From 2f9e552de18fd5fe95c14203564eabfc6577412a Mon Sep 17 00:00:00 2001
From: Pawel Jakub Dawidek
Date: Sat, 14 Mar 2009 21:54:19 +0000
Subject: [PATCH] Regression tests for mac_portacl(4).
---
 tools/regression/mac/mac_portacl/LICENSE | 27 +++++++
 tools/regression/mac/mac_portacl/misc.sh | 97 +++++++++++++++++++++++
 tools/regression/mac/mac_portacl/nobody.t | 67 ++++++++++++++++
 tools/regression/mac/mac_portacl/root.t | 51 ++++++++++++
 4 files changed, 242 insertions(+)
 create mode 100644 tools/regression/mac/mac_portacl/LICENSE
 create mode 100755 tools/regression/mac/mac_portacl/misc.sh
 create mode 100755 tools/regression/mac/mac_portacl/nobody.t
 create mode 100755 tools/regression/mac/mac_portacl/root.t
diff --git a/tools/regression/mac/mac_portacl/LICENSE b/tools/regression/mac/mac_portacl/LICENSE
new file mode 100644
index 000000000000..1bc2da4bc51b
--- /dev/null
+++ b/tools/regression/mac/mac_portacl/LICENSE
@@ -0,0 +1,27 @@
+$FreeBSD$
+
+License for all regression tests available with fstest:
+
+Copyright (c) 2009 Pawel Jakub Dawidek
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.
diff --git a/tools/regression/mac/mac_portacl/misc.sh b/tools/regression/mac/mac_portacl/misc.sh
new file mode 100755
index 000000000000..0fabe15f013b
--- /dev/null
+++ b/tools/regression/mac/mac_portacl/misc.sh
@@ -0,0 +1,97 @@
+#!/bin/sh
+# $FreeBSD$
+
+sysctl security.mac.portacl >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+ echo "1..1"
+ echo "not ok 1 # MAC_PORTACL is unavailable."
+ exit 0
+fi
+
+ntest=1
+
+check_bind() {
+ idtype=${1}
+ name=${2}
+ proto=${3}
+ port=${4}
+
+ [ "${proto}" = "udp" ] && udpflag="-u"
+
+ out=`(
+ case "${idtype}" in
+ uid|gid)
+ ( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 127.0.0.1 $port" 2>&1 ) &
+ ;;
+ jail)
+ kill $$
+ ;;
+ *)
+ kill $$
+ esac
+ sleep 0.3
+ echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1
+ wait
+ )`
+ case "${out}" in
+ "nc: Permission denied"*|"nc: Operation not permitted"*)
+ echo fl
+ ;;
+ "")
+ echo ok
+ ;;
+ *)
+ echo ${out}
+ ;;
+ esac
+}
+
+bind_test() {
+ expect_without_rule=${1}
+ expect_with_rule=${2}
+ idtype=${3}
+ name=${4}
+ proto=${5}
+ port=${6}
+
+ sysctl security.mac.portacl.rules= >/dev/null
+ out=`check_bind ${idtype} ${name} ${proto} ${port}`
+ if [ "${out}" = "${expect_without_rule}" ]; then
+ echo "ok ${ntest}"
+ elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
+ echo "not ok ${ntest}"
+ else
+ echo "not ok ${ntest} # ${out}"
+ fi
+ ntest=$((ntest+1))
+
+ if [ "${idtype}" = "uid" ]; then
+ idstr=`id -u ${name}`
+ elif [ "${idtype}" = "gid" ]; then
+ idstr=`id -g ${name}`
+ else
+ idstr=${name}
+ fi
+ sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null
+ out=`check_bind ${idtype} ${name} ${proto} ${port}`
+ if [ "${out}" = "${expect_with_rule}" ]; then
+ echo "ok ${ntest}"
+ elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
+ echo "not ok ${ntest}"
+ else
+ echo "not ok ${ntest} # ${out}"
+ fi
+ ntest=$((ntest+1))
+
+ sysctl security.mac.portacl.rules= >/dev/null
+}
+
+reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh`
+suser_exempt=`sysctl -n security.mac.portacl.suser_exempt`
+port_high=`sysctl -n security.mac.portacl.port_high`
+
+restore_settings() {
+ sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null
+ sysctl -n 
security.mac.portacl.suser_exempt=${suser_exempt} >/dev/null
+ sysctl -n security.mac.portacl.port_high=${port_high} >/dev/null
+}
diff --git a/tools/regression/mac/mac_portacl/nobody.t b/tools/regression/mac/mac_portacl/nobody.t
new file mode 100755
index 000000000000..c0754eb214ad
--- /dev/null
+++ b/tools/regression/mac/mac_portacl/nobody.t
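Review bot: In check_bind, `udpflag` is only ever set (`[ "${proto}" = "udp" ] && udpflag="-u"`) and is neither cleared nor declared local, so once one udp case has run, every later tcp case in the same script also passes `-u` to both nc invocations; in nobody.t and root.t the gid tcp cases follow the uid udp cases, so those cases exercise UDP while the rule bind_test installs names tcp. Reset it on entry, `if [ "${proto}" = "udp" ]; then udpflag="-u"; else udpflag=""; fi`, so each call derives the flag from its own proto argument. Separately, bind_test clears `security.mac.portacl.rules` without ever saving the pre-existing value, and restore_settings only runs when the calling script reaches its last line, so an abort such as the `kill $$` branches leaves reservedhigh and port_high at the test values; capturing the rules string with the other three sysctls and adding `trap restore_settings EXIT` right after them would cover at least the ordinary error exits. The fixed `sleep 0.3` is the only synchronisation between listener and client, which is likely to produce spurious `not ok` lines on a loaded host.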
@@ -0,0 +1,67 @@
+#!/bin/sh
+# $FreeBSD$
+
+dir=`dirname $0`
+. ${dir}/misc.sh
+
+echo "1..64"
+
+# security.mac.portacl.suser_exempt value doesn't affect unprivileged users
+# behaviour.
+# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.
+
+sysctl security.mac.portacl.suser_exempt=1 >/dev/null
+sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+sysctl security.mac.portacl.suser_exempt=0 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+# Verify if security.mac.portacl.port_high works.
+
+sysctl security.mac.portacl.port_high=7778 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test fl ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test fl ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test fl ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test fl ok gid nobody udp 7777
+
+# Verify if mac_portacl rules work.
+
+sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null
+sysctl security.mac.portacl.port_high=7776 >/dev/null
+
+bind_test fl ok uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl ok uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl ok gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl ok gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+restore_settings
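Review bot: The setup writes (`sysctl security.mac.portacl.suser_exempt=1 >/dev/null`, `sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null`, and the later port_high and reservedhigh lines) discard both output and exit status, so when a write is refused — the script not running as root, or the node being read-only in the environment it runs in — the expectations below are evaluated against whatever values the host already had and the mismatches surface only as ordinary `not ok` lines with no hint of the cause. Check each write and abandon the plan instead, e.g. `sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null || { echo "Bail out! cannot set reservedhigh"; exit 1; }`; root.t has the same pattern on its three sysctl lines. A comment next to the plan line noting that the script must run as root, since it writes sysctls and uses `su` through misc.sh, would also help whoever wires these into a test runner.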
diff --git a/tools/regression/mac/mac_portacl/root.t b/tools/regression/mac/mac_portacl/root.t
new file mode 100755
index 000000000000..626bdfa26d70
--- /dev/null
+++ b/tools/regression/mac/mac_portacl/root.t
@@ -0,0 +1,51 @@
+#!/bin/sh
+# $FreeBSD$
+
+dir=`dirname $0`
+. ${dir}/misc.sh
+
+echo "1..48"
+
+# Verify if security.mac.portacl.suser_exempt=1 really exempts super-user.
+
+sysctl security.mac.portacl.suser_exempt=1 >/dev/null
+
+bind_test ok ok uid root tcp 77
+bind_test ok ok uid root tcp 7777
+bind_test ok ok uid root udp 77
+bind_test ok ok uid root udp 7777
+
+bind_test ok ok gid root tcp 77
+bind_test ok ok gid root tcp 7777
+bind_test ok ok gid root udp 77
+bind_test ok ok gid root udp 7777
+
+# Verify if security.mac.portacl.suser_exempt=0 really doesn't exempt super-user.
+
+sysctl security.mac.portacl.suser_exempt=0 >/dev/null
+
+bind_test fl ok uid root tcp 77
+bind_test ok ok uid root tcp 7777
+bind_test fl ok uid root udp 77
+bind_test ok ok uid root udp 7777
+
+bind_test fl ok gid root tcp 77
+bind_test ok ok gid root tcp 7777
+bind_test fl ok gid root udp 77
+bind_test ok ok gid root udp 7777
+
+# Verify if security.mac.portacl.port_high works for super-user.
+
+sysctl security.mac.portacl.port_high=7778 >/dev/null
+
+bind_test fl ok uid root tcp 77
+bind_test fl ok uid root tcp 7777
+bind_test fl ok uid root udp 77
+bind_test fl ok uid root udp 7777
+
+bind_test fl ok gid root tcp 77
+bind_test fl ok gid root tcp 7777
+bind_test fl ok gid root udp 77
+bind_test fl ok gid root udp 7777
+
+restore_settings