From 812678e595592e33e444fb9c92dfbe645fd83980 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Wed, 17 Apr 2019 14:13:42 +0100
Subject: test-dbus-daemon: Say why we don't check the value of LinuxSecurityLabel

Suggested on !105 by Matthijs van Duin.

Signed-off-by: Simon McVittie
---
 test/dbus-daemon.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/test/dbus-daemon.c b/test/dbus-daemon.c
index e4e11f16..e29ae454 100644
--- a/test/dbus-daemon.c
+++ b/test/dbus-daemon.c
@@ -516,6 +516,19 @@ test_creds (Fixture *f,
 g_test_message ("%s of this process is %s", name, label);
 g_assert_cmpuint (strlen (label) + 1, ==, len);
 seen |= SEEN_LINUX_SECURITY_LABEL;
+
+ /*
+ * At this point we would like to do something like:
+ *
+ * g_assert_cmpstr (label, ==, real_security_label);
+ *
+ * but there is no LSM-agnostic way to find out our real security
+ * label in a way that matches SO_PEERSEC. The closest thing
+ * available is reading /proc/self/attr/current, but that is only
+ * equal to SO_PEERSEC after applying LSM-specific
+ * canonicalization (for example for AppArmor you have to remove
+ * a trailing newline from /proc/self/attr/current).
+ */
 #else
 g_assert_not_reached ();
 #endif
--
cgit v1.2.1
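Review bot: The added comment explains why the label value is not compared, but it does not say what the test still guarantees. The only assertion on `label` visible in this hunk is `g_assert_cmpuint (strlen (label) + 1, ==, len);`, which checks for a NUL-terminated string with no embedded NUL and says nothing about whose label it is. A daemon that returned a well-formed but wrong LinuxSecurityLabel would therefore pass, and that matters if callers rely on this credential for access decisions. I would close the comment with a sentence such as `* So this test only verifies that the label is a well-formed NUL-terminated string, not that it is the label of this process.` so the coverage gap is explicit to the next reader. test_creds begins and ends outside the hunk, so any stronger check elsewhere in the function is not visible here.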