mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-07 01:41:00 +01:00
a0efe08a97
which doesn't automatically mask of MAY_WRITE in inode_permission.
openat.patch - comment of o_creat bug, remove exit before last test
chdir.patch - add trailing /, give profile read permission to the directory
access.patch - give profile dir read permissions, update test rwx (r) to
fail since w - perm is no longer masked off.
75 lines
2.9 KiB
Diff
75 lines
2.9 KiB
Diff
Index: subdomain/openat.sh
|
|
===================================================================
|
|
--- subdomain.orig/openat.sh
|
|
+++ subdomain/openat.sh
|
|
@@ -40,59 +40,59 @@ runchecktest "OPENAT unconfined RW (crea
|
|
|
|
# PASS TEST (the file shouldn't exist, so open should create it
|
|
resettest
|
|
-genprofile ${dir}:r ${filepath}:$okperm
|
|
+genprofile ${dir}/:r ${filepath}:$okperm
|
|
runchecktest "OPENAT RW (create) " pass $dir $file
|
|
|
|
# PASS TEST
|
|
resettest
|
|
touch ${filepath}
|
|
-genprofile ${dir}:r ${filepath}:$okperm
|
|
+genprofile ${dir}/:r ${filepath}:$okperm
|
|
runchecktest "OPENAT RW (exists)" pass $dir $file
|
|
|
|
# FAILURE TEST (1)
|
|
resettest
|
|
touch ${filepath}
|
|
-genprofile ${dir}:r ${filepath}:$badperm1
|
|
+genprofile ${dir}/:r ${filepath}:$badperm1
|
|
runchecktest "OPENAT R" fail $dir $file
|
|
|
|
# FAILURE TEST (2)
|
|
resettest
|
|
touch ${filepath}
|
|
-genprofile ${dir}:r ${filepath}:$badperm2
|
|
+genprofile ${dir}/:r ${filepath}:$badperm2
|
|
runchecktest "OPENAT W (exists)" fail $dir $file
|
|
|
|
# FAILURE TEST (3)
|
|
resettest
|
|
-genprofile ${dir}:r ${filepath}:$badperm1 cap:dac_override
|
|
+genprofile ${dir}/:r ${filepath}:$badperm1 cap:dac_override
|
|
runchecktest "OPENAT R+dac_override" fail $dir $file
|
|
|
|
# FAILURE TEST (4)
|
|
# This is testing for bug: https://bugs.wirex.com/show_bug.cgi?id=2885
|
|
# When we open O_CREAT|O_RDWR, we are (were?) allowing only write access
|
|
# to be required.
|
|
+# This test currently passes when it should fail because of the o_creat bug
|
|
resettest
|
|
-genprofile ${dir}:r ${filepath}:$badperm2
|
|
+genprofile ${dir}/:r ${filepath}:$badperm2
|
|
runchecktest "OPENAT W (create)" fail $dir $file
|
|
|
|
# PASS rename of directory in between opendir/openat
|
|
resettest
|
|
-genprofile ${dir}/${subdir}:rw ${dir}/otherdir:w ${dir}/otherdir/file:rw
|
|
+genprofile ${dir}/${subdir}/:rw ${dir}/otherdir/:w ${dir}/otherdir/file:rw
|
|
runchecktest "OPENAT RW (rename/newpath)" pass --rename ${dir}/otherdir ${dir}/${subdir} file
|
|
|
|
# PASS rename of directory in between opendir/openat - file exists
|
|
resettest
|
|
touch ${filepath}
|
|
-genprofile ${dir}/${subdir}:rw ${dir}/otherdir:w ${dir}/otherdir/file:rw
|
|
+genprofile ${dir}/${subdir}/:rw ${dir}/otherdir/:w ${dir}/otherdir/file:rw
|
|
runchecktest "OPENAT RW (rename/newpath)" pass --rename ${dir}/otherdir ${dir}/${subdir} file
|
|
|
|
# FAIL rename of directory in between opendir/openat - use old name
|
|
resettest
|
|
-genprofile ${dir}/${subdir}:rw ${dir}/otherdir:w ${dir}/${subdir}/file:rw
|
|
+genprofile ${dir}/${subdir}/:rw ${dir}/otherdir/:w ${dir}/${subdir}/file:rw
|
|
runchecktest "OPENAT RW (rename/newpath)" fail --rename ${dir}/otherdir ${dir}/${subdir} file
|
|
-exit
|
|
|
|
# FAIL rename of directory in between opendir/openat - use old name, file exists
|
|
resettest
|
|
touch ${filepath}
|
|
-genprofile ${dir}/${subdir}:rw ${dir}/otherdir:w ${dir}/${subdir}/file:rw
|
|
+genprofile ${dir}/${subdir}/:rw ${dir}/otherdir/:w ${dir}/${subdir}/file:rw
|
|
runchecktest "OPENAT RW (rename/newpath)" fail --rename ${dir}/otherdir ${dir}/${subdir} file
|