mirror of
https://git.yoctoproject.org/meta-security
synced 2026-07-16 03:47:21 +00:00
smack-test: more py3 covertion
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
@@ -1,4 +1,4 @@
|
|||||||
#!/usr/bin/env python
|
#!/usr/bin/env python3
|
||||||
#
|
#
|
||||||
# Script used for running executables with custom labels, as well as custom uid/gid
|
# Script used for running executables with custom labels, as well as custom uid/gid
|
||||||
# Process label is changed by writing to /proc/self/attr/curent
|
# Process label is changed by writing to /proc/self/attr/curent
|
||||||
@@ -9,8 +9,8 @@
|
|||||||
# """By default, each user in Debian GNU/Linux is given a corresponding group
|
# """By default, each user in Debian GNU/Linux is given a corresponding group
|
||||||
# with the same name. """
|
# with the same name. """
|
||||||
#
|
#
|
||||||
# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
|
# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
|
||||||
# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
|
# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
|
||||||
#
|
#
|
||||||
# Author: Alexandru Cornea <alexandru.cornea@intel.com>
|
# Author: Alexandru Cornea <alexandru.cornea@intel.com>
|
||||||
import os
|
import os
|
||||||
@@ -28,6 +28,6 @@ try:
|
|||||||
os.setuid(uid)
|
os.setuid(uid)
|
||||||
os.execv(path,sys.argv)
|
os.execv(path,sys.argv)
|
||||||
|
|
||||||
except Exception,e:
|
except Exception as e:
|
||||||
print e.message
|
print(e.strerror)
|
||||||
sys.exit(1)
|
sys.exit(-1)
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ CAT=`which cat`
|
|||||||
ECHO=`which echo`
|
ECHO=`which echo`
|
||||||
uid=1000
|
uid=1000
|
||||||
initial_label=`cat /proc/self/attr/current`
|
initial_label=`cat /proc/self/attr/current`
|
||||||
python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
|
python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
|
||||||
chsmack -a "TheOther" $test_file
|
chsmack -a "TheOther" $test_file
|
||||||
|
|
||||||
# 12345678901234567890123456789012345678901234567890123456
|
# 12345678901234567890123456789012345678901234567890123456
|
||||||
@@ -17,7 +17,7 @@ rule_ro="TheOne TheOther r----"
|
|||||||
|
|
||||||
# Remove pre-existent rules for "TheOne TheOther <access>"
|
# Remove pre-existent rules for "TheOne TheOther <access>"
|
||||||
echo -n "$delrule" > $SMACK_PATH/load
|
echo -n "$delrule" > $SMACK_PATH/load
|
||||||
python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
|
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
|
||||||
if [ $RC -ne 0 ]; then
|
if [ $RC -ne 0 ]; then
|
||||||
echo "Process with different label than the test file and no read access on it can read it"
|
echo "Process with different label than the test file and no read access on it can read it"
|
||||||
exit $RC
|
exit $RC
|
||||||
@@ -25,7 +25,7 @@ fi
|
|||||||
|
|
||||||
# adding read access
|
# adding read access
|
||||||
echo -n "$rule_ro" > $SMACK_PATH/load
|
echo -n "$rule_ro" > $SMACK_PATH/load
|
||||||
python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
|
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
|
||||||
if [ $RC -ne 0 ]; then
|
if [ $RC -ne 0 ]; then
|
||||||
echo "Process with different label than the test file but with read access on it cannot read it"
|
echo "Process with different label than the test file but with read access on it cannot read it"
|
||||||
exit $RC
|
exit $RC
|
||||||
@@ -36,7 +36,7 @@ echo -n "$delrule" > $SMACK_PATH/load
|
|||||||
# changing label of test file to *
|
# changing label of test file to *
|
||||||
# according to SMACK documentation, read access on a * object is always permitted
|
# according to SMACK documentation, read access on a * object is always permitted
|
||||||
chsmack -a '*' $test_file
|
chsmack -a '*' $test_file
|
||||||
python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
|
python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
|
||||||
if [ $RC -ne 0 ]; then
|
if [ $RC -ne 0 ]; then
|
||||||
echo "Process cannot read file with * label"
|
echo "Process cannot read file with * label"
|
||||||
exit $RC
|
exit $RC
|
||||||
@@ -45,7 +45,7 @@ fi
|
|||||||
# changing subject label to *
|
# changing subject label to *
|
||||||
# according to SMACK documentation, every access requested by a star labeled subject is rejected
|
# according to SMACK documentation, every access requested by a star labeled subject is rejected
|
||||||
TOUCH=`which touch`
|
TOUCH=`which touch`
|
||||||
python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
|
python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
|
||||||
ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
|
ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
|
||||||
if [ $RC -ne 0 ];then
|
if [ $RC -ne 0 ];then
|
||||||
echo "Process with label '*' should not have any access"
|
echo "Process with label '*' should not have any access"
|
||||||
|
|||||||
Reference in New Issue
Block a user