PERFORCE change 124002 for review

Zhouyi ZHOU zhouzhouyi at FreeBSD.org
Tue Jul 24 09:05:01 UTC 2007 

http://perforce.freebsd.org/chv.cgi?CH=124002

Change 124002 by zhouzhouyi at zhouzhouyi_mactest on 2007/07/24 09:04:59

	Information leak by means of mount

Affected files ...

.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/link/01.t#3 edit

Differences ...

==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/link/01.t#3 (text+ko) ====

@@ -16,10 +16,10 @@
 	  sysctl ${i}=0
 	done
 
-	echo "1..5"
+	echo "1..10"
         n0=`namegenshort`
         n1=`namegen`
-        n2=`namegen`
+        n2=`namegenshort`
        
 	mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
 	mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
@@ -40,22 +40,52 @@
 #case 1: mkdir
 	mactestexpect ""  0  -m "mls/low(low-high)"  -f ${mactest_conf} mkdir ${n0}  0755
 
-#case 2: mdconfig
-        mactestexpect "" "[0-9]*" -m "mls/7(low-high)" -f ${mactest_conf} system mdconfig -a -n -t malloc -s 1m
+#case 2: mdconfig, couldn't open /dev/mdctl, BLP prevents write down
+	echo -n "pid = -2 mac_test_check_vnode_open#VREAD VWRITE:" > ${mactest_conf}
+	echo "biba/high(low-high),mls/7(low-high) biba/high,mls/low" >> ${mactest_conf}
+        mactestexpect "*Permission.denied" "" -m "mls/7(low-high)" -f ${mactest_conf} system mdconfig -a -n -t malloc -s 1m
+
+#case 3: mdconfig, successfully open /dev/mdctl
+	echo -n "pid = -2 mac_test_check_vnode_open#VREAD VWRITE:" > ${mactest_conf}
+	echo "biba/high(low-high),mls/low(low-high) biba/high,mls/low" >> ${mactest_conf}
+        mactestexpect "" "*" -m "mls/low(low-high)" -f ${mactest_conf} system mdconfig -a -n -t malloc -s 1m
 	mdnum=${ret}
-#case 3: newfs
-	mactestexpect "" "*" -m "mls/7(low-high)" -f ${mactest_conf} system newfs -i 1 /dev/md${mdnum} 
+
+#case 4: newfs, fail for writing, BLP prevents write down
+	echo -n "pid = -2 mac_test_check_vnode_open#VREAD VWRITE:" > ${mactest_conf}
+	echo "biba/high(low-high),mls/7(low-high) biba/high,mls/low" >> ${mactest_conf}
+	mactestexpect "*failed.to.open.disk.for.writing" "*" -m "mls/7(low-high)" -f ${mactest_conf} system newfs -i 1 /dev/md${mdnum} 
+
+#case 5: newfs, success
+	echo -n "pid = -2 mac_test_check_vnode_open#VREAD VWRITE:" > ${mactest_conf}
+	echo "biba/high(low-high),mls/low(low-high) biba/high,mls/low" >> ${mactest_conf}
+	mactestexpect "" "*" -m "mls/low(low-high)" -f ${mactest_conf} system newfs -i 1 /dev/md${mdnum} 
 
-#case 4: mount	
-#	echo ${mdnum}
+#case 6: mount	
+	rm ${mactest_conf}
+	touch ${mactest_conf}
         mactestexpect "" "" -m "mls/7(low-high)" -f ${mactest_conf} system mount /dev/md${mdnum} ${n0}
-	umount ${n0}
+
+#case 7: touch
+        mactestexpect "" "" -m "mls/7(low-high)" -f ${mactest_conf} system touch ${n0}/${n1}
+	
+#case 8: umount
+        mactestexpect "" "" -m "mls/7(low-high)" -f ${mactest_conf} system umount ${n0}
+
 
+#case 9: remount with low label
+	mkdir ${n2}
+        mactestexpect "" "" -m "mls/low(low-high)" -f ${mactest_conf} system mount /dev/md${mdnum} ${n2}
+#	umount ${n0}
 
+#case 10: lookup the previous touched file
+	mactestexpect "" ${n1} -m "mls/low(low-high)" -f ${mactest_conf} system ls ${n2}
+	umount ${n2}
 #cleanup:
 	t=`sysctl security.mac.mls.enabled=0`
 	echo "disabling mac/mls!"
 	rm -fr ${n0}
+	rm -fr ${n2}
 	rm ${mactest_conf}
 	fi

More information about the p4-projects mailing list