PERFORCE change 132373 for review
Zhouyi ZHOU
zhouzhouyi at FreeBSD.org
Wed Jan 2 22:37:39 PST 2008
http://perforce.freebsd.org/chv.cgi?CH=132373
Change 132373 by zhouzhouyi at zhouzhouyi_mactest on 2008/01/03 06:36:44
style modification
Affected files ...
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/open/02.t#5 edit
Differences ...
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/open/02.t#5 (text+ko) ====
@@ -1,80 +1,91 @@
#!/bin/sh
-# $FreeBSD: src/tools/regression/mactest/tests/open/02.t,v 1.1 2007/06/04 01:42:08 zhouzhouyi Exp $
+# $FreeBSD$
-desc="open opens (and eventually creates) a file, checking the effects of MAC enforcement"
+desc="open opens (and eventually creates) a file"
-
-
dir=`dirname $0`
. ${dir}/../misc.sh
-echo "1..7"
+case "${os}" in
+FreeBSD)
+
+ mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
+ mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
+ mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
-n0=`namegen`
-n1=`namegen`
+ if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
+ [ "${mac_test_support}" != "" ]; then
#turn off all the switches
-for i in `sysctl security.mac | grep "\.enabled"|
- sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
-sysctl ${i}=0
-done
+ for i in `sysctl security.mac | grep "\.enabled"|
+ sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
+ sysctl ${i}=0 >/dev/null
+ done
+
+
+ if [ -f ${mactest_conf} ]; then
+ rm ${mactest_conf}
+ fi
+ touch ${mactest_conf}
+ setfmac "mls/equal,biba/equal" ${mactest_conf}
+
+ echo "1..7"
+
+ n0=`namegen`
+ n1=`namegen`
+
-mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
-#following test case is to show, when subject's effective mls level does not dominate
-#object's effective mls level, a ESRCH is returned when signaling
-if [ "${mac_mls_support}" != "" ] ; then
+ dvplabel=`getfmac ".."| sed 's/\(\.\.:\ \)\([a-z\,\/]*\)/\2/`;
- dvplabel=`getfmac "."| sed 's/\(\.:\ \)\([a-z\,\/]*\)/\2/`
-
+ sysctl security.mac.mls.enabled=1 > /dev/null
+#case 1 unsucessful create
#examine the label of its parent directory
- echo -n "pid = -1 mac_test_check_vnode_lookup:" > ${mactest_conf}
- echo "biba/high(low-high),mls/10(low-high) ${dvplabel}" >> ${mactest_conf}
+ echo -n "pid = -1 vnode_check_lookup:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/10(low-high) ${dvplabel}" >> ${mactest_conf}
#check the label of its parent directory
- echo -n "pid = -1 mac_test_check_vnode_create:" >> ${mactest_conf}
- echo "biba/high(low-high),mls/10(low-high) ${dvplabel}" >> ${mactest_conf}
+ echo -n "pid = -1 vnode_check_create:" >> ${mactest_conf}
+ echo "biba/high(low-high),mls/10(low-high) ${dvplabel}" >> ${mactest_conf}
#since the mac_mls forbid the vnode create, there are no vnode label initialization
-#and vnode extattr creating.
+#BLP: no write down
+ mactestexpect "" EACCES -m "mls/10(low-high)" -f ${mactest_conf} mkdir ${n1} 0755
+ truncate -s 0 ${mactest_conf}
- t=`sysctl security.mac.mls.enabled=1`
- echo "enforcing mac/mls!"
-
-#BLP: no write down
- mactestexpect "" EACCES -m "mls/10(low-high)" -f ${mactest_conf} mkdir ${n1} 0755
-
- rm ${mactest_conf}
- touch ${mactest_conf}
#the mac hook checking is already done in previous test cases!
- mactestexpect "" 0 -m ${dvplabel} -f ${mactest_conf} mkdir ${n1} 0755
- mactestexpect "" "" -m ${dvplabel} -f ${mactest_conf} system setfmac "mls/10" ${n1}
+#case 2 create the directory
+ mactestexpect "" 0 -m ${dvplabel} -f ${mactest_conf} mkdir ${n1} 0755
+#case 3 label the directory
+ mactestexpect "" "" -m ${dvplabel} -f ${mactest_conf} system setfmac "mls/10" ${n1}
-#BLP: no read high
- echo -n "pid = -1 mac_test_check_vnode_open#VREAD:" > ${mactest_conf}
- echo "biba/high(low-high),mls/low(low-high) biba/high,mls/10" >> ${mactest_conf}
- mactestexpect "" EACCES -m ${dvplabel} -f ${mactest_conf} open ${n1} O_RDONLY
+#case 4 BLP: no read high
+ echo -n "pid = -1 vnode_check_open#VREAD:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/low(low-high) biba/high,mls/10" >> ${mactest_conf}
+ mactestexpect "" EACCES -m ${dvplabel} -f ${mactest_conf} open ${n1} O_RDONLY
+#case 5
#there will be mac_check_vnode_stat in setfmac
- echo -n "pid = -2 mac_test_check_vnode_stat:" > ${mactest_conf}
- echo "biba/high(low-high),mls/low(low-high) NULL biba/high,mls/10" >> ${mactest_conf}
- mactestexpect "setfmac:.traversing.${n1}:.Permission.denied" "" -m ${dvplabel} -f ${mactest_conf} system setfmac "mls/low" ${n1}
+ echo -n "pid = -2 vnode_check_stat:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/low(low-high) biba/high,mls/10" >> ${mactest_conf}
+ mactestexpect "setfmac:.traversing.${n1}:.Permission.denied" "" -m ${dvplabel} -f ${mactest_conf} system setfmac "mls/low" ${n1}
-#relabel the vnode to mls/low
- rm ${mactest_conf}
- touch ${mactest_conf}
- mactestexpect "" "" -m mls/10 -f ${mactest_conf} system setfmac "mls/low" ${n1}
+#case 6 relabel the vnode to mls/low
+ truncate -s 0 ${mactest_conf}
+ mactestexpect "" "" -m mls/10 -f ${mactest_conf} system setfmac "mls/low" ${n1}
+#case 7 BLP: ok read low
+ mactestexpect "" 0 -m mls/10 -f ${mactest_conf} open ${n1} O_RDONLY
-#BLP: ok read low
- mactestexpect "" 0 -m mls/10 -f ${mactest_conf} open ${n1} O_RDONLY
-
-
- t=`sysctl security.mac.mls.enabled=0`
- echo "disabling mac/mls!"
-
#cleanup:
-# cd ..
- rm -fr ${n1}
- rm ${mactest_conf}
-
-fi
+ sysctl security.mac.mls.enabled=0 >/dev/null
+ sysctl security.mac.biba.enabled=0 > /dev/null
+ cd ..
+ rm -fr ${n1}
+ rm ${mactest_conf}
+#mac_mls mac_biba and mac_test support
+ fi
+ ;;
+*)
+ quick_exit
+ ;;
+esac
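Review bot: The loop that writes `=0` to every `security.mac.*.enabled` switch (just before the `mactest_conf` setup) never records the previous values, and the cleanup at the end only forces mls and biba to 0. A host that had MAC policies enforcing is therefore left with all of them off after the test, and also when the script stops partway. Capturing the `name=value` pairs first and restoring them from an exit trap would return the machine to its original enforcement state, and the two explicit `sysctl ...enabled=0` lines in cleanup would then be unnecessary. Separately, cleanup now runs `cd ..` before `rm -fr ${n1}` and `rm ${mactest_conf}`; unless misc.sh (not visible here) has changed into a work directory, relative paths would resolve in the parent directory, so this is worth confirming and the expansions are worth quoting.

```sh
    # remember every policy switch before zeroing it; restore on any exit
    saved_mac=`sysctl security.mac | grep "\.enabled" | sed 's/: /=/'`
    restore_mac() {
        for kv in ${saved_mac}; do
            sysctl "${kv}" >/dev/null
        done
    }
    trap restore_mac EXIT
    for kv in ${saved_mac}; do
        sysctl "${kv%%=*}=0" >/dev/null
    done
    # … unchanged: mactest_conf setup and cases 1-7 …
    # cleanup: the exit trap replaces the explicit mls/biba "enabled=0" lines
```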