xref: /freebsd/tests/sys/mac/ipacl/ipacl_test.sh (revision 28f6c2f292806bf31230a959bc4b19d7081669a7)
1#-
2# Copyright (c) 2019, 2023 Shivank Garg <shivank@FreeBSD.org>
3#
4# This code was developed as a Google Summer of Code 2019 project
5# under the guidance of Bjoern A. Zeeb.
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27#
28# $FreeBSD$
29
30. $(atf_get_srcdir)/utils.subr
31
32atf_test_case "ipacl_v4" "cleanup"
33
34ipacl_v4_head()
35{
36	atf_set descr 'basic test for ipacl on IPv4 addresses'
37	atf_set require.user root
38}
39
40ipacl_v4_body()
41{
42	ipacl_test_init
43
44	epairA=$(vnet_mkepair)
45	epairB=$(vnet_mkepair)
46	epairC=$(vnet_mkepair)
47
48	vnet_mkjail A ${epairA}b
49	vnet_mkjail B ${epairB}b ${epairC}b
50
51	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
52	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')
53
54	# The ipacl policy module is not enforced for IPv4.
55	sysctl security.mac.ipacl.ipv4=0
56
57	atf_check -s exit:0 -e ignore \
58	    jexec A ifconfig ${epairA}b 192.0.2.2/24 up
59	atf_check -s exit:0 -e ignore \
60	    jexec A ifconfig ${epairA}b 203.0.113.254/24 up
61
62	# The ipacl policy module is enforced for IPv4 and prevent all
63	# jails from setting their IPv4 address.
64	sysctl security.mac.ipacl.ipv4=1
65	sysctl security.mac.ipacl.rules=
66
67	atf_check -s not-exit:0 -e ignore \
68	    jexec A ifconfig ${epairA}b 192.0.2.2/24 up
69	atf_check -s not-exit:0 -e ignore \
70	    jexec A ifconfig ${epairA}b 203.0.113.254/24 up
71
72	rule="${jidA},1,${epairA}b,AF_INET,192.0.2.42/-1@"
73	rule="${rule}${jidB},1,${epairB}b,AF_INET,198.51.100.12/-1@"
74	rule="${rule}${jidB},1,,AF_INET,203.0.113.1/24@"
75	rule="${rule}${jidB},0,,AF_INET,203.0.113.9/-1"
76	sysctl security.mac.ipacl.rules="${rule}"
77
78	# Verify if it allows jail to set only certain IPv4 address.
79	atf_check -s exit:0 -e ignore \
80	    jexec A ifconfig ${epairA}b 192.0.2.42/24 up
81	atf_check -s not-exit:0 -e ignore \
82	    jexec A ifconfig ${epairA}b 192.0.2.43/24 up
83	atf_check -s exit:0 -e ignore \
84	    jexec B ifconfig ${epairB}b 198.51.100.12/24 up
85	atf_check -s not-exit:0 -e ignore \
86	    jexec B ifconfig ${epairC}b 198.51.100.12/24 up
87
88	# Verify if the module allow jail to set any address in subnet.
89	atf_check -s exit:0 -e ignore \
90	    jexec B ifconfig ${epairB}b 203.0.113.19/24 up
91	atf_check -s exit:0 -e ignore \
92	    jexec B ifconfig ${epairB}b 203.0.113.241/24 up
93	atf_check -s not-exit:0 -e ignore \
94	    jexec B ifconfig ${epairB}b 198.18.0.1/24 up
95	atf_check -s not-exit:0 -e ignore \
96	    jexec B ifconfig ${epairB}b 203.0.113.9/24 up
97
98	# Check wildcard for interfaces.
99	atf_check -s exit:0 -e ignore \
100	    jexec B ifconfig ${epairC}b 203.0.113.20/24 up
101	atf_check -s exit:0 -e ignore \
102	    jexec B ifconfig ${epairC}b 203.0.113.242/24 up
103	atf_check -s not-exit:0 -e ignore \
104	    jexec B ifconfig ${epairC}b 198.18.0.1/24 up
105	atf_check -s not-exit:0 -e ignore \
106	    jexec B ifconfig ${epairC}b 203.0.113.9/24 up
107
108	rule="${jidA},1,,AF_INET,198.18.0.0/15@"
109	rule="${rule}${jidA},0,,AF_INET,198.18.23.0/24@"
110	rule="${rule}${jidA},1,,AF_INET,198.18.23.1/-1@"
111	rule="${rule}${jidA},1,,AF_INET,198.51.100.0/24@"
112	rule="${rule}${jidA},0,,AF_INET,198.51.100.100/-1"
113	sysctl security.mac.ipacl.rules="${rule}"
114
115	# Tests from Benchamarking and Documentation(TEST-NET-3).
116	atf_check -s exit:0 -e ignore \
117	    jexec A ifconfig ${epairA}b 198.18.0.1/24 up
118	atf_check -s not-exit:0 -e ignore \
119	    jexec A ifconfig ${epairA}b 198.18.23.2/24 up
120	atf_check -s exit:0 -e ignore \
121	    jexec A ifconfig ${epairA}b 198.18.23.1/22 up
122	atf_check -s not-exit:0 -e ignore \
123	    jexec A ifconfig ${epairA}b 198.18.23.3/24 up
124
125	atf_check -s exit:0 -e ignore \
126	    jexec A ifconfig ${epairA}b 198.51.100.001/24 up
127	atf_check -s exit:0 -e ignore \
128	    jexec A ifconfig ${epairA}b 198.51.100.254/24 up
129	atf_check -s not-exit:0 -e ignore \
130	    jexec A ifconfig ${epairA}b 198.51.100.100/24 up
131	atf_check -s not-exit:0 -e ignore \
132	    jexec A ifconfig ${epairA}b 203.0.113.1/24 up
133
134	# Reset rules OID.
135	sysctl security.mac.ipacl.rules=
136}
137
138ipacl_v4_cleanup()
139{
140	ipacl_test_cleanup
141}
142
143atf_test_case "ipacl_v6" "cleanup"
144
145ipacl_v6_head()
146{
147	atf_set descr 'basic test for ipacl on IPv6 addresses'
148	atf_set require.user root
149}
150
151ipacl_v6_body()
152{
153	ipacl_test_init
154
155	epairA=$(vnet_mkepair)
156	epairB=$(vnet_mkepair)
157	epairC=$(vnet_mkepair)
158
159	vnet_mkjail A ${epairA}b
160	vnet_mkjail B ${epairB}b ${epairC}b
161
162	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
163	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')
164
165	# The ipacl policy module is not enforced for IPv6.
166	sysctl security.mac.ipacl.ipv6=0
167
168	atf_check -s exit:0 -e ignore \
169	    jexec A ifconfig ${epairA}b inet6 2001:2::abcd/48 up
170	atf_check -s exit:0 -e ignore \
171	    jexec A ifconfig ${epairA}b inet6 2001:2::5ea:11/48 up
172
173	# The ipacl policy module is enforced for IPv6 and prevent all
174	# jails from setting their IPv6 address.
175	sysctl security.mac.ipacl.ipv6=1
176	sysctl security.mac.ipacl.rules=
177
178	atf_check -s not-exit:0 -e ignore \
179	    jexec A ifconfig ${epairA}b inet6 2001:2::abcd/48 up
180	atf_check -s not-exit:0 -e ignore \
181	    jexec A ifconfig ${epairA}b inet6 2001:2::5ea:11/48 up
182
183	rule="${jidA},1,${epairA}b,AF_INET6,2001:db8::1111/-1@"
184	rule="${rule}${jidB},1,${epairB}b,AF_INET6,2001:2::1234:1234/-1@"
185	rule="${rule}${jidB},1,,AF_INET6,fe80::/32@"
186	rule="${rule}${jidB},0,,AF_INET6,fe80::abcd/-1"
187	sysctl security.mac.ipacl.rules="${rule}"
188
189	# Verify if it allows jail to set only certain IPv6 address.
190	atf_check -s exit:0 -e ignore \
191	    jexec A ifconfig ${epairA}b inet6 2001:db8::1111/64 up
192	atf_check -s not-exit:0 -e ignore \
193	    jexec A ifconfig ${epairA}b inet6 2001:db8::1112/64 up
194	atf_check -s exit:0 -e ignore \
195	    jexec B ifconfig ${epairB}b inet6 2001:2::1234:1234/48 up
196	atf_check -s not-exit:0 -e ignore \
197	    jexec A ifconfig ${epairA}b inet6 2001:2::1234:1234/48 up
198
199	# Verify if the module allow jail set any address in subnet.
200	atf_check -s exit:0 -e ignore \
201	    jexec B ifconfig ${epairB}b inet6 FE80::1101:1221/15 up
202	atf_check -s exit:0 -e ignore \
203	    jexec B ifconfig ${epairB}b inet6 FE80::abab/15 up
204	atf_check -s exit:0 -e ignore \
205	    jexec B ifconfig ${epairB}b inet6 FE80::1/64 up
206	atf_check -s not-exit:0 -e ignore \
207	    jexec B ifconfig ${epairB}b inet6 FE80::abcd/15 up
208
209	# Check wildcard for interfaces.
210	atf_check -s exit:0 -e ignore \
211	    jexec B ifconfig ${epairC}b inet6 FE80::1101:1221/15 up
212	atf_check -s exit:0 -e ignore \
213	    jexec B ifconfig ${epairC}b inet6 FE80::abab/32 up
214	atf_check -s not-exit:0 -e ignore \
215	    jexec B ifconfig ${epairC}b inet6 FE81::1/64 up
216	atf_check -s not-exit:0 -e ignore \
217	    jexec B ifconfig ${epairC}b inet6 FE80::abcd/32 up
218
219	rule="${jidB},1,,AF_INET6,2001:2::/48@"
220	rule="${rule}${jidB},1,,AF_INET6,2001:3::/32"
221	sysctl security.mac.ipacl.rules="${rule}"
222
223	# Tests when subnet is allowed.
224	atf_check -s not-exit:0 -e ignore \
225	    jexec B ifconfig ${epairC}b inet6 2001:2:0001::1/64 up
226	atf_check -s not-exit:0 -e ignore \
227	    jexec B ifconfig ${epairC}b inet6 2001:2:1000::1/32 up
228	atf_check -s exit:0 -e ignore \
229	    jexec B ifconfig ${epairC}b inet6 2001:3:0001::1/64 up
230	atf_check -s not-exit:0 -e ignore \
231	    jexec B ifconfig ${epairC}b inet6 2001:4::1/64 up
232
233	# More tests of ULA address space.
234	rule="${jidA},1,,AF_INET6,fc00::/7@"
235	rule="${rule}${jidA},0,,AF_INET6,fc00::1111:2200/120@"
236	rule="${rule}${jidA},1,,AF_INET6,fc00::1111:2299/-1@"
237	rule="${rule}${jidA},1,,AF_INET6,2001:db8::/32@"
238	rule="${rule}${jidA},0,,AF_INET6,2001:db8::abcd/-1"
239	sysctl security.mac.ipacl.rules="${rule}"
240
241	atf_check -s exit:0 -e ignore \
242	    jexec A ifconfig ${epairA}b inet6 fc00::0000:1234/48 up
243	atf_check -s exit:0 -e ignore \
244	    jexec A ifconfig ${epairA}b inet6 fc00::0000:1234/48 up
245	atf_check -s not-exit:0 -e ignore \
246	    jexec A ifconfig ${epairA}b inet6 f800::2222:2200/48 up
247	atf_check -s not-exit:0 -e ignore \
248	    jexec A ifconfig ${epairA}b inet6 f800::2222:22ff/48 up
249
250	atf_check -s exit:0 -e ignore \
251	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2111/64 up
252	atf_check -s not-exit:0 -e ignore \
253	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2211/64 up
254	atf_check -s not-exit:0 -e ignore \
255	    jexec A ifconfig ${epairA}b inet6 fc00::1111:22aa/48 up
256	atf_check -s exit:0 -e ignore \
257	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2299/48 up
258
259	# More tests from IPv6 documentation range.
260	atf_check -s exit:0 -e ignore jexec A ifconfig \
261	    ${epairA}b inet6 2001:db8:abcd:bcde:cdef:def1:ef12:f123/32 up
262	atf_check -s exit:0 -e ignore jexec A ifconfig \
263	    ${epairA}b inet6 2001:db8:1111:2222:3333:4444:5555:6666/32 up
264	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
265	    ${epairA}b inet6 2001:ab9:1111:2222:3333:4444:5555:6666/32 up
266	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
267	    ${epairA}b inet6 2001:db8::abcd/32 up
268
269	# Reset rules OID.
270	sysctl security.mac.ipacl.rules=
271}
272
273ipacl_v6_cleanup()
274{
275	ipacl_test_cleanup
276}
277
278atf_init_test_cases()
279{
280	atf_add_test_case "ipacl_v4"
281	atf_add_test_case "ipacl_v6"
282}
283