xref: /freebsd/tests/sys/mac/ipacl/ipacl_test.sh (revision 63f537551380d2dab29fa402ad1269feae17e594)
1#-
2# Copyright (c) 2019, 2023 Shivank Garg <shivank@FreeBSD.org>
3#
4# This code was developed as a Google Summer of Code 2019 project
5# under the guidance of Bjoern A. Zeeb.
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27#
28
29. $(atf_get_srcdir)/utils.subr
30
31atf_test_case "ipacl_v4" "cleanup"
32
33ipacl_v4_head()
34{
35	atf_set descr 'basic test for ipacl on IPv4 addresses'
36	atf_set require.user root
37}
38
39ipacl_v4_body()
40{
41	ipacl_test_init
42
43	epairA=$(vnet_mkepair)
44	epairB=$(vnet_mkepair)
45	epairC=$(vnet_mkepair)
46
47	vnet_mkjail A ${epairA}b
48	vnet_mkjail B ${epairB}b ${epairC}b
49
50	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
51	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')
52
53	# The ipacl policy module is not enforced for IPv4.
54	sysctl security.mac.ipacl.ipv4=0
55
56	atf_check -s exit:0 -e ignore \
57	    jexec A ifconfig ${epairA}b 192.0.2.2/24 up
58	atf_check -s exit:0 -e ignore \
59	    jexec A ifconfig ${epairA}b 203.0.113.254/24 up
60
61	# The ipacl policy module is enforced for IPv4 and prevent all
62	# jails from setting their IPv4 address.
63	sysctl security.mac.ipacl.ipv4=1
64	sysctl security.mac.ipacl.rules=
65
66	atf_check -s not-exit:0 -e ignore \
67	    jexec A ifconfig ${epairA}b 192.0.2.2/24 up
68	atf_check -s not-exit:0 -e ignore \
69	    jexec A ifconfig ${epairA}b 203.0.113.254/24 up
70
71	rule="${jidA},1,${epairA}b,AF_INET,192.0.2.42/-1@"
72	rule="${rule}${jidB},1,${epairB}b,AF_INET,198.51.100.12/-1@"
73	rule="${rule}${jidB},1,,AF_INET,203.0.113.1/24@"
74	rule="${rule}${jidB},0,,AF_INET,203.0.113.9/-1"
75	sysctl security.mac.ipacl.rules="${rule}"
76
77	# Verify if it allows jail to set only certain IPv4 address.
78	atf_check -s exit:0 -e ignore \
79	    jexec A ifconfig ${epairA}b 192.0.2.42/24 up
80	atf_check -s not-exit:0 -e ignore \
81	    jexec A ifconfig ${epairA}b 192.0.2.43/24 up
82	atf_check -s exit:0 -e ignore \
83	    jexec B ifconfig ${epairB}b 198.51.100.12/24 up
84	atf_check -s not-exit:0 -e ignore \
85	    jexec B ifconfig ${epairC}b 198.51.100.12/24 up
86
87	# Verify if the module allow jail to set any address in subnet.
88	atf_check -s exit:0 -e ignore \
89	    jexec B ifconfig ${epairB}b 203.0.113.19/24 up
90	atf_check -s exit:0 -e ignore \
91	    jexec B ifconfig ${epairB}b 203.0.113.241/24 up
92	atf_check -s not-exit:0 -e ignore \
93	    jexec B ifconfig ${epairB}b 198.18.0.1/24 up
94	atf_check -s not-exit:0 -e ignore \
95	    jexec B ifconfig ${epairB}b 203.0.113.9/24 up
96
97	# Check wildcard for interfaces.
98	atf_check -s exit:0 -e ignore \
99	    jexec B ifconfig ${epairC}b 203.0.113.20/24 up
100	atf_check -s exit:0 -e ignore \
101	    jexec B ifconfig ${epairC}b 203.0.113.242/24 up
102	atf_check -s not-exit:0 -e ignore \
103	    jexec B ifconfig ${epairC}b 198.18.0.1/24 up
104	atf_check -s not-exit:0 -e ignore \
105	    jexec B ifconfig ${epairC}b 203.0.113.9/24 up
106
107	rule="${jidA},1,,AF_INET,198.18.0.0/15@"
108	rule="${rule}${jidA},0,,AF_INET,198.18.23.0/24@"
109	rule="${rule}${jidA},1,,AF_INET,198.18.23.1/-1@"
110	rule="${rule}${jidA},1,,AF_INET,198.51.100.0/24@"
111	rule="${rule}${jidA},0,,AF_INET,198.51.100.100/-1"
112	sysctl security.mac.ipacl.rules="${rule}"
113
114	# Tests from Benchamarking and Documentation(TEST-NET-3).
115	atf_check -s exit:0 -e ignore \
116	    jexec A ifconfig ${epairA}b 198.18.0.1/24 up
117	atf_check -s not-exit:0 -e ignore \
118	    jexec A ifconfig ${epairA}b 198.18.23.2/24 up
119	atf_check -s exit:0 -e ignore \
120	    jexec A ifconfig ${epairA}b 198.18.23.1/22 up
121	atf_check -s not-exit:0 -e ignore \
122	    jexec A ifconfig ${epairA}b 198.18.23.3/24 up
123
124	atf_check -s exit:0 -e ignore \
125	    jexec A ifconfig ${epairA}b 198.51.100.001/24 up
126	atf_check -s exit:0 -e ignore \
127	    jexec A ifconfig ${epairA}b 198.51.100.254/24 up
128	atf_check -s not-exit:0 -e ignore \
129	    jexec A ifconfig ${epairA}b 198.51.100.100/24 up
130	atf_check -s not-exit:0 -e ignore \
131	    jexec A ifconfig ${epairA}b 203.0.113.1/24 up
132
133	# Reset rules OID.
134	sysctl security.mac.ipacl.rules=
135}
136
137ipacl_v4_cleanup()
138{
139	ipacl_test_cleanup
140}
141
142atf_test_case "ipacl_v6" "cleanup"
143
144ipacl_v6_head()
145{
146	atf_set descr 'basic test for ipacl on IPv6 addresses'
147	atf_set require.user root
148}
149
150ipacl_v6_body()
151{
152	ipacl_test_init
153
154	epairA=$(vnet_mkepair)
155	epairB=$(vnet_mkepair)
156	epairC=$(vnet_mkepair)
157
158	vnet_mkjail A ${epairA}b
159	vnet_mkjail B ${epairB}b ${epairC}b
160
161	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
162	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')
163
164	# The ipacl policy module is not enforced for IPv6.
165	sysctl security.mac.ipacl.ipv6=0
166
167	atf_check -s exit:0 -e ignore \
168	    jexec A ifconfig ${epairA}b inet6 2001:2::abcd/48 up
169	atf_check -s exit:0 -e ignore \
170	    jexec A ifconfig ${epairA}b inet6 2001:2::5ea:11/48 up
171
172	# The ipacl policy module is enforced for IPv6 and prevent all
173	# jails from setting their IPv6 address.
174	sysctl security.mac.ipacl.ipv6=1
175	sysctl security.mac.ipacl.rules=
176
177	atf_check -s not-exit:0 -e ignore \
178	    jexec A ifconfig ${epairA}b inet6 2001:2::abcd/48 up
179	atf_check -s not-exit:0 -e ignore \
180	    jexec A ifconfig ${epairA}b inet6 2001:2::5ea:11/48 up
181
182	rule="${jidA},1,${epairA}b,AF_INET6,2001:db8::1111/-1@"
183	rule="${rule}${jidB},1,${epairB}b,AF_INET6,2001:2::1234:1234/-1@"
184	rule="${rule}${jidB},1,,AF_INET6,fe80::/32@"
185	rule="${rule}${jidB},0,,AF_INET6,fe80::abcd/-1"
186	sysctl security.mac.ipacl.rules="${rule}"
187
188	# Verify if it allows jail to set only certain IPv6 address.
189	atf_check -s exit:0 -e ignore \
190	    jexec A ifconfig ${epairA}b inet6 2001:db8::1111/64 up
191	atf_check -s not-exit:0 -e ignore \
192	    jexec A ifconfig ${epairA}b inet6 2001:db8::1112/64 up
193	atf_check -s exit:0 -e ignore \
194	    jexec B ifconfig ${epairB}b inet6 2001:2::1234:1234/48 up
195	atf_check -s not-exit:0 -e ignore \
196	    jexec A ifconfig ${epairA}b inet6 2001:2::1234:1234/48 up
197
198	# Verify if the module allow jail set any address in subnet.
199	atf_check -s exit:0 -e ignore \
200	    jexec B ifconfig ${epairB}b inet6 FE80::1101:1221/15 up
201	atf_check -s exit:0 -e ignore \
202	    jexec B ifconfig ${epairB}b inet6 FE80::abab/15 up
203	atf_check -s exit:0 -e ignore \
204	    jexec B ifconfig ${epairB}b inet6 FE80::1/64 up
205	atf_check -s not-exit:0 -e ignore \
206	    jexec B ifconfig ${epairB}b inet6 FE80::abcd/15 up
207
208	# Check wildcard for interfaces.
209	atf_check -s exit:0 -e ignore \
210	    jexec B ifconfig ${epairC}b inet6 FE80::1101:1221/15 up
211	atf_check -s exit:0 -e ignore \
212	    jexec B ifconfig ${epairC}b inet6 FE80::abab/32 up
213	atf_check -s not-exit:0 -e ignore \
214	    jexec B ifconfig ${epairC}b inet6 FE81::1/64 up
215	atf_check -s not-exit:0 -e ignore \
216	    jexec B ifconfig ${epairC}b inet6 FE80::abcd/32 up
217
218	rule="${jidB},1,,AF_INET6,2001:2::/48@"
219	rule="${rule}${jidB},1,,AF_INET6,2001:3::/32"
220	sysctl security.mac.ipacl.rules="${rule}"
221
222	# Tests when subnet is allowed.
223	atf_check -s not-exit:0 -e ignore \
224	    jexec B ifconfig ${epairC}b inet6 2001:2:0001::1/64 up
225	atf_check -s not-exit:0 -e ignore \
226	    jexec B ifconfig ${epairC}b inet6 2001:2:1000::1/32 up
227	atf_check -s exit:0 -e ignore \
228	    jexec B ifconfig ${epairC}b inet6 2001:3:0001::1/64 up
229	atf_check -s not-exit:0 -e ignore \
230	    jexec B ifconfig ${epairC}b inet6 2001:4::1/64 up
231
232	# More tests of ULA address space.
233	rule="${jidA},1,,AF_INET6,fc00::/7@"
234	rule="${rule}${jidA},0,,AF_INET6,fc00::1111:2200/120@"
235	rule="${rule}${jidA},1,,AF_INET6,fc00::1111:2299/-1@"
236	rule="${rule}${jidA},1,,AF_INET6,2001:db8::/32@"
237	rule="${rule}${jidA},0,,AF_INET6,2001:db8::abcd/-1"
238	sysctl security.mac.ipacl.rules="${rule}"
239
240	atf_check -s exit:0 -e ignore \
241	    jexec A ifconfig ${epairA}b inet6 fc00::0000:1234/48 up
242	atf_check -s exit:0 -e ignore \
243	    jexec A ifconfig ${epairA}b inet6 fc00::0000:1234/48 up
244	atf_check -s not-exit:0 -e ignore \
245	    jexec A ifconfig ${epairA}b inet6 f800::2222:2200/48 up
246	atf_check -s not-exit:0 -e ignore \
247	    jexec A ifconfig ${epairA}b inet6 f800::2222:22ff/48 up
248
249	atf_check -s exit:0 -e ignore \
250	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2111/64 up
251	atf_check -s not-exit:0 -e ignore \
252	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2211/64 up
253	atf_check -s not-exit:0 -e ignore \
254	    jexec A ifconfig ${epairA}b inet6 fc00::1111:22aa/48 up
255	atf_check -s exit:0 -e ignore \
256	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2299/48 up
257
258	# More tests from IPv6 documentation range.
259	atf_check -s exit:0 -e ignore jexec A ifconfig \
260	    ${epairA}b inet6 2001:db8:abcd:bcde:cdef:def1:ef12:f123/32 up
261	atf_check -s exit:0 -e ignore jexec A ifconfig \
262	    ${epairA}b inet6 2001:db8:1111:2222:3333:4444:5555:6666/32 up
263	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
264	    ${epairA}b inet6 2001:ab9:1111:2222:3333:4444:5555:6666/32 up
265	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
266	    ${epairA}b inet6 2001:db8::abcd/32 up
267
268	# Reset rules OID.
269	sysctl security.mac.ipacl.rules=
270}
271
272ipacl_v6_cleanup()
273{
274	ipacl_test_cleanup
275}
276
277atf_init_test_cases()
278{
279	atf_add_test_case "ipacl_v4"
280	atf_add_test_case "ipacl_v6"
281}
282