diff options
Diffstat (limited to 'meta-security/lib/oeqa/runtime')
9 files changed, 1044 insertions, 0 deletions
diff --git a/meta-security/lib/oeqa/runtime/__init__.py b/meta-security/lib/oeqa/runtime/__init__.py new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/meta-security/lib/oeqa/runtime/__init__.py diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py new file mode 100644 index 000000000..f0eb0b5b9 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/files/notroot.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python +# +# Script used for running executables with custom labels, as well as custom uid/gid +# Process label is changed by writing to /proc/self/attr/curent +# +# Script expects user id and group id to exist, and be the same. +# +# From adduser manual: +# """By default, each user in Debian GNU/Linux is given a corresponding group +# with the same name. """ +# +# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..] +# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1 +# +# Author: Alexandru Cornea <alexandru.cornea@intel.com> +import os +import sys + +try: + uid = int(sys.argv[1]) + sys.argv.pop(1) + label = sys.argv[1] + sys.argv.pop(1) + open("/proc/self/attr/current", "w").write(label) + path=sys.argv[1] + sys.argv.pop(0) + os.setgid(uid) + os.setuid(uid) + os.execv(path,sys.argv) + +except Exception,e: + print e.message + sys.exit(1) diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh new file mode 100644 index 000000000..5a0ce84f2 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh @@ -0,0 +1,54 @@ +#!/bin/sh + +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` +RC=0 +TMP="/tmp" +test_file=$TMP/smack_test_access_file +CAT=`which cat` +ECHO=`which echo` +uid=1000 +initial_label=`cat /proc/self/attr/current` +python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file +chsmack -a "TheOther" $test_file + +# 12345678901234567890123456789012345678901234567890123456 +delrule="TheOne TheOther -----" +rule_ro="TheOne TheOther r----" + +# Remove pre-existent rules for "TheOne TheOther <access>" +echo -n "$delrule" > $SMACK_PATH/load +python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process with different label than the test file and no read access on it can read it" + exit $RC +fi + +# adding read access +echo -n "$rule_ro" > $SMACK_PATH/load +python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process with different label than the test file but with read access on it cannot read it" + exit $RC +fi + +# Remove pre-existent rules for "TheOne TheOther <access>" +echo -n "$delrule" > $SMACK_PATH/load +# changing label of test file to * +# according to SMACK documentation, read access on a * object is always permitted +chsmack -a '*' $test_file +python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$? +if [ $RC -ne 0 ]; then + echo "Process cannot read file with * label" + exit $RC +fi + +# changing subject label to * +# according to SMACK documentation, every access requested by a star labeled subject is rejected +TOUCH=`which touch` +python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2 +ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$? +if [ $RC -ne 0 ];then + echo "Process with label '*' should not have any access" + exit $RC +fi +exit 0 diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh new file mode 100644 index 000000000..26d9e9d22 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh @@ -0,0 +1,18 @@ +#!/bin/sh + +initial_label=`cat /proc/self/attr/current 2>/dev/null` +modified_label="test_label" + +echo "$modified_label" >/proc/self/attr/current 2>/dev/null + +new_label=`cat /proc/self/attr/current 2>/dev/null` + +if [ "$new_label" != "$modified_label" ]; then + # restore proper label + echo $initial_label >/proc/self/attr/current + echo "Privileged process could not change its label" + exit 1 +fi + +echo "$initial_label" >/proc/self/attr/current 2>/dev/null +exit 0
\ No newline at end of file diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh new file mode 100644 index 000000000..1c4a93ab6 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh @@ -0,0 +1,27 @@ +#!/bin/sh +RC=0 +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'` +test_label="test_label" +onlycap_initial=`cat $SMACK_PATH/onlycap` +smack_initial=`cat /proc/self/attr/current` + +# need to set out label to be the same as onlycap, otherwise we lose our smack privileges +# even if we are root +echo "$test_label" > /proc/self/attr/current + +echo "$test_label" > $SMACK_PATH/onlycap || RC=$? +if [ $RC -ne 0 ]; then + echo "Onlycap label could not be set" + return $RC +fi + +if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then + echo "Onlycap label was not set correctly." + return 1 +fi + +# resetting original onlycap label +echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null + +# resetting our initial's process label +echo "$smack_initial" > /proc/self/attr/current diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh new file mode 100644 index 000000000..ed18f2371 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh @@ -0,0 +1,108 @@ +#!/bin/sh +RC=0 +test_file=/tmp/smack_socket_tcp +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` +# make sure no access is granted +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 -----" > $SMACK_PATH/load + +tcp_server=`which tcp_server` +if [ -z $tcp_server ]; then + if [ -f "/tmp/tcp_server" ]; then + tcp_server="/tmp/tcp_server" + else + echo "tcp_server binary not found" + exit 1 + fi +fi +tcp_client=`which tcp_client` +if [ -z $tcp_client ]; then + if [ -f "/tmp/tcp_client" ]; then + tcp_client="/tmp/tcp_client" + else + echo "tcp_client binary not found" + exit 1 + fi +fi + +# checking access for sockets with different labels +$tcp_server 50016 label1 &>/dev/null & +server_pid=$! +sleep 2 +$tcp_client 50016 label2 label1 &>/dev/null & +client_pid=$! + +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? + +if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then + echo "Sockets with different labels should not communicate on tcp" + exit 1 +fi + +# granting access between different labels +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 rw---" > $SMACK_PATH/load +# checking access for sockets with different labels, but having a rule granting rw +$tcp_server 50017 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50017 label2 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with different labels, but having rw access, should communicate on tcp" + exit 1 +fi + +# checking access for sockets with the same label +$tcp_server 50018 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50018 label1 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with same labels should communicate on tcp" + exit 1 +fi + +# checking access on socket labeled star (*) +# should always be permitted +$tcp_server 50019 \* 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50019 label1 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Should have access on tcp socket labeled star (*)" + exit 1 +fi + +# checking access from socket labeled star (*) +# all access from subject star should be denied +$tcp_server 50020 label1 2>$test_file & +server_pid=$! +sleep 1 +$tcp_client 50020 label1 \* 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then + echo "Socket labeled star should not have access to any tcp socket" + exit 1 +fi diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh new file mode 100644 index 000000000..419ab9f91 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh @@ -0,0 +1,107 @@ +#!/bin/sh +RC=0 +test_file="/tmp/smack_socket_udp" +SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' ` + +udp_server=`which udp_server` +if [ -z $udp_server ]; then + if [ -f "/tmp/udp_server" ]; then + udp_server="/tmp/udp_server" + else + echo "udp_server binary not found" + exit 1 + fi +fi +udp_client=`which udp_client` +if [ -z $udp_client ]; then + if [ -f "/tmp/udp_client" ]; then + udp_client="/tmp/udp_client" + else + echo "udp_client binary not found" + exit 1 + fi +fi + +# make sure no access is granted +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 -----" > $SMACK_PATH/load + +# checking access for sockets with different labels +$udp_server 50021 label2 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50021 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 ]; then + echo "Sockets with different labels should not communicate on udp" + exit 1 +fi + +# granting access between different labels +# 12345678901234567890123456789012345678901234567890123456 +echo -n "label1 label2 rw---" > $SMACK_PATH/load +# checking access for sockets with different labels, but having a rule granting rw +$udp_server 50022 label2 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50022 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with different labels, but having rw access, should communicate on udp" + exit 1 +fi + +# checking access for sockets with the same label +$udp_server 50023 label1 & +server_pid=$! +sleep 1 +$udp_client 50023 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Sockets with same labels should communicate on udp" + exit 1 +fi + +# checking access on socket labeled star (*) +# should always be permitted +$udp_server 50024 \* 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50024 label1 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then + echo "Should have access on udp socket labeled star (*)" + exit 1 +fi + +# checking access from socket labeled star (*) +# all access from subject star should be denied +$udp_server 50025 label1 2>$test_file & +server_pid=$! +sleep 1 +$udp_client 50025 \* 2>$test_file & +client_pid=$! +wait $server_pid +server_rv=$? +wait $client_pid +client_rv=$? +if [ $server_rv -eq 0 ]; then + echo "Socket labeled star should not have access to any udp socket" + exit 1 +fi diff --git a/meta-security/lib/oeqa/runtime/securitymanager.py b/meta-security/lib/oeqa/runtime/securitymanager.py new file mode 100644 index 000000000..ab0df5a42 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/securitymanager.py @@ -0,0 +1,108 @@ +import unittest +import re +import os +import string +from oeqa.oetest import oeRuntimeTest, skipModule +from oeqa.utils.decorators import * + +def get_files_dir(): + """Get directory of supporting files""" + pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True) + deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True) + return os.path.join(deploydir, "files", "target", pkgarch) + +MAX_LABEL_LEN = 255 +LABEL = "a" * MAX_LABEL_LEN + +def setUpModule(): + if not oeRuntimeTest.hasPackage('security-manager'): + skipModule( + "security-manager module skipped: " + "target doesn't have security-manager installed") + +class SecurityManagerBasicTest(oeRuntimeTest): + ''' base smack test ''' + def setUp(self): + # TODO: avoid hardcoding path (also in SecurityManager itself) + self.security_manager_db = '/usr/dbspace/.security-manager.db' + cmd = "sqlite3 %s 'SELECT name from privilege ORDER BY privilege_id'" % self.security_manager_db + status, output = self.target.run(cmd) + self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) + self.privileges = output.split() + if not self.privileges: + # Only privileges that map to a Unix group need to be known to + # SecurityManager. Therefore it is possible that the query above + # returns nothing. In that case, make up something for the tests. + self.privileges.append('FoobarPrivilege') + self.appid = 'test-app-id' + self.pkgid = 'test-pkg-id' + self.user = 'security-manager-user' + idcmd = 'id -u %s' % self.user + status, output = self.target.run(idcmd) + if status: + # -D is from busybox. It disables setting a password. + createcmd = 'adduser -D %s' % self.user + status, output = self.target.run(createcmd) + self.assertFalse(status, msg="%s failed: %s" % (createcmd, output)) + status, output = self.target.run(idcmd) + self.assertTrue(output.isdigit(), msg="Unexpected output from %s: %s" % (idcmd, output)) + self.uid = output + +class SecurityManagerApp(SecurityManagerBasicTest): + '''Tests covering app installation. Ordering is important, therefore tests are numbered.''' + + @skipUnlessPassed('test_ssh') + def test_security_manager_01_setup(self): + '''Check that basic SecurityManager setup is in place.''' + # If we get this far, then at least the sqlite db must have been in place. + # This does not mean much, but we need to start somewhere. + pass + + @skipUnlessPassed('test_security_manager_01_setup') + def test_security_manager_02_install(self): + '''Test if installing an app sets up privilege rules for it, also in Cynara.''' + self.target.copy_to(os.path.join(get_files_dir(), "app-runas"), "/tmp/") + cmd = '/tmp/app-runas -a %s -p %s -u %s -r %s -i' % \ + (self.appid, self.pkgid, self.uid, self.privileges[0]) + status, output = self.target.run(cmd) + self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) + cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \ + (self.security_manager_db, self.appid) + status, output = self.target.run(cmd) + self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) + self.assertEqual(output, '|'.join((self.uid, self.appid, self.pkgid))) + cmd = 'grep -r %s /var/cynara/db/' % self.appid + status, output = self.target.run(cmd) + self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) + # User::App:: prefix still hard-coded here because it is not customizable at the moment. + self.assertEqual(output, '/var/cynara/db/_MANIFESTS:User::App::%s;%s;%s;0xFFFF;' % \ + (self.appid, self.uid, self.privileges[0])) + + @skipUnlessPassed('test_security_manager_02_install') + def test_security_manager_03_run(self): + '''Test running as app. Depends on preparations in test_security_manager_install().''' + cmd = '''/tmp/app-runas -a %s -u %s -e -- sh -c 'id -u && cat /proc/self/attr/current' ''' % \ + (self.appid, self.uid) + status, output = self.target.run(cmd) + self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) + self.assertEqual(output, '%s\nUser::App::%s' % (self.uid, self.appid)) + + @skipUnlessPassed('test_security_manager_02_install') + def test_security_manager_03_uninstall(self): + '''Test removal of an app.''' + cmd = '/tmp/app-runas -a %s -p %s -u %s -d' % \ + (self.appid, self.pkgid, self.uid) + status, output = self.target.run(cmd) + self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) + cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \ + (self.security_manager_db, self.appid) + status, output = self.target.run(cmd) + self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) + # Entry does not really get removed. Bug filed here: + # https://github.com/Samsung/security-manager/issues/2 + # self.assertEqual(output, '') + cmd = 'grep -r %s /var/cynara/db/' % self.appid + status, output = self.target.run(cmd) + self.assertFalse(status, msg="%s failed: %s" % (cmd, output)) + # This also does not get removed. Perhaps same root cause. + # self.assertEqual(output, '') diff --git a/meta-security/lib/oeqa/runtime/smack.py b/meta-security/lib/oeqa/runtime/smack.py new file mode 100644 index 000000000..96af443b8 --- /dev/null +++ b/meta-security/lib/oeqa/runtime/smack.py @@ -0,0 +1,589 @@ +import unittest +import re +import os +import string +from oeqa.oetest import oeRuntimeTest, skipModule +from oeqa.utils.decorators import * + +def get_files_dir(): + """Get directory of supporting files""" + pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True) + deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True) + return os.path.join(deploydir, "files", "target", pkgarch) + +MAX_LABEL_LEN = 255 +LABEL = "a" * MAX_LABEL_LEN + +def setUpModule(): + if not oeRuntimeTest.hasFeature('smack'): + skipModule( + "smack module skipped: " + "target doesn't have smack in DISTRO_FEATURES") + +class SmackBasicTest(oeRuntimeTest): + ''' base smack test ''' + def setUp(self): + status, output = self.target.run( + "grep smack /proc/mounts | awk '{print $2}'") + self.smack_path = output + self.files_dir = os.path.join( + os.path.abspath(os.path.dirname(__file__)), 'files') + self.uid = 1000 + status,output = self.target.run("cat /proc/self/attr/current") + self.current_label = output.strip() + +class SmackAccessLabel(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_add_access_label(self): + ''' Test if chsmack can correctly set a SMACK label ''' + filename = "/tmp/test_access_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack access label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=access=")\S+(?=")', output) + if m is None: + self.fail("Did not find access attribute") + else: + label_retrieved = m .group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved)) + +class SmackExecLabel(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_add_exec_label(self): + '''Test if chsmack can correctly set a SMACK Exec label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack exec label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m= re.search('(?<=execute=")\S+(?=")', output) + if m is None: + self.fail("Did not find execute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + +class SmackMmapLabel(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_add_mmap_label(self): + '''Test if chsmack can correctly set a SMACK mmap label''' + filename = "/tmp/test_exec_label" + self.target.run("touch %s" %filename) + status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename)) + self.assertEqual( + status, 0, + "Cannot set smack mmap label. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %filename) + self.target.run("rm %s" %filename) + m = re.search('(?<=mmap=")\S+(?=")', output) + if m is None: + self.fail("Did not find mmap attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + LABEL, label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + +class SmackTransmutable(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_add_transmutable(self): + '''Test if chsmack can correctly set a SMACK transmutable mode''' + + directory = "~/test_transmutable" + self.target.run("mkdir -p %s" %directory) + status, output = self.target.run("chsmack -t %s" %directory) + self.assertEqual(status, 0, "Cannot set smack transmutable. " + "Status and output: %d %s" %(status, output)) + status, output = self.target.run("chsmack %s" %directory) + self.target.run("rmdir %s" %directory) + m = re.search('(?<=transmute=")\S+(?=")', output) + if m is None: + self.fail("Did not find transmute attribute") + else: + label_retrieved = m.group(0) + self.assertEqual( + "TRUE", label_retrieved, + "label not set correctly. expected and gotten: " + + "%s %s" %(LABEL,label_retrieved)) + +class SmackChangeSelfLabelPrivilege(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_privileged_change_self_label(self): + '''Test if privileged process (with CAP_MAC_ADMIN privilege) + can change its label. + ''' + + status, output = self.target.run("ls /tmp/notroot.py") + if status != 0: + self.target.copy_to( + os.path.join(self.files_dir, 'notroot.py'), + "/tmp/notroot.py") + + labelf = "/proc/self/attr/current" + command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf) + + status, output = self.target.run( + "python /tmp/notroot.py 0 %s %s" %(self.current_label, command)) + + self.assertIn("PRIVILEGED", output, + "Privilege process did not change label.Output: %s" %output) + +class SmackChangeSelfLabelUnprivilege(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_unprivileged_change_self_label(self): + '''Test if unprivileged process (without CAP_MAC_ADMIN privilege) + cannot change its label''' + + status, output = self.target.run("ls /tmp/notroot.py") + if status != 0: + self.target.copy_to( + os.path.join(self.files_dir, 'notroot.py'), + "/tmp/notroot.py") + + command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL + status, output = self.target.run( + "python /tmp/notroot.py %d %s %s" + %(self.uid, self.current_label, command) + + " 2>&1 | grep 'Operation not permitted'" ) + + self.assertEqual( + status, 0, + "Unprivileged process should not be able to change its label") + + +class SmackChangeFileLabelPrivilege(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_unprivileged_change_file_label(self): + '''Test if unprivileged process cannot change file labels''' + + status, chsmack = self.target.run("which chsmack") + status, touch = self.target.run("which touch") + filename = "/tmp/test_unprivileged_change_file_label" + + status, output = self.target.run("ls /tmp/notroot.py") + if status != 0: + self.target.copy_to( + os.path.join(self.files_dir, 'notroot.py'), + "/tmp/notroot.py") + + self.target.run("python /tmp/notroot.py %d %s %s %s" %(self.uid, self.current_label, touch, filename)) + status, output = self.target.run( + "python /tmp/notroot.py " + + "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + + "| grep 'Operation not permitted'" ) + + self.target.run("rm %s" %filename) + self.assertEqual( + status, 0, + "Unprivileged process changed label for %s" %filename) + +class SmackLoadRule(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_load_smack_rule(self): + '''Test if new smack access rules can be loaded''' + + # old 23 character format requires special spaces formatting + # 12345678901234567890123456789012345678901234567890123 + ruleA="TheOne TheOther rwxat" + ruleB="TheOne TheOther r----" + clean="TheOne TheOther -----" + modeA = "rwxat" + modeB = "r" + + status, output = self.target.run( + 'echo -n "%s" > %s/load' %(ruleA, self.smack_path)) + status, output = self.target.run( + 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + self.assertEqual(status, 0, "Rule A was not added") + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( + mode, modeA, + "Mode A was not set correctly; mode: %s" %mode) + + status, output = self.target.run( + 'echo -n "%s" > %s/load' %(ruleB, self.smack_path)) + status, output = self.target.run( + 'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path) + mode = list(filter(bool, output.split(" ")))[2].strip() + self.assertEqual( + mode, modeB, + "Mode B was not set correctly; mode: %s" %mode) + + self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path)) + + +class SmackOnlycap(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_smack_onlycap(self): + '''Test if smack onlycap label can be set + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("ls /tmp/test_smack_onlycap.sh") + if status != 0: + self.target.copy_to( + os.path.join(self.files_dir, 'test_smack_onlycap.sh'), + "/tmp/test_smack_onlycap.sh") + + status, output = self.target.run("sh /tmp/test_smack_onlycap.sh") + self.assertEqual(status, 0, output) + +class SmackNetlabel(SmackBasicTest): + @skipUnlessPassed('test_ssh') + def test_smack_netlabel(self): + + test_label="191.191.191.191 TheOne" + expected_label="191.191.191.191/32 TheOne" + + status, output = self.target.run( + "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( + status, 0, + "Netlabel /32 could not be set. Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( + expected_label, output, + "Did not find expected label in output: %s" %output) + + test_label="253.253.253.0/24 TheOther" + status, output = self.target.run( + "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path)) + self.assertEqual( + status, 0, + "Netlabel /24 could not be set. Output: %s" %output) + + status, output = self.target.run("cat %s/netlabel" %self.smack_path) + self.assertIn( + test_label, output, + "Did not find expected label in output: %s" %output) + +class SmackCipso(SmackBasicTest): + @skipUnlessPassed('test_ssh') + def test_smack_cipso(self): + '''Test if smack cipso rules can be set''' + # 12345678901234567890123456789012345678901234567890123456 + ruleA="TheOneA 2 0 " + ruleB="TheOneB 3 1 55 " + ruleC="TheOneC 4 2 17 33 " + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label A. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneA'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule A was not set") + self.assertIn(" 2", output, "Rule A was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path)) + self.assertEqual(status, 0, + "Could not set cipso label B. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneB'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule B was not set") + self.assertIn("/55", output, "Rule B was not set correctly") + + status, output = self.target.run( + "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path)) + self.assertEqual( + status, 0, + "Could not set cipso label C. Ouput: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep '^TheOneC'" %self.smack_path) + self.assertEqual(status, 0, "Cipso rule C was not set") + self.assertIn("/17,33", output, "Rule C was not set correctly") + +class SmackDirect(SmackBasicTest): + @skipUnlessPassed('test_ssh') + def test_smack_direct(self): + status, initial_direct = self.target.run( + "cat %s/direct" %self.smack_path) + + test_direct="17" + status, output = self.target.run( + "echo '%s' > %s/direct" %(test_direct, self.smack_path)) + self.assertEqual(status, 0 , + "Could not set smack direct. Output: %s" %output) + status, new_direct = self.target.run("cat %s/direct" %self.smack_path) + # initial label before checking + status, output = self.target.run( + "echo '%s' > %s/direct" %(initial_direct, self.smack_path)) + self.assertEqual( + test_direct, new_direct.strip(), + "Smack direct label does not match.") + + +class SmackAmbient(SmackBasicTest): + @skipUnlessPassed('test_ssh') + def test_smack_ambient(self): + test_ambient = "test_ambient" + status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(test_ambient, self.smack_path)) + self.assertEqual(status, 0, + "Could not set smack ambient. Output: %s" %output) + + status, output = self.target.run("cat %s/ambient" %self.smack_path) + # Filter '\x00', which is sometimes added to the ambient label + new_ambient = ''.join(filter(lambda x: x in string.printable, output)) + initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient)) + status, output = self.target.run( + "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path)) + self.assertEqual( + test_ambient, new_ambient.strip(), + "Ambient label does not match") + + +class SmackloadBinary(SmackBasicTest): + @skipUnlessPassed('test_ssh') + def test_smackload(self): + '''Test if smackload command works''' + rule="testobject testsubject rwx" + + status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule) + status, output = self.target.run("smackload /tmp/rules") + self.assertEqual( + status, 0, + "Smackload failed to load rule. Output: %s" %output) + + status, output = self.target.run( + "cat %s/load | grep '%s'" %(self.smack_path, rule)) + self.assertEqual(status, 0, "Smackload rule was loaded correctly") + +class SmackcipsoBinary(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_smackcipso(self): + '''Test if smackcipso command works''' + # 12345678901234567890123456789012345678901234567890123456 + rule="cipsolabel 2 2 " + + status, output = self.target.run("echo '%s' | smackcipso" %rule) + self.assertEqual( + status, 0, + "Smackcipso failed to load rule. Output: %s" %output) + + status, output = self.target.run( + "cat %s/cipso | grep 'cipsolabel'" %self.smack_path) + self.assertEqual(status, 0, "Smackload rule was loaded correctly") + self.assertIn( + "2/2", output, + "Rule was not set correctly. Got: %s" %output) + +class SmackEnforceFileAccess(SmackBasicTest): + @skipUnlessPassed('test_ssh') + def test_smack_enforce_file_access(self): + '''Test if smack file access is enforced (rwx) + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + status, output = self.target.run("ls /tmp/smack_test_file_access.sh") + if status != 0: + self.target.copy_to( + os.path.join(self.files_dir, 'smack_test_file_access.sh'), + "/tmp/smack_test_file_access.sh") + + status, output = self.target.run("sh /tmp/smack_test_file_access.sh") + self.assertEqual(status, 0, output) + +class SmackEnforceMmap(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_smack_mmap_enforced(self): + '''Test if smack mmap access is enforced''' + raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.") + + # 12345678901234567890123456789012345678901234567890123456 + delr1="mmap_label mmap_test_label1 -----" + delr2="mmap_label mmap_test_label2 -----" + delr3="mmap_file_label mmap_test_label1 -----" + delr4="mmap_file_label mmap_test_label2 -----" + + RuleA="mmap_label mmap_test_label1 rw---" + RuleB="mmap_label mmap_test_label2 r--at" + RuleC="mmap_file_label mmap_test_label1 rw---" + RuleD="mmap_file_label mmap_test_label2 rwxat" + + mmap_label="mmap_label" + file_label="mmap_file_label" + test_file = "/tmp/smack_test_mmap" + self.target.copy_to(os.path.join(get_files_dir(), "mmap_test"), "/tmp/") + mmap_exe = "/tmp/mmap_test" + status, echo = self.target.run("which echo") + status, output = self.target.run("ls /tmp/notroot.py") + if status != 0: + self.target.copy_to( + os.path.join(self.files_dir, 'notroot.py'), + "/tmp/notroot.py") + status, output = self.target.run( + "python /tmp/notroot.py %d %s %s 'test' > %s" \ + %(self.uid, self.current_label, echo, test_file)) + status, output = self.target.run("ls %s" %test_file) + self.assertEqual(status, 0, "Could not create mmap test file") + self.target.run("chsmack -m %s %s" %(file_label, test_file)) + self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe)) + + # test with no rules with mmap label or exec label as subject + # access should be granted + self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access without rules. Output: %s" %output) + + # add rules that do not match access required + self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path)) + self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path)) + status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with unmatching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with unmatching rules") + + # add rule to match only partially (one way) + self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertNotEqual( + status, 0, + "Should not have mmap access with partial matching rules. " + + "Output: %s" %output) + self.assertIn( + "Permission denied", output, + "Mmap access should be denied with partial matching rules") + + # add rule to match fully + self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path)) + status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file)) + self.assertEqual( + status, 0, + "Should have mmap access with full matching rules." + + "Output: %s" %output) + +class SmackEnforceTransmutable(SmackBasicTest): + + def test_smack_transmute_dir(self): + '''Test if smack transmute attribute works + + test needs to change the running label of the current process, + so whole test takes places on image + ''' + test_dir = "/tmp/smack_transmute_dir" + label="transmute_label" + status, initial_label = self.target.run("cat /proc/self/attr/current") + + self.target.run("mkdir -p %s" %test_dir) + self.target.run("chsmack -a %s %s" %(label, test_dir)) + self.target.run("chsmack -t %s" %test_dir) + self.target.run( + "echo -n '%s %s rwxat' | smackload" %(initial_label, label) ) + + self.target.run("touch %s/test" %test_dir) + status, output = self.target.run("chsmack %s/test" %test_dir) + self.assertIn( + 'access="%s"' %label, output, + "Did not get expected label. Output: %s" %output) + + +class SmackTcpSockets(SmackBasicTest): + def test_smack_tcp_sockets(self): + '''Test if smack is enforced on tcp sockets + + whole test takes places on image, depends on tcp_server/tcp_client''' + + self.target.copy_to(os.path.join(get_files_dir(), "tcp_client"), "/tmp/") + self.target.copy_to(os.path.join(get_files_dir(), "tcp_server"), "/tmp/") + status, output = self.target.run("ls /tmp/test_smack_tcp_sockets.sh") + if status != 0: + self.target.copy_to( + os.path.join(self.files_dir, 'test_smack_tcp_sockets.sh'), + "/tmp/test_smack_tcp_sockets.sh") + + status, output = self.target.run("sh /tmp/test_smack_tcp_sockets.sh") + self.assertEqual(status, 0, output) + +class SmackUdpSockets(SmackBasicTest): + def test_smack_udp_sockets(self): + '''Test if smack is enforced on udp sockets + + whole test takes places on image, depends on udp_server/udp_client''' + + self.target.copy_to(os.path.join(get_files_dir(), "udp_client"), "/tmp/") + self.target.copy_to(os.path.join(get_files_dir(), "udp_server"), "/tmp/") + status, output = self.target.run("ls /tmp/test_smack_udp_sockets.sh") + if status != 0: + self.target.copy_to( + os.path.join(self.files_dir, 'test_smack_udp_sockets.sh'), + "/tmp/test_smack_udp_sockets.sh") + + status, output = self.target.run("sh /tmp/test_smack_udp_sockets.sh") + self.assertEqual(status, 0, output) + +class SmackFileLabels(SmackBasicTest): + + @skipUnlessPassed('test_ssh') + def test_smack_labels(self): + '''Check for correct Smack labels.''' + expected = ''' +/tmp/ access="*" +/etc/ access="System::Shared" transmute="TRUE" +/etc/passwd access="System::Shared" +/etc/terminfo access="System::Shared" transmute="TRUE" +/etc/skel/ access="System::Shared" transmute="TRUE" +/etc/skel/.profile access="System::Shared" +/var/log/ access="System::Log" transmute="TRUE" +/var/tmp/ access="*" +''' + files = ' '.join([x.split()[0] for x in expected.split('\n') if x]) + files_wildcard = ' '.join([x + '/*' for x in files.split()]) + # Auxiliary information. + status, output = self.target.run( + 'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % ( + ' '.join([x.rstrip('/') for x in files.split()]), files, files + ) + ) + msg = "File status:\n" + output + status, output = self.target.run('chsmack %s' % files) + self.assertEqual( + status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg)) + self.longMessage = True + self.maxDiff = None + self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg) |