ALT Linux kernel packages development
From: Vitaly Chikunov <vt@altlinux.org>
To: ALT Linux kernel packages development <devel-kernel@lists.altlinux.org>
Subject: Re: [d-kernel] [PATCH v8 2/2] AltHa: add tests
Date: Fri, 3 Jun 2022 23:50:19 +0300
Message-ID: <20220603205019.uwywnaoxari5uhbk@altlinux.org> (raw)
In-Reply-To: <20220603164442.1416842-2-vseleznv@altlinux.org>

Vladimir,

On Fri, Jun 03, 2022 at 04:44:42PM +0000, Vladimir D. Seleznev wrote:

Updated description and applied (to un-def/sisyphus yet).
Thanks.

> ---
>  security/altha/altha-test.sh | 114 +++++++++++++++++++++++++++++++++++
>  1 file changed, 114 insertions(+)
>  create mode 100755 security/altha/altha-test.sh
> 
> diff --git a/security/altha/altha-test.sh b/security/altha/altha-test.sh
> new file mode 100755
> index 000000000000..402c0ef047c8
> --- /dev/null
> +++ b/security/altha/altha-test.sh
> @@ -0,0 +1,114 @@
> +#!/bin/bash -efu
> +# Copyright (c) 2022 Vladimir D. Seleznev
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# AltHa test for nosuid feature
> +
> +sysctl -q kernel.altha.nosuid.enabled >/dev/null || {
> +	echo >&2 "AltHa is not enabled, quitting"
> +	exit 2
> +}
> +
> +ret=0
> +
> +num_failed=0
> +num_tests=0
> +
> +nosuid_enabled=kernel.altha.nosuid.enabled
> +nosuid_exeptions=kernel.altha.nosuid.exceptions
> +
> +tmpdir="$(mktemp -d)"
> +cleanup()
> +{
> +	if [ -f "$tmpdir/tmp_mount_options" ] &&
> +	   [ -f "$tmpdir/tmp_mount_target" ]; then
> +		   mount -o remount,"$(cat "$tmpdir/tmp_mount_options")" \
> +			   "$(cat "$tmpdir/tmp_mount_target")"
> +	fi
> +
> +	[ ! -f "$tmpdir/nosuid_enabled" ] ||
> +		sysctl "$nosuid_enabled=$(cat "$tmpdir/nosuid_enabled")"
> +
> +	[ ! -f "$tmpdir/nosuid_exceptions" ] ||
> +		sysctl "$nosuid_exeptions=$(cat "$tmpdir/nosuid_exceptions")"
> +
> +	rm -r "$tmpdir"
> +	exit "$@"
> +}
> +trap 'cleanup $?' EXIT QUIT INT ERR
> +
> +save_altha_state()
> +{
> +	findmnt /tmp |sed 1d |while read -r target source fstype options; do
> +		echo "$options" > "$tmpdir/tmp_mount_options"
> +		echo "$target" > "$tmpdir/tmp_mount_target"
> +		mount -o remount,suid "$target"
> +	done
> +
> +	sysctl "$nosuid_enabled" |cut -f3 -d' ' > "$tmpdir/nosuid_enabled"
> +	sysctl "$nosuid_exeptions" |cut -f3 -d' ' > "$tmpdir/nosuid_exceptions"
> +}
> +
> +run_test()
> +{
> +	local test_cmd="$1"; shift
> +	local test_cond="$1"; shift
> +
> +	while IFS=$'\t' read -r precond expres; do
> +		num_tests=$((num_tests + 1))
> +
> +		eval "$precond"
> +		eval "$test_cmd" >"$tmpdir/result" 2>&1 ||:
> +
> +		if [ "$(cat "$tmpdir/result")" != "$expres" ]; then
> +			echo >&2 "$test_cmd FAILED with $precond"
> +			echo >&2 "expected result: $expres"
> +			echo >&2 "actual result: $(cat "$tmpdir/result")"
> +			num_failed=$((num_failed + 1))
> +		fi
> +	done <"$test_cond"
> +}
> +
> +check_setuid()
> +{
> +	install -pm4755 -t "$tmpdir" /usr/bin/id
> +
> +	local nobody_uid
> +	nobody_uid="$(grep -E '^\<nobody\>' /etc/passwd |cut -f3 -d:)"
> +
> +	cat <<EOF >"$tmpdir/setuid_test"
> +sysctl $nosuid_enabled=0	0
> +sysctl $nosuid_enabled=1	$nobody_uid
> +sysctl $nosuid_exeptions=$tmpdir/id	0
> +EOF
> +
> +
> +	run_test "setpriv --reuid nobody -- $tmpdir/id -u" "$tmpdir/setuid_test"
> +}
> +
> +check_setcap()
> +{
> +	install -p -t "$tmpdir" /usr/bin/nc
> +	setcap cap_net_bind_service,cap_net_admin+ep "$tmpdir/nc"
> +
> +	cat <<EOF >"$tmpdir/setcap_test"
> +sysctl $nosuid_enabled=0
> +sysctl $nosuid_enabled=1	nc: Permission denied
> +sysctl $nosuid_exeptions=$tmpdir/nc
> +EOF
> +
> +	run_test "timeout 1 setpriv --reuid nobody -- $tmpdir/nc -l 9" "$tmpdir/setcap_test"
> +}
> +
> +save_altha_state
> +check_setuid
> +check_setcap
> +
> +if [ "$num_failed" -ne 0 ]; then
> +	echo >&2 "$num_failed of $num_tests tests FAILED"
> +	ret=1
> +else
> +	echo >&2 "All $num_tests tests succeed"
> +fi
> +
> +exit $ret
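Review bot: run_test compares only the captured output and throws the exit status away (`eval "$test_cmd" >"$tmpdir/result" 2>&1 ||:`), so the two setcap cases whose expected result is an empty string (enabled=0 and the exception case) also pass when nc never binds for an unrelated reason, e.g. a missing /usr/bin/nc copy or a setpriv failure that prints nothing; saving `$?` alongside the output and giving the test file a third tab-separated column with the expected status (124 for a listener that timeout had to kill) would make those cases actually prove the capability survived. Smaller points in the same file: `sysctl "$nosuid_enabled" |cut -f3 -d' '` in save_altha_state can be `sysctl -n "$nosuid_enabled"`, which returns the bare value without depending on the "key = value" layout and keeps the exceptions list intact whatever its separator; install -m4755, setpriv --reuid and the remount all need root, so an explicit `[ "$(id -u)" = 0 ]` check beside the AltHa-availability check at the top would fail more clearly than the first EACCES; with both ERR and EXIT trapped, the `exit "$@"` inside cleanup runs the EXIT trap a second time after the directory is already removed, which a `trap - EXIT ERR` as the first line of cleanup avoids; and `nosuid_exeptions` is consistently misspelled, which is harmless but worth fixing while the file is new.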
> -- 
> 2.33.3
> 


2022-06-03 16:44 [d-kernel] [PATCH v8 1/2] AltHa: handle setcap binaries in the same way as setuid ones Vladimir D. Seleznev
2022-06-03 16:44 ` [d-kernel] [PATCH v8 2/2] AltHa: add tests Vladimir D. Seleznev
2022-06-03 20:50   ` Vitaly Chikunov [this message]
