mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-06 09:21:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/tests/regression/subdomain/capabilities.sh
John Johansen 477e460858 net-raw.patch
2007-12-23 01:06:09 +00:00

130 lines
4.3 KiB
Bash
Raw Blame History

#!/bin/bash
# $Id$
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# License.
#=NAME capabilities
#=DESCRIPTION
# The capabilities test is an attempt to determine that for a variety of
# syscalls, the expected capability (especially since Immunix intercepts
# capability processing for confined processes) and no others allows successful
# access. For every syscall in the test, we iterate over each capability
# individually (plus no capabilities) in order to verify that only the expected
# capability grants access to the priviledged operation. The same is repeated
# for capabilities within hats.
#=END
# An attempt to verify what subdomain/posix capabilities actually grant
# access to. This overlaps _a lot_ with the syscall test.
# this now verifies that a capability functions within a changehat().
# FIXME: should test for a cap in the parent, but the need for the cap
# within the subprofile. Wow. oogly.
pwd=`dirname $0`
pwd=`cd $pwd ; /bin/pwd`
bin=$pwd
. $bin/prologue.inc
TESTS="syscall_ptrace syscall_sethostname \
syscall_setdomainname syscall_setpriority syscall_setscheduler \
syscall_reboot syscall_chroot \
syscall_mlockall net_raw"
# FIXME/XXX - need a test case for syscall_mknod
#only do the ioperm/iopl tests for x86 derived architectures
case `uname -i` in
i386 | i486 | i586 | i686 | x86 | x86_64)
TESTS="$TESTS syscall_ioperm syscall_iopl"
;;
esac
CAPABILITIES="chown dac_override dac_read_search fowner fsetid kill \
setgid setuid setpcap linux_immutable net_bind_service \
net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time \
sys_tty_config mknod lease audit_write audit_control"
# defines which test+capability pairs should succeed.
syscall_reboot_sys_boot=TRUE
syscall_sethostname_sys_admin=TRUE
syscall_setdomainname_sys_admin=TRUE
syscall_setpriority_sys_nice=TRUE
syscall_setscheduler_sys_nice=TRUE
syscall_ioperm_sys_rawio=TRUE
syscall_iopl_sys_rawio=TRUE
syscall_chroot_sys_chroot=TRUE
syscall_mlockall_ipc_lock=TRUE
syscall_sysctl_sys_admin=TRUE
net_raw_net_raw=TRUE
# we completely disable ptrace(), but it's not clear if we should allow it
# when the sys_ptrace cap is specified.
syscall_ptrace_sys_ptrace=TRUE
# if a test case requires arguments, add them here.
syscall_reboot_args=off
syscall_sethostname_args=a.dumb.example.com
syscall_setdomainname_args=dumb.example.com
syscall_ioperm_args="0 0x3ff"
syscall_iopl_args=3
syscall_chroot_args=${tmpdir}/
syscall_ptrace_args=sub
# if a testcase requires extra subdomain rules, add them here
syscall_chroot_extra_entries="/:r ${tmpdir}/:r"
syscall_ptrace_extra_entries="hat:sub"
net_raw_extra_entries="network:"
testwrapper=changehat_wrapper
# needed for modern linux kernels
ulimit -l 0
for TEST in ${TESTS} ; do
echo " (${TEST#syscall_})"
my_arg=$(eval echo \${${TEST}_args})
my_entries=$(eval echo \${${TEST}_extra_entries})
settest ${TEST}
runchecktest "${TEST} -- unconfined" pass ${my_arg}
genprofile ${my_entries}
runchecktest "${TEST} -- no caps" fail ${my_arg}
# iterate through each of the capabilities
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
expected_result=pass
else
expected_result=fail
fi
genprofile cap:${cap} ${my_entries}
runchecktest "${TEST} -- capability ${cap}" ${expected_result} ${my_arg}
done
# okay, now check to see if the capability functions from within
# a subprofile.
# Eww, this is ugly. subprofile tests depend on the internal
# variable dynlibs defined by prologue.inc::settest
test_dynlibs=${dynlibs}
settest ${testwrapper}
genprofile hat:${TEST} ${test_dynlibs} ${bin}/${TEST}:rix ${my_entries}
runchecktest "${TEST} changehat -- no caps" fail ${TEST} ${my_arg}
for cap in ${CAPABILITIES} ; do
if [ "X$(eval echo \${${TEST}_${cap}})" == "XTRUE" ] ; then
expected_result=pass
else
expected_result=fail
fi
genprofile hat:${TEST} ${test_dynlibs} ${bin}/${TEST}:rix cap:${cap} ${my_entries}
runchecktest "${TEST} changehat -- capability ${cap}" ${expected_result} ${TEST} ${my_arg}
done
done
Reference in a new issue View git blame Copy permalink