Date: Thu, 27 Dec 2007 07:57:48 GMT From: Zhouyi ZHOU <zhouzhouyi@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 131757 for review Message-ID: <200712270757.lBR7vmhi034359@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=131757 Change 131757 by zhouzhouyi@zhouzhouyi_mactest on 2007/12/27 07:57:39 style modification Affected files ... .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/macping.c#4 edit .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/misc.sh#25 edit .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/netinet/00.t#4 edit .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/netinet/01.t#3 edit Differences ... ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/macping.c#4 (text+ko) ==== @@ -60,7 +60,7 @@ #include "mactest.h" - +const char *macconf_file = NULL; struct tv32 { int32_t tv32_sec; int32_t tv32_usec; @@ -181,6 +181,7 @@ if (i < 0) { warn("sendto"); close(logfd); + machookmatch(macconf_file, getpid()); exit(1); } else { warn("%s: partial write: %d of %d bytes", @@ -210,7 +211,6 @@ const char *label_string = NULL; const char *socket_label = NULL; char *target = NULL; - const char *macconf_file = NULL; int pid; char buf[10]; int flags; ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/misc.sh#25 (text+ko) ==== ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/netinet/00.t#4 (text+ko) ==== @@ -1,62 +1,76 @@ #!/bin/sh -# $FreeBSD: src/tools/regression/mactest/tests/netinet/00.t,v 1.2 2007/01/25 20:50:02 zhouzhouyi Exp $ +# $FreeBSD$ -desc="manipulate fifo files" +desc="test mandatory access control hooks for the interface relabelling" dir=`dirname $0` . ${dir}/../misc.sh -echo "1..3" + +dir=`dirname $0` +. ${dir}/../misc.sh +case "${os}" in +FreeBSD) -#turn off all the switches -for i in `sysctl security.mac | grep "\.enabled"| - sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do -sysctl ${i}=0 -done + mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null` + mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null` + mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null` -mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null` -mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null` -mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null` + if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] && + [ "${mac_test_support}" != "" ]; then +#turn off all the switches + for i in `sysctl security.mac | grep "\.enabled"| + sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do + sysctl ${i}=0 >/dev/null + done -if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] && - [ "${mac_test_support}" != "" ]; then - dvplabel=`getfmac ".."| sed 's/\(\.\.:\ \)\([a-z\,\/]*\)/\2/`; + if [ -f ${mactest_conf} ]; then + rm ${mactest_conf} + fi + touch ${mactest_conf} + + timewait=`netstat -p tcp|grep 1234|grep TIME_WAIT` + if [ "${#timewait}" -eq 0 ]; then - if [ -f ${mactest_conf} ]; then - rm ${mactest_conf} - fi - touch ${mactest_conf} + echo "1..3" + sysctl security.mac.mls.enabled=1 > /dev/null + sysctl security.mac.mls.revocation_enabled=1 > /dev/null + sysctl security.mac.test.pseudoinit=1 > /dev/null + ifconfig mac_test0 192.167.0.33 + ifconfig mac_test1 192.167.1.34 -############################################################# - t=`sysctl security.mac.mls.enabled=1` - echo "enforcing mac/mls!" - t=`sysctl security.mac.mls.revocation_enabled=1` - echo "enabling revoking" - t=`sysctl security.mac.test.pseudoinit=1` - t=`ifconfig mac_test0 192.167.0.33` - t=`ifconfig mac_test1 192.167.1.34` - echo "enabling mactest pseudo interface" #case 1,2,3: set the maclabel of the interface, effective, range or both is allowed, while # the subject should be priviledeged. - - mactestexpect "setifmac:.Operation.not.permitted" "" -m "biba/high(high-high)" \ - -f ${mactest_conf} system ifconfig mac_test0 maclabel "mls/low\(low-high\)" - mactestexpect "setifmac:.Operation.not.permitted" "" -m "mls/low(low-low)" \ - -f ${mactest_conf} system ifconfig mac_test0 maclabel "mls/low\(low-high\)" - echo -n "pid = -2 mac_test_check_ifnet_relabel:" > ${mactest_conf} - echo "biba/high(low-high),mls/low(low-high) mls/low(low-high) biba/,mls/low(low-high)" >> ${mactest_conf} - mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \ - -f ${mactest_conf} system ifconfig mac_test0 maclabel "mls/low\(low-high\)" - +#case 1 + mactestexpect "setifmac:.Operation.not.permitted" "" \ + -m "biba/high(high-high)" \ + -f ${mactest_conf} system ifconfig mac_test0 \ + maclabel "mls/low\(low-high\)" +#case 2 + mactestexpect "setifmac:.Operation.not.permitted" "" \ + -m "mls/low(low-low)" \ + -f ${mactest_conf} system ifconfig mac_test0 \ + maclabel "mls/low\(low-high\)" +#case 3 + echo -n "pid = -2 ifnet_check_relabel:" > ${mactest_conf} + echo "biba/high(low-high),mls/low(low-high) mls/low(low-high) biba/,mls/low(low-high)" >> ${mactest_conf} + mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \ + -f ${mactest_conf} system ifconfig mac_test0 maclabel "mls/low\(low-high\)" #cleanup: - t=`sysctl security.mac.mls.enabled=0` - echo "disabling mac/mls!" - - - rm ${mactest_conf} -fi + sysctl security.mac.mls.enabled=0 >/dev/null + sysctl security.mac.biba.enabled=0 > /dev/null + rm ${mactest_conf} +#ping received, no firewall + fi +#mac_mls mac_biba and mac_test support + fi + ;; +*) + quick_exit + ;; +esac ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/netinet/01.t#3 (text+ko) ==== @@ -1,84 +1,81 @@ #!/bin/sh -# $FreeBSD: src/tools/regression/mactest/tests/netinet/01.t,v 1.2 2007/01/25 20:50:02 zhouzhouyi Exp $ +# $FreeBSD$ -desc="test the ifnet transmit" +desc="test mandatory access control for the ifnet transmit" - dir=`dirname $0` . ${dir}/../misc.sh -echo "1..5" +case "${os}" in +FreeBSD) + + mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null` + mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null` + mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null` + if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] && + [ "${mac_test_support}" != "" ]; then #turn off all the switches -for i in `sysctl security.mac | grep "\.enabled"| - sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do -sysctl ${i}=0 -done + for i in `sysctl security.mac | grep "\.enabled"| + sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do + sysctl ${i}=0 >/dev/null + done -mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null` -mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null` -mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null` + if [ -f ${mactest_conf} ]; then + rm ${mactest_conf} + fi + touch ${mactest_conf} + setfmac "mls/equal,biba/equal" ${mactest_conf} -if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] && - [ "${mac_test_support}" != "" ]; then - dvplabel=`getfmac ".."| sed 's/\(\.\.:\ \)\([a-z\,\/]*\)/\2/`; + sysctl security.mac.test.pseudoinit=1 > /dev/null + ifconfig mac_test0 192.167.0.33 > /dev/null + ifconfig mac_test1 192.167.1.34 > /dev/null - - if [ -f ${mactest_conf} ]; then - rm ${mactest_conf} - fi - touch ${mactest_conf} - - t=`sysctl security.mac.test.pseudoinit=1` - t=`ifconfig mac_test0 192.167.0.33` - t=`ifconfig mac_test1 192.167.1.34` - echo "enabling mactest pseudo interface" - #ensuring there is no firewall thing - notreceived=`${macping} -f ${mactest_conf} -t 2 192.167.0.34` - if [ "${#notreceived}" -eq 0 ]; then + notreceived=`${macping} -f ${mactest_conf} -t 2 192.167.0.34` + + if [ "${#notreceived}" -eq 0 ]; then + echo "1..5" - + sysctl security.mac.mls.enabled=1 > /dev/null + sysctl security.mac.biba.enabled=1 > /dev/null - -############################################################# - t=`sysctl security.mac.mls.enabled=1` - echo "enforcing mac/mls!" - t=`sysctl security.mac.biba.enabled=1` - echo "enforcing mac/biba!" - - #case 1: set the maclabel of the interface # the subject should be priviledeged. - mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \ - -f ${mactest_conf} system ifconfig mac_test0 maclabel \ - "mls/5\(4-6\),biba/low\(low-low\)" + mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \ + -f ${mactest_conf} system ifconfig mac_test0 maclabel \ + "mls/5\(4-6\),biba/low\(low-low\)" + #case 2: the packet's level must between the range of the interface - bizarretestexpect ${macping} "macping:.sendto:.Permission.denied" \ - "" -m "mls/9(low-high)" -f ${mactest_conf} -t 1 192.167.0.34 + bizarretestexpect ${macping} "macping:.sendto:.Permission.denied" \ + "" -m "mls/9(low-high)" -f ${mactest_conf} -t 1 192.167.0.34 + #case 3: the packet's level is between the range of the interface - bizarretestexpect ${macping} "" \ - "" -m "mls/5,biba/low" -f ${mactest_conf} -t 1 192.167.0.34 + bizarretestexpect ${macping} "" \ + "" -m "mls/5,biba/low" -f ${mactest_conf} -t 1 192.167.0.34 + #case 4: also do check for biba - mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \ - -f ${mactest_conf} system ifconfig mac_test0 maclabel "biba/5\(4-6\)" + mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \ + -f ${mactest_conf} system ifconfig mac_test0 maclabel "biba/5\(4-6\)" + #case 5: - echo -n "pid = -2 mac_test_check_ifnet_transmit:" > ${mactest_conf} - echo "biba/5(4-6),mls/5(4-6) biba/9,mls/low" >> ${mactest_conf} - bizarretestexpect ${macping} "macping:.sendto:.Permission.denied" \ - "" -m "biba/9" -f ${mactest_conf} -t 1 192.167.0.34 + echo -n "pid = -2 ifnet_check_transmit:" > ${mactest_conf} + echo "biba/5(4-6),mls/5(4-6) biba/9,mls/low" >> ${mactest_conf} + bizarretestexpect ${macping} "macping:.sendto:.Permission.denied"\ + "" -m "biba/9" -f ${mactest_conf} -t 1 192.167.0.34 #cleanup: - t=`sysctl security.mac.mls.enabled=0` - echo "disabling mac/mls!" - t=`sysctl security.mac.biba.enabled=0` - echo "disabling mac/biba!" - - - rm ${mactest_conf} - fi - -fi - + sysctl security.mac.mls.enabled=0 >/dev/null + sysctl security.mac.biba.enabled=0 > /dev/null + rm ${mactest_conf} +#ping received, no firewall + fi +#mac_mls mac_biba and mac_test support + fi + ;; +*) + quick_exit + ;; +esac
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200712270757.lBR7vmhi034359>