On Mon, Sep 15, 2014 at 02:55:57PM -0500, Tyler Hicks wrote: > The AppArmor kernel ABI v7 requires that a 'unix create,' rule be > granted to confined processes that call socket(AF_UNIX, type, 0). This > is true for pathname, abstract, and unnamed UNIX domain sockets since > the address type of a socket is not yet known when socket(2) is called. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > --- > tests/regression/apparmor/unix_socket_pathname.sh | 40 > ++++++++++++++++++----- > 1 file changed, 32 insertions(+), 8 deletions(-) > > diff --git a/tests/regression/apparmor/unix_socket_pathname.sh > b/tests/regression/apparmor/unix_socket_pathname.sh > index b6f6b69..45d74b9 100755 > --- a/tests/regression/apparmor/unix_socket_pathname.sh > +++ b/tests/regression/apparmor/unix_socket_pathname.sh > @@ -92,35 +98,53 @@ testsocktype() > if [ -n "$badserver2" ] ; then > # FAIL - server w/ bad access to the file > > - genprofile $sockpath:$badserver2 $client:Ux > + genprofile $sockpath:$badserver2 $af_unix $client:Ux > runchecktest "$testdesc; confined server w/ bad access > ($badserver2)" fail $args > removesocket $sockpath > fi > > + if [ -n "$af_unix" ] ; then > + # FAIL - server w/o af_unix access > + > + genprofile $sockpath:$okserver $client:Ux > + runchecktest "$testdesc; confined server w/o af_unix" fail $args > + removesockets $sockpath
s/removesockets/removesocket/ here. With that, Acked-by: Steve Beattie <st...@nxnw.org> > + fi > + > + server="$sockpath:$okserver $af_unix $client:px" > + > # PASS - client w/ access to the file > > - genprofile $sockpath:$okserver $client:px -- image=$client > $sockpath:$okclient > + genprofile $server -- image=$client $sockpath:$okclient $af_unix > runchecktest "$testdesc; confined client w/ access ($okclient)" pass > $args > removesocket $sockpath > > # FAIL - client w/o access to the file > > - genprofile $sockpath:$okserver $client:px -- image=$client > + genprofile $server -- image=$client $af_unix > runchecktest "$testdesc; confined client w/o access" fail $args > removesocket $sockpath > > # FAIL - client w/ bad access to the file > > - genprofile $sockpath:$okserver $client:px -- image=$client > $sockpath:$badclient1 > + genprofile $server -- image=$client $sockpath:$badclient1 $af_unix > runchecktest "$testdesc; confined client w/ bad access ($badclient1)" > fail $args > removesocket $sockpath > > # FAIL - client w/ bad access to the file > > - genprofile $sockpath:$okserver $client:px -- image=$client > $sockpath:$badclient2 > + genprofile $server -- image=$client $sockpath:$badclient2 > runchecktest "$testdesc; confined client w/ bad access ($badclient2)" > fail $args > removesocket $sockpath > > + if [ -n "$af_unix" ] ; then > + # FAIL - client w/o af_unix access > + > + genprofile $server -- image=$client $sockpath:$okclient > + runchecktest "$testdesc; confined client w/o af_unix" fail $args > + removesocket $sockpath > + fi > + > removeprofile > } -- Steve Beattie <sbeat...@ubuntu.com> http://NxNW.org/~steve/
signature.asc
Description: Digital signature
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
