implemented properly for a number of kernel subsystems. In general, they
try to exercise the privilege first as the root user, then as a test user,
in order to determine when privilege is being checked.
Currently, these tests do not compare inside/outside jail, and probably
should be enhanced to do that.
Sponsored by: nCircle Network Security, Inc.
Obtained from: TrustedBSD Project
It is by no means expected to perform a complete test of the library
for correctness, but is meant to test the API to make sure libmp (or
libcrypto) updates don't totally break the library.
o If something is wrong with options, then output short usage help message.
o Output errstr returned from strtonum(3).
PR: bin/98141
Submitted by: Andrey Simonenko
subject: ranges of uid, ranges of gid, jail id
objects: ranges of uid, ranges of gid, filesystem,
object is suid, object is sgid, object matches subject uid/gid
object type
We can also negate individual conditions. The ruleset language is
a superset of the previous language, so old rules should continue
to work.
These changes require a change to the API between libugidfw and the
mac_bsdextended module. Add a version number, so we can tell if
we're running mismatched versions.
Update man pages to reflect changes, add extra test cases to
test_ugidfw.c and add a shell script that checks that the the
module seems to do what we expect.
Suggestions from: rwatson, trhodes
Reviewed by: trhodes
MFC after: 2 months
o Add mount and umount actions so that partitions can be in use.
o Extend the testing of the add verb to include overlapping
partitions.
o Add tests for the remove verb. this includes tests to remove
a partition when in use (i.e. is mounted).
o Add a MD5 checksum to the output of the conf action so that
it can be tested. Make sure the MD5 doesn't vary based on
certain dynamic behaviour that is irrelevant to the output.
o Add MD5 checksums to the expected result of conf actions.
Add support for read-write parameters. Allow an optional initializer
for read-write parameters. Print the value of those parameters on
success following the PASS.
the first part before starting, or the TCP port we want to bind may be in
use still. Sleep for a short period between tests.
Use SIGTERM instead of SIGKILL.
pru_abort() by closing a listen socket while completed connections are
presenting in its listen queue. Unfortunately, it's difficult to
trigger the other two pru_abort() cases using user APIs, so they are
not covered by this test.
mode. Support both connection via connect() and sendto(), but don't
compile in sendto() for now, since netipx doesn't appear to actually
implement that (doh).
times, with variable length sleeps between socket() and close(). This
will help to ensure that IPX/SPX timers fire while the sockets are
open, and hence have PCB's on the IPX pcb list, so that if timers are
going to stumble over PCB types they don't expect, it will happen as
part of this test.
o Change the result of gctl(001) now that a bogus verb still requires
a valid geom,
o Insert gctl(024) to test for an appropriate error when a bogus verb
is given that does have a proper geom parameter.
whole name. This does not unnecessarily close the door that in some
future we want to test on something other than md(4) devices.
Also add a "conf" action so that we can check whether a gctl actually
did the right thing or not. It's one thing to check that the result
strings are as expected, but it doesn't tell us if the end result is
correct. This needs a bit more fleshing out, but for now a visual
(i.e. manual) check suffices.
mdconfig(8), because we need a disk to work on.
o Extend the number of tests now that we have a disk.
o Simplify the driver. All parameters are ASCII strings now.
The testsuite is based on a simple driver program that builds a
request from the arguments passed to it and issues the request to
Geom. The driver emits FAIL with the error string or PASS depending
on whether the request completed with an error or not. A -v option
has been added to the driver and causes the request to be dumped.
The -v option to prove(1) controls the -v option to the driver.
The testsuite itself contains a hash of which the key constitutes
the arguments and the value is the expected result.
creation and at time of update using an additional call to listen().
This test also exercises SO_LISTENQLIMIT, a forthcoming socket option
that allows the retrieval (but not setting) of the queue limit.
Discussed with: andre
relating to O_RDWR file descriptors, which while not defined in POSIX,
are in fact used:
(1) Revise assumption that we have two file descriptors when testing I/O
operations on a fifo. Provide cleanup routines that handle either
two or three file descriptors (including a kqueue descriptor).
(2) Add an openfifo_rw() routine to supplement openfifo().
(3) kqueue_setup() now configures an existing kqueue to monitor a new
file descriptor, rather than allocating a new kqueue to monitor two
existing file descriptors.
(4) Wrap all direct poll/select/kqueue/FIONREAD interactions in a single
function, assert_status(), which takes a file descriptor, kqueue
descriptor, assertion of read/writable/exception states, and
test description, then tests the assertion. This reduces the bulk
of calls in many of the tests, making them shorter, more readable,
and easier to determine correct.
(5) Add a new test_events_rdwr() function, which performs a basic create/
write/read event test on a O_RDWR fifo file descriptor. This is
currently failed by our fifo code in HEAD due to a bug in FIONREAD
handling. Fix to be merged shortly.
Add test_kqueue(), which registers and unregisters various kqueue filter
types on a fifo in order to make sure that EVFILT_READ, EVFILT_WRITE can
be registered, and that EVFILT_NETDEV can't be registered. For now, we
don't test that EVFILT_VNODE can be registered on fifos, as that has been
broken at some point.
- Teach fifo_io about kqueue monitoring of fifo file descriptor status,
and add test cases for kqueue to match existing case for poll and
select. Add a new cleanup routine, cleanfifokq(), for use in tests that
use kqueues. kqueue_setup() sets up kqueue sessions, and kqueue_status()
returns file descriptor status.
- Correct a bug in select handling relating to the nfds argument, which
was incorrect so resulted in select occuring on the wrong file descriptor,
and possible false positive/negative results.
- Clarify error reporting in one byte write+read tests to distinguish
errors in the after case from the before case.
that don't obviously fit into create, open, and io. For now, add only a
regression test to make sure that lseek() fails with ESPIPE (which it
doesn't).
multicast group using a raw socket, then removing the interface on which
the group is found, and joining a multicast group using a udp socket,
then removing the interface on which the group is found. An if_disc
interface is used as the interface on which to attach.
NB: A panic currently results from running this regression test, so do
so with caution.
PR: 77665
Reported by: Gavin Atkinson <gavin dot atkinson at ury dot york dot ac dot uk>
Reported by: Brooks Davis <brooks at FreeBSD dot org>
