From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: "Vladimir D. Seleznev" To: devel-kernel@lists.altlinux.org Date: Wed, 1 Jun 2022 23:17:51 +0000 Message-Id: <20220601231751.326920-2-vseleznv@altlinux.org> X-Mailer: git-send-email 2.33.3 In-Reply-To: <20220601231751.326920-1-vseleznv@altlinux.org> References: <20220530213135.38935-1-vseleznv@altlinux.org> <20220601231751.326920-1-vseleznv@altlinux.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [d-kernel] [PATCH v6 2/2] AltHa: add tests X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jun 2022 23:18:02 -0000 Archived-At: List-Archive: List-Post: --- security/altha/altha-test.sh | 114 +++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100755 security/altha/altha-test.sh diff --git a/security/altha/altha-test.sh b/security/altha/altha-test.sh new file mode 100755 index 000000000000..5de4c66b643b --- /dev/null +++ b/security/altha/altha-test.sh 
@@ -0,0 +1,114 @@
+#!/bin/bash -efu
+# SPDX-License-Identifier: GPL-2.0
+#
+# AltHa test for nosuid feature
+
+sysctl -q kernel.altha.nosuid.enabled >/dev/null || {
+ echo >&2 "AltHa is not enabled, quitting"
+ exit 2
+}
+
+ret=0
+
+num_failed=0
+num_tests=0
+
+nosuid_enabled=kernel.altha.nosuid.enabled
+nosuid_exeptions=kernel.altha.nosuid.exceptions
+ID_CMD=/usr/bin/id
+NC_CMD=/usr/bin/nc
+
+tmpdir="$(mktemp -d)"
+cleanup()
+{
+ [ ! -f "$tmpdir/id_perms" ] ||
+ chmod "$(cat "$tmpdir/id_perms")" "$ID_CMD"
+
+ local caps
+ if [ -f "$tmpdir/nc_caps" ]; then
+ caps="$(cat "$tmpdir/nc_caps")"
+ setcap "${caps:--r}" "$NC_CMD"
+ fi
+
+ [ ! -f "$tmpdir/nosuid_enabled" ] ||
+ sysctl "$nosuid_enabled=$(cat "$tmpdir/nosuid_enabled")"
+
+ [ ! -f "$tmpdir/nosuid_exceptions" ] ||
+ sysctl "$nosuid_exeptions=$(cat "$tmpdir/nosuid_exceptions")"
+
+ rm -r "$tmpdir"
+ exit "$@"
+}
+trap 'cleanup $?' EXIT QUIT INT ERR
+
+save_altha_state()
+{
+ sysctl "$nosuid_enabled" |cut -f3 -d' ' > "$tmpdir/nosuid_enabled"
+ sysctl "$nosuid_exeptions" |cut -f3 -d' ' > "$tmpdir/nosuid_exceptions"
+}
+
+run_test()
+{
+ local test_cmd="$1"; shift
+ local test_cond="$1"; shift
+
+ while IFS=$'\t' read -r precond expres; do
+ num_tests=$((num_tests + 1))
+
+ eval "$precond"
+ eval "$test_cmd" >"$tmpdir/result" 2>&1 ||:
+
+ if [ "$(cat "$tmpdir/result")" != "$expres" ]; then
+ echo >&2 "$test_cmd FAILED with $precond"
+ echo >&2 "expected result: $expres"
+ echo >&2 "actual result: $(cat "$tmpdir/result")"
+ num_failed=$((num_failed + 1))
+ fi
+ done <"$test_cond"
+}
+
+check_setuid()
+{
+ # save id perm and make it setuid
+ stat -c '%a' "$ID_CMD" > "$tmpdir/id_perms"
+ chmod 4755 "$ID_CMD"
+
+ local nobody_uid
+ nobody_uid="$(grep -E '^\' /etc/passwd |cut -f3 -d:)"
+
+ cat <"$tmpdir/setuid_test"
+sysctl $nosuid_enabled=0 0
+sysctl $nosuid_enabled=1 $nobody_uid
+sysctl $nosuid_exeptions=$ID_CMD 0
+EOF
+
+
+ run_test 'su nobody -s /bin/bash -c "id -u"' "$tmpdir/setuid_test"
+}
+
+check_setcap()
+{
+ 
getcap "$NC_CMD" |cut -d' ' -f3 > "$tmpdir/nc_caps"
+ setcap cap_net_bind_service,cap_net_admin+ep "$NC_CMD"
+
+ cat <"$tmpdir/setcap_test"
+sysctl $nosuid_enabled=0
+sysctl $nosuid_enabled=1 nc: Permission denied
+sysctl $nosuid_exeptions=$NC_CMD
+EOF
+
+ run_test "timeout 1 "$NC_CMD" -l 80" "$tmpdir/setcap_test"
+}
+
+save_altha_state
+check_setuid
+check_setcap
+
+if [ "$num_failed" -ne 0 ]; then
+ echo >&2 "$num_failed of $num_tests tests FAILED"
+ ret=1
+else
+ echo >&2 "All $num_tests tests succeed"
+fi
+
+exit $ret
-- 
2.33.3
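Review bot: The test makes the live `/usr/bin/id` setuid-root (`chmod 4755` in `check_setuid`) and grants `/usr/bin/nc` `cap_net_admin` (the `setcap` in `check_setcap`), and undoing that depends entirely on `cleanup` reading back `$tmpdir/id_perms` and `$tmpdir/nc_caps`; a SIGKILL or reboot mid-run, or a `getcap` line whose third space-separated field is empty (newer libcap prints `path cap=ep` rather than `path = cap+ep`, as far as I recall), leaves the host with an escalated binary or strips nc's original capabilities via the `-r` fallback. I would at least re-check at the end of `cleanup` that the restore took — `[ "$(stat -c '%a' "$ID_CMD")" = "$(cat "$tmpdir/id_perms")" ] || echo >&2 "WARNING: $ID_CMD mode not restored"` — and parse `getcap` with a pattern that tolerates both output formats instead of a fixed `cut` field. Separately, `cleanup` can run twice on an error path (the ERR trap calls `exit "$@"`, which fires the EXIT trap again), and the second `rm -r "$tmpdir"` then fails under `-e` and replaces the original exit status; `trap - EXIT ERR` as the first line of `cleanup` avoids that. The here-doc (`cat <"$tmpdir/setuid_test"`) and the `grep -E '^\'` pattern in `check_setuid` look mangled by the archive, so the intended `/etc/passwd` lookup cannot be reviewed here; note also that `su nobody -c "id -u"` resolves `id` through PATH, which only exercises AltHa if that resolves to the same `$ID_CMD` that was made setuid.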