diff options
author | José Bollo <jose.bollo@iot.bzh> | 2018-01-24 11:38:43 +0100 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2018-02-13 11:02:00 +0100 |
commit | f70d712e4f505f5c5b50ae17f4f023d20a667568 (patch) | |
tree | 57b0aaa702651012e1adfc07f9b6b6c580506f66 /meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh | |
parent | 3f962c7d202055777dd0238f12dbcf70f09ac07d (diff) |
Integrate parts of meta-intel-iot-security
Adds the recipes of the sub layers
- meta-security-framework
- meta-security-smack
Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh')
-rw-r--r-- | meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh new file mode 100644 index 000000000..ed18f2371 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh @@ -0,0 +1,108 @@ +#!/bin/sh +RC=0 +test_file=/tmp/smack_socket_tcp +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` +# make sure no access is granted +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 -----" > $SMACK_PATH/load + +tcp_server=`which tcp_server` +if [ -z $tcp_server ]; then + if [ -f "/tmp/tcp_server" ]; then + tcp_server="/tmp/tcp_server" + else + echo "tcp_server binary not found" + exit 1 + fi +fi +tcp_client=`which tcp_client` +if [ -z $tcp_client ]; then + if [ -f "/tmp/tcp_client" ]; then + tcp_client="/tmp/tcp_client" + else + echo "tcp_client binary not found" + exit 1 + fi +fi + +# checking access for sockets with different labels +$tcp_server 50016 label1 &>/dev/null & +server_pid=$! +sleep 2 +$tcp_client 50016 label2 label1 &>/dev/null & +client_pid=$! + +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? + +if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then + echo "Sockets with different labels should not communicate on tcp" + exit 1 +fi + +# granting access between different labels +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 rw---" > $SMACK_PATH/load +# checking access for sockets with different labels, but having a rule granting rw +$tcp_server 50017 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50017 label2 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with different labels, but having rw access, should communicate on tcp" + exit 1 +fi + +# checking access for sockets with the same label +$tcp_server 50018 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50018 label1 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with same labels should communicate on tcp" + exit 1 +fi + +# checking access on socket labeled star (*) +# should always be permitted +$tcp_server 50019 \* 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50019 label1 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Should have access on tcp socket labeled star (*)" + exit 1 +fi + +# checking access from socket labeled star (*) +# all access from subject star should be denied +$tcp_server 50020 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50020 label1 \* 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then + echo "Socket labeled star should not have access to any tcp socket" + exit 1 +fi |