mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-30 05:47:59 +00:00
Code Issues Releases Wiki Activity

Add testcases for fchmod/fchown and clean up some formatting in the

Browse Source 
original chmod/chown tests.
This commit is contained in:
Steve Beattie 2007-03-08 00:09:47 +00:00
parent ad542aba23
commit 23f05801f6
9 changed files with 292 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
tests/regression/subdomain/Makefile
View File

@ -26,6 +26,9 @@ SRC=access.c \
exec.c \ exec.c \
exec_qual.c \ exec_qual.c \
exec_qual2.c \ exec_qual2.c \
fchgrp.c \
fchmod.c \
fchown.c \
fork.c \ fork.c \
link.c \ link.c \
mmap.c \ mmap.c \

11
tests/regression/subdomain/chgrp.c
View File

@ -19,24 +19,23 @@
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
gid_t gid; gid_t gid;
if (argc != 3){ if (argc != 3) {
fprintf(stderr, "usage: %s file groupname|gid\n", fprintf(stderr, "usage: %s file groupname|gid\n",
argv[0]); argv[0]);
return 1; return 1;
} }
if (sscanf(argv[2], "%d", &gid) != 1){ if (sscanf(argv[2], "%d", &gid) != 1) {
fprintf(stderr, "FAIL: bad gid %s\n", argv[2]); fprintf(stderr, "FAIL: bad gid %s\n", argv[2]);
return 1; return 1;
} }
if (chown(argv[1], -1, gid) == -1){ if (chown(argv[1], -1, gid) == -1) {
fprintf(stderr, "FAIL: chgrp %s %d failed - %s\n", fprintf(stderr, "FAIL: chgrp %s %d failed - %s\n",
argv[1], gid, argv[1], gid, strerror(errno));
strerror(errno));
return 1; return 1;
} }

14
tests/regression/subdomain/chmod.c
View File

@ -14,29 +14,27 @@
#include <errno.h> #include <errno.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/stat.h>
#include <fcntl.h> #include <fcntl.h>
#include <string.h> #include <string.h>
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
mode_t mode; mode_t mode;
if (argc != 3){ if (argc != 3) {
fprintf(stderr, "usage: %s file mode\n", fprintf(stderr, "usage: %s file mode\n",
argv[0]); argv[0]);
return 1; return 1;
} }
if (sscanf(argv[2], "%o", &mode) != 1){ if (sscanf(argv[2], "%o", &mode) != 1) {
fprintf(stderr, "FAIL: bad mode %s\n", argv[2]); fprintf(stderr, "FAIL: bad mode %s\n", argv[2]);
return 1; return 1;
} }
if (chmod(argv[1], mode) == -1){ if (chmod(argv[1], mode) == -1) {
fprintf(stderr, "FAIL: chmod %s %o failed - %s\n", fprintf(stderr, "FAIL: fchmod %s %o failed - %s\n",
argv[1], mode, argv[1], mode, strerror(errno));
strerror(errno));
return 1; return 1;
} }

11
tests/regression/subdomain/chown.c
View File

@ -19,23 +19,22 @@
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
uid_t uid; uid_t uid;
if (argc != 3){ if (argc != 3) {
fprintf(stderr, "usage: %s file username|uid\n", fprintf(stderr, "usage: %s file username|uid\n",
argv[0]); argv[0]);
return 1; return 1;
} }
if (sscanf(argv[2], "%d", &uid) != 1){ if (sscanf(argv[2], "%d", &uid) != 1) {
fprintf(stderr, "FAIL: bad uid %s\n", argv[2]); fprintf(stderr, "FAIL: bad uid %s\n", argv[2]);
return 1; return 1;
} }
if (chown(argv[1], uid, -1) == -1){ if (chown(argv[1], uid, -1) == -1) {
fprintf(stderr, "FAIL: chown %s %d failed - %s\n", fprintf(stderr, "FAIL: chown %s %d failed - %s\n",
argv[1], uid, argv[1], uid, strerror(errno));
strerror(errno));
return 1; return 1;
} }

54
tests/regression/subdomain/fchgrp.c Normal file
View File

@ -0,0 +1,54 @@
/* $Id$ */
/*
* Copyright (C) 2002-2007 Novell/SUSE
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
int main(int argc, char *argv[])
{
gid_t gid;
int fd;
if (argc != 3) {
fprintf(stderr, "usage: %s file groupname|gid\n",
argv[0]);
return 1;
}
if (sscanf(argv[2], "%d", &gid) != 1) {
fprintf(stderr, "FAIL: bad gid %s\n", argv[2]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd == -1) {
fprintf(stderr, "FAIL: open %s failed - %s\n",
argv[1], strerror(errno));
perror("FAIL: open");
return 1;
}
if (fchown(fd, -1, gid) == -1) {
fprintf(stderr, "FAIL: fchgrp %s %d failed - %s\n",
argv[1], gid, strerror(errno));
return 1;
}
printf("PASS\n");
return 0;
}

50
tests/regression/subdomain/fchmod.c Normal file
View File

@ -0,0 +1,50 @@
/* $Id$ */
/*
* Copyright (C) 2007 Novell/SUSE
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
int main(int argc, char *argv[])
{
mode_t mode;
int fd;
if (argc != 3) {
fprintf(stderr, "usage: %s file mode\n", argv[0]);
return 1;
}
if (sscanf(argv[2], "%o", &mode) != 1) {
fprintf(stderr, "FAIL: bad mode %s\n", argv[2]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd == -1) {
fprintf(stderr, "FAIL: open %s failed - %s\n",
argv[1], strerror(errno));
perror("FAIL: open");
return 1;
}
if (fchmod(fd, mode) == -1) {
fprintf(stderr, "FAIL: fchmod %s %o failed - %s\n",
argv[1], mode, strerror(errno));
return 1;
}
printf("PASS\n");
return 0;
}

53
tests/regression/subdomain/fchown.c Normal file
View File

@ -0,0 +1,53 @@
/* $Id$ */
/*
* Copyright (C) 2002-2005 Novell/SUSE
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
int main(int argc, char *argv[])
{
uid_t uid;
int fd;
if (argc != 3) {
fprintf(stderr, "usage: %s file username|uid\n",
argv[0]);
return 1;
}
if (sscanf(argv[2], "%d", &uid) != 1) {
fprintf(stderr, "FAIL: bad uid %s\n", argv[2]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd == -1) {
fprintf(stderr, "FAIL: open %s failed - %s\n",
argv[1], strerror(errno));
perror("FAIL: open");
return 1;
}
if (fchown(fd, uid, -1) == -1) {
fprintf(stderr, "FAIL: chown %s %d failed - %s\n",
argv[1], uid, strerror(errno));
return 1;
}
printf("PASS\n");
return 0;
}

4
tests/regression/subdomain/open.sh
View File

@ -46,6 +46,10 @@ genprofile $file:$badperm2
runchecktest "OPEN W" fail $file runchecktest "OPEN W" fail $file
# FAILURE TEST (3) # FAILURE TEST (3)
genprofile $file:$badperm1 cap:dac_override
runchecktest "OPEN R+dac_override" fail $file
# FAILURE TEST (4)
# This is testing for bug: https://bugs.wirex.com/show_bug.cgi?id=2885 # This is testing for bug: https://bugs.wirex.com/show_bug.cgi?id=2885
# When we open O_CREAT|O_RDWR, we are (were?) allowing only write access # When we open O_CREAT|O_RDWR, we are (were?) allowing only write access
# to be required. # to be required.

145
tests/regression/subdomain/setattr.sh
View File

@ -9,28 +9,36 @@
# License. # License.
#=NAME setattr #=NAME setattr
#=DESCRIPTION #=DESCRIPTION
# Write permission is required in a confined processes profile in order to # Write permission is required in a confined processes profile in order to
# change the mode (chmod, chgrp, chown) of a file. This test verifies these # change the mode (chmod, chgrp, chown) of a file. This test verifies these
# system calls for unconfined and confined processes. # system calls for unconfined and confined processes. It also includes
# the fxxx version of the tests.
#=END #=END
checkfile() checkfile()
{ {
_file=$1 _file=$1
_str=$2 _str=$2
_newfileperm=$3 _newfileperm=$3
_newuser=$4 _newuser=$4
_newgroup=$5 _newgroup=$5
set -- `ls -l $_file` set -- `ls -l $_file`
if [ $1 != "$_newfileperm" -o $3 != $_newuser -o $4 != $_newgroup ] if [ $1 != "$_newfileperm" -o $3 != $_newuser -o $4 != $_newgroup ]
then then
echo "Error: ($_str)" echo "Error: ($_str)"
echo "Error: ls -l $file output does not look correct" echo "Error: ls -l $file output does not look correct"
echo "Error: saw: $1/$3/$4 expected: $_newfileperm/$_newuser/$_newgroup" echo "Error: saw: $1/$3/$4 expected: $_newfileperm/$_newuser/$_newgroup"
fi fi
}
resettest()
{
rm -f $file
touch $file
chmod $origfileperm $file
} }
pwd=`dirname $0` pwd=`dirname $0`
@ -49,8 +57,8 @@ pwfiles="/etc/passwd:r /etc/group:r"
origfileperm=644 origfileperm=644
origfilepermstr="-rw-r--r--" origfilepermstr="-rw-r--r--"
newfileperm=000 newfileperm=400
newfilepermstr="----------" newfilepermstr="-r--------"
origuser=`id -un` origuser=`id -un`
newuser=nobody newuser=nobody
newuid=$(awk -F: "/^${newuser}:/ {print \$3}" /etc/passwd) newuid=$(awk -F: "/^${newuser}:/ {print \$3}" /etc/passwd)
@ -68,60 +76,131 @@ newgid=$(awk -F: "/^${newgroup}:/ {print \$3}" /etc/group)
#echo newuser=${newuser} newuid=${newuid} #echo newuser=${newuser} newuid=${newuid}
#echo newgroup=${newgroup} newgid=${newgid} #echo newgroup=${newgroup} newgid=${newgid}
touch $file
chmod $origfileperm $file
# NOTE on the ordering of tests: XFS requires the FOWNER capability # NOTE on the ordering of tests: XFS requires the FOWNER capability
# to chgrp a file that you are not the owner of; linux's vfs layer will # to chgrp a file that you are not the owner of; linux's vfs layer will
# allow you to do it if you are in the group of the file without FOWNER. # allow you to do it if you are in the group of the file without FOWNER.
# Therefore, we should do the chgrp test BEFORE changing the owner of # Therefore, we should do the chgrp test BEFORE changing the owner of
# the file. # the file.
# PASS TEST (UNCONSTRAINED) # PASS TEST (UNCONSTRAINED)
resettest
settest chmod settest chmod
runchecktest "CHMOD (unconstrained)" pass $file $newfileperm runchecktest "CHMOD (unconstrained)" pass $file $newfileperm
settest chgrp settest chgrp
runchecktest "CHGRP (unconstrained)" pass $file $newgid runchecktest "CHGRP (unconstrained)" pass $file $newgid
settest chown settest chown
runchecktest "CHOWN (unconstrained)" pass $file $newuid runchecktest "CHOWN (unconstrained)" pass $file $newuid
checkfile $file "unconstrained" $newfilepermstr $newuser $newgroup checkfile $file "unconstrained" $newfilepermstr $newuser $newgroup
# PASS TEST (UNCONSTRAINED w/FOPS)
resettest
settest fchmod
runchecktest "FCHMOD (unconstrained)" pass $file $newfileperm
settest fchgrp
runchecktest "FCHGRP (unconstrained)" pass $file $newgid
settest fchown
runchecktest "FCHOWN (unconstrained)" pass $file $newuid
checkfile $file "unconstrained" $newfilepermstr $newuser $newgroup
# PASS TEST (CONSTRAINED) # PASS TEST (CONSTRAINED)
rm -f $file resettest
touch $file
chmod $origfileperm $file
settest chmod settest chmod
genprofile $file:$okperm genprofile $file:$okperm
runchecktest "CHMOD (constrained $okperm)" pass $file 000 runchecktest "CHMOD (constrained $okperm)" pass $file $newfileperm
settest chgrp settest chgrp
genprofile $file:$okperm $pwfiles capability:chown genprofile $file:$okperm $pwfiles cap:chown
runchecktest "CHGRP (constrained $okperm)" pass $file $newgid runchecktest "CHGRP (constrained $okperm)" pass $file $newgid
settest chown settest chown
genprofile $file:$okperm $pwfiles capability:chown genprofile $file:$okperm $pwfiles cap:chown
runchecktest "CHOWN (constrained $okperm)" pass $file $newuid runchecktest "CHOWN (constrained $okperm)" pass $file $newuid
checkfile $file "constrained $okperm" $newfilepermstr $newuser $newgroup checkfile $file "constrained $okperm" $newfilepermstr $newuser $newgroup
# PASS TEST (CONSTRAINED w/FOPS)
resettest
settest fchmod
genprofile $file:$okperm
runchecktest "FCHMOD (constrained $okperm)" pass $file $newfileperm
settest fchgrp
genprofile $file:$okperm $pwfiles cap:chown
runchecktest "FCHGRP (constrained $okperm)" pass $file $newgid
settest fchown
genprofile $file:$okperm $pwfiles cap:chown
runchecktest "FCHOWN (constrained $okperm)" pass $file $newuid
checkfile $file "constrained $okperm" $newfilepermstr $newuser $newgroup
# FAIL TEST (CONSTRAINED) # FAIL TEST (CONSTRAINED)
rm -f $file resettest
touch $file
chmod $origfileperm $file
settest chmod settest chmod
genprofile $file:$badperm $pwfiles genprofile $file:$badperm $pwfiles
runchecktest "CHMOD (constrained $badperm)" fail $file 000 runchecktest "CHMOD (constrained $badperm)" fail $file $newfileperm
settest chgrp settest chgrp
genprofile $file:$badperm $pwfiles genprofile $file:$badperm $pwfiles cap:chown
runchecktest "CHGRP (constrained $badperm)" fail $file $newgid runchecktest "CHGRP (constrained $badperm)" fail $file $newgid
settest chown settest chown
genprofile $file:$badperm $pwfiles genprofile $file:$badperm $pwfiles cap:chown
runchecktest "CHOWN (constrained $badperm)" fail $file $newuid runchecktest "CHOWN (constrained $badperm)" fail $file $newuid
checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup
# FAIL TEST (CONSTRAINED/LACKING CAPS)
resettest
settest chgrp
genprofile $file:$okperm $pwfiles
runchecktest "CHGRP (constrained $okperm/no capabilities)" fail $file $newgid
settest chown
genprofile $file:$okperm $pwfiles
runchecktest "CHOWN (constrained $okperm/no capabilities)" fail $file $newuid
checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup
# FAIL TEST (CONSTRAINED w/FOPS)
resettest
settest fchmod
genprofile $file:$badperm $pwfiles
runchecktest "FCHMOD (constrained $badperm)" fail $file $newfileperm
settest fchgrp
genprofile $file:$badperm $pwfiles cap:chown
runchecktest "FCHGRP (constrained $badperm)" fail $file $newgid
settest fchown
genprofile $file:$badperm $pwfiles cap:chown
runchecktest "FCHOWN (constrained $badperm)" fail $file $newuid
checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup
# FAIL TEST (CONSTRAINED w/FOPS/LACKING CAPS)
resettest
settest fchgrp
genprofile $file:$okperm $pwfiles
runchecktest "FCHGRP (constrained $okperm/no capabilities)" fail $file $newgid
settest fchown
genprofile $file:$okperm $pwfiles
runchecktest "FCHOWN (constrained $okperm/no capabilities)" fail $file $newuid
checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup