[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-10-17 Thread Steve Beattie
Apparmor 2.9.0 has been released; closing.

** Changed in: apparmor
   Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu)
   Status: Invalid => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1375516

Title:
  unix_socket_pathname.sh confined server stream/seqpacket missing
  getopt test fails

Status in AppArmor Linux application security framework:
  Fix Released
Status in “linux” package in Ubuntu:
  Fix Released

Bug description:
  The AF_UNIX pathname stream and seqpacket tests are not failing when
  the server program is missing the getopt unix permission. Note that
  the dgram version of this test fails as expected. This suggests some
  type of difference in the mediation of getsockopt() between connected
  and connectionless sockets.

  Note that you need a branch of lp:apparmor at r2715 or newer to
  reproduce this failure.

  * The test failures:

  Error: unix_socket passed. Test 'AF_UNIX pathname socket (stream);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'

  Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'

  * The profile (note the missing getopt permission):

  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket {
    /etc/ld.so.cache r,
    /proc/*/attr/current w,
    /dev/urandom r,
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
    /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
    /lib/x86_64-linux-gnu/libc-2.19.so mr,
    /lib/x86_64-linux-gnu/ld-2.19.so rix,
    /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
    /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
    unix (create,,setopt),
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
  }

  I've attached the strace output of the test run to show that the
  unix_socket program does successfully call getsockopt().

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1375516/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-10-15 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/utopic-proposed/apparmor



[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-09-30 Thread Tyler Hicks
** Description changed:

  The AF_UNIX pathname stream and seqpacket tests are not failing when the
  server program is missing the getopt unix permission. Note that the
  dgram version of this test fails as expected. This suggests some type of
  difference in the mediation of getsockopt() between connected and
  connectionless sockets.
- 
- Note that you'll need to be sure that these patches have been applied to
- a fresh checkout of lp:apparmor before running unix_socket_pathname.sh:
- 
- https://lists.ubuntu.com/archives/apparmor/2014-September/006563.html
- https://lists.ubuntu.com/archives/apparmor/2014-September/006564.html
  
  * The test failures:
  
  Error: unix_socket passed. Test 'AF_UNIX pathname socket (stream);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'
  
  Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'
  
  * The profile (note the missing getopt permission):
  
  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket {
    /etc/ld.so.cache r,
    /proc/*/attr/current w,
    /dev/urandom r,
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
    /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
    /lib/x86_64-linux-gnu/libc-2.19.so mr,
    /lib/x86_64-linux-gnu/ld-2.19.so rix,
    /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
    /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
    unix (create,,setopt),
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
  }
  
  I've attached the strace output of the test run to show that the
  unix_socket program does successfully call getsockopt().

** Description changed:

  The AF_UNIX pathname stream and seqpacket tests are not failing when the
  server program is missing the getopt unix permission. Note that the
  dgram version of this test fails as expected. This suggests some type of
  difference in the mediation of getsockopt() between connected and
  connectionless sockets.
+ 
+ Note that you need a branch of lp:apparmor at r2715 or newer to
+ reproduce this failure.
  
  * The test failures:
  
  Error: unix_socket passed. Test 'AF_UNIX pathname socket (stream);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'
  
  Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'
  
  * The profile (note the missing getopt permission):
  
  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket {
    /etc/ld.so.cache r,
    /proc/*/attr/current w,
    /dev/urandom r,
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
    /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
    /lib/x86_64-linux-gnu/libc-2.19.so mr,
    /lib/x86_64-linux-gnu/ld-2.19.so rix,
    /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
    /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
    unix (create,,setopt),
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
  }
  
  I've attached the strace output of the test run to show that the
  unix_socket program does successfully call getsockopt().


[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-09-30 Thread Tyler Hicks
After discussions in IRC, it was determined that this is expected
behavior and that the test should be modified to remove the getopt
permission from the list of server permissions.

The unix_socket test program calls getsockopt() after calling bind().
Because AppArmor continues to use traditional file rules for sockets
bound to a filesystem path, it does not mediate some socket operations
after the socket has been bound to the filesystem path and, as it turns
out, the getopt permission is one of those socket operations.

In the future, AppArmor plans to support specifying filesystem pathnames
in the addr conditional of unix rules. This would allow the unix rule
type to be used with pathname, abstract, and unnamed AF_UNIX sockets. At
that time, getopt and other socket operations could be mediated even for
bound pathname AF_UNIX sockets.

** Changed in: linux (Ubuntu)
   Status: Confirmed => Invalid

** Changed in: linux (Ubuntu)
 Assignee: John Johansen (jjohansen) => (unassigned)

** Also affects: apparmor
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Status: New => In Progress

** Changed in: apparmor
   Importance: Undecided => Medium

** Changed in: apparmor
 Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: apparmor
Milestone: None => 2.9.0
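
The ordering described above, as an added example that is not part of the original thread or of the AppArmor test suite: a small probe that calls getsockopt() on an AF_UNIX socket before and after bind() to a filesystem path, for each socket type. The function names, the SO_TYPE option and the /tmp paths are assumptions; run it confined by a profile that omits getopt to see at which point, if any, the call is denied.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Outcome of one probe. Each field is 0 on success, an errno value when
 * getsockopt() failed (EACCES when the LSM denied it), or -1 when that
 * stage was never reached because socket() or bind() failed. */
struct probe_result {
    int before_bind;
    int after_bind;
};

/* SO_TYPE is an assumed option: it is valid for every socket type and
 * has no side effects, so only the permission check can make it fail. */
static int try_getsockopt(int fd)
{
    int type = 0;
    socklen_t len = sizeof(type);

    return getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == 0 ? 0 : errno;
}

struct probe_result probe_unix_getopt(int sock_type, const char *path)
{
    struct probe_result r = { -1, -1 };
    struct sockaddr_un addr;
    int fd;

    if (strlen(path) >= sizeof(addr.sun_path))
        return r;                       /* path would not fit in sun_path */
    fd = socket(AF_UNIX, sock_type, 0);
    if (fd < 0)
        return r;

    r.before_bind = try_getsockopt(fd); /* socket is still unnamed here */

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);        /* length checked above */
    unlink(path);                       /* clear a stale socket file */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        r.after_bind = try_getsockopt(fd); /* now a pathname socket */
        unlink(path);
    }
    close(fd);
    return r;
}

static const char *describe(int e)
{
    if (e == 0)
        return "ok";
    return e < 0 ? "not reached" : strerror(e);
}

int main(void)
{
    static const struct { int type; const char *name; } kinds[] = {
        { SOCK_STREAM, "stream" },
        { SOCK_SEQPACKET, "seqpacket" },
        { SOCK_DGRAM, "dgram" },
    };
    char path[96];

    for (size_t i = 0; i < sizeof(kinds) / sizeof(kinds[0]); i++) {
        /* Constructed path; the real test uses its own temporary directory. */
        snprintf(path, sizeof(path), "/tmp/aa_getopt_probe.%d.%s",
                 (int)getpid(), kinds[i].name);
        struct probe_result r = probe_unix_getopt(kinds[i].type, path);
        printf("%-9s before bind: %s, after bind: %s\n", kinds[i].name,
               describe(r.before_bind), describe(r.after_bind));
    }
    return 0;
}
```

The profile under test also needs a file rule granting rw on the socket path, as the aa_sock rule in the bug description does, or bind() itself is denied and the second stage reports "not reached".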



[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-09-30 Thread Tyler Hicks
Patch tested and sent to the list:

https://lists.ubuntu.com/archives/apparmor/2014-September/006572.html



[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-09-30 Thread Tyler Hicks
** Changed in: apparmor
   Status: In Progress => Fix Committed



[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-09-30 Thread Launchpad Bug Tracker
** Branch linked: lp:apparmor



[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-09-30 Thread Tyler Hicks
Committed to lp:apparmor as r2717.



[Kernel-packages] [Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

2014-09-29 Thread Tyler Hicks
Since this issue affects stream/seqpacket but not dgram, it seems likely
that it is a kernel issue and not a parser issue. But to be sure, I've
verified that the perms that the parser outputs for setopt, getopt, and
the combination of the two do look sane:

$ for p in getopt setopt getopt,setopt; do echo "/t { unix ($p), }" | 
./apparmor_parser -qQD dfa-states 2>&1 | head -n7; done
{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 10/0/0/0)
{18} (0x 10/0/0/0)
{19} (0x 10/0/0/0)

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 8/0/0/0)
{18} (0x 8/0/0/0)
{19} (0x 8/0/0/0)

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 18/0/0/0)
{18} (0x 18/0/0/0)
{19} (0x 18/0/0/0)
