# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2010 Canonical, Ltd
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# Test that AppArmor works correctly on a kernel that appends "(deleted)"
# to the path of a deleted file; verifies that the fix for d_path
# appending "(deleted)" is working.
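# Resolve the directory held in $pwd to an absolute path.
# The expansion is quoted so a directory name containing whitespace or glob
# characters reaches cd as one argument instead of being split.
# NOTE(review): a failing cd is not checked; /bin/pwd then reports the
# current directory instead.
pwd=$(cd "$pwd" ; /bin/pwd)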
# Path whose own name ends in " (deleted)", the same suffix the header
# comment says the kernel appends to deleted files.
file2="${tmpdir}/file (deleted)"
# Path used by the "cannot access unavailable" cases, which are expected to
# fail.
file3="${tmpdir}/unavailable"
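# Baseline runs labelled NO PROFILE: both the plain path and the path whose
# name ends in " (deleted)" are expected to pass.
# $file is quoted the same way as $file2 so that a temporary directory
# containing whitespace cannot split the path into several arguments.
runchecktest "NO PROFILE (access file)" pass nochange "$file"
runchecktest "NO PROFILE (access file (deleted))" pass nochange "$file2"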
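# NO CHANGEHAT TEST - doesn't force revalidation
# The profile grants $okperm on a single path at a time. The run against
# $file3, which no generated rule names, is the negative control and is
# expected to fail.
# Every path expansion is quoted so a path containing whitespace stays one
# argument, matching how $file2 was already handled.
genprofile "$file:$okperm"
runchecktest "NO CHANGEHAT (access file)" pass nochange "$file"
runchecktest "NO CHANGEHAT (cannot access unavailable)" fail nochange "$file3"

# Same check for the path whose name ends in " (deleted)".
genprofile "$file2:$okperm"
runchecktest "NO CHANGEHAT (access file (delete))" pass nochange "$file2"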
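# CHANGEHAT TEST - force revalidation using changehat
# The file rule is given twice, once before and once after hat:$subtest;
# presumably the second copy populates the hat, so access is expected to
# pass after the hat change as well (confirm against genprofile).
# $file3 appears in no rule and is expected to fail.
# Expansions are quoted so paths containing whitespace stay one argument.
genprofile "$file:$okperm" "hat:$subtest" "$file:$okperm"
runchecktest "CHANGEHAT (access file)" pass "$subtest" "$file"
runchecktest "CHANGEHAT (cannot access unavailable)" fail "$subtest" "$file3"

# Same check for the path whose name ends in " (deleted)".
genprofile "$file2:$okperm" "hat:$subtest" "$file2:$okperm"
runchecktest "CHANGEHAT (access file (deleted))" pass "$subtest" "$file2"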
# EXEC TEST - revalidation is forced by a fork/exec: the child inherits the
# already-open file but runs under a different profile.
# From here on the program under test is unix_fd_server.
settest unix_fd_server
# Socket path handed to the fd-passing test runs; lives under $tmpdir.
socket="${tmpdir}/unix_fd_test"
# Client binary that the generated profiles grant exec permission on.
# NOTE(review): this uses $PWD (the shell's current working directory), not
# the lowercase $pwd computed earlier; confirm the suite is always started
# from the directory that holds unix_fd_client, since the exec rule is
# written against this exact path.
fd_client="${PWD}/unix_fd_client"
# Content generated with:
# dd if=/dev/urandom bs=32 count=4 2> /dev/null | od -x | head -8 | sed -e 's/^[[:xdigit:]]\{7\}//g' -e 's/ //g'
aabcc2739c621194a00b6cb7875dcdeb
72f485a783219817c81c65f3e1b2bc80
4366ba09e881286c834e67b34ae6f186
ccc2c402fcc6e66d5cfaa0c68b94211c
163f7beeb9a320ab859189a82d695713
175797a8cf2e2435dd98551385e96d8f
05f82e8e0e146be0d4655d4681cb08b6
ed15ad1d4fb9959008589e589206ee13
# let's just be on the safe side
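# PASS - unconfined client
# The server profile grants $okperm on the file, rw on the socket and ux on
# the client binary; ux executes the client without a profile, so no client
# policy applies to the descriptor it is handed.
# Expansions are quoted so paths containing whitespace stay one argument.
genprofile "$file:$okperm" "$socket:rw" "$fd_client:ux"

# "delete_file" is passed through as a literal argument; presumably it tells
# the helper to remove the file while the descriptor is open (confirm
# against the test program).
runchecktest "fd passing; unconfined client" pass "$file" "$socket" "$fd_client" "delete_file"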
aabcc2739c621194a00b6cb7875dcdeb
72f485a783219817c81c65f3e1b2bc80
4366ba09e881286c834e67b34ae6f186
ccc2c402fcc6e66d5cfaa0c68b94211c
163f7beeb9a320ab859189a82d695713
175797a8cf2e2435dd98551385e96d8f
05f82e8e0e146be0d4655d4681cb08b6
ed15ad1d4fb9959008589e589206ee13
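# PASS - confined client, rw access to the file
# The client is executed with px, and the arguments after "--" describe a
# second profile (image=$fd_client) that grants the same $okperm on the file
# plus rw on the socket, so the passed descriptor is expected to stay usable
# under the client's own profile.
# Expansions are quoted so paths containing whitespace stay one argument.
genprofile "$file:$okperm" "$socket:rw" "$fd_client:px" -- \
  "image=$fd_client" "$file:$okperm" "$socket:rw"
runchecktest "fd passing; confined client w/ rw" pass "$file" "$socket" "$fd_client" "delete_file"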
aabcc2739c621194a00b6cb7875dcdeb
72f485a783219817c81c65f3e1b2bc80
4366ba09e881286c834e67b34ae6f186
ccc2c402fcc6e66d5cfaa0c68b94211c
163f7beeb9a320ab859189a82d695713
175797a8cf2e2435dd98551385e96d8f
05f82e8e0e146be0d4655d4681cb08b6
ed15ad1d4fb9959008589e589206ee13
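# FAIL - confined client, w access to the file
# Negative control for the fd-passing case: the client profile after "--"
# grants only $badperm on the file, so the run is expected to fail. This is
# the case that shows a descriptor handed across a profile boundary is
# checked against the receiver's policy rather than trusted as-is.
# Expansions are quoted so paths containing whitespace stay one argument.
genprofile "$file:$okperm" "$socket:rw" "$fd_client:px" -- \
  "image=$fd_client" "$file:$badperm" "$socket:rw"
runchecktest "fd passing; confined client w/ w only" fail "$file" "$socket" "$fd_client" "delete_file"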