
kernel-packages team mailing list archive

[Bug 1375516] Re: unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

 

Since this issue affects stream/seqpacket but not dgram, it seems likely
that it is a kernel issue and not a parser issue. But to be sure, I've
verified that the perms that the parser outputs for setopt, getopt, and
the combination of the two do look sane:

$ for p in getopt setopt getopt,setopt; do echo "/t { unix ($p), }" | ./apparmor_parser -qQD dfa-states 2>&1 | head -n7; done
{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 100000/0/0/0)
{18} (0x 100000/0/0/0)
{19} (0x 100000/0/0/0)

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 80000/0/0/0)
{18} (0x 80000/0/0/0)
{19} (0x 80000/0/0/0)

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 180000/0/0/0)
{18} (0x 180000/0/0/0)
{19} (0x 180000/0/0/0)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1375516

Title:
  unix_socket_pathname.sh confined server stream/seqpacket missing
  getopt test fails

Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  The AF_UNIX pathname stream and seqpacket tests are not failing when
  the server program is missing the getopt unix permission. Note that
  the dgram version of this test fails as expected. This suggests some
  type of difference in the mediation of getsockopt() between connected
  and connectionless sockets.

  Note that you'll need to be sure that these patches have been applied
  to a fresh checkout of lp:apparmor before running
  unix_socket_pathname.sh:

  https://lists.ubuntu.com/archives/apparmor/2014-September/006563.html
  https://lists.ubuntu.com/archives/apparmor/2014-September/006564.html

  * The test failures:

  Error: unix_socket passed. Test 'AF_UNIX pathname socket (stream);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'

  Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket);
  confined server w/ a missing af_unix access (getopt)' was expected to
  'fail'

  * The profile (note the missing getopt permission):

  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket {
    /etc/ld.so.cache r,
    /proc/*/attr/current w,
    /dev/urandom r,
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
    /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
    /lib/x86_64-linux-gnu/libc-2.19.so mr,
    /lib/x86_64-linux-gnu/ld-2.19.so rix,
    /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
    /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
    unix (create,,setopt),
    /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
  }

  I've attached the strace output of the test run to show that the
  unix_socket program does successfully call getsockopt().

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1375516/+subscriptions
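An added probe, not part of the bug report or of the apparmor regression suite, that does the same thing the confined server does for each AF_UNIX socket type and reports whether getsockopt() was permitted; run it unconfined and then under a profile that lacks the getopt unix permission to see which types the kernel actually mediates. The /tmp directory and the aa_sock.<type> path names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Create and bind a pathname AF_UNIX socket of the given type
 * (SOCK_STREAM, SOCK_DGRAM or SOCK_SEQPACKET) under dir, then call
 * getsockopt() on it as a confined server would.
 * Returns 0 if getsockopt() succeeded, the errno it failed with
 * otherwise (EACCES when the confining profile lacks the "getopt"
 * unix permission), or -1 if socket()/bind() themselves failed. */
int probe_getopt(int type, const char *dir)
{
    struct sockaddr_un addr;
    int fd, optval, ret;
    socklen_t optlen = sizeof(optval);

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    /* assumed path layout: <dir>/aa_sock.<type>, removed again on exit */
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/aa_sock.%d", dir, type);

    fd = socket(AF_UNIX, type, 0);
    if (fd < 0)
        return -1;
    unlink(addr.sun_path);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        close(fd);
        return -1;
    }

    /* SO_TYPE is a harmless option that every socket type supports */
    ret = getsockopt(fd, SOL_SOCKET, SO_TYPE, &optval, &optlen) < 0 ? errno : 0;
    close(fd);
    unlink(addr.sun_path);
    return ret;
}

int main(void)
{
    const struct { int type; const char *name; } kinds[] = {
        { SOCK_STREAM, "stream" }, { SOCK_DGRAM, "dgram" }, { SOCK_SEQPACKET, "seqpacket" },
    };
    for (size_t i = 0; i < sizeof(kinds) / sizeof(kinds[0]); i++) {
        int r = probe_getopt(kinds[i].type, "/tmp");
        printf("%-9s getsockopt: %s\n", kinds[i].name,
               r == 0 ? "allowed" : r < 0 ? "setup failed" : strerror(r));
    }
    return 0;
}
```

Unconfined, all three types report "allowed"; under the profile quoted in the bug, the expected result is EACCES for every type, and the reported bug is that only dgram actually returns it.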

