aboutsummaryrefslogtreecommitdiffstats
path: root/lib/oeqa/runtime/cases/smack.py
diff options
context:
space:
mode:
Diffstat (limited to 'lib/oeqa/runtime/cases/smack.py')
-rw-r--r--lib/oeqa/runtime/cases/smack.py142
1 files changed, 15 insertions, 127 deletions
diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py
index 35e87ef..6b87574 100644
--- a/lib/oeqa/runtime/cases/smack.py
+++ b/lib/oeqa/runtime/cases/smack.py
@@ -15,22 +15,19 @@ class SmackBasicTest(OERuntimeTestCase):
@classmethod
def setUpClass(cls):
- cls.smack_path = ""
cls.current_label = ""
cls.uid = 1000
+ status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
+ cls.smack_path = output
@skipIfNotFeature('smack',
'Test requires smack to be in DISTRO_FEATURES')
@OEHasPackage(['smack-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_smack_basic(self):
- status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
- self.smack_path = output
status,output = self.target.run("cat /proc/self/attr/current")
self.current_label = output.strip()
-class SmackAccessLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_access_label(self):
''' Test if chsmack can correctly set a SMACK label '''
@@ -43,19 +40,17 @@ class SmackAccessLabel(SmackBasicTest):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m = re.search('(?<=access=")\S+(?=")', output)
+ m = re.search('(access=")\S+(?=")', output)
if m is None:
self.fail("Did not find access attribute")
else:
- label_retrieved = m .group(0)
+ label_retrieved = re.split("access=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: "
"%s %s" %(LABEL,label_retrieved))
-class SmackExecLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_exec_label(self):
'''Test if chsmack can correctly set a SMACK Exec label'''
@@ -68,19 +63,17 @@ class SmackExecLabel(SmackBasicTest):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m= re.search('(?<=execute=")\S+(?=")', output)
+ m= re.search('(execute=")\S+(?=")', output)
if m is None:
self.fail("Did not find execute attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("execute=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
"%s %s" %(LABEL,label_retrieved))
-class SmackMmapLabel(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_mmap_label(self):
'''Test if chsmack can correctly set a SMACK mmap label'''
@@ -93,19 +86,17 @@ class SmackMmapLabel(SmackBasicTest):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m = re.search('(?<=mmap=")\S+(?=")', output)
+ m = re.search('(mmap=")\S+(?=")', output)
if m is None:
self.fail("Did not find mmap attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("mmap=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
"%s %s" %(LABEL,label_retrieved))
-class SmackTransmutable(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_add_transmutable(self):
'''Test if chsmack can correctly set a SMACK transmutable mode'''
@@ -117,19 +108,17 @@ class SmackTransmutable(SmackBasicTest):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %directory)
self.target.run("rmdir %s" %directory)
- m = re.search('(?<=transmute=")\S+(?=")', output)
+ m = re.search('(transmute=")\S+(?=")', output)
if m is None:
self.fail("Did not find transmute attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("transmute=\"", output)[1][:-1]
self.assertEqual(
"TRUE", label_retrieved,
"label not set correctly. expected and gotten: " +
"%s %s" %(LABEL,label_retrieved))
-class SmackChangeSelfLabelPrivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_privileged_change_self_label(self):
'''Test if privileged process (with CAP_MAC_ADMIN privilege)
@@ -137,16 +126,14 @@ class SmackChangeSelfLabelPrivilege(SmackBasicTest):
'''
labelf = "/proc/self/attr/current"
- command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+ command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)
status, output = self.target.run(
- "notroot.py 0 %s %s" %(self.current_label, command))
+ "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))
self.assertIn("PRIVILEGED", output,
"Privilege process did not change label.Output: %s" %output)
-class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_unprivileged_change_self_label(self):
'''Test if unprivileged process (without CAP_MAC_ADMIN privilege)
@@ -154,7 +141,7 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
status, output = self.target.run(
- "notroot.py %d %s %s"
+ "/usr/sbin/notroot.py %d %s %s"
%(self.uid, self.current_label, command) +
" 2>&1 | grep 'Operation not permitted'" )
@@ -163,8 +150,6 @@ class SmackChangeSelfLabelUnprivilege(SmackBasicTest):
"Unprivileged process should not be able to change its label")
-class SmackChangeFileLabelPrivilege(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_unprivileged_change_file_label(self):
'''Test if unprivileged process cannot change file labels'''
@@ -174,17 +159,15 @@ class SmackChangeFileLabelPrivilege(SmackBasicTest):
filename = "/tmp/test_unprivileged_change_file_label"
self.target.run("touch %s" % filename)
- self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+ self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
status, output = self.target.run(
- "notroot.py " +
+ "/usr/sbin/notroot.py " +
"%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
"| grep 'Operation not permitted'" )
self.target.run("rm %s" % filename)
self.assertEqual( status, 0, "Unprivileged process changed label for %s" %filename)
-class SmackLoadRule(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_load_smack_rule(self):
'''Test if new smack access rules can be loaded'''
@@ -211,8 +194,6 @@ class SmackLoadRule(SmackBasicTest):
self.target.run('echo -n "%s" > %s/load' %(clean, self.smack_path))
-class SmackOnlycap(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_onlycap(self):
'''Test if smack onlycap label can be set
@@ -223,7 +204,6 @@ class SmackOnlycap(SmackBasicTest):
status, output = self.target.run("sh /usr/sbin/test_smack_onlycap.sh")
self.assertEqual(status, 0, output)
-class SmackNetlabel(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_netlabel(self):
@@ -246,7 +226,6 @@ class SmackNetlabel(SmackBasicTest):
test_label, output,
"Did not find expected label in output: %s" %output)
-class SmackCipso(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_cipso(self):
@@ -287,7 +266,6 @@ class SmackCipso(SmackBasicTest):
self.assertEqual(status, 0, "Cipso rule C was not set")
self.assertIn("/17,33", output, "Rule C was not set correctly")
-class SmackDirect(SmackBasicTest):
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_direct(self):
@@ -308,8 +286,6 @@ class SmackDirect(SmackBasicTest):
"Smack direct label does not match.")
-class SmackAmbient(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_ambient(self):
test_ambient = "test_ambient"
@@ -330,8 +306,6 @@ class SmackAmbient(SmackBasicTest):
"Ambient label does not match")
-class SmackloadBinary(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smackload(self):
'''Test if smackload command works'''
@@ -345,8 +319,6 @@ class SmackloadBinary(SmackBasicTest):
self.assertEqual(status, 0, "Smackload rule was loaded correctly")
-class SmackcipsoBinary(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smackcipso(self):
'''Test if smackcipso command works'''
@@ -362,8 +334,6 @@ class SmackcipsoBinary(SmackBasicTest):
self.assertIn( "2/2", output, "Rule was not set correctly. Got: %s" %output)
-class SmackEnforceFileAccess(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_enforce_file_access(self):
'''Test if smack file access is enforced (rwx)
@@ -375,82 +345,6 @@ class SmackEnforceFileAccess(SmackBasicTest):
self.assertEqual(status, 0, output)
-class SmackEnforceMmap(SmackBasicTest):
-
- @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
- def test_smack_mmap_enforced(self):
- '''Test if smack mmap access is enforced'''
- raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-
- # 12345678901234567890123456789012345678901234567890123456
- delr1="mmap_label mmap_test_label1 -----"
- delr2="mmap_label mmap_test_label2 -----"
- delr3="mmap_file_label mmap_test_label1 -----"
- delr4="mmap_file_label mmap_test_label2 -----"
-
- RuleA="mmap_label mmap_test_label1 rw---"
- RuleB="mmap_label mmap_test_label2 r--at"
- RuleC="mmap_file_label mmap_test_label1 rw---"
- RuleD="mmap_file_label mmap_test_label2 rwxat"
-
- mmap_label="mmap_label"
- file_label="mmap_file_label"
- test_file = "/usr/sbin/smack_test_mmap"
- mmap_exe = "/tmp/mmap_test"
- status, echo = self.target.run("which echo")
- status, output = self.target.run(
- "notroot.py %d %s %s 'test' > %s" \
- %(self.uid, self.current_label, echo, test_file))
- status, output = self.target.run("ls %s" %test_file)
- self.assertEqual(status, 0, "Could not create mmap test file")
- self.target.run("chsmack -m %s %s" %(file_label, test_file))
- self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-
- # test with no rules with mmap label or exec label as subject
- # access should be granted
- self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access without rules. Output: %s" %output)
-
- # add rules that do not match access required
- self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with unmatching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with unmatching rules")
-
- # add rule to match only partially (one way)
- self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with partial matching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with partial matching rules")
-
- # add rule to match fully
- self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access with full matching rules." +
- "Output: %s" %output)
-
-
-class SmackEnforceTransmutable(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_transmute_dir(self):
'''Test if smack transmute attribute works
@@ -473,8 +367,6 @@ class SmackEnforceTransmutable(SmackBasicTest):
"Did not get expected label. Output: %s" % output)
-class SmackTcpSockets(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_tcp_sockets(self):
'''Test if smack is enforced on tcp sockets
@@ -485,8 +377,6 @@ class SmackTcpSockets(SmackBasicTest):
self.assertEqual(status, 0, output)
-class SmackUdpSockets(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_udp_sockets(self):
'''Test if smack is enforced on udp sockets
@@ -497,8 +387,6 @@ class SmackUdpSockets(SmackBasicTest):
self.assertEqual(status, 0, output)
-class SmackFileLabels(SmackBasicTest):
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_labels(self):
'''Check for correct Smack labels.'''
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-27 21:52:57 +0000