# $Id: exec_qual.sh 430 2007-03-08 21:23:17Z steve-beattie $
# Copyright (C) 2002-2005 Novell/SUSE
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the
# See 'matrix.doc' in the SubDomain/Documentation directory. This test
# currently verifies the enforce mode handling of exec between the various
# confinement conditions for execer and execee. It needs to be extended to
# include the complain mode verification.
# Turn $pwd into an absolute path; the cd happens inside the command
# substitution, so the script's own working directory is not changed.
# NOTE(review): the cd result is not checked and $pwd is expanded unquoted, so
# a failed cd leaves /bin/pwd reporting the caller's directory instead --
# confirm that is acceptable for anything later located relative to this path.
pwd=$(cd $pwd ; /bin/pwd)

# Path patterns passed as exec rules by the conflicting-qualifier test further
# down. Presumably they must reach genprofile as patterns rather than as
# shell-expanded file names. $bin is not assigned in the lines shown here.
test2_rex1="${bin}/exec_*"
test2_rex2="${bin}/exec_qual[1-9]"
expected_confinement=$3
runtestbg "$desc" $passfail $*
if [ -r /proc/$_pid/attr/current ]
actual_confinement=`cat /proc/$_pid/attr/current | cut -d ' ' -f1`
# signal pid to continue
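# Record in $outfile that the confinement label could not be read.
# The /proc/<pid>/attr/current reads in this file use $_pid, while $pid is not
# assigned anywhere in the lines shown, so the message would likely have been
# written with an empty pid; report the pid that was actually inspected.
# The redirect target is quoted so a path with whitespace is still one file.
echo "FAIL: Unable to determine confinment for pid $_pid" >> "$outfile"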
if [ "$teststatus" == "pass" -a -n "$actual_confinement" -a "$actual_confinement" != "$expected_confinement" ]
echo "Error: ${testname} failed. Test '${_testdesc}' actual confinement '$actual_confinement' differed from expected confinement '$expected_confinement'"
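# confined parent, exec child with 'px'
#
# Every case expects the child to run under its own profile (expected
# confinement $test2), so only the child profile should decide access to
# $file; the parent's file rule is varied to show that it makes no difference.
# Judging by the case comments, genprofile arguments before '--' describe the
# parent profile and those after 'image=' the child profile.
# The third local_runchecktest argument is the confinement label expected for
# the child; "n/a" is passed where the exec itself is expected to fail.
# Expansions are quoted so each path or rule reaches the helpers as exactly one
# word, whatever characters the path contains.

# case 1: parent profile grants access (should be irrelevant)
#         child profile grants access
#         expected behaviour: child should be able to access resource
genprofile "${test2}:px" "${file}:${fileperm}" -- "image=${test2}" "${file}:${fileperm}"
local_runchecktest "enforce px case1" pass "${test2}" "${test2}" "${file}"

# case 2: parent profile grants access (should be irrelevant)
#         child profile disallows access
#         expected behaviour: child should be unable to access resource
genprofile "${test2}:px" "${file}:${fileperm}" -- "image=${test2}"
local_runchecktest "enforce px case2" fail "${test2}" "${test2}" "${file}"

# case 3: parent profile disallows access (should be irrelevant)
#         child profile allows access
#         expected behaviour: child should be able to access resource
genprofile "${test2}:px" -- "image=${test2}" "${file}:${fileperm}"
local_runchecktest "enforce px case3" pass "${test2}" "${test2}" "${file}"

# case 4: parent profile grants access (should be irrelevant)
#         missing child profile
#         expected behaviour: exec of child fails
genprofile "${test2}:px" "${file}:${fileperm}"
local_runchecktest "enforce px case4" fail "n/a" "${test2}" "${file}"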
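# confined parent, exec child with 'ix'
#
# Every case expects the child to stay under $test1 (the expected-confinement
# argument) -- presumably the parent's profile; confirm where test1 is set.
# Access to $file should therefore follow the parent's file rule, and the
# child profile (the part after 'image=') is varied to show it is ignored.
# Expansions are quoted so each path or rule reaches the helpers as exactly one
# word, whatever characters the path contains.

# case 1: parent profile grants access
#         child profile grants access (should be irrelevant)
#         expected behaviour: child should be able to access resource
genprofile "${test2}:rix" "${file}:${fileperm}" -- "image=${test2}" "${file}:${fileperm}"
local_runchecktest "enforce ix case1" pass "${test1}" "${test2}" "${file}"

# case 2: parent profile grants access
#         child profile disallows access (should be irrelevant)
#         expected behaviour: child should be able to access resource
genprofile "${test2}:rix" "${file}:${fileperm}" -- "image=${test2}"
local_runchecktest "enforce ix case2" pass "${test1}" "${test2}" "${file}"

# case 3: parent profile disallows access
#         child profile allows access (should be irrelevant)
#         expected behaviour: child should be unable to access resource
genprofile "${test2}:rix" -- "image=${test2}" "${file}:${fileperm}"
local_runchecktest "enforce ix case3" fail "${test1}" "${test2}" "${file}"

# case 4: parent profile grants access
#         missing child profile (irrelevant)
#         expected behaviour: child should be able to access resource
genprofile "${test2}:rix" "${file}:${fileperm}"
local_runchecktest "enforce ix case4" pass "${test1}" "${test2}" "${file}"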
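# confined parent, exec child with 'ux'
#
# Both cases expect the child to carry the label "unconstrained", i.e. to run
# outside any profile, so the parent's file rule should not matter.
# Expansions are quoted so each path or rule reaches the helpers as exactly one
# word, whatever characters the path contains.

# case 1: parent profile grants access (should be irrelevant)
#         expected behaviour, child should be able to access resource
genprofile "${test2}:ux" "${file}:${fileperm}"
local_runchecktest "enforce ux case1" pass "unconstrained" "${test2}" "${file}"

# case 2: parent profile denies access (should be irrelevant)
#         expected behaviour, child should be able to access resource
# NOTE(review): no genprofile call for this case is visible in this listing;
# confirm a parent profile without the $file rule is loaded before this check,
# otherwise it only repeats case 1.
# The description used to read "enforce ux case1" here as well, which made a
# failure of this check indistinguishable from a failure of case 1 in the test
# output.
local_runchecktest "enforce ux case2" pass "unconstrained" "${test2}" "${file}"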
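# confined parent, exec child with conflicting exec qualifiers
#
# The parent profile gets two exec rules built from the path patterns in
# test2_rex1 and test2_rex2, one marked px and one marked ix.
# expected behaviour: exec of child fails
#
# The pattern variables are quoted: expanded unquoted, the shell would attempt
# pathname expansion on them first, and the rules genprofile receives would
# then depend on which files happen to exist and on shell options such as
# nullglob or failglob.
genprofile "${test2_rex1}:px" "${test2_rex2}:ix" -- "image=${test2}" "${file}:${fileperm}"
local_runchecktest "enforce conflicting exec qual" fail "n/a" "${test2}" "${file}"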
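# Unconfined-parent cases (per the "enforce unconfined" test labels): only a
# child profile, introduced by 'image=', is generated, so access to $file
# should follow the child profile when one exists.
# Expansions are quoted so each path or rule reaches the helpers as exactly one
# word, whatever characters the path contains.

# case 1: child profile exists, child profile grants access
#         expected behaviour: child should be able to access resource
genprofile "image=${test2}" "${file}:${fileperm}"
local_runchecktest "enforce unconfined case1" pass "${test2}" "${test2}" "${file}"

# case 2: child profile exists, child profile denies access
#         expected behaviour: child should be unable to access resource
genprofile "image=${test2}"
local_runchecktest "enforce unconfined case2" fail "${test2}" "${test2}" "${file}"

# case 3: no child profile exists, unconfined
#         expected behaviour: child should be able to access resource
# NOTE(review): no profile-changing command for this case is visible in this
# listing; confirm the child profile loaded for case 2 is removed before this
# check, otherwise the "unconstrained" expectation cannot hold.
local_runchecktest "enforce unconfined case3" pass "unconstrained" "${test2}" "${file}"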
# -----------------------------------------------------------------------
# COMPLAIN mode -- all the tests again but with profiles loaded in
# complain mode rather than enforce mode
# confined parent, exec child with 'px'
# case 1: expected behaviour: as enforce
# case 2: expected behaviour: child should be able to access resource
# case 3: expected behaviour: as enforce
# case 4: expected behaviour: child should be able to access resource
# verify child is in null-complain-profile
# confined parent, exec child with 'ix'
# case 1: expected behaviour: as enforce
# case 2: expected behaviour: as enforce
# case 3: expected behaviour: child should be able to access resource
# case 4: expected behaviour: as enforce
# constrained parent, exec child with 'ux'
# case 1: expected behaviour, child should be able to access resource
# case 2: expected behaviour, child should be able to access resource
# confined parent, exec child with conflicting exec qualifiers
# case 1: child should be able to access resource
# verify that child is in null-complain-profile
# case 1: expected behaviour: as enforce
# case 2: expected behaviour, child should be able to access resource
# case 3: expected behaviour: as enforce