apparmor/tests/regression/subdomain/for-mainline/link_perms.patch


Index: subdomain/link.sh
===================================================================
--- subdomain.orig/link.sh
+++ subdomain/link.sh
@@ -9,9 +9,11 @@
# License.
#=NAME link
-#=DESCRIPTION
-# Link requires 'l' permission and that permissions on the src and target
-# must match. This test verifies matching, non-matching and missing link
+#=DESCRIPTION
+# Link requires 'l' permission on the link and that permissions on the
+#links rwmx perms are a subset of the targets perms, and if x is present
+#that the link and target have the same x qualifiers.
+# This test verifies matching, non-matching and missing link
# permissions in a profile.
#=END
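Review bot: The new description leaves out one rule that the test enforces. In the second hunk the pass condition also requires `-n "$perms_no_link"`, so a link granted only `l` is expected to fail, and the header should say so. Two of the added lines also start with `#links` and `#that` without a space and drop the possessive apostrophes, unlike the rest of the block. Suggested wording: `# Link requires 'l' plus at least one other permission on the link; the link's rwmx` / `# permissions must be a subset of the target's, and an x permission must carry` / `# the same qualifier (ix, px, Px, ux, Ux) on both.`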
@@ -22,50 +24,88 @@ bin=$pwd
. $bin/prologue.inc
-src=$tmpdir/src
target=$tmpdir/target
+linkfile=$tmpdir/linkfile
okperm=rwixl
badperm=rwl
nolinkperm=rwix
-touch $src
+touch $target
-# PASS TEST
+#test for $1 in $2
+function perm_is_subset () {
+ # zero length substring always matches
+ if [ -z $1 ] ; then
+ echo $2;
+ return 0;
+ fi
+
+ case "$2" in
+ *$1*) echo ${2##${2/$1*/}}; return 0;;
+ esac
+
+ #handle the special cases
+ #ix implies mix
+ local target=${2/ix/mix}
+
+ case "$target" in
+ *$1*) echo ${target##${target/$1*/}}; return 0;;
+ esac
+
+ # permute rw to do string match of rm rwm
+ target=${target/rw/wr}
+ case "$target" in
+ *$1*) echo ${target##${target/$1*/}}; return 0;;
+ esac
+}
+
+PERMS="r w m ix px ux Px Ux l rw rm rix rpx rux rPx rUx rl wm wix wpx wux \
+ wPx wUx wl mix mpx mux mPx mUx ml ixl pxl uxl Pxl Uxl rwm rwix rwpx \
+ rwux rwPx rwUx rwl rmix rmpx rmux rmPx rmUx rml wmix wmpx wmux wmPx \
+ wmUx wml mixl mpxl muxl mPxl mUxl rwmix rwmpx rwmux rwmPx rwmUx \
+ rwml wmixl wmpxl wmuxl wmPxl wmUxl rwmixl rwmpxl rwmuxl rwmPxl \
+ rwmUxl"
+
+
+# unconfined test
+runchecktest "unconfined" pass $target $linkfile
+
+# Link no perms on link or target
+genprofile
+runchecktest "link (no perms) -> target (no perms)" fail $target $linkfile
+rm -rf $linkfile
+
+# link no perms
+for TARGET_PERM in ${PERMS} ; do
+ genprofile $target:$TARGET_PERM
+ runchecktest "link (no perms) -> target ($TARGET_PERM)" fail $target $linkfile
+ rm -rf $linkfile
+done
+
+# target no perms
+for LINK_PERM in ${PERMS} ; do
+ genprofile $linkfile:$LINK_PERM
+ runchecktest "link ($LINK_PERM) -> target (no perms)" fail $target $linkfile
+ rm -rf $linkfile
+done
+
+# all other combination of perms
+for LINK_PERM in ${PERMS} ; do
+ for TARGET_PERM in ${PERMS} ; do
+ l_in_perms=${LINK_PERM/*l/l}
+ perms_no_link=${LINK_PERM/l/}
+ link_subset=`perm_is_subset ${perms_no_link} ${TARGET_PERM}`
+ if [ "$l_in_perms" == "l" -a -n "$perms_no_link" -a -n "$link_subset" ]
+ then
+ expected_result=pass
+ else
+ expected_result=fail
+ fi
+#echo "testing $LINK_PERM -> $TARGET_PERM = $l_in_perms, $perms_no_link, $link_subset $expected_result"
+ genprofile $linkfile:$LINK_PERM $target:$TARGET_PERM
+ runchecktest "link ($LINK_PERM) -> target ($TARGET_PERM)" ${expected_result} $target $linkfile
+ rm -rf $linkfile
-genprofile $src:$okperm $target:$okperm
-runchecktest "MATCHING PERM (rwixl)" pass $src $target
+ done
+done
-# PASS TEST
-
-rm -f $target
-
-genprofile $src:$nolinkperm $target:$okperm
-runchecktest "MATCHING PERM (rwix)" pass $src $target
-
-# PASS TEST
-
-rm -f $target
-
-genprofile $src:r $target:rl
-runchecktest "MATCHING PERM (r)" pass $src $target
-
-# PASS TEST
-
-rm -f $target
-
-genprofile $src:w $target:wl
-runchecktest "MATCHING PERM (w)" pass $src $target
-
-# FAILURE TEST
-
-rm -f $target
-
-genprofile $src:$okperm $target:$badperm
-runchecktest "NONMATCHING PERM" fail $src $target
-
-# NOLINK TEST
-
-rm -f $target
-
-genprofile $src:$okperm $target:$nolinkperm
-runchecktest "NOLINK PERM" fail $src $target
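Review bot: `perm_is_subset` derives the expected result by substring match, so it only recognises a subset whose letters are contiguous in the target string. For link `rixl` and target `rwix` none of the three `case` patterns matches `rix`, so the loop expects `fail` although both r and ix are granted on the target. If link mediation follows the rule stated in the header, such pairs will be reported as regressions; if `fail` is what is intended, the header is wrong. A per-permission comparison as sketched below keeps the oracle aligned with the stated rule. The call site should also quote both arguments, `link_subset=$(perm_is_subset "$perms_no_link" "$TARGET_PERM")`, because an empty `$perms_no_link` currently shifts the target into `$1` and the zero-length branch (`[ -z $1 ]`, also unquoted) never runs.

```shell
function perm_is_subset () {
	# ix implies mix on the target, as in the original helper
	local link=$1 target=${2/ix/mix}
	local link_x=${link//[rwm]/} target_x=${target//[rwml]/}
	local i

	# an x permission on the link must carry the target's qualifier
	if [ -n "$link_x" ] && [ "$link_x" != "$target_x" ] ; then
		return 0	# no output: the caller tests the output, not the status
	fi

	# every r/w/m permission on the link must be granted on the target
	link=${link//[^rwm]/}
	for (( i = 0; i < ${#link}; i++ )) ; do
		case "$target" in
		*"${link:i:1}"*) ;;
		*) return 0 ;;
		esac
	done
	echo "$2"
}
# … unchanged: PERMS list and the unconfined / no-perms loops …
		link_subset=$(perm_is_subset "$perms_no_link" "$TARGET_PERM")
```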