224989 |
18-Aug-2011 |
jonathan |
Test process descriptors.
Ensure that process descriptors work as expected. We should be able to: - pdfork(), like regular fork(), but producing a process descriptor - pdgetpid() to convert a PD into a PID - pdkill() to send signals to a process identified by a PD
Approved by: re (kib), mentor (rwatson) Sponsored by: Google Inc
|
224793 |
12-Aug-2011 |
jonathan |
Test *at(2) calls with capability-mode lookup.
This commit adds regression testing for openat(), fstatat(), etc. with capability scoping ("strict relative" lookup), which applies: - in capability mode - when performing any *at() lookup relative to a capability
These tests will fail until the *at() code is committed; on my local instance, with the *at() changes, they all pass.
Approved by: re (kib), mentor (rwatson) Sponsored by: Google Inc
|
224784 |
11-Aug-2011 |
jonathan |
Use the right printf() format string without a cast to maxint_t.
As per kib's suggestion, we also change test_count from a size_t to an int; its value at the moment is 4, and we only expect it to go up to 7.
Approved by: re (kib), mentor (rwatson) Sponsored by: Google Inc
|
224778 |
11-Aug-2011 |
rwatson |
Second-to-last commit implementing Capsicum capabilities in the FreeBSD kernel for FreeBSD 9.0:
Add a new capability mask argument to fget(9) and friends, allowing system call code to declare what capabilities are required when an integer file descriptor is converted into an in-kernel struct file *. With options CAPABILITIES compiled into the kernel, this enforces capability protection; without, this change is effectively a no-op.
Some cases require special handling, such as mmap(2), which must preserve information about the maximum rights at the time of mapping in the memory map so that they can later be enforced in mprotect(2) -- this is done by narrowing the rights in the existing max_protection field used for similar purposes with file permissions.
In namei(9), we assert that the code is not reached from within capability mode, as we're not yet ready to enforce namespace capabilities there. This will follow in a later commit.
Update two capability names: CAP_EVENT and CAP_KEVENT become CAP_POST_KEVENT and CAP_POLL_KEVENT to more accurately indicate what they represent.
Approved by: re (bz) Submitted by: jonathan Sponsored by: Google Inc
|
224660 |
05-Aug-2011 |
jonathan |
Expect fchflags(2) to fail with EOPNOTSUPP on NFS.
Even if we have CAP_FCHFLAGS, fchflags(2) fails on NFS. This is normal and expected, so don't fail the test because of it.
Note that, whether or not we are on NFS, fchflags(2) should always fail with ENOTCAPABLE if we are using a capability that does not have the CAP_FCHFLAGS right.
Approved by: re (kib), mentor (rwatson) Sponsored by: Google Inc
|
221431 |
04-May-2011 |
jonathan |
Regression tests for Capsicum capability mode.
Ensure that system calls that access global namespaces, e.g. open(2), are not permitted, and that whitelisted sysctls like kern.osreldate are.
Approved by: rwatson Sponsored by: Google, Inc.
|
176294 |
14-Feb-2008 |
rwatson |
Add open_to_operation, a security regression test that opens files with various open flags and then tests various operations to make sure that they are properly constrained by open flags. Various I/O mechansms are tried, including aio if compiled into the kernel or loaded as a module. There's more to be done here but it's a useful start, running about 220 individual tests.
This is in support of FreeBSD-SA-08:03.sendfile.
|
83794 |
21-Sep-2001 |
rwatson |
o Fix two eaccess() checks -- in one case, the wrong test file was used, resulting in a regression failure, and in the other, the test on an error return was inverted.
Obtained from: TrustedBSD Project
|
75422 |
11-Apr-2001 |
rwatson |
o First pass at an inter-process authorization regression testing suite. This test utility attempts to evaluate the current kernel policy for authorization inter-process activities, currently ptrace(), kill(, SIGHUP), getpriority(), and setpriority(). The utility creates pairs of processes, initializes their credential sets to useful cases, and reports on whether the results are in keeping with hard-coded safety expectations.
o Currently, this utility relies on the availability of __setugid(), an uncomitted system call used for managing the P_SUGID bit. Due to continuing discussion of optional regression testing kernel components ("options REGRESSION") I'll hold off on committing that until the discussion has reached its natural termination.
o A number of additional testing factors should be taken into account in the testing, including tests for different classes of signals, interactions with process session characteristics, I/O signalling, broadcast activities such as broadcast signalling, mass priority setting, and to take into group-related aspects of credentials. Additional operations should also be taken into account, such as ktrace, debugging attach using procfs, and so on.
o This testing suite is intended to prevent the introduction of bugs in the upcoming sets of authorization changes associated with the introduction of process capabilities and mandatory access control.
Obtained from: TrustedBSD Project
|