Tests abstract UNIX domain sockets with various combinations of implied permissions, explicit permissions, and conditionals. It also tests with bad permissions and conditionals.
Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
---
tests/regression/apparmor/unix_socket.inc | 179 ++++++++++++++++++++++
tests/regression/apparmor/unix_socket_abstract.sh | 109 +++++++++++++
2 files changed, 288 insertions(+)
create mode 100755 tests/regression/apparmor/unix_socket.inc
create mode 100755 tests/regression/apparmor/unix_socket_abstract.sh
diff --git a/tests/regression/apparmor/unix_socket.inc b/tests/regression/apparmor/unix_socket.inc
new file mode 100755
index 0000000..3131293
--- /dev/null
+++ b/tests/regression/apparmor/unix_socket.inc
@@ -0,0 +1,179 @@
+# Copyright (C) 2014 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Canonical Ltd.
+
+client=$bin/unix_socket_client
+message=4a0c83d87aaa7afa2baab5df3ee4df630f0046d5bfb7a3080c550b721f401b3b\
+8a738e1435a3b77aa6482a70fb51c44f20007221b85541b0184de66344d46a4c
+
+test_server()
+{
+ local addr_type="$1" # abstract or unnamed
+ local l_access="$2" # local perms
+ local type="$3" # stream, dgram, or seqpacket
+ local addr="$4" # socket address
+ local p_access="$5" # peer perms
+ local p_label="$6" # client socket label
+ local p_addr="$7" # optional peer socket address
+ local bad_type="$8"
+ local bad_addr="$9"
+ local bad_p_label="${10}"
+ local bad_p_addr="${11}" # optional
+
+ local desc="AF_UNIX $addr_type socket ($type);"
+ local s_access="${l_access},${p_access}" # combined server perms
+ local access # used as an iterator
+ local args="$addr $type $message $client"
+
+ runchecktest "$desc unconfined server" pass $args
+
+ desc+=" confined server"
+
+ genprofile "unix:ALL" $client:Ux
+ runchecktest "$desc (implicit perms)" pass $args
+
+ genprofile "unix:($s_access)" $client:Ux
+ runchecktest "$desc (explicit perms)" pass $args
+
+ genprofile "unix:($s_access):addr=$addr" $client:Ux
+ runchecktest "$desc (addr)" pass $args
+
+ genprofile "unix:($s_access):type=$type" $client:Ux
+ runchecktest "$desc (type)" pass $args
+
+ genprofile "unix:($l_access)" "unix:peer=(label=$p_label)" $client:Ux
+ runchecktest "$desc (peer label w/ implicit perms)" pass $args
+
+ genprofile "unix:($l_access)" "unix:($p_access):peer=(label=$p_label)" $client:Ux
+ runchecktest "$desc (peer label w/ explicit perms)" pass $args
+
+ if [ -n "$p_addr" ]; then
+ genprofile "unix:($l_access)" "unix:($p_access):peer=(addr=$p_addr)" $client:Ux
+ runchecktest "$desc (peer addr)" pass $args
+ fi
+
+ genprofile "unix:($l_access):type=$type:addr=$addr" "unix:($p_access):addr=$addr:peer=(label=$p_label)" $client:Ux
+ runchecktest "$desc (type, addr, peer label)" pass $args
+
+ if [ -n "$p_addr" ]; then
+ genprofile "unix:($l_access):type=$type:addr=$addr" "unix:($p_access):type=$type:addr=$addr:peer=(label=$p_label addr=$p_addr)" $client:Ux
+ runchecktest "$desc (type, addr, peer label, peer addr)" pass $args
+ fi
+
+ genprofile $client:Ux
+ runchecktest "$desc (no unix rule)" fail $args
+
+ for access in ${s_access//,/ }; do
+ genprofile "unix:(${s_access//$access/})" $client:Ux
+ runchecktest "$desc (missing perm: $access)" fail $args
+ done
+
+ genprofile "unix:($s_access):addr=$bad_addr" $client:Ux
+ runchecktest "$desc (bad addr)" fail $args
+
+ genprofile "unix:($s_access):type=$bad_type" $client:Ux
+ runchecktest "$desc (bad type)" fail $args
+
+ genprofile "unix:($l_access)" "unix:($p_access):peer=(label=$bad_p_label)" $client:Ux
+ runchecktest "$desc (bad peer label)" fail $args
+
+ if [ -n "$bad_p_addr" ]; then
+ genprofile "unix:($l_access)" "unix:($p_access):peer=(addr=$bad_p_addr)" $client:Ux
+ runchecktest "$desc (bad peer addr)" fail $args
+ fi
+
+ removeprofile
+}
+
+test_client()
+{
+ local addr_type="$1" # abstract or unnamed
+ local l_access="$2" # local perms
+ local type="$3" # stream, dgram, or seqpacket
+ local addr="$4" # optional socket address
+ local p_access="$5" # peer perms
+ local p_label="$6" # client socket label
+ local p_addr="$7" # peer socket address
+ local bad_type="$8"
+ local bad_addr="$9" # optional
+ local bad_p_label="${10}"
+ local bad_p_addr="${11}"
+
+ local desc="AF_UNIX $addr_type socket ($type);"
+ local c_access="${l_access},${p_access}" # combined client perms
+ local access # used as an iterator
+ local server="unix:ALL $client:px"
+ local args="$p_addr $type $message $client"
+
+ runchecktest "$desc unconfined client" pass $args
+
+ desc+=" confined client"
+
+ genprofile $server -- image=$client "unix:ALL"
+ runchecktest "$desc (implicit perms)" pass $args
+
+ genprofile $server -- image=$client "unix:($c_access)"
+ runchecktest "$desc (explicit perms)" pass $args
+
+ genprofile $server -- image=$client "unix:($c_access):type=$type"
+ runchecktest "$desc (type)" pass $args
+
+ if [ -n "$addr" ]; then
+ genprofile $server -- image=$client "unix:($c_access):addr=$addr"
+ runchecktest "$desc (addr)" pass $args
+ fi
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix::peer=(label=$p_label)"
+ runchecktest "$desc (peer label w/ implicit perms)" pass $args
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(label=$p_label)"
+ runchecktest "$desc (peer label w/ explicit perms)" pass $args
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(addr=$p_addr)"
+ runchecktest "$desc (peer addr)" pass $args
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(label=$p_label addr=$p_addr)"
+ runchecktest "$desc (peer label, peer addr)" pass $args
+
+ genprofile $server -- image=$client "unix:($l_access):type=$type" "unix:($p_access):type=$type:peer=(label=$p_label addr=$p_addr)"
+ runchecktest "$desc (type, peer label, peer addr)" pass $args
+
+ if [ -n "$addr" ]; then
+ genprofile $server -- image=$client "unix:($l_access):type=$type:addr=$addr" "unix:($p_access):type=$type:addr=$addr:peer=(label=$p_label addr=$p_addr)"
+ runchecktest "$desc (type, addr, peer label, peer addr)" pass $args
+ fi
+
+ genprofile $server -- image=$client
+ runchecktest "$desc (no unix rule)" fail $args
+
+ for access in ${c_access//,/ }; do
+ genprofile $server -- image=$client "unix:(${c_access//$access/})"
+ runchecktest "$desc (missing perm: $access)" fail $args
+ done
+
+ genprofile $server -- image=$client "unix:($s_access):type=$bad_type"
+ runchecktest "$desc (bad type)" fail $args
+
+ if [ -n "$bad_addr" ]; then
+ genprofile $server -- image=$client "unix:($s_access):addr=$bad_addr"
+ runchecktest "$desc (bad addr)" fail $args
+ fi
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(label=$bad_p_label)"
+ runchecktest "$desc (bad peer label)" fail $args
+
+ genprofile $server -- image=$client "unix:($l_access)" "unix:($p_access):peer=(addr=$bad_p_addr)"
+ runchecktest "$desc (bad peer addr)" fail $args
+
+ removeprofile
+}
diff --git a/tests/regression/apparmor/unix_socket_abstract.sh b/tests/regression/apparmor/unix_socket_abstract.sh
new file mode 100755
index 0000000..32ed888
--- /dev/null
+++ b/tests/regression/apparmor/unix_socket_abstract.sh
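Review bot: In test_client the "bad type" and "bad addr" cases build their rule from `$s_access`, which is a local of test_server and is unset in this function, so the generated rule carries an empty permission list. Both cases are expected to fail and presumably still do, but because no permissions were granted rather than because the type or addr conditional mismatched; a regression in how those conditionals are mediated for the client would then go unnoticed. Use the client's own combined list instead: `genprofile $server -- image=$client "unix:($c_access):type=$bad_type"` and `genprofile $server -- image=$client "unix:($c_access):addr=$bad_addr"`.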
@@ -0,0 +1,109 @@
+#! /bin/bash
+#
+# Copyright (C) 2014 Canonical, Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, contact Canonical Ltd.
+
+#=NAME unix_socket_pathname
+#=DESCRIPTION
+# This tests access to pathname unix domain sockets. The server opens a socket,
+# forks a client with it's own profile, sends a message to the client over the
+# socket, and sees what happens.
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+. $bin/unix_socket.inc
+requires_features policy/versions/v7
+requires_features network/af_unix
+
+settest unix_socket
+
+addr=@aa_sock
+client_addr=${addr}.client
+
+# Test abstract stream server and client
+test_server "abstract" \
+ "create,bind,listen,getopt,setopt,shutdown" \
+ stream \
+ "$addr" \
+ "accept,read,write" \
+ "unconfined" \
+ "" \
+ dgram \
+ "${addr}XXX" \
+ "XXX" \
+ ""
+test_client "abstract" \
+ "create,getopt,setopt,getattr" \
+ stream \
+ "" \
+ "connect,write,read" \
+ "$test" \
+ "$addr" \
+ seqpacket \
+ "" \
+ "${test}XXX" \
+ "${addr}XXX"
+
+# Test abstract dgram server and client
+test_server "abstract" \
+ "create,bind,getopt,setopt,shutdown" \
+ dgram \
+ "$addr" \
+ "read,write" \
+ "unconfined" \
+ "$client_addr" \
+ seqpacket \
+ "${addr}XXX" \
+ "XXX" \
+ "${client_addr}XXX"
+test_client "abstract" \
+ "create,bind,getopt,setopt,getattr" \
+ dgram \
+ "$client_addr" \
+ "write,read" \
+ "$test" \
+ "$addr" \
+ stream \
+ "${client_addr}XXX" \
+ "${test}XXX" \
+ "${addr}XXX"
+
+# Test abstract seqpacket server and client
+test_server "abstract" \
+ "create,bind,listen,getopt,setopt,shutdown" \
+ seqpacket \
+ "$addr" \
+ "accept,read,write" \
+ "unconfined" \
+ "" \
+ stream \
+ "${addr}XXX" \
+ "XXX" \
+ ""
+test_client "abstract" \
+ "create,getopt,setopt,getattr" \
+ seqpacket \
+ "" \
+ "connect,write,read" \
+ "$test" \
+ "$addr" \
+ dgram \
+ "" \
+ "${test}XXX" \
+ "${addr}XXX"
-- 2.1.0 -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
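Review bot: The `#=NAME` / `#=DESCRIPTION` header still describes the pathname test, while this script sets `addr=@aa_sock` and passes "abstract" to every test_server and test_client call. Suggest `#=NAME unix_socket_abstract` and `# This tests access to abstract unix domain sockets.`, and "its own profile" rather than "it's own profile" in the same block. A header naming the wrong test could lead someone reading the suite to attribute these cases to the pathname socket test.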