mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-01-12 03:10:13 +00:00
Code Issues Projects Releases Wiki Activity

oeqa: update smack runtime test

Browse Source 
drop test_smack_mmap_enforced as is was skipped do to possible licensing issues

Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Armin Kuster
2022-06-13 12:15:41 -07:00
parent 95f7abc7ef
commit 102e47f14d
1 changed files with 15 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
lib/oeqa/runtime/cases/smack.py
View File

@@ -15,17 +15,16 @@ class SmackBasicTest(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
cls.smack_path = ""
cls.current_label = ""
cls.uid = 1000
status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
cls.smack_path = output
@skipIfNotFeature('smack',
'Test requires smack to be in DISTRO_FEATURES')
@OEHasPackage(['smack-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_smack_basic(self):
status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
self.smack_path = output
status,output = self.target.run("cat /proc/self/attr/current")
self.current_label = output.strip()
@@ -41,11 +40,11 @@ class SmackBasicTest(OERuntimeTestCase):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
m = re.search('(?<=access=")\S+(?=")', output)
m = re.search('(access=")\S+(?=")', output)
if m is None:
self.fail("Did not find access attribute")
else:
label_retrieved = m .group(0)
label_retrieved = re.split("access=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: "
@@ -64,11 +63,11 @@ class SmackBasicTest(OERuntimeTestCase):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
m= re.search('(?<=execute=")\S+(?=")', output)
m= re.search('(execute=")\S+(?=")', output)
if m is None:
self.fail("Did not find execute attribute")
else:
label_retrieved = m.group(0)
label_retrieved = re.split("execute=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -87,11 +86,11 @@ class SmackBasicTest(OERuntimeTestCase):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
m = re.search('(?<=mmap=")\S+(?=")', output)
m = re.search('(mmap=")\S+(?=")', output)
if m is None:
self.fail("Did not find mmap attribute")
else:
label_retrieved = m.group(0)
label_retrieved = re.split("mmap=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -109,11 +108,11 @@ class SmackBasicTest(OERuntimeTestCase):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %directory)
self.target.run("rmdir %s" %directory)
m = re.search('(?<=transmute=")\S+(?=")', output)
m = re.search('(transmute=")\S+(?=")', output)
if m is None:
self.fail("Did not find transmute attribute")
else:
label_retrieved = m.group(0)
label_retrieved = re.split("transmute=\"", output)[1][:-1]
self.assertEqual(
"TRUE", label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -127,10 +126,10 @@ class SmackBasicTest(OERuntimeTestCase):
'''
labelf = "/proc/self/attr/current"
command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)
status, output = self.target.run(
"notroot.py 0 %s %s" %(self.current_label, command))
"/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))
self.assertIn("PRIVILEGED", output,
"Privilege process did not change label.Output: %s" %output)
@@ -142,7 +141,7 @@ class SmackBasicTest(OERuntimeTestCase):
command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
status, output = self.target.run(
"notroot.py %d %s %s"
"/usr/sbin/notroot.py %d %s %s"
%(self.uid, self.current_label, command) +
" 2>&1 | grep 'Operation not permitted'" )
@@ -160,9 +159,9 @@ class SmackBasicTest(OERuntimeTestCase):
filename = "/tmp/test_unprivileged_change_file_label"
self.target.run("touch %s" % filename)
self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
status, output = self.target.run(
"notroot.py " +
"/usr/sbin/notroot.py " +
"%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
"| grep 'Operation not permitted'" )
@@ -346,78 +345,6 @@ class SmackBasicTest(OERuntimeTestCase):
self.assertEqual(status, 0, output)
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_mmap_enforced(self):
'''Test if smack mmap access is enforced'''
raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
# 12345678901234567890123456789012345678901234567890123456
delr1="mmap_label mmap_test_label1 -----"
delr2="mmap_label mmap_test_label2 -----"
delr3="mmap_file_label mmap_test_label1 -----"
delr4="mmap_file_label mmap_test_label2 -----"
RuleA="mmap_label mmap_test_label1 rw---"
RuleB="mmap_label mmap_test_label2 r--at"
RuleC="mmap_file_label mmap_test_label1 rw---"
RuleD="mmap_file_label mmap_test_label2 rwxat"
mmap_label="mmap_label"
file_label="mmap_file_label"
test_file = "/usr/sbin/smack_test_mmap"
mmap_exe = "/tmp/mmap_test"
status, echo = self.target.run("which echo")
status, output = self.target.run(
"notroot.py %d %s %s 'test' > %s" \
%(self.uid, self.current_label, echo, test_file))
status, output = self.target.run("ls %s" %test_file)
self.assertEqual(status, 0, "Could not create mmap test file")
self.target.run("chsmack -m %s %s" %(file_label, test_file))
self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
# test with no rules with mmap label or exec label as subject
# access should be granted
self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
self.assertEqual(
status, 0,
"Should have mmap access without rules. Output: %s" %output)
# add rules that do not match access required
self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
self.assertNotEqual(
status, 0,
"Should not have mmap access with unmatching rules. " +
"Output: %s" %output)
self.assertIn(
"Permission denied", output,
"Mmap access should be denied with unmatching rules")
# add rule to match only partially (one way)
self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
self.assertNotEqual(
status, 0,
"Should not have mmap access with partial matching rules. " +
"Output: %s" %output)
self.assertIn(
"Permission denied", output,
"Mmap access should be denied with partial matching rules")
# add rule to match fully
self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
self.assertEqual(
status, 0,
"Should have mmap access with full matching rules." +
"Output: %s" %output)
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_transmute_dir(self):
'''Test if smack transmute attribute works