summaryrefslogtreecommitdiffstats
path: root/meta-security/lib/oeqa/runtime/files
diff options
context:
space:
mode:
Diffstat (limited to 'meta-security/lib/oeqa/runtime/files')
-rw-r--r--meta-security/lib/oeqa/runtime/files/notroot.py33
-rw-r--r--meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh54
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh18
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh27
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh108
-rw-r--r--meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh107
6 files changed, 347 insertions, 0 deletions
diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py
new file mode 100644
index 000000000..f0eb0b5b9
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/notroot.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Script used for running executables with custom labels, as well as custom uid/gid
+# Process label is changed by writing to /proc/self/attr/curent
+#
+# Script expects user id and group id to exist, and be the same.
+#
+# From adduser manual:
+# """By default, each user in Debian GNU/Linux is given a corresponding group
+# with the same name. """
+#
+# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+#
+# Author: Alexandru Cornea <alexandru.cornea@intel.com>
+import os
+import sys
+
+try:
+ uid = int(sys.argv[1])
+ sys.argv.pop(1)
+ label = sys.argv[1]
+ sys.argv.pop(1)
+ open("/proc/self/attr/current", "w").write(label)
+ path=sys.argv[1]
+ sys.argv.pop(0)
+ os.setgid(uid)
+ os.setuid(uid)
+ os.execv(path,sys.argv)
+
+except Exception,e:
+ print e.message
+ sys.exit(1)
diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
new file mode 100644
index 000000000..5a0ce84f2
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+
+# 12345678901234567890123456789012345678901234567890123456
+delrule="TheOne TheOther -----"
+rule_ro="TheOne TheOther r----"
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file and no read access on it can read it"
+ exit $RC
+fi
+
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process with different label than the test file but with read access on it cannot read it"
+ exit $RC
+fi
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Process cannot read file with * label"
+ exit $RC
+fi
+
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+ echo "Process with label '*' should not have any access"
+ exit $RC
+fi
+exit 0
diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
new file mode 100644
index 000000000..26d9e9d22
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+
+if [ "$new_label" != "$modified_label" ]; then
+ # restore proper label
+ echo $initial_label >/proc/self/attr/current
+ echo "Privileged process could not change its label"
+ exit 1
+fi
+
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0 \ No newline at end of file
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
new file mode 100644
index 000000000..1c4a93ab6
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`
+smack_initial=`cat /proc/self/attr/current`
+
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+ echo "Onlycap label could not be set"
+ return $RC
+fi
+
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+ echo "Onlycap label was not set correctly."
+ return 1
+fi
+
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
new file mode 100644
index 000000000..ed18f2371
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+RC=0
+test_file=/tmp/smack_socket_tcp
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+tcp_server=`which tcp_server`
+if [ -z $tcp_server ]; then
+ if [ -f "/tmp/tcp_server" ]; then
+ tcp_server="/tmp/tcp_server"
+ else
+ echo "tcp_server binary not found"
+ exit 1
+ fi
+fi
+tcp_client=`which tcp_client`
+if [ -z $tcp_client ]; then
+ if [ -f "/tmp/tcp_client" ]; then
+ tcp_client="/tmp/tcp_client"
+ else
+ echo "tcp_client binary not found"
+ exit 1
+ fi
+fi
+
+# checking access for sockets with different labels
+$tcp_server 50016 label1 &>/dev/null &
+server_pid=$!
+sleep 2
+$tcp_client 50016 label2 label1 &>/dev/null &
+client_pid=$!
+
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on tcp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$tcp_server 50017 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50017 label2 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on tcp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$tcp_server 50018 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50018 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on tcp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$tcp_server 50019 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50019 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on tcp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$tcp_server 50020 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50020 label1 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any tcp socket"
+ exit 1
+fi
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
new file mode 100644
index 000000000..419ab9f91
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+ if [ -f "/tmp/udp_server" ]; then
+ udp_server="/tmp/udp_server"
+ else
+ echo "udp_server binary not found"
+ exit 1
+ fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+ if [ -f "/tmp/udp_client" ]; then
+ udp_client="/tmp/udp_client"
+ else
+ echo "udp_client binary not found"
+ exit 1
+ fi
+fi
+
+# make sure no access is granted
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Sockets with different labels should not communicate on udp"
+ exit 1
+fi
+
+# granting access between different labels
+# 12345678901234567890123456789012345678901234567890123456
+echo -n "label1 label2 rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with different labels, but having rw access, should communicate on udp"
+ exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Sockets with same labels should communicate on udp"
+ exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+ echo "Should have access on udp socket labeled star (*)"
+ exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+ echo "Socket labeled star should not have access to any udp socket"
+ exit 1
+fi