svn commit: r292845 - stable/10/tools/regression/mac/mac_portacl

Garrett Cooper ngie at FreeBSD.org
Mon Dec 28 23:32:29 UTC 2015


Author: ngie
Date: Mon Dec 28 23:32:27 2015
New Revision: 292845
URL: https://svnweb.freebsd.org/changeset/base/292845

Log:
  MFC r292569:
  
  Make the mac_portacl testcases work / more robust
  
  - A trap(1) call has been added to the test scripts so that the
    tests do a better job of restoring the test host state at the
    end of the tests (previously, an interrupted test would leave
    the system in an odd state, potentially making the test results
    for subsequent runs non-deterministic).
  - Add root user checks
  - Fix nc(1) usage:
    -- -o is deprecated
    -- Using `-w 10` will make the call timeout after 10 seconds so it
       doesn't block indefinitely
  - Use local variables
  - Be more terse in the error messages
  - Parameterize out "127.0.0.1"
  
  Sponsored by: EMC / Isilon Storage Division

Modified:
  stable/10/tools/regression/mac/mac_portacl/misc.sh
  stable/10/tools/regression/mac/mac_portacl/nobody.t
  stable/10/tools/regression/mac/mac_portacl/root.t
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/tools/regression/mac/mac_portacl/misc.sh
==============================================================================
--- stable/10/tools/regression/mac/mac_portacl/misc.sh	Mon Dec 28 23:05:13 2015	(r292844)
+++ stable/10/tools/regression/mac/mac_portacl/misc.sh	Mon Dec 28 23:32:27 2015	(r292845)
@@ -6,10 +6,18 @@ if [ $? -ne 0 ]; then
 	echo "1..0 # SKIP MAC_PORTACL is unavailable."
 	exit 0
 fi
+if [ $(id -u) -ne 0 ]; then
+	echo "1..0 # SKIP testcases must be run as root"
+	exit 0
+fi
 
 ntest=1
 
 check_bind() {
+	local host idtype name proto port udpflag
+
+	host="127.0.0.1"
+
 	idtype=${1}
 	name=${2}
 	proto=${3}
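Review bot: The new `local` list in check_bind leaves out `out`, which the function assigns a few lines further down, and the matching list added to bind_test (the hunk at `@@ -46,6 +54,8 @@`) leaves out both `out` and `idstr`. bind_test is called directly from the .t scripts, so those two names still land in the global scope there, which is at odds with the log's "Use local variables". I would extend the declarations to `local host idtype name proto port udpflag out` and `local expect_without_rule expect_with_rule idtype name proto port out idstr`. check_bind's body continues outside this hunk.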
@@ -17,10 +25,10 @@ check_bind() {
 
 	[ "${proto}" = "udp" ] && udpflag="-u"
 
-	out=`(
+	out=$(
 		case "${idtype}" in
 		uid|gid)
-			( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 127.0.0.1 $port" 2>&1 ) &
+			( echo -n | su -m ${name} -c "nc ${udpflag} -l -w 10 $host $port" 2>&1 ) &
 			;;
 		jail)
 			kill $$
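Review bot: `-w 10` on the listening side (`nc ${udpflag} -l -w 10 $host $port`) may not bound the wait the way the log message expects, because the OpenBSD-derived nc(1) manual states that -w has no effect together with -l and the listener waits for a peer regardless. If the client started after `sleep 0.3` in the next hunk fails to connect, for example because the `su` child has not bound yet, the `wait` there could still block the whole test. This should be confirmed against the nc(1) shipped on stable/10. If it holds, I would at least record it above the listener with `# NOTE: nc(1) documents -w as having no effect with -l; this listener only exits once the client below connects`. The enclosing `case` and function run past both ends of this hunk.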
@@ -29,9 +37,9 @@ check_bind() {
 			kill $$
 		esac
 		sleep 0.3
-		echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1
+		echo | nc ${udpflag} -w 10 $host $port >/dev/null 2>&1
 		wait
-	)`
+	)
 	case "${out}" in
 	"nc: Permission denied"*|"nc: Operation not permitted"*)
 		echo fl
@@ -46,6 +54,8 @@ check_bind() {
 }
 
 bind_test() {
+	local expect_without_rule expect_with_rule idtype name proto port
+
 	expect_without_rule=${1}
 	expect_with_rule=${2}
 	idtype=${3}
@@ -54,40 +64,40 @@ bind_test() {
 	port=${6}
 
 	sysctl security.mac.portacl.rules= >/dev/null
-	out=`check_bind ${idtype} ${name} ${proto} ${port}`
+	out=$(check_bind ${idtype} ${name} ${proto} ${port})
 	if [ "${out}" = "${expect_without_rule}" ]; then
 		echo "ok ${ntest}"
 	elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
-		echo "not ok ${ntest}"
+		echo "not ok ${ntest} # '${out}' != '${expect_without_rule}'"
 	else
-		echo "not ok ${ntest} # ${out}"
+		echo "not ok ${ntest} # unexpected output: '${out}'"
 	fi
-	ntest=$((ntest+1))
+	: $(( ntest += 1 ))
 
 	if [ "${idtype}" = "uid" ]; then
-		idstr=`id -u ${name}`
+		idstr=$(id -u ${name})
 	elif [ "${idtype}" = "gid" ]; then
-		idstr=`id -g ${name}`
+		idstr=$(id -g ${name})
 	else
 		idstr=${name}
 	fi
 	sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null
-	out=`check_bind ${idtype} ${name} ${proto} ${port}`
+	out=$(check_bind ${idtype} ${name} ${proto} ${port})
 	if [ "${out}" = "${expect_with_rule}" ]; then
 		echo "ok ${ntest}"
 	elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
-		echo "not ok ${ntest}"
+		echo "not ok ${ntest} # '${out}' != '${expect_with_rule}'"
 	else
-		echo "not ok ${ntest} # ${out}"
+		echo "not ok ${ntest} # unexpected output: '${out}'"
 	fi
-	ntest=$((ntest+1))
+	: $(( ntest += 1 ))
 
 	sysctl security.mac.portacl.rules= >/dev/null
 }
 
-reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh`
-suser_exempt=`sysctl -n security.mac.portacl.suser_exempt`
-port_high=`sysctl -n security.mac.portacl.port_high`
+reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
+suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
+port_high=$(sysctl -n security.mac.portacl.port_high)
 
 restore_settings() {
 	sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null
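Review bot: bind_test still clears `security.mac.portacl.rules` on entry and exit, and the values saved just below it cover only reservedhigh, suser_exempt and port_high, so a rule set already configured on the host is wiped by the first test and, as far as this hunk shows, never put back. Since the commit's aim is to leave the host as it was found, I would save it with the others, `saved_rules=$(sysctl -n security.mac.portacl.rules)`, and restore it in restore_settings with `sysctl security.mac.portacl.rules="${saved_rules}" >/dev/null`. restore_settings continues past the end of this hunk, so it may already handle this. If it does not, an interrupted run would also leave the test rule `${idtype}:${idstr}:${proto}:${port}` active.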

Modified: stable/10/tools/regression/mac/mac_portacl/nobody.t
==============================================================================
--- stable/10/tools/regression/mac/mac_portacl/nobody.t	Mon Dec 28 23:05:13 2015	(r292844)
+++ stable/10/tools/regression/mac/mac_portacl/nobody.t	Mon Dec 28 23:32:27 2015	(r292845)
@@ -10,6 +10,8 @@ echo "1..64"
 # behaviour.
 # mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.
 
+trap restore_settings EXIT INT TERM
+
 sysctl security.mac.portacl.suser_exempt=1 >/dev/null
 sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null
 
@@ -63,5 +65,3 @@ bind_test fl ok gid nobody tcp 77
 bind_test ok ok gid nobody tcp 7777
 bind_test fl ok gid nobody udp 77
 bind_test ok ok gid nobody udp 7777
-
-restore_settings

Modified: stable/10/tools/regression/mac/mac_portacl/root.t
==============================================================================
--- stable/10/tools/regression/mac/mac_portacl/root.t	Mon Dec 28 23:05:13 2015	(r292844)
+++ stable/10/tools/regression/mac/mac_portacl/root.t	Mon Dec 28 23:32:27 2015	(r292845)
@@ -8,6 +8,8 @@ echo "1..48"
 
 # Verify if security.mac.portacl.suser_exempt=1 really exempts super-user.
 
+trap restore_settings EXIT INT TERM
+
 sysctl security.mac.portacl.suser_exempt=1 >/dev/null
 
 bind_test ok ok uid root tcp 77
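Review bot: `trap restore_settings EXIT INT TERM` runs the handler on INT or TERM but does not end the script, because in sh execution resumes once a signal trap's action returns. After an interrupt the remaining bind_test calls would keep running against the restored sysctl values, and restore_settings would run a second time at exit. The same line is added to nobody.t. I would split it into `trap restore_settings EXIT` and `trap 'exit 1' INT TERM`, so an interrupt stops the run and cleanup happens once through the EXIT trap.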
@@ -47,5 +49,3 @@ bind_test fl ok gid root tcp 77
 bind_test fl ok gid root tcp 7777
 bind_test fl ok gid root udp 77
 bind_test fl ok gid root udp 7777
-
-restore_settings

