MFstable/10 r292251:
1 #!/bin/sh
2 # $FreeBSD$
3
# Emit an empty TAP plan and leave successfully when the
# security.mac.portacl sysctl node cannot be read, i.e. the policy under
# test is not available on this host.
if ! sysctl security.mac.portacl >/dev/null 2>&1; then
	echo "1..0 # SKIP MAC_PORTACL is unavailable."
	exit 0
fi

# Running TAP test number; bind_test advances it after every result line.
ntest=1
11
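# check_bind idtype name proto port
#
# Try to bind 127.0.0.1:<port> as account <name> with a listening nc(1)
# started through su(1), then poke the port with a client nc so the
# listener terminates.
#
# Arguments:
#   $1 - idtype: "uid" or "gid" (both run the listener as <name>);
#        any other value, including "jail", aborts the script (see below)
#   $2 - name:   account handed to "su -m"
#   $3 - proto:  "udp" selects nc -u; anything else leaves nc on its default
#   $4 - port:   port number to bind
# Outputs (stdout):
#   "ok"  - nothing was captured from the listener
#   "fl"  - captured output starts with nc's "Permission denied" or
#           "Operation not permitted" message
#   else  - the captured output, flattened to one line
# Globals written: idtype, name, proto, port, udpflag, out
check_bind() {
	idtype=${1}
	name=${2}
	proto=${3}
	port=${4}

	# Reset on every call. udpflag is a global, so without this a udp
	# probe would leave "-u" behind and a later tcp probe made from the
	# same shell would silently test UDP instead.
	udpflag=""
	if [ "${proto}" = "udp" ]; then
		udpflag="-u"
	fi

	out=`(
		case "${idtype}" in
		uid|gid)
			# NOTE(review): name and port are spliced into the
			# command string that su passes to a shell. Only
			# fixed values from the test scripts belong here.
			( echo -n | su -m "${name}" -c "nc ${udpflag} -o -l 127.0.0.1 ${port}" 2>&1 ) &
			;;
		jail)
			# Inside a subshell $$ is still the PID of the
			# top-level shell, so this terminates the whole test
			# script. Presumably jail rules are not exercised
			# by this helper.
			kill $$
			;;
		*)
			# Unknown idtype: same abort as above.
			kill $$
		esac
		# Give the listener time to bind before connecting.
		sleep 0.3
		echo | nc ${udpflag} -o 127.0.0.1 ${port} >/dev/null 2>&1
		wait
	)`
	case "${out}" in
	"nc: Permission denied"*|"nc: Operation not permitted"*)
		echo fl
		;;
	"")
		echo ok
		;;
	*)
		# Deliberately unquoted: word splitting folds multi-line
		# output into one line, which bind_test places after "#" on
		# a single TAP result line.
		echo ${out}
		;;
	esac
}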
47
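# _bind_report actual expected
#
# Print one TAP result line for a check_bind outcome and advance ntest.
# A mismatch that is a plain "ok"/"fl" gets a bare "not ok"; any other
# outcome is appended after "#" as a diagnostic.
_bind_report() {
	if [ "${1}" = "${2}" ]; then
		echo "ok ${ntest}"
	elif [ "${1}" = "ok" ] || [ "${1}" = "fl" ]; then
		echo "not ok ${ntest}"
	else
		echo "not ok ${ntest} # ${1}"
	fi
	ntest=$((ntest+1))
}

# bind_test expect_without_rule expect_with_rule idtype name proto port
#
# Run check_bind twice and emit two TAP results: first with an empty
# security.mac.portacl.rules, then with the single rule
# <idtype>:<id>:<proto>:<port> installed. For idtype "uid"/"gid" the id is
# looked up from <name> with id(1); otherwise <name> is used as given.
#
# Arguments:
#   $1 - expected check_bind outcome ("ok" or "fl") without a rule
#   $2 - expected check_bind outcome with the rule installed
#   $3..$6 - idtype, name, proto, port as taken by check_bind
# Globals: ntest (read and advanced by 2), out, idstr, rule
#
# NOTE: the rule list is emptied before, between and after the probes and
# is never restored, so any ruleset loaded on the host before the run is
# lost.
bind_test() {
	expect_without_rule=${1}
	expect_with_rule=${2}
	idtype=${3}
	name=${4}
	proto=${5}
	port=${6}

	sysctl security.mac.portacl.rules= >/dev/null
	out=$(check_bind "${idtype}" "${name}" "${proto}" "${port}")
	_bind_report "${out}" "${expect_without_rule}"

	case "${idtype}" in
	uid)
		idstr=$(id -u "${name}")
		;;
	gid)
		idstr=$(id -g "${name}")
		;;
	*)
		idstr=${name}
		;;
	esac
	rule="${idtype}:${idstr}:${proto}:${port}"
	if sysctl "security.mac.portacl.rules=${rule}" >/dev/null; then
		out=$(check_bind "${idtype}" "${name}" "${proto}" "${port}")
		_bind_report "${out}" "${expect_with_rule}"
	else
		# If the rule was never installed the probe would run against
		# an empty ruleset and could match the expectation by
		# accident, so record a failure instead of probing.
		echo "not ok ${ntest} # cannot install rule ${rule}"
		ntest=$((ntest+1))
	fi

	sysctl security.mac.portacl.rules= >/dev/null
}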
87
# Snapshot the current values of the three tunables that restore_settings
# writes back. Presumably the test scripts using this file change them.
reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
port_high=$(sysctl -n security.mac.portacl.port_high)
91
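# restore_settings
#
# Write the saved reserved_high, suser_exempt and port_high values back to
# their sysctl nodes. All three writes are attempted even if one fails.
#
# Globals: reserved_high, suser_exempt, port_high (read);
#          _restore_rc (written)
# Returns: 0 if every write succeeded, 1 if any of them failed, so a
#          caller can tell that the host was left with modified port
#          security settings.
# NOTE: security.mac.portacl.rules is not restored here.
restore_settings() {
	_restore_rc=0
	sysctl -n "net.inet.ip.portrange.reservedhigh=${reserved_high}" >/dev/null || _restore_rc=1
	sysctl -n "security.mac.portacl.suser_exempt=${suser_exempt}" >/dev/null || _restore_rc=1
	sysctl -n "security.mac.portacl.port_high=${port_high}" >/dev/null || _restore_rc=1
	return ${_restore_rc}
}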