1#!/bin/sh
2#
3# $FreeBSD$
4#
5
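# uid/gid range the ugidfw(8) rules below apply to, plus one user expected
# inside it and one outside.  "nobody" (uid/gid 65534 on FreeBSD) falls in
# the range, "daemon" (uid/gid 1) does not; both the rule matching and the
# file ownership set up later rely on that.
uidrange="60000:100000"
gidrange="60000:100000"
uidinrange="nobody"
uidoutrange="daemon"
gidinrange="nobody" # We expect $uidinrange in this group
gidoutrange="daemon" # We expect $uidoutrange in this group

# Running number of the next TAP "ok N" / "not ok N" line; pass() and
# fail() advance it.
test_num=1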
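#
# Emit a TAP "ok N # description" line and advance $test_num.
# Arguments: the description, joined with single spaces.
#
pass()
{
	# "$*" joins the arguments unambiguously; "$@" inside a string relies
	# on field-joining rules that differ between shells.
	printf 'ok %s # %s\n' "$test_num" "$*"
	: $(( test_num += 1 ))
}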
19
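#
# Emit a TAP "not ok N # description" line and advance $test_num.
# Arguments: the description, joined with single spaces.
#
fail()
{
	# "$*" joins the arguments unambiguously; "$@" inside a string relies
	# on field-joining rules that differ between shells.
	printf 'not ok %s # %s\n' "$test_num" "$*"
	: $(( test_num += 1 ))
}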
25
26#
27# Setup
28#
29
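#
# Setup
#
# Every step below either ends the run with a TAP "1..0 # SKIP" line (the
# environment cannot host the test) or leaves a fresh md(4)-backed file
# system mounted at $playground, with teardown armed on exit.
#

: ${TMPDIR=/tmp}
if [ "$(id -u)" -ne 0 ]; then
	echo "1..0 # SKIP test must be run as root"
	exit 0
fi
if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
	echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
	exit 0
fi
if [ "$TMPDIR" != "/tmp" ]; then
	# The unprivileged test users have to reach the script and files
	# under $playground, so every path component must be traversable.
	if ! chmod -Rf 0755 "$TMPDIR"; then
		echo "1..0 # SKIP failed to chmod $TMPDIR"
		exit 0
	fi
fi
if ! playground=$(mktemp -d "$TMPDIR/tmp.XXXXXXX"); then
	echo "1..0 # SKIP failed to create temporary directory"
	exit 0
fi

#
# Tear down in reverse order of setup.  $mounted and $md_device are filled
# in as the corresponding steps succeed, so an early SKIP only undoes what
# was actually done.
#
mounted=
md_device=
cleanup()
{
	# Rule 1 is the only rule these tests install; left behind, it would
	# keep restricting the whole uid range after the test has finished.
	# It may legitimately not exist yet (early SKIP), hence the silenced
	# stderr.
	ugidfw remove 1 2>/dev/null
	if [ -n "$mounted" ]; then
		umount -f "$playground"
	fi
	if [ -n "$md_device" ]; then
		mdconfig -d -u "$md_device"
	fi
	rmdir "$playground"
}
trap cleanup EXIT INT TERM

if ! mdmfs -s 25m md "$playground"; then
	echo "1..0 # SKIP failed to mount md device"
	exit 0
fi
mounted=1
chmod a+rwx "$playground"
# mount -p prints fstab-style lines; take the special file of the
# playground's entry and strip the /dev/ prefix to get the md unit.
# -F keeps the path from being read as a regular expression.
md_device=$(mount -p | grep -F -- "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')
if [ -z "$md_device" ]; then
	# Diagnostic only; keep it off stdout so the TAP stream stays clean.
	mount -p | grep -F -- "$playground" >&2
	echo "1..0 # SKIP md device not properly attached to the system"
	# Without this exit the tests below would run against an unknown
	# device and the trap would call mdconfig with an empty unit.
	exit 0
fi

# Start from a clean slate in case an earlier run left rule 1 behind.
ugidfw remove 1

file1=$playground/test-$uidinrange
file2=$playground/test-$uidoutrange
# Each test truncates (creating if needed) the file it is handed; whether
# that is permitted is what the rules are checked against.
cat > "$playground/test-script.sh" <<'EOF'
#!/bin/sh
: > "$1"
EOF
if [ $? -ne 0 ]; then
	echo "1..0 # SKIP failed to create test script"
	exit 0
fi
# TAP plan: must equal the number of pass/fail lines emitted by the tests.
echo "1..30"

command1="sh $playground/test-script.sh $file1"
command2="sh $playground/test-script.sh $file2"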
78
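#
# Run "$3" as user "$2" through su(1) and emit a TAP line for "$1".
# expect_allow passes when the command succeeds (no rule blocked it);
# expect_deny passes when the command fails (the rule under test blocked
# it).  Every rule test below is one of these two checks.
#
expect_allow()
{
	if su -fm "$2" -c "$3"; then
		pass "$1"
	else
		fail "$1"
	fi
}

expect_deny()
{
	if su -fm "$2" -c "$3"; then
		fail "$1"
	else
		pass "$1"
	fi
}

#
# Create the two target files.  No rule is loaded yet, so the in-range
# user must be able to create its own; the out-of-range file is created
# by root and then handed to the out-of-range user.
#
desc="$uidinrange file"
if su -m "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi
chown "$uidinrange:$gidinrange" "$file1"
chmod a+w "$file1"

desc="$uidoutrange file"
# Intentionally unquoted: $command2 is a whole command line to be split.
if $command2; then
	pass "$desc"
else
	fail "$desc"
fi
chown "$uidoutrange:$gidoutrange" "$file2"
chmod a+w "$file2"

#
# No rules
#
expect_allow "no rules $uidinrange" "$uidinrange" "$command1"
expect_allow "no rules $uidoutrange" "$uidoutrange" "$command1"

#
# Subject Match on uid
#
ugidfw set 1 subject uid "$uidrange" object mode rasx
expect_deny "subject uid in range" "$uidinrange" "$command1"
expect_allow "subject uid out range" "$uidoutrange" "$command1"

#
# Subject Match on gid
#
ugidfw set 1 subject gid "$gidrange" object mode rasx
expect_deny "subject gid in range" "$uidinrange" "$command1"
expect_allow "subject gid out range" "$uidoutrange" "$command1"

if command -v jail >/dev/null; then
	#
	# Subject Match on jail
	#
	# A jailed daemon touches the marker file after 5 seconds; the rule
	# is expected to stop that only for the jail id it names.
	#
	rm -f "$playground/test-jail"

	desc="subject matching jailid"
	jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
	ugidfw set 1 subject jailid "$jailid" object mode rasx
	sleep 10
	if [ -f "$playground/test-jail" ]; then
		fail "TODO $desc: this testcase fails (see bug # 205481)"
	else
		pass "$desc"
	fi

	rm -f "$playground/test-jail"
	desc="subject nonmatching jailid"
	# The new id is deliberately unused: any fresh jail differs from the
	# one rule 1 still names, which is the point of this check.
	jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
	sleep 10
	if [ -f "$playground/test-jail" ]; then
		pass "$desc"
	else
		fail "$desc"
	fi
else
	# XXX: kyua is too dumb to parse skip ranges, still..
	pass "skip jail(8) not installed"
	pass "skip jail(8) not installed"
fi

#
# Object uid
#
ugidfw set 1 subject object uid "$uidrange" mode rasx
expect_deny "object uid in range" "$uidinrange" "$command1"
expect_allow "object uid out range" "$uidinrange" "$command2"
expect_deny "object uid in range (different subject)" "$uidoutrange" "$command1"
expect_allow "object uid out range (different subject)" "$uidoutrange" "$command2"

#
# Object gid
#
ugidfw set 1 subject object gid "$gidrange" mode rasx
expect_deny "object gid in range" "$uidinrange" "$command1"
expect_allow "object gid out range" "$uidinrange" "$command2"
expect_deny "object gid in range (different subject)" "$uidoutrange" "$command1"
expect_allow "object gid out range (different subject)" "$uidoutrange" "$command2"

#
# Object filesys
#
# $file1 lives on the md file system mounted at $playground, not on /.
ugidfw set 1 subject uid "$uidrange" object filesys / mode rasx
expect_allow "object out of filesys" "$uidinrange" "$command1"

ugidfw set 1 subject uid "$uidrange" object filesys "$playground" mode rasx
expect_deny "object in filesys" "$uidinrange" "$command1"

#
# Object suid
#
ugidfw set 1 subject uid "$uidrange" object suid mode rasx
expect_allow "object notsuid" "$uidinrange" "$command1"

chmod u+s "$file1"
expect_deny "object suid" "$uidinrange" "$command1"
chmod u-s "$file1"

#
# Object sgid
#
ugidfw set 1 subject uid "$uidrange" object sgid mode rasx
expect_allow "object notsgid" "$uidinrange" "$command1"

chmod g+s "$file1"
expect_deny "object sgid" "$uidinrange" "$command1"
chmod g-s "$file1"

#
# Object uid matches subject
#
# $file1 is owned by $uidinrange, $file2 by $uidoutrange (set up above).
ugidfw set 1 subject uid "$uidrange" object uid_of_subject mode rasx
expect_allow "object uid notmatches subject" "$uidinrange" "$command2"
expect_deny "object uid matches subject" "$uidinrange" "$command1"

#
# Object gid matches subject
#
ugidfw set 1 subject uid "$uidrange" object gid_of_subject mode rasx
expect_allow "object gid notmatches subject" "$uidinrange" "$command2"
expect_deny "object gid matches subject" "$uidinrange" "$command1"

#
# Object type
#
# "dbclsp" is every object type except regular files ("r").
ugidfw set 1 subject uid "$uidrange" object type dbclsp mode rasx
expect_allow "object not type" "$uidinrange" "$command1"

ugidfw set 1 subject uid "$uidrange" object type r mode rasx
expect_deny "object type" "$uidinrange" "$command1"

# Rule 1 would otherwise stay active after the test exits, denying the
# whole uid range access to regular files system-wide.
ugidfw remove 1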
366