1#! /usr/bin/ksh 2# 3# 4# This file and its contents are supplied under the terms of the 5# Common Development and Distribution License ("CDDL"), version 1.0. 6# You may only use this file in accordance with the terms of version 7# 1.0 of the CDDL. 8# 9# A full copy of the text of the CDDL should have accompanied this 10# source. A copy of the CDDL is also available via the Internet at 11# http://www.illumos.org/license/CDDL. 12# 13 14# Copyright 2015, Richard Lowe. 15 16# Verify that zones can be configured with security-flags 17LC_ALL=C # Collation is important 18 19expect_success() { 20 name=$1 21 22 (echo "create -b"; 23 echo "set zonepath=/$name.$$"; 24 cat /dev/stdin; 25 echo "verify"; 26 echo "commit"; 27 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1 28 29 r=$? 30 31 zonecfg -z $name.$$ delete -F 32 33 if (($r != 0)); then 34 printf "%s: FAIL\n" $name 35 cat out.$$ 36 rm out.$$ 37 return 1 38 else 39 rm out.$$ 40 printf "%s: PASS\n" $name 41 return 0 42 fi 43} 44 45expect_fail() { 46 name=$1 47 expect=$2 48 49 (echo "create -b"; 50 echo "set zonepath=/$name.$$"; 51 cat /dev/stdin; 52 echo "verify"; 53 echo "commit"; 54 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1 55 56 r=$? 57 58 # Ideally will fail, since we don't want the create to have succeeded. 59 zonecfg -z $name.$$ delete -F >/dev/null 2>&1 60 61 62 if (($r == 0)); then 63 printf "%s: FAIL (succeeded)\n" $name 64 rm out.$$ 65 return 1 66 else 67 grep -q "$expect" out.$$ 68 if (( $? != 0 )); then 69 printf "%s: FAIL (error didn't match)\n" $name 70 echo "Wanted:" 71 echo " $expect" 72 echo "Got:" 73 sed -e 's/^/ /' out.$$ 74 rm out.$$ 75 return 1; 76 else 77 rm out.$$ 78 printf "%s: PASS\n" $name 79 return 0 80 fi 81 fi 82} 83 84ret=0 85 86expect_success valid-no-config <<EOF 87EOF 88(( $? != 0 )) && ret=1 89 90expect_success valid-full-config <<EOF 91add security-flags 92set lower=none 93set default=aslr 94set upper=all 95end 96EOF 97(( $? != 0 )) && ret=1 98 99expect_success valid-partial-config <<EOF 100add security-flags 101set default=aslr 102end 103EOF 104(( $? != 0 )) && ret=1 105 106expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF 107add security-flags 108set lower=aslr 109set default=none 110set upper=all 111end 112EOF 113(( $? != 0 )) && ret=1 114 115expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF 116add security-flags 117set lower=aslr 118set default=none 119end 120EOF 121(( $? != 0 )) && ret=1 122 123expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF 124add security-flags 125set lower=none 126set default=all 127set upper=none 128end 129EOF 130(( $? != 0 )) && ret=1 131 132expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF 133add security-flags 134set default=all 135set upper=none 136end 137EOF 138(( $? != 0 )) && ret=1 139 140expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF 141add security-flags 142set lower=none 143set default=all 144set upper=none 145end 146EOF 147(( $? != 0 )) && ret=1 148 149expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF 150add security-flags 151set lower=all 152set upper=none 153end 154EOF 155(( $? != 0 )) && ret=1 156 157expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF 158add security-flags 159set default=fail 160end 161EOF 162(( $? != 0 )) && ret=1 163 164expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF 165add security-flags 166set lower=fail 167end 168EOF 169(( $? != 0 )) && ret=1 170 171expect_fail invalid-parse-fail-def "upper security flags 'fail' are invalid" <<EOF 172add security-flags 173set upper=fail 174end 175EOF 176(( $? != 0 )) && ret=1 177 178exit $ret 179