To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Olivier Certner
Subject: git: a05c4fb24bc9 - stable/15 - MAC/do: Add basic tests on setting rules
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: olce
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: a05c4fb24bc9a8454b2b695b6f53142d5f8d07a1
Auto-Submitted: auto-generated
Date: Thu, 21 May 2026 19:30:54 +0000
Message-Id: <6a0f5d6e.39b83.4f06a525@gitrepo.freebsd.org>

The branch stable/15 has been updated by olce:

URL: https://cgit.FreeBSD.org/src/commit/?id=a05c4fb24bc9a8454b2b695b6f53142d5f8d07a1

commit a05c4fb24bc9a8454b2b695b6f53142d5f8d07a1
Author:     Olivier Certner
AuthorDate: 2026-05-21 13:34:14 +0000
Commit:     Olivier Certner
CommitDate: 2026-05-21 19:30:20 +0000

    MAC/do: Add basic tests on setting rules

    MFC after:      1 minute
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit cba191e291c17b32247e12d6f94dcde56994bfe6)
---
 tests/sys/mac/Makefile              |   1 +
 tests/sys/mac/do/Makefile           |  14 ++++
 tests/sys/mac/do/common.sh          |  72 +++++++++++++++++++
 tests/sys/mac/do/invalid_configs.sh |  86 +++++++++++++++++++++++
 tests/sys/mac/do/valid_configs.sh   | 135 ++++++++++++++++++++++++++++++++++++
 5 files changed, 308 insertions(+)

diff --git a/tests/sys/mac/Makefile b/tests/sys/mac/Makefile index 3447d00122f5..9858b09b5f1d 100644 --- a/tests/sys/mac/Makefile +++ b/tests/sys/mac/Makefile @@ -1,6 +1,7 @@ TESTSDIR= ${TESTSBASE}/sys/mac TESTS_SUBDIRS+= bsdextended +TESTS_SUBDIRS+= do TESTS_SUBDIRS+= ipacl TESTS_SUBDIRS+= portacl
diff --git a/tests/sys/mac/do/Makefile b/tests/sys/mac/do/Makefile new file mode 100644 index 000000000000..980067ea56e6 --- /dev/null +++ b/tests/sys/mac/do/Makefile @@ -0,0 +1,14 @@ +PACKAGE= tests + +TESTSDIR= ${TESTSBASE}/sys/mac/do + +ATF_TESTS_SH+= valid_configs invalid_configs + +${PACKAGE}FILES+= common.sh + +TEST_METADATA+= execenv="jail" +TEST_METADATA+= required_kmods="mac_do" +TEST_METADATA+= required_user="root" +TEST_METADATA+= required_programs="sysctl" + +.include diff --git a/tests/sys/mac/do/common.sh b/tests/sys/mac/do/common.sh new file mode 100644 index 000000000000..88529adcc1f3 --- /dev/null +++ b/tests/sys/mac/do/common.sh 
@@ -0,0 +1,72 @@ +# +# Copyright (c) 2026, The FreeBSD Foundation +# +# This software was developed by Olivier Certner at +# Kumacom SARL under sponsorship from the FreeBSD Foundation. + +rules_parameter() +{ + echo "$1".rules +} + + +CONF_ROOT_KNOB=security.mac.do +RULES_KNOB=$(rules_parameter ${CONF_ROOT_KNOB}) +PPE_KNOB=${CONF_ROOT_KNOB}.print_parse_error + + +# $1 = knob name, $2 = value +sysctl_set_and_check() +{ + local knob value + + knob=$1 + value=$2 + atf_check -o ignore sysctl "$knob"="$value" + atf_check -o inline:"$value\n" sysctl -n "$knob" +} + +# $1 = knob name, $2 = value +sysctl_set_and_check_fails() +{ + local knob value orig_value + + knob=$1 + value=$2 + orig_value=$(sysctl -n "$knob") + atf_check -s not-exit:0 -o ignore -e ignore sysctl "$knob"="$value" + atf_check -o inline:"${orig_value}\n" sysctl -n "$knob" +} + +# $1 = sysctl function, $2 = value +sysctl_set_and_check_rules_common() +{ + local func value + + func=$1 + value=$2 + "$func" ${RULES_KNOB} "$value" + # Same spec but using the older in-rule separator (':') + "$func" ${RULES_KNOB} "$(echo "$value" | sed 's%>%:%')" +} + +# $1 = value +sysctl_set_and_check_rules() +{ + local value + + value=$1 + sysctl_set_and_check_rules_common sysctl_set_and_check "$value" +} + +# $1 = value +sysctl_set_and_check_fails_rules() +{ + local value + + value=$1 + sysctl_set_and_check_rules_common sysctl_set_and_check_fails "$value" +} + +# Do not pollute kernel logs with parse errors +sysctl $PPE_KNOB=0 >/dev/null 2>&1 diff --git a/tests/sys/mac/do/invalid_configs.sh b/tests/sys/mac/do/invalid_configs.sh new file mode 100644 index 000000000000..f24309cb2f3b --- /dev/null +++ b/tests/sys/mac/do/invalid_configs.sh 
@@ -0,0 +1,86 @@ +#!/usr/bin/env atf-sh +# +# Copyright (c) 2026, The FreeBSD Foundation +# +# This software was developed by Olivier Certner at +# Kumacom SARL under sponsorship from the FreeBSD Foundation. + +atf_test_case rule_no_target_part +rule_no_target_part_head() +{ + atf_set descr "Missing target part in a rule" +} +rule_no_target_part_body() +{ + sysctl_set_and_check_fails_rules "uid=0>" + sysctl_set_and_check_fails_rules "gid=0>" + sysctl_set_and_check_fails_rules "uid=0" + sysctl_set_and_check_fails_rules "gid=0" +} + +atf_test_case rule_no_match_part +rule_no_match_part_head() +{ + atf_set descr "Missing match part in a rule" +} +rule_no_match_part_body() +{ + sysctl_set_and_check_fails_rules ">uid=0" + sysctl_set_and_check_fails_rules ">gid=0" +} + +atf_test_case rule_space_between_flag_and_gid_fail +rule_space_between_flag_and_gid_fail_head() +{ + atf_set descr "No space allowed between flag and GID" +} +rule_space_between_flag_and_gid_fail_body() +{ + sysctl_set_and_check_fails_rules "uid=1001>uid=0,gid=0,+ gid=0" +} + +atf_test_case rule_user_names_fail +rule_user_names_fail_head() +{ + atf_set descr "Reject user names (only numerical IDs supported)" +} +rule_user_names_fail_body() +{ + sysctl_set_and_check_fails_rules "uid=user>uid=0" + sysctl_set_and_check_fails_rules "uid=1001>uid=root" +} + +atf_test_case rule_group_names_fail +rule_group_names_fail_head() +{ + atf_set descr "Reject group names (only numerical IDs supported)" +} +rule_group_names_fail_body() +{ + sysctl_set_and_check_fails_rules "gid=group>gid=0" + sysctl_set_and_check_fails_rules "gid=1001>gid=root" + sysctl_set_and_check_fails_rules "gid=1001>gid=0,+gid=operator" +} + +atf_test_case rules_wrong_separator +rules_wrong_separator_head() +{ + atf_set descr "Wrong rules separator" +} +rules_wrong_separator_body() +{ + sysctl_set_and_check_fails_rules "uid=1001>gid=0:gid=1001>gid=5" +} + + +atf_init_test_cases() +{ + . 
$(atf_get_srcdir)/common.sh + + atf_add_test_case rule_no_target_part + atf_add_test_case rule_no_match_part + atf_add_test_case rule_space_between_flag_and_gid_fail + atf_add_test_case rule_user_names_fail + atf_add_test_case rule_group_names_fail + atf_add_test_case rules_wrong_separator +} diff --git a/tests/sys/mac/do/valid_configs.sh b/tests/sys/mac/do/valid_configs.sh new file mode 100644 index 000000000000..bd5b53b5d5d8 --- /dev/null +++ b/tests/sys/mac/do/valid_configs.sh 
@@ -0,0 +1,135 @@ +#!/usr/bin/env atf-sh +# +# Copyright (c) 2026, The FreeBSD Foundation +# +# This software was developed by Olivier Certner at +# Kumacom SARL under sponsorship from the FreeBSD Foundation. + +atf_test_case rule_uid_to_any +rule_uid_to_any_head() +{ + atf_set descr "Single \"to any\" rule" +} +rule_uid_to_any_body() +{ + sysctl_set_and_check_rules "uid=1001>any" + sysctl_set_and_check_rules "gid=1001>any" +} + +atf_test_case rule_uid_to_uid +rule_uid_to_uid_head() +{ + atf_set descr "Single \"to UID\" rule" +} +rule_uid_to_uid_body() +{ + sysctl_set_and_check_rules "uid=1001>uid=0" + sysctl_set_and_check_rules "gid=1001>uid=0" +} + +atf_test_case rule_uid_to_uid_any +rule_uid_to_uid_any_head() +{ + atf_set descr "Single \"to UID any\" rule" +} +rule_uid_to_uid_any_body() +{ + sysctl_set_and_check_rules "uid=1001>uid=any" + sysctl_set_and_check_rules "gid=1001>uid=any" +} + +atf_test_case rule_uid_to_uid_star +rule_uid_to_uid_star_head() +{ + atf_set descr "Single \"to any (with '*')\" rule" +} +rule_uid_to_uid_star_body() +{ + sysctl_set_and_check_rules "uid=1001>uid=*" + sysctl_set_and_check_rules "gid=1001>uid=*" +} + +atf_test_case rule_uid_to_uid_gid +rule_uid_to_uid_gid_head() +{ + atf_set descr "Single \"to UID and GID\" rule" +} +rule_uid_to_uid_gid_body() +{ + sysctl_set_and_check_rules "uid=1001>uid=0,gid=0" + sysctl_set_and_check_rules "gid=1001>uid=0,gid=0" +} + +atf_test_case rule_uid_to_uid_gid_optional_sgid +rule_uid_to_uid_gid_optional_sgid_head() +{ + atf_set descr "Single \"to UID, GID and \ +optional supplementary group rule\" rule" +} +rule_uid_to_uid_gid_optional_sgid_body() +{ + sysctl_set_and_check_rules "uid=1001>uid=0,gid=0,+gid=0" + sysctl_set_and_check_rules "gid=1001>uid=0,gid=0,+gid=0" +} + +atf_test_case rule_uid_to_uid_gid_mandatory_sgid +rule_uid_to_uid_gid_mandatory_sgid_head() +{ + atf_set descr "Single \"to UID, GID and \ +mandatory supplementary group\" rule" +} +rule_uid_to_uid_gid_mandatory_sgid_body() +{ + 
sysctl_set_and_check_rules "uid=1001>uid=0,gid=0,!gid=0" + sysctl_set_and_check_rules "gid=1001>uid=0,gid=0,!gid=0" +} + +atf_test_case rule_uid_to_uid_gid_excluded_sgid +rule_uid_to_uid_gid_excluded_sgid_head() +{ + atf_set descr "Single \"to UID, GID and excluded supplementary group\" rule" +} +rule_uid_to_uid_gid_excluded_sgid_body() +{ + sysctl_set_and_check_rules "uid=1001>uid=0,gid=0,-gid=0" + sysctl_set_and_check_rules "gid=1001>uid=0,gid=0,-gid=0" +} + +atf_test_case rules_uid_to_uid +rules_uid_to_uid_head() +{ + atf_set descr "Multiple \"to UID\" rules" +} +rules_uid_to_uid_body() { + sysctl_set_and_check_rules \ + "uid=1001>uid=0;uid=1001>uid=0,gid=0,!gid=0,+gid=5;gid=1001>gid=5" +} + +atf_test_case rules_uid_to_uid_with_spaces +rules_uid_to_uid_with_spaces_head() +{ + atf_set descr "Multiple \"to UID\" rules with extra spaces" +} +rules_uid_to_uid_with_spaces_body() +{ + sysctl_set_and_check_rules \ + "uid=1001 > uid=0; uid=1001>uid=0, gid = 0, !gid =0,+gid =5; \ +gid= 1001 >gid =5" +} + + +atf_init_test_cases() +{ + . $(atf_get_srcdir)/common.sh + + atf_add_test_case rule_uid_to_any + atf_add_test_case rule_uid_to_uid + atf_add_test_case rule_uid_to_uid_any + atf_add_test_case rule_uid_to_uid_star + atf_add_test_case rule_uid_to_uid_gid + atf_add_test_case rule_uid_to_uid_gid_optional_sgid + atf_add_test_case rule_uid_to_uid_gid_mandatory_sgid + atf_add_test_case rule_uid_to_uid_gid_excluded_sgid + atf_add_test_case rules_uid_to_uid + atf_add_test_case rules_uid_to_uid_with_spaces +}
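Review bot: in the common.sh hunk, `sysctl_set_and_check_rules_common` derives the second spec with `sed 's%>%:%'`, which has no `g` flag and so rewrites only the first `>`; for the multi-rule specs in valid_configs.sh (`rules_uid_to_uid`, `rules_uid_to_uid_with_spaces`) that second pass submits a string mixing `:` and `>` rather than the "same spec but using the older in-rule separator" the comment announces. Use `sed 's%>%:%g'` if every rule is meant to use the old separator, or state in the comment that mixed separators are intended to be accepted. Separately, the trailing `sysctl $PPE_KNOB=0 >/dev/null 2>&1` runs every time common.sh is sourced, and both test programs source it from `atf_init_test_cases`, so it also fires when the program is merely listed (in whatever environment does the listing, outside the `execenv="jail"` sandbox), and nothing ever restores `security.mac.do.print_parse_error`; moving the write into the test bodies, or saving the old value and restoring it in a cleanup, would keep that side effect scoped to an actual run.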
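Review bot: in the invalid_configs.sh hunk, `rule_no_target_part` passes `uid=0` and `gid=0`, which contain no `>`, so the helper's `:` pass submits exactly the same string a second time; and for `rules_wrong_separator` that pass yields `uid=1001:gid=0:gid=1001>gid=5`, where rejection may come from the mixed in-rule separators rather than from the wrong rule separator the case is named for. For specs where the `>`/`:` doubling adds nothing or blurs the reason for rejection, calling `sysctl_set_and_check_fails ${RULES_KNOB} "..."` directly would make each case assert one thing.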
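Review bot: in the valid_configs.sh hunk, `rules_uid_to_uid_body() {` puts the opening brace on the function line, unlike every other function in these two files; please match the surrounding style. Also, because `sysctl_set_and_check` compares `sysctl -n` output byte-for-byte with the value written, `rules_uid_to_uid_with_spaces` is asserting that the kernel hands back the raw rules string, extra spaces included, rather than a normalized form; a short comment saying that this is the intended contract would stop a later change that canonicalizes stored rules from being mistaken for a parsing regression.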