From: "Vladimir D. Seleznev" <vseleznv@altlinux.org> To: devel-kernel@lists.altlinux.org Subject: [d-kernel] [PATCH v8 2/2] AltHa: add tests Date: Fri, 3 Jun 2022 16:44:42 +0000 Message-ID: <20220603164442.1416842-2-vseleznv@altlinux.org> (raw) In-Reply-To: <20220603164442.1416842-1-vseleznv@altlinux.org> --- security/altha/altha-test.sh | 114 +++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100755 security/altha/altha-test.sh diff --git a/security/altha/altha-test.sh b/security/altha/altha-test.sh new file mode 100755 index 000000000000..402c0ef047c8 --- /dev/null +++ b/security/altha/altha-test.sh 
@@ -0,0 +1,114 @@ +#!/bin/bash -efu +# Copyright (c) 2022 Vladimir D. Seleznev +# SPDX-License-Identifier: GPL-2.0 +# +# AltHa test for nosuid feature + +sysctl -q kernel.altha.nosuid.enabled >/dev/null || { + echo >&2 "AltHa is not enabled, quitting" + exit 2 +} + +ret=0 + +num_failed=0 +num_tests=0 + +nosuid_enabled=kernel.altha.nosuid.enabled +nosuid_exeptions=kernel.altha.nosuid.exceptions + +tmpdir="$(mktemp -d)" +cleanup() +{ + if [ -f "$tmpdir/tmp_mount_options" ] && + [ -f "$tmpdir/tmp_mount_target" ]; then + mount -o remount,"$(cat "$tmpdir/tmp_mount_options")" \ + "$(cat "$tmpdir/tmp_mount_target")" + fi + + [ ! -f "$tmpdir/nosuid_enabled" ] || + sysctl "$nosuid_enabled=$(cat "$tmpdir/nosuid_enabled")" + + [ ! -f "$tmpdir/nosuid_exceptions" ] || + sysctl "$nosuid_exeptions=$(cat "$tmpdir/nosuid_exceptions")" + + rm -r "$tmpdir" + exit "$@" +} +trap 'cleanup $?' EXIT QUIT INT ERR + +save_altha_state() +{ + findmnt /tmp |sed 1d |while read -r target source fstype options; do + echo "$options" > "$tmpdir/tmp_mount_options" + echo "$target" > "$tmpdir/tmp_mount_target" + mount -o remount,suid "$target" + done + + sysctl "$nosuid_enabled" |cut -f3 -d' ' > "$tmpdir/nosuid_enabled" + sysctl "$nosuid_exeptions" |cut -f3 -d' ' > "$tmpdir/nosuid_exceptions" +} + +run_test() +{ + local test_cmd="$1"; shift + local test_cond="$1"; shift + + while IFS=$'\t' read -r precond expres; do + num_tests=$((num_tests + 1)) + + eval "$precond" + eval "$test_cmd" >"$tmpdir/result" 2>&1 ||: + + if [ "$(cat "$tmpdir/result")" != "$expres" ]; then + echo >&2 "$test_cmd FAILED with $precond" + echo >&2 "expected result: $expres" + echo >&2 "actual result: $(cat "$tmpdir/result")" + num_failed=$((num_failed + 1)) + fi + done <"$test_cond" +} + +check_setuid() +{ + install -pm4755 -t "$tmpdir" /usr/bin/id + + local nobody_uid + nobody_uid="$(grep -E '^\<nobody\>' /etc/passwd |cut -f3 -d:)" + + cat <<EOF >"$tmpdir/setuid_test" +sysctl $nosuid_enabled=0 0 +sysctl $nosuid_enabled=1 
$nobody_uid +sysctl $nosuid_exeptions=$tmpdir/id 0 +EOF + + + run_test "setpriv --reuid nobody -- $tmpdir/id -u" "$tmpdir/setuid_test" +} + +check_setcap() +{ + install -p -t "$tmpdir" /usr/bin/nc + setcap cap_net_bind_service,cap_net_admin+ep "$tmpdir/nc" + + cat <<EOF >"$tmpdir/setcap_test" +sysctl $nosuid_enabled=0 +sysctl $nosuid_enabled=1 nc: Permission denied +sysctl $nosuid_exeptions=$tmpdir/nc +EOF + + run_test "timeout 1 setpriv --reuid nobody -- $tmpdir/nc -l 9" "$tmpdir/setcap_test" +} + +save_altha_state +check_setuid +check_setcap + +if [ "$num_failed" -ne 0 ]; then + echo >&2 "$num_failed of $num_tests tests FAILED" + ret=1 +else + echo >&2 "All $num_tests tests succeed" +fi + +exit $ret -- 2.33.3
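Review bot: cleanup() can be entered twice and the second entry fails on `rm -r "$tmpdir"`. With `trap 'cleanup $?' EXIT QUIT INT ERR`, a cleanup started by ERR or INT ends in `exit "$@"`, which fires the EXIT trap and runs cleanup again after the directory has already been removed; suggest `trap - EXIT QUIT INT ERR` as the first line of cleanup (or `rm -rf "$tmpdir"`) so the restore and removal happen exactly once. Two smaller points in the same hunk: save_altha_state() remounts whatever `findmnt /tmp` reports, but `tmpdir="$(mktemp -d)"` honours TMPDIR, so the remounted filesystem and the test directory are not guaranteed to be the same one; `findmnt -T "$tmpdir"` (or `mktemp -d -p /tmp`) keeps them in step. And the setcap expectation `nc: Permission denied` ties the test to one nc implementation's error text and to port 9 being free, while neither /usr/bin/nc nor setcap is checked for before use, so on a host without them the script aborts through `set -e` with no message of the "AltHa is not enabled, quitting" kind. Finally, `nosuid_exeptions` is misspelled; it is used consistently so it works, but it invites a typo in later edits.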
Thread overview (3 messages):
2022-06-03 16:44  [d-kernel] [PATCH v8 1/2] AltHa: handle setcap binaries in the same way as setuid ones  (Vladimir D. Seleznev)
2022-06-03 16:44    ` [d-kernel] [PATCH v8 2/2] AltHa: add tests  (Vladimir D. Seleznev) [this message]
2022-06-03 20:50      ` [d-kernel] [PATCH v8 2/2] AltHa: add tests  (Vitaly Chikunov)
List: devel-kernel (ALT Linux kernel packages development), archived at http://lore.altlinux.org/devel-kernel