mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-07 01:41:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/tests/regression/subdomain/for-mainline/sysctl.patch
John Johansen 789c323bfe Update patches for mainline branch of AppArmor 
- includes patches to handle access to change_hat /proc/<pid>/attr/current
  being a parser rule
- the working updated ptrace patches
- update for the change in sysctl behavior from cap_sys_admin to profile
  entries
2007-04-18 21:00:11 +00:00

312 lines
8.8 KiB
Diff
Raw Blame History

Index: subdomain/capabilities.sh
===================================================================
--- subdomain.orig/capabilities.sh
+++ subdomain/capabilities.sh
@@ -31,7 +31,7 @@ bin=$pwd
. ./prologue.inc
-TESTS="syscall_ptrace syscall_sysctl syscall_sethostname \
+TESTS="syscall_ptrace syscall_sethostname \
syscall_setdomainname syscall_setpriority syscall_setscheduler \
syscall_reboot syscall_chroot \
syscall_mlockall net_raw"
Index: subdomain/syscall.sh
===================================================================
--- subdomain.orig/syscall.sh
+++ subdomain/syscall.sh
@@ -114,24 +114,9 @@ rm -f $mknod_file
runchecktest "MKNOD sock (permissions)" fail s $mknod_file
##
-## C. SYSCTL
+## D. SETHOSTNAME
##
-settest syscall_sysctl
-
-# TEST C1
-runchecktest "SYSCTL (no confinement)" pass
-
-# TEST C2
-genprofile
-runchecktest "SYSCTL (confinement/read only)" pass ro
-
-# TEST C3. sysctl will fail
-genprofile
-runchecktest "SYSCTL (confinement/write access)" fail
-
-# TEST C3. sysctl write will pass with cap_sys_admin
-genprofile cap:sys_admin
-runchecktest "SYSCTL (confinement/write access/CAP_SYS_ADMIN)" pass
+sh syscall_sysctl.sh
##
## D. SETHOSTNAME
Index: subdomain/syscall_sysctl.sh
===================================================================
--- /dev/null
+++ subdomain/syscall_sysctl.sh
@@ -0,0 +1,145 @@
+#! /bin/bash
+# $Id: syscall.sh 61 2006-05-19 18:32:14Z steve-beattie $
+
+# Copyright (C) 2002-2005 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, version 2 of the
+# License.
+
+#=NAME syscall_sysctl
+#=DESCRIPTION
+# Confined processes are prohibited from executing certain system calls.
+# This test checks sysctl which is mediated like filesystem accesses
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+sysctlgood=/proc/sys/kernel/threads-max
+sysctlbad=/proc/sys/kernel/sysrq
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+##
+## C. SYSCTL
+##
+settest syscall_sysctl
+
+runchecktest "SYSCTL (no confinement read only)" pass ro
+
+runchecktest "SYSCTL (no confinement rw)" pass
+
+genprofile $sysctlgood:r
+runchecktest "SYSCTL (confinement/good r w/ r perm)" pass ro
+
+genprofile $sysctlgood:r
+runchecktest "SYSCTL (confinement/good rw w/ r perm)" fail
+
+genprofile $sysctlgood:w
+runchecktest "SYSCTL (confinement/good r w/ w perm)" fail ro
+
+genprofile $sysctlgood:w
+runchecktest "SYSCTL (confinement/good rw w/ w perm)" fail
+
+genprofile $sysctlgood:rw
+runchecktest "SYSCTL (confinement/good r w/ rw perm)" pass ro
+
+genprofile $sysctlgood:rw
+runchecktest "SYSCTL (confinement/good rw w/ rw perm)" pass
+
+genprofile $sysctlbad:r
+runchecktest "SYSCTL (confinement/bad r w/ r perm)" fail ro
+
+genprofile $sysctlbad:r
+runchecktest "SYSCTL (confinement/bad rw w/ r perm)" fail ro
+
+genprofile $sysctlbad:w
+runchecktest "SYSCTL (confinement/bad r w/ w perm)" fail ro
+
+genprofile $sysctlbad:w
+runchecktest "SYSCTL (confinement/bad rw w/ w perm)" fail
+
+genprofile $sysctlbad:rw
+runchecktest "SYSCTL (confinement/bad r w/ rw perm)" fail ro
+
+genprofile $sysctlbad:rw
+runchecktest "SYSCTL (confinement/bad rw w/ rw perm)" fail
+
+# now test /proc/sys/ paths
+
+settest sysctl_proc
+
+#unconfined
+runchecktest "SYSCTL /proc (read no confinement)" pass $sysctlgood r
+value=`cat $sysctlgood`
+runchecktest "SYSCTL /proc (write no confinement)" pass $sysctlgood w $value
+runchecktest "SYSCTL /proc (rw no confinement)" pass $sysctlgood rw
+
+#test with profile giving access to sysctlgood
+genprofile $sysctlgood:r
+runchecktest "SYSCTL /proc (confinement/good r w/ r perm)" pass $sysctlgood r
+
+genprofile $sysctlgood:w
+runchecktest "SYSCTL /proc (confinement/good r w/ w perm)" fail $sysctlgood r
+
+genprofile $sysctlgood:rw
+runchecktest "SYSCTL /proc (confinement/good r w/ rw perm)" pass $sysctlgood r
+
+genprofile $sysctlgood:r
+value=`cat $sysctlgood`
+runchecktest "SYSCTL /proc (confinement/good w w/ r perm)" fail $sysctlgood w $value
+
+genprofile $sysctlgood:w
+value=`cat $sysctlgood`
+runchecktest "SYSCTL /proc (confinement/good w w/ w perm)" pass $sysctlgood w $value
+
+genprofile $sysctlgood:rw
+value=`cat $sysctlgood`
+runchecktest "SYSCTL /proc (confinement/good w w/ rw perm)" pass $sysctlgood w $value
+
+genprofile $sysctlgood:r
+runchecktest "SYSCTL /proc (confinement/good rw w/ r perm)" fail $sysctlgood rw
+
+genprofile $sysctlgood:w
+runchecktest "SYSCTL /proc (confinement/good rw w/ w perm)" fail $sysctlgood rw
+
+genprofile $sysctlgood:rw
+runchecktest "SYSCTL /proc (confinement/good rw w/ rw perm)" pass $sysctlgood rw
+
+#test with profile giving access to sysctlbad but access to sysctlgood
+genprofile $sysctlbad:r
+runchecktest "SYSCTL /proc (confinement/bad r w/ r perm)" fail $sysctlgood r
+
+genprofile $sysctlbad:w
+runchecktest "SYSCTL /proc (confinement/bad r w/ w perm)" fail $sysctlgood r
+
+genprofile $sysctlbad:rw
+runchecktest "SYSCTL /proc (confinement/bad r w/ rw perm)" fail $sysctlgood r
+
+genprofile $sysctlbad:r
+value=`cat $sysctlgood`
+runchecktest "SYSCTL /proc (confinement/bad w w/ r perm)" fail $sysctlgood w $value
+
+genprofile $sysctlbad:w
+value=`cat $sysctlgood`
+runchecktest "SYSCTL /proc (confinement/bad w w/ w perm)" fail $sysctlgood w $value
+
+genprofile $sysctlbad:rw
+value=`cat $sysctlgood`
+runchecktest "SYSCTL /proc (confinement/bad w w/ rw perm)" fail $sysctlgood w $value
+
+genprofile $sysctlbad:r
+runchecktest "SYSCTL /proc (confinement/bad rw w/ r perm)" fail $sysctlgood rw
+
+genprofile $sysctlbad:w
+runchecktest "SYSCTL /proc (confinement/bad rw w/ w perm)" fail $sysctlgood rw
+
+genprofile $sysctlbad:rw
+runchecktest "SYSCTL /proc (confinement/bad rw w/ rw perm)" fail $sysctlgood rw
+
+
+
Index: subdomain/Makefile
===================================================================
--- subdomain.orig/Makefile
+++ subdomain/Makefile
@@ -56,6 +56,7 @@ SRC=access.c \
syscall_setdomainname.c \
syscall_setscheduler.c \
syscall_sysctl.c \
+ sysctl_proc.c \
tcp.c \
unix_fd_client.c \
unix_fd_server.c \
Index: subdomain/sysctl_proc.c
===================================================================
--- /dev/null
+++ subdomain/sysctl_proc.c
@@ -0,0 +1,101 @@
+/* $Id: sysctl_proc.c 61 2006-05-19 18:32:14Z steve-beattie $ */
+
+/*
+ * Copyright (C) 2002-2005 Novell/SUSE
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+
+#define BUFSIZE 4096
+int main(int argc, char *argv[])
+{
+ char read_buffer[BUFSIZE], verify_buffer[BUFSIZE];
+ ssize_t read_size, write_size;
+ int fd;
+
+ if ((argc < 3) || (argc == 4 && strcmp(argv[2],"w")) || argc > 4) {
+ fprintf(stderr, "Usage: %s sysctl_path {r,w,rw} [value]\n", argv[0]);
+ return 1;
+ }
+
+ if (strcmp(argv[2],"r") == 0) {
+ fd = open(argv[1], O_RDONLY);
+ if (fd == -1) {
+ fprintf(stderr, "FAIL: proc sysctl open r failed - %s\n",
+ strerror(errno));
+ return 1;
+ }
+ read_size = read(fd, &read_buffer, sizeof(read_buffer));
+ if (read_size == -1) {
+ fprintf(stderr, "FAIL: proc sysctl read failed - %s\n",
+ strerror(errno));
+ return 1;
+ }
+ }
+
+ if (strcmp(argv[2], "w") == 0) {
+ fd = open(argv[1], O_WRONLY);
+ if (fd == -1) {
+ fprintf(stderr, "FAIL: proc sysctl open w failed - %s\n",
+ strerror(errno));
+ return 1;
+ }
+ write_size = write(fd, argv[3], strlen(argv[3]));
+ if (write_size == -1) {
+ fprintf(stderr, "FAIL: proc sysctl write failed - %s\n",
+ strerror(errno));
+ return 1;
+ }
+
+ }
+
+ if (strcmp(argv[2], "rw") == 0) {
+ fd = open(argv[1], O_RDWR);
+ if (fd == -1) {
+ fprintf(stderr, "FAIL: proc sysctl open rw failed - %s\n",
+ strerror(errno));
+ return 1;
+ }
+ read_size = read(fd, &read_buffer, sizeof(read_buffer));
+ if (read_size == -1) {
+ fprintf(stderr, "FAIL: proc sysctl read(rw) failed - %s\n",
+ strerror(errno));
+ return 1;
+ }
+ lseek(fd, 0, SEEK_SET);
+ write_size = write(fd, &read_buffer, read_size);
+ if (write_size == -1 || write_size != read_size) {
+ fprintf(stderr, "FAIL: proc sysctl write(rw) failed - %s\n",
+ strerror(errno));
+ return 1;
+ }
+
+ lseek(fd, 0, SEEK_SET);
+ read_size = read(fd, &verify_buffer, sizeof(verify_buffer));
+ if (read_size == -1 || read_size != write_size) {
+ fprintf(stderr, "FAIL: proc sysctl verify(rw) failed || %d != %d - %s\n", read_size, write_size,
+ strerror(errno));
+ return 1;
+ }
+ if (memcmp(read_buffer, verify_buffer, read_size) != 0) {
+ fprintf(stderr, "FAIL: proc sysctl verify failed - %s\n",
+ strerror(errno));
+ return 1;
+ }
+ }
+
+ printf("PASS\n");
+
+ return 0;
+}
Reference in a new issue View git blame Copy permalink