PERFORCE change 129682 for review
Zhouyi ZHOU
zhouzhouyi at FreeBSD.org
Tue Nov 27 23:00:58 PST 2007
http://perforce.freebsd.org/chv.cgi?CH=129682
Change 129682 by zhouzhouyi at zhouzhouyi_mactest on 2007/11/28 07:00:06
modify sysv semaphore test for mandatory access control
Affected files ...
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/posix_sem.c#2 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/sysvsem/00.t#2 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#15 edit
Differences ...
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/posix_sem.c#2 (text+ko) ====
@@ -34,7 +34,7 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $FreeBSD
+ * $FreeBSD$
*/
#include <semaphore.h>
#include <unistd.h>
@@ -50,7 +50,7 @@
sem_t *sem;
int val;
-int logfd;
+
const char *macconf_file = NULL;
const char *creator_label = NULL;
const char *write_label = NULL;
@@ -109,7 +109,7 @@
if (sigaction(SIGSYS, &sa, NULL) == -1)
err(1, "sigaction SIGSYS");
- logfd = open("/dev/mactest", O_RDWR);
+ logfd = open(LOGDEV, O_RDWR);
ioctl(logfd, BEGINLOG, NULL);
switch ((child_pid = fork())) {
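Review bot: The result of the changed `logfd = open(LOGDEV, O_RDWR);` is passed straight to `ioctl(logfd, BEGINLOG, NULL)` without a check for -1, so a missing or unopenable log device leaves the test running with logging silently off (the ioctl fails with EBADF and its return value is discarded too). Adding `if (logfd == -1) err(1, "open %s", LOGDEV);` right after the open, in the same style as the `err(1, "sigaction SIGSYS")` two lines above, would make that failure visible; this assumes LOGDEV is a string path like the `"/dev/mactest"` literal it replaces. The earlier hunk in this file drops the file-scope `int logfd;` while this line still assigns it, so logfd is presumably now declared by whatever header defines LOGDEV — worth confirming that header is included, since that is outside the diff. The enclosing function starts and ends outside the hunk.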
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/sysvsem/00.t#2 (text+ko) ====
@@ -1,75 +1,75 @@
#!/bin/sh
-# $FreeBSD: src/tools/regression/mactest/tests/sysvsem/00.t,v 1.2 2007/01/25 20:50:02 zhouzhouyi Exp $
+# $FreeBSD$
-desc="manipulate sysv share memory"
+desc="manipulate sysv semaphore"
dir=`dirname $0`
. ${dir}/../misc.sh
-echo "1..4"
+case "${os}" in
+FreeBSD)
-#turn off all the switches
-for i in `sysctl security.mac | grep "\.enabled"|
- sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
-sysctl ${i}=0
-done
+ mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
+ mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
+ mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
-mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
-mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
-mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
+ if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
+ [ "${mac_test_support}" != "" ]; then
+#turn off all the switches
+ for i in `sysctl security.mac | grep "\.enabled"|
+ sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
+ sysctl ${i}=0 >/dev/null
+ done
-if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
- [ "${mac_test_support}" != "" ] ; then
+ if [ -f ${mactest_conf} ]; then
+ rm ${mactest_conf}
+ fi
+ touch ${mactest_conf}
+ setfmac "mls/equal,biba/equal" ${mactest_conf}
-
-
- if [ -f ${mactest_conf} ]; then
- rm ${mactest_conf}
- fi
- touch ${mactest_conf}
+ echo "1..4"
#############################################################
- t=`sysctl security.mac.mls.enabled=1`
- echo "enforcing mac/mls!"
- t=`sysctl security.mac.biba.enabled=1`
- echo "enforcing mac/biba!"
- t=`sysctl security.mac.mls.revocation_enabled=1`
- t=`sysctl security.mac.biba.revocation_enabled=1`
- echo "enabling revoking"
-#option -c creator's label, option -u undo label
+ sysctl security.mac.mls.enabled=1 >/dev/null
+ sysctl security.mac.biba.enabled=1 > /dev/null
+#semtest option -c creator's label, option -u undo label
#option -s ipc_stat label, -e ipc_set label -f macconf_file
#case 1: check mls no ipc_stat high, will be intercepted by semget at the first place instead
#of semctl
- echo -n "pid = -2 mac_test_check_sysv_semget with cr_label and semaklabel:" > ${mactest_conf}
- echo "biba/high(low-high),mls/4(low-high) biba/high,mls/5" >> ${mactest_conf}
- bizarretestexpect ${semtest} "semtest:.ipc.stat:.semget:.Permission.denied" "" -c "mls/5" -s "mls/4" \
- -u "mls/5" -e "mls/5" -f ${mactest_conf}
+ echo -n "pid = -2 sysvsem_check_semget:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/4(low-high) biba/high,mls/5" >> ${mactest_conf}
+ bizarretestexpect ${semtest} "semtest:.ipc.stat:.semget:.Permission.denied" "" -c "mls/5" -s "mls/4" \
+ -u "mls/5" -e "mls/5" -f ${mactest_conf}
+
#case 2: biba no ipc_stat low
- truncate -s 0 ${mactest_conf}
- bizarretestexpect ${semtest} "semtest:.ipc.stat:.semget:.Permission.denied" "" -c "biba/5" -s "biba/6" \
- -u "biba/5" -e "biba/5" -f ${mactest_conf}
+ truncate -s 0 ${mactest_conf}
+ bizarretestexpect ${semtest} "semtest:.ipc.stat:.semget:.Permission.denied" "" -c "biba/5" -s "biba/6" \
+ -u "biba/5" -e "biba/5" -f ${mactest_conf}
+
#case 3: check mls no write down by means of semop UNDO
- echo -n "pid = -2 mac_test_check_sysv_semop#SEM_A:" > ${mactest_conf}
- echo "biba/high(low-high),mls/6(low-high) biba/high,mls/5" >> ${mactest_conf}
- bizarretestexpect ${semtest} "*semop.\-1:.Permission.denied" "" -c "mls/5" -s "mls/5" \
- -u "mls/6" -e "mls/5" -f ${mactest_conf}
+ echo -n "pid = -2 sysvsem_check_semop#SEM_A:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/6(low-high) biba/high,mls/5" >> ${mactest_conf}
+ bizarretestexpect ${semtest} "*semop.\-1:.Permission.denied" "" -c "mls/5" -s "mls/5" \
+ -u "mls/6" -e "mls/5" -f ${mactest_conf}
+
#case 4: biba no write high by means of semop UNDO
- truncate -s 0 ${mactest_conf}
- bizarretestexpect ${semtest} "*semop.\-1:.Permission.denied" "" -c "biba/5" -s "biba/5" \
- -u "biba/4" -e "biba/5" -f ${mactest_conf}
-
-
+ truncate -s 0 ${mactest_conf}
+ bizarretestexpect ${semtest} "*semop.\-1:.Permission.denied" "" -c "biba/5" -s "biba/5" \
+ -u "biba/4" -e "biba/5" -f ${mactest_conf}
#cleanup:
- t=`sysctl security.mac.mls.enabled=0`
- echo "disabling mac/mls!"
- t=`sysctl security.mac.biba.enabled=0`
- echo "disabling mac/biba!"
+ sysctl security.mac.mls.enabled=0 >/dev/null
+ sysctl security.mac.biba.enabled=0 > /dev/null
+ rm ${mactest_conf}
+ fi
+ ;;
+*)
+ quick_exit
+ ;;
+esac
- rm ${mactest_conf}
-fi
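Review bot: The `if` that guards the whole `FreeBSD)` branch has no `else`, so on a FreeBSD host where any of the three sysctls is unavailable the script exits without printing a TAP plan or calling `quick_exit`, unlike the `*)` branch; inserting `else` / `quick_exit` before the `fi` that closes it would make the skip explicit. The new `setfmac "mls/equal,biba/equal" ${mactest_conf}` and the `sysctl security.mac.mls.enabled=1 >/dev/null` / `sysctl security.mac.biba.enabled=1 > /dev/null` lines discard their exit status, so a failure to label the conf file or to enable a policy would let the four cases run and report misleading results; `setfmac "mls/equal,biba/equal" ${mactest_conf} || quick_exit` is a cheap guard. `${mactest_conf}` is also expanded unquoted in the `rm`, `touch`, `-f` and `echo >` lines; quoting it as `"${mactest_conf}"` avoids word splitting should the path from misc.sh ever contain whitespace.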
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/sys/security/mac_test/mac_test.c#15 (text+ko) ====
@@ -2222,6 +2222,10 @@
LOG_DECL
LABEL_CHECK(cred->cr_label, MAGIC_CRED);
LABEL_CHECK(semaklabel, MAGIC_SYSV_SEM);
+ if (accesstype & SEM_A)
+ APPEND_FLAG("SEM_A");
+ if (accesstype & SEM_R)
+ APPEND_FLAG("SEM_R");
COUNTER_INC(sysvsem_check_semop);
return (0);
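Review bot: The two new `if` statements guard `APPEND_FLAG(...)` without braces; if APPEND_FLAG expands to more than one statement and is not wrapped in `do { ... } while (0)` (its definition is outside this diff), only the first statement would be conditional, so `if (accesstype & SEM_A) { APPEND_FLAG("SEM_A"); }` and the matching braced form for SEM_R is the safer style. An accesstype with neither bit set appends no flag at all, which the `#SEM_A` suffix expected by the 00.t hunk suggests is intentional; a short comment such as `/* semop is checked with SEM_A (alter) and/or SEM_R (read); log each bit that is set */` above the first `if` would record that. The enclosing check function starts outside the hunk.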