kernel-packages team mailing list archive
Message #82311
[Bug 1375516] [NEW] unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
Public bug reported:
The AF_UNIX pathname stream and seqpacket tests are not failing when the
server program is missing the getopt unix permission. Note that the
dgram version of this test fails as expected. This suggests some type of
difference in the mediation of getsockopt() between connected and
connectionless sockets.
Note that you'll need to be sure that these patches have been applied to
a fresh checkout of lp:apparmor before running unix_socket_pathname.sh:
https://lists.ubuntu.com/archives/apparmor/2014-September/006563.html
https://lists.ubuntu.com/archives/apparmor/2014-September/006564.html
* The test failures:
  Error: unix_socket passed. Test 'AF_UNIX pathname socket (stream);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'
  Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'
* The profile (note the missing getopt permission):
  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket {
    /etc/ld.so.cache r,
    /proc/*/attr/current w,
    /dev/urandom r,
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
    /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
    /lib/x86_64-linux-gnu/libc-2.19.so mr,
    /lib/x86_64-linux-gnu/ld-2.19.so rix,
    /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
    /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
    unix (create,,setopt),
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
  }
I've attached the strace output of the test run to show that the
unix_socket program does successfully call getsockopt().
** Affects: linux (Ubuntu)
Importance: High
Assignee: John Johansen (jjohansen)
Status: Confirmed
** Tags: apparmor
** Attachment added: "strace"
https://bugs.launchpad.net/bugs/1375516/+attachment/4219738/+files/strace
** Description changed:
The AF_UNIX pathname stream and seqpacket tests are not failing when the
server program is missing the getopt unix permission. Note that the
dgram version of this test fails as expected. This suggests some type of
difference in the mediation of getsockopt() between connected and
connectionless sockets.
+
+ Note that you'll need to be sure that these patches have been applied to
+ a fresh checkout of lp:apparmor before running unix_socket_pathname.sh:
+
+ https://lists.ubuntu.com/archives/apparmor/2014-September/006563.html
+ https://lists.ubuntu.com/archives/apparmor/2014-September/006564.html
* The test failures:
Error: unix_socket passed. Test 'AF_UNIX pathname socket (stream);
confined server w/ a missing af_unix access (getopt)' was expected to
'fail'
Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket);
confined server w/ a missing af_unix access (getopt)' was expected to
'fail'
* The profile (note the missing getopt permission):
/home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket {
- /etc/ld.so.cache r,
- /proc/*/attr/current w,
- /dev/urandom r,
- /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
- /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
- /lib/x86_64-linux-gnu/libc-2.19.so mr,
- /lib/x86_64-linux-gnu/ld-2.19.so rix,
- /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
- /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
- unix (create,,setopt),
- /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
+ /etc/ld.so.cache r,
+ /proc/*/attr/current w,
+ /dev/urandom r,
+ /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
+ /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
+ /lib/x86_64-linux-gnu/libc-2.19.so mr,
+ /lib/x86_64-linux-gnu/ld-2.19.so rix,
+ /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
+ /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
+ unix (create,,setopt),
+ /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
}
I've attached the strace output of the test run to show that the
unix_socket program does successfully call getsockopt().
https://bugs.launchpad.net/bugs/1375516
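An added example, not part of the bug report or of the AppArmor regression suite: a small C probe that calls getsockopt() on a bound AF_UNIX pathname socket and, for stream/seqpacket, on an accepted connection, so the result per socket type and stage can be compared when the program runs under a profile without the getopt permission. The function names, the SO_TYPE option and the socket path are assumptions made for this sketch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* getsockopt(SO_TYPE) on fd: 0 on success, otherwise errno (EACCES = denied). */
static int try_getopt(int fd) {
    int val = 0;
    socklen_t len = sizeof(val);
    return getsockopt(fd, SOL_SOCKET, SO_TYPE, &val, &len) == 0 ? 0 : errno;
}

/* Bind a pathname socket of `type` at `path` (a scratch path chosen here); for
 * stream/seqpacket also accept one connection made from this process. *bound and
 * *conn get try_getopt() of the bound / accepted socket (-1 = none). 0 = setup ok. */
int probe(int type, const char *path, int *bound, int *conn) {
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    int srv, cli = -1, acc = -1, ok = -1;
    *bound = *conn = -1;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);
    if ((srv = socket(AF_UNIX, type, 0)) < 0) return -1;
    if (bind(srv, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        *bound = try_getopt(srv);
        if (type == SOCK_DGRAM) {
            ok = 0;  /* connectionless: nothing to accept */
        } else if (listen(srv, 1) == 0 &&
                   (cli = socket(AF_UNIX, type, 0)) >= 0 &&
                   connect(cli, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
                   (acc = accept(srv, NULL, NULL)) >= 0) {
            *conn = try_getopt(acc);
            ok = 0;
        }
    }
    if (acc >= 0) close(acc);
    if (cli >= 0) close(cli);
    close(srv);
    unlink(path);
    return ok;
}

int main(void) {
    const int types[] = { SOCK_STREAM, SOCK_SEQPACKET, SOCK_DGRAM };
    for (int i = 0, b, c; i < 3; i++)
        if (probe(types[i], "/tmp/aa_getopt_probe.sock", &b, &c) == 0)
            printf("type=%d bound=%d accepted=%d\n", types[i], b, c);
    return 0;
}
```

Run unconfined, every stage reports 0; under a profile that omits getopt, a mediated call shows up as EACCES in the corresponding column.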
Follow ups
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Steve Beattie, 2014-10-17
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Launchpad Bug Tracker, 2014-10-15
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Tyler Hicks, 2014-10-01
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Launchpad Bug Tracker, 2014-10-01
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Tyler Hicks, 2014-10-01
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Tyler Hicks, 2014-10-01
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Tyler Hicks, 2014-10-01
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Tyler Hicks, 2014-09-30
-
[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Tyler Hicks, 2014-09-30
-
[Bug 1375516] [NEW] unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails
From: Tyler Hicks, 2014-09-30