.inc +requires_features policy/versions/v7 +requires_features network/af_unix + +settest unix_socket + +addr=@aa_sock +client_addr=${addr}.client + +# Test abstract stream server and client +do_test "abstract" \ + "server" \ + "create,setopt" \ + "bind,listen,getopt,shutdown" \ + stream \ + "$addr" \ + "accept,read,write" \ + "unconfined" \ + "" \ + dgram \ + "${addr}XXX" \ + "XXX" \ + "" +do_test "abstract" \ + "client" \ + "" \ + "create,getopt,setopt,getattr" \ + stream \ + "" \ + "connect,write,read" \ + "$test" \ + "$addr" \ + seqpacket \ + "" \ + "${test}XXX" \ + "${addr}XXX" + +# Test abstract dgram server and client +do_test "abstract" \ + "server" \ + "create,setopt" \ + "bind,getopt,shutdown" \ + dgram \ + "$addr" \ + "read,write" \ + "unconfined" \ + "$client_addr" \ + seqpacket \ + "${addr}XXX" \ + "XXX" \ + "${client_addr}XXX" +do_test "abstract" \ + "client" \ + "create,setopt,getattr" \ + "bind,getopt" \ + dgram \ + "$client_addr" \ + "write,read" \ + "$test" \ + "$addr" \ + stream \ + "${client_addr}XXX" \ + "${test}XXX" \ + "${addr}XXX" + +# Test abstract seqpacket server and client +do_test "abstract" \ + "server" \ + "create,setopt" \ + "bind,listen,getopt,shutdown" \ + seqpacket \ + "$addr" \ + "accept,read,write" \ + "unconfined" \ + "" \ + stream \ + "${addr}XXX" \ + "XXX" \ + "" +do_test "abstract" \ + "client" \ + "" \ + "create,getopt,setopt,getattr" \ + seqpacket \ + "" \ + "connect,write,read" \ + "$test" \ + "$addr" \ + dgram \ + "" \ + "${test}XXX" \ + "${addr}XXX" -- 2.1.0 -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
