# Subject/object uid and gid ranges ("low:high") fed to the ugidfw rules
# below.  The in-range/out-of-range test users ($uidinrange/$uidoutrange) are
# assigned on lines not shown here.
6 uidrange="60000:100000"
7 gidrange="60000:100000"
# These must be the primary groups of the two test users: the gid_of_subject
# and "subject gid" checks below compare the file's group (set via chown) with
# the calling user's credential.  NOTE(review): assumes the in-range group's
# gid lies inside 60000:100000 and the out-of-range group's does not on the
# target system; confirm before trusting a "pass" from the gid cases.
10 gidinrange="nobody" # We expect $uidinrange in this group
11 gidoutrange="daemon" # We expect $uidoutrange in this group
# Body of the "ok" reporting helper (presumably pass()): emit a TAP
# "ok N # description" line and bump the shared counter.  $test_num must have
# been initialised on a line not shown here; the ':' no-op is the portable sh
# way to evaluate an arithmetic assignment purely for its side effect.
16 echo "ok $test_num # $@"
17 : $(( test_num += 1 ))
# Body of fail(): same shape with "not ok".  Everything after '#' is a TAP
# directive, so a description beginning with "TODO" (see the jail case
# further down) is reported as an expected failure, not a hard one.
22 echo "not ok $test_num # $@"
23 : $(( test_num += 1 ))
# Preconditions.  Everything below needs root (ugidfw, mdmfs, su, jail) and a
# kernel with mac_bsdextended(4) available; either one missing turns the run
# into an empty TAP plan ("1..0 # SKIP").  The exit that follows each SKIP
# message is not in view.
31 if [ $(id -u) -ne 0 ]; then
32 echo "1..0 # SKIP test must be run as root"
# "sysctl -N" prints only the node name, so this is a cheap existence probe
# with all output discarded.
35 if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
36 echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
# Build a throwaway memory-backed filesystem for the test files, so the
# "object filesys" cases have a mount distinct from "/" and the world-writable
# playground never lands on a real disk.
# NOTE(review): $TMPDIR is unquoted and has no fallback here; if it is unset
# the template degrades to "/tmp.XXXXXXX" in the root directory.  Unless a
# default is established on a line not shown, "${TMPDIR:-/tmp}/tmp.XXXXXXX"
# would be the safer form.
39 if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then
40 echo "1..0 # SKIP failed to create temporary directory"
# Interim cleanup.  The path is baked into the trap string now (double
# quotes); acceptable only because mktemp's template yields no shell
# metacharacters.
43 trap "rmdir $playground" EXIT INT TERM
44 if ! mdmfs -s 25m md $playground; then
45 echo "1..0 # SKIP failed to mount md device"
# Deliberately world-writable with no sticky bit: the unprivileged test users
# must be able to create and replace files here.  Contained to the md mount,
# which is torn down by the trap below.
48 chmod a+rwx $playground
# Recover the md unit (e.g. "md0") from the mount table so it can be detached.
# NOTE(review): $playground is used both as a regex and as a substring match;
# `grep -F -- "$playground"` (or an exact match on the mount-point field in
# awk) would be stricter.
49 md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')
# Final cleanup.  Two caveats: (1) this trap never removes ugidfw rule 1, which
# the tests below install as global kernel state - unless a later cleanup not
# shown here does, an aborted run leaves that rule active system-wide;
# (2) if $md_device is empty, "mdconfig -d -u" fails and the md unit leaks.
50 trap "umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM
51 if [ -z "$md_device" ]; then
# Diagnostic dump of what mount -p reported ($playground unquoted here; harmless
# for a mktemp-generated path).
52 mount -p | grep $playground
53 echo "1..0 # SKIP md device not properly attached to the system"
# One target file per test user; ownership is pinned below so the object
# uid/gid rules have something concrete to match against.
58 file1=$playground/test-$uidinrange
59 file2=$playground/test-$uidoutrange
# The helper each case runs as the unprivileged user.  Its body (a
# here-document; quoted delimiter, so nothing is expanded at write time) is not
# shown.  It is always invoked as "sh script file", so it needs no exec bit.
60 cat > $playground/test-script.sh <<'EOF'
65 echo "1..0 # SKIP failed to create test script"
# Command strings handed to "su -c", i.e. re-parsed by the target user's shell.
# Safe only because every component comes from mktemp's fixed template and the
# fixed user names - do not extend these with anything user-controlled.
70 command1="sh $playground/test-script.sh $file1"
71 command2="sh $playground/test-script.sh $file2"
# Baseline: with no ugidfw rule installed, each user creates its own file.
# The pass/fail branches of every "if su ..." in this file are not in view.
# su -m keeps the caller's (root's) environment, including umask; -f tells a
# csh target shell to skip .cshrc.
73 desc="$uidinrange file"
74 if su -m $uidinrange -c "$command1"; then
# Pin the ownership the object tests rely on: file1 is the in-range uid/gid
# pair, file2 the out-of-range pair.
80 chown "$uidinrange":"$gidinrange" $file1
83 desc="$uidoutrange file"
90 chown "$uidoutrange":"$gidoutrange" $file2
# Re-run the baseline with final ownership in place.  NOTE(review): the second
# case writes file1 (owned by $uidinrange) as $uidoutrange, so its outcome also
# depends on plain DAC - the mode the inherited umask left on file1 - and not
# only on the absence of ugidfw rules.
96 desc="no rules $uidinrange"
97 if su -fm $uidinrange -c "$command1"; then
103 desc="no rules $uidoutrange"
104 if su -fm $uidoutrange -c "$command1"; then
111 # Subject Match on uid
# "ugidfw set 1" replaces rule 1 in place, so every group below reuses the
# same slot.  With an empty object clause the rule applies to every object.
# NOTE(review): as I read ugidfw(8), "mode rasx" lists the accesses a matching
# subject is still permitted; write ('w') is deliberately absent, so a
# matching subject should be refused the write the helper performs, while
# non-matching subjects are unaffected.  Confirm against the man page.
113 ugidfw set 1 subject uid $uidrange object mode rasx
114 desc="subject uid in range"
115 if su -fm $uidinrange -c "$command1"; then
121 desc="subject uid out range"
122 if su -fm $uidoutrange -c "$command1"; then
129 # Subject Match on gid
# Same shape keyed on the subject's gid; relies on $uidinrange's primary group
# lying inside $gidrange and $uidoutrange's lying outside it.
131 ugidfw set 1 subject gid $gidrange object mode rasx
133 desc="subject gid in range"
134 if su -fm $uidinrange -c "$command1"; then
140 desc="subject gid out range"
141 if su -fm $uidoutrange -c "$command1"; then
148 # Subject Match on jail
# Each run spawns a detached shell inside a jail rooted at "/" (it shares the
# host filesystem, which is what lets it reach the playground) that sleeps and
# then creates a marker file; whether the marker exists after a wait (the wait
# itself is not in view) tells whether the write was allowed.
# NOTE(review): a fixed 5 s sleep is a timing race on a loaded host, and
# nothing checks that "jail -i" actually returned a jid before it is
# interpolated into the rule on the following line - an empty $jailid yields
# a malformed ugidfw command rather than a skipped test.
150 rm -f $playground/test-jail
152 desc="subject matching jailid"
153 jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
154 ugidfw set 1 subject jailid $jailid object mode rasx
# The marker must NOT appear when rule 1 names this jail.  Reported as a TAP
# TODO (expected failure) because of bug 205481, so it does not fail the run.
157 if [ -f $playground/test-jail ]; then
158 fail "TODO $desc: this testcase fails (see bug # 205481)"
# A second jail gets a different jid while rule 1 still names the first one,
# so this write is presumably expected to succeed.
163 rm -f $playground/test-jail
164 desc="subject nonmatching jailid"
165 jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
167 if [ -f $playground/test-jail ]; then
# Object match on uid: the rule now keys on the owner of the file being
# written, so one subject is tested against file1 (in-range owner) and file2
# (out-of-range owner).  An empty subject clause appears to match any subject.
176 ugidfw set 1 subject object uid $uidrange mode rasx
178 desc="object uid in range"
179 if su -fm $uidinrange -c "$command1"; then
185 desc="object uid out range"
186 if su -fm $uidinrange -c "$command2"; then
# Re-installs the identical rule (harmless) and repeats with the other subject.
191 ugidfw set 1 subject object uid $uidrange mode rasx
193 desc="object uid in range (different subject)"
194 if su -fm $uidoutrange -c "$command1"; then
200 desc="object uid out range (different subject)"
201 if su -fm $uidoutrange -c "$command2"; then
# Object match on gid.  NOTE(review): this passes $uidrange where every other
# gid clause in the file uses $gidrange.  Both expand to "60000:100000" today,
# so the rule is correct, but the two would silently diverge if either range
# were edited; $gidrange is the intended variable.
210 ugidfw set 1 subject object gid $uidrange mode rasx
212 desc="object gid in range"
213 if su -fm $uidinrange -c "$command1"; then
219 desc="object gid out range"
220 if su -fm $uidinrange -c "$command2"; then
225 desc="object gid in range (different subject)"
226 if su -fm $uidoutrange -c "$command1"; then
232 desc="object gid out range (different subject)"
233 if su -fm $uidoutrange -c "$command2"; then
# Object match on filesystem.  The playground is its own md mount (see the
# mdmfs call above), so file1 is NOT on "/" for the first rule and IS on
# "$playground" for the second.  The mount point itself, not a parent
# directory, is passed because the match is presumably by mounted filesystem
# rather than path prefix.
242 ugidfw set 1 subject uid $uidrange object filesys / mode rasx
243 desc="object out of filesys"
244 if su -fm $uidinrange -c "$command1"; then
250 ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx
251 desc="object in filesys"
252 if su -fm $uidinrange -c "$command1"; then
# Object match on the setuid bit: first run with the bit clear on file1 (rule
# must not match), then again - presumably after the bit is set; the chmod and
# the second desc are on lines not shown here.
261 ugidfw set 1 subject uid $uidrange object suid mode rasx
262 desc="object notsuid"
263 if su -fm $uidinrange -c "$command1"; then
271 if su -fm $uidinrange -c "$command1"; then
# Same pattern for the setgid bit.
281 ugidfw set 1 subject uid $uidrange object sgid mode rasx
282 desc="object notsgid"
283 if su -fm $uidinrange -c "$command1"; then
291 if su -fm $uidinrange -c "$command1"; then
299 # Object uid matches subject
# Keys on "the file's owner is the calling uid": file2 is owned by
# $uidoutrange, so it must not match; file1 (chowned to $uidinrange above)
# must.
301 ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx
303 desc="object uid notmatches subject"
304 if su -fm $uidinrange -c "$command2"; then
310 desc="object uid matches subject"
311 if su -fm $uidinrange -c "$command1"; then
318 # Object gid matches subject
# Same for the file's group versus the subject's group.  This is the case that
# depends on $gidinrange being $uidinrange's primary group (file1 was chowned
# to $gidinrange); if it is not, "matches" can never fire.
320 ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx
322 desc="object gid notmatches subject"
323 if su -fm $uidinrange -c "$command2"; then
329 desc="object gid matches subject"
330 if su -fm $uidinrange -c "$command1"; then
# Object match on file type.  As I read ugidfw(8), "dbclsp" names every type
# except a regular file (directory, block, char, symlink, socket, fifo), so
# file1 must not match; "r" is regular files only, so it must.  Confirm the
# letter set against the man page if it is ever extended.
339 desc="object not type"
340 ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx
341 if su -fm $uidinrange -c "$command1"; then
# The desc for this second case is set on a line not shown here.
348 ugidfw set 1 subject uid $uidrange object type r mode rasx
349 if su -fm $uidinrange -c "$command1"; then