Date: Wed, 28 Nov 2007 07:00:57 GMT From: Zhouyi ZHOU <zhouzhouyi@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 129682 for review Message-ID: <200711280700.lAS70va8054700@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=129682
Change 129682 by zhouzhouyi@zhouzhouyi_mactest on 2007/11/28 07:00:06
modify sysv semaphore test for mandatory access control
Affected files ...
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/posix_sem.c#2 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/sysvsem/00.t#2 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#15 edit
Differences ...
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/posix_sem.c#2 (text+ko) ====
@@ -34,7 +34,7 @@
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $FreeBSD
+ * $FreeBSD$
 */
 #include <semaphore.h>
 #include <unistd.h>
@@ -50,7 +50,7 @@
 sem_t *sem;
 int val;
-int logfd;
+
 const char *macconf_file = NULL;
 const char *creator_label = NULL;
 const char *write_label = NULL;
@@ -109,7 +109,7 @@
 if (sigaction(SIGSYS, &sa, NULL) == -1)
 err(1, "sigaction SIGSYS");
- logfd = open("/dev/mactest", O_RDWR);
+ logfd = open(LOGDEV, O_RDWR);
 ioctl(logfd, BEGINLOG, NULL);
 switch ((child_pid = fork())) {
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/sysvsem/00.t#2 (text+ko) ====
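Review bot: In posix_sem.c the descriptor returned by `open(LOGDEV, O_RDWR)` goes straight into `ioctl(logfd, BEGINLOG, NULL)` without a check, so when the mactest device is missing or cannot be opened the test carries on with logging never started and the MAC decisions it is meant to verify go unrecorded. I would fail fast in the same style as the sigaction check just above: `if ((logfd = open(LOGDEV, O_RDWR)) == -1) err(1, "open %s", LOGDEV);` and `if (ioctl(logfd, BEGINLOG, NULL) == -1) err(1, "ioctl BEGINLOG");`. The second hunk drops the file-local `int logfd;`, and neither its new declaration nor the definition of `LOGDEV` is visible in this change; presumably both now come from a shared header, which is worth naming in a comment next to the open call. The enclosing function starts and ends outside the hunk.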
@@ -1,75 +1,75 @@
 #!/bin/sh
-# $FreeBSD: src/tools/regression/mactest/tests/sysvsem/00.t,v 1.2 2007/01/25 20:50:02 zhouzhouyi Exp $
+# $FreeBSD$
-desc="manipulate sysv share memory"
+desc="manipulate sysv semaphore"
 dir=`dirname $0`
 . ${dir}/../misc.sh
-echo "1..4"
+case "${os}" in
+FreeBSD)
-#turn off all the switches
-for i in `sysctl security.mac | grep "\.enabled"|
- sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
-sysctl ${i}=0
-done
+ mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
+ mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
+ mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
-mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
-mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
-mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
+ if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
+ [ "${mac_test_support}" != "" ]; then
+#turn off all the switches
+ for i in `sysctl security.mac | grep "\.enabled"|
+ sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
+ sysctl ${i}=0 >/dev/null
+ done
-if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
- [ "${mac_test_support}" != "" ] ; then
+ if [ -f ${mactest_conf} ]; then
+ rm ${mactest_conf}
+ fi
+ touch ${mactest_conf}
+ setfmac "mls/equal,biba/equal" ${mactest_conf}
-
-
- if [ -f ${mactest_conf} ]; then
- rm ${mactest_conf}
- fi
- touch ${mactest_conf}
+ echo "1..4"
 #############################################################
- t=`sysctl security.mac.mls.enabled=1`
- echo "enforcing mac/mls!"
- t=`sysctl security.mac.biba.enabled=1`
- echo "enforcing mac/biba!"
- t=`sysctl security.mac.mls.revocation_enabled=1`
- t=`sysctl security.mac.biba.revocation_enabled=1`
- echo "enabling revoking"
-#option -c creator's label, option -u undo label
+ sysctl security.mac.mls.enabled=1 >/dev/null
+ sysctl security.mac.biba.enabled=1 > /dev/null
+#semtest option -c creator's label, option -u undo label
 #option -s ipc_stat label, -e ipc_set label -f macconf_file
 #case 1: check mls no ipc_stat high, will be intercepted by semget at the first place instead
 #of semctl
- echo -n "pid = -2 mac_test_check_sysv_semget with cr_label and semaklabel:" > ${mactest_conf}
- echo "biba/high(low-high),mls/4(low-high) biba/high,mls/5" >> ${mactest_conf}
- bizarretestexpect ${semtest} "semtest:.ipc.stat:.semget:.Permission.denied" "" -c "mls/5" -s "mls/4" \
- -u "mls/5" -e "mls/5" -f ${mactest_conf}
+ echo -n "pid = -2 sysvsem_check_semget:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/4(low-high) biba/high,mls/5" >> ${mactest_conf}
+ bizarretestexpect ${semtest} "semtest:.ipc.stat:.semget:.Permission.denied" "" -c "mls/5" -s "mls/4" \
+ -u "mls/5" -e "mls/5" -f ${mactest_conf}
+
 #case 2: biba no ipc_stat low
- truncate -s 0 ${mactest_conf}
- bizarretestexpect ${semtest} "semtest:.ipc.stat:.semget:.Permission.denied" "" -c "biba/5" -s "biba/6" \
- -u "biba/5" -e "biba/5" -f ${mactest_conf}
+ truncate -s 0 ${mactest_conf}
+ bizarretestexpect ${semtest} "semtest:.ipc.stat:.semget:.Permission.denied" "" -c "biba/5" -s "biba/6" \
+ -u "biba/5" -e "biba/5" -f ${mactest_conf}
+
 #case 3: check mls no write down by means of semop UNDO
- echo -n "pid = -2 mac_test_check_sysv_semop#SEM_A:" > ${mactest_conf}
- echo "biba/high(low-high),mls/6(low-high) biba/high,mls/5" >> ${mactest_conf}
- bizarretestexpect ${semtest} "*semop.\-1:.Permission.denied" "" -c "mls/5" -s "mls/5" \
- -u "mls/6" -e "mls/5" -f ${mactest_conf}
+ echo -n "pid = -2 sysvsem_check_semop#SEM_A:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/6(low-high) biba/high,mls/5" >> ${mactest_conf}
+ bizarretestexpect ${semtest} "*semop.\-1:.Permission.denied" "" -c "mls/5" -s "mls/5" \
+ -u "mls/6" -e "mls/5" -f ${mactest_conf}
+
 #case 4: biba no write high by means of semop UNDO
- truncate -s 0 ${mactest_conf}
- bizarretestexpect ${semtest} "*semop.\-1:.Permission.denied" "" -c "biba/5" -s "biba/5" \
- -u "biba/4" -e "biba/5" -f ${mactest_conf}
-
-
+ truncate -s 0 ${mactest_conf}
+ bizarretestexpect ${semtest} "*semop.\-1:.Permission.denied" "" -c "biba/5" -s "biba/5" \
+ -u "biba/4" -e "biba/5" -f ${mactest_conf}
 #cleanup:
- t=`sysctl security.mac.mls.enabled=0`
- echo "disabling mac/mls!"
- t=`sysctl security.mac.biba.enabled=0`
- echo "disabling mac/biba!"
+ sysctl security.mac.mls.enabled=0 >/dev/null
+ sysctl security.mac.biba.enabled=0 > /dev/null
+ rm ${mactest_conf}
+ fi
+ ;;
+*)
+ quick_exit
+ ;;
+esac
-
- rm ${mactest_conf}
-fi
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#15 (text+ko) ====
@@ -2222,6 +2222,10 @@
 LOG_DECL
 LABEL_CHECK(cred->cr_label, MAGIC_CRED);
 LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
+ if (accesstype & SEM_A)
+ APPEND_FLAG("SEM_A");
+ if (accesstype & SEM_R)
+ APPEND_FLAG("SEM_R");
 COUNTER_INC(sysvsem_check_semop);
 return (0);
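Review bot: In tests/sysvsem/00.t the loop under `#turn off all the switches` sets every `security.mac.*.enabled` sysctl to 0, but the `#cleanup:` block only writes 0 back to mls and biba, so a host that was enforcing MAC policies before the run is left with all of them disabled afterwards. The script should record each value before clearing it and put the saved values back in cleanup, ideally from a `trap` so that an aborted run restores them too. The sketch below replaces the switch-off loop and the two `sysctl ...=0` cleanup lines; it is untested here and assumes the policies' `enabled` knobs are writable at run time.

```shell
#turn off all the switches, remembering what each one was set to
	mac_saved=""
	for i in `sysctl -N security.mac | grep "\.enabled$"`; do
		mac_saved="${mac_saved} ${i}=`sysctl -n ${i}`"
		sysctl ${i}=0 >/dev/null
	done
	# ... unchanged: mactest_conf setup and test cases 1-4 ...
#cleanup: put every policy back the way the test found it
	for i in ${mac_saved}; do
		sysctl ${i} >/dev/null
	done
	rm ${mactest_conf}
```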
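Review bot: In mac_test.c the two new `if` statements use `APPEND_FLAG(...)` as an unbraced body, which is only safe if that macro expands to a single statement; its definition is not part of this change, so unless it is wrapped in `do { } while (0)` I would brace the bodies, e.g. `if (accesstype & SEM_A) { APPEND_FLAG("SEM_A"); }`. A short comment above them would also help, along the lines of `/* Flag names appear after '#' in mactest configuration lines, e.g. sysvsem_check_semop#SEM_A. */`, if that is indeed how the matcher works, since 00.t in this same change depends on that exact spelling. When both bits are set both flags are appended, and it is not visible here how the log matcher treats the combined form. The enclosing check function starts outside the hunk.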