Date: Thu, 3 Jan 2008 06:37:38 GMT From: Zhouyi ZHOU <zhouzhouyi@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 132373 for review Message-ID: <200801030637.m036bcmg018676@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=132373 Change 132373 by zhouzhouyi@zhouzhouyi_mactest on 2008/01/03 06:36:44 style modification Affected files ... .. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/open/02.t#5 edit Differences ... ==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/open/02.t#5 (text+ko) ==== 
@@ -1,80 +1,91 @@ #!/bin/sh -# $FreeBSD: src/tools/regression/mactest/tests/open/02.t,v 1.1 2007/06/04 01:42:08 zhouzhouyi Exp $ +# $FreeBSD$ -desc="open opens (and eventually creates) a file, checking the effects of MAC enforcement" +desc="open opens (and eventually creates) a file" - - dir=`dirname $0` . ${dir}/../misc.sh -echo "1..7" +case "${os}" in +FreeBSD) + + mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null` + mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null` + mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null` -n0=`namegen` -n1=`namegen` + if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] && + [ "${mac_test_support}" != "" ]; then #turn off all the switches -for i in `sysctl security.mac | grep "\.enabled"| - sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do -sysctl ${i}=0 -done + for i in `sysctl security.mac | grep "\.enabled"| + sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do + sysctl ${i}=0 >/dev/null + done + + + if [ -f ${mactest_conf} ]; then + rm ${mactest_conf} + fi + touch ${mactest_conf} + setfmac "mls/equal,biba/equal" ${mactest_conf} + + echo "1..7" + + n0=`namegen` + n1=`namegen` + -mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null` -#following test case is to show, when subject's effective mls level does not dominate -#object's effective mls level, a ESRCH is returned when signaling -if [ "${mac_mls_support}" != "" ] ; then + dvplabel=`getfmac ".."| sed 's/\(\.\.:\ \)\([a-z\,\/]*\)/\2/`; - dvplabel=`getfmac "."| sed 's/\(\.:\ \)\([a-z\,\/]*\)/\2/` - + sysctl security.mac.mls.enabled=1 > /dev/null +#case 1 unsucessful create #examine the label of its parent directory - echo -n "pid = -1 mac_test_check_vnode_lookup:" > ${mactest_conf} - echo "biba/high(low-high),mls/10(low-high) ${dvplabel}" >> ${mactest_conf} + echo -n "pid = -1 vnode_check_lookup:" > ${mactest_conf} + echo "biba/high(low-high),mls/10(low-high) ${dvplabel}" >> ${mactest_conf} #check 
the label of its parent directory - echo -n "pid = -1 mac_test_check_vnode_create:" >> ${mactest_conf} - echo "biba/high(low-high),mls/10(low-high) ${dvplabel}" >> ${mactest_conf} + echo -n "pid = -1 vnode_check_create:" >> ${mactest_conf} + echo "biba/high(low-high),mls/10(low-high) ${dvplabel}" >> ${mactest_conf} #since the mac_mls forbid the vnode create, there are no vnode label initialization -#and vnode extattr creating. +#BLP: no write down + mactestexpect "" EACCES -m "mls/10(low-high)" -f ${mactest_conf} mkdir ${n1} 0755 + truncate -s 0 ${mactest_conf} - t=`sysctl security.mac.mls.enabled=1` - echo "enforcing mac/mls!" - -#BLP: no write down - mactestexpect "" EACCES -m "mls/10(low-high)" -f ${mactest_conf} mkdir ${n1} 0755 - - rm ${mactest_conf} - touch ${mactest_conf} #the mac hook checking is already done in previous test cases! - mactestexpect "" 0 -m ${dvplabel} -f ${mactest_conf} mkdir ${n1} 0755 - mactestexpect "" "" -m ${dvplabel} -f ${mactest_conf} system setfmac "mls/10" ${n1} +#case 2 create the directory + mactestexpect "" 0 -m ${dvplabel} -f ${mactest_conf} mkdir ${n1} 0755 +#case 3 label the directory + mactestexpect "" "" -m ${dvplabel} -f ${mactest_conf} system setfmac "mls/10" ${n1} -#BLP: no read high - echo -n "pid = -1 mac_test_check_vnode_open#VREAD:" > ${mactest_conf} - echo "biba/high(low-high),mls/low(low-high) biba/high,mls/10" >> ${mactest_conf} - mactestexpect "" EACCES -m ${dvplabel} -f ${mactest_conf} open ${n1} O_RDONLY +#case 4 BLP: no read high + echo -n "pid = -1 vnode_check_open#VREAD:" > ${mactest_conf} + echo "biba/high(low-high),mls/low(low-high) biba/high,mls/10" >> ${mactest_conf} + mactestexpect "" EACCES -m ${dvplabel} -f ${mactest_conf} open ${n1} O_RDONLY +#case 5 #there will be mac_check_vnode_stat in setfmac - echo -n "pid = -2 mac_test_check_vnode_stat:" > ${mactest_conf} - echo "biba/high(low-high),mls/low(low-high) NULL biba/high,mls/10" >> ${mactest_conf} - mactestexpect 
"setfmac:.traversing.${n1}:.Permission.denied" "" -m ${dvplabel} -f ${mactest_conf} system setfmac "mls/low" ${n1} + echo -n "pid = -2 vnode_check_stat:" > ${mactest_conf} + echo "biba/high(low-high),mls/low(low-high) biba/high,mls/10" >> ${mactest_conf} + mactestexpect "setfmac:.traversing.${n1}:.Permission.denied" "" -m ${dvplabel} -f ${mactest_conf} system setfmac "mls/low" ${n1} -#relabel the vnode to mls/low - rm ${mactest_conf} - touch ${mactest_conf} - mactestexpect "" "" -m mls/10 -f ${mactest_conf} system setfmac "mls/low" ${n1} +#case 6 relabel the vnode to mls/low + truncate -s 0 ${mactest_conf} + mactestexpect "" "" -m mls/10 -f ${mactest_conf} system setfmac "mls/low" ${n1} +#case 7 BLP: ok read low + mactestexpect "" 0 -m mls/10 -f ${mactest_conf} open ${n1} O_RDONLY -#BLP: ok read low - mactestexpect "" 0 -m mls/10 -f ${mactest_conf} open ${n1} O_RDONLY - - - t=`sysctl security.mac.mls.enabled=0` - echo "disabling mac/mls!" - #cleanup: -# cd .. - rm -fr ${n1} - rm ${mactest_conf} - -fi+ sysctl security.mac.mls.enabled=0 >/dev/null + sysctl security.mac.biba.enabled=0 > /dev/null + cd .. + rm -fr ${n1} + rm ${mactest_conf} +#mac_mls mac_biba and mac_test support + fi + ;; +*) + quick_exit + ;; +esac
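Review bot: The new loop `sysctl ${i}=0 >/dev/null` switches off every `security.mac.*.enabled` policy on the host, and the cleanup at the end of the hunk only writes `0` to the mls and biba switches, so the machine is left with all MAC enforcement disabled rather than in the state it started in. With the output now sent to /dev/null, the operator also gets no indication that this happened. Nothing visible here restores the earlier values (misc.sh is not shown, so confirm it does not), and an abort between `security.mac.mls.enabled=1` and the cleanup would skip even the two resets. I would record the values before the loop and restore them from an exit trap, which replaces the two fixed `=0` calls in the cleanup.

```shell
    # remember each policy's state before the test switches it off
    mac_saved=`sysctl security.mac | grep "\.enabled" | sed 's/: /=/'`
    restore_mac()
    {
        for kv in ${mac_saved}; do
            sysctl "${kv}" >/dev/null
        done
    }
    # runs on normal exit and on an early abort alike
    trap restore_mac EXIT

    # … unchanged: loop that sets every security.mac.*.enabled to 0 …
    # … unchanged: mactest_conf setup and test cases 1-7 …

#cleanup:
    # … removed: the two fixed "sysctl security.mac.{mls,biba}.enabled=0" calls; the trap restores the saved values …
    cd ..
```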