diff --git a/security/slsm/t/slsm-tests.sh b/security/slsm/t/slsm-tests.sh
index 29538f8446daaaca764844ac0a39b59412b286f1..15bee8238172941455e8689e021471da3fcc42ab 100755
--- a/security/slsm/t/slsm-tests.sh
+++ b/security/slsm/t/slsm-tests.sh
@@ -22,7 +22,7 @@ setup() {
mount -t securityfs securityfs /tmp/slsm-security || exit 1
}
cleanup() {
- rules 'p=/' 'm=7' # allow everything
+ rules 'p=/' 'a=' 'm=7' 'f=0' # allow everything
umount /tmp/slsm-security
rm -rf /tmp/slsm /tmp/slsm-security
}
@@ -32,7 +32,10 @@ rules() {
printf '%s\0' "$arg"
done
printf '\0'
- } >/tmp/slsm-security/slsm/profiles
+ } >tmp-rules &&
+ cat tmp-rules >/tmp/slsm-security/slsm/profiles &&
+ cat /tmp/slsm-security/slsm/profiles >tmp-result &&
+ test_cmp tmp-rules tmp-result
}
@@ -53,28 +56,28 @@ TOUCH="$(absolute_path touch)"
test_expect_success 'disallow all access to /' "
test_when_finished cleanup && setup &&
\
- rules p=/ a=$CAT m=0 &&
- ! $CAT /dev/null # test_must_fail does not work here as the binary can't start
+ rules p=/ a=$HEAD m=0 f=0 &&
+ ! $HEAD /dev/null # test_must_fail does not work here as the binary can't start
"
test_expect_success 'disallow read access to /' "
test_when_finished cleanup && setup &&
\
- rules p=/ a=$CAT m=3 &&
- ! $CAT /dev/null # test_must_fail does not work here as the binary can't start
+ rules p=/ a=$HEAD m=3 f=0 &&
+ ! $HEAD /dev/null # test_must_fail does not work here as the binary can't start
"
test_expect_success 'disallow write access to /' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
- rules p=/ a=$RM m=5 '' \
- p=/ a=$LN m=5 &&
+ rules p=/ a=$RM m=5 f=0 '' \
+ p=/ a=$LN m=5 f=0 &&
test_must_fail $RM /tmp/slsm/test-me &&
test_must_fail $LN -s y /tmp/slsm/x
"
test_expect_success 'disallow exec access to /' "
test_when_finished cleanup && setup &&
\
- rules p=/ a=$PERL m=6 &&
+ rules p=/ a=$PERL m=6 f=0 &&
test_must_fail $PERL -e 'system(\"true\") == 0 or exit 1'
"
@@ -82,7 +85,7 @@ test_expect_success 'disallow all access to /tmp/slsm' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
- rules p=/tmp/slsm a=$CAT m=0 &&
+ rules p=/tmp/slsm a=$CAT m=0 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
$CAT /dev/null
"
@@ -90,15 +93,15 @@ test_expect_success 'disallow read access to /tmp/slsm' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
- rules p=/tmp/slsm a=$CAT m=3 &&
+ rules p=/tmp/slsm a=$CAT m=3 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
$CAT /dev/null
"
test_expect_success 'disallow write access to /tmp/slsm' "
test_when_finished cleanup && setup &&
\
- rules p=/tmp/slsm a=$TOUCH m=5 '' \
- p=/tmp/slsm a=$LN m=5 &&
+ rules p=/tmp/slsm a=$TOUCH m=5 f=0 '' \
+ p=/tmp/slsm a=$LN m=5 f=0 &&
test_must_fail $TOUCH /tmp/slsm/test-me &&
test_must_fail $LN -s y /tmp/slsm/x &&
$TOUCH /var/tmp/test-me &&
@@ -116,7 +119,7 @@ test_expect_success 'disallow exec access to /tmp/slsm' "
/tmp/slsm/test-me2 >actual &&
test_cmp expected actual &&
\
- rules p=/tmp/slsm a=$BASH m=6 &&
+ rules p=/tmp/slsm a=$BASH m=6 f=0 &&
test_must_fail $BASH /tmp/slsm/test-me
"
@@ -125,7 +128,7 @@ test_expect_success 'correct matching for prefixes' "
touch /tmp/slsm/test-me &&
touch /tmp/slsm/test-me2 &&
\
- rules p=/tmp/slsm/test-me2 m=0 &&
+ rules p=/tmp/slsm/test-me2 a= m=0 f=0 &&
test_must_fail cat /tmp/slsm/test-me2 &&
cat /tmp/slsm/test-me
"
@@ -134,8 +137,8 @@ test_expect_success 'no circumvention via hardlinks' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
- rules p=/tmp/slsm/test-me m=4 '' \
- p=/tmp/slsm/test-me2 m=0 &&
+ rules p=/tmp/slsm/test-me a= m=4 f=0 '' \
+ p=/tmp/slsm/test-me2 a= m=0 f=0 &&
ln /tmp/slsm/test-me /tmp/slsm/test-me2 &&
test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me3
"
@@ -143,8 +146,8 @@ test_expect_success 'no circumvention via hardlinks (inherit)' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
- rules p=/tmp/slsm/test-me m=5 f=1 '' \
- p=/tmp/slsm/test-me2 m=5 &&
+ rules p=/tmp/slsm/test-me a= m=5 f=1 '' \
+ p=/tmp/slsm/test-me2 a= m=5 f=0 &&
test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me2
"
@@ -152,8 +155,8 @@ test_expect_success 'no circumvention via hardlinks (confine)' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/test-me &&
\
- rules p=/tmp/slsm/test-me m=5 f=2 '' \
- p=/tmp/slsm/test-me2 m=5 &&
+ rules p=/tmp/slsm/test-me a= m=5 f=2 '' \
+ p=/tmp/slsm/test-me2 a= m=5 f=0 &&
test_must_fail ln /tmp/slsm/test-me /tmp/slsm/test-me2
"
@@ -162,7 +165,7 @@ test_expect_success 'disallow all access to file' "
echo test-me >/tmp/slsm/test-me &&
echo test-me2 >/tmp/slsm/test-me2 &&
\
- rules p=/tmp/slsm/test-me m=0 &&
+ rules p=/tmp/slsm/test-me a= m=0 f=0 &&
test_must_fail cat /tmp/slsm/test-me &&
test_must_fail sh -c 'echo >/tmp/slsm/test-me' &&
rm /tmp/slsm/test-me &&
@@ -174,8 +177,8 @@ test_expect_success 'disallow delete of file' "
test_when_finished cleanup && setup &&
echo test-me >/tmp/slsm/test-me &&
\
- rules p=/tmp/slsm m=0 '' \
- p=/tmp/slsm/test-me m=7 &&
+ rules p=/tmp/slsm a= m=0 f=0 '' \
+ p=/tmp/slsm/test-me a= m=7 f=0 &&
test_must_fail rm /tmp/slsm/test-me &&
echo test-me >expected &&
test_cmp expected /tmp/slsm/test-me &&
@@ -191,8 +194,8 @@ test_expect_success 'confine process' "
echo 'exec cat /tmp/slsm/private' >>/tmp/slsm/script &&
chmod +x /tmp/slsm/script &&
\
- rules a=/tmp/slsm/script p=/tmp/slsm/private m=0 '' \
- p=/tmp/slsm/script m=5 f=2 &&
+ rules p=/tmp/slsm/private a=/tmp/slsm/script m=0 f=0 '' \
+ p=/tmp/slsm/script a= m=5 f=2 &&
test_must_fail /tmp/slsm/script &&
echo data >expected &&
test_cmp expected /tmp/slsm/private
@@ -203,33 +206,33 @@ test_expect_success 'last matching rule for a node is used' "
echo test-me >/tmp/slsm/test-me &&
echo test-me2 >/tmp/slsm/test-me2 &&
\
- rules p=/tmp/slsm/test-me a=$CAT m=7 '' \
- p=/tmp/slsm/test-me a=$CAT m=7 '' \
- p=/tmp/slsm/test-me a=$CAT m=7 '' \
- p=/tmp/slsm/test-me a=$CAT m=6 '' \
- p=/tmp/slsm/test-me a=$CAT m=6 '' \
- p=/tmp/slsm/test-me a=$CAT m=6 '' \
- p=/tmp/slsm/test-me a=$CAT m=5 '' \
- p=/tmp/slsm/test-me a=$CAT m=5 '' \
- p=/tmp/slsm/test-me a=$CAT m=5 '' \
- p=/tmp/slsm/test-me a=$CAT m=4 '' \
- p=/tmp/slsm/test-me a=$CAT m=4 '' \
- p=/tmp/slsm/test-me a=$CAT m=4 '' \
- p=/tmp/slsm/test-me a=$CAT m=3 '' \
- p=/tmp/slsm/test-me a=$CAT m=3 '' \
- p=/tmp/slsm/test-me a=$CAT m=3 '' \
- p=/tmp/slsm/test-me a=$CAT m=2 '' \
- p=/tmp/slsm/test-me a=$CAT m=2 '' \
- p=/tmp/slsm/test-me a=$CAT m=2 '' \
- p=/tmp/slsm/test-me a=$CAT m=1 '' \
- p=/tmp/slsm/test-me a=$CAT m=1 '' \
- p=/tmp/slsm/test-me a=$CAT m=1 '' \
- p=/tmp/slsm/test-me a=$CAT m=0 '' \
- p=/tmp/slsm/test-me a=$CAT m=0 '' \
- p=/tmp/slsm/test-me a=$CAT m=0 '' \
- p=/tmp/slsm/test-me2 a=$CAT m=0 '' \
- p=/tmp/slsm/test-me2 a=$CAT m=2 '' \
- p=/tmp/slsm/test-me2 a=$CAT m=4 &&
+ rules p=/tmp/slsm/test-me a=$CAT m=7 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=7 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=7 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=6 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=6 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=6 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=5 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=5 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=5 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=4 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=4 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=4 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=3 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=3 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=3 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=2 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=2 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=2 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=1 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=1 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=1 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/test-me2 a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/test-me2 a=$CAT m=2 f=0 '' \
+ p=/tmp/slsm/test-me2 a=$CAT m=4 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
echo test-me2 >expected &&
$CAT /tmp/slsm/test-me2 >actual &&
@@ -251,14 +254,14 @@ test_expect_success 'most specific path is used' "
done &&
find /tmp/slsm | sort &&
\
- rules p=/tmp/slsm m=0 '' \
- p=/tmp/slsm/a m=1 '' \
- p=/tmp/slsm/a/b m=2 '' \
- p=/tmp/slsm/a/b/c m=3 '' \
- p=/tmp/slsm/a/b/c/d m=4 '' \
- p=/tmp/slsm/a/b/c/d/e m=5 '' \
- p=/tmp/slsm/a/b/c/d/e/f m=6 '' \
- p=/tmp/slsm/a/b/c/d/e/f/g m=7 &&
+ rules p=/tmp/slsm a= m=0 f=0 '' \
+ p=/tmp/slsm/a a= m=1 f=0 '' \
+ p=/tmp/slsm/a/b a= m=2 f=0 '' \
+ p=/tmp/slsm/a/b/c a= m=3 f=0 '' \
+ p=/tmp/slsm/a/b/c/d a= m=4 f=0 '' \
+ p=/tmp/slsm/a/b/c/d/e a= m=5 f=0 '' \
+ p=/tmp/slsm/a/b/c/d/e/f a= m=6 f=0 '' \
+ p=/tmp/slsm/a/b/c/d/e/f/g a= m=7 f=0 &&
\
test_must_fail cat /tmp/slsm/x &&
test_must_fail /tmp/slsm/y &&
@@ -299,11 +302,11 @@ test_expect_success 'multiple rules per file' "
test_when_finished cleanup && setup &&
echo test-me >/tmp/slsm/test-me &&
\
- rules p=/tmp/slsm/test-me a=$CAT m=0 '' \
- p=/tmp/slsm/test-me a=$HEAD m=0 '' \
- p=/tmp/slsm/test-me a=$TAIL m=0 '' \
- p=/tmp/slsm/test-me a=$PERL m=2 '' \
- p=/tmp/slsm/test-me a=$BASH m=0 &&
+ rules p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/test-me a=$HEAD m=0 f=0 '' \
+ p=/tmp/slsm/test-me a=$TAIL m=0 f=0 '' \
+ p=/tmp/slsm/test-me a=$PERL m=2 f=0 '' \
+ p=/tmp/slsm/test-me a=$BASH m=0 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
test_must_fail $HEAD /tmp/slsm/test-me &&
test_must_fail $TAIL /tmp/slsm/test-me &&
@@ -315,11 +318,11 @@ test_expect_success 'multiple rules per file (argument order reversed)' "
test_when_finished cleanup && setup &&
echo test-me >/tmp/slsm/test-me &&
\
- rules p=/tmp/slsm/test-me m=0 a=$CAT '' \
- p=/tmp/slsm/test-me m=0 a=$HEAD '' \
- p=/tmp/slsm/test-me m=0 a=$TAIL '' \
- p=/tmp/slsm/test-me m=2 a=$PERL '' \
- p=/tmp/slsm/test-me m=0 a=$BASH &&
+ rules p=/tmp/slsm/test-me a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/test-me a=$HEAD m=0 f=0 '' \
+ p=/tmp/slsm/test-me a=$TAIL m=0 f=0 '' \
+ p=/tmp/slsm/test-me a=$PERL m=2 f=0 '' \
+ p=/tmp/slsm/test-me a=$BASH m=0 f=0 &&
test_must_fail $CAT /tmp/slsm/test-me &&
test_must_fail $HEAD /tmp/slsm/test-me &&
test_must_fail $TAIL /tmp/slsm/test-me &&
@@ -337,15 +340,15 @@ test_expect_success 'multiple files per node' "
echo e >/tmp/slsm/e &&
echo f >/tmp/slsm/f &&
\
- rules p=/tmp/slsm/c a=$CAT m=0 '' \
- p=/tmp/slsm/b a=$CAT m=0 '' \
- p=/tmp/slsm/a a=$CAT m=0 '' \
- p=/tmp/slsm/f a=$HEAD m=0 '' \
- p=/tmp/slsm/e a=$HEAD m=0 '' \
- p=/tmp/slsm/d a=$HEAD m=0 '' \
- p=/tmp/slsm/e a=$PERL m=2 '' \
- p=/tmp/slsm/d a=$PERL m=0 '' \
- p=/tmp/slsm/f a=$PERL m=0 &&
+ rules p=/tmp/slsm/c a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/b a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/a a=$CAT m=0 f=0 '' \
+ p=/tmp/slsm/f a=$HEAD m=0 f=0 '' \
+ p=/tmp/slsm/f a=$PERL m=0 f=0 '' \
+ p=/tmp/slsm/e a=$HEAD m=0 f=0 '' \
+ p=/tmp/slsm/e a=$PERL m=2 f=0 '' \
+ p=/tmp/slsm/d a=$HEAD m=0 f=0 '' \
+ p=/tmp/slsm/d a=$PERL m=0 f=0 &&
test_must_fail $CAT /tmp/slsm/a &&
test_must_fail $CAT /tmp/slsm/b &&
test_must_fail $CAT /tmp/slsm/c &&
@@ -364,7 +367,7 @@ test_expect_success 'symlinks and hardlinks' "
test_when_finished cleanup && setup &&
touch /tmp/slsm/x &&
\
- rules p=/tmp/slsm a=$LN m=5 &&
+ rules p=/tmp/slsm a=$LN m=5 f=0 &&
test_must_fail $LN -s y /tmp/slsm/y &&
test_must_fail $LN /tmp/slsm/x /tmp/slsm/y
"
@@ -381,9 +384,9 @@ test_expect_success 'example SSH private key setup' "
echo pub >/tmp/slsm/home/user/.ssh/id_rsa.pub &&
echo cfg >/tmp/slsm/home/user/.ssh/config &&
\
- rules p=/tmp/slsm/home/user/.ssh/private m=0 '' \
- p=/tmp/slsm/home/user/.ssh/private f=4 m=4 '' \
- p=/tmp/slsm/home/user/.ssh/private a=$HEAD m=4 &&
+ rules p=/tmp/slsm/home/user/.ssh/private a= m=0 f=0 '' \
+ p=/tmp/slsm/home/user/.ssh/private a= m=4 f=4 '' \
+ p=/tmp/slsm/home/user/.ssh/private a=$HEAD m=4 f=0 &&
echo cfg >expected &&
test_cmp expected /tmp/slsm/home/user/.ssh/config &&
rm /tmp/slsm/home/user/.ssh/config &&
@@ -413,20 +416,20 @@ test_expect_success 'example mpv setup' "
echo movie >/tmp/slsm/home/user/Movies/movie &&
echo cfg >/tmp/slsm/home/user/.config/mpv/mpv.conf &&
\
- rules p=/ a=$PERL m=0 '' \
- p=/etc a=$PERL m=4 '' \
- p=/lib a=$PERL m=4 '' \
- p=/proc a=$PERL m=4 '' \
- p=/sys a=$PERL m=4 '' \
- p=/usr a=$PERL m=4 '' \
- p=/dev a=$PERL m=6 '' \
+ rules p=/ a=$PERL m=0 f=0 '' \
+ p=/etc a=$PERL m=4 f=0 '' \
+ p=/lib a=$PERL m=4 f=0 '' \
+ p=/proc a=$PERL m=4 f=0 '' \
+ p=/sys a=$PERL m=4 f=0 '' \
+ p=/usr a=$PERL m=4 f=0 '' \
p=/usr/bin/head a=$PERL m=5 f=1 '' \
- p=/tmp/slsm/home/ a=$PERL m=0 '' \
- p=/tmp/slsm/home/user/Downloads a=$PERL m=4 '' \
- p=/tmp/slsm/home/user/Music a=$PERL m=4 '' \
- p=/tmp/slsm/home/user/Movies a=$PERL m=4 '' \
- p=/tmp/slsm/home/user/.config/mpv a=$PERL m=4 '' \
- p=/tmp/slsm/home/user/.config/mpv/watch_later a=$PERL m=6 &&
+ p=/dev a=$PERL m=6 f=0 '' \
+ p=/tmp/slsm/home/ a=$PERL m=0 f=0 '' \
+ p=/tmp/slsm/home/user/Downloads a=$PERL m=4 f=0 '' \
+ p=/tmp/slsm/home/user/Music a=$PERL m=4 f=0 '' \
+ p=/tmp/slsm/home/user/Movies a=$PERL m=4 f=0 '' \
+ p=/tmp/slsm/home/user/.config/mpv a=$PERL m=4 f=0 '' \
+ p=/tmp/slsm/home/user/.config/mpv/watch_later a=$PERL m=6 f=0 &&
echo file >expected &&
$PERL -e 'print (<> or exit 1)' /tmp/slsm/home/user/Downloads/file >actual &&
test_cmp expected actual &&