PERFORCE change 124002 for review
Zhouyi ZHOU
zhouzhouyi at FreeBSD.org
Tue Jul 24 09:05:01 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=124002
Change 124002 by zhouzhouyi at zhouzhouyi_mactest on 2007/07/24 09:04:59
Information leak by means of mount
Affected files ...
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/link/01.t#3 edit
Differences ...
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/link/01.t#3 (text+ko) ====
@@ -16,10 +16,10 @@
sysctl ${i}=0
done
- echo "1..5"
+ echo "1..10"
n0=`namegenshort`
n1=`namegen`
- n2=`namegen`
+ n2=`namegenshort`
mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
@@ -40,22 +40,52 @@
#case 1: mkdir
mactestexpect "" 0 -m "mls/low(low-high)" -f ${mactest_conf} mkdir ${n0} 0755
-#case 2: mdconfig
- mactestexpect "" "[0-9]*" -m "mls/7(low-high)" -f ${mactest_conf} system mdconfig -a -n -t malloc -s 1m
+#case 2: mdconfig, couldn't open /dev/mdctl, BLP prevents write down
+ echo -n "pid = -2 mac_test_check_vnode_open#VREAD VWRITE:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/7(low-high) biba/high,mls/low" >> ${mactest_conf}
+ mactestexpect "*Permission.denied" "" -m "mls/7(low-high)" -f ${mactest_conf} system mdconfig -a -n -t malloc -s 1m
+
+#case 3: mdconfig, successfully open /dev/mdctl
+ echo -n "pid = -2 mac_test_check_vnode_open#VREAD VWRITE:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/low(low-high) biba/high,mls/low" >> ${mactest_conf}
+ mactestexpect "" "*" -m "mls/low(low-high)" -f ${mactest_conf} system mdconfig -a -n -t malloc -s 1m
mdnum=${ret}
-#case 3: newfs
- mactestexpect "" "*" -m "mls/7(low-high)" -f ${mactest_conf} system newfs -i 1 /dev/md${mdnum}
+
+#case 4: newfs, fail for writing, BLP prevents write down
+ echo -n "pid = -2 mac_test_check_vnode_open#VREAD VWRITE:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/7(low-high) biba/high,mls/low" >> ${mactest_conf}
+ mactestexpect "*failed.to.open.disk.for.writing" "*" -m "mls/7(low-high)" -f ${mactest_conf} system newfs -i 1 /dev/md${mdnum}
+
+#case 5: newfs, success
+ echo -n "pid = -2 mac_test_check_vnode_open#VREAD VWRITE:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/low(low-high) biba/high,mls/low" >> ${mactest_conf}
+ mactestexpect "" "*" -m "mls/low(low-high)" -f ${mactest_conf} system newfs -i 1 /dev/md${mdnum}
-#case 4: mount
-# echo ${mdnum}
+#case 6: mount
+ rm ${mactest_conf}
+ touch ${mactest_conf}
mactestexpect "" "" -m "mls/7(low-high)" -f ${mactest_conf} system mount /dev/md${mdnum} ${n0}
- umount ${n0}
+
+#case 7: touch
+ mactestexpect "" "" -m "mls/7(low-high)" -f ${mactest_conf} system touch ${n0}/${n1}
+
+#case 8: umount
+ mactestexpect "" "" -m "mls/7(low-high)" -f ${mactest_conf} system umount ${n0}
+
+#case 9: remount with low label
+ mkdir ${n2}
+ mactestexpect "" "" -m "mls/low(low-high)" -f ${mactest_conf} system mount /dev/md${mdnum} ${n2}
+# umount ${n0}
+#case 10: lookup the previous touched file
+ mactestexpect "" ${n1} -m "mls/low(low-high)" -f ${mactest_conf} system ls ${n2}
+ umount ${n2}
#cleanup:
t=`sysctl security.mac.mls.enabled=0`
echo "disabling mac/mls!"
rm -fr ${n0}
+ rm -fr ${n2}
rm ${mactest_conf}
fi
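Review bot: The cleanup at the end of this hunk never detaches the memory disk that case 3 attaches with `mdconfig -a`, so each run leaves an md device behind that still holds the file created under `mls/7` in case 7; adding `mdconfig -d -u ${mdnum}` after the `umount ${n2}` line would release it. `mdnum=${ret}` is also used unchecked, so if case 3 fails the later `newfs` and `mount` calls presumably receive `/dev/md` with no unit, and a guard on an empty `${mdnum}` right after the assignment would make that failure explicit. Case 10 appears to pass when the name created at `mls/7` is listed by an `mls/low` subject, so a comment such as `# passes while the leak exists: a name created at mls/7 is visible at mls/low after remount` would tell readers that the case records the leak rather than the intended policy. The enclosing `if` block opens outside this hunk.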