MAC/do: Tests: Add support for exec paths, jail parameters, subjails
And also allow configuration of the mdo(1) executable path. This commit only contains new or modified infrastructure. No functional change intended at this point. Reviewed by: bapt MFC after: 1 month Sponsored by: The FreeBSD Foundation Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/38
This commit is contained in:
+110
-9
@@ -10,11 +10,79 @@ rules_parameter()
|
||||
echo "$1".rules
|
||||
}
|
||||
|
||||
exec_paths_parameter()
|
||||
{
|
||||
echo "$1".exec_paths
|
||||
}
|
||||
|
||||
CONF_ROOT_KNOB=security.mac.do
|
||||
RULES_KNOB=$(rules_parameter ${CONF_ROOT_KNOB})
|
||||
PPE_KNOB=${CONF_ROOT_KNOB}.print_parse_error
|
||||
: ${MDO:=/usr/bin/mdo}
|
||||
|
||||
ROOT_KNOB=security.mac.do
|
||||
RULES_KNOB=$(rules_parameter ${ROOT_KNOB})
|
||||
EXEC_PATHS_KNOB=$(exec_paths_parameter ${ROOT_KNOB})
|
||||
PPE_KNOB=${ROOT_KNOB}.print_parse_error
|
||||
|
||||
ROOT_JAIL_PARAM=mac.do
|
||||
RULES_JAIL_PARAM=$(rules_parameter ${ROOT_JAIL_PARAM})
|
||||
EXEC_PATHS_JAIL_PARAM=$(exec_paths_parameter ${ROOT_JAIL_PARAM})
|
||||
|
||||
# To be overridden to execute commands in a sub-jail
|
||||
JEXEC=
|
||||
|
||||
# Exit status: 0 iff disabled
|
||||
mac_do_disabled()
|
||||
{
|
||||
[ -z "$($JEXEC sysctl -n ${RULES_KNOB})" ] ||
|
||||
[ -z "$($JEXEC sysctl -n ${EXEC_PATHS_KNOB})" ]
|
||||
}
|
||||
|
||||
mac_do_check_disabled()
|
||||
{
|
||||
mac_do_disabled || atf_fail "mac_do(4) expected disabled but is not."
|
||||
}
|
||||
|
||||
mac_do_ensure_disabled()
|
||||
{
|
||||
mac_do_disabled || $JEXEC sysctl ${RULES_KNOB}=""
|
||||
}
|
||||
|
||||
sysctl_rules()
|
||||
{
|
||||
$JEXEC sysctl -n ${RULES_KNOB}
|
||||
}
|
||||
|
||||
sysctl_exec_paths()
|
||||
{
|
||||
$JEXEC sysctl -n ${EXEC_PATHS_KNOB}
|
||||
}
|
||||
|
||||
# $1 = sysctl func, $2 = expected value
|
||||
sysctl_check()
|
||||
{
|
||||
local func value
|
||||
|
||||
func=$1
|
||||
value=$2
|
||||
atf_check [ "$($func)" = "$value" ]
|
||||
}
|
||||
|
||||
# $1 = value
|
||||
sysctl_check_rules()
|
||||
{
|
||||
local value
|
||||
|
||||
value=$1
|
||||
sysctl_check sysctl_rules $value
|
||||
}
|
||||
|
||||
# $1 = value
|
||||
sysctl_check_exec_paths()
|
||||
{
|
||||
local value
|
||||
|
||||
value=$1
|
||||
sysctl_check sysctl_exec_paths $value
|
||||
}
|
||||
|
||||
# $1 = knob name, $2 = value
|
||||
sysctl_set_and_check()
|
||||
@@ -23,8 +91,8 @@ sysctl_set_and_check()
|
||||
|
||||
knob=$1
|
||||
value=$2
|
||||
atf_check -o ignore sysctl "$knob"="$value"
|
||||
atf_check -o inline:"$value\n" sysctl -n "$knob"
|
||||
atf_check -o ignore $JEXEC sysctl "$knob"="$value"
|
||||
atf_check -o inline:"$value\n" $JEXEC sysctl -n "$knob"
|
||||
}
|
||||
|
||||
# $1 = knob name, $2 = value
|
||||
@@ -35,8 +103,8 @@ sysctl_set_and_check_fails()
|
||||
knob=$1
|
||||
value=$2
|
||||
orig_value=$(sysctl -n "$knob")
|
||||
atf_check -s not-exit:0 -o ignore -e ignore sysctl "$knob"="$value"
|
||||
atf_check -o inline:"${orig_value}\n" sysctl -n "$knob"
|
||||
atf_check -s not-exit:0 -o ignore -e ignore $JEXEC sysctl "$knob"="$value"
|
||||
atf_check -o inline:"${orig_value}\n" $JEXEC sysctl -n "$knob"
|
||||
}
|
||||
|
||||
# $1 = sysctl function, $2 = value
|
||||
@@ -46,9 +114,9 @@ sysctl_set_and_check_rules_common()
|
||||
|
||||
func=$1
|
||||
value=$2
|
||||
"$func" ${RULES_KNOB} "$value"
|
||||
# Same spec but using the older in-rule separator (':')
|
||||
# Use older in-rule separator (':') first to have final value as specified
|
||||
"$func" ${RULES_KNOB} "$(echo "$value" | sed 's%>%:%')"
|
||||
"$func" ${RULES_KNOB} "$value"
|
||||
}
|
||||
|
||||
# $1 = value
|
||||
@@ -69,7 +137,40 @@ sysctl_set_and_check_fails_rules()
|
||||
sysctl_set_and_check_rules_common sysctl_set_and_check_fails "$value"
|
||||
}
|
||||
|
||||
# $1 = sysctl function, $2 = value
|
||||
sysctl_set_and_check_exec_paths_common()
|
||||
{
|
||||
local func value
|
||||
|
||||
func=$1
|
||||
value=$2
|
||||
# Use older in-rule separator (':') first to have final value as specified
|
||||
"$func" ${EXEC_PATHS_KNOB} "$(echo "$value" | sed 's%>%:%')"
|
||||
"$func" ${EXEC_PATHS_KNOB} "$value"
|
||||
}
|
||||
|
||||
# $1 = value
|
||||
sysctl_set_and_check_exec_paths()
|
||||
{
|
||||
local value
|
||||
|
||||
value=$1
|
||||
sysctl_set_and_check_exec_paths_common sysctl_set_and_check "$value"
|
||||
}
|
||||
|
||||
# Create a persistent subjail. Echoes its JID.
|
||||
launch_subjail()
|
||||
{
|
||||
(
|
||||
set -o pipefail
|
||||
$JEXEC jail -c -J /dev/stdout persist=true |
|
||||
sed -nE 's%^.*jid=([0-9]+).*$%\1%p'
|
||||
) || atf_fail "Cannot create a subjail (check children limits?)"
|
||||
}
|
||||
|
||||
atf_require_prog sysctl
|
||||
atf_require_prog jail
|
||||
atf_require_prog sed
|
||||
|
||||
# Do not pollute kernel logs with parse errors
|
||||
sysctl $PPE_KNOB=0 >/dev/null 2>&1
|
||||
|
||||
Reference in New Issue
Block a user