diff options
author | José Bollo <jose.bollo@iot.bzh> | 2018-01-24 11:38:43 +0100 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2018-02-13 11:02:00 +0100 |
commit | f70d712e4f505f5c5b50ae17f4f023d20a667568 (patch) | |
tree | 57b0aaa702651012e1adfc07f9b6b6c580506f66 /meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh | |
parent | 3f962c7d202055777dd0238f12dbcf70f09ac07d (diff) |
Integrate parts of meta-intel-iot-security
Adds the recipes of the sub layers
- meta-security-framework
- meta-security-smack
Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh')
-rw-r--r-- | meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh new file mode 100644 index 000000000..419ab9f91 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh @@ -0,0 +1,107 @@ +#!/bin/sh +RC=0 +test_file="/tmp/smack_socket_udp" +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` + +udp_server=`which udp_server` +if [ -z $udp_server ]; then + if [ -f "/tmp/udp_server" ]; then + udp_server="/tmp/udp_server" + else + echo "udp_server binary not found" + exit 1 + fi +fi +udp_client=`which udp_client` +if [ -z $udp_client ]; then + if [ -f "/tmp/udp_client" ]; then + udp_client="/tmp/udp_client" + else + echo "udp_client binary not found" + exit 1 + fi +fi + +# make sure no access is granted +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 -----" > $SMACK_PATH/load + +# checking access for sockets with different labels +$udp_server 50021 label2 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50021 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 ]; then + echo "Sockets with different labels should not communicate on udp" + exit 1 +fi + +# granting access between different labels +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 rw---" > $SMACK_PATH/load +# checking access for sockets with different labels, but having a rule granting rw +$udp_server 50022 label2 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50022 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with different labels, but having rw access, should communicate on udp" + exit 1 +fi + +# checking access for sockets with the same label +$udp_server 50023 label1 & +server_pid=$! +sleep 1 +$udp_client 50023 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with same labels should communicate on udp" + exit 1 +fi + +# checking access on socket labeled star (*) +# should always be permitted +$udp_server 50024 \* 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50024 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Should have access on udp socket labeled star (*)" + exit 1 +fi + +# checking access from socket labeled star (*) +# all access from subject star should be denied +$udp_server 50025 label1 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50025 \* 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 ]; then + echo "Socket labeled star should not have access to any udp socket" + exit 1 +fi |