summaryrefslogtreecommitdiffstats
path: root/meta-security/lib/oeqa/runtime/files
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security/lib/oeqa/runtime/files')
-rw-r--r--meta-security/lib/oeqa/runtime/files/notroot.py33
-rw-r--r--meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh54
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh18
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh27
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh108
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh107
6 files changed, 0 insertions, 347 deletions
diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py
deleted file mode 100644
index f0eb0b5b9..000000000
--- a/meta-security/lib/oeqa/runtime/files/notroot.py
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/usr/bin/env python
-#
-# Script used for running executables with custom labels, as well as custom uid/gid
-# Process label is changed by writing to /proc/self/attr/curent
-#
-# Script expects user id and group id to exist, and be the same.
-#
-# From adduser manual:
-# """By default, each user in Debian GNU/Linux is given a corresponding group
-# with the same name. """
-#
-# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
-# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
-#
-# Author: Alexandru Cornea <alexandru.cornea@intel.com>
-import os
-import sys
-
-try:
- uid = int(sys.argv[1])
- sys.argv.pop(1)
- label = sys.argv[1]
- sys.argv.pop(1)
- open("/proc/self/attr/current", "w").write(label)
- path=sys.argv[1]
- sys.argv.pop(0)
- os.setgid(uid)
- os.setuid(uid)
- os.execv(path,sys.argv)
-
-except Exception,e:
- print e.message
- sys.exit(1)
diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
deleted file mode 100644
index 5a0ce84f2..000000000
--- a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/bin/sh
-
-SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
-RC=0
-TMP="/tmp"
-test_file=$TMP/smack_test_access_file
-CAT=`which cat`
-ECHO=`which echo`
-uid=1000
-initial_label=`cat /proc/self/attr/current`
-python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
-chsmack -a "TheOther" $test_file
-
-# 12345678901234567890123456789012345678901234567890123456
-delrule="TheOne TheOther -----"
-rule_ro="TheOne TheOther r----"
-
-# Remove pre-existent rules for "TheOne TheOther <access>"
-echo -n "$delrule" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
-if [ $RC -ne 0 ]; then
- echo "Process with different label than the test file and no read access on it can read it"
- exit $RC
-fi
-
-# adding read access
-echo -n "$rule_ro" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
-if [ $RC -ne 0 ]; then
- echo "Process with different label than the test file but with read access on it cannot read it"
- exit $RC
-fi
-
-# Remove pre-existent rules for "TheOne TheOther <access>"
-echo -n "$delrule" > $SMACK_PATH/load
-# changing label of test file to *
-# according to SMACK documentation, read access on a * object is always permitted
-chsmack -a '*' $test_file
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
-if [ $RC -ne 0 ]; then
- echo "Process cannot read file with * label"
- exit $RC
-fi
-
-# changing subject label to *
-# according to SMACK documentation, every access requested by a star labeled subject is rejected
-TOUCH=`which touch`
-python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
-ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
-if [ $RC -ne 0 ];then
- echo "Process with label '*' should not have any access"
- exit $RC
-fi
-exit 0
diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
deleted file mode 100644
index 26d9e9d22..000000000
--- a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-initial_label=`cat /proc/self/attr/current 2>/dev/null`
-modified_label="test_label"
-
-echo "$modified_label" >/proc/self/attr/current 2>/dev/null
-
-new_label=`cat /proc/self/attr/current 2>/dev/null`
-
-if [ "$new_label" != "$modified_label" ]; then
- # restore proper label
- echo $initial_label >/proc/self/attr/current
- echo "Privileged process could not change its label"
- exit 1
-fi
-
-echo "$initial_label" >/proc/self/attr/current 2>/dev/null
-exit 0 \ No newline at end of file
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
deleted file mode 100644
index 1c4a93ab6..000000000
--- a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/sh
-RC=0
-SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
-test_label="test_label"
-onlycap_initial=`cat $SMACK_PATH/onlycap`
-smack_initial=`cat /proc/self/attr/current`
-
-# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
-# even if we are root
-echo "$test_label" > /proc/self/attr/current
-
-echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
-if [ $RC -ne 0 ]; then
- echo "Onlycap label could not be set"
- return $RC
-fi
-
-if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
- echo "Onlycap label was not set correctly."
- return 1
-fi
-
-# resetting original onlycap label
-echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
-
-# resetting our initial's process label
-echo "$smack_initial" > /proc/self/attr/current
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
deleted file mode 100644
index ed18f2371..000000000
--- a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
+++ /dev/null
@@ -1,108 +0,0 @@
-#!/bin/sh
-RC=0
-test_file=/tmp/smack_socket_tcp
-SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
-# make sure no access is granted
-# 12345678901234567890123456789012345678901234567890123456
-echo -n "label1 label2 -----" > $SMACK_PATH/load
-
-tcp_server=`which tcp_server`
-if [ -z $tcp_server ]; then
- if [ -f "/tmp/tcp_server" ]; then
- tcp_server="/tmp/tcp_server"
- else
- echo "tcp_server binary not found"
- exit 1
- fi
-fi
-tcp_client=`which tcp_client`
-if [ -z $tcp_client ]; then
- if [ -f "/tmp/tcp_client" ]; then
- tcp_client="/tmp/tcp_client"
- else
- echo "tcp_client binary not found"
- exit 1
- fi
-fi
-
-# checking access for sockets with different labels
-$tcp_server 50016 label1 &>/dev/null &
-server_pid=$!
-sleep 2
-$tcp_client 50016 label2 label1 &>/dev/null &
-client_pid=$!
-
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-
-if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
- echo "Sockets with different labels should not communicate on tcp"
- exit 1
-fi
-
-# granting access between different labels
-# 12345678901234567890123456789012345678901234567890123456
-echo -n "label1 label2 rw---" > $SMACK_PATH/load
-# checking access for sockets with different labels, but having a rule granting rw
-$tcp_server 50017 label1 2>$test_file &
-server_pid=$!
-sleep 1
-$tcp_client 50017 label2 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Sockets with different labels, but having rw access, should communicate on tcp"
- exit 1
-fi
-
-# checking access for sockets with the same label
-$tcp_server 50018 label1 2>$test_file &
-server_pid=$!
-sleep 1
-$tcp_client 50018 label1 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Sockets with same labels should communicate on tcp"
- exit 1
-fi
-
-# checking access on socket labeled star (*)
-# should always be permitted
-$tcp_server 50019 \* 2>$test_file &
-server_pid=$!
-sleep 1
-$tcp_client 50019 label1 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Should have access on tcp socket labeled star (*)"
- exit 1
-fi
-
-# checking access from socket labeled star (*)
-# all access from subject star should be denied
-$tcp_server 50020 label1 2>$test_file &
-server_pid=$!
-sleep 1
-$tcp_client 50020 label1 \* 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
- echo "Socket labeled star should not have access to any tcp socket"
- exit 1
-fi
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
deleted file mode 100644
index 419ab9f91..000000000
--- a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
+++ /dev/null
@@ -1,107 +0,0 @@
-#!/bin/sh
-RC=0
-test_file="/tmp/smack_socket_udp"
-SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
-
-udp_server=`which udp_server`
-if [ -z $udp_server ]; then
- if [ -f "/tmp/udp_server" ]; then
- udp_server="/tmp/udp_server"
- else
- echo "udp_server binary not found"
- exit 1
- fi
-fi
-udp_client=`which udp_client`
-if [ -z $udp_client ]; then
- if [ -f "/tmp/udp_client" ]; then
- udp_client="/tmp/udp_client"
- else
- echo "udp_client binary not found"
- exit 1
- fi
-fi
-
-# make sure no access is granted
-# 12345678901234567890123456789012345678901234567890123456
-echo -n "label1 label2 -----" > $SMACK_PATH/load
-
-# checking access for sockets with different labels
-$udp_server 50021 label2 2>$test_file &
-server_pid=$!
-sleep 1
-$udp_client 50021 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -eq 0 ]; then
- echo "Sockets with different labels should not communicate on udp"
- exit 1
-fi
-
-# granting access between different labels
-# 12345678901234567890123456789012345678901234567890123456
-echo -n "label1 label2 rw---" > $SMACK_PATH/load
-# checking access for sockets with different labels, but having a rule granting rw
-$udp_server 50022 label2 2>$test_file &
-server_pid=$!
-sleep 1
-$udp_client 50022 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Sockets with different labels, but having rw access, should communicate on udp"
- exit 1
-fi
-
-# checking access for sockets with the same label
-$udp_server 50023 label1 &
-server_pid=$!
-sleep 1
-$udp_client 50023 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Sockets with same labels should communicate on udp"
- exit 1
-fi
-
-# checking access on socket labeled star (*)
-# should always be permitted
-$udp_server 50024 \* 2>$test_file &
-server_pid=$!
-sleep 1
-$udp_client 50024 label1 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
- echo "Should have access on udp socket labeled star (*)"
- exit 1
-fi
-
-# checking access from socket labeled star (*)
-# all access from subject star should be denied
-$udp_server 50025 label1 2>$test_file &
-server_pid=$!
-sleep 1
-$udp_client 50025 \* 2>$test_file &
-client_pid=$!
-wait $server_pid
-server_rv=$?
-wait $client_pid
-client_rv=$?
-if [ $server_rv -eq 0 ]; then
- echo "Socket labeled star should not have access to any udp socket"
- exit 1
-fi