On 2014-09-25 03:19:08, Steve Beattie wrote:
> On Mon, Sep 22, 2014 at 07:09:14PM -0500, Tyler Hicks wrote:
> > The client will now do a getsockname() on its socket in order to test
> > the AppArmor 'getattr' unix rule permission.
> >
> > Signed-off-by: Tyler Hicks <[email protected]>
>
> Acked-by: Steve Beattie <[email protected]>
>
> Though I'd like to see a couple of future changes:
>
> 1) only the client needs the getattr permission, would be better to only
> grant it there.
I've sent out the following patch to address #1: [PATCH v3 8/7] tests: Separate client and server AF_UNIX pathname permissions > > 2) negative test for the getattr permission on the client. I've sent out the following patch to address #2: [PATCH v3 9/7] tests: Add negative tests for missing individual AF_UNIX pathname perms It turns out that these new tests caught a bug. Good suggestion! :) > > Thanks. Thanks for your reviews and the feedback. Tyler > > > diff --git a/tests/regression/apparmor/unix_socket_pathname.sh > > b/tests/regression/apparmor/unix_socket_pathname.sh > > index af73593..78f62b4 100755 > > --- a/tests/regression/apparmor/unix_socket_pathname.sh > > +++ b/tests/regression/apparmor/unix_socket_pathname.sh > > @@ -49,9 +49,10 @@ fi > > # af_unix support requires 'unix create' to call socket() > > # af_unix support requires 'unix getopt' to call getsockopt() > > # af_unix support requires 'unix setopt' to call setsockopt() > > +# af_unix support requires 'unix getattr' to call getsockname() > > af_unix= > > if [ "$(have_features network/af_unix)" == "true" ] ; then > > - af_unix="unix:(create,getopt,setopt)" > > + af_unix="unix:(create,getopt,setopt,getattr)" > > fi > > > > okclient=rw > > > > -- > Steve Beattie > <[email protected]> > http://NxNW.org/~steve/ > -- > AppArmor mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor
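Review bot: The `af_unix="unix:(create,getopt,setopt,getattr)"` assignment adds `getattr` to the single `af_unix` permission string, so it is granted wherever `$af_unix` is expanded, while the commit message says only the client calls getsockname(). Consider leaving the shared string as `unix:(create,getopt,setopt)` and adding `getattr` through a client-only variable, paired with a test that expects the client to fail when `getattr` is withheld. The new `# af_unix support requires 'unix getattr' to call getsockname()` comment could also state that the requirement is on the client side.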
