# Copyright (C) 2012 Canonical, Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# Verifies basic file access permission checks for change_onexec
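# Resolve the test directory to its physical path.  The expansion is quoted so
# a checkout path containing whitespace or glob characters survives the cd;
# the ';' (rather than '&&') is kept from the original, so a failed cd still
# yields /bin/pwd's output instead of an empty string.
pwd=$(cd "$pwd" ; /bin/pwd)
# Path of the sibling "rename" test directory.
othertest="$pwd/rename"
# Fully qualified base path of the onexec test binary.
fqsubbase="$pwd/onexec"
# NOTE(review): the doubled slash is kept as in the original; it looks
# deliberate (exercising path handling in the profile) - confirm with callers.
fqsubtest="$fqsubbase//$subtest"
# Rule path for every task's /proc/<pid>/attr/exec.  It contains a glob, so it
# must be quoted wherever it is expanded (e.g. "$onexec:w") or the shell will
# attempt pathname expansion on it before genprofile sees it.
onexec="/proc/*/attr/exec"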
actual=`cat /proc/$1/attr/exec 2>/dev/null`
# /proc/$1/attr/exec returns invalid argument if onexec has not been called
if [ $rc -ne 0 ] ; then
if [ "$2" == "nochange" ] ; then
echo "ONEXEC - exec transition not set"
if [ "${actual% (*)}" != "$2" ] ; then
echo "ONEXEC - check exec '${actual% (*)}' != expected '$2'"
actual=`cat /proc/$1/attr/current 2>/dev/null`
# /proc/$1/attr/current returns ENOENT if the onexec process has already exited due to an error
if [ $rc -ne 0 ] ; then
if [ "${actual% (*)}" != "$2" ] ; then
echo "ONEXEC - check current '${actual% (*)}' != expected '$2'"
local target_prof="$3"
#ignore prologue.inc error trapping that catches our subfn return values
runtestbg "ONEXEC $desc ($prof -> $target_prof)" $res $target_prof "$@"
# check that transition does not happen before exec, and that transition
if ! check_current $_pid $prof ; then
if ! check_exec $_pid $target_prof ; then
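# Test matrix.  Argument order of do_test, inferred from its visible body
# (target_prof is "$3", the remainder is passed through to runtestbg):
#   do_test <desc> <profile> <expected profile after exec | nochange | noexist>
#           <pass|fail> <command> <args...>
# Every expansion below is quoted: $onexec holds a glob ("/proc/*/attr/exec")
# and several change_profile rules end in "/**", so left unquoted they are
# subject to pathname expansion (and silently vanish or abort the script under
# nullglob/failglob) before genprofile ever sees the rule.  Test descriptions
# are unique per (profile -> target) pair so a failure is attributable.

# ONEXEC from UNCONFINED - don't change profile
do_test "" unconfined nochange pass "$bin/open" "$file"

# ONEXEC from UNCONFINED - target does NOT exist
genprofile "image=$bin/rw" "$bin/open:rix" "$file:rw" -- "image=$bin/open"
do_test "" unconfined noexist fail "$bin/open" "$file"

# ONEXEC from UNCONFINED - change to rw profile, no exec profile to override
genprofile "image=$bin/rw" "$bin/open:rix" "$file:rw"
do_test "no px profile" unconfined "$bin/rw" pass "$bin/open" "$file"

# ONEXEC from UNCONFINED - don't change profile, make sure exec profile is applied
genprofile "image=$bin/rw" "$bin/open:px" "$file:rw" -- "image=$bin/open" "$file:rw"
do_test "nochange px" unconfined nochange pass "$bin/open" "$file"

# ONEXEC from UNCONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
genprofile "image=$bin/rw" "$bin/open:px" "$file:rw" -- "image=$bin/open"
do_test "override px" unconfined "$bin/rw" pass "$bin/open" "$file"

# ONEXEC from CONFINED - don't change profile, open can't exec
genprofile "change_profile->:$bin/rw" "$onexec:w"
do_test "no px perm" "$bin/onexec" nochange fail "$bin/open" "$file"

# ONEXEC from CONFINED - don't change profile, open is run unconfined
genprofile "change_profile->:$bin/rw" "$bin/open:rux" "$onexec:w"
do_test "nochange rux" "$bin/onexec" nochange pass "$bin/open" "$file"

# ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
genprofile "change_profile->:$bin/rw" "$onexec:w" -- "image=$bin/open" "$file:rw"
do_test "nochange px - no px perm" "$bin/onexec" nochange fail "$bin/open" "$file"

# ONEXEC from CONFINED - don't change profile, open is run confined without necessary perms
genprofile "change_profile->:$bin/rw" "$bin/open:rpx" "$onexec:w" -- "image=$bin/open"
do_test "nochange px - no file perm" "$bin/onexec" nochange fail "$bin/open" "$file"

# ONEXEC from CONFINED - target does NOT exist
genprofile "change_profile->:$bin/open" "$onexec:w" -- "image=$bin/rw" "$bin/open:rix" "$file:rw" -- "image=$bin/open"
do_test "noexist px" "$bin/onexec" noexist fail "$bin/open" "$file"

# ONEXEC from CONFINED - change to rw profile, no exec profile to override
genprofile "change_profile->:$bin/rw" "$onexec:w" -- "image=$bin/rw" "$bin/open:rix" "$file:rw"
do_test "change profile - override rix" "$bin/onexec" "$bin/rw" pass "$bin/open" "$file"

# ONEXEC from CONFINED - change to rw profile, no exec profile to override, no explicit access to /proc/*/attr/exec
genprofile "change_profile->:$bin/rw" -- "image=$bin/rw" "$bin/open:rix" "$file:rw"
do_test "change profile - no onexec:w" "$bin/onexec" "$bin/rw" pass "$bin/open" "$file"

# ONEXEC from CONFINED - don't change profile, make sure exec profile is applied
genprofile "change_profile->:$bin/rw" "$onexec:w" "$bin/open:rpx" -- "image=$bin/rw" "$bin/open:rix" "$file:rw" -- "image=$bin/open" "$file:rw"
do_test "nochange px" "$bin/onexec" nochange pass "$bin/open" "$file"

# ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile doesn't have perms
genprofile "change_profile->:$bin/rw" "$onexec:w" -- "image=$bin/rw" "$bin/open:rix" "$file:rw" -- "image=$bin/open"
do_test "override px" "$bin/onexec" "$bin/rw" pass "$bin/open" "$file"

# ONEXEC from CONFINED - change to rw profile, override regular exec profile, exec profile has perms, rw doesn't
genprofile "change_profile->:$bin/rw" "$onexec:w" -- "image=$bin/rw" "$bin/open:rix" -- "image=$bin/open" "$file:rw"
do_test "override px - rw lacks file perm" "$bin/onexec" "$bin/rw" fail "$bin/open" "$file"

# ONEXEC from CONFINED - change to rw profile via glob rule, override exec profile, exec profile doesn't have perms
genprofile "change_profile->:/**" "$onexec:w" -- "image=$bin/rw" "$bin/open:rix" "$file:rw" -- "image=$bin/open"
do_test "glob override px" "$bin/onexec" "$bin/rw" pass "$bin/open" "$file"

# ONEXEC from CONFINED - change to exec profile via glob rule, override exec profile, exec profile doesn't have perms
genprofile "change_profile->:/**" "$onexec:w" -- "image=$bin/rw" "$bin/open:rix" "$file:rw" -- "image=$bin/open"
do_test "glob override px - exec lacks file perm" "$bin/onexec" "$bin/open" fail "$bin/open" "$file"

# ONEXEC from CONFINED - change to exec profile via glob rule, override exec profile, exec profile has perms
# NOTE(review): the description says "exec profile" but the expected target
# below is $bin/rw, as in the rw case two tests up - confirm which is intended.
genprofile "change_profile->:/**" "$onexec:w" -- "image=$bin/rw" "$bin/open:rix" "$file:rw" -- "image=$bin/open" "$file:rw"
do_test "glob override px - exec has file perm" "$bin/onexec" "$bin/rw" pass "$bin/open" "$file"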