matches_test.sh revision 292533 
1#!/bin/sh
2#
3# $FreeBSD: head/tools/regression/mac/mac_bsdextended/test_matches.sh 292533 2015-12-21 08:58:14Z ngie $
4#
5
6uidrange="60000:100000"
7gidrange="60000:100000"
8uidinrange="nobody"
9uidoutrange="daemon"
10gidinrange="nobody" # We expect $uidinrange in this group
11gidoutrange="daemon" # We expect $uidinrange in this group
12
13#
14# Setup
15#
16
17: ${TMPDIR=/tmp}
18if [ $(id -u) -ne 0 ]; then
19	echo "1..0 # SKIP test must be run as root"
20	exit 0
21fi
22if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
23	echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
24	exit 0
25fi
26if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then
27	echo "1..0 # SKIP failed to create temporary directory"
28	exit 0
29fi
30trap "rmdir $playground" EXIT INT TERM
31if ! mdmfs -s 25m md $playground; then
32	echo "1..0 # SKIP failed to mount md device"
33	exit 0
34fi
35chmod a+rwx $playground
36md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')
37trap "umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM
38if [ -z "$md_device" ]; then
39	mount -p | grep $playground
40	echo "1..0 # md device not properly attached to the system"
41fi
42
43ugidfw remove 1
44
45file1=$playground/test-$uidinrange
46file2=$playground/test-$uidoutrange
47cat > $playground/test-script.sh <<'EOF'
48#!/bin/sh
49: > $1
50EOF
51if [ $? -ne 0 ]; then
52	echo "1..0 # SKIP failed to create test script"
53	exit 0
54fi
55echo "1..30"
56
57command1="sh $playground/test-script.sh $file1"
58command2="sh $playground/test-script.sh $file2"
59
60echo "# $uidinrange file:"
61su -m $uidinrange -c "if $command1; then echo ok; else echo not ok; fi"
62chown "$uidinrange":"$gidinrange" $file1
63chmod a+w $file1
64
65echo "# $uidoutrange file:"
66if $command2; then echo ok; else echo not ok; fi
67chown "$uidoutrange":"$gidoutrange" $file2
68chmod a+w $file2
69
70#
71# No rules
72#
73echo "# no rules $uidinrange:"
74su -fm $uidinrange -c "if $command1; then echo ok; else echo not ok; fi"
75echo "# no rules $uidoutrange:"
76su -fm $uidoutrange -c "if $command1; then echo ok; else echo not ok; fi"
77
78#
79# Subject Match on uid
80#
81ugidfw set 1 subject uid $uidrange object mode rasx
82echo "# subject uid in range:"
83su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
84echo "# subject uid out range:"
85su -fm $uidoutrange -c "if $command1; then echo ok; else echo not ok; fi"
86
87#
88# Subject Match on gid
89#
90ugidfw set 1 subject gid $gidrange object mode rasx
91echo "# subject gid in range:"
92su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
93echo "# subject gid out range:"
94su -fm $uidoutrange -c "if $command1; then echo ok; else echo not ok; fi"
95
96#
97# Subject Match on jail
98#
99rm -f $playground/test-jail
100echo "# subject matching jailid:"
101jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
102ugidfw set 1 subject jailid $jailid object mode rasx
103sleep 10
104if [ -f $playground/test-jail ]; then echo "not ok # TODO this testcase is buggy (see bug # 205481)"; else echo ok; fi
105
106rm -f $playground/test-jail
107echo "# subject nonmatching jailid:"
108jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
109sleep 10
110if [ -f $playground/test-jail ]; then echo ok; else echo not ok; fi
111
112#
113# Object uid
114#
115ugidfw set 1 subject object uid $uidrange mode rasx
116echo "# object uid in range:"
117su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
118echo "# object uid out range:"
119su -fm $uidinrange -c "if $command2; then echo ok; else echo not ok; fi"
120ugidfw set 1 subject object uid $uidrange mode rasx
121echo "# object uid in range (differennt subject):"
122su -fm $uidoutrange -c "if $command1; then echo not ok; else echo ok; fi"
123echo "# object uid out range (differennt subject):"
124su -fm $uidoutrange -c "if $command2; then echo ok; else echo not ok; fi"
125
126#
127# Object gid
128#
129ugidfw set 1 subject object gid $uidrange mode rasx
130echo "# object gid in range:"
131su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
132echo "# object gid out range:"
133su -fm $uidinrange -c "if $command2; then echo ok; else echo not ok; fi"
134echo "# object gid in range (different subject):"
135su -fm $uidoutrange -c "if $command1; then echo not ok; else echo ok; fi"
136echo "# object gid out range (different subject):"
137su -fm $uidoutrange -c "if $command2; then echo ok; else echo not ok; fi"
138
139#
140# Object filesys
141#
142ugidfw set 1 subject uid $uidrange object filesys / mode rasx
143echo "# object out of filesys:"
144su -fm $uidinrange -c "if $command1; then echo ok; else echo not ok; fi"
145ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx
146echo "# object in filesys:"
147su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
148
149#
150# Object suid
151#
152ugidfw set 1 subject uid $uidrange object suid mode rasx
153echo "# object notsuid:"
154su -fm $uidinrange -c "if $command1; then echo ok; else echo not ok; fi"
155chmod u+s $file1
156echo "# object suid:"
157su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
158chmod u-s $file1
159
160#
161# Object sgid
162#
163ugidfw set 1 subject uid $uidrange object sgid mode rasx
164echo "# object notsgid:"
165su -fm $uidinrange -c "if $command1; then echo ok; else echo not ok; fi"
166chmod g+s $file1
167echo "# object sgid:"
168su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
169chmod g-s $file1
170
171#
172# Object uid matches subject
173#
174ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx
175echo "# object uid notmatches subject:"
176su -fm $uidinrange -c "if $command2; then echo ok; else echo not ok; fi"
177echo "# object uid matches subject:"
178su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
179
180#
181# Object gid matches subject
182#
183ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx
184echo "# object gid notmatches subject:"
185su -fm $uidinrange -c "if $command2; then echo ok; else echo not ok; fi"
186echo "# object gid matches subject:"
187su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
188
189#
190# Object type
191#
192ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx
193echo "# object not type:"
194su -fm $uidinrange -c "if $command1; then echo ok; else echo not ok; fi"
195ugidfw set 1 subject uid $uidrange object type r mode rasx
196echo "# object type:"
197su -fm $uidinrange -c "if $command1; then echo not ok; else echo ok; fi"
198
199