1#!/bin/sh
2#
3# $FreeBSD$
4#
5
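# Credential ranges handed to ugidfw(8).  The "in range" user and group
# below must fall inside them and the "out of range" ones outside them.
uidrange="60000:100000"
gidrange="60000:100000"
uidinrange="nobody"
uidoutrange="daemon"
gidinrange="nobody" # We expect $uidinrange in this group
gidoutrange="daemon" # We expect $uidoutrange in this group

# TAP test counter, advanced by pass() and fail() below.
test_num=1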
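#
# pass - print a TAP "ok" line for the current test and advance the counter.
# Arguments: the test description, printed after "# ".
# Globals:   test_num (read, then incremented)
#
pass()
{
	# "$*" joins the description into one word; "$@" inside a quoted
	# string would split it into several words (SC2145).
	printf 'ok %s # %s\n' "$test_num" "$*"
	test_num=$((test_num + 1))
}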
19
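#
# fail - print a TAP "not ok" line for the current test and advance the counter.
# Arguments: the test description, printed after "# ".
# Globals:   test_num (read, then incremented)
#
fail()
{
	# "$*" joins the description into one word; "$@" inside a quoted
	# string would split it into several words (SC2145).
	printf 'not ok %s # %s\n' "$test_num" "$*"
	test_num=$((test_num + 1))
}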
25
26#
27# Setup
28#
29
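: "${TMPDIR=/tmp}"
if [ "$(id -u)" -ne 0 ]; then
	echo "1..0 # SKIP test must be run as root"
	exit 0
fi
if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
	echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
	exit 0
fi
if ! playground=$(mktemp -d "$TMPDIR/tmp.XXXXXXX"); then
	echo "1..0 # SKIP failed to create temporary directory"
	exit 0
fi
# Single quotes: $playground is expanded when the trap fires, not here.
trap 'rmdir "$playground"' EXIT INT TERM
if ! mdmfs -s 25m md "$playground"; then
	echo "1..0 # SKIP failed to mount md device"
	exit 0
fi
chmod a+rwx "$playground"
# -F: the mktemp path contains '.', which would otherwise act as a regex
# wildcard when looking the mount point up in the mount -p output.
md_device=$(mount -p | grep -F -- "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')

# Tear down everything this script sets up: the ugidfw(8) rule slot it
# claims below, the md-backed filesystem and the temporary directory.
cleanup()
{
	# Rule 1 may already be gone (or never have been set) by the time
	# we exit; leaving it behind would keep a policy rule active after
	# the test, so the removal is best-effort and its error is ignored.
	ugidfw remove 1 >/dev/null 2>&1
	umount -f "$playground"
	mdconfig -d -u "$md_device"
	rmdir "$playground"
}
trap cleanup EXIT INT TERM
if [ -z "$md_device" ]; then
	mount -p | grep -F -- "$playground"
	echo "1..0 # SKIP md device not properly attached to the system"
	# The SKIP line announces that no tests run; do not fall through.
	exit 0
fi

# Start from a clean slot: every section below rewrites rule 1.
ugidfw remove 1

file1=$playground/test-$uidinrange
file2=$playground/test-$uidoutrange
# The helper creates/truncates whatever path it is given.  Its $1 is
# expanded by the helper's own shell, hence the quoted heredoc delimiter.
cat > "$playground/test-script.sh" <<'EOF'
#!/bin/sh
: > $1
EOF
if [ $? -ne 0 ]; then
	echo "1..0 # SKIP failed to create test script"
	exit 0
fi
echo "1..30"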
69
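# Both commands are shell strings: su -c hands them to a shell, and the
# bare $command2 invocation below relies on word-splitting.
command1="sh $playground/test-script.sh $file1"
command2="sh $playground/test-script.sh $file2"

# Create file1 as the in-range user, then hand it to the in-range uid/gid.
desc="$uidinrange file"
if su -m "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

chown "$uidinrange":"$gidinrange" "$file1"
chmod a+w "$file1"

# Create file2 as root (no su), then hand it to the out-of-range uid/gid.
desc="$uidoutrange file"
# shellcheck disable=SC2086 -- word-splitting of the command string is intended
if $command2; then
	pass "$desc"
else
	fail "$desc"
fi

chown "$uidoutrange":"$gidoutrange" "$file2"
chmod a+w "$file2"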
92
93#
94# No rules
95#
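# With rule 1 removed, neither user may be refused the write.
desc="no rules $uidinrange"
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="no rules $uidoutrange"
if su -fm "$uidoutrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi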
109
110#
111# Subject Match on uid
112#
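# Rule 1 now covers subjects whose uid is in $uidrange.  The mode list
# (rasx) does not include write, so the in-range user must be refused
# the write the test script performs and the out-of-range user must not.
ugidfw set 1 subject uid "$uidrange" object mode rasx
desc="subject uid in range"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="subject uid out range"
if su -fm "$uidoutrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi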
127
128#
129# Subject Match on gid
130#
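# Same shape as the uid case, keyed on the subject's gid.  $uidinrange is
# expected to be in $gidinrange (see the variable comments at the top),
# so it is the subject that must be refused here.
ugidfw set 1 subject gid "$gidrange" object mode rasx

desc="subject gid in range"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="subject gid out range"
if su -fm "$uidoutrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi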
146
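if command -v jail >/dev/null 2>&1; then
	#
	# Subject Match on jail
	#
	rm -f "$playground/test-jail"

	# Each jail runs a detached shell that touches the marker file after
	# 5 seconds; the 10 second sleep gives it time to run (or be refused).
	desc="subject matching jailid"
	jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
	if [ -z "$jailid" ]; then
		# Without an id the ugidfw invocation would be malformed and the
		# missing marker file would then look like a pass.
		fail "$desc: jail(8) did not return a jail id"
	else
		ugidfw set 1 subject jailid "$jailid" object mode rasx
		sleep 10
		if [ -f "$playground/test-jail" ]; then
			fail "TODO $desc: this testcase fails (see bug # 205481)"
		else
			pass "$desc"
		fi
	fi

	rm -f "$playground/test-jail"
	# Rule 1 still names the first jail's id (when that jail started), so
	# a fresh jail must not match it and the marker file must appear.
	desc="subject nonmatching jailid"
	jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
	sleep 10
	if [ -f "$playground/test-jail" ]; then
		pass "$desc"
	else
		fail "$desc"
	fi
else
	# XXX: kyua is too dumb to parse skip ranges, still..
	# Two entries keep the "1..30" plan intact.
	pass "skip jail(8) not installed"
	pass "skip jail(8) not installed"
fi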
178
179#
180# Object uid
181#
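# Rule 1 now keys on the object's owner: a write to a file owned by a uid
# in $uidrange must be refused whoever the subject is, while a file owned
# by an out-of-range uid stays writable.
ugidfw set 1 subject object uid "$uidrange" mode rasx

desc="object uid in range"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object uid out range"
if su -fm "$uidinrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi

# The rule set above is left unchanged for the different-subject cases.
desc="object uid in range (different subject)"
if su -fm "$uidoutrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object uid out range (different subject)"
if su -fm "$uidoutrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi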
212
213#
214# Object gid
215#
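# Same shape as the object uid case, keyed on the object's group.  Uses
# $gidrange, as the subject gid section does, rather than $uidrange.
ugidfw set 1 subject object gid "$gidrange" mode rasx

desc="object gid in range"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object gid out range"
if su -fm "$uidinrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="object gid in range (different subject)"
if su -fm "$uidoutrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object gid out range (different subject)"
if su -fm "$uidoutrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi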
244
245#
246# Object filesys
247#
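# Rule 1 restricts in-range subjects only for objects on the named
# filesystem.  The playground is a separate md-backed mount, so "/" does
# not cover it and the write must still succeed; naming the playground
# itself must refuse the write.
ugidfw set 1 subject uid "$uidrange" object filesys / mode rasx
desc="object out of filesys"
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

ugidfw set 1 subject uid "$uidrange" object filesys "$playground" mode rasx
desc="object in filesys"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi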
263
264#
265# Object suid
266#
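# Rule 1 applies to in-range subjects only when the object is setuid:
# file1 is writable while plain and must be refused once u+s is set.
# The setuid bit is cleared again so later sections see a plain file.
ugidfw set 1 subject uid "$uidrange" object suid mode rasx
desc="object notsuid"
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

chmod u+s "$file1"
desc="object suid"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi
chmod u-s "$file1"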
283
284#
285# Object sgid
286#
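# Same shape as the suid case, keyed on the setgid bit.  The bit is
# cleared again so later sections see a plain file.
ugidfw set 1 subject uid "$uidrange" object sgid mode rasx
desc="object notsgid"
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

chmod g+s "$file1"
desc="object sgid"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi
chmod g-s "$file1"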
303
304#
305# Object uid matches subject
306#
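# Rule 1 applies only when the object is owned by the subject's own uid:
# file2 (owned by $uidoutrange) stays writable for $uidinrange, file1
# (owned by $uidinrange) must be refused.
ugidfw set 1 subject uid "$uidrange" object uid_of_subject mode rasx

desc="object uid notmatches subject"
if su -fm "$uidinrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="object uid matches subject"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi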
322
323#
324# Object gid matches subject
325#
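# Same shape as uid_of_subject, keyed on the subject's gid against the
# object's group: file2 ($gidoutrange) stays writable, file1 ($gidinrange)
# must be refused.
ugidfw set 1 subject uid "$uidrange" object gid_of_subject mode rasx

desc="object gid notmatches subject"
if su -fm "$uidinrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="object gid matches subject"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi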
341
342#
343# Object type
344#
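# Rule 1 keyed on object type: the list "dbclsp" leaves out r, so the
# regular file file1 is not covered and the write must succeed; the
# list "r" covers it and the write must be refused.
desc="object not type"
ugidfw set 1 subject uid "$uidrange" object type dbclsp mode rasx
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="object type"
ugidfw set 1 subject uid "$uidrange" object type r mode rasx
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi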
359fi
360