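#!/bin/sh
#
# $FreeBSD: stable/11/tests/sys/mac/bsdextended/matches_test.sh 307715 2016-10-21 08:22:39Z ngie $
#
# TAP-style test of mac_bsdextended(4) rule matching, driven via ugidfw(8).
#
# Must run as root: it mounts a scratch md(4) filesystem, installs MAC
# rules and switches to unprivileged users with su(1).  Every rule goes
# into slot 1 of the ugidfw rule set, so whatever an administrator had in
# slot 1 is clobbered for the duration of the run (and removed at the end).
#

# Rule ranges and the users/groups used to probe them.  The assignments
# assume the stock FreeBSD ids: "nobody" inside 60000:100000, "daemon"
# outside it -- verify on a system with a customised passwd/group.
uidrange="60000:100000"
gidrange="60000:100000"
uidinrange="nobody"
uidoutrange="daemon"
gidinrange="nobody"	# We expect $uidinrange in this group
gidoutrange="daemon"	# We expect $uidoutrange in this group

# Emit one TAP result line ("ok N # desc" / "not ok N # desc") per call and
# advance the shared test counter.  Arguments: the test description.
test_num=1
pass()
{
	echo "ok $test_num # $@"
	: $(( test_num += 1 ))
}

fail()
{
	echo "not ok $test_num # $@"
	: $(( test_num += 1 ))
}

#
# Setup
#

: ${TMPDIR=/tmp}
if [ $(id -u) -ne 0 ]; then
	echo "1..0 # SKIP test must be run as root"
	exit 0
fi
if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
	echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
	exit 0
fi
# The unprivileged test users must be able to traverse into $TMPDIR (a
# test runner's private work directory is typically 0700).  NB: -R rewrites
# the mode of everything already underneath $TMPDIR, not only the directory
# itself, which is why a plain /tmp is deliberately left alone.
if [ "$TMPDIR" != "/tmp" ]; then
	if ! chmod -Rf 0755 $TMPDIR; then
		echo "1..0 # SKIP failed to chmod $TMPDIR"
		exit 0
	fi
fi
if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then
	echo "1..0 # SKIP failed to create temporary directory"
	exit 0
fi
trap "rmdir $playground" EXIT INT TERM
# Back the playground with its own md(4) filesystem so that the
# "object filesys" cases further down can tell it apart from /.
if ! mdmfs -s 25m md $playground; then
	echo "1..0 # SKIP failed to mount md device"
	exit 0
fi
# World-writable so the test users can create their files; the mount is
# private to this run and torn down by the trap below.
chmod a+rwx $playground
md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')
# Replace the cleanup handler now that there is a mount and an md unit to
# tear down.  Rule slot 1 is removed here as well: an EXIT trap also fires
# on normal completion, so the (deny) rule installed by the last test case
# is not left behind in the running kernel's policy after the script ends.
trap "ugidfw remove 1 >/dev/null 2>&1; umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM
if [ -z "$md_device" ]; then
	mount -p | grep $playground
	echo "1..0 # SKIP md device not properly attached to the system"
	# Without this exit the script would go on to print a second TAP plan
	# and run every test case despite the SKIP line above.  The trap still
	# force-unmounts the playground, but with no unit number the md device
	# cannot be detached and has to be cleaned up by hand.
	exit 0
fi

# Make sure slot 1 starts out empty; every test case below overwrites it.
ugidfw remove 1

file1=$playground/test-$uidinrange
file2=$playground/test-$uidoutrange
# The probe: a script that creates/truncates the file named by $1.  Each
# test case runs it as some user and checks whether the access went through.
cat > $playground/test-script.sh <<'EOF'
#!/bin/sh
: > $1
EOF
if [ $? -ne 0 ]; then
	echo "1..0 # SKIP failed to create test script"
	exit 0
fi
# TAP plan: 30 result lines follow.
echo "1..30"

command1="sh $playground/test-script.sh $file1"
command2="sh $playground/test-script.sh $file2"

# Create the two target files: $file1 as $uidinrange (su -m keeps the
# invoking environment so the probe can find sh), $file2 directly as root.
# Each is then handed to its in-range / out-of-range owner and made
# world-writable so that plain DAC never interferes with the MAC checks.
desc="$uidinrange file"
if su -m $uidinrange -c "$command1"; then
	pass $desc
else
	fail $desc
fi

chown "$uidinrange":"$gidinrange" $file1
chmod a+w $file1

desc="$uidoutrange file"
if $command2; then
	pass $desc
else
	fail $desc
fi

chown "$uidoutrange":"$gidoutrange" $file2
chmod a+w $file2

#
# No rules
#
desc="no rules $uidinrange"
if su -fm $uidinrange -c "$command1"; then
	pass $desc
else
	fail $desc
fi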
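
desc="no rules $uidoutrange"
if su -fm $uidoutrange -c "$command1"; then
	pass $desc
else
	fail $desc
fi

#
# Subject Match on uid
#
# Convention for the rest of the file: "ugidfw set 1 ..." replaces slot 1
# with a rule denying the access modes listed after "mode" (rasx, see
# ugidfw(8)) to whatever it matches.  The probe succeeding therefore means
# "not matched"; the probe failing means "matched".
ugidfw set 1 subject uid $uidrange object mode rasx
desc="subject uid in range"
if su -fm $uidinrange -c "$command1"; then
	fail $desc
else
	pass $desc
fi

desc="subject uid out range"
if su -fm $uidoutrange -c "$command1"; then
	pass $desc
else
	fail $desc
fi

#
# Subject Match on gid
#
ugidfw set 1 subject gid $gidrange object mode rasx

desc="subject gid in range"
if su -fm $uidinrange -c "$command1"; then
	fail $desc
else
	pass $desc
fi

desc="subject gid out range"
if su -fm $uidoutrange -c "$command1"; then
	pass $desc
else
	fail $desc
fi

if command -v jail >/dev/null 2>&1; then
	#
	# Subject Match on jail
	#
	# Each case starts a throw-away jail whose only process touches a
	# marker file after 5 seconds, installs (or keeps) the rule, waits
	# long enough for that to have happened and then looks for the file.
	rm -f $playground/test-jail

	desc="subject matching jailid"
	jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
	ugidfw set 1 subject jailid $jailid object mode rasx
	sleep 10

	if [ -f $playground/test-jail ]; then
		fail "TODO $desc: this testcase fails (see bug # 205481)"
	else
		pass $desc
	fi

	# The rule from the previous case is still in slot 1; a fresh jail
	# gets a different id, so it must not be matched.
	rm -f $playground/test-jail
	desc="subject nonmatching jailid"
	jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
	sleep 10
	if [ -f $playground/test-jail ]; then
		pass $desc
	else
		fail $desc
	fi
else
	# XXX: kyua is too dumb to parse skip ranges, still..
	pass "skip jail(8) not installed"
	pass "skip jail(8) not installed"
fi

#
# Object uid
#
# No subject clause: the rule is keyed on the file's owner only.
ugidfw set 1 subject object uid $uidrange mode rasx

desc="object uid in range"
if su -fm $uidinrange -c "$command1"; then
	fail $desc
else
	pass $desc
fi

desc="object uid out range"
if su -fm $uidinrange -c "$command2"; then
	pass $desc
else
	fail $desc
fi

# Same rule, different subject: with no subject restriction the
# out-of-range user is expected to be denied on $file1 just the same.
desc="object uid in range (different subject)"
if su -fm $uidoutrange -c "$command1"; then
	fail $desc
else
	pass $desc
fi

desc="object uid out range (different subject)"
if su -fm $uidoutrange -c "$command2"; then
	pass $desc
else
	fail $desc
fi

#
# Object gid
#
# Keyed on the file's group; uses $gidrange (the uid range happens to be
# identical, which hid the earlier use of the wrong variable here).
ugidfw set 1 subject object gid $gidrange mode rasx

desc="object gid in range"
if su -fm $uidinrange -c "$command1"; then
	fail $desc
else
	pass $desc
fi

desc="object gid out range"
if su -fm $uidinrange -c "$command2"; then
	pass $desc
else
	fail $desc
fi
desc="object gid in range (different subject)"
if su -fm $uidoutrange -c "$command1"; then
	fail $desc
else
	pass $desc
fi

desc="object gid out range (different subject)"
if su -fm $uidoutrange -c "$command2"; then
	pass $desc
else
	fail $desc
fi

#
# Object filesys
#
# $playground is its own md(4) mount, so its files are not objects on /.
ugidfw set 1 subject uid $uidrange object filesys / mode rasx
desc="object out of filesys"
if su -fm $uidinrange -c "$command1"; then
	pass $desc
else
	fail $desc
fi

ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx
desc="object in filesys"
if su -fm $uidinrange -c "$command1"; then
	fail $desc
else
	pass $desc
fi

#
# Object suid
#
ugidfw set 1 subject uid $uidrange object suid mode rasx
desc="object notsuid"
if su -fm $uidinrange -c "$command1"; then
	pass $desc
else
	fail $desc
fi

# Flip the setuid bit on the target (a plain data file owned by
# $uidinrange) and expect the rule to fire; clear it again afterwards.
chmod u+s $file1
desc="object suid"
if su -fm $uidinrange -c "$command1"; then
	fail $desc
else
	pass $desc
fi
chmod u-s $file1

#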
# Object sgid
#
ugidfw set 1 subject uid $uidrange object sgid mode rasx
# Plain file first: the rule must not fire, so the probe has to succeed.
desc="object notsgid"
if ! su -fm $uidinrange -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

# Now with the setgid bit on the object: the rule must fire.
chmod g+s $file1
desc="object sgid"
if ! su -fm $uidinrange -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi
chmod g-s $file1

#
# Object uid matches subject
#
ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx

# $file2 was chowned to $uidoutrange, so its owner is not the subject.
desc="object uid notmatches subject"
if ! su -fm $uidinrange -c "$command2"; then
	fail "$desc"
else
	pass "$desc"
fi

# $file1 was chowned to $uidinrange, i.e. the subject owns it.
desc="object uid matches subject"
if ! su -fm $uidinrange -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

#
# Object gid matches subject
#
ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx

# $file2 carries $gidoutrange, $file1 carries $gidinrange (see the chown
# calls in the setup section).
desc="object gid notmatches subject"
if ! su -fm $uidinrange -c "$command2"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object gid matches subject"
if ! su -fm $uidinrange -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

#
# Object type
#
# The rule selects by object type (letters per ugidfw(8)).  With "dbclsp"
# the probe's target is expected to fall outside the list; with "r" it is
# expected to be covered.
desc="object not type"
ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx
if ! su -fm $uidinrange -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object type"
ugidfw set 1 subject uid $uidrange object type r mode rasx
if ! su -fm $uidinrange -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi