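#!/bin/sh
# $FreeBSD$
#
# TAP-style checks of mac_portacl bind behaviour for the unprivileged
# account "nobody", matched by uid and by gid, over TCP and UDP.
#
# bind_test and restore_settings are not defined in this file; they are
# expected to come from misc.sh, sourced below.  Judging by the call sites,
# bind_test takes two expected outcomes (fl = bind fails, ok = bind
# succeeds), then id type, id name, protocol and port.  Presumably the first
# outcome is checked without a matching mac_portacl rule and the second with
# one, and each call reports two results (32 calls in this file against a
# plan of 64) -- confirm in misc.sh.
#
# The script rewrites system-wide sysctls that decide which ports need
# privilege to bind, so the host's port policy differs from its configured
# state while the test runs.

# Quoted so that a script path containing whitespace or glob characters
# still resolves to the right misc.sh.
dir=$(dirname "$0")
. "${dir}/misc.sh"

echo "1..64"

# The value of security.mac.portacl.suser_exempt does not affect the
# behaviour seen by unprivileged users.
# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.

# Installed before the first sysctl write in this file so that an
# interrupted run still calls restore_settings (presumably it puts the saved
# values back -- confirm in misc.sh).
# NOTE(review): an INT/TERM handler that returns lets the script carry on
# after the handler; whether restore_settings exits is not visible here.
trap restore_settings EXIT INT TERM

# NOTE(review): only stdout of sysctl is discarded and its exit status is
# not checked; if a write fails, the expectations below run against whatever
# values are in effect.  Presumably misc.sh verifies the prerequisites --
# confirm.
sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null

# Port 77 is <= reservedhigh, so "nobody" is expected to fail to bind it in
# both cases (fl fl); port 7777 is expected to bind in both cases (ok ok).
# The same matrix runs with suser_exempt=1 and then 0 to show that the knob
# makes no difference to an unprivileged user.  Loop variables carry a t_
# prefix to stay clear of any globals misc.sh may use.
for t_exempt in 1 0; do
	sysctl security.mac.portacl.suser_exempt="${t_exempt}" >/dev/null
	for t_idtype in uid gid; do
		for t_proto in tcp udp; do
			bind_test fl fl "${t_idtype}" nobody "${t_proto}" 77
			bind_test ok ok "${t_idtype}" nobody "${t_proto}" 7777
		done
	done
done

# Verify that security.mac.portacl.port_high works.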
# With port_high raised to 7778, port 7777 is expected to fail in the first
# case and succeed in the second (fl ok) -- presumably "without a rule" and
# "with a rule"; confirm against bind_test in misc.sh.  Port 77 is still
# expected to fail in both cases (fl fl).
# Loop variables carry a t_ prefix to stay clear of any globals misc.sh may
# use; the call order is uid/tcp, uid/udp, gid/tcp, gid/udp, low port first.
sysctl security.mac.portacl.port_high=7778 >/dev/null

for t_idtype in uid gid; do
	for t_proto in tcp udp; do
		bind_test fl fl "${t_idtype}" nobody "${t_proto}" 77
		bind_test fl ok "${t_idtype}" nobody "${t_proto}" 7777
	done
done

# Verify that mac_portacl rules work.

# reservedhigh drops to 76 and port_high to 7776: port 77 is now above
# reservedhigh and is expected to follow the fl ok pattern, while port 7777
# is above port_high and is expected to bind in both cases (ok ok).
sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null
sysctl security.mac.portacl.port_high=7776 >/dev/null

for t_idtype in uid gid; do
	for t_proto in tcp udp; do
		bind_test fl ok "${t_idtype}" nobody "${t_proto}" 77
		bind_test ok ok "${t_idtype}" nobody "${t_proto}" 7777
	done
done