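#!/bin/sh
# $FreeBSD$
#
# Shared helpers for the mac_portacl(4) regression tests.
#
# Must run as root: it rewrites security.mac.portacl.* sysctls and uses
# su(1) to bind sockets as other users.  Results are printed TAP-style
# ("ok N" / "not ok N"), numbered by the global ${ntest}.  Nothing here
# installs a trap; the script that sources this file is expected to call
# restore_settings itself when it is done.

if ! sysctl security.mac.portacl >/dev/null 2>&1; then
	echo "1..1"
	echo "not ok 1 # MAC_PORTACL is unavailable."
	exit 0
fi

ntest=1

# check_bind idtype name proto port
#
# Try to bind ${proto} port ${port} on 127.0.0.1 as the user or group
# ${name} (idtype "uid" or "gid"), then connect to it once so the
# listener exits.  Prints "fl" when the kernel refused the bind, "ok"
# when nc(1) produced no output at all, and the raw nc output otherwise.
# Any other idtype (the original also listed "jail", which was never
# implemented) kills the whole test run, because a silent "ok" there
# would hide an untested case.
check_bind() {
	idtype=${1}
	name=${2}
	proto=${3}
	port=${4}

	# Reset on every call: sh variables are global, so a "-u" left over
	# from a previous udp test would otherwise leak into the next tcp test.
	udpflag=""
	[ "${proto}" = "udp" ] && udpflag="-u"

	# ${udpflag} is deliberately unquoted: when empty it must vanish
	# rather than become an empty argument to nc.
	out=$(
		case "${idtype}" in
		uid|gid)
			( printf '' | su -m "${name}" -c "nc ${udpflag} -o -l 127.0.0.1 ${port}" 2>&1 ) &
			;;
		*)
			echo "check_bind: unsupported idtype '${idtype}'" >&2
			# $$ is the main script, not this subshell: abort the whole run.
			kill $$
			;;
		esac
		# Give the listener a moment to bind before poking it.
		sleep 0.3
		echo | nc ${udpflag} -o 127.0.0.1 "${port}" >/dev/null 2>&1
		wait
	)
	case "${out}" in
	"nc: Permission denied"*|"nc: Operation not permitted"*)
		echo fl
		;;
	"")
		echo ok
		;;
	*)
		printf '%s\n' "${out}"
		;;
	esac
}

# report_result actual expected
#
# Print one TAP line for test ${ntest}: "ok" when check_bind's output
# ${actual} equals ${expected}, "not ok" when it is the other recognised
# verdict, and "not ok ... # <output>" for anything else so the real nc
# message lands in the log.  Advances ${ntest} afterwards.
report_result() {
	if [ "${1}" = "${2}" ]; then
		echo "ok ${ntest}"
	elif [ "${1}" = "ok" ] || [ "${1}" = "fl" ]; then
		echo "not ok ${ntest}"
	else
		echo "not ok ${ntest} # ${1}"
	fi
	ntest=$((ntest+1))
}

# bind_test expect_without_rule expect_with_rule idtype name proto port
#
# Run check_bind twice: first with the portacl rule list empty, then with
# a single rule "idtype:id:proto:port" for ${name}.  Each run yields one
# TAP line against its expectation ("ok" or "fl").  The rule list is
# cleared again at the end, so the module is left with no rules whatever
# the outcome.
bind_test() {
	expect_without_rule=${1}
	expect_with_rule=${2}
	idtype=${3}
	name=${4}
	proto=${5}
	port=${6}

	sysctl security.mac.portacl.rules= >/dev/null
	out=$(check_bind "${idtype}" "${name}" "${proto}" "${port}")
	report_result "${out}" "${expect_without_rule}"

	# Rules are keyed by numeric id, so translate the name first.
	case "${idtype}" in
	uid)
		idstr=$(id -u "${name}")
		;;
	gid)
		idstr=$(id -g "${name}")
		;;
	*)
		idstr=${name}
		;;
	esac
	sysctl "security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port}" >/dev/null
	out=$(check_bind "${idtype}" "${name}" "${proto}" "${port}")
	report_result "${out}" "${expect_with_rule}"

	sysctl security.mac.portacl.rules= >/dev/null
}

# Snapshot the tunables the tests change so restore_settings can put
# them back.
reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
port_high=$(sysctl -n security.mac.portacl.port_high)

# restore_settings
#
# Put back the sysctl values captured when this file was sourced.  The
# caller is responsible for invoking it (for example from a trap) after
# the tests; otherwise the host keeps whatever the tests last set.
restore_settings() {
	sysctl -n "net.inet.ip.portrange.reservedhigh=${reserved_high}" >/dev/null
	sysctl -n "security.mac.portacl.suser_exempt=${suser_exempt}" >/dev/null
	sysctl -n "security.mac.portacl.port_high=${port_high}" >/dev/null
}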