matches_test.sh revision 292533
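#!/bin/sh
#
# $FreeBSD: head/tools/regression/mac/mac_bsdextended/test_matches.sh 292533 2015-12-21 08:58:14Z ngie $
#
# Regression test for mac_bsdextended(4) / ugidfw(8) rule matching.
#
# Every case installs rule 1 with a single subject/object selector, then
# attempts a small write as a user inside or outside the configured uid/gid
# range and prints a TAP "ok"/"not ok" line according to whether the rule
# was expected to deny that write.  Must run as root; a missing prerequisite
# (root, the module, a temporary md(4) filesystem) prints a "1..0 # SKIP"
# plan and exits 0.
#
# Environment: TMPDIR (optional) - where the md(4) mount point is created;
# defaults to /tmp.
#

uidrange="60000:100000"
gidrange="60000:100000"
uidinrange="nobody"
uidoutrange="daemon"
gidinrange="nobody" # We expect $uidinrange in this group
gidoutrange="daemon" # We expect $uidoutrange in this group

#
# Setup
#

: "${TMPDIR=/tmp}"
if [ "$(id -u)" -ne 0 ]; then
	echo "1..0 # SKIP test must be run as root"
	exit 0
fi
if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
	echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
	exit 0
fi
if ! playground=$(mktemp -d "$TMPDIR/tmp.XXXXXXX"); then
	echo "1..0 # SKIP failed to create temporary directory"
	exit 0
fi

md_device=
mounted=
# Undo everything setup did, on every exit path.  Rule 1 is removed here
# too, so the rule installed by the last executed case never outlives the
# run (an interrupted or completed run used to leave it in force).
cleanup() {
	# Rule 1 may legitimately be absent (early skip); that error is expected.
	ugidfw remove 1 2>/dev/null
	if [ -n "$mounted" ]; then
		umount -f "$playground"
	fi
	if [ -n "$md_device" ]; then
		mdconfig -d -u "$md_device"
	fi
	rmdir "$playground"
}
trap cleanup EXIT INT TERM

if ! mdmfs -s 25m md "$playground"; then
	echo "1..0 # SKIP failed to mount md device"
	exit 0
fi
mounted=1
chmod a+rwx "$playground"
# Recover the md(4) unit backing the mount point.  Match the mount-point
# field exactly so a longer path containing $playground cannot be picked up.
md_device=$(mount -p | awk -v dir="$playground" \
	'$2 == dir { gsub(/^\/dev\//, "", $1); print $1 }')
if [ -z "$md_device" ]; then
	mount -p | grep "$playground"
	echo "1..0 # md device not properly attached to the system"
	# Without this exit all 30 cases ran against an unidentified device
	# and cleanup called mdconfig with an empty unit.
	exit 0
fi

ugidfw remove 1

file1=$playground/test-$uidinrange
file2=$playground/test-$uidoutrange
cat > "$playground/test-script.sh" <<'EOF'
#!/bin/sh
: > $1
EOF
if [ $? -ne 0 ]; then
	echo "1..0 # SKIP failed to create test script"
	exit 0
fi
echo "1..30"

command1="sh $playground/test-script.sh $file1"
command2="sh $playground/test-script.sh $file2"

# Run shell snippet $2 as user $1 via su(1) -fm; print "ok" when it
# succeeds, i.e. the rule under test is expected to allow the write.
expect_allowed() {
	su -fm "$1" -c "if $2; then echo ok; else echo not ok; fi"
}

# Run shell snippet $2 as user $1 via su(1) -fm; print "ok" when it fails,
# i.e. the rule under test is expected to deny the write.
expect_denied() {
	su -fm "$1" -c "if $2; then echo not ok; else echo ok; fi"
}

# Create the two target files, owned by the in-range and out-of-range users.
echo "# $uidinrange file:"
su -m "$uidinrange" -c "if $command1; then echo ok; else echo not ok; fi"
chown "$uidinrange":"$gidinrange" "$file1"
chmod a+w "$file1"

echo "# $uidoutrange file:"
# $command2 is deliberately unquoted: it is a command line to word-split.
if $command2; then echo ok; else echo not ok; fi
chown "$uidoutrange":"$gidoutrange" "$file2"
chmod a+w "$file2"

#
# No rules
#
echo "# no rules $uidinrange:"
expect_allowed "$uidinrange" "$command1"
echo "# no rules $uidoutrange:"
expect_allowed "$uidoutrange" "$command1"

#
# Subject Match on uid
#
ugidfw set 1 subject uid "$uidrange" object mode rasx
echo "# subject uid in range:"
expect_denied "$uidinrange" "$command1"
echo "# subject uid out range:"
expect_allowed "$uidoutrange" "$command1"

#
# Subject Match on gid
#
ugidfw set 1 subject gid "$gidrange" object mode rasx
echo "# subject gid in range:"
expect_denied "$uidinrange" "$command1"
echo "# subject gid out range:"
expect_allowed "$uidoutrange" "$command1"

#
# Subject Match on jail
#
# The jailed daemon touches the marker after 5s; the rule is installed right
# after the jail starts and the marker is checked after 10s.
rm -f "$playground/test-jail"
echo "# subject matching jailid:"
jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
ugidfw set 1 subject jailid "$jailid" object mode rasx
sleep 10
if [ -f "$playground/test-jail" ]; then echo "not ok # TODO this testcase is buggy (see bug # 205481)"; else echo ok; fi

rm -f "$playground/test-jail"
echo "# subject nonmatching jailid:"
jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
sleep 10
if [ -f "$playground/test-jail" ]; then echo ok; else echo not ok; fi

#
# Object uid
#
ugidfw set 1 subject object uid "$uidrange" mode rasx
echo "# object uid in range:"
expect_denied "$uidinrange" "$command1"
echo "# object uid out range:"
expect_allowed "$uidinrange" "$command2"
ugidfw set 1 subject object uid "$uidrange" mode rasx
echo "# object uid in range (differennt subject):"
expect_denied "$uidoutrange" "$command1"
echo "# object uid out range (differennt subject):"
expect_allowed "$uidoutrange" "$command2"

#
# Object gid
#
ugidfw set 1 subject object gid "$uidrange" mode rasx
echo "# object gid in range:"
expect_denied "$uidinrange" "$command1"
echo "# object gid out range:"
expect_allowed "$uidinrange" "$command2"
echo "# object gid in range (different subject):"
expect_denied "$uidoutrange" "$command1"
echo "# object gid out range (different subject):"
expect_allowed "$uidoutrange" "$command2"

#
# Object filesys
#
ugidfw set 1 subject uid "$uidrange" object filesys / mode rasx
echo "# object out of filesys:"
expect_allowed "$uidinrange" "$command1"
ugidfw set 1 subject uid "$uidrange" object filesys "$playground" mode rasx
echo "# object in filesys:"
expect_denied "$uidinrange" "$command1"

#
# Object suid
#
ugidfw set 1 subject uid "$uidrange" object suid mode rasx
echo "# object notsuid:"
expect_allowed "$uidinrange" "$command1"
chmod u+s "$file1"
echo "# object suid:"
expect_denied "$uidinrange" "$command1"
chmod u-s "$file1"

#
# Object sgid
#
ugidfw set 1 subject uid "$uidrange" object sgid mode rasx
echo "# object notsgid:"
expect_allowed "$uidinrange" "$command1"
chmod g+s "$file1"
echo "# object sgid:"
expect_denied "$uidinrange" "$command1"
chmod g-s "$file1"

#
# Object uid matches subject
#
ugidfw set 1 subject uid "$uidrange" object uid_of_subject mode rasx
echo "# object uid notmatches subject:"
expect_allowed "$uidinrange" "$command2"
echo "# object uid matches subject:"
expect_denied "$uidinrange" "$command1"

#
# Object gid matches subject
#
ugidfw set 1 subject uid "$uidrange" object gid_of_subject mode rasx
echo "# object gid notmatches subject:"
expect_allowed "$uidinrange" "$command2"
echo "# object gid matches subject:"
expect_denied "$uidinrange" "$command1"

#
# Object type
#
ugidfw set 1 subject uid "$uidrange" object type dbclsp mode rasx
echo "# object not type:"
expect_allowed "$uidinrange" "$command1"
ugidfw set 1 subject uid "$uidrange" object type r mode rasx
echo "# object type:"
expect_denied "$uidinrange" "$command1"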