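#!/bin/sh
#
# Smack file-access test.
#
# Checks the Smack access decision between a subject label ("TheOne") and an
# object label ("TheOther") on a regular file, then the two wildcard cases:
# an object labeled "*" and a subject labeled "*".  Every probe is run as an
# unprivileged user through $TMP/notroot.py (not part of this file); from
# the way it is invoked below it is assumed to take "<uid> <label> <cmd...>"
# and exec <cmd> with that uid and Smack label -- confirm against the helper.
#
# Must run as root with smackfs mounted.  Exits 0 when every check passes,
# otherwise non-zero with a one-line explanation on stdout.
#
# NOTE(review): root executes an interpreter on a fixed path under the
# world-writable $TMP; anyone who can write $TMP/notroot.py first runs code
# as root.  Shipping the helper from a root-owned location would be safer.

# The probes match error text printed by cat; pin the locale so a translated
# "Permission denied" does not turn into a false failure.
LC_ALL=C
export LC_ALL

# Mount point of smackfs, selected by filesystem type rather than by a
# substring match so an unrelated mount whose path merely contains "smack"
# cannot be picked up.  Refuse to run if it is not mounted: with an empty
# SMACK_PATH the rule writes below would go to "/load".
SMACK_PATH=$(awk '$3 == "smackfs" { print $2; exit }' /proc/mounts)
if [ -z "$SMACK_PATH" ]; then
	echo "smackfs is not mounted; cannot run the Smack file access test" >&2
	exit 1
fi

RC=0
TMP="/tmp"
uid=1000
CAT=$(command -v cat)
ECHO=$(command -v echo)
TOUCH=$(command -v touch)

if [ ! -r "$TMP/notroot.py" ]; then
	echo "$TMP/notroot.py is missing; cannot run unprivileged probes" >&2
	exit 1
fi

# This script runs as root, so do not write to a fixed, predictable name in
# the world-writable $TMP (symlink substitution).  mktemp picks a fresh name
# and creates it 0600; the probes below must be allowed by DAC so that only
# the Smack decision is measured, hence the explicit chmod.
test_file=$(mktemp "$TMP/smack_test_access_file.XXXXXX") || exit 1
chmod 0644 "$test_file"
# Name for the "* subject" probe.  It must NOT exist before the probe runs,
# or a leftover from an earlier run would fail the check for the wrong
# reason; -u only generates the name, the probe is expected not to create it.
test_file_2=$(mktemp -u "$TMP/smack_test_star_file.XXXXXX") || exit 1

# Remove both files on every exit path so repeated runs start clean.
cleanup() {
	rm -f -- "$test_file" "$test_file_2"
}
trap cleanup EXIT

# The redirection is performed by this (root) shell; the helper only supplies
# the bytes.  The file then gets the object label under test.
python "$TMP/notroot.py" "$uid" "TheOther" "$ECHO" 'TEST' > "$test_file"
chsmack -a "TheOther" "$test_file"

# Rule lines in the fixed-column format accepted by smackfs "load"
# (subject, object, access).  Byte-exact; do not reflow.
#        12345678901234567890123456789012345678901234567890123456
delrule="TheOne                  TheOther                -----"
rule_ro="TheOne                  TheOther                r----"

# 1. With no "TheOne -> TheOther" rule the read must be denied.  Only stderr
#    is examined (stdout is discarded after stderr is joined to the pipe).
#    Any other "Permission denied" would satisfy this check too, which is
#    why DAC was opened up on the file above.
printf '%s' "$delrule" > "$SMACK_PATH/load"
python "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" 2>&1 1>/dev/null \
	| grep -q "Permission denied" || RC=$?
if [ $RC -ne 0 ]; then
	echo "Process with different label than the test file and no read access on it can read it"
	exit $RC
fi

# 2. Grant read access: the same probe must now return the file contents.
printf '%s' "$rule_ro" > "$SMACK_PATH/load"
python "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" | grep -q "TEST" || RC=$?
if [ $RC -ne 0 ]; then
	echo "Process with different label than the test file but with read access on it cannot read it"
	exit $RC
fi

# 3. Drop the rule again and relabel the object "*".  According to the Smack
#    documentation read access on a "*" object is always permitted, so the
#    read must succeed without any rule.
printf '%s' "$delrule" > "$SMACK_PATH/load"
chsmack -a '*' "$test_file"
python "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" | grep -q "TEST" || RC=$?
if [ $RC -ne 0 ]; then
	echo "Process cannot read file with * label"
	exit $RC
fi

# 4. Subject labeled "*": every access requested by a "*" subject is
#    rejected, so touch must not be able to create the file.  Test for the
#    file directly instead of matching ls's error text.
python "$TMP/notroot.py" "$uid" '*' "$TOUCH" "$test_file_2"
if [ -e "$test_file_2" ]; then
	echo "Process with label '*' should not have any access"
	exit 1
fi
exit 0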