PERFORCE change 131757 for review
Zhouyi ZHOU
zhouzhouyi at FreeBSD.org
Wed Dec 26 23:57:50 PST 2007
http://perforce.freebsd.org/chv.cgi?CH=131757
Change 131757 by zhouzhouyi at zhouzhouyi_mactest on 2007/12/27 07:57:39
style modification
Affected files ...
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/macping.c#4 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/misc.sh#25 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/netinet/00.t#4 edit
.. //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/netinet/01.t#3 edit
Differences ...
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/macping.c#4 (text+ko) ====
@@ -60,7 +60,7 @@
#include "mactest.h"
-
+const char *macconf_file = NULL;
struct tv32 {
int32_t tv32_sec;
int32_t tv32_usec;
@@ -181,6 +181,7 @@
if (i < 0) {
warn("sendto");
close(logfd);
+ machookmatch(macconf_file, getpid());
exit(1);
} else {
warn("%s: partial write: %d of %d bytes",
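Review bot: `macconf_file` is passed to `machookmatch()` unguarded on the `sendto` failure path, and it is initialised to NULL, so it is presumably still NULL whenever no configuration file was given on the command line. `machookmatch` is not visible here; unless it is known to accept NULL, the call should read `if (macconf_file != NULL) machookmatch(macconf_file, getpid());`. The call also runs after `close(logfd)`, which is worth confirming if the hook check depends on that descriptor. To make the call possible, the first hunk gives the variable external linkage; `static const char *macconf_file = NULL;` would keep it private to macping.c if no other file refers to it. The enclosing function starts and ends outside the hunk.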
@@ -210,7 +211,6 @@
const char *label_string = NULL;
const char *socket_label = NULL;
char *target = NULL;
- const char *macconf_file = NULL;
int pid;
char buf[10];
int flags;
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/misc.sh#25 (text+ko) ====
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/netinet/00.t#4 (text+ko) ====
@@ -1,62 +1,76 @@
#!/bin/sh
-# $FreeBSD: src/tools/regression/mactest/tests/netinet/00.t,v 1.2 2007/01/25 20:50:02 zhouzhouyi Exp $
+# $FreeBSD$
-desc="manipulate fifo files"
+desc="test mandatory access control hooks for the interface relabelling"
dir=`dirname $0`
. ${dir}/../misc.sh
-echo "1..3"
+
+dir=`dirname $0`
+. ${dir}/../misc.sh
+case "${os}" in
+FreeBSD)
-#turn off all the switches
-for i in `sysctl security.mac | grep "\.enabled"|
- sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
-sysctl ${i}=0
-done
+ mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
+ mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
+ mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
-mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
-mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
-mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
+ if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
+ [ "${mac_test_support}" != "" ]; then
+#turn off all the switches
+ for i in `sysctl security.mac | grep "\.enabled"|
+ sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
+ sysctl ${i}=0 >/dev/null
+ done
-if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
- [ "${mac_test_support}" != "" ]; then
- dvplabel=`getfmac ".."| sed 's/\(\.\.:\ \)\([a-z\,\/]*\)/\2/`;
+ if [ -f ${mactest_conf} ]; then
+ rm ${mactest_conf}
+ fi
+ touch ${mactest_conf}
+
+ timewait=`netstat -p tcp|grep 1234|grep TIME_WAIT`
+ if [ "${#timewait}" -eq 0 ]; then
- if [ -f ${mactest_conf} ]; then
- rm ${mactest_conf}
- fi
- touch ${mactest_conf}
+ echo "1..3"
+ sysctl security.mac.mls.enabled=1 > /dev/null
+ sysctl security.mac.mls.revocation_enabled=1 > /dev/null
+ sysctl security.mac.test.pseudoinit=1 > /dev/null
+ ifconfig mac_test0 192.167.0.33
+ ifconfig mac_test1 192.167.1.34
-#############################################################
- t=`sysctl security.mac.mls.enabled=1`
- echo "enforcing mac/mls!"
- t=`sysctl security.mac.mls.revocation_enabled=1`
- echo "enabling revoking"
- t=`sysctl security.mac.test.pseudoinit=1`
- t=`ifconfig mac_test0 192.167.0.33`
- t=`ifconfig mac_test1 192.167.1.34`
- echo "enabling mactest pseudo interface"
#case 1,2,3: set the maclabel of the interface, effective, range or both is allowed, while
# the subject should be priviledeged.
-
- mactestexpect "setifmac:.Operation.not.permitted" "" -m "biba/high(high-high)" \
- -f ${mactest_conf} system ifconfig mac_test0 maclabel "mls/low\(low-high\)"
- mactestexpect "setifmac:.Operation.not.permitted" "" -m "mls/low(low-low)" \
- -f ${mactest_conf} system ifconfig mac_test0 maclabel "mls/low\(low-high\)"
- echo -n "pid = -2 mac_test_check_ifnet_relabel:" > ${mactest_conf}
- echo "biba/high(low-high),mls/low(low-high) mls/low(low-high) biba/,mls/low(low-high)" >> ${mactest_conf}
- mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \
- -f ${mactest_conf} system ifconfig mac_test0 maclabel "mls/low\(low-high\)"
-
+#case 1
+ mactestexpect "setifmac:.Operation.not.permitted" "" \
+ -m "biba/high(high-high)" \
+ -f ${mactest_conf} system ifconfig mac_test0 \
+ maclabel "mls/low\(low-high\)"
+#case 2
+ mactestexpect "setifmac:.Operation.not.permitted" "" \
+ -m "mls/low(low-low)" \
+ -f ${mactest_conf} system ifconfig mac_test0 \
+ maclabel "mls/low\(low-high\)"
+#case 3
+ echo -n "pid = -2 ifnet_check_relabel:" > ${mactest_conf}
+ echo "biba/high(low-high),mls/low(low-high) mls/low(low-high) biba/,mls/low(low-high)" >> ${mactest_conf}
+ mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \
+ -f ${mactest_conf} system ifconfig mac_test0 maclabel "mls/low\(low-high\)"
#cleanup:
- t=`sysctl security.mac.mls.enabled=0`
- echo "disabling mac/mls!"
-
-
- rm ${mactest_conf}
-fi
+ sysctl security.mac.mls.enabled=0 >/dev/null
+ sysctl security.mac.biba.enabled=0 > /dev/null
+ rm ${mactest_conf}
+#ping received, no firewall
+ fi
+#mac_mls mac_biba and mac_test support
+ fi
+ ;;
+*)
+ quick_exit
+ ;;
+esac
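Review bot: The loop under `#turn off all the switches` sets every `security.mac.*.enabled` sysctl to 0 and the cleanup never puts the earlier values back, so a run leaves the host with its MAC policy enforcement switched off. `security.mac.mls.revocation_enabled` and `security.mac.test.pseudoinit` are likewise set to 1 and never reset. The values should be recorded before the loop and restored in the cleanup, as sketched below; 01.t has the same loop and needs the same treatment. Separately, the added `. ${dir}/../misc.sh` line repeats the context line just above it, so misc.sh is sourced twice.

```shell
#turn off all the switches, remembering what each one was set to
		saved_mac=`sysctl -e security.mac | grep "\.enabled="`
		for i in ${saved_mac}; do
			sysctl ${i%%=*}=0 >/dev/null
		done
# … unchanged: mactest_conf setup and cases 1-3 …
#cleanup: put every policy switch back to its saved value
			for i in ${saved_mac}; do
				sysctl ${i} >/dev/null
			done
			rm ${mactest_conf}
```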
==== //depot/projects/soc2007/zhouzhouyi_mactest_soc/regression/mactest/tests/netinet/01.t#3 (text+ko) ====
@@ -1,84 +1,81 @@
#!/bin/sh
-# $FreeBSD: src/tools/regression/mactest/tests/netinet/01.t,v 1.2 2007/01/25 20:50:02 zhouzhouyi Exp $
+# $FreeBSD$
-desc="test the ifnet transmit"
+desc="test mandatory access control for the ifnet transmit"
-
dir=`dirname $0`
. ${dir}/../misc.sh
-echo "1..5"
+case "${os}" in
+FreeBSD)
+
+ mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
+ mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
+ mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
+ if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
+ [ "${mac_test_support}" != "" ]; then
#turn off all the switches
-for i in `sysctl security.mac | grep "\.enabled"|
- sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
-sysctl ${i}=0
-done
+ for i in `sysctl security.mac | grep "\.enabled"|
+ sed 's/\([a-z\.]*\.enabled\)\(:\ \)\([01]\)/\1/`; do
+ sysctl ${i}=0 >/dev/null
+ done
-mac_mls_support=`sysctl -n security.mac.mls.enabled 2>/dev/null`
-mac_biba_support=`sysctl -n security.mac.biba.enabled 2>/dev/null`
-mac_test_support=`sysctl -n security.mac.test.pseudoinit 2>/dev/null`
+ if [ -f ${mactest_conf} ]; then
+ rm ${mactest_conf}
+ fi
+ touch ${mactest_conf}
+ setfmac "mls/equal,biba/equal" ${mactest_conf}
-if [ "${mac_mls_support}" != "" ] && [ "${mac_biba_support}" != "" ] &&
- [ "${mac_test_support}" != "" ]; then
- dvplabel=`getfmac ".."| sed 's/\(\.\.:\ \)\([a-z\,\/]*\)/\2/`;
+ sysctl security.mac.test.pseudoinit=1 > /dev/null
+ ifconfig mac_test0 192.167.0.33 > /dev/null
+ ifconfig mac_test1 192.167.1.34 > /dev/null
-
- if [ -f ${mactest_conf} ]; then
- rm ${mactest_conf}
- fi
- touch ${mactest_conf}
-
- t=`sysctl security.mac.test.pseudoinit=1`
- t=`ifconfig mac_test0 192.167.0.33`
- t=`ifconfig mac_test1 192.167.1.34`
- echo "enabling mactest pseudo interface"
-
#ensuring there is no firewall thing
- notreceived=`${macping} -f ${mactest_conf} -t 2 192.167.0.34`
- if [ "${#notreceived}" -eq 0 ]; then
+ notreceived=`${macping} -f ${mactest_conf} -t 2 192.167.0.34`
+
+ if [ "${#notreceived}" -eq 0 ]; then
+ echo "1..5"
-
+ sysctl security.mac.mls.enabled=1 > /dev/null
+ sysctl security.mac.biba.enabled=1 > /dev/null
-
-#############################################################
- t=`sysctl security.mac.mls.enabled=1`
- echo "enforcing mac/mls!"
- t=`sysctl security.mac.biba.enabled=1`
- echo "enforcing mac/biba!"
-
-
#case 1: set the maclabel of the interface
# the subject should be priviledeged.
- mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \
- -f ${mactest_conf} system ifconfig mac_test0 maclabel \
- "mls/5\(4-6\),biba/low\(low-low\)"
+ mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \
+ -f ${mactest_conf} system ifconfig mac_test0 maclabel \
+ "mls/5\(4-6\),biba/low\(low-low\)"
+
#case 2: the packet's level must between the range of the interface
- bizarretestexpect ${macping} "macping:.sendto:.Permission.denied" \
- "" -m "mls/9(low-high)" -f ${mactest_conf} -t 1 192.167.0.34
+ bizarretestexpect ${macping} "macping:.sendto:.Permission.denied" \
+ "" -m "mls/9(low-high)" -f ${mactest_conf} -t 1 192.167.0.34
+
#case 3: the packet's level is between the range of the interface
- bizarretestexpect ${macping} "" \
- "" -m "mls/5,biba/low" -f ${mactest_conf} -t 1 192.167.0.34
+ bizarretestexpect ${macping} "" \
+ "" -m "mls/5,biba/low" -f ${mactest_conf} -t 1 192.167.0.34
+
#case 4: also do check for biba
- mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \
- -f ${mactest_conf} system ifconfig mac_test0 maclabel "biba/5\(4-6\)"
+ mactestexpect "" "" -m "biba/high(low-high),mls/low(low-high)" \
+ -f ${mactest_conf} system ifconfig mac_test0 maclabel "biba/5\(4-6\)"
+
#case 5:
- echo -n "pid = -2 mac_test_check_ifnet_transmit:" > ${mactest_conf}
- echo "biba/5(4-6),mls/5(4-6) biba/9,mls/low" >> ${mactest_conf}
- bizarretestexpect ${macping} "macping:.sendto:.Permission.denied" \
- "" -m "biba/9" -f ${mactest_conf} -t 1 192.167.0.34
+ echo -n "pid = -2 ifnet_check_transmit:" > ${mactest_conf}
+ echo "biba/5(4-6),mls/5(4-6) biba/9,mls/low" >> ${mactest_conf}
+ bizarretestexpect ${macping} "macping:.sendto:.Permission.denied"\
+ "" -m "biba/9" -f ${mactest_conf} -t 1 192.167.0.34
#cleanup:
- t=`sysctl security.mac.mls.enabled=0`
- echo "disabling mac/mls!"
- t=`sysctl security.mac.biba.enabled=0`
- echo "disabling mac/biba!"
-
-
- rm ${mactest_conf}
- fi
-
-fi
-
+ sysctl security.mac.mls.enabled=0 >/dev/null
+ sysctl security.mac.biba.enabled=0 > /dev/null
+ rm ${mactest_conf}
+#ping received, no firewall
+ fi
+#mac_mls mac_biba and mac_test support
+ fi
+ ;;
+*)
+ quick_exit
+ ;;
+esac
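Review bot: When the probe `${macping} -f ${mactest_conf} -t 2 192.167.0.34` produces output, the script falls through to `esac` without any cleanup, because `rm ${mactest_conf}` sits only inside the inner `if`. On that path `security.mac.test.pseudoinit` stays at 1, mac_test0 and mac_test1 keep their addresses, and `${mactest_conf}` remains on disk labelled `mls/equal,biba/equal`. Moving the `rm` (and a pseudoinit reset, if one is wanted) after the inner `fi` would cover both paths. On the same path, and when the MAC sysctls are absent, no plan line is printed either, since `echo "1..5"` now sits inside the inner `if`; whether the harness treats that as a skip or a failure depends on code not shown here.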