Regression tests for mac_portacl(4).

svn path=/head/; revision=189832
2009-03-14 21:54:19 +00:00 · 2009-03-14 21:54:19 +00:00 · 2f9e552de1 · 2020-12-20 02:59:44 +00:00
commit 2f9e552de1
parent a3ce3b6d35
4 changed files with 242 additions and 0 deletions
--- a/tools/regression/mac/mac_portacl/LICENSE
+++ b/tools/regression/mac/mac_portacl/LICENSE
@ -0,0 +1,27 @@
+$FreeBSD$
+
+License for all regression tests available with fstest:
+
+Copyright (c) 2009 Pawel Jakub Dawidek <pjd@FreeBSD.org>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
--- a/tools/regression/mac/mac_portacl/misc.sh
+++ b/tools/regression/mac/mac_portacl/misc.sh
@ -0,0 +1,97 @@
+#!/bin/sh
+# $FreeBSD$
+
+sysctl security.mac.portacl >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+	echo "1..1"
+	echo "not ok 1 # MAC_PORTACL is unavailable."
+	exit 0
+fi
+
+ntest=1
+
+check_bind() {
+	idtype=${1}
+	name=${2}
+	proto=${3}
+	port=${4}
+
+	[ "${proto}" = "udp" ] && udpflag="-u"
+
+	out=`(
+		case "${idtype}" in
+		uid|gid)
+			( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 127.0.0.1 $port" 2>&1 ) &
+			;;
+		jail)
+			kill $$
+			;;
+		*)
+			kill $$
+		esac
+		sleep 0.3
+		echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1
+		wait
+	)`
+	case "${out}" in
+	"nc: Permission denied"*|"nc: Operation not permitted"*)
+		echo fl
+		;;
+	"")
+		echo ok
+		;;
+	*)
+		echo ${out}
+		;;
+	esac
+}
+
+bind_test() {
+	expect_without_rule=${1}
+	expect_with_rule=${2}
+	idtype=${3}
+	name=${4}
+	proto=${5}
+	port=${6}
+
+	sysctl security.mac.portacl.rules= >/dev/null
+	out=`check_bind ${idtype} ${name} ${proto} ${port}`
+	if [ "${out}" = "${expect_without_rule}" ]; then
+		echo "ok ${ntest}"
+	elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
+		echo "not ok ${ntest}"
+	else
+		echo "not ok ${ntest} # ${out}"
+	fi
+	ntest=$((ntest+1))
+
+	if [ "${idtype}" = "uid" ]; then
+		idstr=`id -u ${name}`
+	elif [ "${idtype}" = "gid" ]; then
+		idstr=`id -g ${name}`
+	else
+		idstr=${name}
+	fi
+	sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null
+	out=`check_bind ${idtype} ${name} ${proto} ${port}`
+	if [ "${out}" = "${expect_with_rule}" ]; then
+		echo "ok ${ntest}"
+	elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
+		echo "not ok ${ntest}"
+	else
+		echo "not ok ${ntest} # ${out}"
+	fi
+	ntest=$((ntest+1))
+
+	sysctl security.mac.portacl.rules= >/dev/null
+}
+
+reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh`
+suser_exempt=`sysctl -n security.mac.portacl.suser_exempt`
+port_high=`sysctl -n security.mac.portacl.port_high`
+
+restore_settings() {
+	sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null
+	sysctl -n security.mac.portacl.suser_exempt=${suser_exempt} >/dev/null
+	sysctl -n security.mac.portacl.port_high=${port_high} >/dev/null
+}
--- a/tools/regression/mac/mac_portacl/nobody.t
+++ b/tools/regression/mac/mac_portacl/nobody.t
@ -0,0 +1,67 @@
+#!/bin/sh
+# $FreeBSD$
+
+dir=`dirname $0`
+. ${dir}/misc.sh
+
+echo "1..64"
+
+# security.mac.portacl.suser_exempt value doesn't affect unprivileged users
+# behaviour.
+# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.
+
+sysctl security.mac.portacl.suser_exempt=1 >/dev/null
+sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+sysctl security.mac.portacl.suser_exempt=0 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+# Verify if security.mac.portacl.port_high works.
+
+sysctl security.mac.portacl.port_high=7778 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test fl ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test fl ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test fl ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test fl ok gid nobody udp 7777
+
+# Verify if mac_portacl rules work.
+
+sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null
+sysctl security.mac.portacl.port_high=7776 >/dev/null
+
+bind_test fl ok uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl ok uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl ok gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl ok gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+restore_settings
--- a/tools/regression/mac/mac_portacl/root.t
+++ b/tools/regression/mac/mac_portacl/root.t
@ -0,0 +1,51 @@
+#!/bin/sh
+# $FreeBSD$
+
+dir=`dirname $0`
+. ${dir}/misc.sh
+
+echo "1..48"
+
+# Verify if security.mac.portacl.suser_exempt=1 really exempts super-user.
+
+sysctl security.mac.portacl.suser_exempt=1 >/dev/null
+
+bind_test ok ok uid root tcp 77
+bind_test ok ok uid root tcp 7777
+bind_test ok ok uid root udp 77
+bind_test ok ok uid root udp 7777
+
+bind_test ok ok gid root tcp 77
+bind_test ok ok gid root tcp 7777
+bind_test ok ok gid root udp 77
+bind_test ok ok gid root udp 7777
+
+# Verify if security.mac.portacl.suser_exempt=0 really doesn't exempt super-user.
+
+sysctl security.mac.portacl.suser_exempt=0 >/dev/null
+
+bind_test fl ok uid root tcp 77
+bind_test ok ok uid root tcp 7777
+bind_test fl ok uid root udp 77
+bind_test ok ok uid root udp 7777
+
+bind_test fl ok gid root tcp 77
+bind_test ok ok gid root tcp 7777
+bind_test fl ok gid root udp 77
+bind_test ok ok gid root udp 7777
+
+# Verify if security.mac.portacl.port_high works for super-user.
+
+sysctl security.mac.portacl.port_high=7778 >/dev/null
+
+bind_test fl ok uid root tcp 77
+bind_test fl ok uid root tcp 7777
+bind_test fl ok uid root udp 77
+bind_test fl ok uid root udp 7777
+
+bind_test fl ok gid root tcp 77
+bind_test fl ok gid root tcp 7777
+bind_test fl ok gid root udp 77
+bind_test fl ok gid root udp 7777
+
+restore_settings