On Thu, Jun 05, 2014 at 06:21:31PM -0500, Tyler Hicks wrote:
> Allow for the parent and child processes to change into separate hats to
> verify named pipe communications between hats with varying permissions.
> 
> Signed-off-by: Tyler Hicks <[email protected]>
Acked-by: Steve Beattie <[email protected]>

Some additional test dimensions to consider:
 1) parent or child in a hat, but not the other
 2) wrong access to the named pipe in one hat (e.g. requires read, given
    write access)

Thanks!

> ---
>  tests/regression/apparmor/named_pipe.c  | 69 
> +++++++++++++++++++++++----------
>  tests/regression/apparmor/named_pipe.sh | 37 +++++++++++++++---
>  2 files changed, 79 insertions(+), 27 deletions(-)
> 
> diff --git a/tests/regression/apparmor/named_pipe.c 
> b/tests/regression/apparmor/named_pipe.c
> index 382f779..8e1d1ad 100644
> --- a/tests/regression/apparmor/named_pipe.c
> +++ b/tests/regression/apparmor/named_pipe.c
> @@ -66,14 +66,6 @@ int do_parent (char * hat, char * file)
>  {
>       int fd;
>  
> -     fd=open(file, O_RDONLY, 0);
> -     if (fd == -1){
> -             fprintf(stderr, "FAIL: open read %s failed - %s\n",
> -                     file,
> -                     strerror(errno));
> -             return 1;
> -     }
> -
>       /* change hat if hatname != nochange */
>       if (strcmp(hat, "nochange") != 0){
>               if (change_hat(hat, SD_ID_MAGIC+1) == -1){
> @@ -83,21 +75,28 @@ int do_parent (char * hat, char * file)
>               }
>       }
>  
> -     return(do_read(fd));
> -}
> -
> -int do_child (char * hat, char * file)
> -{
> -     int fd;
> +     if (alarm(5) != 0) {
> +             fprintf(stderr, "FAIL: alarm already set\n");
> +             exit(1);
> +     }
>  
> -     fd=open(file, O_WRONLY, 0);
> +     fd=open(file, O_RDONLY, 0);
>       if (fd == -1){
> -             fprintf(stderr, "FAIL: open write %s failed - %s\n",
> +             fprintf(stderr, "FAIL: open read %s failed - %s\n",
>                       file,
>                       strerror(errno));
>               return 1;
>       }
>  
> +     alarm(0);
> +
> +     return(do_read(fd));
> +}
> +
> +int do_child (char * hat, char * file)
> +{
> +     int fd;
> +
>       /* change hat if hatname != nochange */
>       if (strcmp(hat, "nochange") != 0){
>               if (change_hat(hat, SD_ID_MAGIC+1) == -1){
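Review bot: The `return 1` after the failed `open()` in do_parent leaves the 5-second alarm armed, because `alarm(0)` is reached only on the success path. That looks load-bearing rather than accidental: main() goes on to `wait()` after do_parent returns, and a child still blocked opening the FIFO for writing would presumably never exit unless the SIGALRM handler ends the parent. I would make the dependency explicit with a comment above that return, `/* alarm stays armed: main() still wait()s on a child that may be blocked in open() */`, so a later cleanup does not add `alarm(0)` there and turn a denied-parent test into a hang. do_parent starts before this hunk and do_child continues past it.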
> @@ -107,22 +106,49 @@ int do_child (char * hat, char * file)
>               }
>       }
>  
> +     fd=open(file, O_WRONLY, 0);
> +     if (fd == -1){
> +             fprintf(stderr, "FAIL: open write %s failed - %s\n",
> +                     file,
> +                     strerror(errno));
> +             return 1;
> +     }
> +
>       return (do_write(fd));
>  }
>  
> +pid_t pid = -1;
> +
> +void kill_child(void)
> +{
> +     if (pid > 0)
> +             kill(pid, SIGKILL);
> +}
> +
> +void sigalrm_handler(int sig)
> +{
> +     fprintf(stderr, "FAIL: parent timed out waiting for child\n");
> +     exit(1);
> +}
> +
>  int main(int argc, char *argv[])
>  {
>       int rc;
> -     pid_t pid;
>       int waitstatus;
>       int read_error = 0;
>  
> -     if (argc != 3){
> -             fprintf(stderr, "usage: %s hatname filename\n",
> +     if (argc != 4){
> +             fprintf(stderr, "usage: %s parent_hatname child_hatname 
> filename\n",
>                       argv[0]);
>               return 1;
>       }
>  
> +     if (signal(SIGALRM, sigalrm_handler) == SIG_ERR) {
> +             fprintf(stderr, "FAIL: signal failed - %s\n",
> +                     strerror(errno));
> +             exit(1);
> +     }
> +
>       pid = fork();
>       if (pid == -1) {
>               fprintf(stderr, "FAIL: fork failed - %s\n",
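Review bot: sigalrm_handler calls `fprintf()` and `exit()`, neither of which is async-signal-safe, so it is only well defined while the alarm can interrupt nothing but the blocking `open()` in do_parent or the `wait()` in main. The choice of `exit()` also matters, since `_exit()` would skip the atexit handler that kills the child; a comment such as `/* exit(), not _exit(): kill_child must run from atexit */` would record that. As far as the patch shows, `pid`, `kill_child` and `sigalrm_handler` are used only in this file and could be `static`, and the unused parameter could be silenced with `(void)sig;`. main's body continues outside the hunk.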
> @@ -130,7 +156,8 @@ int main(int argc, char *argv[])
>               exit(1);
>       } else if (pid != 0) {
>               /* parent */
> -             read_error = do_parent(argv[1], argv[2]);
> +             atexit(kill_child);
> +             read_error = do_parent(argv[1], argv[3]);
>               rc = wait(&waitstatus);
>               if (rc == -1){
>                       fprintf(stderr, "FAIL: wait failed - %s\n",
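Review bot: kill_child stays registered after `wait()` has reaped the child, so on a normal exit it sends SIGKILL to a PID that no longer belongs to this test and may have been reused by an unrelated process. Clearing the global once the wait has succeeded, `pid = -1;` after the `rc == -1` check, keeps the cleanup limited to a child that is still alive. The return value of `atexit(kill_child)` is also unchecked, so if registration failed the timeout path would leave the child running. The error branch of the wait check continues outside the hunk.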
> @@ -139,7 +166,7 @@ int main(int argc, char *argv[])
>               }
>       } else {
>               /* child */
> -             exit(do_child(argv[1], argv[2]));
> +             exit(do_child(argv[2], argv[3]));
>       }
>  
>       if ((WIFEXITED(waitstatus) != 0) && (WEXITSTATUS(waitstatus) == 0) 
> diff --git a/tests/regression/apparmor/named_pipe.sh 
> b/tests/regression/apparmor/named_pipe.sh
> index 9253bd4..0b09daf 100755
> --- a/tests/regression/apparmor/named_pipe.sh
> +++ b/tests/regression/apparmor/named_pipe.sh
> @@ -22,38 +22,63 @@ bin=$pwd
>  
>  . $bin/prologue.inc
>  
> -subtest=sub
>  fifo=${tmpdir}/pipe
> +
> +subtest=sub
>  okperm=rw
>  
> +subparent=parent
> +okparent=r
> +
> +subchild=child
> +okchild=w
> +
>  mknod ${fifo} p
>  
>  # NAMED PIPE - no confinement 
>  
> -runchecktest "NAMED PIPE (no confinement)" pass nochange ${fifo}
> +runchecktest "NAMED PIPE (no confinement)" pass nochange nochange ${fifo}
>  
>  # PIPE - confined.
>  
>  #rm -f ${fifo} && mknod ${fifo} p
>  genprofile $fifo:${okperm}
> -runchecktest "NAMED PIPE RW (confinement)" pass nochange ${fifo}
> +runchecktest "NAMED PIPE RW (confinement)" pass nochange nochange ${fifo}
>  
>  # PIPE - confined - no access.
>  
>  #rm -f ${fifo} && mknod ${fifo} p
>  genprofile 
> -runchecktest "NAMED PIPE (confinement)" fail nochange ${fifo}
> +runchecktest "NAMED PIPE (confinement)" fail nochange nochange ${fifo}
>  
>  # PIPE - in a subprofile.
>  
>  #rm -f ${fifo} && mknod ${fifo} p
>  genprofile ${fifo}:${okperm} hat:$subtest ${fifo}:${okperm}
>  
> -runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${fifo}
> +runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${subtest} ${fifo}
>  
>  # PIPE - in a subprofile - no access
>  
>  #rm -f ${fifo} && mknod ${fifo} p
>  genprofile ${fifo}:${okperm} hat:$subtest
>  
> -runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${fifo}
> +runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${subtest} ${fifo}
> +
> +# PIPE - in separate subprofiles
> +
> +genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild 
> ${fifo}:${okchild}
> +
> +runchecktest "NAMED PIPE RW (parent & child subprofiles)" pass ${subparent} 
> ${subchild} ${fifo}
> +
> +# PIPE - in separate subprofiles - no access for child
> +
> +genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild
> +
> +runchecktest "NAMED PIPE R (parent & child subprofiles)" fail ${subparent} 
> ${subchild} ${fifo}
> +
> +# PIPE - in separate subprofiles - no access for parent
> +
> +genprofile hat:$subparent hat:$subchild ${fifo}:${okchild}
> +
> +runchecktest "NAMED PIPE W (parent & child subprofiles)" fail ${subparent} 
> ${subchild} ${fifo}
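Review bot: The two new `fail` cases do not say which side is expected to be denied or how the run terminates. Judging from the C change, the process that still has access blocks in `open()` on the FIFO and the run ends through the parent's 5-second alarm, so the expectation is presumably met by any non-zero exit, including a timeout unrelated to the missing rule. A comment on each case, e.g. `# child hat has no rule for the fifo; parent is expected to end via its alarm`, would make the intended failure path clear. Matching on the specific failure message would be stronger if the harness allows it, which is not visible here.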

-- 
Steve Beattie
<[email protected]>
http://NxNW.org/~steve/
