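#!/bin/sh
#
# $FreeBSD$
#
# Exercise ugidfw(8) subject and object matching.
#
# Each section installs rule 1 with a different match condition and then
# tries to open a file for writing through a small perl helper, once as a
# uid inside the test range and once as a uid outside it.  "good" is
# printed when the access decision matches the expectation of that section.
#
# Needs root (chown, ugidfw, jail and su are all used) and a $playground
# directory that lives on a filesystem other than /.
#

uidrange="60000:100000"
gidrange="60000:100000"
uidinrange="nobody"
uidoutrange="daemon"
gidinrange="nobody"   # We expect $uidinrange in this group
gidoutrange="daemon"  # We expect $uidoutrange in this group

playground="/stuff/nobody/" # Must not be on root fs

#
# Setup
#
# ${playground:?} stops the glob from ever being applied to "/" if the
# variable is emptied by accident.
rm -f -- "${playground:?playground must be set}"/test*
ugidfw remove 1

file1=$playground/test-$uidinrange
file2=$playground/test-$uidoutrange
# The helper exits 0 if it could open its argument for writing, 1 otherwise.
cat <<EOF > "$playground/test-script.pl"
if (open(F, ">" . shift)) { exit 0; } else { exit 1; }
EOF
command1="perl $playground/test-script.pl $file1"
command2="perl $playground/test-script.pl $file2"

# Create the two target files.  file2 is created by the invoking (root)
# user running the helper directly, so $playground is best kept unwritable
# by the unprivileged test accounts.
printf '%s' "$uidinrange file: "
su -m "$uidinrange" -c "$command1 && echo good"
chown "$uidinrange":"$gidinrange" "$file1"
chmod a+w "$file1"

printf '%s' "$uidoutrange file: "
# word-splitting of $command2 into "perl script file" is intended
$command2 && echo good
chown "$uidoutrange":"$gidoutrange" "$file2"
chmod a+w "$file2"

#
# No rules
#
printf '%s' "no rules $uidinrange: "
su -fm "$uidinrange" -c "$command1 && echo good"
printf '%s' "no rules $uidoutrange: "
su -fm "$uidoutrange" -c "$command1 && echo good"

#
# Subject Match on uid
#
ugidfw set 1 subject uid "$uidrange" object mode rasx
printf '%s' "subject uid in range: "
su -fm "$uidinrange" -c "$command1 || echo good"
printf '%s' "subject uid out range: "
su -fm "$uidoutrange" -c "$command1 && echo good"

#
# Subject Match on gid
#
ugidfw set 1 subject gid "$gidrange" object mode rasx
printf '%s' "subject gid in range: "
su -fm "$uidinrange" -c "$command1 || echo good"
printf '%s' "subject gid out range: "
su -fm "$uidoutrange" -c "$command1 && echo good"

#
# Subject Match on jail
#
# A jailed process touches a marker file after 3s.  Rule 1 is installed for
# that jail id, so after 6s the marker must be absent.
printf '%s' "subject matching jailid: "
rm -f -- "$playground/test-jail"
jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 3; touch $playground/test-jail) &")
ugidfw set 1 subject jailid "$jailid" object mode rasx
sleep 6
if [ ! -f "$playground/test-jail" ] ; then echo good ; fi

# Rule 1 still names the previous jail id, so a fresh jail is not matched
# and the marker must appear.
printf '%s' "subject nonmatching jailid: "
rm -f -- "$playground/test-jail"
jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 3; touch $playground/test-jail) &")
sleep 6
if [ -f "$playground/test-jail" ] ; then echo good ; fi

#
# Object uid
#
ugidfw set 1 subject object uid "$uidrange" mode rasx
printf '%s' "object uid in range: "
su -fm "$uidinrange" -c "$command1 || echo good"
printf '%s' "object uid out range: "
su -fm "$uidinrange" -c "$command2 && echo good"
printf '%s' "object uid in range (different subject): "
su -fm "$uidoutrange" -c "$command1 || echo good"
printf '%s' "object uid out range (different subject): "
su -fm "$uidoutrange" -c "$command2 && echo good"

#
# Object gid
#
# This section matches on the object's gid, so the rule must use $gidrange
# (the original used $uidrange; the two ranges only happen to be equal).
ugidfw set 1 subject object gid "$gidrange" mode rasx
printf '%s' "object gid in range: "
su -fm "$uidinrange" -c "$command1 || echo good"
printf '%s' "object gid out range: "
su -fm "$uidinrange" -c "$command2 && echo good"
printf '%s' "object gid in range (different subject): "
su -fm "$uidoutrange" -c "$command1 || echo good"
printf '%s' "object gid out range (different subject): "
su -fm "$uidoutrange" -c "$command2 && echo good"

#
# Object filesys
#
ugidfw set 1 subject uid "$uidrange" object filesys / mode rasx
printf '%s' "object out of filesys: "
su -fm "$uidinrange" -c "$command1 && echo good"
ugidfw set 1 subject uid "$uidrange" object filesys "$playground" mode rasx
printf '%s' "object in filesys: "
su -fm "$uidinrange" -c "$command1 || echo good"

#
# Object suid
#
ugidfw set 1 subject uid "$uidrange" object suid mode rasx
printf '%s' "object notsuid: "
su -fm "$uidinrange" -c "$command1 && echo good"
chmod u+s "$file1"
printf '%s' "object suid: "
su -fm "$uidinrange" -c "$command1 || echo good"
chmod u-s "$file1"

#
# Object sgid
#
ugidfw set 1 subject uid "$uidrange" object sgid mode rasx
printf '%s' "object notsgid: "
su -fm "$uidinrange" -c "$command1 && echo good"
chmod g+s "$file1"
printf '%s' "object sgid: "
su -fm "$uidinrange" -c "$command1 || echo good"
chmod g-s "$file1"

#
# Object uid matches subject
#
ugidfw set 1 subject uid "$uidrange" object uid_of_subject mode rasx
printf '%s' "object uid notmatches subject: "
su -fm "$uidinrange" -c "$command2 && echo good"
printf '%s' "object uid matches subject: "
su -fm "$uidinrange" -c "$command1 || echo good"

#
# Object gid matches subject
#
ugidfw set 1 subject uid "$uidrange" object gid_of_subject mode rasx
printf '%s' "object gid notmatches subject: "
su -fm "$uidinrange" -c "$command2 && echo good"
printf '%s' "object gid matches subject: "
su -fm "$uidinrange" -c "$command1 || echo good"

#
# Object type
#
ugidfw set 1 subject uid "$uidrange" object type dbclsp mode rasx
printf '%s' "object not type: "
su -fm "$uidinrange" -c "$command1 && echo good"
ugidfw set 1 subject uid "$uidrange" object type r mode rasx
printf '%s' "object type: "
su -fm "$uidinrange" -c "$command1 || echo good"

#
# Cleanup: do not leave the last test rule in force after the run.
#
ugidfw remove 1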