From f70d712e4f505f5c5b50ae17f4f023d20a667568 Mon Sep 17 00:00:00 2001
From: José Bollo <jose.bollo@iot.bzh>
Date: Wed, 24 Jan 2018 11:38:43 +0100
Subject: Integrate parts of meta-intel-iot-security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds the recipes of the sub layers
 - meta-security-framework
 - meta-security-smack

Change-Id: I618608008a3b3d1d34adb6e38048110f13ac0643
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
---
 meta-security/lib/oeqa/runtime/__init__.py         |   0
 meta-security/lib/oeqa/runtime/files/notroot.py    |  33 ++
 .../oeqa/runtime/files/smack_test_file_access.sh   |  54 ++
 .../files/test_privileged_change_self_label.sh     |  18 +
 .../lib/oeqa/runtime/files/test_smack_onlycap.sh   |  27 +
 .../oeqa/runtime/files/test_smack_tcp_sockets.sh   | 108 ++++
 .../oeqa/runtime/files/test_smack_udp_sockets.sh   | 107 ++++
 meta-security/lib/oeqa/runtime/securitymanager.py  | 108 ++++
 meta-security/lib/oeqa/runtime/smack.py            | 589 +++++++++++++++++++++
 9 files changed, 1044 insertions(+)
 create mode 100644 meta-security/lib/oeqa/runtime/__init__.py
 create mode 100644 meta-security/lib/oeqa/runtime/files/notroot.py
 create mode 100644 meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
 create mode 100644 meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
 create mode 100644 meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
 create mode 100644 meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
 create mode 100644 meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
 create mode 100644 meta-security/lib/oeqa/runtime/securitymanager.py
 create mode 100644 meta-security/lib/oeqa/runtime/smack.py

(limited to 'meta-security/lib/oeqa')

diff --git a/meta-security/lib/oeqa/runtime/__init__.py b/meta-security/lib/oeqa/runtime/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/meta-security/lib/oeqa/runtime/files/notroot.py b/meta-security/lib/oeqa/runtime/files/notroot.py
new file mode 100644
index 000000000..f0eb0b5b9
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/notroot.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Script used for running executables with custom labels, as well as custom uid/gid
+# Process label is changed by writing to /proc/self/attr/curent
+#
+# Script expects user id and group id to exist, and be the same.
+#
+# From adduser manual: 
+# """By  default,  each  user  in Debian GNU/Linux is given a corresponding group 
+# with the same name. """
+#
+# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+#
+# Author: Alexandru Cornea <alexandru.cornea@intel.com>
+import os
+import sys
+
+try:
+	uid = int(sys.argv[1])
+	sys.argv.pop(1)
+	label = sys.argv[1]
+	sys.argv.pop(1)
+	open("/proc/self/attr/current", "w").write(label)
+	path=sys.argv[1]
+	sys.argv.pop(0)
+	os.setgid(uid)
+	os.setuid(uid)	
+	os.execv(path,sys.argv)
+
+except Exception,e:
+	print e.message
+	sys.exit(1)
diff --git a/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
new file mode 100644
index 000000000..5a0ce84f2
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/smack_test_file_access.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+
+#        12345678901234567890123456789012345678901234567890123456
+delrule="TheOne                  TheOther                -----"
+rule_ro="TheOne                  TheOther                r----"
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+	echo "Process with different label than the test file and no read access on it can read it"
+	exit $RC
+fi
+
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+	echo "Process with different label than the test file but with read access on it cannot read it"
+	exit $RC
+fi
+
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+	echo  "Process cannot read file with * label"
+	exit $RC
+fi
+
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+	echo "Process with label '*' should not have any access"
+	exit $RC
+fi
+exit 0
diff --git a/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
new file mode 100644
index 000000000..26d9e9d22
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+
+if [ "$new_label" != "$modified_label" ]; then
+	# restore proper label
+	echo $initial_label >/proc/self/attr/current
+	echo "Privileged process could not change its label"
+	exit 1
+fi
+
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0
\ No newline at end of file
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
new file mode 100644
index 000000000..1c4a93ab6
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`		
+smack_initial=`cat /proc/self/attr/current`
+
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+	echo "Onlycap label could not be set"
+	return $RC
+fi
+
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+	echo "Onlycap label was not set correctly."
+	return 1
+fi
+
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
new file mode 100644
index 000000000..ed18f2371
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_tcp_sockets.sh
@@ -0,0 +1,108 @@
+#!/bin/sh
+RC=0
+test_file=/tmp/smack_socket_tcp
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+# make sure no access is granted
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  -----" > $SMACK_PATH/load
+
+tcp_server=`which tcp_server`
+if [ -z $tcp_server ]; then
+	if [ -f "/tmp/tcp_server" ]; then
+		tcp_server="/tmp/tcp_server"
+	else
+		echo "tcp_server binary not found"
+		exit 1
+	fi
+fi
+tcp_client=`which tcp_client`
+if [ -z $tcp_client ]; then
+	if [ -f "/tmp/tcp_client" ]; then
+		tcp_client="/tmp/tcp_client"
+	else
+		echo "tcp_client binary not found"
+		exit 1
+	fi
+fi
+
+# checking access for sockets with different labels
+$tcp_server 50016 label1 &>/dev/null &
+server_pid=$!
+sleep 2
+$tcp_client 50016 label2 label1 &>/dev/null &
+client_pid=$!
+
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+
+if [ $server_rv -eq 0 -o $client_rv -eq 0 ]; then
+	echo "Sockets with different labels should not communicate on tcp"
+	exit 1
+fi
+
+# granting access between different labels
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$tcp_server 50017 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50017 label2 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Sockets with different labels, but having rw access, should communicate on tcp"
+	exit 1
+fi
+
+# checking access for sockets with the same label
+$tcp_server 50018 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50018 label1 label1  2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Sockets with same labels should communicate on tcp"
+	exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$tcp_server 50019 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50019 label1 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Should have access on tcp socket labeled star (*)"
+	exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$tcp_server 50020 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$tcp_client 50020 label1 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 -o  $client_rv -eq 0 ]; then
+	echo "Socket labeled star should not have access to any tcp socket"
+	exit 1
+fi
diff --git a/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
new file mode 100644
index 000000000..419ab9f91
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/files/test_smack_udp_sockets.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+RC=0
+test_file="/tmp/smack_socket_udp"
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+
+udp_server=`which udp_server`
+if [ -z $udp_server ]; then
+	if [ -f "/tmp/udp_server" ]; then
+		udp_server="/tmp/udp_server"
+	else
+		echo "udp_server binary not found"
+		exit 1
+	fi
+fi
+udp_client=`which udp_client`
+if [ -z $udp_client ]; then
+	if [ -f "/tmp/udp_client" ]; then
+		udp_client="/tmp/udp_client"
+	else
+		echo "udp_client binary not found"
+		exit 1
+	fi
+fi
+
+# make sure no access is granted
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  -----" > $SMACK_PATH/load
+
+# checking access for sockets with different labels
+$udp_server 50021 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50021 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+	echo "Sockets with different labels should not communicate on udp"
+	exit 1
+fi
+
+# granting access between different labels
+#        12345678901234567890123456789012345678901234567890123456
+echo -n "label1                  label2                  rw---" > $SMACK_PATH/load
+# checking access for sockets with different labels, but having a rule granting rw
+$udp_server 50022 label2 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50022 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Sockets with different labels, but having rw access, should communicate on udp"
+	exit 1
+fi
+
+# checking access for sockets with the same label
+$udp_server 50023 label1 &
+server_pid=$!
+sleep 1
+$udp_client 50023 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Sockets with same labels should communicate on udp"
+	exit 1
+fi
+
+# checking access on socket labeled star (*)
+# should always be permitted
+$udp_server 50024 \* 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50024 label1 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -ne 0 -o $client_rv -ne 0 ]; then
+	echo "Should have access on udp socket labeled star (*)"
+	exit 1
+fi
+
+# checking access from socket labeled star (*)
+# all access from subject star should be denied
+$udp_server 50025 label1 2>$test_file &
+server_pid=$!
+sleep 1
+$udp_client 50025 \* 2>$test_file &
+client_pid=$!
+wait $server_pid
+server_rv=$?
+wait $client_pid
+client_rv=$?
+if [ $server_rv -eq 0 ]; then
+	echo "Socket labeled star should not have access to any udp socket"
+	exit 1
+fi
diff --git a/meta-security/lib/oeqa/runtime/securitymanager.py b/meta-security/lib/oeqa/runtime/securitymanager.py
new file mode 100644
index 000000000..ab0df5a42
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/securitymanager.py
@@ -0,0 +1,108 @@
+import unittest
+import re
+import os
+import string
+from oeqa.oetest import oeRuntimeTest, skipModule
+from oeqa.utils.decorators import *
+
+def get_files_dir():
+    """Get directory of supporting files"""
+    pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True)
+    deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True)
+    return os.path.join(deploydir, "files", "target", pkgarch)
+
+MAX_LABEL_LEN = 255
+LABEL = "a" * MAX_LABEL_LEN
+
+def setUpModule():
+    if not oeRuntimeTest.hasPackage('security-manager'):
+        skipModule(
+            "security-manager module skipped: "
+            "target doesn't have security-manager installed")
+
+class SecurityManagerBasicTest(oeRuntimeTest):
+    ''' base smack test '''
+    def setUp(self):
+        # TODO: avoid hardcoding path (also in SecurityManager itself)
+        self.security_manager_db = '/usr/dbspace/.security-manager.db'
+        cmd = "sqlite3 %s 'SELECT name from privilege ORDER BY privilege_id'" % self.security_manager_db
+        status, output = self.target.run(cmd)
+        self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+        self.privileges = output.split()
+        if not self.privileges:
+            # Only privileges that map to a Unix group need to be known to
+            # SecurityManager. Therefore it is possible that the query above
+            # returns nothing. In that case, make up something for the tests.
+            self.privileges.append('FoobarPrivilege')
+        self.appid = 'test-app-id'
+        self.pkgid = 'test-pkg-id'
+        self.user = 'security-manager-user'
+        idcmd = 'id -u %s' % self.user
+        status, output = self.target.run(idcmd)
+        if status:
+            # -D is from busybox. It disables setting a password.
+            createcmd = 'adduser -D %s' % self.user
+            status, output = self.target.run(createcmd)
+            self.assertFalse(status, msg="%s failed: %s" % (createcmd, output))
+            status, output = self.target.run(idcmd)
+        self.assertTrue(output.isdigit(), msg="Unexpected output from %s: %s" % (idcmd, output))
+        self.uid = output
+
+class SecurityManagerApp(SecurityManagerBasicTest):
+    '''Tests covering app installation. Ordering is important, therefore tests are numbered.'''
+
+    @skipUnlessPassed('test_ssh')
+    def test_security_manager_01_setup(self):
+        '''Check that basic SecurityManager setup is in place.'''
+        # If we get this far, then at least the sqlite db must have been in place.
+        # This does not mean much, but we need to start somewhere.
+        pass
+
+    @skipUnlessPassed('test_security_manager_01_setup')
+    def test_security_manager_02_install(self):
+        '''Test if installing an app sets up privilege rules for it, also in Cynara.'''
+        self.target.copy_to(os.path.join(get_files_dir(), "app-runas"), "/tmp/")
+        cmd = '/tmp/app-runas -a %s -p %s -u %s -r %s -i' % \
+              (self.appid, self.pkgid, self.uid, self.privileges[0])
+        status, output = self.target.run(cmd)
+        self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+        cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \
+              (self.security_manager_db, self.appid)
+        status, output = self.target.run(cmd)
+        self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+        self.assertEqual(output, '|'.join((self.uid, self.appid, self.pkgid)))
+        cmd = 'grep -r %s /var/cynara/db/' % self.appid
+        status, output = self.target.run(cmd)
+        self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+        # User::App:: prefix still hard-coded here because it is not customizable at the moment.
+        self.assertEqual(output, '/var/cynara/db/_MANIFESTS:User::App::%s;%s;%s;0xFFFF;' % \
+                         (self.appid, self.uid, self.privileges[0]))
+
+    @skipUnlessPassed('test_security_manager_02_install')
+    def test_security_manager_03_run(self):
+        '''Test running as app. Depends on preparations in test_security_manager_install().'''
+        cmd = '''/tmp/app-runas -a %s -u %s -e -- sh -c 'id -u && cat /proc/self/attr/current' ''' % \
+              (self.appid, self.uid)
+        status, output = self.target.run(cmd)
+        self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+        self.assertEqual(output, '%s\nUser::App::%s' % (self.uid, self.appid))
+
+    @skipUnlessPassed('test_security_manager_02_install')
+    def test_security_manager_03_uninstall(self):
+        '''Test removal of an app.'''
+        cmd = '/tmp/app-runas -a %s -p %s -u %s -d' % \
+              (self.appid, self.pkgid, self.uid)
+        status, output = self.target.run(cmd)
+        self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+        cmd = '''sqlite3 %s 'SELECT uid,app_name,pkg_name from app_pkg_view WHERE app_name = "%s"' ''' % \
+              (self.security_manager_db, self.appid)
+        status, output = self.target.run(cmd)
+        self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+        # Entry does not really get removed. Bug filed here:
+        # https://github.com/Samsung/security-manager/issues/2
+        # self.assertEqual(output, '')
+        cmd = 'grep -r %s /var/cynara/db/' % self.appid
+        status, output = self.target.run(cmd)
+        self.assertFalse(status, msg="%s failed: %s" % (cmd, output))
+        # This also does not get removed. Perhaps same root cause.
+        # self.assertEqual(output, '')
diff --git a/meta-security/lib/oeqa/runtime/smack.py b/meta-security/lib/oeqa/runtime/smack.py
new file mode 100644
index 000000000..96af443b8
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/smack.py
@@ -0,0 +1,589 @@
+import unittest
+import re
+import os
+import string
+from oeqa.oetest import oeRuntimeTest, skipModule
+from oeqa.utils.decorators import *
+
+def get_files_dir():
+    """Get directory of supporting files"""
+    pkgarch = oeRuntimeTest.tc.d.getVar('MACHINE', True)
+    deploydir = oeRuntimeTest.tc.d.getVar('DEPLOY_DIR', True)
+    return os.path.join(deploydir, "files", "target", pkgarch)
+
+MAX_LABEL_LEN = 255
+LABEL = "a" * MAX_LABEL_LEN
+
+def setUpModule():
+    if not oeRuntimeTest.hasFeature('smack'):
+        skipModule(
+            "smack module skipped: "
+            "target doesn't have smack in DISTRO_FEATURES")
+
+class SmackBasicTest(oeRuntimeTest):
+    ''' base smack test '''
+    def setUp(self):
+        status, output = self.target.run(
+            "grep smack /proc/mounts | awk '{print $2}'")
+        self.smack_path = output
+        self.files_dir = os.path.join(
+            os.path.abspath(os.path.dirname(__file__)), 'files')
+        self.uid = 1000
+        status,output = self.target.run("cat /proc/self/attr/current")
+        self.current_label = output.strip()
+
+class SmackAccessLabel(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_add_access_label(self):
+        ''' Test if chsmack can correctly set a SMACK label '''
+        filename = "/tmp/test_access_label"
+        self.target.run("touch %s" %filename)
+        status, output = self.target.run("chsmack -a %s %s" %(LABEL, filename))
+        self.assertEqual(
+            status, 0,
+            "Cannot set smack access label. "
+            "Status and output: %d %s" %(status, output))
+        status, output = self.target.run("chsmack %s" %filename)
+        self.target.run("rm %s" %filename)
+        m = re.search('(?<=access=")\S+(?=")', output)
+        if m is None:
+            self.fail("Did not find access attribute")
+        else:
+            label_retrieved = m .group(0)
+            self.assertEqual(
+                LABEL, label_retrieved,
+                "label not set correctly. expected and gotten: "
+                "%s %s" %(LABEL,label_retrieved))
+
+class SmackExecLabel(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_add_exec_label(self):
+        '''Test if chsmack can correctly set a SMACK Exec label'''
+        filename = "/tmp/test_exec_label"
+        self.target.run("touch %s" %filename)
+        status, output = self.target.run("chsmack -e %s %s" %(LABEL, filename))
+        self.assertEqual(
+            status, 0,
+            "Cannot set smack exec label. "
+            "Status and output: %d %s" %(status, output))
+        status, output = self.target.run("chsmack %s" %filename)
+        self.target.run("rm %s" %filename)
+        m= re.search('(?<=execute=")\S+(?=")', output)
+        if m is None:
+            self.fail("Did not find execute attribute")
+        else:
+            label_retrieved = m.group(0)
+            self.assertEqual(
+                LABEL, label_retrieved,
+                "label not set correctly. expected and gotten: " +
+                "%s %s" %(LABEL,label_retrieved))
+
+class SmackMmapLabel(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_add_mmap_label(self):
+        '''Test if chsmack can correctly set a SMACK mmap label'''
+        filename = "/tmp/test_exec_label"
+        self.target.run("touch %s" %filename)
+        status, output = self.target.run("chsmack -m %s %s" %(LABEL, filename))
+        self.assertEqual(
+            status, 0,
+            "Cannot set smack mmap label. "
+            "Status and output: %d %s" %(status, output))
+        status, output = self.target.run("chsmack %s" %filename)
+        self.target.run("rm %s" %filename)
+        m = re.search('(?<=mmap=")\S+(?=")', output)
+        if m is None:
+            self.fail("Did not find mmap attribute")
+        else:
+            label_retrieved = m.group(0)
+            self.assertEqual(
+                LABEL, label_retrieved,
+                "label not set correctly. expected and gotten: " +
+                "%s %s" %(LABEL,label_retrieved))
+
+class SmackTransmutable(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_add_transmutable(self):
+        '''Test if chsmack can correctly set a SMACK transmutable mode'''
+
+        directory = "~/test_transmutable"
+        self.target.run("mkdir -p %s" %directory)
+        status, output = self.target.run("chsmack -t %s" %directory)
+        self.assertEqual(status, 0, "Cannot set smack transmutable. "
+                        "Status and output: %d %s" %(status, output))
+        status, output = self.target.run("chsmack %s" %directory)
+        self.target.run("rmdir %s" %directory)
+        m = re.search('(?<=transmute=")\S+(?=")', output)
+        if m is None:
+            self.fail("Did not find transmute attribute")
+        else:
+            label_retrieved = m.group(0)
+            self.assertEqual(
+                "TRUE", label_retrieved,
+                "label not set correctly. expected and gotten: " +
+                "%s %s" %(LABEL,label_retrieved))
+
+class SmackChangeSelfLabelPrivilege(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_privileged_change_self_label(self):
+        '''Test if privileged process (with CAP_MAC_ADMIN privilege)
+        can change its label.
+        '''
+
+        status, output = self.target.run("ls /tmp/notroot.py")
+        if status != 0:
+            self.target.copy_to(
+                os.path.join(self.files_dir, 'notroot.py'),
+                "/tmp/notroot.py")
+
+        labelf = "/proc/self/attr/current"
+        command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+
+        status, output = self.target.run(
+            "python /tmp/notroot.py 0 %s %s" %(self.current_label, command))
+
+        self.assertIn("PRIVILEGED", output,
+                    "Privilege process did not change label.Output: %s" %output)
+
+class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_unprivileged_change_self_label(self):
+        '''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
+        cannot change its label'''
+
+        status, output = self.target.run("ls /tmp/notroot.py")
+        if status != 0:
+            self.target.copy_to(
+                os.path.join(self.files_dir, 'notroot.py'),
+                "/tmp/notroot.py")
+
+        command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
+        status, output = self.target.run(
+            "python /tmp/notroot.py %d %s %s"
+            %(self.uid, self.current_label, command) +
+            " 2>&1 | grep 'Operation not permitted'" )
+
+        self.assertEqual(
+            status, 0,
+            "Unprivileged process should not be able to change its label")
+
+
+class SmackChangeFileLabelPrivilege(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_unprivileged_change_file_label(self):
+        '''Test if unprivileged process cannot change file labels'''
+
+        status, chsmack = self.target.run("which chsmack")
+        status, touch = self.target.run("which touch")
+        filename = "/tmp/test_unprivileged_change_file_label"
+
+        status, output = self.target.run("ls /tmp/notroot.py")
+        if status != 0:
+            self.target.copy_to(
+                os.path.join(self.files_dir, 'notroot.py'),
+                "/tmp/notroot.py")
+
+        self.target.run("python /tmp/notroot.py %d %s %s %s" %(self.uid, self.current_label, touch, filename))
+        status, output = self.target.run(
+            "python /tmp/notroot.py " +
+            "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
+            "| grep 'Operation not permitted'"  )
+
+        self.target.run("rm %s" %filename)
+        self.assertEqual(
+            status, 0,
+            "Unprivileged process changed label for %s" %filename)
+
+class SmackLoadRule(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_load_smack_rule(self):
+        '''Test if new smack access rules can be loaded'''
+
+        # old 23 character format requires special spaces formatting
+        #      12345678901234567890123456789012345678901234567890123
+        ruleA="TheOne                  TheOther                rwxat"
+        ruleB="TheOne                  TheOther                r----"
+        clean="TheOne                  TheOther                -----"
+        modeA = "rwxat"
+        modeB = "r"
+
+        status, output = self.target.run(
+            'echo -n "%s" > %s/load' %(ruleA, self.smack_path))
+        status, output = self.target.run(
+            'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+        self.assertEqual(status, 0, "Rule A was not added")
+        mode = list(filter(bool, output.split(" ")))[2].strip()
+        self.assertEqual(
+            mode, modeA,
+            "Mode A was not set correctly; mode: %s" %mode)
+
+        status, output = self.target.run(
+            'echo -n "%s" > %s/load' %(ruleB, self.smack_path))
+        status, output = self.target.run(
+            'cat %s/load | grep "^TheOne" | grep " TheOther "' %self.smack_path)
+        mode = list(filter(bool, output.split(" ")))[2].strip()
+        self.assertEqual(
+            mode, modeB,
+            "Mode B was not set correctly; mode: %s" %mode)
+
+        self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
+
+
+class SmackOnlycap(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_smack_onlycap(self):
+        '''Test if smack onlycap label can be set
+
+        test needs to change the running label of the current process,
+        so whole test takes places on image
+        '''
+        status, output = self.target.run("ls /tmp/test_smack_onlycap.sh")
+        if status != 0:
+            self.target.copy_to(
+                os.path.join(self.files_dir, 'test_smack_onlycap.sh'),
+                "/tmp/test_smack_onlycap.sh")
+
+        status, output = self.target.run("sh /tmp/test_smack_onlycap.sh")
+        self.assertEqual(status, 0, output)
+
+class SmackNetlabel(SmackBasicTest):
+    @skipUnlessPassed('test_ssh')
+    def test_smack_netlabel(self):
+
+        test_label="191.191.191.191 TheOne"
+        expected_label="191.191.191.191/32 TheOne"
+
+        status, output = self.target.run(
+            "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+        self.assertEqual(
+            status, 0,
+            "Netlabel /32 could not be set. Output: %s" %output)
+
+        status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+        self.assertIn(
+            expected_label, output,
+            "Did not find expected label in output: %s" %output)
+
+        test_label="253.253.253.0/24 TheOther"
+        status, output = self.target.run(
+            "echo -n '%s' > %s/netlabel" %(test_label, self.smack_path))
+        self.assertEqual(
+            status, 0,
+            "Netlabel /24 could not be set. Output: %s" %output)
+
+        status, output = self.target.run("cat %s/netlabel" %self.smack_path)
+        self.assertIn(
+            test_label, output,
+            "Did not find expected label in output: %s" %output)
+
+class SmackCipso(SmackBasicTest):
+    @skipUnlessPassed('test_ssh')
+    def test_smack_cipso(self):
+        '''Test if smack cipso rules can be set'''
+        #      12345678901234567890123456789012345678901234567890123456
+        ruleA="TheOneA                 2   0   "
+        ruleB="TheOneB                 3   1   55  "
+        ruleC="TheOneC                 4   2   17  33  "
+
+        status, output = self.target.run(
+            "echo -n '%s' > %s/cipso" %(ruleA, self.smack_path))
+        self.assertEqual(status, 0,
+            "Could not set cipso label A. Ouput: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/cipso | grep '^TheOneA'" %self.smack_path)
+        self.assertEqual(status, 0, "Cipso rule A was not set")
+        self.assertIn(" 2", output, "Rule A was not set correctly")
+
+        status, output = self.target.run(
+            "echo -n '%s' > %s/cipso" %(ruleB, self.smack_path))
+        self.assertEqual(status, 0,
+            "Could not set cipso label B. Ouput: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/cipso | grep '^TheOneB'" %self.smack_path)
+        self.assertEqual(status, 0, "Cipso rule B was not set")
+        self.assertIn("/55", output, "Rule B was not set correctly")
+
+        status, output = self.target.run(
+            "echo -n '%s' > %s/cipso" %(ruleC, self.smack_path))
+        self.assertEqual(
+            status, 0,
+            "Could not set cipso label C. Ouput: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/cipso | grep '^TheOneC'" %self.smack_path)
+        self.assertEqual(status, 0, "Cipso rule C was not set")
+        self.assertIn("/17,33", output, "Rule C was not set correctly")
+
+class SmackDirect(SmackBasicTest):
+    @skipUnlessPassed('test_ssh')
+    def test_smack_direct(self):
+        status, initial_direct = self.target.run(
+            "cat %s/direct" %self.smack_path)
+
+        test_direct="17"
+        status, output = self.target.run(
+            "echo '%s' > %s/direct" %(test_direct, self.smack_path))
+        self.assertEqual(status, 0 ,
+            "Could not set smack direct. Output: %s" %output)
+        status, new_direct = self.target.run("cat %s/direct" %self.smack_path)
+        # initial label before checking
+        status, output = self.target.run(
+            "echo '%s' > %s/direct" %(initial_direct, self.smack_path))
+        self.assertEqual(
+            test_direct, new_direct.strip(),
+            "Smack direct label does not match.")
+
+
+class SmackAmbient(SmackBasicTest):
+    @skipUnlessPassed('test_ssh')
+    def test_smack_ambient(self):
+        test_ambient = "test_ambient"
+        status, initial_ambient = self.target.run("cat %s/ambient" %self.smack_path)
+        status, output = self.target.run(
+            "echo '%s' > %s/ambient" %(test_ambient, self.smack_path))
+        self.assertEqual(status, 0,
+            "Could not set smack ambient. Output: %s" %output)
+
+        status, output = self.target.run("cat %s/ambient" %self.smack_path)
+        # Filter '\x00', which is sometimes added to the ambient label
+        new_ambient = ''.join(filter(lambda x: x in string.printable, output))
+        initial_ambient = ''.join(filter(lambda x: x in string.printable, initial_ambient))
+        status, output = self.target.run(
+            "echo '%s' > %s/ambient" %(initial_ambient, self.smack_path))
+        self.assertEqual(
+            test_ambient, new_ambient.strip(),
+            "Ambient label does not match")
+
+
+class SmackloadBinary(SmackBasicTest):
+    @skipUnlessPassed('test_ssh')
+    def test_smackload(self):
+        '''Test if smackload command works'''
+        rule="testobject testsubject rwx"
+
+        status, output = self.target.run("echo -n '%s' > /tmp/rules" %rule)
+        status, output = self.target.run("smackload /tmp/rules")
+        self.assertEqual(
+            status, 0,
+            "Smackload failed to load rule. Output: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/load | grep '%s'" %(self.smack_path, rule))
+        self.assertEqual(status, 0, "Smackload rule was loaded correctly")
+
+class SmackcipsoBinary(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_smackcipso(self):
+        '''Test if smackcipso command works'''
+        #     12345678901234567890123456789012345678901234567890123456
+        rule="cipsolabel                  2   2   "
+
+        status, output = self.target.run("echo '%s' | smackcipso" %rule)
+        self.assertEqual(
+            status, 0,
+            "Smackcipso failed to load rule. Output: %s" %output)
+
+        status, output = self.target.run(
+            "cat %s/cipso | grep 'cipsolabel'" %self.smack_path)
+        self.assertEqual(status, 0, "Smackload rule was loaded correctly")
+        self.assertIn(
+            "2/2", output,
+            "Rule was not set correctly. Got: %s" %output)
+
+class SmackEnforceFileAccess(SmackBasicTest):
+    @skipUnlessPassed('test_ssh')
+    def test_smack_enforce_file_access(self):
+        '''Test if smack file access is enforced (rwx)
+
+        test needs to change the running label of the current process,
+        so whole test takes places on image
+        '''
+        status, output = self.target.run("ls /tmp/smack_test_file_access.sh")
+        if status != 0:
+            self.target.copy_to(
+                os.path.join(self.files_dir, 'smack_test_file_access.sh'),
+                "/tmp/smack_test_file_access.sh")
+
+        status, output = self.target.run("sh /tmp/smack_test_file_access.sh")
+        self.assertEqual(status, 0, output)
+
+class SmackEnforceMmap(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_smack_mmap_enforced(self):
+        '''Test if smack mmap access is enforced'''
+        raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
+
+        #      12345678901234567890123456789012345678901234567890123456
+        delr1="mmap_label              mmap_test_label1        -----"
+        delr2="mmap_label              mmap_test_label2        -----"
+        delr3="mmap_file_label         mmap_test_label1        -----"
+        delr4="mmap_file_label         mmap_test_label2        -----"
+
+        RuleA="mmap_label              mmap_test_label1        rw---"
+        RuleB="mmap_label              mmap_test_label2        r--at"
+        RuleC="mmap_file_label         mmap_test_label1        rw---"
+        RuleD="mmap_file_label         mmap_test_label2        rwxat"
+
+        mmap_label="mmap_label"
+        file_label="mmap_file_label"
+        test_file = "/tmp/smack_test_mmap"
+        self.target.copy_to(os.path.join(get_files_dir(), "mmap_test"), "/tmp/")
+        mmap_exe = "/tmp/mmap_test"
+        status, echo = self.target.run("which echo")
+        status, output = self.target.run("ls /tmp/notroot.py")
+        if status != 0:
+            self.target.copy_to(
+                os.path.join(self.files_dir, 'notroot.py'),
+                "/tmp/notroot.py")
+        status, output = self.target.run(
+            "python /tmp/notroot.py %d %s %s 'test' > %s" \
+            %(self.uid, self.current_label, echo, test_file))
+        status, output = self.target.run("ls %s" %test_file)
+        self.assertEqual(status, 0, "Could not create mmap test file")
+        self.target.run("chsmack -m %s %s" %(file_label, test_file))
+        self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
+
+        # test with no rules with mmap label or exec label as subject
+        # access should be granted
+        self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
+        self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
+        self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
+        self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
+        status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+        self.assertEqual(
+            status, 0,
+            "Should have mmap access without rules. Output: %s" %output)
+
+        # add rules that do not match access required
+        self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
+        self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
+        status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
+        self.assertNotEqual(
+            status, 0,
+            "Should not have mmap access with unmatching rules. " +
+            "Output: %s" %output)
+        self.assertIn(
+            "Permission denied", output,
+            "Mmap access should be denied with unmatching rules")
+
+        # add rule to match only partially (one way)
+        self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
+        status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+        self.assertNotEqual(
+            status, 0,
+            "Should not have mmap access with partial matching rules. " +
+            "Output: %s" %output)
+        self.assertIn(
+            "Permission denied", output,
+            "Mmap access should be denied with partial matching rules")
+
+        # add rule to match fully
+        self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
+        status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
+        self.assertEqual(
+            status, 0,
+            "Should have mmap access with full matching rules." +
+            "Output: %s" %output)
+
+class SmackEnforceTransmutable(SmackBasicTest):
+
+    def test_smack_transmute_dir(self):
+        '''Test if smack transmute attribute works
+
+        test needs to change the running label of the current process,
+        so whole test takes places on image
+        '''
+        test_dir = "/tmp/smack_transmute_dir"
+        label="transmute_label"
+        status, initial_label = self.target.run("cat /proc/self/attr/current")
+
+        self.target.run("mkdir -p %s" %test_dir)
+        self.target.run("chsmack -a %s %s" %(label, test_dir))
+        self.target.run("chsmack -t %s" %test_dir)
+        self.target.run(
+            "echo -n '%s %s rwxat' | smackload" %(initial_label, label) )
+
+        self.target.run("touch %s/test" %test_dir)
+        status, output = self.target.run("chsmack %s/test" %test_dir)
+        self.assertIn(
+            'access="%s"' %label, output,
+            "Did not get expected label. Output: %s" %output)
+
+
+class SmackTcpSockets(SmackBasicTest):
+    def test_smack_tcp_sockets(self):
+        '''Test if smack is enforced on tcp sockets
+
+        whole test takes places on image, depends on tcp_server/tcp_client'''
+
+        self.target.copy_to(os.path.join(get_files_dir(), "tcp_client"), "/tmp/")
+        self.target.copy_to(os.path.join(get_files_dir(), "tcp_server"), "/tmp/")
+        status, output = self.target.run("ls /tmp/test_smack_tcp_sockets.sh")
+        if status != 0:
+            self.target.copy_to(
+                os.path.join(self.files_dir, 'test_smack_tcp_sockets.sh'),
+                "/tmp/test_smack_tcp_sockets.sh")
+
+        status, output = self.target.run("sh /tmp/test_smack_tcp_sockets.sh")
+        self.assertEqual(status, 0, output)
+
+class SmackUdpSockets(SmackBasicTest):
+    def test_smack_udp_sockets(self):
+        '''Test if smack is enforced on udp sockets
+
+        whole test takes places on image, depends on udp_server/udp_client'''
+
+        self.target.copy_to(os.path.join(get_files_dir(), "udp_client"), "/tmp/")
+        self.target.copy_to(os.path.join(get_files_dir(), "udp_server"), "/tmp/")
+        status, output = self.target.run("ls /tmp/test_smack_udp_sockets.sh")
+        if status != 0:
+            self.target.copy_to(
+                os.path.join(self.files_dir, 'test_smack_udp_sockets.sh'),
+                "/tmp/test_smack_udp_sockets.sh")
+
+        status, output = self.target.run("sh /tmp/test_smack_udp_sockets.sh")
+        self.assertEqual(status, 0, output)
+
+class SmackFileLabels(SmackBasicTest):
+
+    @skipUnlessPassed('test_ssh')
+    def test_smack_labels(self):
+        '''Check for correct Smack labels.'''
+        expected = '''
+/tmp/ access="*"
+/etc/ access="System::Shared" transmute="TRUE"
+/etc/passwd access="System::Shared"
+/etc/terminfo access="System::Shared" transmute="TRUE"
+/etc/skel/ access="System::Shared" transmute="TRUE"
+/etc/skel/.profile access="System::Shared"
+/var/log/ access="System::Log" transmute="TRUE"
+/var/tmp/ access="*"
+'''
+        files = ' '.join([x.split()[0] for x in expected.split('\n') if x])
+        files_wildcard = ' '.join([x + '/*' for x in files.split()])
+        # Auxiliary information.
+        status, output = self.target.run(
+            'set -x; mount; ls -l -d %s; find %s | xargs ls -d -l; find %s | xargs chsmack' % (
+                ' '.join([x.rstrip('/') for x in files.split()]), files, files
+            )
+        )
+        msg = "File status:\n" + output
+        status, output = self.target.run('chsmack %s' % files)
+        self.assertEqual(
+            status, 0, msg="status and output: %s and %s\n%s" % (status,output, msg))
+        self.longMessage = True
+        self.maxDiff = None
+        self.assertEqual(output.strip().split('\n'), expected.strip().split('\n'), msg=msg)
-- 
cgit 1.2.3-korg