diff options
author | José Bollo <jose.bollo@iot.bzh> | 2018-02-08 09:57:25 +0100 |
---|---|---|
committer | José Bollo <jose.bollo@iot.bzh> | 2018-02-13 11:02:00 +0100 |
commit | 0ffb178ea81ebcde3990dd8269ccc08ebbc83416 (patch) | |
tree | eb7db261cbbda2bb1ca31b962d9d2255a0931734 /meta-security/lib/oeqa/runtime/files | |
parent | 4c1200c414361d35faf90ba887e012ab3cbab3db (diff) |
meta-security: Remove unused content
This unused content can be devided in two parts:
- setting and feature in bitbake classes
- tests
None are actually used by AGL.
Even if this content can be later included in distribution,
I prefer to remove it now.
Change-Id: I4e6a8ac6326986a5652a7c47614dcaa3db8cabb6
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Diffstat (limited to 'meta-security/lib/oeqa/runtime/files')
6 files changed, 0 insertions, 347 deletions
diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py deleted file mode 100644 index f0eb0b5b9..000000000 --- a/meta-security/lib/oeqa/runtime/files/notroot.py +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/env python -# -# Script used for running executables with custom labels, as well as custom uid/gid -# Process label is changed by writing to /proc/self/attr/curent -# -# Script expects user id and group id to exist, and be the same. -# -# From adduser manual: -# """By default, each user in Debian GNU/Linux is given a corresponding group -# with the same name. """ -# -# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] -# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 -# -# Author: Alexandru Cornea <alexandru.cornea@intel.com> -import os -import sys - -try: - uid = int(sys.argv[1]) - sys.argv.pop(1) - label = sys.argv[1] - sys.argv.pop(1) - open("/proc/self/attr/current", "w").write(label) - path=sys.argv[1] - sys.argv.pop(0) - os.setgid(uid) - os.setuid(uid) - os.execv(path,sys.argv) - -except Exception,e: - print e.message - sys.exit(1) diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh deleted file mode 100644 index 5a0ce84f2..000000000 --- a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh - -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` -RC=0 -TMP="/tmp" -test_file=$TMP/smack_test_access_file -CAT=`which cat` -ECHO=`which echo` -uid=1000 -initial_label=`cat /proc/self/attr/current` -python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file -chsmack -a "TheOther" $test_file - -# 12345678901234567890123456789012345678901234567890123456 -delrule="TheOne TheOther -----" -rule_ro="TheOne TheOther r----" - -# Remove pre-existent rules for "TheOne TheOther <access>" -echo -n "$delrule" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process with different label than the test file and no read access on it can read it" - exit $RC -fi - -# adding read access -echo -n "$rule_ro" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process with different label than the test file but with read access on it cannot read it" - exit $RC -fi - -# Remove pre-existent rules for "TheOne TheOther <access>" -echo -n "$delrule" > $SMACK_PATH/load -# changing label of test file to * -# according to SMACK documentation, read access on a * object is always permitted -chsmack -a '*' $test_file -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process cannot read file with * label" - exit $RC -fi - -# changing subject label to * -# according to SMACK documentation, every access requested by a star labeled subject is rejected -TOUCH=`which touch` -python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 -ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? -if [ $RC -ne 0 ];then - echo "Process with label '*' should not have any access" - exit $RC -fi -exit 0 diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh deleted file mode 100644 index 26d9e9d22..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -initial_label=`cat /proc/self/attr/current 2>/dev/null` -modified_label="test_label" - -echo "$modified_label" >/proc/self/attr/current 2>/dev/null - -new_label=`cat /proc/self/attr/current 2>/dev/null` - -if [ "$new_label" != "$modified_label" ]; then - # restore proper label - echo $initial_label >/proc/self/attr/current - echo "Privileged process could not change its label" - exit 1 -fi - -echo "$initial_label" >/proc/self/attr/current 2>/dev/null -exit 0
\ No newline at end of file diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh deleted file mode 100644 index 1c4a93ab6..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh -RC=0 -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'` -test_label="test_label" -onlycap_initial=`cat $SMACK_PATH/onlycap` -smack_initial=`cat /proc/self/attr/current` - -# need to set out label to be the same as onlycap, otherwise we lose our smack privileges -# even if we are root -echo "$test_label" > /proc/self/attr/current - -echo "$test_label" > $SMACK_PATH/onlycap || RC=$? -if [ $RC -ne 0 ]; then - echo "Onlycap label could not be set" - return $RC -fi - -if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then - echo "Onlycap label was not set correctly." - return 1 -fi - -# resetting original onlycap label -echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null - -# resetting our initial's process label -echo "$smack_initial" > /proc/self/attr/current diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh deleted file mode 100644 index ed18f2371..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh +++ /dev/null @@ -1,108 +0,0 @@ -#!/bin/sh -RC=0 -test_file=/tmp/smack_socket_tcp -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` -# make sure no access is granted -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 -----" > $SMACK_PATH/load - -tcp_server=`which tcp_server` -if [ -z $tcp_server ]; then - if [ -f "/tmp/tcp_server" ]; then - tcp_server="/tmp/tcp_server" - else - echo "tcp_server binary not found" - exit 1 - fi -fi -tcp_client=`which tcp_client` -if [ -z $tcp_client ]; then - if [ -f "/tmp/tcp_client" ]; then - tcp_client="/tmp/tcp_client" - else - echo "tcp_client binary not found" - exit 1 - fi -fi - -# checking access for sockets with different labels -$tcp_server 50016 label1 &>/dev/null & -server_pid=$! -sleep 2 -$tcp_client 50016 label2 label1 &>/dev/null & -client_pid=$! - -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? - -if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then - echo "Sockets with different labels should not communicate on tcp" - exit 1 -fi - -# granting access between different labels -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 rw---" > $SMACK_PATH/load -# checking access for sockets with different labels, but having a rule granting rw -$tcp_server 50017 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50017 label2 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with different labels, but having rw access, should communicate on tcp" - exit 1 -fi - -# checking access for sockets with the same label -$tcp_server 50018 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50018 label1 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with same labels should communicate on tcp" - exit 1 -fi - -# checking access on socket labeled star (*) -# should always be permitted -$tcp_server 50019 \* 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50019 label1 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Should have access on tcp socket labeled star (*)" - exit 1 -fi - -# checking access from socket labeled star (*) -# all access from subject star should be denied -$tcp_server 50020 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50020 label1 \* 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then - echo "Socket labeled star should not have access to any tcp socket" - exit 1 -fi diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh deleted file mode 100644 index 419ab9f91..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh +++ /dev/null @@ -1,107 +0,0 @@ -#!/bin/sh -RC=0 -test_file="/tmp/smack_socket_udp" -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` - -udp_server=`which udp_server` -if [ -z $udp_server ]; then - if [ -f "/tmp/udp_server" ]; then - udp_server="/tmp/udp_server" - else - echo "udp_server binary not found" - exit 1 - fi -fi -udp_client=`which udp_client` -if [ -z $udp_client ]; then - if [ -f "/tmp/udp_client" ]; then - udp_client="/tmp/udp_client" - else - echo "udp_client binary not found" - exit 1 - fi -fi - -# make sure no access is granted -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 -----" > $SMACK_PATH/load - -# checking access for sockets with different labels -$udp_server 50021 label2 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50021 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 ]; then - echo "Sockets with different labels should not communicate on udp" - exit 1 -fi - -# granting access between different labels -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 rw---" > $SMACK_PATH/load -# checking access for sockets with different labels, but having a rule granting rw -$udp_server 50022 label2 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50022 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with different labels, but having rw access, should communicate on udp" - exit 1 -fi - -# checking access for sockets with the same label -$udp_server 50023 label1 & -server_pid=$! -sleep 1 -$udp_client 50023 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with same labels should communicate on udp" - exit 1 -fi - -# checking access on socket labeled star (*) -# should always be permitted -$udp_server 50024 \* 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50024 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Should have access on udp socket labeled star (*)" - exit 1 -fi - -# checking access from socket labeled star (*) -# all access from subject star should be denied -$udp_server 50025 label1 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50025 \* 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 ]; then - echo "Socket labeled star should not have access to any udp socket" - exit 1 -fi |