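#!/bin/sh
#
# $FreeBSD$
#
# Regression test for mac_bsdextended(4) as driven by ugidfw(8).  Rule 1 is
# repeatedly replaced with a subject/object matcher and a write by an
# in-range or out-of-range uid/gid (or jail) is expected to be denied or
# allowed accordingly.  Output is TAP: a "1..N" plan line followed by
# "ok"/"not ok" lines.
#
# Must run as root with mac_bsdextended loaded.  jail(8) is optional; its
# two tests are reported as passed-with-skip-text when it is missing.
# Environment: TMPDIR - parent of the md(4)-backed playground (default /tmp).
#

uidrange="60000:100000"
gidrange="60000:100000"
uidinrange="nobody"
uidoutrange="daemon"
gidinrange="nobody"	# We expect $uidinrange in this group
gidoutrange="daemon"	# We expect $uidoutrange in this group

test_num=1

# Print a passing TAP line for the current test number and advance it.
# Arguments: description words (joined by single spaces)
pass()
{
	echo "ok $test_num # $*"
	test_num=$((test_num + 1))
}

# Print a failing TAP line for the current test number and advance it.
# Arguments: description words (joined by single spaces)
fail()
{
	echo "not ok $test_num # $*"
	test_num=$((test_num + 1))
}

#
# Setup
#

: ${TMPDIR=/tmp}
if [ "$(id -u)" -ne 0 ]; then
	echo "1..0 # SKIP test must be run as root"
	exit 0
fi
if ! sysctl -N security.mac.bsdextended >/dev/null 2>&1; then
	echo "1..0 # SKIP mac_bsdextended(4) support isn't available"
	exit 0
fi
if ! playground=$(mktemp -d "$TMPDIR/tmp.XXXXXXX"); then
	echo "1..0 # SKIP failed to create temporary directory"
	exit 0
fi
# Until the md device is mounted only the directory itself needs removing.
trap 'rmdir "$playground"' EXIT INT TERM
if ! mdmfs -s 25m md "$playground"; then
	echo "1..0 # SKIP failed to mount md device"
	exit 0
fi
chmod a+rwx "$playground"
# Recover the md unit backing the playground ("md0" from "/dev/md0").
md_device=$(mount -p | grep -F -- "$playground" | awk '{ gsub(/^\/dev\//, "", $1); print $1 }')

# Undo everything the test set up, in reverse order.  Rule 1 is removed
# here as well so a matcher installed by the test never outlives the run;
# its output is silenced because on the early-exit paths no rule exists.
cleanup()
{
	ugidfw remove 1 >/dev/null 2>&1
	umount -f "$playground"
	if [ -n "$md_device" ]; then
		mdconfig -d -u "$md_device"
	fi
	rmdir "$playground"
}
trap cleanup EXIT INT TERM
if [ -z "$md_device" ]; then
	mount -p | grep -F -- "$playground"
	echo "1..0 # SKIP md device not properly attached to the system"
	# Stop here; continuing would print a second plan line ("1..30").
	exit 0
fi

# Clear any rule 1 left behind by an earlier, interrupted run.
ugidfw remove 1

file1=$playground/test-$uidinrange
file2=$playground/test-$uidoutrange
# Helper run by every subject: it truncates (creating if needed) its
# argument, so the operation under test is the write/create on $1.
cat > "$playground/test-script.sh" <<'EOF'
#!/bin/sh
: > $1
EOF
if [ $? -ne 0 ]; then
	echo "1..0 # SKIP failed to create test script"
	exit 0
fi
echo "1..30"

# Kept as plain strings because they are passed to su -c.  Intentional
# word-splitting when one is run directly below.  NOTE(review): the
# playground is world-writable and $command2 is first run by root; this is
# acceptable only because the md filesystem is fresh for this run.
command1="sh $playground/test-script.sh $file1"
command2="sh $playground/test-script.sh $file2"

# Create both target files before any rule exists; ownership is then set
# so each file belongs to one of the two test identities.
desc="$uidinrange file"
if su -m "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

chown "$uidinrange":"$gidinrange" "$file1"
chmod a+w "$file1"

desc="$uidoutrange file"
if $command2; then
	pass "$desc"
else
	fail "$desc"
fi

chown "$uidoutrange":"$gidoutrange" "$file2"
chmod a+w "$file2"

#
# No rules
#
desc="no rules $uidinrange"
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="no rules $uidoutrange"
if su -fm "$uidoutrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

#
# Subject Match on uid
#
ugidfw set 1 subject uid "$uidrange" object mode rasx
desc="subject uid in range"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="subject uid out range"
if su -fm "$uidoutrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

#
# Subject Match on gid
#
ugidfw set 1 subject gid "$gidrange" object mode rasx

desc="subject gid in range"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="subject gid out range"
if su -fm "$uidoutrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

if command -v jail >/dev/null 2>&1; then
	#
	# Subject Match on jail
	#
	rm -f "$playground/test-jail"

	desc="subject matching jailid"
	# jail -i prints the new jail's id; the touch runs from inside the
	# jail a few seconds later, after the rule below is in place.
	jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
	ugidfw set 1 subject jailid "$jailid" object mode rasx
	sleep 10

	if [ -f "$playground/test-jail" ]; then
		fail "TODO $desc: this testcase fails (see bug # 205481)"
	else
		pass "$desc"
	fi

	rm -f "$playground/test-jail"
	desc="subject nonmatching jailid"
	# Rule 1 still names the previous jail's id, so this new jail must not
	# match.  The id is captured rather than used only to keep it off
	# stdout, where it would corrupt the TAP stream.
	jailid=$(jail -i / localhost 127.0.0.1 /usr/sbin/daemon -f /bin/sh -c "(sleep 5; touch $playground/test-jail) &")
	sleep 10
	if [ -f "$playground/test-jail" ]; then
		pass "$desc"
	else
		fail "$desc"
	fi
else
	# XXX: kyua is too dumb to parse skip ranges, still..
	pass "skip jail(8) not installed"
	pass "skip jail(8) not installed"
fi

#
# Object uid
#
ugidfw set 1 subject object uid "$uidrange" mode rasx

desc="object uid in range"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object uid out range"
if su -fm "$uidinrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi
ugidfw set 1 subject object uid "$uidrange" mode rasx

desc="object uid in range (different subject)"
if su -fm "$uidoutrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object uid out range (different subject)"
if su -fm "$uidoutrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi

#
# Object gid
#
# $gidrange holds the same value as $uidrange; it is named here so the
# gid tests read as gid tests.
ugidfw set 1 subject object gid "$gidrange" mode rasx

desc="object gid in range"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object gid out range"
if su -fm "$uidinrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi
desc="object gid in range (different subject)"
if su -fm "$uidoutrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

desc="object gid out range (different subject)"
if su -fm "$uidoutrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi

#
# Object filesys
#
ugidfw set 1 subject uid "$uidrange" object filesys / mode rasx
desc="object out of filesys"
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

ugidfw set 1 subject uid "$uidrange" object filesys "$playground" mode rasx
desc="object in filesys"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

#
# Object suid
#
ugidfw set 1 subject uid "$uidrange" object suid mode rasx
desc="object notsuid"
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

chmod u+s "$file1"
desc="object suid"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi
chmod u-s "$file1"

#
# Object sgid
#
ugidfw set 1 subject uid "$uidrange" object sgid mode rasx
desc="object notsgid"
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

chmod g+s "$file1"
desc="object sgid"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi
chmod g-s "$file1"

#
# Object uid matches subject
#
ugidfw set 1 subject uid "$uidrange" object uid_of_subject mode rasx

desc="object uid notmatches subject"
if su -fm "$uidinrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="object uid matches subject"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

#
# Object gid matches subject
#
ugidfw set 1 subject uid "$uidrange" object gid_of_subject mode rasx

desc="object gid notmatches subject"
if su -fm "$uidinrange" -c "$command2"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="object gid matches subject"
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi

#
# Object type
#
desc="object not type"
ugidfw set 1 subject uid "$uidrange" object type dbclsp mode rasx
if su -fm "$uidinrange" -c "$command1"; then
	pass "$desc"
else
	fail "$desc"
fi

desc="object type"
ugidfw set 1 subject uid "$uidrange" object type r mode rasx
if su -fm "$uidinrange" -c "$command1"; then
	fail "$desc"
else
	pass "$desc"
fi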