Bug: https://bugs.launchpad.net/bugs/1375516
The unix_socket test program calls getsockopt() after calling bind(). Because AppArmor continues to use traditional file rules for sockets bound to a filesystem path, it does not mediate some socket operations after the socket has been bound to the filesystem path. The getopt permission is one of those socket operations. To account for this lack of mediation, the getopt permission should be removed from the server permissions list. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- tests/regression/apparmor/unix_socket_pathname.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/regression/apparmor/unix_socket_pathname.sh b/tests/regression/apparmor/unix_socket_pathname.sh index 344c86d..2fefcc9 100755 --- a/tests/regression/apparmor/unix_socket_pathname.sh +++ b/tests/regression/apparmor/unix_socket_pathname.sh @@ -53,7 +53,7 @@ fi af_unix_okserver= af_unix_okclient= if [ "$(have_features network/af_unix)" == "true" ] ; then - af_unix_okserver="create,getopt,setopt" + af_unix_okserver="create,setopt" af_unix_okclient="create,getopt,setopt,getattr" fi -- 2.1.0 -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
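Review bot: the new `af_unix_okserver="create,setopt"` line has no comment explaining why the server list omits getopt while `af_unix_okclient` on the next line keeps it. The reason is only in the commit message. A short comment above the assignment would help, saying that getsockopt() is called after bind() and is not mediated once the socket is bound to a filesystem path. That would stop a later reader from "restoring" the permission to make the two lists symmetric. It is also worth confirming in the commit message that setopt is still mediated for the server, that is, that the test program calls setsockopt() before bind(). The message only describes the ordering of getsockopt(), and says "some socket operations" go unmediated after the bind. If setsockopt() were also called after bind(), keeping setopt in the list would leave the same expectation mismatch in the test.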