Author: pjd
Date: Sat Mar 14 21:54:19 2009
New Revision: 189832
URL: http://svn.freebsd.org/changeset/base/189832

Log:
  Regression tests for mac_portacl(4).

Added:
  head/tools/regression/mac/mac_portacl/
  head/tools/regression/mac/mac_portacl/LICENSE   (contents, props changed)
  head/tools/regression/mac/mac_portacl/misc.sh   (contents, props changed)
  head/tools/regression/mac/mac_portacl/nobody.t   (contents, props changed)
  head/tools/regression/mac/mac_portacl/root.t   (contents, props changed)

Added: head/tools/regression/mac/mac_portacl/LICENSE
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/tools/regression/mac/mac_portacl/LICENSE       Sat Mar 14 21:54:19 
2009        (r189832)
@@ -0,0 +1,27 @@
+$FreeBSD$
+
+License for all regression tests available with fstest:
+
+Copyright (c) 2009 Pawel Jakub Dawidek <p...@freebsd.org>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGE.

Added: head/tools/regression/mac/mac_portacl/misc.sh
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/tools/regression/mac/mac_portacl/misc.sh       Sat Mar 14 21:54:19 
2009        (r189832)
@@ -0,0 +1,97 @@
+#!/bin/sh
+# $FreeBSD$
+
+sysctl security.mac.portacl >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+       echo "1..1"
+       echo "not ok 1 # MAC_PORTACL is unavailable."
+       exit 0
+fi
+
+ntest=1
+
+check_bind() {
+       idtype=${1}
+       name=${2}
+       proto=${3}
+       port=${4}
+
+       [ "${proto}" = "udp" ] && udpflag="-u"
+
+       out=`(
+               case "${idtype}" in
+               uid|gid)
+                       ( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 
127.0.0.1 $port" 2>&1 ) &
+                       ;;
+               jail)
+                       kill $$
+                       ;;
+               *)
+                       kill $$
+               esac
+               sleep 0.3
+               echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1
+               wait
+       )`
+       case "${out}" in
+       "nc: Permission denied"*|"nc: Operation not permitted"*)
+               echo fl
+               ;;
+       "")
+               echo ok
+               ;;
+       *)
+               echo ${out}
+               ;;
+       esac
+}
+
+bind_test() {
+       expect_without_rule=${1}
+       expect_with_rule=${2}
+       idtype=${3}
+       name=${4}
+       proto=${5}
+       port=${6}
+
+       sysctl security.mac.portacl.rules= >/dev/null
+       out=`check_bind ${idtype} ${name} ${proto} ${port}`
+       if [ "${out}" = "${expect_without_rule}" ]; then
+               echo "ok ${ntest}"
+       elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
+               echo "not ok ${ntest}"
+       else
+               echo "not ok ${ntest} # ${out}"
+       fi
+       ntest=$((ntest+1))
+
+       if [ "${idtype}" = "uid" ]; then
+               idstr=`id -u ${name}`
+       elif [ "${idtype}" = "gid" ]; then
+               idstr=`id -g ${name}`
+       else
+               idstr=${name}
+       fi
+       sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} 
>/dev/null
+       out=`check_bind ${idtype} ${name} ${proto} ${port}`
+       if [ "${out}" = "${expect_with_rule}" ]; then
+               echo "ok ${ntest}"
+       elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
+               echo "not ok ${ntest}"
+       else
+               echo "not ok ${ntest} # ${out}"
+       fi
+       ntest=$((ntest+1))
+
+       sysctl security.mac.portacl.rules= >/dev/null
+}
+
+reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh`
+suser_exempt=`sysctl -n security.mac.portacl.suser_exempt`
+port_high=`sysctl -n security.mac.portacl.port_high`
+
+restore_settings() {
+       sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null
+       sysctl -n security.mac.portacl.suser_exempt=${suser_exempt} >/dev/null
+       sysctl -n security.mac.portacl.port_high=${port_high} >/dev/null
+}
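Review bot: The `kill $$` in the jail and default arms of check_bind kills the calling .t script rather than the command-substitution subshell, because `$$` keeps the parent's PID inside backticks; an unsupported idtype therefore aborts the whole run with no TAP line and without ever reaching restore_settings, so a lowered `net.inet.ip.portrange.reservedhigh` (nobody.t sets 78 and 76) and any rule bind_test installed stay in effect on the host after the test. An interrupt or a failing sysctl leaves the system in the same state, since nothing traps the exit. I would register restore_settings as an EXIT trap right after its definition, have it clear `security.mac.portacl.rules=` as well, and report a bad idtype through the existing `*)` arm of the `out` case instead of killing the script. Separately, the rule-installing `sysctl security.mac.portacl.rules=...` in bind_test is unchecked, so a rejected rule string would surface as a portacl "not ok" rather than a setup error; a `|| echo "not ok ${ntest} # cannot install rule"` style check would keep the two apart.
```sh
	out=`(
		case "${idtype}" in
		uid|gid)
			# … unchanged: background su/nc listener …
			;;
		*)
			# Report through the caller's out-case; kill $$ would take down
			# the whole test script and skip restore_settings.
			echo "unsupported idtype ${idtype}"
			exit 1
			;;
		esac
		# … unchanged: sleep, client nc, wait …
	)`

# … unchanged: bind_test, saved sysctl values …

restore_settings() {
	sysctl security.mac.portacl.rules= >/dev/null
	# … unchanged: the three sysctl restores …
}
# Run on every exit path, so an aborted run does not leave the reserved
# port range lowered or a test rule installed.
trap restore_settings EXIT
```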

Added: head/tools/regression/mac/mac_portacl/nobody.t
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/tools/regression/mac/mac_portacl/nobody.t      Sat Mar 14 21:54:19 
2009        (r189832)
@@ -0,0 +1,67 @@
+#!/bin/sh
+# $FreeBSD$
+
+dir=`dirname $0`
+. ${dir}/misc.sh
+
+echo "1..64"
+
+# security.mac.portacl.suser_exempt value doesn't affect unprivileged users
+# behaviour.
+# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.
+
+sysctl security.mac.portacl.suser_exempt=1 >/dev/null
+sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+sysctl security.mac.portacl.suser_exempt=0 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+# Verify if security.mac.portacl.port_high works.
+
+sysctl security.mac.portacl.port_high=7778 >/dev/null
+
+bind_test fl fl uid nobody tcp 77
+bind_test fl ok uid nobody tcp 7777
+bind_test fl fl uid nobody udp 77
+bind_test fl ok uid nobody udp 7777
+
+bind_test fl fl gid nobody tcp 77
+bind_test fl ok gid nobody tcp 7777
+bind_test fl fl gid nobody udp 77
+bind_test fl ok gid nobody udp 7777
+
+# Verify if mac_portacl rules work.
+
+sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null
+sysctl security.mac.portacl.port_high=7776 >/dev/null
+
+bind_test fl ok uid nobody tcp 77
+bind_test ok ok uid nobody tcp 7777
+bind_test fl ok uid nobody udp 77
+bind_test ok ok uid nobody udp 7777
+
+bind_test fl ok gid nobody tcp 77
+bind_test ok ok gid nobody tcp 7777
+bind_test fl ok gid nobody udp 77
+bind_test ok ok gid nobody udp 7777
+
+restore_settings
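Review bot: The rule section (from `reservedhigh=76` / `port_high=7776` on) only exercises rules whose uid/gid, protocol and port all match the bind being attempted, so it would not catch a regression in which mac_portacl matches too loosely, for example a uid rule admitting a different user or a tcp rule admitting a udp bind. bind_test always installs the rule built from its own arguments, so this needs a small variant that installs one rule and then calls check_bind with a different name or proto, expecting `fl`. root.t has the same gap for the super-user cases.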

Added: head/tools/regression/mac/mac_portacl/root.t
==============================================================================
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/tools/regression/mac/mac_portacl/root.t        Sat Mar 14 21:54:19 
2009        (r189832)
@@ -0,0 +1,51 @@
+#!/bin/sh
+# $FreeBSD$
+
+dir=`dirname $0`
+. ${dir}/misc.sh
+
+echo "1..48"
+
+# Verify if security.mac.portacl.suser_exempt=1 really exempts super-user.
+
+sysctl security.mac.portacl.suser_exempt=1 >/dev/null
+
+bind_test ok ok uid root tcp 77
+bind_test ok ok uid root tcp 7777
+bind_test ok ok uid root udp 77
+bind_test ok ok uid root udp 7777
+
+bind_test ok ok gid root tcp 77
+bind_test ok ok gid root tcp 7777
+bind_test ok ok gid root udp 77
+bind_test ok ok gid root udp 7777
+
+# Verify if security.mac.portacl.suser_exempt=0 really doesn't exempt 
super-user.
+
+sysctl security.mac.portacl.suser_exempt=0 >/dev/null
+
+bind_test fl ok uid root tcp 77
+bind_test ok ok uid root tcp 7777
+bind_test fl ok uid root udp 77
+bind_test ok ok uid root udp 7777
+
+bind_test fl ok gid root tcp 77
+bind_test ok ok gid root tcp 7777
+bind_test fl ok gid root udp 77
+bind_test ok ok gid root udp 7777
+
+# Verify if security.mac.portacl.port_high works for super-user.
+
+sysctl security.mac.portacl.port_high=7778 >/dev/null
+
+bind_test fl ok uid root tcp 77
+bind_test fl ok uid root tcp 7777
+bind_test fl ok uid root udp 77
+bind_test fl ok uid root udp 7777
+
+bind_test fl ok gid root tcp 77
+bind_test fl ok gid root tcp 7777
+bind_test fl ok gid root udp 77
+bind_test fl ok gid root udp 7777
+
+restore_settings
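Review bot: Nothing in the file states its preconditions: every sysctl write here, and the su(1) in misc.sh's check_bind, require root, and the script changes host-wide security.mac.portacl.* settings while it runs, restoring them only via the restore_settings call at the end. A header comment after the `$FreeBSD$` line such as `# Must run as root; temporarily changes security.mac.portacl.* sysctls and restores them at the end.` would make that visible to whoever runs the suite. nobody.t needs the same note, plus a mention that it also lowers net.inet.ip.portrange.reservedhigh for the duration of the run.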