Make the mac_portacl testcases work / more robust
- A trap(1) call has been added to the test scripts to better
ensure that the tests do a better job at trying to restore the
test host state at the end of the tests (if the test was
interrupted before it would leave the system in an odd state,
potentially making the test results for subsequent runs
non-deterministic).
- Add root user checks
- Fix nc(1) usage:
-- -o is deprecated
-- Using `-w 10` will make the call timeout after 10 seconds so it
doesn't block indefinitely
- Use local variables
- Be more terse in the error messages
- Parameterize out "127.0.0.1"
MFC after: 1 week
Sponsored by: EMC / Isilon Storage Division
This commit is contained in:
ngie
parent
bcce3a9a60
commit
08f67a93a9
@ -6,10 +6,18 @@ if [ $? -ne 0 ]; then
|
||||
echo "1..0 # SKIP MAC_PORTACL is unavailable."
|
||||
exit 0
|
||||
fi
|
||||
if [ $(id -u) -ne 0 ]; then
|
||||
echo "1..0 # SKIP testcases must be run as root"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
ntest=1
|
||||
|
||||
check_bind() {
|
||||
local host idtype name proto port udpflag
|
||||
|
||||
host="127.0.0.1"
|
||||
|
||||
idtype=${1}
|
||||
name=${2}
|
||||
proto=${3}
|
||||
@ -17,10 +25,10 @@ check_bind() {
|
||||
|
||||
[ "${proto}" = "udp" ] && udpflag="-u"
|
||||
|
||||
out=`(
|
||||
out=$(
|
||||
case "${idtype}" in
|
||||
uid|gid)
|
||||
( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 127.0.0.1 $port" 2>&1 ) &
|
||||
( echo -n | su -m ${name} -c "nc ${udpflag} -l -w 10 $host $port" 2>&1 ) &
|
||||
;;
|
||||
jail)
|
||||
kill $$
|
||||
@ -29,9 +37,9 @@ check_bind() {
|
||||
kill $$
|
||||
esac
|
||||
sleep 0.3
|
||||
echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1
|
||||
echo | nc ${udpflag} -w 10 $host $port >/dev/null 2>&1
|
||||
wait
|
||||
)`
|
||||
)
|
||||
case "${out}" in
|
||||
"nc: Permission denied"*|"nc: Operation not permitted"*)
|
||||
echo fl
|
||||
@ -46,6 +54,8 @@ check_bind() {
|
||||
}
|
||||
|
||||
bind_test() {
|
||||
local expect_without_rule expect_with_rule idtype name proto port
|
||||
|
||||
expect_without_rule=${1}
|
||||
expect_with_rule=${2}
|
||||
idtype=${3}
|
||||
@ -54,40 +64,40 @@ bind_test() {
|
||||
port=${6}
|
||||
|
||||
sysctl security.mac.portacl.rules= >/dev/null
|
||||
out=`check_bind ${idtype} ${name} ${proto} ${port}`
|
||||
out=$(check_bind ${idtype} ${name} ${proto} ${port})
|
||||
if [ "${out}" = "${expect_without_rule}" ]; then
|
||||
echo "ok ${ntest}"
|
||||
elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
|
||||
echo "not ok ${ntest}"
|
||||
echo "not ok ${ntest} # '${out}' != '${expect_without_rule}'"
|
||||
else
|
||||
echo "not ok ${ntest} # ${out}"
|
||||
echo "not ok ${ntest} # unexpected output: '${out}'"
|
||||
fi
|
||||
ntest=$((ntest+1))
|
||||
: $(( ntest += 1 ))
|
||||
|
||||
if [ "${idtype}" = "uid" ]; then
|
||||
idstr=`id -u ${name}`
|
||||
idstr=$(id -u ${name})
|
||||
elif [ "${idtype}" = "gid" ]; then
|
||||
idstr=`id -g ${name}`
|
||||
idstr=$(id -g ${name})
|
||||
else
|
||||
idstr=${name}
|
||||
fi
|
||||
sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null
|
||||
out=`check_bind ${idtype} ${name} ${proto} ${port}`
|
||||
out=$(check_bind ${idtype} ${name} ${proto} ${port})
|
||||
if [ "${out}" = "${expect_with_rule}" ]; then
|
||||
echo "ok ${ntest}"
|
||||
elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
|
||||
echo "not ok ${ntest}"
|
||||
echo "not ok ${ntest} # '${out}' != '${expect_with_rule}'"
|
||||
else
|
||||
echo "not ok ${ntest} # ${out}"
|
||||
echo "not ok ${ntest} # unexpected output: '${out}'"
|
||||
fi
|
||||
ntest=$((ntest+1))
|
||||
: $(( ntest += 1 ))
|
||||
|
||||
sysctl security.mac.portacl.rules= >/dev/null
|
||||
}
|
||||
|
||||
reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh`
|
||||
suser_exempt=`sysctl -n security.mac.portacl.suser_exempt`
|
||||
port_high=`sysctl -n security.mac.portacl.port_high`
|
||||
reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
|
||||
suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
|
||||
port_high=$(sysctl -n security.mac.portacl.port_high)
|
||||
|
||||
restore_settings() {
|
||||
sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null
|
||||
|
||||
@ -10,6 +10,8 @@ echo "1..64"
|
||||
# behaviour.
|
||||
# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.
|
||||
|
||||
trap restore_settings EXIT INT TERM
|
||||
|
||||
sysctl security.mac.portacl.suser_exempt=1 >/dev/null
|
||||
sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null
|
||||
|
||||
@ -63,5 +65,3 @@ bind_test fl ok gid nobody tcp 77
|
||||
bind_test ok ok gid nobody tcp 7777
|
||||
bind_test fl ok gid nobody udp 77
|
||||
bind_test ok ok gid nobody udp 7777
|
||||
|
||||
restore_settings
|
||||
|
||||
@ -8,6 +8,8 @@ echo "1..48"
|
||||
|
||||
# Verify if security.mac.portacl.suser_exempt=1 really exempts super-user.
|
||||
|
||||
trap restore_settings EXIT INT TERM
|
||||
|
||||
sysctl security.mac.portacl.suser_exempt=1 >/dev/null
|
||||
|
||||
bind_test ok ok uid root tcp 77
|
||||
@ -47,5 +49,3 @@ bind_test fl ok gid root tcp 77
|
||||
bind_test fl ok gid root tcp 7777
|
||||
bind_test fl ok gid root udp 77
|
||||
bind_test fl ok gid root udp 7777
|
||||
|
||||
restore_settings
|
||||
|
||||
Loading…
Reference in New Issue
Block a user