# Numeric uid/gid spans handed to ugidfw(8) below as "$uidrange"/"$gidrange";
# both cover the same range here.
6 uidrange="60000:100000"
7 gidrange="60000:100000"
# $uidinrange/$uidoutrange (the users the checks su(1) to) are assigned on
# lines not shown in this excerpt.  These are the groups the two test files
# are chown'ed to alongside those users.
10 gidinrange="nobody" # We expect $uidinrange in this group
11 gidoutrange="daemon" # We expect $uidoutrange in this group (file2 is chown'ed to $uidoutrange:$gidoutrange)
16 echo "ok $test_num # $@"
17 : $(( test_num += 1 ))
22 echo "not ok $test_num # $@"
23 : $(( test_num += 1 ))
31 if [ $(id -u) -ne 0 ]; then
32 echo "1..0 # SKIP test must be run as root"
35 if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
36 echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
39 if [ "$TMPDIR" != "/tmp" ]; then
40 if ! chmod -Rf 0755 $TMPDIR; then
41 echo "1..0 # SKIP failed to chmod $TMPDIR"
45 if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then
46 echo "1..0 # SKIP failed to create temporary directory"
49 trap "rmdir $playground" EXIT INT TERM
50 if ! mdmfs -s 25m md $playground; then
51 echo "1..0 # SKIP failed to mount md device"
# The md(4)-backed playground must be writable by the unprivileged test
# users, since the checks run their command through su(1) as
# $uidinrange/$uidoutrange.
54 chmod a+rwx $playground
# Recover the md unit (first mount -p column with the leading /dev/ stripped)
# so it can be detached at exit.
# NOTE(review): "$playground" is used here as a regex, not a literal string;
# a $TMPDIR containing regex metacharacters could match the wrong line
# (grep -F -- would match it literally).
55 md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')
# Replaces the earlier "rmdir $playground" trap with the full teardown:
# force-unmount, detach the md unit, remove the directory.  The string is
# double-quoted on purpose so $playground/$md_device are expanded now, while
# both are known.
56 trap "umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM
57 if [ -z "$md_device" ]; then
58 mount -p | grep $playground
59 echo "1..0 # SKIP md device not properly attached to the system"
# One test file per subject uid, both on the md(4) playground; they are
# chown'ed to different owners further down so the object uid/gid rules can
# tell them apart.
64 file1=$playground/test-$uidinrange
65 file2=$playground/test-$uidoutrange
66 cat > $playground/test-script.sh <<'EOF'
71 echo "1..0 # SKIP failed to create test script"
# Command strings executed via "su ... -c" in every check below; each runs
# the generated test script against one of the two files.
# NOTE(review): the string is re-parsed by the shell under su -c, so a
# $TMPDIR (and therefore $playground) containing whitespace or shell
# metacharacters would split or alter the command.
76 command1="sh $playground/test-script.sh $file1"
77 command2="sh $playground/test-script.sh $file2"
# $desc is the label passed to pass/fail for the next check.
79 desc="$uidinrange file"
80 if su -m $uidinrange -c "$command1"; then
86 chown "$uidinrange":"$gidinrange" $file1  # file1: owned by the in-range uid/gid pair
89 desc="$uidoutrange file"
96 chown "$uidoutrange":"$gidoutrange" $file2  # file2: owned by the out-of-range uid/gid pair
# Baseline, as the label says: no mac_bsdextended rule is in place yet, so
# both users are expected to be able to run the script.
102 desc="no rules $uidinrange"
103 if su -fm $uidinrange -c "$command1"; then
109 desc="no rules $uidoutrange"  # same baseline check for the out-of-range user
110 if su -fm $uidoutrange -c "$command1"; then
117 # Subject Match on uid
# Rule slot 1 is reused by every section of this test, so each "ugidfw set 1"
# replaces the previous rule.  Subject: uid in $uidrange; object: no
# restriction.  mode rasx lists read/admin/stat/exec only — no w (write) or
# d (delete) — so writes by a matching subject are presumably what the
# following check expects to be refused; confirm against ugidfw(8).
119 ugidfw set 1 subject uid $uidrange object mode rasx
120 desc="subject uid in range"
121 if su -fm $uidinrange -c "$command1"; then
127 desc="subject uid out range"  # $uidoutrange is outside $uidrange, so rule 1 should not apply
128 if su -fm $uidoutrange -c "$command1"; then
135 # Subject Match on gid
# Same shape as the uid section, keyed on the subject's gid being inside
# $gidrange (rule slot 1 is overwritten again).
137 ugidfw set 1 subject gid $gidrange object mode rasx
139 desc="subject gid in range"
140 if su -fm $uidinrange -c "$command1"; then
146 desc="subject gid out range"  # subject gid outside $gidrange: rule 1 should not apply
147 if su -fm $uidoutrange -c "$command1"; then
153 if which jail >/dev/null; then
155 # Subject Match on jail
157 rm -f $playground/test-jail  # marker file the jailed process creates
159 desc="subject matching jailid"
# Start a throw-away jail whose only process (detached via daemon(8))
# touches the marker after 5s; "jail -i" prints the new jail id, captured
# here.  NOTE(review): backticks could be $( ... ) for readability.
160 jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
# Rule 1 now keys on that jail id with mode rasx (no w), so the touch from
# inside the jail is presumably expected to be refused; the check that
# follows is reported as a known failure (bug # 205481).
161 ugidfw set 1 subject jailid $jailid object mode rasx
164 if [ -f $playground/test-jail ]; then
165 fail "TODO $desc: this testcase fails (see bug # 205481)"
170 rm -f $playground/test-jail
171 desc="subject nonmatching jailid"
# A second jail gets a different id.  No "ugidfw set" is visible between the
# previous rule and here, so unless the omitted lines change it, rule 1 still
# names the first jail's id and this jail should not match it.
172 jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
174 if [ -f $playground/test-jail ]; then
180 # XXX: kyua is too dumb to parse skip ranges, still..
# Two placeholder passes keep the TAP test count constant when jail(8) is
# absent — one per jail check in the branch above.
181 pass "skip jail(8) not installed"
182 pass "skip jail(8) not installed"
# "subject" with no criteria matches any process; the object side now selects
# files owned by a uid inside $uidrange (file1 after the chown above).
188 ugidfw set 1 subject object uid $uidrange mode rasx
190 desc="object uid in range"
191 if su -fm $uidinrange -c "$command1"; then
197 desc="object uid out range"  # $command2 targets file2, owned by $uidoutrange, so the object clause should not match
198 if su -fm $uidinrange -c "$command2"; then
# The same rule as in the previous section is set again (presumably the
# omitted lines cleared it in between); this time the subject running the
# command is the out-of-range uid.
203 ugidfw set 1 subject object uid $uidrange mode rasx
205 desc="object uid in range (different subject)"
206 if su -fm $uidoutrange -c "$command1"; then
212 desc="object uid out range (different subject)"  # file2 via $command2, run as $uidoutrange
213 if su -fm $uidoutrange -c "$command2"; then
# NOTE(review): the object gid criterion is given $uidrange rather than
# $gidrange.  Both are "60000:100000" at the top of this file, so the rule is
# the same, but $gidrange would read as intended.
222 ugidfw set 1 subject object gid $uidrange mode rasx
224 desc="object gid in range"
225 if su -fm $uidinrange -c "$command1"; then
231 desc="object gid out range"  # file2 via $command2 (group $gidoutrange)
232 if su -fm $uidinrange -c "$command2"; then
237 desc="object gid in range (different subject)"  # file1 via $command1, run as $uidoutrange
238 if su -fm $uidoutrange -c "$command1"; then
244 desc="object gid out range (different subject)"  # file2 via $command2, run as $uidoutrange
245 if su -fm $uidoutrange -c "$command2"; then
# Object restricted to the root filesystem ("/").  The test file lives on
# the md(4) mount at $playground, so it should fall outside this rule.
254 ugidfw set 1 subject uid $uidrange object filesys / mode rasx
255 desc="object out of filesys"
256 if su -fm $uidinrange -c "$command1"; then
# Object restricted to the filesystem mounted at $playground, i.e. the one
# holding the test file, so this rule should apply.
262 ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx
263 desc="object in filesys"
264 if su -fm $uidinrange -c "$command1"; then
# Object must be setuid.  Nothing visible in this excerpt sets the setuid bit
# on file1 before this check; the second check of this section (same command)
# presumably runs after the omitted lines set it.
273 ugidfw set 1 subject uid $uidrange object suid mode rasx
274 desc="object notsuid"
275 if su -fm $uidinrange -c "$command1"; then
283 if su -fm $uidinrange -c "$command1"; then
# Same pattern as the suid section, keyed on the object's setgid bit.
293 ugidfw set 1 subject uid $uidrange object sgid mode rasx
294 desc="object notsgid"
295 if su -fm $uidinrange -c "$command1"; then
303 if su -fm $uidinrange -c "$command1"; then
311 # Object uid matches subject
# The object's owner must equal the subject's uid.  file2 ($command2) is
# owned by $uidoutrange while the subject is $uidinrange, so it should not
# match.
313 ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx
315 desc="object uid notmatches subject"
316 if su -fm $uidinrange -c "$command2"; then
322 desc="object uid matches subject"  # file1 is owned by $uidinrange, the subject here
323 if su -fm $uidinrange -c "$command1"; then
330 # Object gid matches subject
# The object's group must equal the subject's gid; file2 carries
# $gidoutrange, so with $uidinrange as subject it should not match.
332 ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx
334 desc="object gid notmatches subject"
335 if su -fm $uidinrange -c "$command2"; then
341 desc="object gid matches subject"  # file1 carries $gidinrange, the group $uidinrange is expected in
342 if su -fm $uidinrange -c "$command1"; then
351 desc="object not type"
# Object type letters per ugidfw(8): d directory, b block, c char, l symlink,
# s socket, p fifo.  Regular files ("r") are deliberately left out, so the
# regular test file should not match this rule.
352 ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx
353 if su -fm $uidinrange -c "$command1"; then
# Now key on regular files only ("r"), which is what the test file is.
360 ugidfw set 1 subject uid $uidrange object type r mode rasx
361 if su -fm $uidinrange -c "$command1"; then