From: Simon McVittie Date: Wed, 17 Apr 2019 13:13:42 +0000 (+0100) Subject: test-dbus-daemon: Say why we don't check the value of LinuxSecurityLabel X-Git-Tag: dbus-1.13.10~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=812678e595592e33e444fb9c92dfbe645fd83980;p=thirdparty%2Fdbus.git test-dbus-daemon: Say why we don't check the value of LinuxSecurityLabel Suggested on !105 by Matthijs van Duin. Signed-off-by: Simon McVittie --- diff --git a/test/dbus-daemon.c b/test/dbus-daemon.c index e4e11f16f..e29ae4540 100644 --- a/test/dbus-daemon.c +++ b/test/dbus-daemon.c @@ -516,6 +516,19 @@ test_creds (Fixture *f, g_test_message ("%s of this process is %s", name, label); g_assert_cmpuint (strlen (label) + 1, ==, len); seen |= SEEN_LINUX_SECURITY_LABEL; + + /* + * At this point we would like to do something like: + * + * g_assert_cmpstr (label, ==, real_security_label); + * + * but there is no LSM-agnostic way to find out our real security + * label in a way that matches SO_PEERSEC. The closest thing + * available is reading /proc/self/attr/current, but that is only + * equal to SO_PEERSEC after applying LSM-specific + * canonicalization (for example for AppArmor you have to remove + * a trailing newline from /proc/self/attr/current). + */ #else g_assert_not_reached (); #endif
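Review bot: the new comment in the `@@ -516,6 +516,19 @@` hunk is placed after `seen |= SEEN_LINUX_SECURITY_LABEL;`, but it qualifies the assertion two lines earlier, `g_assert_cmpuint (strlen (label) + 1, ==, len);`. Consider moving it to sit directly after that assertion, and adding one sentence saying what is still checked: that `len` equals the string length plus its terminating NUL, so the label contains no embedded NUL. As written, the comment explains why the value is not compared against /proc/self/attr/current but leaves the reader to work out that the length check is the only validation applied to LinuxSecurityLabel in this branch.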