On Mon, Sep 22, 2014 at 07:09:14PM -0500, Tyler Hicks wrote:
> The client will now do a getsockname() on its socket in order to test
> the AppArmor 'getattr' unix rule permission.
> 
> Signed-off-by: Tyler Hicks <[email protected]>

Acked-by: Steve Beattie <[email protected]>

Though I'd like to see a couple of future changes:

1) only the client needs the getattr permission, would be better to only
   grant it there.

2) negative test for the getattr permission on the client.

Thanks.

> diff --git a/tests/regression/apparmor/unix_socket_pathname.sh 
> b/tests/regression/apparmor/unix_socket_pathname.sh
> index af73593..78f62b4 100755
> --- a/tests/regression/apparmor/unix_socket_pathname.sh
> +++ b/tests/regression/apparmor/unix_socket_pathname.sh
> @@ -49,9 +49,10 @@ fi
>  # af_unix support requires 'unix create' to call socket()
>  # af_unix support requires 'unix getopt' to call getsockopt()
>  # af_unix support requires 'unix setopt' to call setsockopt()
> +# af_unix support requires 'unix getattr' to call getsockname()
>  af_unix=
>  if [ "$(have_features network/af_unix)" == "true" ] ; then
> -     af_unix="unix:(create,getopt,setopt)"
> +     af_unix="unix:(create,getopt,setopt,getattr)"
>  fi
>  
>  okclient=rw



-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/

Attachment: signature.asc
Description: Digital signature

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to