xref: /freebsd/tests/sys/mac/ipacl/ipacl_test.sh (revision df21a004be237a1dccd03c7b47254625eea62fa9) 
1#-
2# Copyright (c) 2019, 2023 Shivank Garg <shivank@FreeBSD.org>
3#
4# This code was developed as a Google Summer of Code 2019 project
5# under the guidance of Bjoern A. Zeeb.
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted provided that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
17# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
20# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26# SUCH DAMAGE.
27#
28
29. $(atf_get_srcdir)/utils.subr
30
31atf_test_case "ipacl_v4" "cleanup"
32
33ipacl_v4_head()
34{
35	atf_set descr 'basic test for ipacl on IPv4 addresses'
36	atf_set require.user root
37}
38
39ipacl_v4_body()
40{
41	ipacl_test_init
42
43	prev_ipacl_ipv4="$(sysctl -n security.mac.ipacl.ipv4)"
44	prev_ipacl_rules="$(sysctl -n security.mac.ipacl.rules)"
45
46	epairA=$(vnet_mkepair)
47	epairB=$(vnet_mkepair)
48	epairC=$(vnet_mkepair)
49
50	vnet_mkjail A ${epairA}b
51	vnet_mkjail B ${epairB}b ${epairC}b
52
53	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
54	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')
55
56	# The ipacl policy module is not enforced for IPv4.
57	sysctl security.mac.ipacl.ipv4=0
58
59	atf_check -s exit:0 -e ignore \
60	    jexec A ifconfig ${epairA}b 192.0.2.2/24 up
61	atf_check -s exit:0 -e ignore \
62	    jexec A ifconfig ${epairA}b 203.0.113.254/24 up
63
64	# The ipacl policy module is enforced for IPv4 and prevent all
65	# jails from setting their IPv4 address.
66	sysctl security.mac.ipacl.ipv4=1
67	sysctl security.mac.ipacl.rules=
68
69	atf_check -s not-exit:0 -e ignore \
70	    jexec A ifconfig ${epairA}b 192.0.2.2/24 up
71	atf_check -s not-exit:0 -e ignore \
72	    jexec A ifconfig ${epairA}b 203.0.113.254/24 up
73
74	rule="${jidA},1,${epairA}b,AF_INET,192.0.2.42/-1@"
75	rule="${rule}${jidB},1,${epairB}b,AF_INET,198.51.100.12/-1@"
76	rule="${rule}${jidB},1,,AF_INET,203.0.113.1/24@"
77	rule="${rule}${jidB},0,,AF_INET,203.0.113.9/-1"
78	sysctl security.mac.ipacl.rules="${rule}"
79
80	# Verify if it allows jail to set only certain IPv4 address.
81	atf_check -s exit:0 -e ignore \
82	    jexec A ifconfig ${epairA}b 192.0.2.42/24 up
83	atf_check -s not-exit:0 -e ignore \
84	    jexec A ifconfig ${epairA}b 192.0.2.43/24 up
85	atf_check -s exit:0 -e ignore \
86	    jexec B ifconfig ${epairB}b 198.51.100.12/24 up
87	atf_check -s not-exit:0 -e ignore \
88	    jexec B ifconfig ${epairC}b 198.51.100.12/24 up
89
90	# Verify if the module allow jail to set any address in subnet.
91	atf_check -s exit:0 -e ignore \
92	    jexec B ifconfig ${epairB}b 203.0.113.19/24 up
93	atf_check -s exit:0 -e ignore \
94	    jexec B ifconfig ${epairB}b 203.0.113.241/24 up
95	atf_check -s not-exit:0 -e ignore \
96	    jexec B ifconfig ${epairB}b 198.18.0.1/24 up
97	atf_check -s not-exit:0 -e ignore \
98	    jexec B ifconfig ${epairB}b 203.0.113.9/24 up
99
100	# Check wildcard for interfaces.
101	atf_check -s exit:0 -e ignore \
102	    jexec B ifconfig ${epairC}b 203.0.113.20/24 up
103	atf_check -s exit:0 -e ignore \
104	    jexec B ifconfig ${epairC}b 203.0.113.242/24 up
105	atf_check -s not-exit:0 -e ignore \
106	    jexec B ifconfig ${epairC}b 198.18.0.1/24 up
107	atf_check -s not-exit:0 -e ignore \
108	    jexec B ifconfig ${epairC}b 203.0.113.9/24 up
109
110	rule="${jidA},1,,AF_INET,198.18.0.0/15@"
111	rule="${rule}${jidA},0,,AF_INET,198.18.23.0/24@"
112	rule="${rule}${jidA},1,,AF_INET,198.18.23.1/-1@"
113	rule="${rule}${jidA},1,,AF_INET,198.51.100.0/24@"
114	rule="${rule}${jidA},0,,AF_INET,198.51.100.100/-1"
115	sysctl security.mac.ipacl.rules="${rule}"
116
117	# Tests from Benchamarking and Documentation(TEST-NET-3).
118	atf_check -s exit:0 -e ignore \
119	    jexec A ifconfig ${epairA}b 198.18.0.1/24 up
120	atf_check -s not-exit:0 -e ignore \
121	    jexec A ifconfig ${epairA}b 198.18.23.2/24 up
122	atf_check -s exit:0 -e ignore \
123	    jexec A ifconfig ${epairA}b 198.18.23.1/22 up
124	atf_check -s not-exit:0 -e ignore \
125	    jexec A ifconfig ${epairA}b 198.18.23.3/24 up
126
127	atf_check -s exit:0 -e ignore \
128	    jexec A ifconfig ${epairA}b 198.51.100.001/24 up
129	atf_check -s exit:0 -e ignore \
130	    jexec A ifconfig ${epairA}b 198.51.100.254/24 up
131	atf_check -s not-exit:0 -e ignore \
132	    jexec A ifconfig ${epairA}b 198.51.100.100/24 up
133	atf_check -s not-exit:0 -e ignore \
134	    jexec A ifconfig ${epairA}b 203.0.113.1/24 up
135
136	# Reset sysctls.
137	sysctl security.mac.ipacl.rules="${prev_ipacl_rules}"
138	sysctl security.mac.ipacl.ipv4="${prev_ipacl_ipv4}"
139}
140
141ipacl_v4_cleanup()
142{
143	ipacl_test_cleanup
144}
145
146atf_test_case "ipacl_v6" "cleanup"
147
148ipacl_v6_head()
149{
150	atf_set descr 'basic test for ipacl on IPv6 addresses'
151	atf_set require.user root
152}
153
154ipacl_v6_body()
155{
156	ipacl_test_init
157
158	prev_ipacl_ipv6="$(sysctl -n security.mac.ipacl.ipv6)"
159	prev_ipacl_rules="$(sysctl -n security.mac.ipacl.rules)"
160
161	epairA=$(vnet_mkepair)
162	epairB=$(vnet_mkepair)
163	epairC=$(vnet_mkepair)
164
165	vnet_mkjail A ${epairA}b
166	vnet_mkjail B ${epairB}b ${epairC}b
167
168	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
169	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')
170
171	# The ipacl policy module is not enforced for IPv6.
172	sysctl security.mac.ipacl.ipv6=0
173
174	atf_check -s exit:0 -e ignore \
175	    jexec A ifconfig ${epairA}b inet6 2001:2::abcd/48 up
176	atf_check -s exit:0 -e ignore \
177	    jexec A ifconfig ${epairA}b inet6 2001:2::5ea:11/48 up
178
179	# The ipacl policy module is enforced for IPv6 and prevent all
180	# jails from setting their IPv6 address.
181	sysctl security.mac.ipacl.ipv6=1
182	sysctl security.mac.ipacl.rules=
183
184	atf_check -s not-exit:0 -e ignore \
185	    jexec A ifconfig ${epairA}b inet6 2001:2::abcd/48 up
186	atf_check -s not-exit:0 -e ignore \
187	    jexec A ifconfig ${epairA}b inet6 2001:2::5ea:11/48 up
188
189	rule="${jidA},1,${epairA}b,AF_INET6,2001:db8::1111/-1@"
190	rule="${rule}${jidB},1,${epairB}b,AF_INET6,2001:2::1234:1234/-1@"
191	rule="${rule}${jidB},1,,AF_INET6,fe80::/32@"
192	rule="${rule}${jidB},0,,AF_INET6,fe80::abcd/-1"
193	sysctl security.mac.ipacl.rules="${rule}"
194
195	# Verify if it allows jail to set only certain IPv6 address.
196	atf_check -s exit:0 -e ignore \
197	    jexec A ifconfig ${epairA}b inet6 2001:db8::1111/64 up
198	atf_check -s not-exit:0 -e ignore \
199	    jexec A ifconfig ${epairA}b inet6 2001:db8::1112/64 up
200	atf_check -s exit:0 -e ignore \
201	    jexec B ifconfig ${epairB}b inet6 2001:2::1234:1234/48 up
202	atf_check -s not-exit:0 -e ignore \
203	    jexec A ifconfig ${epairA}b inet6 2001:2::1234:1234/48 up
204
205	# Verify if the module allow jail set any address in subnet.
206	atf_check -s exit:0 -e ignore \
207	    jexec B ifconfig ${epairB}b inet6 FE80::1101:1221/15 up
208	atf_check -s exit:0 -e ignore \
209	    jexec B ifconfig ${epairB}b inet6 FE80::abab/15 up
210	atf_check -s exit:0 -e ignore \
211	    jexec B ifconfig ${epairB}b inet6 FE80::1/64 up
212	atf_check -s not-exit:0 -e ignore \
213	    jexec B ifconfig ${epairB}b inet6 FE80::abcd/15 up
214
215	# Check wildcard for interfaces.
216	atf_check -s exit:0 -e ignore \
217	    jexec B ifconfig ${epairC}b inet6 FE80::1101:1221/15 up
218	atf_check -s exit:0 -e ignore \
219	    jexec B ifconfig ${epairC}b inet6 FE80::abab/32 up
220	atf_check -s not-exit:0 -e ignore \
221	    jexec B ifconfig ${epairC}b inet6 FE81::1/64 up
222	atf_check -s not-exit:0 -e ignore \
223	    jexec B ifconfig ${epairC}b inet6 FE80::abcd/32 up
224
225	rule="${jidB},1,,AF_INET6,2001:2::/48@"
226	rule="${rule}${jidB},1,,AF_INET6,2001:3::/32"
227	sysctl security.mac.ipacl.rules="${rule}"
228
229	# Tests when subnet is allowed.
230	atf_check -s not-exit:0 -e ignore \
231	    jexec B ifconfig ${epairC}b inet6 2001:2:0001::1/64 up
232	atf_check -s not-exit:0 -e ignore \
233	    jexec B ifconfig ${epairC}b inet6 2001:2:1000::1/32 up
234	atf_check -s exit:0 -e ignore \
235	    jexec B ifconfig ${epairC}b inet6 2001:3:0001::1/64 up
236	atf_check -s not-exit:0 -e ignore \
237	    jexec B ifconfig ${epairC}b inet6 2001:4::1/64 up
238
239	# More tests of ULA address space.
240	rule="${jidA},1,,AF_INET6,fc00::/7@"
241	rule="${rule}${jidA},0,,AF_INET6,fc00::1111:2200/120@"
242	rule="${rule}${jidA},1,,AF_INET6,fc00::1111:2299/-1@"
243	rule="${rule}${jidA},1,,AF_INET6,2001:db8::/32@"
244	rule="${rule}${jidA},0,,AF_INET6,2001:db8::abcd/-1"
245	sysctl security.mac.ipacl.rules="${rule}"
246
247	atf_check -s exit:0 -e ignore \
248	    jexec A ifconfig ${epairA}b inet6 fc00::0000:1234/48 up
249	atf_check -s exit:0 -e ignore \
250	    jexec A ifconfig ${epairA}b inet6 fc00::0000:1234/48 up
251	atf_check -s not-exit:0 -e ignore \
252	    jexec A ifconfig ${epairA}b inet6 f800::2222:2200/48 up
253	atf_check -s not-exit:0 -e ignore \
254	    jexec A ifconfig ${epairA}b inet6 f800::2222:22ff/48 up
255
256	atf_check -s exit:0 -e ignore \
257	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2111/64 up
258	atf_check -s not-exit:0 -e ignore \
259	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2211/64 up
260	atf_check -s not-exit:0 -e ignore \
261	    jexec A ifconfig ${epairA}b inet6 fc00::1111:22aa/48 up
262	atf_check -s exit:0 -e ignore \
263	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2299/48 up
264
265	# More tests from IPv6 documentation range.
266	atf_check -s exit:0 -e ignore jexec A ifconfig \
267	    ${epairA}b inet6 2001:db8:abcd:bcde:cdef:def1:ef12:f123/32 up
268	atf_check -s exit:0 -e ignore jexec A ifconfig \
269	    ${epairA}b inet6 2001:db8:1111:2222:3333:4444:5555:6666/32 up
270	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
271	    ${epairA}b inet6 2001:ab9:1111:2222:3333:4444:5555:6666/32 up
272	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
273	    ${epairA}b inet6 2001:db8::abcd/32 up
274
275	# Reset sysctls.
276	sysctl security.mac.ipacl.rules="${prev_ipacl_rules}"
277	sysctl security.mac.ipacl.ipv6="${prev_ipacl_ipv6}"
278}
279
280ipacl_v6_cleanup()
281{
282	ipacl_test_cleanup
283}
284
285atf_init_test_cases()
286{
287	atf_add_test_case "ipacl_v4"
288	atf_add_test_case "ipacl_v6"
289}
290