diff options
Diffstat (limited to 'meta-security/lib/oeqa/runtime')
9 files changed, 0 insertions, 1044 deletions
diff --git a/meta-security/lib/oeqa/runtime/__init__.py b/meta-security/lib/oeqa/runtime/__init__.py deleted file mode 100644 index e69de29bb..000000000 --- a/meta-security/lib/oeqa/runtime/__init__.py +++ /dev/null diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py deleted file mode 100644 index f0eb0b5b9..000000000 --- a/meta-security/lib/oeqa/runtime/files/notroot.py +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/env python -# -# Script used for running executables with custom labels, as well as custom uid/gid -# Process label is changed by writing to /proc/self/attr/curent -# -# Script expects user id and group id to exist, and be the same. -# -# From adduser manual: -# """By default, each user in Debian GNU/Linux is given a corresponding group -# with the same name. """ -# -# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] -# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 -# -# Author: Alexandru Cornea <alexandru.cornea@intel.com> -import os -import sys - -try: - uid = int(sys.argv[1]) - sys.argv.pop(1) - label = sys.argv[1] - sys.argv.pop(1) - open("/proc/self/attr/current", "w").write(label) - path=sys.argv[1] - sys.argv.pop(0) - os.setgid(uid) - os.setuid(uid) - os.execv(path,sys.argv) - -except Exception,e: - print e.message - sys.exit(1) diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh deleted file mode 100644 index 5a0ce84f2..000000000 --- a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh - -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` -RC=0 -TMP="/tmp" -test_file=$TMP/smack_test_access_file -CAT=`which cat` -ECHO=`which echo` -uid=1000 -initial_label=`cat /proc/self/attr/current` -python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file -chsmack -a "TheOther" $test_file - -# 12345678901234567890123456789012345678901234567890123456 -delrule="TheOne TheOther -----" -rule_ro="TheOne TheOther r----" - -# Remove pre-existent rules for "TheOne TheOther <access>" -echo -n "$delrule" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process with different label than the test file and no read access on it can read it" - exit $RC -fi - -# adding read access -echo -n "$rule_ro" > $SMACK_PATH/load -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process with different label than the test file but with read access on it cannot read it" - exit $RC -fi - -# Remove pre-existent rules for "TheOne TheOther <access>" -echo -n "$delrule" > $SMACK_PATH/load -# changing label of test file to * -# according to SMACK documentation, read access on a * object is always permitted -chsmack -a '*' $test_file -python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? -if [ $RC -ne 0 ]; then - echo "Process cannot read file with * label" - exit $RC -fi - -# changing subject label to * -# according to SMACK documentation, every access requested by a star labeled subject is rejected -TOUCH=`which touch` -python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 -ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? -if [ $RC -ne 0 ];then - echo "Process with label '*' should not have any access" - exit $RC -fi -exit 0 diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh deleted file mode 100644 index 26d9e9d22..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -initial_label=`cat /proc/self/attr/current 2>/dev/null` -modified_label="test_label" - -echo "$modified_label" >/proc/self/attr/current 2>/dev/null - -new_label=`cat /proc/self/attr/current 2>/dev/null` - -if [ "$new_label" != "$modified_label" ]; then - # restore proper label - echo $initial_label >/proc/self/attr/current - echo "Privileged process could not change its label" - exit 1 -fi - -echo "$initial_label" >/proc/self/attr/current 2>/dev/null -exit 0
\ No newline at end of file diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh deleted file mode 100644 index 1c4a93ab6..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh -RC=0 -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'` -test_label="test_label" -onlycap_initial=`cat $SMACK_PATH/onlycap` -smack_initial=`cat /proc/self/attr/current` - -# need to set out label to be the same as onlycap, otherwise we lose our smack privileges -# even if we are root -echo "$test_label" > /proc/self/attr/current - -echo "$test_label" > $SMACK_PATH/onlycap || RC=$? -if [ $RC -ne 0 ]; then - echo "Onlycap label could not be set" - return $RC -fi - -if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then - echo "Onlycap label was not set correctly." - return 1 -fi - -# resetting original onlycap label -echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null - -# resetting our initial's process label -echo "$smack_initial" > /proc/self/attr/current diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh deleted file mode 100644 index ed18f2371..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh +++ /dev/null @@ -1,108 +0,0 @@ -#!/bin/sh -RC=0 -test_file=/tmp/smack_socket_tcp -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` -# make sure no access is granted -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 -----" > $SMACK_PATH/load - -tcp_server=`which tcp_server` -if [ -z $tcp_server ]; then - if [ -f "/tmp/tcp_server" ]; then - tcp_server="/tmp/tcp_server" - else - echo "tcp_server binary not found" - exit 1 - fi -fi -tcp_client=`which tcp_client` -if [ -z $tcp_client ]; then - if [ -f "/tmp/tcp_client" ]; then - tcp_client="/tmp/tcp_client" - else - echo "tcp_client binary not found" - exit 1 - fi -fi - -# checking access for sockets with different labels -$tcp_server 50016 label1 &>/dev/null & -server_pid=$! -sleep 2 -$tcp_client 50016 label2 label1 &>/dev/null & -client_pid=$! - -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? - -if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then - echo "Sockets with different labels should not communicate on tcp" - exit 1 -fi - -# granting access between different labels -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 rw---" > $SMACK_PATH/load -# checking access for sockets with different labels, but having a rule granting rw -$tcp_server 50017 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50017 label2 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with different labels, but having rw access, should communicate on tcp" - exit 1 -fi - -# checking access for sockets with the same label -$tcp_server 50018 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50018 label1 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with same labels should communicate on tcp" - exit 1 -fi - -# checking access on socket labeled star (*) -# should always be permitted -$tcp_server 50019 \* 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50019 label1 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Should have access on tcp socket labeled star (*)" - exit 1 -fi - -# checking access from socket labeled star (*) -# all access from subject star should be denied -$tcp_server 50020 label1 2>$test_file & -server_pid=$! -sleep 1 -$tcp_client 50020 label1 \* 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then - echo "Socket labeled star should not have access to any tcp socket" - exit 1 -fi diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh deleted file mode 100644 index 419ab9f91..000000000 --- a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh +++ /dev/null @@ -1,107 +0,0 @@ -#!/bin/sh -RC=0 -test_file="/tmp/smack_socket_udp" -SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` - -udp_server=`which udp_server` -if [ -z $udp_server ]; then - if [ -f "/tmp/udp_server" ]; then - udp_server="/tmp/udp_server" - else - echo "udp_server binary not found" - exit 1 - fi -fi -udp_client=`which udp_client` -if [ -z $udp_client ]; then - if [ -f "/tmp/udp_client" ]; then - udp_client="/tmp/udp_client" - else - echo "udp_client binary not found" - exit 1 - fi -fi - -# make sure no access is granted -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 -----" > $SMACK_PATH/load - -# checking access for sockets with different labels -$udp_server 50021 label2 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50021 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 ]; then - echo "Sockets with different labels should not communicate on udp" - exit 1 -fi - -# granting access between different labels -# 12345678901234567890123456789012345678901234567890123456 -echo -n "label1 label2 rw---" > $SMACK_PATH/load -# checking access for sockets with different labels, but having a rule granting rw -$udp_server 50022 label2 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50022 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with different labels, but having rw access, should communicate on udp" - exit 1 -fi - -# checking access for sockets with the same label -$udp_server 50023 label1 & -server_pid=$! -sleep 1 -$udp_client 50023 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Sockets with same labels should communicate on udp" - exit 1 -fi - -# checking access on socket labeled star (*) -# should always be permitted -$udp_server 50024 \* 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50024 label1 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then - echo "Should have access on udp socket labeled star (*)" - exit 1 -fi - -# checking access from socket labeled star (*) -# all access from subject star should be denied -$udp_server 50025 label1 2>$test_file & -server_pid=$! -sleep 1 -$udp_client 50025 \* 2>$test_file & -client_pid=$! -wait $server_pid -server_rv=$? -wait $client_pid -client_rv=$? -if [ $server_rv -eq 0 ]; then - echo "Socket labeled star should not have access to any udp socket" - exit 1 -fi diff --git a/meta-security/lib/oeqa/runtime/securitymanager.py b/meta-security/lib/oeqa/runtime/securitymanager.py deleted file mode 100644 index ab0df5a42..000000000 --- a/meta-security/lib/oeqa/runtime/securitymanager.py +++ /dev/null @@ -1,108 +0,0 @@ -import unittest -import re -import os -import string -from oeqa.oetest import oeRuntimeTest, skipModule -from oeqa.utils.decorators import * - -def get_files_dir(): - """Get directory of supporting files""" - pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True) - deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True) - return os.path.join(deploydir, "files", "target", pkgarch) - -MAX_LABEL_LEN = 255 -LABEL = "a" * MAX_LABEL_LEN - -def setUpModule(): - if not oeRuntimeTest.hasPackage('security-manager'): - skipModule( - "security-manager module skipped: " - "target doesn't have security-manager installed") - -class SecurityManagerBasicTest(oeRuntimeTest): - ''' base smack test ''' - def setUp(self): - # TODO: avoid hardcoding path (also in SecurityManager itself) - self.security_manager_db = '/usr/dbspace/.security-manager.db' - cmd = "sqlite3 %s 'SELECT name from privilege ORDER BY privilege_id'" % self.security_manager_db - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - self.privileges = output.split() - if not self.privileges: - # Only privileges that map to a Unix group need to be known to - # SecurityManager. Therefore it is possible that the query above - # returns nothing. In that case, make up something for the tests. - self.privileges.append('FoobarPrivilege') - self.appid = 'test-app-id' - self.pkgid = 'test-pkg-id' - self.user = 'security-manager-user' - idcmd = 'id -u %s' % self.user - status, output = self.target.run(idcmd) - if status: - # -D is from busybox. It disables setting a password. - createcmd = 'adduser -D %s' % self.user - status, output = self.target.run(createcmd) - self.assertFalse(status, msg="%s failed: %s" % (createcmd, output)) - status, output = self.target.run(idcmd) - self.assertTrue(output.isdigit(), msg="Unexpected output from %s: %s" % (idcmd, output)) - self.uid = output - -class SecurityManagerApp(SecurityManagerBasicTest): - '''Tests covering app installation. Ordering is important, therefore tests are numbered.''' - - @skipUnlessPassed('test_ssh') - def test_security_manager_01_setup(self): - '''Check that basic SecurityManager setup is in place.''' - # If we get this far, then at least the sqlite db must have been in place. - # This does not mean much, but we need to start somewhere. - pass - - @skipUnlessPassed('test_security_manager_01_setup') - def test_security_manager_02_install(self): - '''Test if installing an app sets up privilege rules for it, also in Cynara.''' - self.target.copy_to(os.path.join(get_files_dir(), "app-runas"), "/tmp/") - cmd = '/tmp/app-runas -a %s -p %s -u %s -r %s -i' % \ - (self.appid, self.pkgid, self.uid, self.privileges[0]) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \ - (self.security_manager_db, self.appid) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - self.assertEqual(output, '|'.join((self.uid, self.appid, self.pkgid))) - cmd = 'grep -r %s /var/cynara/db/' % self.appid - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - # User::App:: prefix still hard-coded here because it is not customizable at the moment. - self.assertEqual(output, '/var/cynara/db/_MANIFESTS:User::App::%s;%s;%s;0xFFFF;' % \ - (self.appid, self.uid, self.privileges[0])) - - @skipUnlessPassed('test_security_manager_02_install') - def test_security_manager_03_run(self): - '''Test running as app. Depends on preparations in test_security_manager_install().''' - cmd = '''/tmp/app-runas -a %s -u %s -e -- sh -c 'id -u && cat /proc/self/attr/current' ''' % \ - (self.appid, self.uid) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - self.assertEqual(output, '%s\nUser::App::%s' % (self.uid, self.appid)) - - @skipUnlessPassed('test_security_manager_02_install') - def test_security_manager_03_uninstall(self): - '''Test removal of an app.''' - cmd = '/tmp/app-runas -a %s -p %s -u %s -d' % \ - (self.appid, self.pkgid, self.uid) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \ - (self.security_manager_db, self.appid) - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - # Entry does not really get removed. Bug filed here: - # https://github.com/Samsung/security-manager/issues/2 - # self.assertEqual(output, '') - cmd = 'grep -r %s /var/cynara/db/' % self.appid - status, output = self.target.run(cmd) - self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) - # This also does not get removed. Perhaps same root cause. - # self.assertEqual(output, '') diff --git a/meta-security/lib/oeqa/runtime/smack.py b/meta-security/lib/oeqa/runtime/smack.py deleted file mode 100644 index 96af443b8..000000000 --- a/meta-security/lib/oeqa/runtime/smack.py +++ /dev/null @@ -1,589 +0,0 @@ -import unittest -import re -import os -import string -from oeqa.oetest import oeRuntimeTest, skipModule -from oeqa.utils.decorators import * - -def get_files_dir(): - """Get directory of supporting files""" - pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True) - deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True) - return os.path.join(deploydir, "files", "target", pkgarch) - -MAX_LABEL_LEN = 255 -LABEL = "a" * MAX_LABEL_LEN - -def setUpModule(): - if not oeRuntimeTest.hasFeature('smack'): - skipModule( - "smack module skipped: " - "target doesn't have smack in DISTRO_FEATURES") - -class SmackBasicTest(oeRuntimeTest): - ''' base smack test ''' - def setUp(self): - status, output = self.target.run( - "grep smack /proc/mounts | awk '{print $2}'") - self.smack_path = output - self.files_dir = os.path.join( - os.path.abspath(os.path.dirname(__file__)), 'files') - self.uid = 1000 - status,output = self.target.run("cat /proc/self/attr/current") - self.current_label = output.strip() - -class SmackAccessLabel(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_add_access_label(self): - ''' Test if chsmack can correctly set a SMACK label ''' - filename = "/tmp/test_access_label" - self.target.run("touch %s" %filename) - status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename)) - self.assertEqual( - status, 0, - "Cannot set smack access label. " - "Status and output: %d %s" %(status, output)) - status, output = self.target.run("chsmack %s" %filename) - self.target.run("rm %s" %filename) - m = re.search('(?<=access=")\S+(?=")', output) - if m is None: - self.fail("Did not find access attribute") - else: - label_retrieved = m .group(0) - self.assertEqual( - LABEL, label_retrieved, - "label not set correctly. expected and gotten: " - "%s %s" %(LABEL,label_retrieved)) - -class SmackExecLabel(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_add_exec_label(self): - '''Test if chsmack can correctly set a SMACK Exec label''' - filename = "/tmp/test_exec_label" - self.target.run("touch %s" %filename) - status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename)) - self.assertEqual( - status, 0, - "Cannot set smack exec label. " - "Status and output: %d %s" %(status, output)) - status, output = self.target.run("chsmack %s" %filename) - self.target.run("rm %s" %filename) - m= re.search('(?<=execute=")\S+(?=")', output) - if m is None: - self.fail("Did not find execute attribute") - else: - label_retrieved = m.group(0) - self.assertEqual( - LABEL, label_retrieved, - "label not set correctly. expected and gotten: " + - "%s %s" %(LABEL,label_retrieved)) - -class SmackMmapLabel(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_add_mmap_label(self): - '''Test if chsmack can correctly set a SMACK mmap label''' - filename = "/tmp/test_exec_label" - self.target.run("touch %s" %filename) - status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename)) - self.assertEqual( - status, 0, - "Cannot set smack mmap label. " - "Status and output: %d %s" %(status, output)) - status, output = self.target.run("chsmack %s" %filename) - self.target.run("rm %s" %filename) - m = re.search('(?<=mmap=")\S+(?=")', output) - if m is None: - self.fail("Did not find mmap attribute") - else: - label_retrieved = m.group(0) - self.assertEqual( - LABEL, label_retrieved, - "label not set correctly. expected and gotten: " + - "%s %s" %(LABEL,label_retrieved)) - -class SmackTransmutable(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_add_transmutable(self): - '''Test if chsmack can correctly set a SMACK transmutable mode''' - - directory = "~/test_transmutable" - self.target.run("mkdir -p %s" %directory) - status, output = self.target.run("chsmack -t %s" %directory) - self.assertEqual(status, 0, "Cannot set smack transmutable. " - "Status and output: %d %s" %(status, output)) - status, output = self.target.run("chsmack %s" %directory) - self.target.run("rmdir %s" %directory) - m = re.search('(?<=transmute=")\S+(?=")', output) - if m is None: - self.fail("Did not find transmute attribute") - else: - label_retrieved = m.group(0) - self.assertEqual( - "TRUE", label_retrieved, - "label not set correctly. expected and gotten: " + - "%s %s" %(LABEL,label_retrieved)) - -class SmackChangeSelfLabelPrivilege(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_privileged_change_self_label(self): - '''Test if privileged process (with CAP_MAC_ADMIN privilege) - can change its label. - ''' - - status, output = self.target.run("ls /tmp/notroot.py") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'notroot.py'), - "/tmp/notroot.py") - - labelf = "/proc/self/attr/current" - command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) - - status, output = self.target.run( - "python /tmp/notroot.py 0 %s %s" %(self.current_label, command)) - - self.assertIn("PRIVILEGED", output, - "Privilege process did not change label.Output: %s" %output) - -class SmackChangeSelfLabelUnprivilege(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_unprivileged_change_self_label(self): - '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) - cannot change its label''' - - status, output = self.target.run("ls /tmp/notroot.py") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'notroot.py'), - "/tmp/notroot.py") - - command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL - status, output = self.target.run( - "python /tmp/notroot.py %d %s %s" - %(self.uid, self.current_label, command) + - " 2>&1 | grep 'Operation not permitted'" ) - - self.assertEqual( - status, 0, - "Unprivileged process should not be able to change its label") - - -class SmackChangeFileLabelPrivilege(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_unprivileged_change_file_label(self): - '''Test if unprivileged process cannot change file labels''' - - status, chsmack = self.target.run("which chsmack") - status, touch = self.target.run("which touch") - filename = "/tmp/test_unprivileged_change_file_label" - - status, output = self.target.run("ls /tmp/notroot.py") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'notroot.py'), - "/tmp/notroot.py") - - self.target.run("python /tmp/notroot.py %d %s %s %s" %(self.uid, self.current_label, touch, filename)) - status, output = self.target.run( - "python /tmp/notroot.py " + - "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + - "| grep 'Operation not permitted'" ) - - self.target.run("rm %s" %filename) - self.assertEqual( - status, 0, - "Unprivileged process changed label for %s" %filename) - -class SmackLoadRule(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_load_smack_rule(self): - '''Test if new smack access rules can be loaded''' - - # old 23 character format requires special spaces formatting - # 12345678901234567890123456789012345678901234567890123 - ruleA="TheOne TheOther rwxat" - ruleB="TheOne TheOther r----" - clean="TheOne TheOther -----" - modeA = "rwxat" - modeB = "r" - - status, output = self.target.run( - 'echo -n "%s" > %s/load' %(ruleA, self.smack_path)) - status, output = self.target.run( - 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) - self.assertEqual(status, 0, "Rule A was not added") - mode = list(filter(bool, output.split(" ")))[2].strip() - self.assertEqual( - mode, modeA, - "Mode A was not set correctly; mode: %s" %mode) - - status, output = self.target.run( - 'echo -n "%s" > %s/load' %(ruleB, self.smack_path)) - status, output = self.target.run( - 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) - mode = list(filter(bool, output.split(" ")))[2].strip() - self.assertEqual( - mode, modeB, - "Mode B was not set correctly; mode: %s" %mode) - - self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) - - -class SmackOnlycap(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_smack_onlycap(self): - '''Test if smack onlycap label can be set - - test needs to change the running label of the current process, - so whole test takes places on image - ''' - status, output = self.target.run("ls /tmp/test_smack_onlycap.sh") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'test_smack_onlycap.sh'), - "/tmp/test_smack_onlycap.sh") - - status, output = self.target.run("sh /tmp/test_smack_onlycap.sh") - self.assertEqual(status, 0, output) - -class SmackNetlabel(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_netlabel(self): - - test_label="191.191.191.191 TheOne" - expected_label="191.191.191.191/32 TheOne" - - status, output = self.target.run( - "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) - self.assertEqual( - status, 0, - "Netlabel /32 could not be set. Output: %s" %output) - - status, output = self.target.run("cat %s/netlabel" %self.smack_path) - self.assertIn( - expected_label, output, - "Did not find expected label in output: %s" %output) - - test_label="253.253.253.0/24 TheOther" - status, output = self.target.run( - "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) - self.assertEqual( - status, 0, - "Netlabel /24 could not be set. Output: %s" %output) - - status, output = self.target.run("cat %s/netlabel" %self.smack_path) - self.assertIn( - test_label, output, - "Did not find expected label in output: %s" %output) - -class SmackCipso(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_cipso(self): - '''Test if smack cipso rules can be set''' - # 12345678901234567890123456789012345678901234567890123456 - ruleA="TheOneA 2 0 " - ruleB="TheOneB 3 1 55 " - ruleC="TheOneC 4 2 17 33 " - - status, output = self.target.run( - "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path)) - self.assertEqual(status, 0, - "Could not set cipso label A. Ouput: %s" %output) - - status, output = self.target.run( - "cat %s/cipso | grep '^TheOneA'" %self.smack_path) - self.assertEqual(status, 0, "Cipso rule A was not set") - self.assertIn(" 2", output, "Rule A was not set correctly") - - status, output = self.target.run( - "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path)) - self.assertEqual(status, 0, - "Could not set cipso label B. Ouput: %s" %output) - - status, output = self.target.run( - "cat %s/cipso | grep '^TheOneB'" %self.smack_path) - self.assertEqual(status, 0, "Cipso rule B was not set") - self.assertIn("/55", output, "Rule B was not set correctly") - - status, output = self.target.run( - "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path)) - self.assertEqual( - status, 0, - "Could not set cipso label C. Ouput: %s" %output) - - status, output = self.target.run( - "cat %s/cipso | grep '^TheOneC'" %self.smack_path) - self.assertEqual(status, 0, "Cipso rule C was not set") - self.assertIn("/17,33", output, "Rule C was not set correctly") - -class SmackDirect(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_direct(self): - status, initial_direct = self.target.run( - "cat %s/direct" %self.smack_path) - - test_direct="17" - status, output = self.target.run( - "echo '%s' > %s/direct" %(test_direct, self.smack_path)) - self.assertEqual(status, 0 , - "Could not set smack direct. Output: %s" %output) - status, new_direct = self.target.run("cat %s/direct" %self.smack_path) - # initial label before checking - status, output = self.target.run( - "echo '%s' > %s/direct" %(initial_direct, self.smack_path)) - self.assertEqual( - test_direct, new_direct.strip(), - "Smack direct label does not match.") - - -class SmackAmbient(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_ambient(self): - test_ambient = "test_ambient" - status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path) - status, output = self.target.run( - "echo '%s' > %s/ambient" %(test_ambient, self.smack_path)) - self.assertEqual(status, 0, - "Could not set smack ambient. Output: %s" %output) - - status, output = self.target.run("cat %s/ambient" %self.smack_path) - # Filter '\x00', which is sometimes added to the ambient label - new_ambient = ''.join(filter(lambda x: x in string.printable, output)) - initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient)) - status, output = self.target.run( - "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path)) - self.assertEqual( - test_ambient, new_ambient.strip(), - "Ambient label does not match") - - -class SmackloadBinary(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smackload(self): - '''Test if smackload command works''' - rule="testobject testsubject rwx" - - status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule) - status, output = self.target.run("smackload /tmp/rules") - self.assertEqual( - status, 0, - "Smackload failed to load rule. Output: %s" %output) - - status, output = self.target.run( - "cat %s/load | grep '%s'" %(self.smack_path, rule)) - self.assertEqual(status, 0, "Smackload rule was loaded correctly") - -class SmackcipsoBinary(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_smackcipso(self): - '''Test if smackcipso command works''' - # 12345678901234567890123456789012345678901234567890123456 - rule="cipsolabel 2 2 " - - status, output = self.target.run("echo '%s' | smackcipso" %rule) - self.assertEqual( - status, 0, - "Smackcipso failed to load rule. Output: %s" %output) - - status, output = self.target.run( - "cat %s/cipso | grep 'cipsolabel'" %self.smack_path) - self.assertEqual(status, 0, "Smackload rule was loaded correctly") - self.assertIn( - "2/2", output, - "Rule was not set correctly. Got: %s" %output) - -class SmackEnforceFileAccess(SmackBasicTest): - @skipUnlessPassed('test_ssh') - def test_smack_enforce_file_access(self): - '''Test if smack file access is enforced (rwx) - - test needs to change the running label of the current process, - so whole test takes places on image - ''' - status, output = self.target.run("ls /tmp/smack_test_file_access.sh") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'smack_test_file_access.sh'), - "/tmp/smack_test_file_access.sh") - - status, output = self.target.run("sh /tmp/smack_test_file_access.sh") - self.assertEqual(status, 0, output) - -class SmackEnforceMmap(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_smack_mmap_enforced(self): - '''Test if smack mmap access is enforced''' - raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") - - # 12345678901234567890123456789012345678901234567890123456 - delr1="mmap_label mmap_test_label1 -----" - delr2="mmap_label mmap_test_label2 -----" - delr3="mmap_file_label mmap_test_label1 -----" - delr4="mmap_file_label mmap_test_label2 -----" - - RuleA="mmap_label mmap_test_label1 rw---" - RuleB="mmap_label mmap_test_label2 r--at" - RuleC="mmap_file_label mmap_test_label1 rw---" - RuleD="mmap_file_label mmap_test_label2 rwxat" - - mmap_label="mmap_label" - file_label="mmap_file_label" - test_file = "/tmp/smack_test_mmap" - self.target.copy_to(os.path.join(get_files_dir(), "mmap_test"), "/tmp/") - mmap_exe = "/tmp/mmap_test" - status, echo = self.target.run("which echo") - status, output = self.target.run("ls /tmp/notroot.py") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'notroot.py'), - "/tmp/notroot.py") - status, output = self.target.run( - "python /tmp/notroot.py %d %s %s 'test' > %s" \ - %(self.uid, self.current_label, echo, test_file)) - status, output = self.target.run("ls %s" %test_file) - self.assertEqual(status, 0, "Could not create mmap test file") - self.target.run("chsmack -m %s %s" %(file_label, test_file)) - self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) - - # test with no rules with mmap label or exec label as subject - # access should be granted - self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) - status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) - self.assertEqual( - status, 0, - "Should have mmap access without rules. Output: %s" %output) - - # add rules that do not match access required - self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) - self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) - status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) - self.assertNotEqual( - status, 0, - "Should not have mmap access with unmatching rules. " + - "Output: %s" %output) - self.assertIn( - "Permission denied", output, - "Mmap access should be denied with unmatching rules") - - # add rule to match only partially (one way) - self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) - status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) - self.assertNotEqual( - status, 0, - "Should not have mmap access with partial matching rules. " + - "Output: %s" %output) - self.assertIn( - "Permission denied", output, - "Mmap access should be denied with partial matching rules") - - # add rule to match fully - self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) - status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) - self.assertEqual( - status, 0, - "Should have mmap access with full matching rules." + - "Output: %s" %output) - -class SmackEnforceTransmutable(SmackBasicTest): - - def test_smack_transmute_dir(self): - '''Test if smack transmute attribute works - - test needs to change the running label of the current process, - so whole test takes places on image - ''' - test_dir = "/tmp/smack_transmute_dir" - label="transmute_label" - status, initial_label = self.target.run("cat /proc/self/attr/current") - - self.target.run("mkdir -p %s" %test_dir) - self.target.run("chsmack -a %s %s" %(label, test_dir)) - self.target.run("chsmack -t %s" %test_dir) - self.target.run( - "echo -n '%s %s rwxat' | smackload" %(initial_label, label) ) - - self.target.run("touch %s/test" %test_dir) - status, output = self.target.run("chsmack %s/test" %test_dir) - self.assertIn( - 'access="%s"' %label, output, - "Did not get expected label. Output: %s" %output) - - -class SmackTcpSockets(SmackBasicTest): - def test_smack_tcp_sockets(self): - '''Test if smack is enforced on tcp sockets - - whole test takes places on image, depends on tcp_server/tcp_client''' - - self.target.copy_to(os.path.join(get_files_dir(), "tcp_client"), "/tmp/") - self.target.copy_to(os.path.join(get_files_dir(), "tcp_server"), "/tmp/") - status, output = self.target.run("ls /tmp/test_smack_tcp_sockets.sh") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'test_smack_tcp_sockets.sh'), - "/tmp/test_smack_tcp_sockets.sh") - - status, output = self.target.run("sh /tmp/test_smack_tcp_sockets.sh") - self.assertEqual(status, 0, output) - -class SmackUdpSockets(SmackBasicTest): - def test_smack_udp_sockets(self): - '''Test if smack is enforced on udp sockets - - whole test takes places on image, depends on udp_server/udp_client''' - - self.target.copy_to(os.path.join(get_files_dir(), "udp_client"), "/tmp/") - self.target.copy_to(os.path.join(get_files_dir(), "udp_server"), "/tmp/") - status, output = self.target.run("ls /tmp/test_smack_udp_sockets.sh") - if status != 0: - self.target.copy_to( - os.path.join(self.files_dir, 'test_smack_udp_sockets.sh'), - "/tmp/test_smack_udp_sockets.sh") - - status, output = self.target.run("sh /tmp/test_smack_udp_sockets.sh") - self.assertEqual(status, 0, output) - -class SmackFileLabels(SmackBasicTest): - - @skipUnlessPassed('test_ssh') - def test_smack_labels(self): - '''Check for correct Smack labels.''' - expected = ''' -/tmp/ access="*" -/etc/ access="System::Shared" transmute="TRUE" -/etc/passwd access="System::Shared" -/etc/terminfo access="System::Shared" transmute="TRUE" -/etc/skel/ access="System::Shared" transmute="TRUE" -/etc/skel/.profile access="System::Shared" -/var/log/ access="System::Log" transmute="TRUE" -/var/tmp/ access="*" -''' - files = ' '.join([x.split()[0] for x in expected.split('\n') if x]) - files_wildcard = ' '.join([x + '/*' for x in files.split()]) - # Auxiliary information. - status, output = self.target.run( - 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % ( - ' '.join([x.rstrip('/') for x in files.split()]), files, files - ) - ) - msg = "File status:\n" + output - status, output = self.target.run('chsmack %s' % files) - self.assertEqual( - status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg)) - self.longMessage = True - self.maxDiff = None - self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg) |