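#!/bin/sh
# $FreeBSD$
#
# Helper functions for the mac_portacl(4) regression tests.  Nothing in
# this file calls bind_test itself; the individual test scripts are
# expected to include it and call bind_test once per case.  Results are
# emitted as TAP ("ok N" / "not ok N") with ntest as the running number.
#
# The checks rewrite system-wide sysctls (security.mac.portacl.rules and,
# through restore_settings, the settings snapshotted at the bottom), so
# they need root on a host where MAC_PORTACL is present.  Both conditions
# are verified first and turn into a TAP "1..0 # SKIP" plan instead of a
# failure.

if ! sysctl security.mac.portacl >/dev/null 2>&1; then
	echo "1..0 # SKIP MAC_PORTACL is unavailable."
	exit 0
fi
if [ "$(id -u)" -ne 0 ]; then
	echo "1..0 # SKIP testcases must be run as root"
	exit 0
fi

ntest=1

# check_bind IDTYPE NAME PROTO PORT
#
# Attempt to bind PORT/PROTO on 127.0.0.1 with NAME's credentials (via
# su -m) and print one word on stdout:
#   ok   the listener bound and printed nothing
#   fl   nc reported "Permission denied" / "Operation not permitted",
#        i.e. the bind was refused
#   anything else is nc's output, returned verbatim for the caller to show.
#
# For both uid and gid IDTYPEs the listener still runs as user NAME; it is
# bind_test that turns NAME into a uid or gid for the rule.  The listener
# gets an empty stdin (echo -n) so it sees EOF instead of the test's
# terminal, and its stderr is captured because that is where nc reports
# the refusal.  The short sleep gives the listener time to bind before a
# probe connection is sent; -w 10 bounds both ends so a refused or absent
# listener cannot hang the run.  Only uid/gid are implemented: "jail" and
# unknown IDTYPEs kill $$, which inside the $( ... ) subshell still names
# the top-level script, so the whole run aborts rather than producing a
# bogus result.
check_bind() {
	local host idtype name proto port udpflag out

	host="127.0.0.1"

	idtype=${1}
	name=${2}
	proto=${3}
	port=${4}

	# Explicitly empty so nothing from an outer scope can leak in; it is
	# deliberately left unquoted below so an empty flag disappears instead
	# of becoming an empty argument to nc.
	udpflag=""
	[ "${proto}" = "udp" ] && udpflag="-u"

	out=$(
		case "${idtype}" in
		uid|gid)
			( echo -n | su -m "${name}" -c "nc ${udpflag} -l -w 10 ${host} ${port}" 2>&1 ) &
			;;
		jail)
			kill $$
			;;
		*)
			kill $$
		esac
		sleep 0.3
		echo | nc ${udpflag} -w 10 "${host}" "${port}" >/dev/null 2>&1
		wait
	)
	case "${out}" in
	"nc: Permission denied"*|"nc: Operation not permitted"*)
		echo fl
		;;
	"")
		echo ok
		;;
	*)
		# Quoted so nc's message reaches the caller unchanged.
		echo "${out}"
		;;
	esac
}

# bind_test_report ACTUAL EXPECTED
# Print the TAP line for test ${ntest} and advance the counter.  Must run
# in the current shell (not inside $( ... )) so the ntest update sticks.
# An ACTUAL of ok/fl that differs from EXPECTED is a policy failure;
# anything else means check_bind did not get a clean answer from nc.
bind_test_report() {
	local actual expected

	actual=${1}
	expected=${2}

	if [ "${actual}" = "${expected}" ]; then
		echo "ok ${ntest}"
	elif [ "${actual}" = "ok" ] || [ "${actual}" = "fl" ]; then
		echo "not ok ${ntest} # '${actual}' != '${expected}'"
	else
		echo "not ok ${ntest} # unexpected output: '${actual}'"
	fi
	: $(( ntest += 1 ))
}

# bind_test EXPECT_WITHOUT_RULE EXPECT_WITH_RULE IDTYPE NAME PROTO PORT
#
# Emit two TAP results for one bind: first with security.mac.portacl.rules
# cleared, then with the single rule IDTYPE:ID:PROTO:PORT loaded, where ID
# is resolved from NAME with id(1) (uid: id -u; gid: id -g, i.e. NAME's
# primary group; anything else: NAME as given).  Expectations are "ok"
# (bind allowed) or "fl" (bind refused) in check_bind's terms.  The rules
# sysctl is cleared again on exit so one case cannot influence the next.
bind_test() {
	local expect_without_rule expect_with_rule idtype name proto port
	local idstr out

	expect_without_rule=${1}
	expect_with_rule=${2}
	idtype=${3}
	name=${4}
	proto=${5}
	port=${6}

	# Baseline: no portacl rules loaded.
	sysctl security.mac.portacl.rules= >/dev/null
	out=$(check_bind "${idtype}" "${name}" "${proto}" "${port}")
	bind_test_report "${out}" "${expect_without_rule}"

	# Same bind with an explicit rule for this id/proto/port.
	if [ "${idtype}" = "uid" ]; then
		idstr=$(id -u "${name}")
	elif [ "${idtype}" = "gid" ]; then
		idstr=$(id -g "${name}")
	else
		idstr=${name}
	fi
	sysctl security.mac.portacl.rules="${idtype}:${idstr}:${proto}:${port}" >/dev/null
	out=$(check_bind "${idtype}" "${name}" "${proto}" "${port}")
	bind_test_report "${out}" "${expect_with_rule}"

	sysctl security.mac.portacl.rules= >/dev/null
}

# Snapshot of the tunables a test may adjust, taken before any test runs,
# so restore_settings can put the host back exactly as it was found.
reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
port_high=$(sysctl -n security.mac.portacl.port_high)

# Restore the three sysctls captured above.  Nothing in this file installs
# it as a trap; a test that changes these settings should arrange for it
# to run on every exit path (e.g. trap restore_settings EXIT) so a run
# that stops early does not leave the modified values behind.
restore_settings() {
	sysctl -n net.inet.ip.portrange.reservedhigh="${reserved_high}" >/dev/null
	sysctl -n security.mac.portacl.suser_exempt="${suser_exempt}" >/dev/null
	sysctl -n security.mac.portacl.port_high="${port_high}" >/dev/null
}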