diff --git a/tests/regression/subdomain/Makefile b/tests/regression/subdomain/Makefile
index 406e38745..962dc18fd 100644
--- a/tests/regression/subdomain/Makefile
+++ b/tests/regression/subdomain/Makefile
@@ -38,6 +38,7 @@ SRC=access.c \
 named_pipe.c \
 net_raw.c \
 open.c \
+ openat.c \
 pipe.c \
 ptrace.c \
 ptrace_helper.c \
@@ -119,7 +120,9 @@ TESTS=access \
 mult_mount \
 named_pipe \
 net_raw \
- open pipe \
+ open \
+ openat \
+ pipe \
 ptrace \
 pwrite \
 regex \
diff --git a/tests/regression/subdomain/openat.c b/tests/regression/subdomain/openat.c
new file mode 100644
index 000000000..0a8646833
--- /dev/null
+++ b/tests/regression/subdomain/openat.c
@@ -0,0 +1,52 @@
+/* $Id$ */
+
+/*
+ * Copyright (C) 2002-2007 Novell/SUSE
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+
+#define _GNU_SOURCE
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[])
+{
+ int fd = -1, dirfd = -1;
+
+ if (argc != 3){
+ fprintf(stderr, "usage: %s dir file\n", argv[0]);
+ return 1;
+ }
+
+ dirfd = open(argv[1], O_RDONLY | O_DIRECTORY);
+ if (dirfd == -1) {
+ fprintf(stderr, "FAIL: open %s failed - %s\n",
+ argv[1], strerror(errno));
+ return 1;
+ }
+
+ fd = openat(dirfd, argv[2], O_RDWR | O_CREAT, S_IWUSR | S_IRUSR);
+ if (fd == -1) {
+ fprintf(stderr, "FAIL: openat %s failed - %s\n",
+ argv[2], strerror(errno));
+ close(dirfd);
+ return 1;
+ }
+
+ close(fd);
+ close(dirfd);
+
+ printf("PASS\n");
+
+ return 0;
+}
diff --git a/tests/regression/subdomain/openat.sh b/tests/regression/subdomain/openat.sh
new file mode 100755
index 000000000..05c60931b
--- /dev/null
+++ b/tests/regression/subdomain/openat.sh
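Review bot: In openat.c, an absolute path in argv[2] makes openat() ignore dirfd, so the program would print PASS without ever exercising the directory-relative lookup that this test is meant to cover. A guard placed before the openat() call keeps the test from silently degrading to a plain open(): `if (argv[2][0] == '/') { fprintf(stderr, "FAIL: file must be relative to dir\n"); return 1; }`. main() also carries no comment stating the contract the shell harness relies on; a short block comment above it saying that the program opens `dir`, then opens or creates `file` relative to it with O_RDWR|O_CREAT, and prints PASS or `FAIL: <reason>` would make the expected output explicit. As a minor style point, `if (argc != 3){` lacks the space before the brace that the other conditionals in the file use.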
@@ -0,0 +1,64 @@
+#! /bin/bash
+# $Id$
+
+# Copyright (C) 2002-2007 Novell/SUSE
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, version 2 of the
+# License.
+
+#=NAME open
+#=DESCRIPTION
+# Verify that the openat syscall is correctly managed for confined profiles.
+# FIXME: need to add tests that delete the directory after it is opened
+# but before the openat() call occurs.
+#=END
+
+pwd=`dirname $0`
+pwd=`cd $pwd ; /bin/pwd`
+
+bin=$pwd
+
+. $bin/prologue.inc
+
+subdir=deleteme
+file=${subdir}/file
+filepath=${tmpdir}/${file}
+okperm=rw
+badperm1=r
+badperm2=w
+
+mkdir ${tmpdir}/${subdir}
+
+# PASS UNCONFINED
+runchecktest "OPENAT unconfined RW (create) " pass $tmpdir $file
+
+# PASS TEST (the file shouldn't exist, so open should create it
+rm -f ${filepath}
+genprofile ${tmpdir}:r ${filepath}:$okperm
+runchecktest "OPENAT RW (create) " pass $tmpdir $file
+
+# PASS TEST
+genprofile ${tmpdir}:r ${filepath}:$okperm
+runchecktest "OPENAT RW" pass $tmpdir $file
+
+# FAILURE TEST (1)
+genprofile ${tmpdir}:r ${filepath}:$badperm1
+runchecktest "OPENAT R" fail $tmpdir $file
+
+# FAILURE TEST (2)
+genprofile ${tmpdir}:r ${filepath}:$badperm2
+runchecktest "OPENAT W" fail $tmpdir $file
+
+# FAILURE TEST (3)
+genprofile ${tmpdir}:r ${filepath}:$badperm1 cap:dac_override
+runchecktest "OPENAT R+dac_override" fail $tmpdir $file
+
+# FAILURE TEST (4)
+# This is testing for bug: https://bugs.wirex.com/show_bug.cgi?id=2885
+# When we open O_CREAT|O_RDWR, we are (were?) allowing only write access
+# to be required.
+rm -f ${filepath}
+genprofile ${tmpdir}:r ${filepath}:$badperm2
+runchecktest "OPENAT W (create)" fail $tmpdir $file
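Review bot: The four `fail` cases do not pin down why the helper failed: openat.c prints FAIL for any errno, and nothing in this hunk separates a profile denial from, for example, ENOENT because `mkdir ${tmpdir}/${subdir}` did not succeed (its result is never checked). How `runchecktest` evaluates a `fail` expectation is defined in prologue.inc, outside this diff, so this should be confirmed there; if it only matches on FAIL, the negative cases should also require the "Permission denied" text so they cannot pass for an unrelated reason. Separately, the header still reads `#=NAME open` and should be `#=NAME openat`, and the comment `# PASS TEST (the file shouldn't exist, so open should create it` is missing its closing parenthesis.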