# Copyright (C) 2002-2005 Novell/SUSE
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# Write permission is required in a confined process's profile in order to
# change the mode (chmod, chgrp, chown) of a file. This test verifies these
# system calls for unconfined and confined processes. It also includes
# the fxxx version of the tests.
set -- `ls -ld $_file`
if [ $1 != "$_newfileperm" -o $3 != $_newuser -o $4 != $_newgroup ]
echo "Error: ls -l $file output does not look correct"
echo "Error: saw: $1/$3/$4 expected: $_newfileperm/$_newuser/$_newgroup"
chmod $origfileperm $file
chmod $origfileperm $dir
pwd=`cd $pwd ; /bin/pwd`
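# Profile rules that grant read access to the account databases. The value
# holds two space-separated rules and is expanded unquoted where it is used,
# so that each rule reaches genprofile as its own argument.
pwfiles="/etc/passwd:r /etc/group:r"

# Mode strings, in the form printed by `ls -l`, that the file and directory
# are expected to show before and after the mode change.
origfilepermstr="-rw-r--r--"
newfilepermstr="-r--------"
origdirpermstr="drw-r--r--"
newdirpermstr="dr--------"

# Numeric uid of $newuser. The name is handed to awk with -v and compared
# against the first field as a literal string, instead of being spliced into
# the awk program text where it would be interpreted as a regular expression.
newuid=$(awk -F: -v user="$newuser" '$1 == user {print $3}' /etc/passwd)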
# Sigh, debian uses group nogroup instead of nobody
# XXX - not sure what to do if neither exists.
if [ $(grep -c nobody /etc/group) -gt 0 ] ; then
elif [ $(grep -c nogroup /etc/group) -gt 0 ] ; then
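# Numeric gid of $newgroup. The name is passed with -v and matched literally
# against the first field rather than interpolated into the awk program,
# where it would be treated as a regular expression.
newgid=$(awk -F: -v group="$newgroup" '$1 == group {print $3}' /etc/group)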
#echo newuser=${newuser} newuid=${newuid}
#echo newgroup=${newgroup} newgid=${newgid}
# NOTE on the ordering of tests: XFS requires the FOWNER capability
# to chgrp a file that you are not the owner of; Linux's VFS layer will
# allow you to do it if you are in the group of the file without FOWNER.
# Therefore, we should do the chgrp test BEFORE changing the owner of
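# PASS TEST (UNCONFINED)
# Baseline: no genprofile call appears in this section, and every mode,
# group and owner change is expected to succeed. Expansions are quoted so a
# path or id containing whitespace or glob characters stays one argument.

# Regular file: chmod, then chgrp, then chown. The group is changed before
# the owner in every section of this script.
runchecktest "CHMOD (unconfined)" pass "$file" "$newfileperm"
runchecktest "CHGRP (unconfined)" pass "$file" "$newgid"
# The directory chgrp is exercised here and again in the directory run below.
runchecktest "CHGRP dir (unconfined)" pass "$dir" "$newgid"
runchecktest "CHOWN (unconfined)" pass "$file" "$newuid"
# checkfile is given the mode string, owner and group the file should now have.
checkfile "$file" "unconfined" "$newfilepermstr" "$newuser" "$newgroup"

# Directory: same sequence.
runchecktest "CHMOD dir (unconfined)" pass "$dir" "$newfileperm"
runchecktest "CHGRP dir (unconfined)" pass "$dir" "$newgid"
runchecktest "CHOWN dir (unconfined)" pass "$dir" "$newuid"
checkfile "$dir" "dir unconfined" "$newdirpermstr" "$newuser" "$newgroup"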
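# PASS TEST (UNCONFINED w/FOPS)
# Same baseline as the path-based run, for the FCHMOD/FCHGRP/FCHOWN variants
# (the "fxxx" calls mentioned in the file header). No genprofile call appears
# in this section and every change is expected to succeed. Expansions are
# quoted so each value is passed as exactly one argument.

# Regular file.
runchecktest "FCHMOD (unconfined)" pass "$file" "$newfileperm"
runchecktest "FCHGRP (unconfined)" pass "$file" "$newgid"
runchecktest "FCHOWN (unconfined)" pass "$file" "$newuid"
# The file should now carry the new mode string, owner and group.
checkfile "$file" "unconfined" "$newfilepermstr" "$newuser" "$newgroup"

# Directory.
runchecktest "FCHMOD dir (unconfined)" pass "$dir" "$newfileperm"
runchecktest "FCHGRP dir (unconfined)" pass "$dir" "$newgid"
runchecktest "FCHOWN dir (unconfined)" pass "$dir" "$newuid"
checkfile "$dir" "dir unconfined" "$newdirpermstr" "$newuser" "$newgroup"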
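# PASS TEST (CONFINED)
# A profile is generated before every step, so each call is checked against
# exactly the rules listed on the preceding genprofile line:
#   - chmod:       only the $okperm rule on the target;
#   - chgrp/chown: the $okperm rule, read access to /etc/passwd and
#                  /etc/group ($pwfiles), and cap:chown.
# With those rules every change is expected to succeed.
#
# $pwfiles is deliberately left unquoted throughout: it holds two
# space-separated rules that must reach genprofile as separate arguments.
# Every other expansion is quoted so it stays a single argument.

# Regular file.
genprofile "$file:$okperm"
runchecktest "CHMOD (confined $okperm)" pass "$file" "$newfileperm"

genprofile "$file:$okperm" $pwfiles cap:chown
runchecktest "CHGRP (confined $okperm)" pass "$file" "$newgid"

genprofile "$file:$okperm" $pwfiles cap:chown
runchecktest "CHOWN (confined $okperm)" pass "$file" "$newuid"

# The file should now carry the new mode string, owner and group.
checkfile "$file" "confined $okperm" "$newfilepermstr" "$newuser" "$newgroup"

# Directory.
genprofile "$dir:$okperm"
runchecktest "CHMOD dir (confined $okperm)" pass "$dir" "$newfileperm"

genprofile "$dir:$okperm" $pwfiles cap:chown
runchecktest "CHGRP dir (confined $okperm)" pass "$dir" "$newgid"

genprofile "$dir:$okperm" $pwfiles cap:chown
runchecktest "CHOWN dir (confined $okperm)" pass "$dir" "$newuid"

checkfile "$dir" "confined dir $okperm" "$newdirpermstr" "$newuser" "$newgroup"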
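# PASS TEST (CONFINED w/FOPS)
# FCHMOD/FCHGRP/FCHOWN variants of the confined pass tests. The profile is
# regenerated before every step: fchmod runs with only the $okperm rule on
# the target, while fchgrp/fchown additionally get read access to the
# account files ($pwfiles) and cap:chown. Every change is expected to succeed.
#
# $pwfiles is deliberately left unquoted: it holds two space-separated rules
# that must reach genprofile as separate arguments. Every other expansion is
# quoted so it stays a single argument.

# Regular file.
genprofile "$file:$okperm"
runchecktest "FCHMOD (confined $okperm)" pass "$file" "$newfileperm"

genprofile "$file:$okperm" $pwfiles cap:chown
runchecktest "FCHGRP (confined $okperm)" pass "$file" "$newgid"

genprofile "$file:$okperm" $pwfiles cap:chown
runchecktest "FCHOWN (confined $okperm)" pass "$file" "$newuid"

# The file should now carry the new mode string, owner and group.
checkfile "$file" "confined $okperm" "$newfilepermstr" "$newuser" "$newgroup"

# Directory.
genprofile "$dir:$okperm"
runchecktest "FCHMOD dir (confined $okperm)" pass "$dir" "$newfileperm"

genprofile "$dir:$okperm" $pwfiles cap:chown
runchecktest "FCHGRP dir (confined $okperm)" pass "$dir" "$newgid"

genprofile "$dir:$okperm" $pwfiles cap:chown
runchecktest "FCHOWN dir (confined $okperm)" pass "$dir" "$newuid"

checkfile "$dir" "confined dir $okperm" "$newdirpermstr" "$newuser" "$newgroup"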
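# FAIL TEST (CONFINED)
# Negative tests: the profile grants only $badperm on the target, and every
# mode, group and owner change is expected to be denied. cap:chown is still
# granted for the chgrp/chown steps, so an expected failure there is
# presumably attributable to the file rule rather than to a missing
# capability (the no-capability case has its own section).
#
# $pwfiles is deliberately left unquoted: it holds two space-separated rules
# that must reach genprofile as separate arguments. Every other expansion is
# quoted so it stays a single argument.

# Regular file.
genprofile "$file:$badperm" $pwfiles
runchecktest "CHMOD (confined $badperm)" fail "$file" "$newfileperm"

genprofile "$file:$badperm" $pwfiles cap:chown
runchecktest "CHGRP (confined $badperm)" fail "$file" "$newgid"

genprofile "$file:$badperm" $pwfiles cap:chown
runchecktest "CHOWN (confined $badperm)" fail "$file" "$newuid"

# Nothing may have changed: the file is checked against its ORIGINAL mode
# string, owner and group.
checkfile "$file" "confined $badperm" "$origfilepermstr" "$origuser" "$origgroup"

# Directory.
genprofile "$dir:$badperm" $pwfiles
runchecktest "CHMOD dir (confined $badperm)" fail "$dir" "$newfileperm"

genprofile "$dir:$badperm" $pwfiles cap:chown
runchecktest "CHGRP dir (confined $badperm)" fail "$dir" "$newgid"

genprofile "$dir:$badperm" $pwfiles cap:chown
runchecktest "CHOWN dir (confined $badperm)" fail "$dir" "$newuid"

checkfile "$dir" "confined dir $badperm" "$origdirpermstr" "$origuser" "$origgroup"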
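# FAIL TEST (CONFINED/LACKING CAPS)
# The profile grants $okperm on the target and read access to the account
# files, but NOT cap:chown. chgrp and chown are expected to be denied: the
# file rule alone must not be enough to change group or owner.
#
# The checkfile labels previously read "confined $badperm" although these
# profiles use $okperm; they now name the configuration actually under test
# so a failure report points at the right case.
#
# $pwfiles is deliberately left unquoted: it holds two space-separated rules
# that must reach genprofile as separate arguments. Every other expansion is
# quoted so it stays a single argument.

# Regular file.
genprofile "$file:$okperm" $pwfiles
runchecktest "CHGRP (confined $okperm/no capabilities)" fail "$file" "$newgid"

genprofile "$file:$okperm" $pwfiles
runchecktest "CHOWN (confined $okperm/no capabilities)" fail "$file" "$newuid"

# Nothing may have changed: compare against the ORIGINAL mode, owner, group.
checkfile "$file" "confined $okperm/no capabilities" "$origfilepermstr" "$origuser" "$origgroup"

# Directory.
genprofile "$dir:$okperm" $pwfiles
runchecktest "CHGRP dir (confined $okperm/no capabilities)" fail "$dir" "$newgid"

genprofile "$dir:$okperm" $pwfiles
runchecktest "CHOWN dir (confined $okperm/no capabilities)" fail "$dir" "$newuid"

checkfile "$dir" "confined dir $okperm/no capabilities" "$origdirpermstr" "$origuser" "$origgroup"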
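# FAIL TEST (CONFINED w/FOPS)
# FCHMOD/FCHGRP/FCHOWN variants of the negative tests: the profile grants
# only $badperm on the target and every change is expected to be denied.
# cap:chown is still granted for the fchgrp/fchown steps, so an expected
# failure there is presumably attributable to the file rule rather than to a
# missing capability.
#
# $pwfiles is deliberately left unquoted: it holds two space-separated rules
# that must reach genprofile as separate arguments. Every other expansion is
# quoted so it stays a single argument.

# Regular file.
genprofile "$file:$badperm" $pwfiles
runchecktest "FCHMOD (confined $badperm)" fail "$file" "$newfileperm"

genprofile "$file:$badperm" $pwfiles cap:chown
runchecktest "FCHGRP (confined $badperm)" fail "$file" "$newgid"

genprofile "$file:$badperm" $pwfiles cap:chown
runchecktest "FCHOWN (confined $badperm)" fail "$file" "$newuid"

# Nothing may have changed: compare against the ORIGINAL mode, owner, group.
checkfile "$file" "confined $badperm" "$origfilepermstr" "$origuser" "$origgroup"

# Directory.
genprofile "$dir:$badperm" $pwfiles
runchecktest "FCHMOD dir (confined $badperm)" fail "$dir" "$newfileperm"

genprofile "$dir:$badperm" $pwfiles cap:chown
runchecktest "FCHGRP dir (confined $badperm)" fail "$dir" "$newgid"

genprofile "$dir:$badperm" $pwfiles cap:chown
runchecktest "FCHOWN dir (confined $badperm)" fail "$dir" "$newuid"

checkfile "$dir" "confined dir $badperm" "$origdirpermstr" "$origuser" "$origgroup"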
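# FAIL TEST (CONFINED w/FOPS/LACKING CAPS)
# FCHGRP/FCHOWN with a profile that grants $okperm on the target and read
# access to the account files, but NOT cap:chown. Both calls are expected to
# be denied: the file rule alone must not be enough to change group or owner.
#
# The checkfile labels previously read "confined $badperm" although these
# profiles use $okperm; they now name the configuration actually under test
# so a failure report points at the right case.
#
# $pwfiles is deliberately left unquoted: it holds two space-separated rules
# that must reach genprofile as separate arguments. Every other expansion is
# quoted so it stays a single argument.

# Regular file.
genprofile "$file:$okperm" $pwfiles
runchecktest "FCHGRP (confined $okperm/no capabilities)" fail "$file" "$newgid"

genprofile "$file:$okperm" $pwfiles
runchecktest "FCHOWN (confined $okperm/no capabilities)" fail "$file" "$newuid"

# Nothing may have changed: compare against the ORIGINAL mode, owner, group.
checkfile "$file" "confined $okperm/no capabilities" "$origfilepermstr" "$origuser" "$origgroup"

# Directory.
genprofile "$dir:$okperm" $pwfiles
runchecktest "FCHGRP dir (confined $okperm/no capabilities)" fail "$dir" "$newgid"

genprofile "$dir:$okperm" $pwfiles
runchecktest "FCHOWN dir (confined $okperm/no capabilities)" fail "$dir" "$newuid"

checkfile "$dir" "confined dir $okperm/no capabilities" "$origdirpermstr" "$origuser" "$origgroup"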