MAC/do: Tests: Add support for exec paths, jail parameters, subjails

And also allow configuration of the mdo(1) executable path.

This commit only contains new or modified infrastructure.  No functional
change intended at this point.

Reviewed by:    bapt
MFC after:      1 month
Sponsored by:   The FreeBSD Foundation
Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
This commit is contained in:
Olivier Certner
2026-05-22 16:23:31 +02:00
parent 33daea3f86
commit a95ff5ef7d
+110 -9
View File
@@ -10,11 +10,79 @@ rules_parameter()
echo "$1".rules
}
exec_paths_parameter()
{
echo "$1".exec_paths
}
CONF_ROOT_KNOB=security.mac.do
RULES_KNOB=$(rules_parameter ${CONF_ROOT_KNOB})
PPE_KNOB=${CONF_ROOT_KNOB}.print_parse_error
: ${MDO:=/usr/bin/mdo}
ROOT_KNOB=security.mac.do
RULES_KNOB=$(rules_parameter ${ROOT_KNOB})
EXEC_PATHS_KNOB=$(exec_paths_parameter ${ROOT_KNOB})
PPE_KNOB=${ROOT_KNOB}.print_parse_error
ROOT_JAIL_PARAM=mac.do
RULES_JAIL_PARAM=$(rules_parameter ${ROOT_JAIL_PARAM})
EXEC_PATHS_JAIL_PARAM=$(exec_paths_parameter ${ROOT_JAIL_PARAM})
# To be overridden to execute commands in a sub-jail
JEXEC=
# Exit status: 0 iff disabled
mac_do_disabled()
{
[ -z "$($JEXEC sysctl -n ${RULES_KNOB})" ] ||
[ -z "$($JEXEC sysctl -n ${EXEC_PATHS_KNOB})" ]
}
mac_do_check_disabled()
{
mac_do_disabled || atf_fail "mac_do(4) expected disabled but is not."
}
mac_do_ensure_disabled()
{
mac_do_disabled || $JEXEC sysctl ${RULES_KNOB}=""
}
sysctl_rules()
{
$JEXEC sysctl -n ${RULES_KNOB}
}
sysctl_exec_paths()
{
$JEXEC sysctl -n ${EXEC_PATHS_KNOB}
}
# $1 = sysctl func, $2 = expected value
sysctl_check()
{
local func value
func=$1
value=$2
atf_check [ "$($func)" = "$value" ]
}
# $1 = value
sysctl_check_rules()
{
local value
value=$1
sysctl_check sysctl_rules $value
}
# $1 = value
sysctl_check_exec_paths()
{
local value
value=$1
sysctl_check sysctl_exec_paths $value
}
# $1 = knob name, $2 = value
sysctl_set_and_check()
@@ -23,8 +91,8 @@ sysctl_set_and_check()
knob=$1
value=$2
atf_check -o ignore sysctl "$knob"="$value"
atf_check -o inline:"$value\n" sysctl -n "$knob"
atf_check -o ignore $JEXEC sysctl "$knob"="$value"
atf_check -o inline:"$value\n" $JEXEC sysctl -n "$knob"
}
# $1 = knob name, $2 = value
@@ -35,8 +103,8 @@ sysctl_set_and_check_fails()
knob=$1
value=$2
orig_value=$(sysctl -n "$knob")
atf_check -s not-exit:0 -o ignore -e ignore sysctl "$knob"="$value"
atf_check -o inline:"${orig_value}\n" sysctl -n "$knob"
atf_check -s not-exit:0 -o ignore -e ignore $JEXEC sysctl "$knob"="$value"
atf_check -o inline:"${orig_value}\n" $JEXEC sysctl -n "$knob"
}
# $1 = sysctl function, $2 = value
@@ -46,9 +114,9 @@ sysctl_set_and_check_rules_common()
func=$1
value=$2
"$func" ${RULES_KNOB} "$value"
# Same spec but using the older in-rule separator (':')
# Use older in-rule separator (':') first to have final value as specified
"$func" ${RULES_KNOB} "$(echo "$value" | sed 's%>%:%')"
"$func" ${RULES_KNOB} "$value"
}
# $1 = value
@@ -69,7 +137,40 @@ sysctl_set_and_check_fails_rules()
sysctl_set_and_check_rules_common sysctl_set_and_check_fails "$value"
}
# $1 = sysctl function, $2 = value
sysctl_set_and_check_exec_paths_common()
{
local func value
func=$1
value=$2
# Use older in-rule separator (':') first to have final value as specified
"$func" ${EXEC_PATHS_KNOB} "$(echo "$value" | sed 's%>%:%')"
"$func" ${EXEC_PATHS_KNOB} "$value"
}
# $1 = value
sysctl_set_and_check_exec_paths()
{
local value
value=$1
sysctl_set_and_check_exec_paths_common sysctl_set_and_check "$value"
}
# Create a persistent subjail. Echoes its JID.
launch_subjail()
{
(
set -o pipefail
$JEXEC jail -c -J /dev/stdout persist=true |
sed -nE 's%^.*jid=([0-9]+).*$%\1%p'
) || atf_fail "Cannot create a subjail (check children limits?)"
}
atf_require_prog sysctl
atf_require_prog jail
atf_require_prog sed
# Do not pollute kernel logs with parse errors
sysctl $PPE_KNOB=0 >/dev/null 2>&1