From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Fri, 3 Jun 2022 03:24:49 +0300 From: Vitaly Chikunov To: ALT Linux kernel packages development Message-ID: <20220603002449.jmi2m6byajzr45yo@altlinux.org> References: <20220602104243.340331-1-vseleznv@altlinux.org> <20220602104243.340331-2-vseleznv@altlinux.org> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20220602104243.340331-2-vseleznv@altlinux.org> Subject: Re: [d-kernel] [PATCH v7 2/2] AltHa: add tests X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jun 2022 00:24:49 -0000 Archived-At: List-Archive: List-Post: Vladimir, On Thu, Jun 02, 2022 at 10:42:43AM +0000, Vladimir D. Seleznev wrote:
> ---
> security/altha/altha-test.sh | 114 +++++++++++++++++++++++++++++++++++
> 1 file changed, 114 insertions(+)
> create mode 100755 security/altha/altha-test.sh
>
> diff --git a/security/altha/altha-test.sh b/security/altha/altha-test.sh
> new file mode 100755
> index 000000000000..b8057947eb4e
> --- /dev/null
> +++ b/security/altha/altha-test.sh
> @@ -0,0 +1,114 @@
> +#!/bin/bash -efu
> +# SPDX-License-Identifier: GPL-2.0
1. Pls, add copyright line as this what makes license legal.
2. Test the test before sending.
3. Pls, make it runnable in vm-run. For this cp id and nc into /tmp and use something else instead of su (such as setpriv, unshare, or capsh).
Thanks,
> +#
> +# AltHa test for nosuid feature
> +
> +sysctl -q kernel.altha.nosuid.enabled >/dev/null || {
> + echo >&2 "AltHa is not enabled, quitting"
> + exit 2
> +}
> +
> +ret=0
> +
> +num_failed=0
> +num_tests=0
> +
> +nosuid_enabled=kernel.altha.nosuid.enabled
> +nosuid_exeptions=kernel.altha.nosuid.exceptions
> +ID_CMD=/usr/bin/id
> +NC_CMD=/usr/bin/nc
> +
> +tmpdir="$(mktemp -d)"
> +cleanup()
> +{
> + [ ! -f "$tmpdir/id_perms" ] ||
> + chmod "$(cat "$tmpdir/id_perms")" "$ID_CMD"
> +
> + local caps
> + if [ -f "$tmpdir/nc_caps" ]; then
> + caps="$(cat "$tmpdir/nc_caps")"
> + setcap "${caps:--r}" "$NC_CMD"
> + fi
> +
> + [ ! -f "$tmpdir/nosuid_enabled" ] ||
> + sysctl "$nosuid_enabled=$(cat "$tmpdir/nosuid_enabled")"
> +
> + [ ! -f "$tmpdir/nosuid_exceptions" ] ||
> + sysctl "$nosuid_exeptions=$(cat "$tmpdir/nosuid_exceptions")"
> +
> + rm -r "$tmpdir"
> + exit "$@"
> +}
> +trap 'cleanup $?' 
EXIT QUIT INT ERR
> +
> +save_altha_state()
> +{
> + sysctl "$nosuid_enabled" |cut -f3 -d' ' > "$tmpdir/nosuid_enabled"
> + sysctl "$nosuid_exeptions" |cut -f3 -d' ' > "$tmpdir/nosuid_exceptions"
> +}
> +
> +run_test()
> +{
> + local test_cmd="$1"; shift
> + local test_cond="$1"; shift
> +
> + while IFS=$'\t' read -r precond expres; do
> + num_tests=$((num_tests + 1))
> +
> + eval "$precond"
> + eval "$test_cmd" >"$tmpdir/result" 2>&1 ||:
> +
> + if [ "$(cat "$tmpdir/result")" != "$expres" ]; then
> + echo >&2 "$test_cmd FAILED with $precond"
> + echo >&2 "expected result: $expres"
> + echo >&2 "actual result: $(cat "$tmpdir/result")"
> + num_failed=$((num_failed + 1))
> + fi
> + done <"$test_cond"
> +}
> +
> +check_setuid()
> +{
> + # save id perm and make it setuid
> + stat -c '%a' "$ID_CMD" > "$tmpdir/id_perms"
> + chmod 4755 "$ID_CMD"
> +
> + local nobody_uid
> + nobody_uid="$(grep -E '^\' /etc/passwd |cut -f3 -d:)"
> +
> + cat <"$tmpdir/setuid_test"
> +sysctl $nosuid_enabled=0 0
> +sysctl $nosuid_enabled=1 $nobody_uid
> +sysctl $nosuid_exeptions=$ID_CMD 0
> +EOF
> +
> +
> + run_test 'su nobody -s /bin/bash -c "id -u"' "$tmpdir/setuid_test"
> +}
> +
> +check_setcap()
> +{
> + getcap "$NC_CMD" |cut -d' ' -f3 > "$tmpdir/nc_caps"
> + setcap cap_net_bind_service,cap_net_admin+ep "$NC_CMD"
> +
> + cat <"$tmpdir/setcap_test"
> +sysctl $nosuid_enabled=0
> +sysctl $nosuid_enabled=1 nc: Permission denied
> +sysctl $nosuid_exeptions=$NC_CMD
> +EOF
> +
> + run_test "timeout 1 nc -l 9" "$tmpdir/setcap_test"
> +}
> +
> +save_altha_state
> +check_setuid
> +check_setcap
> +
> +if [ "$num_failed" -ne 0 ]; then
> + echo >&2 "$num_failed of $num_tests tests FAILED"
> + ret=1
> +else
> + echo >&2 "All $num_tests tests succeed"
> +fi
> +
> +exit $ret
> --
> 2.33.3
>
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel
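Review bot: `cleanup` runs with the shebang's `-e` in effect, so if the `chmod` or `setcap` restore fails the function stops before the two `sysctl` lines and the script exits with `kernel.altha.nosuid.enabled` and `.exceptions` still holding a test row's values (nosuid possibly left disabled, or `/usr/bin/id` left whitelisted); restore the sysctl knobs first and make every restore step independent, as below. Registering `cleanup` for both `ERR` and `EXIT` while it calls `exit` also appears to run it twice on an error path, where the second `rm -r "$tmpdir"` fails; `trap 'cleanup $?' EXIT` alone should cover `-e` aborts and signals. Saving nc's state with `getcap "$NC_CMD" |cut -d' ' -f3` depends on the older `file = caps` output; newer libcap prints `file caps`, so field 3 is empty and the restore silently becomes `setcap -r`, whereas `awk '{print $NF}'` works for both formats. Separately, `nobody_uid` is read by grepping /etc/passwd (the regex is also garbled in this quote); `getent passwd nobody | cut -d: -f3` honours NSS.
```shell
cleanup()
{
	# Best-effort restore: every step runs even if an earlier one fails,
	# and the system-wide sysctl knobs are restored before the binaries.
	set +e
	local rc=0

	[ ! -f "$tmpdir/nosuid_enabled" ] ||
		sysctl "$nosuid_enabled=$(cat "$tmpdir/nosuid_enabled")" || rc=1

	[ ! -f "$tmpdir/nosuid_exceptions" ] ||
		sysctl "$nosuid_exeptions=$(cat "$tmpdir/nosuid_exceptions")" || rc=1

	[ ! -f "$tmpdir/id_perms" ] ||
		chmod "$(cat "$tmpdir/id_perms")" "$ID_CMD" || rc=1

	# … unchanged: nc capability restore, with `|| rc=1` appended to setcap …

	rm -r "$tmpdir"
	if [ "$rc" -ne 0 ]; then
		echo >&2 "WARNING: could not restore original system state"
		[ "${1:-0}" -ne 0 ] || set -- 1
	fi
	exit "$@"
}
```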