lp://staging/~tyhicks/apparmor/abstract-socket-tests

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

2586. By Tyler Hicks on 2014-08-14

WIP: abstract rules

2585. By Tyler Hicks on 2014-08-12

tests: TODO

Signed-off-by: Tyler Hicks <email address hidden>

2584. By Tyler Hicks on 2014-08-12

tests: Update mkprofile.pl to accept unix rules

Example gen_unix() inputs and outputs:

  "unix:ALL" -> " unix,\n"

  "unix:(create,bind,listen,accept) peer=foo" ->
    " unix (create,bind,listen accept) peer=foo,\n"

Signed-off-by: Tyler Hicks <email address hidden>

2583. By Tyler Hicks on 2014-08-12

tests: Update unix_socket.sh for kernel ABI v7

Kernel ABI v6 only required 'w' permissions for the parent process that
creates the socket, accepts a connection, writes to the socket, and
reads from the socket.

Kernel ABI v7 will require 'rw' permissions for the parent process. This
change detects the current kernel ABI version and adjusts the parent
process's confinement appropriately. It also performs a negative test to
make sure that 'w' is not sufficient.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

2582. By Tyler Hicks on 2014-08-12

tests: Minimal update to make unix_socket.sh aware of abstract sockets

This change only sets up unix_socket.sh to test abstract sockets.
Unconfined processes are tested while using an abstract socket but
the test function returns before testing with confinement.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

2581. By Tyler Hicks on 2014-08-12

tests: Modify unix_socket/unix_socket_client to accept abstract names

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

2580. By Tyler Hicks on 2014-08-12

tests: Rename the unix_socket_file test to unix_socket

Rename the test in preparation for expanding its capabilities to cover
all UNIX domain socket address format types.

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

2579. By Tyler Hicks on 2014-08-12

tests: Don't leak socket fd to child process

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Seth Arnold <email address hidden>

2578. By Christian Boltz on 2014-08-11

smbd: changed cachedir in openSUSE

openSUSE now compiles samba --with-cachedir=/var/lib/samba (instead of
the default /var/cache/samba). This patch updates the smbd profile to
match this change.

Acked by: Seth Arnold <email address hidden>

2577. By Christian Boltz on 2014-08-11

dovecot/auth needs read access to /etc/dovecot/* when using plaintext
user/password files (everybody will use a different filename for the
user/password list - and when you allow reading the password list,
allowing to read the config doesn't add any harm ;-)

References: https://bugzilla.novell.com/show_bug.cgi?id=874094

Acked-by: Seth Arnold <email address hidden>