xref: /freebsd/tests/sys/mac/bsdextended/matches_test.sh (revision 1f4bcc459a76b7aa664f3fd557684cd0ba6da352)
1#!/bin/sh
2#
3# $FreeBSD$
4#
5
6uidrange="60000:100000"
7gidrange="60000:100000"
8uidinrange="nobody"
9uidoutrange="daemon"
10gidinrange="nobody" # We expect $uidinrange in this group
11gidoutrange="daemon" # We expect $uidinrange in this group
12
13test_num=1
14pass()
15{
16	echo "ok $test_num # $@"
17	: $(( test_num += 1 ))
18}
19
20fail()
21{
22	echo "not ok $test_num # $@"
23	: $(( test_num += 1 ))
24}
25
26#
27# Setup
28#
29
30: ${TMPDIR=/tmp}
31if [ $(id -u) -ne 0 ]; then
32	echo "1..0 # SKIP test must be run as root"
33	exit 0
34fi
35if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
36	echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
37	exit 0
38fi
39if ! playground=$(mktemp -d $TMPDIR/tmp.XXXXXXX); then
40	echo "1..0 # SKIP failed to create temporary directory"
41	exit 0
42fi
43trap "rmdir $playground" EXIT INT TERM
44if ! mdmfs -s 25m md $playground; then
45	echo "1..0 # SKIP failed to mount md device"
46	exit 0
47fi
48chmod a+rwx $playground
49md_device=$(mount -p | grep "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')
50trap "umount -f $playground; mdconfig -d -u $md_device; rmdir $playground" EXIT INT TERM
51if [ -z "$md_device" ]; then
52	mount -p | grep $playground
53	echo "1..0 # SKIP md device not properly attached to the system"
54fi
55
56ugidfw remove 1
57
58file1=$playground/test-$uidinrange
59file2=$playground/test-$uidoutrange
60cat > $playground/test-script.sh <<'EOF'
61#!/bin/sh
62: > $1
63EOF
64if [ $? -ne 0 ]; then
65	echo "1..0 # SKIP failed to create test script"
66	exit 0
67fi
68echo "1..30"
69
70command1="sh $playground/test-script.sh $file1"
71command2="sh $playground/test-script.sh $file2"
72
73desc="$uidinrange file"
74if su -m $uidinrange -c "$command1"; then
75	pass $desc
76else
77	fail $desc
78fi
79
80chown "$uidinrange":"$gidinrange" $file1
81chmod a+w $file1
82
83desc="$uidoutrange file"
84if $command2; then
85	pass $desc
86else
87	fail $desc
88fi
89
90chown "$uidoutrange":"$gidoutrange" $file2
91chmod a+w $file2
92
93#
94# No rules
95#
96desc="no rules $uidinrange"
97if su -fm $uidinrange -c "$command1"; then
98	pass $desc
99else
100	fail $desc
101fi
102
103desc="no rules $uidoutrange"
104if su -fm $uidoutrange -c "$command1"; then
105	pass $desc
106else
107	fail $desc
108fi
109
110#
111# Subject Match on uid
112#
113ugidfw set 1 subject uid $uidrange object mode rasx
114desc="subject uid in range"
115if su -fm $uidinrange -c "$command1"; then
116	fail $desc
117else
118	pass $desc
119fi
120
121desc="subject uid out range"
122if su -fm $uidoutrange -c "$command1"; then
123	pass $desc
124else
125	fail $desc
126fi
127
128#
129# Subject Match on gid
130#
131ugidfw set 1 subject gid $gidrange object mode rasx
132
133desc="subject gid in range"
134if su -fm $uidinrange -c "$command1"; then
135	fail $desc
136else
137	pass $desc
138fi
139
140desc="subject gid out range"
141if su -fm $uidoutrange -c "$command1"; then
142	pass $desc
143else
144	fail $desc
145fi
146
147#
148# Subject Match on jail
149#
150rm -f $playground/test-jail
151
152desc="subject matching jailid"
153jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
154ugidfw set 1 subject jailid $jailid object mode rasx
155sleep 10
156
157if [ -f $playground/test-jail ]; then
158	fail "TODO $desc: this testcase fails (see bug # 205481)"
159else
160	pass $desc
161fi
162
163rm -f $playground/test-jail
164desc="subject nonmatching jailid"
165jailid=`jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &"`
166sleep 10
167if [ -f $playground/test-jail ]; then
168	pass $desc
169else
170	fail $desc
171fi
172
173#
174# Object uid
175#
176ugidfw set 1 subject object uid $uidrange mode rasx
177
178desc="object uid in range"
179if su -fm $uidinrange -c "$command1"; then
180	fail $desc
181else
182	pass $desc
183fi
184
185desc="object uid out range"
186if su -fm $uidinrange -c "$command2"; then
187	pass $desc
188else
189	fail $desc
190fi
191ugidfw set 1 subject object uid $uidrange mode rasx
192
193desc="object uid in range (different subject)"
194if su -fm $uidoutrange -c "$command1"; then
195	fail $desc
196else
197	pass $desc
198fi
199
200desc="object uid out range (different subject)"
201if su -fm $uidoutrange -c "$command2"; then
202	pass $desc
203else
204	fail $desc
205fi
206
207#
208# Object gid
209#
210ugidfw set 1 subject object gid $uidrange mode rasx
211
212desc="object gid in range"
213if su -fm $uidinrange -c "$command1"; then
214	fail $desc
215else
216	pass $desc
217fi
218
219desc="object gid out range"
220if su -fm $uidinrange -c "$command2"; then
221	pass $desc
222else
223	fail $desc
224fi
225desc="object gid in range (different subject)"
226if su -fm $uidoutrange -c "$command1"; then
227	fail $desc
228else
229	pass $desc
230fi
231
232desc="object gid out range (different subject)"
233if su -fm $uidoutrange -c "$command2"; then
234	pass $desc
235else
236	fail $desc
237fi
238
239#
240# Object filesys
241#
242ugidfw set 1 subject uid $uidrange object filesys / mode rasx
243desc="object out of filesys"
244if su -fm $uidinrange -c "$command1"; then
245	pass $desc
246else
247	fail $desc
248fi
249
250ugidfw set 1 subject uid $uidrange object filesys $playground mode rasx
251desc="object in filesys"
252if su -fm $uidinrange -c "$command1"; then
253	fail $desc
254else
255	pass $desc
256fi
257
258#
259# Object suid
260#
261ugidfw set 1 subject uid $uidrange object suid mode rasx
262desc="object notsuid"
263if su -fm $uidinrange -c "$command1"; then
264	pass $desc
265else
266	fail $desc
267fi
268
269chmod u+s $file1
270desc="object suid"
271if su -fm $uidinrange -c "$command1"; then
272	fail $desc
273else
274	pass $desc
275fi
276chmod u-s $file1
277
278#
279# Object sgid
280#
281ugidfw set 1 subject uid $uidrange object sgid mode rasx
282desc="object notsgid"
283if su -fm $uidinrange -c "$command1"; then
284	pass $desc
285else
286	fail $desc
287fi
288
289chmod g+s $file1
290desc="object sgid"
291if su -fm $uidinrange -c "$command1"; then
292	fail $desc
293else
294	pass $desc
295fi
296chmod g-s $file1
297
298#
299# Object uid matches subject
300#
301ugidfw set 1 subject uid $uidrange object uid_of_subject mode rasx
302
303desc="object uid notmatches subject"
304if su -fm $uidinrange -c "$command2"; then
305	pass $desc
306else
307	fail $desc
308fi
309
310desc="object uid matches subject"
311if su -fm $uidinrange -c "$command1"; then
312	fail $desc
313else
314	pass $desc
315fi
316
317#
318# Object gid matches subject
319#
320ugidfw set 1 subject uid $uidrange object gid_of_subject mode rasx
321
322desc="object gid notmatches subject"
323if su -fm $uidinrange -c "$command2"; then
324	pass $desc
325else
326	fail $desc
327fi
328
329desc="object gid matches subject"
330if su -fm $uidinrange -c "$command1"; then
331	fail $desc
332else
333	pass $desc
334fi
335
336#
337# Object type
338#
339desc="object not type"
340ugidfw set 1 subject uid $uidrange object type dbclsp mode rasx
341if su -fm $uidinrange -c "$command1"; then
342	pass $desc
343else
344	fail $desc
345fi
346
347desc="object type"
348ugidfw set 1 subject uid $uidrange object type r mode rasx
349if su -fm $uidinrange -c "$command1"; then
350	fail $desc
351else
352	pass $desc
353fi
354