# Subject/object ranges used by the uid- and gid-based "ugidfw set 1 ..." rules
# below; both spans are identical, so uid and gid rules cover the same window.
6 uidrange="60000:100000"
7 gidrange="60000:100000"
# Groups the two test files are chown'ed to (file1 -> gidinrange, file2 -> gidoutrange).
10 gidinrange="nobody" # We expect $uidinrange in this group
11 gidoutrange="daemon" # We expect $uidinrange in this group
# NOTE(review): the comment on gidoutrange repeats "$uidinrange" from the line
# above; since file2 is later chown'ed to $uidoutrange:$gidoutrange, the intended
# expectation is presumably that $uidoutrange is in this group — confirm.
16 echo "ok $test_num # $@"
17 : $(( test_num += 1 ))
22 echo "not ok $test_num # $@"
23 : $(( test_num += 1 ))
31 if [ $(id -u) -ne 0 ]; then
32 echo "1..0 # SKIP test must be run as root"
35 if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
36 echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
# NOTE(review): $TMPDIR is unquoted and has no fallback. If it is unset the
# template becomes "/tmp.XXXXXXX" and, because this script only runs as root,
# the playground is created directly under / — "${TMPDIR:-/tmp}" would avoid that.
39 if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then
40 echo "1..0 # SKIP failed to create temporary directory"
# $playground is expanded when the trap is installed (double quotes), so the
# cleanup command is fixed here; it is replaced by a fuller one once the md is mounted.
43 trap "rmdir $playground" EXIT INT TERM
# Back the playground with a 25 MB memory disk so the object-filesys rules can target it.
44 if ! mdmfs -s 25m md $playground; then
45 echo "1..0 # SKIP failed to mount md device"
# World-writable so the unprivileged users run via su(1) below can create files here.
48 chmod a+rwx $playground
# Recover the md unit name from the mount table. grep treats $playground as a
# regex / substring match; gsub() strips the /dev/ prefix for mdconfig -d -u.
49 md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')
# Full teardown now that a device is attached: force-unmount, detach the md unit, remove the dir.
50 trap "umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM
51 if [ -z "$md_device" ]; then
52 mount -p | grep $playground
53 echo "1..0 # SKIP md device not properly attached to the system"
58 file1=$playground/test-$uidinrange
59 file2=$playground/test-$uidoutrange
60 cat > $playground/test-script.sh <<'EOF'
65 echo "1..0 # SKIP failed to create test script"
70 command1="sh $playground/test-script.sh $file1"
71 command2="sh $playground/test-script.sh $file2"
73 desc="$uidinrange file"
74 if su -m $uidinrange -c "$command1"; then
80 chown "$uidinrange":"$gidinrange" $file1
83 desc="$uidoutrange file"
90 chown "$uidoutrange":"$gidoutrange" $file2
96 desc="no rules $uidinrange"
97 if su -fm $uidinrange -c "$command1"; then
103 desc="no rules $uidoutrange"
104 if su -fm $uidoutrange -c "$command1"; then
111 # Subject Match on uid
113 ugidfw set 1 subject uid $uidrange object mode rasx
114 desc="subject uid in range"
115 if su -fm $uidinrange -c "$command1"; then
121 desc="subject uid out range"
122 if su -fm $uidoutrange -c "$command1"; then
129 # Subject Match on gid
131 ugidfw set 1 subject gid $gidrange object mode rasx
133 desc="subject gid in range"
134 if su -fm $uidinrange -c "$command1"; then
140 desc="subject gid out range"
141 if su -fm $uidoutrange -c "$command1"; then
147 if which jail >/dev/null; then
149 # Subject Match on jail
# Marker file the jailed process will create; clear any stale copy first.
151 rm -f $playground/test-jail
153 desc="subject matching jailid"
# jail -i prints the new jail's id. The daemonised shell sleeps 5 s before
# touching the marker, which leaves time for the ugidfw rule on the next line
# to be installed before the access is attempted (the wait before the
# marker check happens outside this excerpt). Style: backticks; $( ... ) is the modern form.
154 jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
# Rule 1 now matches on the subject's jail id instead of a uid/gid range.
155 ugidfw set 1 subject jailid $jailid object mode rasx
158 if [ -f $playground/test-jail ]; then
159 fail "TODO $desc: this testcase fails (see bug # 205481)"
164 rm -f $playground/test-jail
165 desc="subject nonmatching jailid"
166 jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
168 if [ -f $playground/test-jail ]; then
174 # XXX: kyua is too dumb to parse skip ranges, still..
175 pass "skip jail(8) not installed"
176 pass "skip jail(8) not installed"
182 ugidfw set 1 subject object uid $uidrange mode rasx
184 desc="object uid in range"
185 if su -fm $uidinrange -c "$command1"; then
191 desc="object uid out range"
192 if su -fm $uidinrange -c "$command2"; then
197 ugidfw set 1 subject object uid $uidrange mode rasx
199 desc="object uid in range (different subject)"
200 if su -fm $uidoutrange -c "$command1"; then
206 desc="object uid out range (different subject)"
207 if su -fm $uidoutrange -c "$command2"; then
# NOTE(review): this object-gid rule uses $uidrange where the subject-gid rule
# earlier uses $gidrange. Both are "60000:100000" today so behaviour is identical,
# but the two will silently diverge if either range is changed — use $gidrange here.
216 ugidfw set 1 subject object gid $uidrange mode rasx
218 desc="object gid in range"
219 if su -fm $uidinrange -c "$command1"; then
225 desc="object gid out range"
226 if su -fm $uidinrange -c "$command2"; then
231 desc="object gid in range (different subject)"
232 if su -fm $uidoutrange -c "$command1"; then
238 desc="object gid out range (different subject)"
239 if su -fm $uidoutrange -c "$command2"; then
248 ugidfw set 1 subject uid $uidrange object filesys / mode rasx
249 desc="object out of filesys"
250 if su -fm $uidinrange -c "$command1"; then
256 ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx
257 desc="object in filesys"
258 if su -fm $uidinrange -c "$command1"; then
267 ugidfw set 1 subject uid $uidrange object suid mode rasx
268 desc="object notsuid"
269 if su -fm $uidinrange -c "$command1"; then
277 if su -fm $uidinrange -c "$command1"; then
287 ugidfw set 1 subject uid $uidrange object sgid mode rasx
288 desc="object notsgid"
289 if su -fm $uidinrange -c "$command1"; then
297 if su -fm $uidinrange -c "$command1"; then
305 # Object uid matches subject
307 ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx
309 desc="object uid notmatches subject"
310 if su -fm $uidinrange -c "$command2"; then
316 desc="object uid matches subject"
317 if su -fm $uidinrange -c "$command1"; then
324 # Object gid matches subject
326 ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx
328 desc="object gid notmatches subject"
329 if su -fm $uidinrange -c "$command2"; then
335 desc="object gid matches subject"
336 if su -fm $uidinrange -c "$command1"; then
345 desc="object not type"
346 ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx
347 if su -fm $uidinrange -c "$command1"; then
354 ugidfw set 1 subject uid $uidrange object type r mode rasx
355 if su -fm $uidinrange -c "$command1"; then