#!/bin/sh
# Shared setup for the MAC_PORTACL tests: skip the whole run unless the
# security.mac.portacl sysctl tree exists and we are root, then define the
# check_bind, bind_test and restore_settings helpers below.

# A "1..0 # SKIP" plan tells the TAP consumer the run was skipped, not failed.
if ! sysctl security.mac.portacl >/dev/null 2>&1; then
	echo "1..0 # SKIP MAC_PORTACL is unavailable."
	exit 0
fi
if [ "$(id -u)" -ne 0 ]; then
	echo "1..0 # SKIP testcases must be run as root"
	exit 0
fi

# Running TAP test number; advanced once per result line by bind_test.
ntest=1
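#######################################
# Try to bind a listening socket on 127.0.0.1 as the given identity and
# report whether the bind was allowed.
# Arguments:
#   $1 - identity type: "uid" or "gid"; "jail" and anything else abort the
#        whole script via kill $$ (not implemented)
#   $2 - user or group name handed to su(1)
#   $3 - protocol: "udp" selects nc -u, anything else is treated as TCP
#   $4 - port number to bind
# Outputs (stdout):
#   "ok" when the listener produced no diagnostic, "fl" when nc reported
#   EACCES/EPERM, otherwise the listener's raw output so the caller can
#   flag it as unexpected.
#######################################
check_bind() {
	local host idtype name proto port udpflag timeout out

	host="127.0.0.1"
	# nc -w: seconds the listener and the probe wait before giving up.
	timeout=1

	idtype=${1}
	name=${2}
	proto=${3}
	port=${4}

	# Explicitly empty: FreeBSD sh's `local` inherits an outer value of the
	# same name, so rely on an assignment rather than on "unset".
	udpflag=""
	[ "${proto}" = "udp" ] && udpflag="-u"

	out=$(
		case "${idtype}" in
		uid|gid)
			# The listener runs as the target identity; its stderr carries
			# the verdict, so merge it into the captured stream before
			# backgrounding. ${udpflag} is inside the -c string on purpose.
			( printf '' | su -m "${name}" -c "nc ${udpflag} -l -w ${timeout} ${host} ${port}" 2>&1 ) &
			;;
		jail)
			# Unsupported: abort the test script itself, not just this subshell.
			kill $$
			;;
		*)
			kill $$
		esac
		# Give the listener a moment to bind, then connect so nc returns
		# instead of sitting out its full timeout.
		sleep 0.3
		# ${udpflag} stays unquoted: when empty it must vanish, not become "".
		echo | nc ${udpflag} -w "${timeout}" "${host}" "${port}" >/dev/null 2>&1
		wait
	)
	case "${out}" in
	"nc: Permission denied"*|"nc: Operation not permitted"*)
		echo fl
		;;
	"")
		echo ok
		;;
	*)
		# Preserve the diagnostic verbatim; an unquoted echo would
		# word-split and glob it.
		printf '%s\n' "${out}"
		;;
	esac
}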
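#######################################
# Emit one TAP result line comparing an actual check_bind result with the
# expected one, then advance the test counter.
# Globals:
#   ntest (read/written) - running TAP test number
# Arguments:
#   $1 - actual check_bind output
#   $2 - expected output ("ok" or "fl")
# Outputs (stdout):
#   "ok N" on a match; "not ok N # ..." on a mismatch, distinguishing a
#   wrong verdict from output that is neither "ok" nor "fl".
#######################################
report_bind_result() {
	local actual expected

	actual=${1}
	expected=${2}

	if [ "${actual}" = "${expected}" ]; then
		echo "ok ${ntest}"
	elif [ "${actual}" = "ok" ] || [ "${actual}" = "fl" ]; then
		echo "not ok ${ntest} # '${actual}' != '${expected}'"
	else
		echo "not ok ${ntest} # unexpected output: '${actual}'"
	fi
	: $(( ntest += 1 ))
}

#######################################
# Run one bind test case twice: with no portacl rule installed, then with a
# rule for the given identity/protocol/port; one TAP line is emitted for
# each. The rule set is cleared again before returning.
# Globals:
#   ntest (read/written) - running TAP test number
# Arguments:
#   $1 - expected check_bind result without a rule ("ok" or "fl")
#   $2 - expected check_bind result with the rule installed
#   $3 - identity type: "uid", "gid" or "jail"
#   $4 - user/group name (resolved to a numeric id for uid/gid) or jail id
#   $5 - protocol: "tcp" or "udp"
#   $6 - port number
# Outputs (stdout):
#   Two TAP result lines.
#######################################
bind_test() {
	local expect_without_rule expect_with_rule idtype name proto port
	local idstr out

	expect_without_rule=${1}
	expect_with_rule=${2}
	idtype=${3}
	name=${4}
	proto=${5}
	port=${6}

	# Baseline: no rules, so only the module's default policy applies.
	sysctl security.mac.portacl.rules= >/dev/null
	out=$(check_bind "${idtype}" "${name}" "${proto}" "${port}")
	report_bind_result "${out}" "${expect_without_rule}"

	# The rule syntax wants numeric ids for uid/gid; other types pass through.
	case "${idtype}" in
	uid) idstr=$(id -u "${name}") ;;
	gid) idstr=$(id -g "${name}") ;;
	*) idstr=${name} ;;
	esac
	sysctl "security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port}" >/dev/null
	out=$(check_bind "${idtype}" "${name}" "${proto}" "${port}")
	report_bind_result "${out}" "${expect_with_rule}"

	# Leave no rule behind for the next test case.
	sysctl security.mac.portacl.rules= >/dev/null
}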
# Snapshot the tunables at load time so restore_settings can write the
# original values back after a test run.
reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
port_high=$(sysctl -n security.mac.portacl.port_high)
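#######################################
# Write the sysctl values captured at load time (reserved_high, suser_exempt,
# port_high) back so a test run leaves the system as it found it.
# Globals:
#   reserved_high, suser_exempt, port_high (read)
# Returns:
#   0 when every sysctl was restored; otherwise the status of the last
#   failing sysctl(8) call, so an earlier failure is not masked by a later
#   success.
#######################################
restore_settings() {
	local rc

	rc=0
	# Attempt all three even if one fails; remember that something failed.
	sysctl -n net.inet.ip.portrange.reservedhigh="${reserved_high}" >/dev/null || rc=$?
	sysctl -n security.mac.portacl.suser_exempt="${suser_exempt}" >/dev/null || rc=$?
	sysctl -n security.mac.portacl.port_high="${port_high}" >/dev/null || rc=$?
	return "${rc}"
}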