mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-06 17:31:01 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/tests/regression/subdomain/setattr.sh
Steve Beattie b0733fb3a4 Based on a patch from jjohansen@suse.de, does s/constrained/confined/ in 
comments and descriptions. A later patch will fix it for the few
testcases that actually check the value in /proc/pid/attr/current.
2007-03-08 21:23:17 +00:00

206 lines
5.1 KiB
Bash
Raw Blame History

#! /bin/bash
# $Id$
# Copyright (C) 2002-2005 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# License.
#=NAME setattr
#=DESCRIPTION
# Write permission is required in a confined processes profile in order to
# change the mode (chmod, chgrp, chown) of a file. This test verifies these
# system calls for unconfined and confined processes. It also includes
# the fxxx version of the tests.
#=END
checkfile()
{
_file=$1
_str=$2
_newfileperm=$3
_newuser=$4
_newgroup=$5
set -- `ls -l $_file`
if [ $1 != "$_newfileperm" -o $3 != $_newuser -o $4 != $_newgroup ]
then
echo "Error: ($_str)"
echo "Error: ls -l $file output does not look correct"
echo "Error: saw: $1/$3/$4 expected: $_newfileperm/$_newuser/$_newgroup"
fi
}
resettest()
{
rm -f $file
touch $file
chmod $origfileperm $file
}
pwd=`dirname $0`
pwd=`cd $pwd ; /bin/pwd`
bin=$pwd
. $bin/prologue.inc
file=$tmpdir/file
okperm=rw
badperm=r
pwfiles="/etc/passwd:r /etc/group:r"
origfileperm=644
origfilepermstr="-rw-r--r--"
newfileperm=400
newfilepermstr="-r--------"
origuser=`id -un`
newuser=nobody
newuid=$(awk -F: "/^${newuser}:/ {print \$3}" /etc/passwd)
origgroup=`id -gn`
# Sigh, debian uses group nogroup instead of nobody
# XXX - not sure what to do if neither exist.
if [ $(grep -c nobody /etc/group) -gt 0 ] ; then
newgroup=nobody
elif [ $(grep -c nogroup /etc/group) -gt 0 ] ; then
newgroup=nogroup
else
newgroup=bin
fi
newgid=$(awk -F: "/^${newgroup}:/ {print \$3}" /etc/group)
#echo newuser=${newuser} newuid=${newuid}
#echo newgroup=${newgroup} newgid=${newgid}
# NOTE on the ordering of tests: XFS requires the FOWNER capability
# to chgrp a file that you are not the owner of; linux's vfs layer will
# allow you to do it if you are in the group of the file without FOWNER.
# Therefore, we should do the chgrp test BEFORE changing the owner of
# the file.
# PASS TEST (UNCONFINED)
resettest
settest chmod
runchecktest "CHMOD (unconfined)" pass $file $newfileperm
settest chgrp
runchecktest "CHGRP (unconfined)" pass $file $newgid
settest chown
runchecktest "CHOWN (unconfined)" pass $file $newuid
checkfile $file "unconfined" $newfilepermstr $newuser $newgroup
# PASS TEST (UNCONFINED w/FOPS)
resettest
settest fchmod
runchecktest "FCHMOD (unconfined)" pass $file $newfileperm
settest fchgrp
runchecktest "FCHGRP (unconfined)" pass $file $newgid
settest fchown
runchecktest "FCHOWN (unconfined)" pass $file $newuid
checkfile $file "unconfined" $newfilepermstr $newuser $newgroup
# PASS TEST (CONFINED)
resettest
settest chmod
genprofile $file:$okperm
runchecktest "CHMOD (confined $okperm)" pass $file $newfileperm
settest chgrp
genprofile $file:$okperm $pwfiles cap:chown
runchecktest "CHGRP (confined $okperm)" pass $file $newgid
settest chown
genprofile $file:$okperm $pwfiles cap:chown
runchecktest "CHOWN (confined $okperm)" pass $file $newuid
checkfile $file "confined $okperm" $newfilepermstr $newuser $newgroup
# PASS TEST (CONFINED w/FOPS)
resettest
settest fchmod
genprofile $file:$okperm
runchecktest "FCHMOD (confined $okperm)" pass $file $newfileperm
settest fchgrp
genprofile $file:$okperm $pwfiles cap:chown
runchecktest "FCHGRP (confined $okperm)" pass $file $newgid
settest fchown
genprofile $file:$okperm $pwfiles cap:chown
runchecktest "FCHOWN (confined $okperm)" pass $file $newuid
checkfile $file "confined $okperm" $newfilepermstr $newuser $newgroup
# FAIL TEST (CONFINED)
resettest
settest chmod
genprofile $file:$badperm $pwfiles
runchecktest "CHMOD (confined $badperm)" fail $file $newfileperm
settest chgrp
genprofile $file:$badperm $pwfiles cap:chown
runchecktest "CHGRP (confined $badperm)" fail $file $newgid
settest chown
genprofile $file:$badperm $pwfiles cap:chown
runchecktest "CHOWN (confined $badperm)" fail $file $newuid
checkfile $file "confined $badperm" $origfilepermstr $origuser $origgroup
# FAIL TEST (CONFINED/LACKING CAPS)
resettest
settest chgrp
genprofile $file:$okperm $pwfiles
runchecktest "CHGRP (confined $okperm/no capabilities)" fail $file $newgid
settest chown
genprofile $file:$okperm $pwfiles
runchecktest "CHOWN (confined $okperm/no capabilities)" fail $file $newuid
checkfile $file "confined $badperm" $origfilepermstr $origuser $origgroup
# FAIL TEST (CONFINED w/FOPS)
resettest
settest fchmod
genprofile $file:$badperm $pwfiles
runchecktest "FCHMOD (confined $badperm)" fail $file $newfileperm
settest fchgrp
genprofile $file:$badperm $pwfiles cap:chown
runchecktest "FCHGRP (confined $badperm)" fail $file $newgid
settest fchown
genprofile $file:$badperm $pwfiles cap:chown
runchecktest "FCHOWN (confined $badperm)" fail $file $newuid
checkfile $file "confined $badperm" $origfilepermstr $origuser $origgroup
# FAIL TEST (CONFINED w/FOPS/LACKING CAPS)
resettest
settest fchgrp
genprofile $file:$okperm $pwfiles
runchecktest "FCHGRP (confined $okperm/no capabilities)" fail $file $newgid
settest fchown
genprofile $file:$okperm $pwfiles
runchecktest "FCHOWN (confined $okperm/no capabilities)" fail $file $newuid
checkfile $file "confined $badperm" $origfilepermstr $origuser $origgroup
Reference in a new issue View git blame Copy permalink