Diffstat (limited to 'lib/oeqa/runtime/cases/smack.py')
-rw-r--r-- | lib/oeqa/runtime/cases/smack.py | 142 |
1 files changed, 15 insertions, 127 deletions
diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py
index 35e87ef..6b87574 100644
--- a/lib/oeqa/runtime/cases/smack.py
+++ b/lib/oeqa/runtime/cases/smack.py
@@ -15,22 +15,19 @@ class SmackBasicTest(OERuntimeTestCase):
 @classmethod
 def setUpClass(cls):
- cls.smack_path = ""
 cls.current_label = ""
 cls.uid = 1000
+ status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
+ cls.smack_path = output
 @skipIfNotFeature('smack', 'Test requires smack to be in DISTRO_FEATURES')
 @OEHasPackage(['smack-test'])
 @OETestDepends(['ssh.SSHTest.test_ssh'])
 def test_smack_basic(self):
- status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
- self.smack_path = output
 status,output = self.target.run("cat /proc/self/attr/current")
 self.current_label = output.strip()
-class SmackAccessLabel(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_add_access_label(self):
 ''' Test if chsmack can correctly set a SMACK label '''
@@ -43,19 +40,17 @@ class SmackAccessLabel(SmackBasicTest):
 "Status and output: %d %s" %(status, output))
 status, output = self.target.run("chsmack %s" %filename)
 self.target.run("rm %s" %filename)
- m = re.search('(?<=access=")\S+(?=")', output)
+ m = re.search('(access=")\S+(?=")', output)
 if m is None:
 self.fail("Did not find access attribute")
 else:
- label_retrieved = m .group(0)
+ label_retrieved = re.split("access=\"", output)[1][:-1]
 self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " "%s %s" %(LABEL,label_retrieved))
-class SmackExecLabel(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_add_exec_label(self):
 '''Test if chsmack can correctly set a SMACK Exec label'''
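Review bot: `cls.smack_path = output` in the new setUpClass lines stores the raw result of the grep/awk pipeline without looking at `status` and without stripping it, so an image where smackfs is not mounted leaves `smack_path` empty and later lines such as `'echo -n "%s" > %s/load' %(clean, self.smack_path)` would then target `/load`. Validate the value before any test runs, e.g. `cls.smack_path = output.strip()` followed by `if status != 0 or not cls.smack_path: raise unittest.SkipTest("smackfs is not mounted")`. The instance-versus-class problem fixed here for `smack_path` still applies to `self.current_label`, which test_smack_basic sets on its own test instance. Since unittest normally builds a fresh instance per test method, the notroot.py calls probably still receive the class default `""`, and reading the label in setUpClass as well would close that gap.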
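Review bot: `label_retrieved = re.split("access=\"", output)[1][:-1]` takes everything after `access="` up to the last character of the output, so it yields the label only when the closing quote is the final character. Any further attribute or trailing text printed by chsmack ends up inside the compared value, and the new `re.search` serves only as a presence check. A capture group keeps matching and extraction together: `m = re.search(r'access="([^"]+)"', output)` and `label_retrieved = m.group(1)`; the raw string also removes the `\S` escape from a plain literal. The execute, mmap and transmute hunks that follow repeat the same pattern and need the same change.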
@@ -68,19 +63,17 @@ class SmackExecLabel(SmackBasicTest):
 "Status and output: %d %s" %(status, output))
 status, output = self.target.run("chsmack %s" %filename)
 self.target.run("rm %s" %filename)
- m= re.search('(?<=execute=")\S+(?=")', output)
+ m= re.search('(execute=")\S+(?=")', output)
 if m is None:
 self.fail("Did not find execute attribute")
 else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("execute=\"", output)[1][:-1]
 self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved))
-class SmackMmapLabel(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_add_mmap_label(self):
 '''Test if chsmack can correctly set a SMACK mmap label'''
@@ -93,19 +86,17 @@ class SmackMmapLabel(SmackBasicTest):
 "Status and output: %d %s" %(status, output))
 status, output = self.target.run("chsmack %s" %filename)
 self.target.run("rm %s" %filename)
- m = re.search('(?<=mmap=")\S+(?=")', output)
+ m = re.search('(mmap=")\S+(?=")', output)
 if m is None:
 self.fail("Did not find mmap attribute")
 else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("mmap=\"", output)[1][:-1]
 self.assertEqual( LABEL, label_retrieved, "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved))
-class SmackTransmutable(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_add_transmutable(self):
 '''Test if chsmack can correctly set a SMACK transmutable mode'''
@@ -117,19 +108,17 @@ class SmackTransmutable(SmackBasicTest):
 "Status and output: %d %s" %(status, output))
 status, output = self.target.run("chsmack %s" %directory)
 self.target.run("rmdir %s" %directory)
- m = re.search('(?<=transmute=")\S+(?=")', output)
+ m = re.search('(transmute=")\S+(?=")', output)
 if m is None:
 self.fail("Did not find transmute attribute")
 else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("transmute=\"", output)[1][:-1]
 self.assertEqual( "TRUE", label_retrieved, "label not set correctly. expected and gotten: " + "%s %s" %(LABEL,label_retrieved))
-class SmackChangeSelfLabelPrivilege(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_privileged_change_self_label(self):
 '''Test if privileged process (with CAP_MAC_ADMIN privilege)
@@ -137,16 +126,14 @@ class SmackChangeSelfLabelPrivilege(SmackBasicTest):
 '''
 labelf = "/proc/self/attr/current"
- command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+ command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)
 status, output = self.target.run(
- "notroot.py 0 %s %s" %(self.current_label, command))
+ "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))
 self.assertIn("PRIVILEGED", output, "Privilege process did not change label.Output: %s" %output)
-class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_unprivileged_change_self_label(self):
 '''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
@@ -154,7 +141,7 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
 command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
 status, output = self.target.run(
- "notroot.py %d %s %s"
+ "/usr/sbin/notroot.py %d %s %s"
 %(self.uid, self.current_label, command) + " 2>&1 | grep 'Operation not permitted'" )
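Review bot: Moving the closing quote in `command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s"` puts the `cat` of /proc/self/attr/current outside the `sh -c` string. Once the whole line is handed to `self.target.run`, the `;` is presumably interpreted by the login shell, and `cat` then reports that shell's own label rather than the label of the process notroot.py started. The `assertIn("PRIVILEGED", output, ...)` check therefore no longer observes the process that performed the write, assuming notroot.py executes only the arguments it is given. Keeping the read inside the child, `"/bin/sh -c 'echo PRIVILEGED >%s; cat %s'"`, preserves what the test is meant to prove. The method's docstring begins before this hunk.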
@@ -163,8 +150,6 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
 "Unprivileged process should not be able to change its label")
-class SmackChangeFileLabelPrivilege(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_unprivileged_change_file_label(self):
 '''Test if unprivileged process cannot change file labels'''
@@ -174,17 +159,15 @@ class SmackChangeFileLabelPrivilege(SmackBasicTest):
 filename = "/tmp/test_unprivileged_change_file_label"
 self.target.run("touch %s" % filename)
- self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+ self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
 status, output = self.target.run(
- "notroot.py " +
+ "/usr/sbin/notroot.py " +
 "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) + "| grep 'Operation not permitted'" )
 self.target.run("rm %s" % filename)
 self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename)
-class SmackLoadRule(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_load_smack_rule(self):
 '''Test if new smack access rules can be loaded'''
@@ -211,8 +194,6 @@ class SmackLoadRule(SmackBasicTest):
 self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
-class SmackOnlycap(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_onlycap(self):
 '''Test if smack onlycap label can be set
@@ -223,7 +204,6 @@ class SmackOnlycap(SmackBasicTest):
 status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh")
 self.assertEqual(status, 0, output)
-class SmackNetlabel(SmackBasicTest):
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_netlabel(self):
@@ -246,7 +226,6 @@ class SmackNetlabel(SmackBasicTest):
 test_label, output, "Did not find expected label in output: %s" %output)
-class SmackCipso(SmackBasicTest):
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_cipso(self):
@@ -287,7 +266,6 @@ class SmackCipso(SmackBasicTest):
 self.assertEqual(status, 0, "Cipso rule C was not set")
 self.assertIn("/17,33", output, "Rule C was not set correctly")
-class SmackDirect(SmackBasicTest):
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_direct(self):
@@ -308,8 +286,6 @@ class SmackDirect(SmackBasicTest):
 "Smack direct label does not match.")
-class SmackAmbient(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_ambient(self):
 test_ambient = "test_ambient"
@@ -330,8 +306,6 @@ class SmackAmbient(SmackBasicTest):
 "Ambient label does not match")
-class SmackloadBinary(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smackload(self):
 '''Test if smackload command works'''
@@ -345,8 +319,6 @@ class SmackloadBinary(SmackBasicTest):
 self.assertEqual(status, 0, "Smackload rule was loaded correctly")
-class SmackcipsoBinary(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smackcipso(self):
 '''Test if smackcipso command works'''
@@ -362,8 +334,6 @@ class SmackcipsoBinary(SmackBasicTest):
 self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output)
-class SmackEnforceFileAccess(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_enforce_file_access(self):
 '''Test if smack file access is enforced (rwx)
@@ -375,82 +345,6 @@ class SmackEnforceFileAccess(SmackBasicTest):
 self.assertEqual(status, 0, output)
-class SmackEnforceMmap(SmackBasicTest):
-
- @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
- def test_smack_mmap_enforced(self):
- '''Test if smack mmap access is enforced'''
- raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-
- # 12345678901234567890123456789012345678901234567890123456
- delr1="mmap_label mmap_test_label1 -----"
- delr2="mmap_label mmap_test_label2 -----"
- delr3="mmap_file_label mmap_test_label1 -----"
- delr4="mmap_file_label mmap_test_label2 -----"
-
- RuleA="mmap_label mmap_test_label1 rw---"
- RuleB="mmap_label mmap_test_label2 r--at"
- RuleC="mmap_file_label mmap_test_label1 rw---"
- RuleD="mmap_file_label mmap_test_label2 rwxat"
-
- mmap_label="mmap_label"
- file_label="mmap_file_label"
- test_file = "/usr/sbin/smack_test_mmap"
- mmap_exe = "/tmp/mmap_test"
- status, echo = self.target.run("which echo")
- status, output = self.target.run(
- "notroot.py %d %s %s 'test' > %s" \
- %(self.uid, self.current_label, echo, test_file))
- status, output = self.target.run("ls %s" %test_file)
- self.assertEqual(status, 0, "Could not create mmap test file")
- self.target.run("chsmack -m %s %s" %(file_label, test_file))
- self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-
- # test with no rules with mmap label or exec label as subject
- # access should be granted
- self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access without rules. Output: %s" %output)
-
- # add rules that do not match access required
- self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with unmatching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with unmatching rules")
-
- # add rule to match only partially (one way)
- self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with partial matching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with partial matching rules")
-
- # add rule to match fully
- self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access with full matching rules." +
- "Output: %s" %output)
-
-
-class SmackEnforceTransmutable(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_transmute_dir(self):
 '''Test if smack transmute attribute works
@@ -473,8 +367,6 @@ class SmackEnforceTransmutable(SmackBasicTest):
 "Did not get expected label. Output: %s" % output)
-class SmackTcpSockets(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_tcp_sockets(self):
 '''Test if smack is enforced on tcp sockets
@@ -485,8 +377,6 @@ class SmackTcpSockets(SmackBasicTest):
 self.assertEqual(status, 0, output)
-class SmackUdpSockets(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_udp_sockets(self):
 '''Test if smack is enforced on udp sockets
@@ -497,8 +387,6 @@ class SmackUdpSockets(SmackBasicTest):
 self.assertEqual(status, 0, output)
-class SmackFileLabels(SmackBasicTest):
-
 @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
 def test_smack_labels(self):
 '''Check for correct Smack labels.''' |