Commit Graph

5 Commits

Author SHA1 Message Date
Bjoern A. Zeeb
e7fba5c772 Start respecting WITHOUT_INET6.
Make regression/priv compile again after the multi-IP jail
changes.  Note that we are still using the legacy jail(2)
rather than the jail_set(2)/jail(3) syscall.
Add an IPv4,  and an IPv6 loopback address in case we compile
with INET6 enabled.

Make the priv_vfs_extattr_system compile on amd64 as well using the
proper length modifier to printf(3) for ssize_t.

Reviewed by:	rwatson
Approved by:	re (kib)
2009-08-13 09:11:47 +00:00
Bjoern A. Zeeb
f3d220fb9e Remove empty setup and cleanup functions for the pfkey test.
Add regression tests for privileged and supposedly unprivileged
IP_IPSEC_POLICY,IPV6_IPSEC_POLICY setsockopt cases.

We may need to review the current 'good' results to make
sure they reflect what we really want.

Discussed with:	rwatson
Reviewed by:	rwatson
2007-11-16 21:24:45 +00:00
Bjoern A. Zeeb
6007da5f92 In sys/netipsec/keysock.c rev. 1.19 a missing priv check was added.
Before that non-su users were able to open pfkey sockets as well.

Add a regression test so we can detect such problems in an automated way
in the future.
2007-11-13 08:59:29 +00:00
Robert Watson
d903306a26 Enhance and expand kernel privilege regression tests in support of
work present in FreeBSD 7.0 to refine the kernel privilege model:

- Introduce support for jail as a testing variable, in order to
  confirm that privileges are properly restricted in the jail
  environment.

- Restructure overall testing approach so that privilege and jail
  conditions are set in the testing infrastructure before tests
  are invoked, and done so in a custom-created process to isolate
  the impact of tests from each other in a more consistent way.

- Tests now provide setup and cleanup hooks that occur before and
  after the test runs.

- New privilege tests are now present for several audit
  privileges, several credential management privileges, dmesg
  buffer reading privilege, and netinet raw socket creation.

- Other existing tests are restructured and generally improved as
  a result of better framework structure and jail as a variable.
  For exampe, we now test that certain sysctls are writable only
  outside jail, while others are writable within jail.  On a
  similar note, privileges relating to setting UFS file flags are
  now better exercised, as with the right to chmod and utimes
  files.

Approved by:	re (bmah)
Obtained from:	TrustedBSD Project
2007-09-09 23:08:39 +00:00
Robert Watson
9fa5f6b4b9 dd a series of regression tests to validate that privilege requirements are
implemented properly for a number of kernel subsystems.  In general, they
try to exercise the privilege first as the root user, then as a test user,
in order to determine when privilege is being checked.

Currently, these tests do not compare inside/outside jail, and probably
should be enhanced to do that.

Sponsored by:	nCircle Network Security, Inc.
Obtained from:	TrustedBSD Project
2006-09-13 09:05:39 +00:00