Add testcases for fchmod/fchown and clean up some formatting in the

original chmod/chown tests.

tests/regression/subdomain/Makefile

@@ -26,6 +26,9 @@ SRC=access.c \
     exec.c \
     exec_qual.c \
     exec_qual2.c \
+    fchgrp.c \
+    fchmod.c \
+    fchown.c \
     fork.c \
     link.c \
     mmap.c \

tests/regression/subdomain/chgrp.c

@@ -19,24 +19,23 @@
 
 int main(int argc, char *argv[])
 {
-gid_t gid;
+	gid_t gid;
 
-	if (argc != 3){
+	if (argc != 3) {
 		fprintf(stderr, "usage: %s file groupname|gid\n",
 			argv[0]);
 		return 1;
 	}
 
 
-	if (sscanf(argv[2], "%d", &gid) != 1){
+	if (sscanf(argv[2], "%d", &gid) != 1) {
 		fprintf(stderr, "FAIL: bad gid %s\n", argv[2]);
 		return 1;
 	}
 	
-	if (chown(argv[1], -1, gid) == -1){
+	if (chown(argv[1], -1, gid) == -1) {
 		fprintf(stderr, "FAIL: chgrp %s %d failed - %s\n",
-			argv[1], gid,
-			strerror(errno));
+			argv[1], gid, strerror(errno));
 		return 1;
 	}
 

tests/regression/subdomain/chmod.c

@@ -14,29 +14,27 @@
 #include <errno.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <sys/stat.h>
 #include <fcntl.h>
 #include <string.h>
 
 int main(int argc, char *argv[])
 {
-mode_t mode;
+	mode_t mode;
 
-	if (argc != 3){
+	if (argc != 3) {
 		fprintf(stderr, "usage: %s file mode\n",
 			argv[0]);
 		return 1;
 	}
 
-	if (sscanf(argv[2], "%o", &mode) != 1){
+	if (sscanf(argv[2], "%o", &mode) != 1) {
 		fprintf(stderr, "FAIL: bad mode %s\n", argv[2]);
 		return 1;
 	}
 	
-	if (chmod(argv[1], mode) == -1){
-		fprintf(stderr, "FAIL: chmod %s %o failed - %s\n",
-			argv[1], mode,
-			strerror(errno));
+	if (chmod(argv[1], mode) == -1) {
+		fprintf(stderr, "FAIL: fchmod %s %o failed - %s\n",
+			argv[1], mode, strerror(errno));
 		return 1;
 	}
 

tests/regression/subdomain/chown.c

@@ -19,23 +19,22 @@
 
 int main(int argc, char *argv[])
 {
-uid_t uid;
+	uid_t uid;
 
-	if (argc != 3){
+	if (argc != 3) {
 		fprintf(stderr, "usage: %s file username|uid\n",
 			argv[0]);
 		return 1;
 	}
 
-	if (sscanf(argv[2], "%d", &uid) != 1){
+	if (sscanf(argv[2], "%d", &uid) != 1) {
 		fprintf(stderr, "FAIL: bad uid %s\n", argv[2]);
 		return 1;
 	}
 	
-	if (chown(argv[1], uid, -1) == -1){
+	if (chown(argv[1], uid, -1) == -1) {
 		fprintf(stderr, "FAIL: chown %s %d failed - %s\n",
-			argv[1], uid,
-			strerror(errno));
+			argv[1], uid, strerror(errno));
 		return 1;
 	}
 

tests/regression/subdomain/fchgrp.c

@@ -0,0 +1,54 @@
+/* $Id$ */
+
+/*
+ *	Copyright (C) 2002-2007 Novell/SUSE
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License as
+ *	published by the Free Software Foundation, version 2 of the
+ *	License.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+
+int main(int argc, char *argv[])
+{
+	gid_t gid;
+	int fd;
+
+	if (argc != 3) {
+		fprintf(stderr, "usage: %s file groupname|gid\n",
+			argv[0]);
+		return 1;
+	}
+
+
+	if (sscanf(argv[2], "%d", &gid) != 1) {
+		fprintf(stderr, "FAIL: bad gid %s\n", argv[2]);
+		return 1;
+	}
+	
+	fd = open(argv[1], O_RDONLY);
+	if (fd == -1) {
+		fprintf(stderr, "FAIL: open %s failed - %s\n",
+			argv[1], strerror(errno));
+		perror("FAIL: open");
+		return 1;
+	}
+
+	if (fchown(fd, -1, gid) == -1) {
+		fprintf(stderr, "FAIL: fchgrp %s %d failed - %s\n",
+			argv[1], gid, strerror(errno));
+		return 1;
+	}
+
+	printf("PASS\n");
+
+	return 0;
+}

tests/regression/subdomain/fchmod.c

@@ -0,0 +1,50 @@
+/* $Id$ */
+
+/*
+ *	Copyright (C) 2007 Novell/SUSE
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License as
+ *	published by the Free Software Foundation, version 2 of the
+ *	License.
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+
+int main(int argc, char *argv[])
+{
+	mode_t mode;
+	int fd;
+
+	if (argc != 3) {
+		fprintf(stderr, "usage: %s file mode\n", argv[0]);
+		return 1;
+	}
+
+	if (sscanf(argv[2], "%o", &mode) != 1) {
+		fprintf(stderr, "FAIL: bad mode %s\n", argv[2]);
+		return 1;
+	}
+
+	fd = open(argv[1], O_RDONLY);
+	if (fd == -1) {
+		fprintf(stderr, "FAIL: open %s failed - %s\n",
+			argv[1], strerror(errno));
+		perror("FAIL: open");
+		return 1;
+	}
+
+	if (fchmod(fd,  mode) == -1) {
+		fprintf(stderr, "FAIL: fchmod %s %o failed - %s\n",
+			argv[1], mode, strerror(errno));
+		return 1;
+	}
+
+	printf("PASS\n");
+	return 0;
+}

tests/regression/subdomain/fchown.c

@@ -0,0 +1,53 @@
+/* $Id$ */
+
+/*
+ *	Copyright (C) 2002-2005 Novell/SUSE
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License as
+ *	published by the Free Software Foundation, version 2 of the
+ *	License.
+ */
+
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <string.h>
+
+int main(int argc, char *argv[])
+{
+	uid_t uid;
+	int fd;
+
+	if (argc != 3) {
+		fprintf(stderr, "usage: %s file username|uid\n",
+			argv[0]);
+		return 1;
+	}
+
+	if (sscanf(argv[2], "%d", &uid) != 1) {
+		fprintf(stderr, "FAIL: bad uid %s\n", argv[2]);
+		return 1;
+	}
+	
+	fd = open(argv[1], O_RDONLY);
+	if (fd == -1) {
+		fprintf(stderr, "FAIL: open %s failed - %s\n",
+			argv[1], strerror(errno));
+		perror("FAIL: open");
+		return 1;
+	}
+
+	if (fchown(fd, uid, -1) == -1) {
+		fprintf(stderr, "FAIL: chown %s %d failed - %s\n",
+			argv[1], uid, strerror(errno));
+		return 1;
+	}
+
+	printf("PASS\n");
+
+	return 0;
+}

tests/regression/subdomain/open.sh

@@ -46,6 +46,10 @@ genprofile $file:$badperm2
 runchecktest "OPEN W" fail $file
 
 # FAILURE TEST (3)
+genprofile $file:$badperm1 cap:dac_override
+runchecktest "OPEN R+dac_override" fail $file
+
+# FAILURE TEST (4)
 # This is testing for bug: https://bugs.wirex.com/show_bug.cgi?id=2885
 # When we open O_CREAT|O_RDWR, we are (were?) allowing only write access
 # to be required.

tests/regression/subdomain/setattr.sh

@@ -12,25 +12,33 @@
 #=DESCRIPTION
 # Write permission is required in a confined processes profile in order to
 # change the mode (chmod, chgrp, chown) of a file.  This test verifies these
-# system calls for unconfined and confined processes.
+# system calls for unconfined and confined processes. It also includes
+# the fxxx version of the tests.
 #=END
 
 checkfile()
 {
-_file=$1
-_str=$2
-_newfileperm=$3
-_newuser=$4
-_newgroup=$5
+	_file=$1
+	_str=$2
+	_newfileperm=$3
+	_newuser=$4
+	_newgroup=$5
 
-set -- `ls -l $_file`
+	set -- `ls -l $_file`
 
-if [ $1 != "$_newfileperm" -o $3 != $_newuser -o $4 != $_newgroup ]
-then
+	if [ $1 != "$_newfileperm" -o $3 != $_newuser -o $4 != $_newgroup ]
+	then
 		echo "Error: ($_str)"
 		echo "Error: ls -l $file output does not look correct"
 		echo "Error: saw: $1/$3/$4   expected: $_newfileperm/$_newuser/$_newgroup"
-fi
+	fi
+}
+
+resettest()
+{
+	rm -f $file
+	touch $file
+	chmod $origfileperm $file
 }
 
 pwd=`dirname $0`
@@ -49,8 +57,8 @@ pwfiles="/etc/passwd:r /etc/group:r"
 
 origfileperm=644
 origfilepermstr="-rw-r--r--"
-newfileperm=000
-newfilepermstr="----------"
+newfileperm=400
+newfilepermstr="-r--------"
 origuser=`id -un`
 newuser=nobody
 newuid=$(awk -F: "/^${newuser}:/ {print \$3}" /etc/passwd)
@@ -68,8 +76,6 @@ newgid=$(awk -F: "/^${newgroup}:/ {print \$3}" /etc/group)
 #echo newuser=${newuser} newuid=${newuid}
 #echo newgroup=${newgroup} newgid=${newgid}
 
-touch $file
-chmod $origfileperm $file
 
 # NOTE on the ordering of tests: XFS requires the FOWNER capability
 # to chgrp a file that you are not the owner of; linux's vfs layer will
@@ -78,50 +84,123 @@ chmod $origfileperm $file
 # the file.
 
 # PASS TEST (UNCONSTRAINED)
+resettest
 
 settest chmod
 runchecktest "CHMOD (unconstrained)" pass $file $newfileperm
+
 settest chgrp
 runchecktest "CHGRP (unconstrained)" pass $file $newgid
+
 settest chown
 runchecktest "CHOWN (unconstrained)" pass $file $newuid
 
 checkfile $file "unconstrained" $newfilepermstr $newuser $newgroup
 
+# PASS TEST (UNCONSTRAINED w/FOPS)
+resettest
+
+settest fchmod
+runchecktest "FCHMOD (unconstrained)" pass $file $newfileperm
+
+settest fchgrp
+runchecktest "FCHGRP (unconstrained)" pass $file $newgid
+
+settest fchown
+runchecktest "FCHOWN (unconstrained)" pass $file $newuid
+
+checkfile $file "unconstrained" $newfilepermstr $newuser $newgroup
+
 # PASS TEST (CONSTRAINED)
-rm -f $file
-touch $file
-chmod $origfileperm $file
+resettest
 
 settest chmod
 genprofile $file:$okperm 
-runchecktest "CHMOD (constrained $okperm)" pass $file 000
+runchecktest "CHMOD (constrained $okperm)" pass $file $newfileperm
 
 settest chgrp
-genprofile $file:$okperm $pwfiles capability:chown
+genprofile $file:$okperm $pwfiles cap:chown
 runchecktest "CHGRP (constrained $okperm)" pass $file $newgid
 
 settest chown
-genprofile $file:$okperm $pwfiles capability:chown
+genprofile $file:$okperm $pwfiles cap:chown
 runchecktest "CHOWN (constrained $okperm)" pass $file $newuid
 
 checkfile $file "constrained $okperm" $newfilepermstr $newuser $newgroup
 
+# PASS TEST (CONSTRAINED w/FOPS)
+resettest
+
+settest fchmod
+genprofile $file:$okperm 
+runchecktest "FCHMOD (constrained $okperm)" pass $file $newfileperm
+
+settest fchgrp
+genprofile $file:$okperm $pwfiles cap:chown
+runchecktest "FCHGRP (constrained $okperm)" pass $file $newgid
+
+settest fchown
+genprofile $file:$okperm $pwfiles cap:chown
+runchecktest "FCHOWN (constrained $okperm)" pass $file $newuid
+
+checkfile $file "constrained $okperm" $newfilepermstr $newuser $newgroup
+
 # FAIL TEST (CONSTRAINED)
-rm -f $file
-touch $file
-chmod $origfileperm $file
+resettest
 
 settest chmod
 genprofile $file:$badperm $pwfiles
-runchecktest "CHMOD (constrained $badperm)" fail $file 000
+runchecktest "CHMOD (constrained $badperm)" fail $file $newfileperm
 
 settest chgrp
-genprofile $file:$badperm $pwfiles
+genprofile $file:$badperm $pwfiles cap:chown
 runchecktest "CHGRP (constrained $badperm)" fail $file $newgid
 
 settest chown
-genprofile $file:$badperm $pwfiles
+genprofile $file:$badperm $pwfiles cap:chown
 runchecktest "CHOWN (constrained $badperm)" fail $file $newuid
 
 checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup
+
+# FAIL TEST (CONSTRAINED/LACKING CAPS)
+resettest
+
+settest chgrp
+genprofile $file:$okperm $pwfiles
+runchecktest "CHGRP (constrained $okperm/no capabilities)" fail $file $newgid
+
+settest chown
+genprofile $file:$okperm $pwfiles
+runchecktest "CHOWN (constrained $okperm/no capabilities)" fail $file $newuid
+
+checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup
+
+# FAIL TEST (CONSTRAINED w/FOPS)
+resettest
+
+settest fchmod
+genprofile $file:$badperm $pwfiles
+runchecktest "FCHMOD (constrained $badperm)" fail $file $newfileperm
+
+settest fchgrp
+genprofile $file:$badperm $pwfiles cap:chown
+runchecktest "FCHGRP (constrained $badperm)" fail $file $newgid
+
+settest fchown
+genprofile $file:$badperm $pwfiles cap:chown
+runchecktest "FCHOWN (constrained $badperm)" fail $file $newuid
+
+checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup
+
+# FAIL TEST (CONSTRAINED w/FOPS/LACKING CAPS)
+resettest
+
+settest fchgrp
+genprofile $file:$okperm $pwfiles
+runchecktest "FCHGRP (constrained $okperm/no capabilities)" fail $file $newgid
+
+settest fchown
+genprofile $file:$okperm $pwfiles
+runchecktest "FCHOWN (constrained $okperm/no capabilities)" fail $file $newuid
+
+checkfile $file "constrained $badperm" $origfilepermstr $origuser $origgroup