git: a95ff5ef7d1f - main - MAC/do: Tests: Add support for exec paths, jail parameters, subjails
Date: Fri, 29 May 2026 16:02:06 UTC
The branch main has been updated by olce:
URL: https://cgit.FreeBSD.org/src/commit/?id=a95ff5ef7d1ffcb701913028253a4700cd9a1459
commit a95ff5ef7d1ffcb701913028253a4700cd9a1459
Author: Olivier Certner <olce@FreeBSD.org>
AuthorDate: 2026-05-22 14:23:31 +0000
Commit: Olivier Certner <olce@FreeBSD.org>
CommitDate: 2026-05-29 15:41:36 +0000
MAC/do: Tests: Add support for exec paths, jail parameters, subjails
And also allow configuration of the mdo(1) executable path.
This commit only contains new or modified infrastructure. No functional
change intended at this point.
Reviewed by: bapt
MFC after: 1 month
Sponsored by: The FreeBSD Foundation
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
---
tests/sys/mac/do/common.sh | 119 +++++++++++++++++++++++++++++++++++++++++----
1 file changed, 110 insertions(+), 9 deletions(-)
diff --git a/tests/sys/mac/do/common.sh b/tests/sys/mac/do/common.sh
index 6c4b138bdac0..4f0e838bbf5f 100644
--- a/tests/sys/mac/do/common.sh
+++ b/tests/sys/mac/do/common.sh
@@ -10,11 +10,79 @@ rules_parameter()
echo "$1".rules
}
+exec_paths_parameter()
+{
+ echo "$1".exec_paths
+}
+
+: ${MDO:=/usr/bin/mdo}
+
+ROOT_KNOB=security.mac.do
+RULES_KNOB=$(rules_parameter ${ROOT_KNOB})
+EXEC_PATHS_KNOB=$(exec_paths_parameter ${ROOT_KNOB})
+PPE_KNOB=${ROOT_KNOB}.print_parse_error
+
+ROOT_JAIL_PARAM=mac.do
+RULES_JAIL_PARAM=$(rules_parameter ${ROOT_JAIL_PARAM})
+EXEC_PATHS_JAIL_PARAM=$(exec_paths_parameter ${ROOT_JAIL_PARAM})
+
+# To be overridden to execute commands in a sub-jail
+JEXEC=
+
+# Exit status: 0 iff disabled
+mac_do_disabled()
+{
+ [ -z "$($JEXEC sysctl -n ${RULES_KNOB})" ] ||
+ [ -z "$($JEXEC sysctl -n ${EXEC_PATHS_KNOB})" ]
+}
+
+mac_do_check_disabled()
+{
+ mac_do_disabled || atf_fail "mac_do(4) expected disabled but is not."
+}
+
+mac_do_ensure_disabled()
+{
+ mac_do_disabled || $JEXEC sysctl ${RULES_KNOB}=""
+}
+
+sysctl_rules()
+{
+ $JEXEC sysctl -n ${RULES_KNOB}
+}
+
+sysctl_exec_paths()
+{
+ $JEXEC sysctl -n ${EXEC_PATHS_KNOB}
+}
+
+# $1 = sysctl func, $2 = expected value
+sysctl_check()
+{
+ local func value
+
+ func=$1
+ value=$2
+ atf_check [ "$($func)" = "$value" ]
+}
+
+# $1 = value
+sysctl_check_rules()
+{
+ local value
-CONF_ROOT_KNOB=security.mac.do
-RULES_KNOB=$(rules_parameter ${CONF_ROOT_KNOB})
-PPE_KNOB=${CONF_ROOT_KNOB}.print_parse_error
+ value=$1
+ sysctl_check sysctl_rules $value
+}
+# $1 = value
+sysctl_check_exec_paths()
+{
+ local value
+
+ value=$1
+ sysctl_check sysctl_exec_paths $value
+}
# $1 = knob name, $2 = value
sysctl_set_and_check()
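Review bot: `sysctl_check_rules` and `sysctl_check_exec_paths` pass `$value` unquoted to `sysctl_check`, unlike every other helper in this file which quotes it; a value containing whitespace or glob characters (plausible for an exec path list) would be word-split or expanded before the comparison. The two call lines should read `sysctl_check sysctl_rules "$value"` and `sysctl_check sysctl_exec_paths "$value"`. Separately, `mac_do_ensure_disabled` only clears `${RULES_KNOB}`, which satisfies `mac_do_disabled` as written but leaves any previously set exec paths in place for the next test; if that is intended, a comment such as `# Clearing the rules alone is enough to disable mac_do(4); exec paths are left as is` would make it explicit. `sysctl_set_and_check` starts on the last line of this hunk and its body lies outside it.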
@@ -23,8 +91,8 @@ sysctl_set_and_check()
knob=$1
value=$2
- atf_check -o ignore sysctl "$knob"="$value"
- atf_check -o inline:"$value\n" sysctl -n "$knob"
+ atf_check -o ignore $JEXEC sysctl "$knob"="$value"
+ atf_check -o inline:"$value\n" $JEXEC sysctl -n "$knob"
}
# $1 = knob name, $2 = value
@@ -35,8 +103,8 @@ sysctl_set_and_check_fails()
knob=$1
value=$2
orig_value=$(sysctl -n "$knob")
- atf_check -s not-exit:0 -o ignore -e ignore sysctl "$knob"="$value"
- atf_check -o inline:"${orig_value}\n" sysctl -n "$knob"
+ atf_check -s not-exit:0 -o ignore -e ignore $JEXEC sysctl "$knob"="$value"
+ atf_check -o inline:"${orig_value}\n" $JEXEC sysctl -n "$knob"
}
# $1 = sysctl function, $2 = value
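Review bot: In `sysctl_set_and_check_fails`, `orig_value` is still read with a bare `sysctl -n "$knob"` while the two checks below it now go through `$JEXEC`; when `JEXEC` points at a subjail, the baseline comes from the parent jail and the final `atf_check -o inline:"${orig_value}\n"` compares the subjail's value against the wrong reference. The line should become `orig_value=$($JEXEC sysctl -n "$knob")`. The function's opening and `local` declarations are outside this hunk.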
@@ -46,9 +114,9 @@ sysctl_set_and_check_rules_common()
func=$1
value=$2
- "$func" ${RULES_KNOB} "$value"
- # Same spec but using the older in-rule separator (':')
+ # Use older in-rule separator (':') first to have final value as specified
"$func" ${RULES_KNOB} "$(echo "$value" | sed 's%>%:%')"
+ "$func" ${RULES_KNOB} "$value"
}
# $1 = value
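Review bot: The new comment says the older in-rule separator is tried "first", but the substitution it describes, `sed 's%>%:%'`, has no `g` flag and therefore rewrites only the first `>` in `$value`; a spec with several rules would be submitted with mixed separators. Whether multi-rule values are exercised here cannot be told from this page, but if they are, `sed 's%>%:%g'` is what the comment implies, and the same pattern is copied into `sysctl_set_and_check_exec_paths_common` in the last hunk. The enclosing function begins before this hunk.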
@@ -69,7 +137,40 @@ sysctl_set_and_check_fails_rules()
sysctl_set_and_check_rules_common sysctl_set_and_check_fails "$value"
}
+# $1 = sysctl function, $2 = value
+sysctl_set_and_check_exec_paths_common()
+{
+ local func value
+
+ func=$1
+ value=$2
+ # Use older in-rule separator (':') first to have final value as specified
+ "$func" ${EXEC_PATHS_KNOB} "$(echo "$value" | sed 's%>%:%')"
+ "$func" ${EXEC_PATHS_KNOB} "$value"
+}
+
+# $1 = value
+sysctl_set_and_check_exec_paths()
+{
+ local value
+
+ value=$1
+ sysctl_set_and_check_exec_paths_common sysctl_set_and_check "$value"
+}
+
+# Create a persistent subjail. Echoes its JID.
+launch_subjail()
+{
+ (
+ set -o pipefail
+ $JEXEC jail -c -J /dev/stdout persist=true |
+ sed -nE 's%^.*jid=([0-9]+).*$%\1%p'
+ ) || atf_fail "Cannot create a subjail (check children limits?)"
+}
+
atf_require_prog sysctl
+atf_require_prog jail
+atf_require_prog sed
# Do not pollute kernel logs with parse errors
sysctl $PPE_KNOB=0 >/dev/null 2>&1
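Review bot: `launch_subjail` cannot detect the case where `jail -c` succeeds but the `jid=` pattern is not found: `sed -n` exits 0 with no output, `pipefail` does not trigger, and the caller receives an empty string as the JID with exit status 0, so any later `jexec`/`jail -r` built from it would target nothing or fail confusingly. Capturing the output into a local and failing when it is empty closes that gap; the rewrite below keeps the same pipeline and failure message. I also see no counterpart that removes the `persist=true` jail, so unless a cleanup helper exists elsewhere, a failed test run leaves subjails behind across runs; a note such as `# Caller is responsible for removing the jail (jail -r) in cleanup` on the function would at least document the contract.
```shell
launch_subjail()
{
	local jid

	jid=$(
		set -o pipefail
		$JEXEC jail -c -J /dev/stdout persist=true |
		sed -nE 's%^.*jid=([0-9]+).*$%\1%p'
	) || atf_fail "Cannot create a subjail (check children limits?)"
	# sed exits 0 even when nothing matched; an empty JID is a failure too.
	[ -n "$jid" ] || atf_fail "Cannot determine the JID of the new subjail"
	echo "$jid"
}
```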