Skip to content
Snippets Groups Projects
Commit 3353b316 authored by Simon Ruderich's avatar Simon Ruderich
Browse files

slsm: t: check reading from slsm/profiles 

Also change $CAT to $HEAD in / tests, as test_cmp seems to use $CAT.

Reorders were necessary in a few cases to match the generated output.
parent 951f41ad
Branches
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
security/slsm/t/slsm-tests.sh
+ 100
97
View file @ 3353b316
......@@ -22,7 +22,7 @@ setup() {
mount -t securityfs securityfs /tmp/slsm-security || exit 1
}
cleanup() {
rules 'p=/' 'm=7' # allow everything
rules 'p=/' 'a=' 'm=7' 'f=0' # allow everything
umount /tmp/slsm-security
rm -rf /tmp/slsm /tmp/slsm-security
}
......@@ -32,7 +32,10 @@ rules() {
printf '%s\0' "$arg"
done
printf '\0'
} >/tmp/slsm-security/slsm/profiles
} >tmp-rules &&
cat tmp-rules >/tmp/slsm-security/slsm/profiles &&
cat /tmp/slsm-security/slsm/profiles >tmp-result &&
test_cmp tmp-rules tmp-result
}
......@@ -53,28 +56,28 @@ TOUCH="$(absolute_path touch)"
test_expect_success 'disallow all access to /' "
test_when_finished cleanup && setup &&
\
rules p=/ a=$CAT m=0 &&
! $CAT /dev/null # test_must_fail does not work here as the binary can't start
rules p=/ a=$HEAD m=0 f=0 &&
! $HEAD /dev/null # test_must_fail does not work here as the binary can't start
"
test_expect_success 'disallow read access to /' "
test_when_finished cleanup && setup &&
\
rules p=/ a=$CAT m=3 &&
! $CAT /dev/null # test_must_fail does not work here as the binary can't start
rules p=/ a=$HEAD m=3 f=0 &&
! $HEAD /dev/null # test_must_fail does not work here as the binary can't start
"
test_expect_success 'disallow write access to /' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
rules p=/ a=$RM m=5 '' \
p=/ a=$LN m=5 &&
rules p=/ a=$RM m=5 f=0 '' \
p=/ a=$LN m=5 f=0 &&
test_must_fail $RM /tmp/slsm/test-me &&
test_must_fail $LN -s y /tmp/slsm/x
"
test_expect_success 'disallow exec access to /' "
test_when_finished cleanup && setup &&
\
rules p=/ a=$PERL m=6 &&
rules p=/ a=$PERL m=6 f=0 &&
test_must_fail $PERL -e 'system(\"true\") == 0 or exit 1'
"
......@@ -82,7 +85,7 @@ test_expect_success 'disallow all access to /tmp/slsm' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
rules p=/tmp/slsm a=$CAT m=0 &&
rules p=/tmp/slsm a=$CAT m=0 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
$CAT /dev/null
"
......@@ -90,15 +93,15 @@ test_expect_success 'disallow read access to /tmp/slsm' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
rules p=/tmp/slsm a=$CAT m=3 &&
rules p=/tmp/slsm a=$CAT m=3 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
$CAT /dev/null
"
test_expect_success 'disallow write access to /tmp/slsm' "
test_when_finished cleanup && setup &&
\
rules p=/tmp/slsm a=$TOUCH m=5 '' \
p=/tmp/slsm a=$LN m=5 &&
rules p=/tmp/slsm a=$TOUCH m=5 f=0 '' \
p=/tmp/slsm a=$LN m=5 f=0 &&
test_must_fail $TOUCH /tmp/slsm/test-me &&
test_must_fail $LN -s y /tmp/slsm/x &&
$TOUCH /var/tmp/test-me &&
......@@ -116,7 +119,7 @@ test_expect_success 'disallow exec access to /tmp/slsm' "
/tmp/slsm/test-me2 >actual &&
test_cmp expected actual &&
\
rules p=/tmp/slsm a=$BASH m=6 &&
rules p=/tmp/slsm a=$BASH m=6 f=0 &&
test_must_fail $BASH /tmp/slsm/test-me
"
......@@ -125,7 +128,7 @@ test_expect_success 'correct matching for prefixes' "
touch /tmp/slsm/test-me &&
touch /tmp/slsm/test-me2 &&
\
rules p=/tmp/slsm/test-me2 m=0 &&
rules p=/tmp/slsm/test-me2 a= m=0 f=0 &&
test_must_fail cat /tmp/slsm/test-me2 &&
cat /tmp/slsm/test-me
"
......@@ -134,8 +137,8 @@ test_expect_success 'no circumvention via hardlinks' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
rules p=/tmp/slsm/test-me m=4 '' \
p=/tmp/slsm/test-me2 m=0 &&
rules p=/tmp/slsm/test-me a= m=4 f=0 '' \
p=/tmp/slsm/test-me2 a= m=0 f=0 &&
ln /tmp/slsm/test-me /tmp/slsm/test-me2 &&
test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me3
"
......@@ -143,8 +146,8 @@ test_expect_success 'no circumvention via hardlinks (inherit)' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
rules p=/tmp/slsm/test-me m=5 f=1 '' \
p=/tmp/slsm/test-me2 m=5 &&
rules p=/tmp/slsm/test-me a= m=5 f=1 '' \
p=/tmp/slsm/test-me2 a= m=5 f=0 &&
test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me2
"
......@@ -152,8 +155,8 @@ test_expect_success 'no circumvention via hardlinks (confine)' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
rules p=/tmp/slsm/test-me m=5 f=2 '' \
p=/tmp/slsm/test-me2 m=5 &&
rules p=/tmp/slsm/test-me a= m=5 f=2 '' \
p=/tmp/slsm/test-me2 a= m=5 f=0 &&
test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me2
"
......@@ -162,7 +165,7 @@ test_expect_success 'disallow all access to file' "
echo test-me >/tmp/slsm/test-me &&
echo test-me2 >/tmp/slsm/test-me2 &&
\
rules p=/tmp/slsm/test-me m=0 &&
rules p=/tmp/slsm/test-me a= m=0 f=0 &&
test_must_fail cat /tmp/slsm/test-me &&
test_must_fail sh -c 'echo >/tmp/slsm/test-me' &&
rm /tmp/slsm/test-me &&
......@@ -174,8 +177,8 @@ test_expect_success 'disallow delete of file' "
test_when_finished cleanup && setup &&
echo test-me >/tmp/slsm/test-me &&
\
rules p=/tmp/slsm m=0 '' \
p=/tmp/slsm/test-me m=7 &&
rules p=/tmp/slsm a= m=0 f=0 '' \
p=/tmp/slsm/test-me a= m=7 f=0 &&
test_must_fail rm /tmp/slsm/test-me &&
echo test-me >expected &&
test_cmp expected /tmp/slsm/test-me &&
......@@ -191,8 +194,8 @@ test_expect_success 'confine process' "
echo 'exec cat /tmp/slsm/private' >>/tmp/slsm/script &&
chmod +x /tmp/slsm/script &&
\
rules a=/tmp/slsm/script p=/tmp/slsm/private m=0 '' \
p=/tmp/slsm/script m=5 f=2 &&
rules p=/tmp/slsm/private a=/tmp/slsm/script m=0 f=0 '' \
p=/tmp/slsm/script a= m=5 f=2 &&
test_must_fail /tmp/slsm/script &&
echo data >expected &&
test_cmp expected /tmp/slsm/private
......@@ -203,33 +206,33 @@ test_expect_success 'last matching rule for a node is used' "
echo test-me >/tmp/slsm/test-me &&
echo test-me2 >/tmp/slsm/test-me2 &&
\
rules p=/tmp/slsm/test-me a=$CAT m=7 '' \
p=/tmp/slsm/test-me a=$CAT m=7 '' \
p=/tmp/slsm/test-me a=$CAT m=7 '' \
p=/tmp/slsm/test-me a=$CAT m=6 '' \
p=/tmp/slsm/test-me a=$CAT m=6 '' \
p=/tmp/slsm/test-me a=$CAT m=6 '' \
p=/tmp/slsm/test-me a=$CAT m=5 '' \
p=/tmp/slsm/test-me a=$CAT m=5 '' \
p=/tmp/slsm/test-me a=$CAT m=5 '' \
p=/tmp/slsm/test-me a=$CAT m=4 '' \
p=/tmp/slsm/test-me a=$CAT m=4 '' \
p=/tmp/slsm/test-me a=$CAT m=4 '' \
p=/tmp/slsm/test-me a=$CAT m=3 '' \
p=/tmp/slsm/test-me a=$CAT m=3 '' \
p=/tmp/slsm/test-me a=$CAT m=3 '' \
p=/tmp/slsm/test-me a=$CAT m=2 '' \
p=/tmp/slsm/test-me a=$CAT m=2 '' \
p=/tmp/slsm/test-me a=$CAT m=2 '' \
p=/tmp/slsm/test-me a=$CAT m=1 '' \
p=/tmp/slsm/test-me a=$CAT m=1 '' \
p=/tmp/slsm/test-me a=$CAT m=1 '' \
p=/tmp/slsm/test-me a=$CAT m=0 '' \
p=/tmp/slsm/test-me a=$CAT m=0 '' \
p=/tmp/slsm/test-me a=$CAT m=0 '' \
p=/tmp/slsm/test-me2 a=$CAT m=0 '' \
p=/tmp/slsm/test-me2 a=$CAT m=2 '' \
p=/tmp/slsm/test-me2 a=$CAT m=4 &&
rules p=/tmp/slsm/test-me a=$CAT m=7 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=7 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=7 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=6 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=6 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=6 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=5 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=5 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=5 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=4 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=4 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=4 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=3 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=3 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=3 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=2 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=2 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=2 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=1 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=1 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=1 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
p=/tmp/slsm/test-me2 a=$CAT m=0 f=0 '' \
p=/tmp/slsm/test-me2 a=$CAT m=2 f=0 '' \
p=/tmp/slsm/test-me2 a=$CAT m=4 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
echo test-me2 >expected &&
$CAT /tmp/slsm/test-me2 >actual &&
......@@ -251,14 +254,14 @@ test_expect_success 'most specific path is used' "
done &&
find /tmp/slsm | sort &&
\
rules p=/tmp/slsm m=0 '' \
p=/tmp/slsm/a m=1 '' \
p=/tmp/slsm/a/b m=2 '' \
p=/tmp/slsm/a/b/c m=3 '' \
p=/tmp/slsm/a/b/c/d m=4 '' \
p=/tmp/slsm/a/b/c/d/e m=5 '' \
p=/tmp/slsm/a/b/c/d/e/f m=6 '' \
p=/tmp/slsm/a/b/c/d/e/f/g m=7 &&
rules p=/tmp/slsm a= m=0 f=0 '' \
p=/tmp/slsm/a a= m=1 f=0 '' \
p=/tmp/slsm/a/b a= m=2 f=0 '' \
p=/tmp/slsm/a/b/c a= m=3 f=0 '' \
p=/tmp/slsm/a/b/c/d a= m=4 f=0 '' \
p=/tmp/slsm/a/b/c/d/e a= m=5 f=0 '' \
p=/tmp/slsm/a/b/c/d/e/f a= m=6 f=0 '' \
p=/tmp/slsm/a/b/c/d/e/f/g a= m=7 f=0 &&
\
test_must_fail cat /tmp/slsm/x &&
test_must_fail /tmp/slsm/y &&
......@@ -299,11 +302,11 @@ test_expect_success 'multiple rules per file' "
test_when_finished cleanup && setup &&
echo test-me >/tmp/slsm/test-me &&
\
rules p=/tmp/slsm/test-me a=$CAT m=0 '' \
p=/tmp/slsm/test-me a=$HEAD m=0 '' \
p=/tmp/slsm/test-me a=$TAIL m=0 '' \
p=/tmp/slsm/test-me a=$PERL m=2 '' \
p=/tmp/slsm/test-me a=$BASH m=0 &&
rules p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
p=/tmp/slsm/test-me a=$HEAD m=0 f=0 '' \
p=/tmp/slsm/test-me a=$TAIL m=0 f=0 '' \
p=/tmp/slsm/test-me a=$PERL m=2 f=0 '' \
p=/tmp/slsm/test-me a=$BASH m=0 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
test_must_fail $HEAD /tmp/slsm/test-me &&
test_must_fail $TAIL /tmp/slsm/test-me &&
......@@ -315,11 +318,11 @@ test_expect_success 'multiple rules per file (argument order reversed)' "
test_when_finished cleanup && setup &&
echo test-me >/tmp/slsm/test-me &&
\
rules p=/tmp/slsm/test-me m=0 a=$CAT '' \
p=/tmp/slsm/test-me m=0 a=$HEAD '' \
p=/tmp/slsm/test-me m=0 a=$TAIL '' \
p=/tmp/slsm/test-me m=2 a=$PERL '' \
p=/tmp/slsm/test-me m=0 a=$BASH &&
rules p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
p=/tmp/slsm/test-me a=$HEAD m=0 f=0 '' \
p=/tmp/slsm/test-me a=$TAIL m=0 f=0 '' \
p=/tmp/slsm/test-me a=$PERL m=2 f=0 '' \
p=/tmp/slsm/test-me a=$BASH m=0 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
test_must_fail $HEAD /tmp/slsm/test-me &&
test_must_fail $TAIL /tmp/slsm/test-me &&
......@@ -337,15 +340,15 @@ test_expect_success 'multiple files per node' "
echo e >/tmp/slsm/e &&
echo f >/tmp/slsm/f &&
\
rules p=/tmp/slsm/c a=$CAT m=0 '' \
p=/tmp/slsm/b a=$CAT m=0 '' \
p=/tmp/slsm/a a=$CAT m=0 '' \
p=/tmp/slsm/f a=$HEAD m=0 '' \
p=/tmp/slsm/e a=$HEAD m=0 '' \
p=/tmp/slsm/d a=$HEAD m=0 '' \
p=/tmp/slsm/e a=$PERL m=2 '' \
p=/tmp/slsm/d a=$PERL m=0 '' \
p=/tmp/slsm/f a=$PERL m=0 &&
rules p=/tmp/slsm/c a=$CAT m=0 f=0 '' \
p=/tmp/slsm/b a=$CAT m=0 f=0 '' \
p=/tmp/slsm/a a=$CAT m=0 f=0 '' \
p=/tmp/slsm/f a=$HEAD m=0 f=0 '' \
p=/tmp/slsm/f a=$PERL m=0 f=0 '' \
p=/tmp/slsm/e a=$HEAD m=0 f=0 '' \
p=/tmp/slsm/e a=$PERL m=2 f=0 '' \
p=/tmp/slsm/d a=$HEAD m=0 f=0 '' \
p=/tmp/slsm/d a=$PERL m=0 f=0 &&
test_must_fail $CAT /tmp/slsm/a &&
test_must_fail $CAT /tmp/slsm/b &&
test_must_fail $CAT /tmp/slsm/c &&
......@@ -364,7 +367,7 @@ test_expect_success 'symlinks and hardlinks' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/x &&
\
rules p=/tmp/slsm a=$LN m=5 &&
rules p=/tmp/slsm a=$LN m=5 f=0 &&
test_must_fail $LN -s y /tmp/slsm/y &&
test_must_fail $LN /tmp/slsm/x /tmp/slsm/y
"
......@@ -381,9 +384,9 @@ test_expect_success 'example SSH private key setup' "
echo pub >/tmp/slsm/home/user/.ssh/id_rsa.pub &&
echo cfg >/tmp/slsm/home/user/.ssh/config &&
\
rules p=/tmp/slsm/home/user/.ssh/private m=0 '' \
p=/tmp/slsm/home/user/.ssh/private f=4 m=4 '' \
p=/tmp/slsm/home/user/.ssh/private a=$HEAD m=4 &&
rules p=/tmp/slsm/home/user/.ssh/private a= m=0 f=0 '' \
p=/tmp/slsm/home/user/.ssh/private a= m=4 f=4 '' \
p=/tmp/slsm/home/user/.ssh/private a=$HEAD m=4 f=0 &&
echo cfg >expected &&
test_cmp expected /tmp/slsm/home/user/.ssh/config &&
rm /tmp/slsm/home/user/.ssh/config &&
......@@ -413,20 +416,20 @@ test_expect_success 'example mpv setup' "
echo movie >/tmp/slsm/home/user/Movies/movie &&
echo cfg >/tmp/slsm/home/user/.config/mpv/mpv.conf &&
\
rules p=/ a=$PERL m=0 '' \
p=/etc a=$PERL m=4 '' \
p=/lib a=$PERL m=4 '' \
p=/proc a=$PERL m=4 '' \
p=/sys a=$PERL m=4 '' \
p=/usr a=$PERL m=4 '' \
p=/dev a=$PERL m=6 '' \
rules p=/ a=$PERL m=0 f=0 '' \
p=/etc a=$PERL m=4 f=0 '' \
p=/lib a=$PERL m=4 f=0 '' \
p=/proc a=$PERL m=4 f=0 '' \
p=/sys a=$PERL m=4 f=0 '' \
p=/usr a=$PERL m=4 f=0 '' \
p=/usr/bin/head a=$PERL m=5 f=1 '' \
p=/tmp/slsm/home/ a=$PERL m=0 '' \
p=/tmp/slsm/home/user/Downloads a=$PERL m=4 '' \
p=/tmp/slsm/home/user/Music a=$PERL m=4 '' \
p=/tmp/slsm/home/user/Movies a=$PERL m=4 '' \
p=/tmp/slsm/home/user/.config/mpv a=$PERL m=4 '' \
p=/tmp/slsm/home/user/.config/mpv/watch_later a=$PERL m=6 &&
p=/dev a=$PERL m=6 f=0 '' \
p=/tmp/slsm/home/ a=$PERL m=0 f=0 '' \
p=/tmp/slsm/home/user/Downloads a=$PERL m=4 f=0 '' \
p=/tmp/slsm/home/user/Music a=$PERL m=4 f=0 '' \
p=/tmp/slsm/home/user/Movies a=$PERL m=4 f=0 '' \
p=/tmp/slsm/home/user/.config/mpv a=$PERL m=4 f=0 '' \
p=/tmp/slsm/home/user/.config/mpv/watch_later a=$PERL m=6 f=0 &&
echo file >expected &&
$PERL -e 'print (<> or exit 1)' /tmp/slsm/home/user/Downloads/file >actual &&
test_cmp expected actual &&
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment