tests: Add more named pipe tests

Allow for the parent and child processes to change into separate hats to
verify named pipe communications between hats with varying permissions.

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Steve Beattie <steve@nxnw.org>
Tyler Hicks 2014-06-10 17:29:40 -05:00
parent f32daf1e34
commit da7c856f5d
2 changed files with 80 additions and 28 deletions


@ -66,14 +66,6 @@ int do_parent (char * hat, char * file)
{
int fd;
fd=open(file, O_RDONLY, 0);
if (fd == -1){
fprintf(stderr, "FAIL: open read %s failed - %s\n",
file,
strerror(errno));
return 1;
}
/* change hat if hatname != nochange */
if (strcmp(hat, "nochange") != 0){
if (change_hat(hat, SD_ID_MAGIC+1) == -1){
@ -83,6 +75,21 @@ int do_parent (char * hat, char * file)
}
}
if (alarm(5) != 0) {
fprintf(stderr, "FAIL: alarm already set\n");
exit(1);
}
fd=open(file, O_RDONLY, 0);
if (fd == -1){
fprintf(stderr, "FAIL: open read %s failed - %s\n",
file,
strerror(errno));
return 1;
}
alarm(0);
return(do_read(fd));
}
@ -90,6 +97,15 @@ int do_child (char * hat, char * file)
{
int fd;
/* change hat if hatname != nochange */
if (strcmp(hat, "nochange") != 0){
if (change_hat(hat, SD_ID_MAGIC+1) == -1){
fprintf(stderr, "FAIL: changehat %s failed - %s\n",
hat, strerror(errno));
exit(1);
}
}
fd=open(file, O_WRONLY, 0);
if (fd == -1){
fprintf(stderr, "FAIL: open write %s failed - %s\n",
@ -98,31 +114,41 @@ int do_child (char * hat, char * file)
return 1;
}
/* change hat if hatname != nochange */
if (strcmp(hat, "nochange") != 0){
if (change_hat(hat, SD_ID_MAGIC+1) == -1){
fprintf(stderr, "FAIL: changehat %s failed - %s\n",
hat, strerror(errno));
exit(1);
}
}
return (do_write(fd));
}
pid_t pid = -1;
void kill_child(void)
{
if (pid > 0)
kill(pid, SIGKILL);
}
void sigalrm_handler(int sig)
{
fprintf(stderr, "FAIL: parent timed out waiting for child\n");
exit(1);
}
int main(int argc, char *argv[])
{
int rc;
pid_t pid;
int waitstatus;
int read_error = 0;
if (argc != 3){
fprintf(stderr, "usage: %s hatname filename\n",
if (argc != 4){
fprintf(stderr, "usage: %s parent_hatname child_hatname filename\n",
argv[0]);
return 1;
}
if (signal(SIGALRM, sigalrm_handler) == SIG_ERR) {
fprintf(stderr, "FAIL: signal failed - %s\n",
strerror(errno));
exit(1);
}
pid = fork();
if (pid == -1) {
fprintf(stderr, "FAIL: fork failed - %s\n",
@ -130,7 +156,8 @@ int main(int argc, char *argv[])
exit(1);
} else if (pid != 0) {
/* parent */
read_error = do_parent(argv[1], argv[2]);
atexit(kill_child);
read_error = do_parent(argv[1], argv[3]);
rc = wait(&waitstatus);
if (rc == -1){
fprintf(stderr, "FAIL: wait failed - %s\n",
@ -139,7 +166,7 @@ int main(int argc, char *argv[])
}
} else {
/* child */
exit(do_child(argv[1], argv[2]));
exit(do_child(argv[2], argv[3]));
}
if ((WIFEXITED(waitstatus) != 0) && (WEXITSTATUS(waitstatus) == 0)
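Review bot: In do_parent, the `return 1` taken when `open(file, O_RDONLY, 0)` fails skips `alarm(0)`, so the 5-second timer is still armed while main() sits in `wait()`. That pending alarm appears to be the only thing that keeps the parent from hanging when the child is itself blocked opening the FIFO for write, yet nothing says so, and the handler then prints "parent timed out waiting for child" after an open failure that was already reported. A comment above that return, such as `/* alarm stays armed on failure: it bounds wait() in main() if the child blocks in open() */`, would make the reliance explicit. The rendered page also does not show whether main's local `pid_t pid;` was removed; if it is still there it shadows the new file-scope `pid`, and `kill_child()` would always see -1 and never signal the child. main() continues past the last visible line.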


@ -22,38 +22,63 @@ bin=$pwd
. $bin/prologue.inc
subtest=sub
fifo=${tmpdir}/pipe
subtest=sub
okperm=rw
subparent=parent
okparent=r
subchild=child
okchild=w
mknod ${fifo} p
# NAMED PIPE - no confinement
runchecktest "NAMED PIPE (no confinement)" pass nochange ${fifo}
runchecktest "NAMED PIPE (no confinement)" pass nochange nochange ${fifo}
# PIPE - confined.
#rm -f ${fifo} && mknod ${fifo} p
genprofile $fifo:${okperm}
runchecktest "NAMED PIPE RW (confinement)" pass nochange ${fifo}
runchecktest "NAMED PIPE RW (confinement)" pass nochange nochange ${fifo}
# PIPE - confined - no access.
#rm -f ${fifo} && mknod ${fifo} p
genprofile
runchecktest "NAMED PIPE (confinement)" fail nochange ${fifo}
runchecktest "NAMED PIPE (confinement)" fail nochange nochange ${fifo}
# PIPE - in a subprofile.
#rm -f ${fifo} && mknod ${fifo} p
genprofile ${fifo}:${okperm} hat:$subtest ${fifo}:${okperm}
runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${fifo}
runchecktest "NAMED PIPE RW (subprofile)" pass ${subtest} ${subtest} ${fifo}
# PIPE - in a subprofile - no access
#rm -f ${fifo} && mknod ${fifo} p
genprofile ${fifo}:${okperm} hat:$subtest
runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${fifo}
runchecktest "NAMED PIPE (subprofile)" fail ${subtest} ${subtest} ${fifo}
# PIPE - in separate subprofiles
genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild ${fifo}:${okchild}
runchecktest "NAMED PIPE RW (parent & child subprofiles)" pass ${subparent} ${subchild} ${fifo}
# PIPE - in separate subprofiles - no access for child
genprofile hat:$subparent ${fifo}:${okparent} hat:$subchild
runchecktest "NAMED PIPE R (parent & child subprofiles)" fail ${subparent} ${subchild} ${fifo}
# PIPE - in separate subprofiles - no access for parent
genprofile hat:$subparent hat:$subchild ${fifo}:${okchild}
runchecktest "NAMED PIPE W (parent & child subprofiles)" fail ${subparent} ${subchild} ${fifo}
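Review bot: The three separate-hat cases only deny access by leaving the FIFO rule out of a hat; none grants a hat the rule with the wrong permission, so a regression that let `r` satisfy a write open (or `w` a read open) across hats would go unnoticed. A swapped case would close that gap: `genprofile hat:$subparent ${fifo}:${okchild} hat:$subchild ${fifo}:${okparent}` followed by `runchecktest "NAMED PIPE (parent & child subprofiles, swapped perms)" fail ${subparent} ${subchild} ${fifo}`. The `fail` expectation presumably accepts any failing run (a changehat error, a denied open or the parent's 5-second timeout), so a one-line comment on each negative case naming the process expected to be denied would make the logs easier to audit.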