mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-05 00:41:03 +01:00
The new af_unix apparmor kernel patches include the first step towards implicit labeling. As a result, when a file descriptor is inherited across one profile boundary to another, both labels' policies are checked for valid access to the file descriptor. However, due to a quirk in the Linux kernel, when a socket is opened, the file descriptor is marked as having read and write (aka send and receive) access. When the crosscheck revalidation occurs, this means that the policy being inherited from requires read/write access to the socket descriptor, even if the process never reads or writes to it. This resulted in a few failures in the socketpair tests. The following patch adjusts the failing tests to include the necessary send and receive permissions, as well as adding additional tests that are expected to fail when they are not present, to try to ensure that if our crosscheck behavior changes, we catch it.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Top-level tree at this commit:

- apparmor/
- distro/
- Makefile