mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-07 01:41:00 +01:00
111 lines
4.1 KiB
Bash
Executable file
111 lines
4.1 KiB
Bash
Executable file
#! /bin/bash
|
|
# $Id: changehat_misc.sh 6285 2006-02-24 22:24:47Z steve $
|
|
|
|
# Copyright (C) 2002-2005 Novell/SUSE
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation, version 2 of the
|
|
# License.
|
|
|
|
#=NAME changehat_misc
|
|
#=DESCRIPTION
|
|
# Variety of tests verifying entry to subprofiles and return back to parent.
|
|
# AppArmor has rigid requirements around the correct use of the magic# token
|
|
# passed to changehat.
|
|
#=END
|
|
|
|
pwd=`dirname $0`
|
|
pwd=`cd $pwd ; /bin/pwd`
|
|
|
|
bin=$pwd
|
|
|
|
. $bin/prologue.inc
|
|
|
|
file=$tmpdir/file
|
|
subfile=$tmpdir/file2
|
|
okperm=rw
|
|
|
|
subtest=sub
|
|
subtest2=sub2
|
|
|
|
touch $file $subfile
|
|
|
|
# NO CHANGEHAT TEST
|
|
|
|
genprofile $file:$okperm
|
|
|
|
runchecktest "NO CHANGEHAT (access parent file)" pass nochange $file
|
|
runchecktest "NO CHANGEHAT (access sub file)" fail nochange $subfile
|
|
|
|
# CHANGEHAT TEST - test if can enter and exit a subprofile
|
|
|
|
genprofile $file:$okperm hat:$subtest $subfile:$okperm
|
|
|
|
runchecktest "CHANGEHAT (access parent file)" pass $subtest $file
|
|
runchecktest "CHANGEHAT (access sub file)" fail $subtest $subfile
|
|
|
|
# CHANGEHAT - test enter subprofile -> fork -> exit subprofile
|
|
settest changehat_misc2
|
|
|
|
genprofile $file:$okperm hat:$subtest $subfile:$okperm
|
|
|
|
runchecktest "FORK BETWEEN CHANGEHATS (access parent file)" pass $subtest $file
|
|
runchecktest "FORK BETWEEN CHANGEHATS (access sub file)" fail $subtest $subfile
|
|
|
|
# CHANGEHAT FROM ONE SUBPROFILE TO ANOTHER
|
|
settest changehat_twice
|
|
|
|
genprofile hat:$subtest $subfile:$okperm hat:$subtest2 $file:$okperm
|
|
|
|
runchecktest "CHANGEHAT (subprofile->subprofile)" pass $subtest $subtest2 goodmagic $file
|
|
|
|
echo
|
|
echo "*** A 'Killed' message from bash is expected for the following test"
|
|
runchecktest "CHANGEHAT (subprofile->subprofile w/ bad magic)" signal9 $subtest $subtest2 badmagic $file
|
|
|
|
# 1. ATTEMPT TO CHANGEGAT TO AN INVALUD PROFILE, SHOULD PUT US INTO A NULL
|
|
# PROFILE
|
|
# 2. ATTEMPT TO CHANGEHAT OUT WITH BAD TOKEN
|
|
settest changehat_fail
|
|
|
|
genprofile hat:$subtest
|
|
|
|
runchecktest "CHANGEHAT (bad subprofile)" fail ${subtest2}
|
|
|
|
echo
|
|
echo "*** A 'Killed' message from bash is expected for the following test"
|
|
runchecktest "CHANGEHAT (bad token)" signal9 ${subtest}
|
|
|
|
# Attempt to changehat out of a profile when the magic token is 0
|
|
# ugh, need dynlibs from open test
|
|
settest open
|
|
open_dynlibs=${dynlibs}
|
|
settest changehat_wrapper
|
|
|
|
genprofile hat:open ${dynlibs} ${bin}/open:rix ${file}:${okperm}
|
|
|
|
runchecktest "CHANGEHAT (noexit subprofile (token=0))" pass --token=0 open ${file}
|
|
runchecktest "CHANGEHAT (exit noexit subprofile (token=0))" fail --token=0 --exit_hat open ${file}
|
|
|
|
if [ -f /proc/self/attr/current ] ; then
|
|
# do some tests of writing directly to /proc/self/attr/current, skipping
|
|
# libimmunx. Only do these tests if the extended attribute exists.
|
|
runchecktest "CHANGEHAT (subprofile/write to /proc/attr/current)" pass --manual=123456 open ${file}
|
|
runchecktest "CHANGEHAT (exit subprofile/write to /proc/attr/current)" pass --manual=123456 --exit_hat open ${file}
|
|
runchecktest "CHANGEHAT (noexit subprofile/write 0 to /proc/attr/current)" pass --manual=0 open ${file}
|
|
runchecktest "CHANGEHAT (noexit subprofile/write 00000000 to /proc/attr/current)" pass --manual=00000000 open ${file}
|
|
# verify that the kernel accepts the command "changehat ^hat\0" and
|
|
# treats an empty token as 0.
|
|
runchecktest "CHANGEHAT (noexit subprofile/write \"\" to /proc/attr/current)" fail --manual="" open ${file}
|
|
runchecktest "CHANGEHAT (exit of noexit subprofile/write 0 to /proc/attr/current)" fail --manual=0 --exit_hat open ${file}
|
|
runchecktest "CHANGEHAT (exit of noexit subprofile/write 00000000 to /proc/attr/current)" fail --manual=00000000 --exit_hat open ${file}
|
|
runchecktest "CHANGEHAT (exit of noexit subprofile/write \"\" to /proc/attr/current)" fail --manual="" --exit_hat open ${file}
|
|
fi
|
|
|
|
# CHANGEHAT and PTHREADS: test that change_hat functions correctly in
|
|
# the presence of threads
|
|
settest changehat_pthread
|
|
genprofile $file:$okperm "/proc/**:w" hat:fez $subfile:$okperm "/proc/**:w"
|
|
runchecktest "CHANGEHAT PTHREAD (access parent file)" fail $file
|
|
runchecktest "CHANGEHAT PTHREAD (access sub file)" pass $subfile
|