From a66c5911c69872fab8e0475916756312fbc35da2 Mon Sep 17 00:00:00 2001 From: ngie Date: Mon, 4 Jan 2016 06:58:39 +0000 Subject: [PATCH] MFstable/10 r293138: MFC r292531,r292532,r292533,r292545: r292531: Make test_matches.sh into a series of TAP testcases Use temporary filesystems / memory disks instead of a hardcoded path which doesn't exist on test systems r292532: Mark `subject matching jailid` testcase as an unexpected failure with TODO to ensure that the testcase isn't marked as a failure PR: 205481 r292533: Skip the testcases if mac_bsdextended(4) isn't detected on the system r292545: Redo the TAP integration so it works with Kyua Kyua needs numbers in the TAP results :/, but prove doesn't git-svn-id: svn://svn.freebsd.org/base/stable/9@293139 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 .../mac/mac_bsdextended/test_matches.sh | 328 ++++++++++++++----
 1 file changed, 257 insertions(+), 71 deletions(-)
diff --git a/tools/regression/mac/mac_bsdextended/test_matches.sh b/tools/regression/mac/mac_bsdextended/test_matches.sh
index 99d6b621c..5aff41396 100644
--- a/tools/regression/mac/mac_bsdextended/test_matches.sh
+++ b/tools/regression/mac/mac_bsdextended/test_matches.sh
@@ -10,158 +10,344 @@ uidoutrange="daemon" gidinrange="nobody" # We expect $uidinrange in this group gidoutrange="daemon" # We expect $uidinrange in this group -playground="/stuff/nobody/" # Must not be on root fs +test_num=1 +pass() +{ + echo "ok $test_num # $@" + : $(( test_num += 1 )) +} + +fail() +{ + echo "not ok $test_num # $@" + : $(( test_num += 1 )) +} # # Setup # -rm -f $playground/test* + +: ${TMPDIR=/tmp} +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP test must be run as root" + exit 0 +fi +if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then + echo "1..0 # SKIP mac_bsdextended(4) support isn't available" + exit 0 +fi +if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then + echo "1..0 # SKIP failed to create temporary directory" + exit 0 +fi +trap "rmdir $playground" EXIT INT TERM +if ! mdmfs -s 25m md $playground; then + echo "1..0 # SKIP failed to mount md device" + exit 0 +fi +chmod a+rwx $playground +md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }') +trap "umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM +if [ -z "$md_device" ]; then + mount -p | grep $playground + echo "1..0 # SKIP md device not properly attached to the system" +fi + ugidfw remove 1 file1=$playground/test-$uidinrange file2=$playground/test-$uidoutrange -cat < $playground/test-script.pl -if (open(F, ">" . shift)) { exit 0; } else { exit 1; } +cat > $playground/test-script.sh <<'EOF' +#!/bin/sh +: > $1 EOF -command1="perl $playground/test-script.pl $file1" -command2="perl $playground/test-script.pl $file2" +if [ $? 
-ne 0 ]; then + echo "1..0 # SKIP failed to create test script" + exit 0 +fi +echo "1..30" + +command1="sh $playground/test-script.sh $file1" +command2="sh $playground/test-script.sh $file2" + +desc="$uidinrange file" +if su -m $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi -echo -n "$uidinrange file: " -su -m $uidinrange -c "$command1 && echo good" chown "$uidinrange":"$gidinrange" $file1 chmod a+w $file1 -echo -n "$uidoutrange file: " -$command2 && echo good +desc="$uidoutrange file" +if $command2; then + pass $desc +else + fail $desc +fi + chown "$uidoutrange":"$gidoutrange" $file2 chmod a+w $file2 # # No rules # -echo -n "no rules $uidinrange: " -su -fm $uidinrange -c "$command1 && echo good" -echo -n "no rules $uidoutrange: " -su -fm $uidoutrange -c "$command1 && echo good" +desc="no rules $uidinrange" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + +desc="no rules $uidoutrange" +if su -fm $uidoutrange -c "$command1"; then + pass $desc +else + fail $desc +fi # # Subject Match on uid # ugidfw set 1 subject uid $uidrange object mode rasx -echo -n "subject uid in range: " -su -fm $uidinrange -c "$command1 || echo good" -echo -n "subject uid out range: " -su -fm $uidoutrange -c "$command1 && echo good" +desc="subject uid in range" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="subject uid out range" +if su -fm $uidoutrange -c "$command1"; then + pass $desc +else + fail $desc +fi # # Subject Match on gid # ugidfw set 1 subject gid $gidrange object mode rasx -echo -n "subject gid in range: " -su -fm $uidinrange -c "$command1 || echo good" -echo -n "subject gid out range: " -su -fm $uidoutrange -c "$command1 && echo good" + +desc="subject gid in range" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="subject gid out range" +if su -fm $uidoutrange -c "$command1"; then + pass $desc +else + fail $desc +fi # # Subject Match on jail # 
-echo -n "subject matching jailid: " rm -f $playground/test-jail -jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 3; touch $playground/test-jail) &"` + +desc="subject matching jailid" +jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"` ugidfw set 1 subject jailid $jailid object mode rasx -sleep 6 -if [ ! -f $playground/test-jail ] ; then echo good ; fi +sleep 10 + +if [ -f $playground/test-jail ]; then + fail "TODO $desc: this testcase fails (see bug # 205481)" +else + pass $desc +fi -echo -n "subject nonmatching jailid: " rm -f $playground/test-jail -jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 3; touch $playground/test-jail) &"` -sleep 6 -if [ -f $playground/test-jail ] ; then echo good ; fi +desc="subject nonmatching jailid" +jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"` +sleep 10 +if [ -f $playground/test-jail ]; then + pass $desc +else + fail $desc +fi # # Object uid # ugidfw set 1 subject object uid $uidrange mode rasx -echo -n "object uid in range: " -su -fm $uidinrange -c "$command1 || echo good" -echo -n "object uid out range: " -su -fm $uidinrange -c "$command2 && echo good" + +desc="object uid in range" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="object uid out range" +if su -fm $uidinrange -c "$command2"; then + pass $desc +else + fail $desc +fi ugidfw set 1 subject object uid $uidrange mode rasx -echo -n "object uid in range (differennt subject): " -su -fm $uidoutrange -c "$command1 || echo good" -echo -n "object uid out range (differennt subject): " -su -fm $uidoutrange -c "$command2 && echo good" + +desc="object uid in range (different subject)" +if su -fm $uidoutrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="object uid out range (different subject)" +if su -fm $uidoutrange -c "$command2"; then 
+ pass $desc +else + fail $desc +fi # # Object gid # ugidfw set 1 subject object gid $uidrange mode rasx -echo -n "object gid in range: " -su -fm $uidinrange -c "$command1 || echo good" -echo -n "object gid out range: " -su -fm $uidinrange -c "$command2 && echo good" -echo -n "object gid in range (differennt subject): " -su -fm $uidoutrange -c "$command1 || echo good" -echo -n "object gid out range (differennt subject): " -su -fm $uidoutrange -c "$command2 && echo good" + +desc="object gid in range" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="object gid out range" +if su -fm $uidinrange -c "$command2"; then + pass $desc +else + fail $desc +fi +desc="object gid in range (different subject)" +if su -fm $uidoutrange -c "$command1"; then + fail $desc +else + pass $desc +fi + +desc="object gid out range (different subject)" +if su -fm $uidoutrange -c "$command2"; then + pass $desc +else + fail $desc +fi # # Object filesys # ugidfw set 1 subject uid $uidrange object filesys / mode rasx -echo -n "object out of filesys: " -su -fm $uidinrange -c "$command1 && echo good" +desc="object out of filesys" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx -echo -n "object in filesys: " -su -fm $uidinrange -c "$command1 || echo good" +desc="object in filesys" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi # # Object suid # ugidfw set 1 subject uid $uidrange object suid mode rasx -echo -n "object notsuid: " -su -fm $uidinrange -c "$command1 && echo good" +desc="object notsuid" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + chmod u+s $file1 -echo -n "object suid: " -su -fm $uidinrange -c "$command1 || echo good" +desc="object suid" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi chmod u-s $file1 # # Object sgid # ugidfw set 1 subject uid 
$uidrange object sgid mode rasx -echo -n "object notsgid: " -su -fm $uidinrange -c "$command1 && echo good" +desc="object notsgid" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi + chmod g+s $file1 -echo -n "object sgid: " -su -fm $uidinrange -c "$command1 || echo good" +desc="object sgid" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi chmod g-s $file1 # # Object uid matches subject # ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx -echo -n "object uid notmatches subject: " -su -fm $uidinrange -c "$command2 && echo good" -echo -n "object uid matches subject: " -su -fm $uidinrange -c "$command1 || echo good" + +desc="object uid notmatches subject" +if su -fm $uidinrange -c "$command2"; then + pass $desc +else + fail $desc +fi + +desc="object uid matches subject" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi # # Object gid matches subject # ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx -echo -n "object gid notmatches subject: " -su -fm $uidinrange -c "$command2 && echo good" -echo -n "object gid matches subject: " -su -fm $uidinrange -c "$command1 || echo good" + +desc="object gid notmatches subject" +if su -fm $uidinrange -c "$command2"; then + pass $desc +else + fail $desc +fi + +desc="object gid matches subject" +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass $desc +fi # # Object type # +desc="object not type" ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx -echo -n "object not type: " -su -fm $uidinrange -c "$command1 && echo good" -ugidfw set 1 subject uid $uidrange object type r mode rasx -echo -n "object type: " -su -fm $uidinrange -c "$command1 || echo good" +if su -fm $uidinrange -c "$command1"; then + pass $desc +else + fail $desc +fi +desc="object type" +ugidfw set 1 subject uid $uidrange object type r mode rasx +if su -fm $uidinrange -c "$command1"; then + fail $desc +else + pass 
$desc +fi -- 2.45.0
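Review bot: The `if [ -z "$md_device" ]` check in the new setup section prints `1..0 # SKIP md device not properly attached to the system` but, unlike every other SKIP branch in the hunk, never exits, so the script goes on to print `1..30` (a second, conflicting TAP plan) and runs all 30 cases on a playground whose EXIT trap will then call `mdconfig -d -u` with an empty unit; add `exit 0` after that echo as the sibling branches do. The EXIT trap is also the natural place to undo the `ugidfw set 1` rules the cases install: the script removes rule 1 at startup but the final case leaves `subject uid $uidrange object type r mode rasx` active after the run, which appears to keep restricting that uid range's file access (write is not in `rasx`) on the test host until someone removes it by hand, so `trap "ugidfw remove 1; umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM` would leave the system as it was found. The script's first nine lines (the uid/gid range definitions) are outside the hunk.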