diff --git a/tests/regression/subdomain/Makefile b/tests/regression/subdomain/Makefile index 626c0a5ed..ef4ede639 100644 --- a/tests/regression/subdomain/Makefile +++ b/tests/regression/subdomain/Makefile @@ -26,6 +26,9 @@ SRC=access.c \ exec.c \ exec_qual.c \ exec_qual2.c \ + fchgrp.c \ + fchmod.c \ + fchown.c \ fork.c \ link.c \ mmap.c \ diff --git a/tests/regression/subdomain/chgrp.c b/tests/regression/subdomain/chgrp.c index 9376acd25..7a4197720 100644 --- a/tests/regression/subdomain/chgrp.c +++ b/tests/regression/subdomain/chgrp.c @@ -19,24 +19,23 @@ int main(int argc, char *argv[]) { -gid_t gid; + gid_t gid; - if (argc != 3){ + if (argc != 3) { fprintf(stderr, "usage: %s file groupname|gid\n", argv[0]); return 1; } - if (sscanf(argv[2], "%d", &gid) != 1){ + if (sscanf(argv[2], "%d", &gid) != 1) { fprintf(stderr, "FAIL: bad gid %s\n", argv[2]); return 1; } - if (chown(argv[1], -1, gid) == -1){ + if (chown(argv[1], -1, gid) == -1) { fprintf(stderr, "FAIL: chgrp %s %d failed - %s\n", - argv[1], gid, - strerror(errno)); + argv[1], gid, strerror(errno)); return 1; } diff --git a/tests/regression/subdomain/chmod.c b/tests/regression/subdomain/chmod.c index 4b008443c..32c5bd371 100644 --- a/tests/regression/subdomain/chmod.c +++ b/tests/regression/subdomain/chmod.c @@ -14,29 +14,27 @@ #include #include #include -#include #include #include int main(int argc, char *argv[]) { -mode_t mode; + mode_t mode; - if (argc != 3){ + if (argc != 3) { fprintf(stderr, "usage: %s file mode\n", argv[0]); return 1; } - if (sscanf(argv[2], "%o", &mode) != 1){ + if (sscanf(argv[2], "%o", &mode) != 1) { fprintf(stderr, "FAIL: bad mode %s\n", argv[2]); return 1; } - if (chmod(argv[1], mode) == -1){ - fprintf(stderr, "FAIL: chmod %s %o failed - %s\n", - argv[1], mode, - strerror(errno)); + if (chmod(argv[1], mode) == -1) { + fprintf(stderr, "FAIL: fchmod %s %o failed - %s\n", + argv[1], mode, strerror(errno)); return 1; } diff --git a/tests/regression/subdomain/chown.c b/tests/regression/subdomain/chown.c index bb99cdd44..44938f81d 100644 --- a/tests/regression/subdomain/chown.c +++ b/tests/regression/subdomain/chown.c @@ -19,23 +19,22 @@ int main(int argc, char *argv[]) { -uid_t uid; + uid_t uid; - if (argc != 3){ + if (argc != 3) { fprintf(stderr, "usage: %s file username|uid\n", argv[0]); return 1; } - if (sscanf(argv[2], "%d", &uid) != 1){ + if (sscanf(argv[2], "%d", &uid) != 1) { fprintf(stderr, "FAIL: bad uid %s\n", argv[2]); return 1; } - if (chown(argv[1], uid, -1) == -1){ + if (chown(argv[1], uid, -1) == -1) { fprintf(stderr, "FAIL: chown %s %d failed - %s\n", - argv[1], uid, - strerror(errno)); + argv[1], uid, strerror(errno)); return 1; } diff --git a/tests/regression/subdomain/fchgrp.c b/tests/regression/subdomain/fchgrp.c new file mode 100644 index 000000000..042a7195c --- /dev/null +++ b/tests/regression/subdomain/fchgrp.c @@ -0,0 +1,54 @@ +/* $Id$ */ + +/* + * Copyright (C) 2002-2007 Novell/SUSE + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char *argv[]) +{ + gid_t gid; + int fd; + + if (argc != 3) { + fprintf(stderr, "usage: %s file groupname|gid\n", + argv[0]); + return 1; + } + + + if (sscanf(argv[2], "%d", &gid) != 1) { + fprintf(stderr, "FAIL: bad gid %s\n", argv[2]); + return 1; + } + + fd = open(argv[1], O_RDONLY); + if (fd == -1) { + fprintf(stderr, "FAIL: open %s failed - %s\n", + argv[1], strerror(errno)); + perror("FAIL: open"); + return 1; + } + + if (fchown(fd, -1, gid) == -1) { + fprintf(stderr, "FAIL: fchgrp %s %d failed - %s\n", + argv[1], gid, strerror(errno)); + return 1; + } + + printf("PASS\n"); + + return 0; +} diff --git a/tests/regression/subdomain/fchmod.c b/tests/regression/subdomain/fchmod.c new file mode 100644 index 000000000..8d34bfc00 --- /dev/null +++ b/tests/regression/subdomain/fchmod.c @@ -0,0 +1,50 @@ +/* $Id$ */ + +/* + * Copyright (C) 2007 Novell/SUSE + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#include +#include +#include +#include +#include +#include + +int main(int argc, char *argv[]) +{ + mode_t mode; + int fd; + + if (argc != 3) { + fprintf(stderr, "usage: %s file mode\n", argv[0]); + return 1; + } + + if (sscanf(argv[2], "%o", &mode) != 1) { + fprintf(stderr, "FAIL: bad mode %s\n", argv[2]); + return 1; + } + + fd = open(argv[1], O_RDONLY); + if (fd == -1) { + fprintf(stderr, "FAIL: open %s failed - %s\n", + argv[1], strerror(errno)); + perror("FAIL: open"); + return 1; + } + + if (fchmod(fd, mode) == -1) { + fprintf(stderr, "FAIL: fchmod %s %o failed - %s\n", + argv[1], mode, strerror(errno)); + return 1; + } + + printf("PASS\n"); + return 0; +} diff --git a/tests/regression/subdomain/fchown.c b/tests/regression/subdomain/fchown.c new file mode 100644 index 000000000..d7ebd2682 --- /dev/null +++ b/tests/regression/subdomain/fchown.c @@ -0,0 +1,53 @@ +/* $Id$ */ + +/* + * Copyright (C) 2002-2005 Novell/SUSE + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char *argv[]) +{ + uid_t uid; + int fd; + + if (argc != 3) { + fprintf(stderr, "usage: %s file username|uid\n", + argv[0]); + return 1; + } + + if (sscanf(argv[2], "%d", &uid) != 1) { + fprintf(stderr, "FAIL: bad uid %s\n", argv[2]); + return 1; + } + + fd = open(argv[1], O_RDONLY); + if (fd == -1) { + fprintf(stderr, "FAIL: open %s failed - %s\n", + argv[1], strerror(errno)); + perror("FAIL: open"); + return 1; + } + + if (fchown(fd, uid, -1) == -1) { + fprintf(stderr, "FAIL: chown %s %d failed - %s\n", + argv[1], uid, strerror(errno)); + return 1; + } + + printf("PASS\n"); + + return 0; +} diff --git a/tests/regression/subdomain/open.sh b/tests/regression/subdomain/open.sh index 4111fda80..388dd8bbc 100755 --- a/tests/regression/subdomain/open.sh +++ b/tests/regression/subdomain/open.sh @@ -46,6 +46,10 @@ genprofile $file:$badperm2 runchecktest "OPEN W" fail $file # FAILURE TEST (3) +genprofile $file:$badperm1 cap:dac_override +runchecktest "OPEN R+dac_override" fail $file + +# FAILURE TEST (4) # This is testing for bug: https://bugs.wirex.com/show_bug.cgi?id=2885 # When we open O_CREAT|O_RDWR, we are (were?) allowing only write access # to be required. diff --git a/tests/regression/subdomain/setattr.sh b/tests/regression/subdomain/setattr.sh index a987ff3a9..84f6d74a4 100644 --- a/tests/regression/subdomain/setattr.sh +++ b/tests/regression/subdomain/setattr.sh @@ -9,28 +9,36 @@ # License. #=NAME setattr -#=DESCRIPTION -# Write permission is required in a confined processes profile in order to -# change the mode (chmod, chgrp, chown) of a file. This test verifies these -# system calls for unconfined and confined processes. +#=DESCRIPTION +# Write permission is required in a confined processes profile in order to +# change the mode (chmod, chgrp, chown) of a file. This test verifies these +# system calls for unconfined and confined processes. It also includes +# the fxxx version of the tests. #=END checkfile() { -_file=$1 -_str=$2 -_newfileperm=$3 -_newuser=$4 -_newgroup=$5 + _file=$1 + _str=$2 + _newfileperm=$3 + _newuser=$4 + _newgroup=$5 -set -- `ls -l $_file` + set -- `ls -l $_file` -if [ $1 != "$_newfileperm" -o $3 != $_newuser -o $4 != $_newgroup ] -then - echo "Error: ($_str)" - echo "Error: ls -l $file output does not look correct" - echo "Error: saw: $1/$3/$4 expected: $_newfileperm/$_newuser/$_newgroup" -fi + if [ $1 != "$_newfileperm" -o $3 != $_newuser -o $4 != $_newgroup ] + then + echo "Error: ($_str)" + echo "Error: ls -l $file output does not look correct" + echo "Error: saw: $1/$3/$4 expected: $_newfileperm/$_newuser/$_newgroup" + fi +} + +resettest() +{ + rm -f $file + touch $file + chmod $origfileperm $file } pwd=`dirname $0` @@ -49,8 +57,8 @@ pwfiles="/etc/passwd:r /etc/group:r" origfileperm=644 origfilepermstr="-rw-r--r--" -newfileperm=000 -newfilepermstr="----------" +newfileperm=400 +newfilepermstr="-r--------" origuser=`id -un` newuser=nobody newuid=$(awk -F: "/^${newuser}:/ {print \$3}" /etc/passwd) @@ -68,60 +76,131 @@ newgid=$(awk -F: "/^${newgroup}:/ {print \$3}" /etc/group) #echo newuser=${newuser} newuid=${newuid} #echo newgroup=${newgroup} newgid=${newgid} -touch $file -chmod $origfileperm $file -# NOTE on the ordering of tests: XFS requires the FOWNER capability +# NOTE on the ordering of tests: XFS requires the FOWNER capability # to chgrp a file that you are not the owner of; linux's vfs layer will # allow you to do it if you are in the group of the file without FOWNER. # Therefore, we should do the chgrp test BEFORE changing the owner of # the file. # PASS TEST (UNCONSTRAINED) +resettest settest chmod runchecktest "CHMOD (unconstrained)" pass $file $newfileperm + settest chgrp runchecktest "CHGRP (unconstrained)" pass $file $newgid + settest chown runchecktest "CHOWN (unconstrained)" pass $file $newuid checkfile $file "unconstrained" $newfilepermstr $newuser $newgroup +# PASS TEST (UNCONSTRAINED w/FOPS) +resettest + +settest fchmod +runchecktest "FCHMOD (unconstrained)" pass $file $newfileperm + +settest fchgrp +runchecktest "FCHGRP (unconstrained)" pass $file $newgid + +settest fchown +runchecktest "FCHOWN (unconstrained)" pass $file $newuid + +checkfile $file "unconstrained" $newfilepermstr $newuser $newgroup + # PASS TEST (CONSTRAINED) -rm -f $file -touch $file -chmod $origfileperm $file +resettest settest chmod genprofile $file:$okperm -runchecktest "CHMOD (constrained $okperm)" pass $file 000 +runchecktest "CHMOD (constrained $okperm)" pass $file $newfileperm settest chgrp -genprofile $file:$okperm $pwfiles capability:chown +genprofile $file:$okperm $pwfiles cap:chown runchecktest "CHGRP (constrained $okperm)" pass $file $newgid settest chown -genprofile $file:$okperm $pwfiles capability:chown +genprofile $file:$okperm $pwfiles cap:chown runchecktest "CHOWN (constrained $okperm)" pass $file $newuid checkfile $file "constrained $okperm" $newfilepermstr $newuser $newgroup +# PASS TEST (CONSTRAINED w/FOPS) +resettest + +settest fchmod +genprofile $file:$okperm +runchecktest "FCHMOD (constrained $okperm)" pass $file $newfileperm + +settest fchgrp +genprofile $file:$okperm $pwfiles cap:chown +runchecktest "FCHGRP (constrained $okperm)" pass $file $newgid + +settest fchown +genprofile $file:$okperm $pwfiles cap:chown +runchecktest "FCHOWN (constrained $okperm)" pass $file $newuid + +checkfile $file "constrained $okperm" $newfilepermstr $newuser $newgroup + # FAIL TEST (CONSTRAINED) -rm -f $file -touch $file -chmod $origfileperm $file +resettest settest chmod genprofile $file:$badperm $pwfiles -runchecktest "CHMOD (constrained $badperm)" fail $file 000 +runchecktest "CHMOD (constrained $badperm)" fail $file $newfileperm settest chgrp -genprofile $file:$badperm $pwfiles +genprofile $file:$badperm $pwfiles cap:chown runchecktest "CHGRP (constrained $badperm)" fail $file $newgid settest chown -genprofile $file:$badperm $pwfiles +genprofile $file:$badperm $pwfiles cap:chown runchecktest "CHOWN (constrained $badperm)" fail $file $newuid checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup + +# FAIL TEST (CONSTRAINED/LACKING CAPS) +resettest + +settest chgrp +genprofile $file:$okperm $pwfiles +runchecktest "CHGRP (constrained $okperm/no capabilities)" fail $file $newgid + +settest chown +genprofile $file:$okperm $pwfiles +runchecktest "CHOWN (constrained $okperm/no capabilities)" fail $file $newuid + +checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup + +# FAIL TEST (CONSTRAINED w/FOPS) +resettest + +settest fchmod +genprofile $file:$badperm $pwfiles +runchecktest "FCHMOD (constrained $badperm)" fail $file $newfileperm + +settest fchgrp +genprofile $file:$badperm $pwfiles cap:chown +runchecktest "FCHGRP (constrained $badperm)" fail $file $newgid + +settest fchown +genprofile $file:$badperm $pwfiles cap:chown +runchecktest "FCHOWN (constrained $badperm)" fail $file $newuid + +checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup + +# FAIL TEST (CONSTRAINED w/FOPS/LACKING CAPS) +resettest + +settest fchgrp +genprofile $file:$okperm $pwfiles +runchecktest "FCHGRP (constrained $okperm/no capabilities)" fail $file $newgid + +settest fchown +genprofile $file:$okperm $pwfiles +runchecktest "FCHOWN (constrained $okperm/no capabilities)" fail $file $newuid + +checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup