From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Fri, 3 Jun 2022 23:50:19 +0300 From: Vitaly Chikunov To: ALT Linux kernel packages development Message-ID: <20220603205019.uwywnaoxari5uhbk@altlinux.org> References: <20220603164442.1416842-1-vseleznv@altlinux.org> <20220603164442.1416842-2-vseleznv@altlinux.org> MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20220603164442.1416842-2-vseleznv@altlinux.org> Subject: Re: [d-kernel] [PATCH v8 2/2] AltHa: add tests X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jun 2022 20:50:20 -0000 Archived-At: List-Archive: List-Post: Vladimir, On Fri, Jun 03, 2022 at 04:44:42PM +0000, Vladimir D. Seleznev wrote: Updated description and applied (to un-def/sisyphus yet). Thanks.
> ---
> security/altha/altha-test.sh | 114 +++++++++++++++++++++++++++++++++++
> 1 file changed, 114 insertions(+)
> create mode 100755 security/altha/altha-test.sh
>
> diff --git a/security/altha/altha-test.sh b/security/altha/altha-test.sh
> new file mode 100755
> index 000000000000..402c0ef047c8
> --- /dev/null
> +++ b/security/altha/altha-test.sh
> @@ -0,0 +1,114 @@
> +#!/bin/bash -efu
> +# Copyright (c) 2022 Vladimir D. Seleznev
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# AltHa test for nosuid feature
> +
> +sysctl -q kernel.altha.nosuid.enabled >/dev/null || {
> + echo >&2 "AltHa is not enabled, quitting"
> + exit 2
> +}
> +
> +ret=0
> +
> +num_failed=0
> +num_tests=0
> +
> +nosuid_enabled=kernel.altha.nosuid.enabled
> +nosuid_exeptions=kernel.altha.nosuid.exceptions
> +
> +tmpdir="$(mktemp -d)"
> +cleanup()
> +{
> + if [ -f "$tmpdir/tmp_mount_options" ] &&
> + [ -f "$tmpdir/tmp_mount_target" ]; then
> + mount -o remount,"$(cat "$tmpdir/tmp_mount_options")" \
> + "$(cat "$tmpdir/tmp_mount_target")"
> + fi
> +
> + [ ! -f "$tmpdir/nosuid_enabled" ] ||
> + sysctl "$nosuid_enabled=$(cat "$tmpdir/nosuid_enabled")"
> +
> + [ ! -f "$tmpdir/nosuid_exceptions" ] ||
> + sysctl "$nosuid_exeptions=$(cat "$tmpdir/nosuid_exceptions")"
> +
> + rm -r "$tmpdir"
> + exit "$@"
> +}
> +trap 'cleanup $?' EXIT QUIT INT ERR
> +
> +save_altha_state()
> +{
> + findmnt /tmp |sed 1d |while read -r target source fstype options; do
> + echo "$options" > "$tmpdir/tmp_mount_options"
> + echo "$target" > "$tmpdir/tmp_mount_target"
> + mount -o remount,suid "$target"
> + done
> +
> + sysctl "$nosuid_enabled" |cut -f3 -d' ' > "$tmpdir/nosuid_enabled"
> + sysctl "$nosuid_exeptions" |cut -f3 -d' ' > "$tmpdir/nosuid_exceptions"
> +}
> +
> +run_test()
> +{
> + local test_cmd="$1"; shift
> + local test_cond="$1"; shift
> +
> + while IFS=$'\t' read -r precond expres; do
> + num_tests=$((num_tests + 1))
> +
> + eval "$precond"
> + eval "$test_cmd" >"$tmpdir/result" 2>&1 ||:
> +
> + if [ "$(cat "$tmpdir/result")" != "$expres" ]; then
> + echo >&2 "$test_cmd FAILED with $precond"
> + echo >&2 "expected result: $expres"
> + echo >&2 "actual result: $(cat "$tmpdir/result")"
> + num_failed=$((num_failed + 1))
> + fi
> + done <"$test_cond"
> +}
> +
> +check_setuid()
> +{
> + install -pm4755 -t "$tmpdir" /usr/bin/id
> +
> + local nobody_uid
> + nobody_uid="$(grep -E '^\' /etc/passwd |cut -f3 -d:)"
> +
> + cat <"$tmpdir/setuid_test"
> +sysctl $nosuid_enabled=0 0
> +sysctl $nosuid_enabled=1 $nobody_uid
> +sysctl $nosuid_exeptions=$tmpdir/id 0
> +EOF
> +
> +
> + run_test "setpriv --reuid nobody -- $tmpdir/id -u" "$tmpdir/setuid_test"
> +}
> +
> +check_setcap()
> +{
> + install -p -t "$tmpdir" /usr/bin/nc
> + setcap cap_net_bind_service,cap_net_admin+ep "$tmpdir/nc"
> +
> + cat <"$tmpdir/setcap_test"
> +sysctl $nosuid_enabled=0
> +sysctl $nosuid_enabled=1 nc: Permission denied
> +sysctl $nosuid_exeptions=$tmpdir/nc
> +EOF
> +
> + run_test "timeout 1 setpriv --reuid nobody -- $tmpdir/nc -l 9" "$tmpdir/setcap_test"
> +}
> +
> +save_altha_state
> +check_setuid
> +check_setcap
> +
> +if [ "$num_failed" -ne 0 ]; then
> + echo >&2 "$num_failed of $num_tests tests FAILED"
> + ret=1
> +else
> + echo >&2 "All $num_tests tests succeed"
> +fi
> +
> +exit $ret
> --
> 2.33.3
>
> _______________________________________________ > devel-kernel mailing list > devel-kernel@lists.altlinux.org > https://lists.altlinux.org/mailman/listinfo/devel-kernel
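Review bot: In run_test the eval'd test command inherits the loop's stdin, which is the test-condition file opened by `done <"$test_cond"`, so a command that reads stdin (the `nc -l 9` case in check_setcap plausibly does, depending on the nc implementation) can consume the remaining test lines and silently skip cases without raising a failure. Redirecting the command's input, `eval "$test_cmd" >"$tmpdir/result" 2>&1 </dev/null ||:`, keeps the loop's input intact. The two `eval`s are defensible only because `$precond` and `$test_cmd` come from here-docs this script writes itself under a `mktemp -d` directory; a comment above the loop such as `# test files are generated by this script from literal here-docs, never user-supplied` would keep a later maintainer from pointing run_test at external files. Separately, `cat <"$tmpdir/setuid_test"` and `grep -E '^\'` look like the list archive dropped the here-doc operator and the grep pattern in transit, so those lines presumably differ from the patch as applied.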