From f4164a2eb51b1f993a1b5539392de06b71d7b7c6 Mon Sep 17 00:00:00 2001 From: ngie Date: Wed, 6 Jan 2016 20:02:49 +0000 Subject: [PATCH] MFC r292570: Integrate tools/regression/mac/mac_bsdextended and tools/regression/mac/mac_portacl into the FreeBSD test suite as tests/sys/mac/bsdextended and tests/sys/mac/portacl, respectively git-svn-id: svn://svn.freebsd.org/base/stable/10@293251 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- etc/mtree/BSD.tests.dist | 6 + tests/sys/Makefile | 1 + tests/sys/mac/Makefile | 8 + tests/sys/mac/bsdextended/Makefile | 14 + tests/sys/mac/bsdextended/matches_test.sh | 353 ++++++++++++++++++++++ tests/sys/mac/bsdextended/ugidfw_test.c | 257 ++++++++++++++++ tests/sys/mac/portacl/LICENSE | 27 ++ tests/sys/mac/portacl/Makefile | 16 + tests/sys/mac/portacl/misc.sh | 106 +++++++ tests/sys/mac/portacl/nobody_test.sh | 67 ++++ tests/sys/mac/portacl/root_test.sh | 51 ++++ 11 files changed, 906 insertions(+) create mode 100644 tests/sys/mac/Makefile create mode 100644 tests/sys/mac/bsdextended/Makefile create mode 100644 tests/sys/mac/bsdextended/matches_test.sh create mode 100644 tests/sys/mac/bsdextended/ugidfw_test.c create mode 100644 tests/sys/mac/portacl/LICENSE create mode 100644 tests/sys/mac/portacl/Makefile create mode 100755 tests/sys/mac/portacl/misc.sh create mode 100755 tests/sys/mac/portacl/nobody_test.sh create mode 100755 tests/sys/mac/portacl/root_test.sh diff --git a/etc/mtree/BSD.tests.dist b/etc/mtree/BSD.tests.dist index fa92e4b18..3e470d5ee 100644 --- a/etc/mtree/BSD.tests.dist +++ b/etc/mtree/BSD.tests.dist @@ -214,6 +214,12 @@ .. kqueue .. + mac + bsdextended + .. + portacl + .. + .. mqueue .. netinet diff --git a/tests/sys/Makefile b/tests/sys/Makefile index feef2c706..f69012b07 100644 --- a/tests/sys/Makefile +++ b/tests/sys/Makefile @@ -10,6 +10,7 @@ TESTS_SUBDIRS+= fifo TESTS_SUBDIRS+= file TESTS_SUBDIRS+= kern TESTS_SUBDIRS+= kqueue +TESTS_SUBDIRS+= mac TESTS_SUBDIRS+= mqueue TESTS_SUBDIRS+= netinet TESTS_SUBDIRS+= posixshm diff --git a/tests/sys/mac/Makefile b/tests/sys/mac/Makefile new file mode 100644 index 000000000..ae2c4917b --- /dev/null +++ b/tests/sys/mac/Makefile @@ -0,0 +1,8 @@ +# $FreeBSD$ + +TESTSDIR= ${TESTSBASE}/sys/mac + +TESTS_SUBDIRS+= bsdextended +TESTS_SUBDIRS+= portacl + +.include diff --git a/tests/sys/mac/bsdextended/Makefile b/tests/sys/mac/bsdextended/Makefile new file mode 100644 index 000000000..39a778bd6 --- /dev/null +++ b/tests/sys/mac/bsdextended/Makefile @@ -0,0 +1,14 @@ +# $FreeBSD$ + +TESTSDIR= ${TESTSBASE}/sys/mac/bsdextended + +TAP_TESTS_C+= ugidfw_test +TAP_TESTS_SH+= matches_test + +DPADD.ugidfw_test+= ${LIBUGIDFW} +LDADD.ugidfw_test+= -lugidfw + +TEST_METADATA.matches_test+= required_user="root" +TEST_METADATA.ugidfw_test+= required_user="root" + +.include diff --git a/tests/sys/mac/bsdextended/matches_test.sh b/tests/sys/mac/bsdextended/matches_test.sh new file mode 100644 index 000000000..5aff41396 --- /dev/null +++ b/tests/sys/mac/bsdextended/matches_test.sh @@ -0,0 +1,353 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +uidrange="60000:100000" +gidrange="60000:100000" +uidinrange="nobody" +uidoutrange="daemon" +gidinrange="nobody" # We expect $uidinrange in this group +gidoutrange="daemon" # We expect $uidinrange in this group + +test_num=1 +pass() +{ + echo "ok $test_num # $@" + : $(( test_num += 1 )) +} + +fail() +{ + echo "not ok $test_num # $@" + : $(( test_num += 1 )) +} + +# +# Setup +# + +: ${TMPDIR=/tmp} +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP test must be run as root" + exit 0 +fi +if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then + echo "1..0 # SKIP mac_bsdextended(4) support isn't available" + exit 0 +fi +if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then + echo "1..0 # SKIP failed to create temporary directory" + exit 0 +fi +trap "rmdir $playground" EXIT INT TERM +if ! mdmfs -s 25m md $playground; then + echo "1..0 # SKIP failed to mount md device" + exit 0 +fi +chmod a+rwx $playground +md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }') +trap "umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM +if [ -z "$md_device" ]; then + mount -p | grep $playground + echo "1..0 # SKIP md device not properly attached to the system" +fi + +ugidfw remove 1 + +file1=$playground/test-$uidinrange +file2=$playground/test-$uidoutrange +cat > $playground/test-script.sh <<'EOF' +#!/bin/sh +: > $1 +EOF +if [ $? -ne 0 ]; then + echo "1..0 # SKIP failed to create test script" + exit 0 +fi +echo "1..30" + +command1="sh $playground/test-script.sh $file1" +command2="sh $playground/test-script.sh $file2" + +desc="$uidinrange file" +if su -m $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +chown "$uidinrange":"$gidinrange" $file1 +chmod a+w $file1 + +desc="$uidoutrange file" +if $command2; then + pass $desc +else + fail $desc +fi + +chown "$uidoutrange":"$gidoutrange" $file2 +chmod a+w $file2 + +# +# No rules +# +desc="no rules $uidinrange" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +desc="no rules $uidoutrange" +if su -fm $uidoutrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +# +# Subject Match on uid +# +ugidfw set 1 subject uid $uidrange object mode rasx +desc="subject uid in range" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="subject uid out range" +if su -fm $uidoutrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +# +# Subject Match on gid +# +ugidfw set 1 subject gid $gidrange object mode rasx + +desc="subject gid in range" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="subject gid out range" +if su -fm $uidoutrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +# +# Subject Match on jail +# +rm -f $playground/test-jail + +desc="subject matching jailid" +jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"` +ugidfw set 1 subject jailid $jailid object mode rasx +sleep 10 + +if [ -f $playground/test-jail ]; then + fail "TODO $desc: this testcase fails (see bug # 205481)" +else + pass $desc +fi + +rm -f $playground/test-jail +desc="subject nonmatching jailid" +jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"` +sleep 10 +if [ -f $playground/test-jail ]; then + pass $desc +else + fail $desc +fi + +# +# Object uid +# +ugidfw set 1 subject object uid $uidrange mode rasx + +desc="object uid in range" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="object uid out range" +if su -fm $uidinrange -c "$command2"; then + pass $desc +else + fail $desc +fi +ugidfw set 1 subject object uid $uidrange mode rasx + +desc="object uid in range (different subject)" +if su -fm $uidoutrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="object uid out range (different subject)" +if su -fm $uidoutrange -c "$command2"; then + pass $desc +else + fail $desc +fi + +# +# Object gid +# +ugidfw set 1 subject object gid $uidrange mode rasx + +desc="object gid in range" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="object gid out range" +if su -fm $uidinrange -c "$command2"; then + pass $desc +else + fail $desc +fi +desc="object gid in range (different subject)" +if su -fm $uidoutrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="object gid out range (different subject)" +if su -fm $uidoutrange -c "$command2"; then + pass $desc +else + fail $desc +fi + +# +# Object filesys +# +ugidfw set 1 subject uid $uidrange object filesys / mode rasx +desc="object out of filesys" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx +desc="object in filesys" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +# +# Object suid +# +ugidfw set 1 subject uid $uidrange object suid mode rasx +desc="object notsuid" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +chmod u+s $file1 +desc="object suid" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi +chmod u-s $file1 + +# +# Object sgid +# +ugidfw set 1 subject uid $uidrange object sgid mode rasx +desc="object notsgid" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +chmod g+s $file1 +desc="object sgid" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi +chmod g-s $file1 + +# +# Object uid matches subject +# +ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx + +desc="object uid notmatches subject" +if su -fm $uidinrange -c "$command2"; then + pass $desc +else + fail $desc +fi + +desc="object uid matches subject" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +# +# Object gid matches subject +# +ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx + +desc="object gid notmatches subject" +if su -fm $uidinrange -c "$command2"; then + pass $desc +else + fail $desc +fi + +desc="object gid matches subject" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +# +# Object type +# +desc="object not type" +ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +desc="object type" +ugidfw set 1 subject uid $uidrange object type r mode rasx +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi diff --git a/tests/sys/mac/bsdextended/ugidfw_test.c b/tests/sys/mac/bsdextended/ugidfw_test.c new file mode 100644 index 000000000..7c1dc2a67 --- /dev/null +++ b/tests/sys/mac/bsdextended/ugidfw_test.c @@ -0,0 +1,257 @@ +/*- + * Copyright (c) 2005 McAfee, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * Starting point for a regression test for mac_bsdextended(4) and the + * supporting libugidfw(3). + */ + +/* + * This section of the regression test passes some test cases through the + * rule<->string routines to confirm they work approximately as desired. + */ + +/* + * List of users and groups we must check exists before we can begin, since + * they are used in the string test rules. We use users and groups that will + * always exist in a default install used for regression testing. + */ +static const char *test_users[] = { + "root", + "daemon", + "operator", + "bin", +}; + +static const char *test_groups[] = { + "wheel", + "daemon", + "operator", + "bin", +}; + +int test_num; + +/* + * List of test strings that must go in (and come out) of libugidfw intact. + */ +static const char *test_strings[] = { + /* Variations on subject and object uids. */ + "subject uid root object uid root mode n", + "subject uid root object uid daemon mode n", + "subject uid daemon object uid root mode n", + "subject uid daemon object uid daemon mode n", + /* Variations on mode. */ + "subject uid root object uid root mode a", + "subject uid root object uid root mode r", + "subject uid root object uid root mode s", + "subject uid root object uid root mode w", + "subject uid root object uid root mode x", + "subject uid root object uid root mode arswx", + /* Variations on subject and object gids. */ + "subject gid wheel object gid wheel mode n", + "subject gid wheel object gid daemon mode n", + "subject gid daemon object gid wheel mode n", + "subject gid daemon object gid daemon mode n", + /* Subject uids and subject gids. */ + "subject uid bin gid daemon object uid operator gid wheel mode n", + /* Not */ + "subject not uid operator object uid bin mode n", + "subject uid bin object not uid operator mode n", + "subject not uid daemon object not uid operator mode n", + /* Ranges */ + "subject uid root:operator object gid wheel:bin mode n", + /* Jail ID */ + "subject jailid 1 object uid root mode n", + /* Filesys */ + "subject uid root object filesys / mode n", + "subject uid root object filesys /dev mode n", + /* S/UGID */ + "subject not uid root object sgid mode n", + "subject not uid root object sgid mode n", + /* Matching uid/gid */ + "subject not uid root:operator object not uid_of_subject mode n", + "subject not gid wheel:bin object not gid_of_subject mode n", + /* Object types */ + "subject uid root object type a mode a", + "subject uid root object type r mode a", + "subject uid root object type d mode a", + "subject uid root object type b mode a", + "subject uid root object type c mode a", + "subject uid root object type l mode a", + "subject uid root object type s mode a", + "subject uid root object type rbc mode a", + "subject uid root object type dls mode a", + /* Empty rules always match */ + "subject object mode a", + /* Partial negations */ + "subject ! uid root object mode n", + "subject ! gid wheel object mode n", + "subject ! jailid 2 object mode n", + "subject object ! uid root mode n", + "subject object ! gid wheel mode n", + "subject object ! filesys / mode n", + "subject object ! suid mode n", + "subject object ! sgid mode n", + "subject object ! uid_of_subject mode n", + "subject object ! gid_of_subject mode n", + "subject object ! type d mode n", + /* All out nonsense */ + "subject uid root ! gid wheel:bin ! jailid 1 " + "object ! uid root:daemon gid daemon filesys / suid sgid uid_of_subject gid_of_subject ! type r " + "mode rsx", +}; + +static void +test_libugidfw_strings(void) +{ + struct mac_bsdextended_rule rule; + char errorstr[256]; + char rulestr[256]; + int error, i; + + for (i = 0; i < nitems(test_users); i++, test_num++) { + if (getpwnam(test_users[i]) == NULL) + printf("not ok %d # test_libugidfw_strings: getpwnam(%s) " + "failed: %s\n", test_num, test_users[i], strerror(errno)); + else + printf("ok %d\n", test_num); + } + + for (i = 0; i < nitems(test_groups); i++, test_num++) { + if (getgrnam(test_groups[i]) == NULL) + printf("not ok %d # test_libugidfw_strings: getgrnam(%s) " + "failed: %s\n", test_num, test_groups[i], strerror(errno)); + else + printf("ok %d\n", test_num); + } + + for (i = 0; i < nitems(test_strings); i++) { + error = bsde_parse_rule_string(test_strings[i], &rule, + sizeof(errorstr), errorstr); + if (error == -1) + printf("not ok %d # bsde_parse_rule_string: '%s' (%d) " + "failed: %s\n", test_num, test_strings[i], i, errorstr); + else + printf("ok %d\n", test_num); + test_num++; + + error = bsde_rule_to_string(&rule, rulestr, sizeof(rulestr)); + if (error < 0) + printf("not ok %d # bsde_rule_to_string: rule for '%s' " + "returned %d\n", test_num, test_strings[i], error); + else + printf("ok %d\n", test_num); + test_num++; + + if (strcmp(test_strings[i], rulestr) != 0) + printf("not ok %d # test_libugidfw: '%s' in, '%s' " + "out\n", test_num, test_strings[i], rulestr); + else + printf("ok %d\n", test_num); + test_num++; + } +} + +int +main(void) +{ + char errorstr[256]; + int count, slots; + + test_num = 1; + + /* Print an error if a non-root user attemps to run the tests. */ + if (getuid() != 0) { + printf("1..0 # SKIP you must be root\n"); + return (0); + } + + printf("1..%lu\n", nitems(test_users) + nitems(test_groups) + + 3 * nitems(test_strings) + 2); + + /* + * We can test some parts of the library without the MAC Framework + * and policy loaded, so run those tests before calling + * mac_is_present(). + */ + test_libugidfw_strings(); + + switch (mac_is_present("bsdextended")) { + case -1: + printf("1..0 # SKIP mac_is_present failed: %s\n", + strerror(errno)); + return (0); + case 1: + break; + case 0: + default: + printf("1..0 # SKIP mac_bsdextended not loaded\n"); + return (0); + } + + /* + * Some simple up-front checks to see if we're able to query the + * policy for basic state. We want the rule count to be 0 before + * starting, but "slots" is a property of prior runs and so we ignore + * the return value. + */ + count = bsde_get_rule_count(sizeof(errorstr), errorstr); + if (count == -1) + printf("not ok %d # bsde_get_rule_count: %s\n", test_num, + errorstr); + else + printf("ok %d\n", test_num); + + test_num++; + + slots = bsde_get_rule_slots(sizeof(errorstr), errorstr); + if (slots == -1) + printf("not ok %d # bsde_get_rule_slots: %s\n", test_num, + errorstr); + else + printf("ok %d\n", test_num); + + return (0); +} diff --git a/tests/sys/mac/portacl/LICENSE b/tests/sys/mac/portacl/LICENSE new file mode 100644 index 000000000..c95c14930 --- /dev/null +++ b/tests/sys/mac/portacl/LICENSE @@ -0,0 +1,27 @@ +$FreeBSD$ + +License for all mac_portacl regression tests: + +Copyright (c) 2009 Pawel Jakub Dawidek +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. diff --git a/tests/sys/mac/portacl/Makefile b/tests/sys/mac/portacl/Makefile new file mode 100644 index 000000000..129d4867c --- /dev/null +++ b/tests/sys/mac/portacl/Makefile @@ -0,0 +1,16 @@ +# $FreeBSD$ + +TESTSDIR= ${TESTSBASE}/sys/mac/portacl +BINDIR= ${TESTSDIR} + +FILES+= misc.sh + +TAP_TESTS_SH+= nobody_test +TAP_TESTS_SH+= root_test + +.for t in ${TAP_TESTS_SH} +TEST_METADATA.$t+= required_user="root" +TEST_METADATA.$t+= timeout="450" +.endfor + +.include diff --git a/tests/sys/mac/portacl/misc.sh b/tests/sys/mac/portacl/misc.sh new file mode 100755 index 000000000..5a9e67bae --- /dev/null +++ b/tests/sys/mac/portacl/misc.sh @@ -0,0 +1,106 @@ +#!/bin/sh +# $FreeBSD$ + +sysctl security.mac.portacl >/dev/null 2>&1 +if [ $? -ne 0 ]; then + echo "1..0 # SKIP MAC_PORTACL is unavailable." + exit 0 +fi +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP testcases must be run as root" + exit 0 +fi + +ntest=1 + +check_bind() { + local host idtype name proto port udpflag + + host="127.0.0.1" + + idtype=${1} + name=${2} + proto=${3} + port=${4} + + [ "${proto}" = "udp" ] && udpflag="-u" + + out=$( + case "${idtype}" in + uid|gid) + ( echo -n | su -m ${name} -c "nc ${udpflag} -l -w 10 $host $port" 2>&1 ) & + ;; + jail) + kill $$ + ;; + *) + kill $$ + esac + sleep 0.3 + echo | nc ${udpflag} -w 10 $host $port >/dev/null 2>&1 + wait + ) + case "${out}" in + "nc: Permission denied"*|"nc: Operation not permitted"*) + echo fl + ;; + "") + echo ok + ;; + *) + echo ${out} + ;; + esac +} + +bind_test() { + local expect_without_rule expect_with_rule idtype name proto port + + expect_without_rule=${1} + expect_with_rule=${2} + idtype=${3} + name=${4} + proto=${5} + port=${6} + + sysctl security.mac.portacl.rules= >/dev/null + out=$(check_bind ${idtype} ${name} ${proto} ${port}) + if [ "${out}" = "${expect_without_rule}" ]; then + echo "ok ${ntest}" + elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then + echo "not ok ${ntest} # '${out}' != '${expect_without_rule}'" + else + echo "not ok ${ntest} # unexpected output: '${out}'" + fi + : $(( ntest += 1 )) + + if [ "${idtype}" = "uid" ]; then + idstr=$(id -u ${name}) + elif [ "${idtype}" = "gid" ]; then + idstr=$(id -g ${name}) + else + idstr=${name} + fi + sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null + out=$(check_bind ${idtype} ${name} ${proto} ${port}) + if [ "${out}" = "${expect_with_rule}" ]; then + echo "ok ${ntest}" + elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then + echo "not ok ${ntest} # '${out}' != '${expect_with_rule}'" + else + echo "not ok ${ntest} # unexpected output: '${out}'" + fi + : $(( ntest += 1 )) + + sysctl security.mac.portacl.rules= >/dev/null +} + +reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh) +suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt) +port_high=$(sysctl -n security.mac.portacl.port_high) + +restore_settings() { + sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null + sysctl -n security.mac.portacl.suser_exempt=${suser_exempt} >/dev/null + sysctl -n security.mac.portacl.port_high=${port_high} >/dev/null +} diff --git a/tests/sys/mac/portacl/nobody_test.sh b/tests/sys/mac/portacl/nobody_test.sh new file mode 100755 index 000000000..7d8dbd6b7 --- /dev/null +++ b/tests/sys/mac/portacl/nobody_test.sh @@ -0,0 +1,67 @@ +#!/bin/sh +# $FreeBSD$ + +dir=`dirname $0` +. ${dir}/misc.sh + +echo "1..64" + +# security.mac.portacl.suser_exempt value doesn't affect unprivileged users +# behaviour. +# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh. + +trap restore_settings EXIT INT TERM + +sysctl security.mac.portacl.suser_exempt=1 >/dev/null +sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null + +bind_test fl fl uid nobody tcp 77 +bind_test ok ok uid nobody tcp 7777 +bind_test fl fl uid nobody udp 77 +bind_test ok ok uid nobody udp 7777 + +bind_test fl fl gid nobody tcp 77 +bind_test ok ok gid nobody tcp 7777 +bind_test fl fl gid nobody udp 77 +bind_test ok ok gid nobody udp 7777 + +sysctl security.mac.portacl.suser_exempt=0 >/dev/null + +bind_test fl fl uid nobody tcp 77 +bind_test ok ok uid nobody tcp 7777 +bind_test fl fl uid nobody udp 77 +bind_test ok ok uid nobody udp 7777 + +bind_test fl fl gid nobody tcp 77 +bind_test ok ok gid nobody tcp 7777 +bind_test fl fl gid nobody udp 77 +bind_test ok ok gid nobody udp 7777 + +# Verify if security.mac.portacl.port_high works. + +sysctl security.mac.portacl.port_high=7778 >/dev/null + +bind_test fl fl uid nobody tcp 77 +bind_test fl ok uid nobody tcp 7777 +bind_test fl fl uid nobody udp 77 +bind_test fl ok uid nobody udp 7777 + +bind_test fl fl gid nobody tcp 77 +bind_test fl ok gid nobody tcp 7777 +bind_test fl fl gid nobody udp 77 +bind_test fl ok gid nobody udp 7777 + +# Verify if mac_portacl rules work. + +sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null +sysctl security.mac.portacl.port_high=7776 >/dev/null + +bind_test fl ok uid nobody tcp 77 +bind_test ok ok uid nobody tcp 7777 +bind_test fl ok uid nobody udp 77 +bind_test ok ok uid nobody udp 7777 + +bind_test fl ok gid nobody tcp 77 +bind_test ok ok gid nobody tcp 7777 +bind_test fl ok gid nobody udp 77 +bind_test ok ok gid nobody udp 7777 diff --git a/tests/sys/mac/portacl/root_test.sh b/tests/sys/mac/portacl/root_test.sh new file mode 100755 index 000000000..9ed452fd1 --- /dev/null +++ b/tests/sys/mac/portacl/root_test.sh @@ -0,0 +1,51 @@ +#!/bin/sh +# $FreeBSD$ + +dir=`dirname $0` +. ${dir}/misc.sh + +echo "1..48" + +# Verify if security.mac.portacl.suser_exempt=1 really exempts super-user. + +trap restore_settings EXIT INT TERM + +sysctl security.mac.portacl.suser_exempt=1 >/dev/null + +bind_test ok ok uid root tcp 77 +bind_test ok ok uid root tcp 7777 +bind_test ok ok uid root udp 77 +bind_test ok ok uid root udp 7777 + +bind_test ok ok gid root tcp 77 +bind_test ok ok gid root tcp 7777 +bind_test ok ok gid root udp 77 +bind_test ok ok gid root udp 7777 + +# Verify if security.mac.portacl.suser_exempt=0 really doesn't exempt super-user. + +sysctl security.mac.portacl.suser_exempt=0 >/dev/null + +bind_test fl ok uid root tcp 77 +bind_test ok ok uid root tcp 7777 +bind_test fl ok uid root udp 77 +bind_test ok ok uid root udp 7777 + +bind_test fl ok gid root tcp 77 +bind_test ok ok gid root tcp 7777 +bind_test fl ok gid root udp 77 +bind_test ok ok gid root udp 7777 + +# Verify if security.mac.portacl.port_high works for super-user. + +sysctl security.mac.portacl.port_high=7778 >/dev/null + +bind_test fl ok uid root tcp 77 +bind_test fl ok uid root tcp 7777 +bind_test fl ok uid root udp 77 +bind_test fl ok uid root udp 7777 + +bind_test fl ok gid root tcp 77 +bind_test fl ok gid root tcp 7777 +bind_test fl ok gid root udp 77 +bind_test fl ok gid root udp 7777 -- 2.45.0