smack-test: add smack tests from meta-intel-iot-security

ported over smack tests Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2019-05-06 11:36:58 -0700
committer: Armin Kuster <akuster808@gmail.com> 2019-05-09 17:45:13 -0700
commit: 8eee8727cb09a9fc14e899b4058fcd108f44a0eb (patch)
tree: e6cd90e7b08c098e425a8d0efbb29fd88fc9ee2e /recipes-mac/smack/smack-test
parent: 5d37937f2e495147fd2a756d22c09f49773ac8ae (diff)
download: meta-security-8eee8727cb09a9fc14e899b4058fcd108f44a0eb.tar.gz
4 files changed, 132 insertions, 0 deletions
diff --git a/recipes-mac/smack/smack-test/notroot.py b/recipes-mac/smack/smack-test/notroot.py
new file mode 100644
index 0000000..f0eb0b5
--- /dev/null
+++ b/recipes-mac/smack/smack-test/notroot.py
@@ -0,0 +1,33 @@
+#!/usr/bin/env python
+#
+# Script used for running executables with custom labels, as well as custom uid/gid
+# Process label is changed by writing to /proc/self/attr/curent
+#
+# Script expects user id and group id to exist, and be the same.
+#
+# From adduser manual: 
+# """By  default,  each  user  in Debian GNU/Linux is given a corresponding group 
+# with the same name. """
+#
+# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+#
+# Author: Alexandru Cornea <alexandru.cornea@intel.com>
+import os
+import sys
+try:
+        uid = int(sys.argv[1])
+        sys.argv.pop(1)
+        label = sys.argv[1]
+        sys.argv.pop(1)
+        open("/proc/self/attr/current", "w").write(label)
+        path=sys.argv[1]
+        sys.argv.pop(0)
+        os.setgid(uid)
+        os.setuid(uid)  
+        os.execv(path,sys.argv)
+except Exception,e:
+        print e.message
+        sys.exit(1)
diff --git a/recipes-mac/smack/smack-test/smack_test_file_access.sh b/recipes-mac/smack/smack-test/smack_test_file_access.sh
new file mode 100644
index 0000000..5a0ce84
--- /dev/null
+++ b/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}' `
+RC=0
+TMP="/tmp"
+test_file=$TMP/smack_test_access_file
+CAT=`which cat`
+ECHO=`which echo`
+uid=1000
+initial_label=`cat /proc/self/attr/current`
+python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+chsmack -a "TheOther" $test_file
+#        12345678901234567890123456789012345678901234567890123456
+delrule="TheOne                  TheOther                -----"
+rule_ro="TheOne                  TheOther                r----"
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+if [ $RC -ne 0 ]; then
+        echo "Process with different label than the test file and no read access on it can read it"
+        exit $RC
+fi
+# adding read access
+echo -n "$rule_ro" > $SMACK_PATH/load
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+        echo "Process with different label than the test file but with read access on it cannot read it"
+        exit $RC
+fi
+# Remove pre-existent rules for "TheOne TheOther <access>"
+echo -n "$delrule" > $SMACK_PATH/load
+# changing label of test file to *
+# according to SMACK documentation, read access on a * object is always permitted
+chsmack -a '*' $test_file
+python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+if [ $RC -ne 0 ]; then
+        echo  "Process cannot read file with * label"
+        exit $RC
+fi
+# changing subject label to *
+# according to SMACK documentation, every access requested by a star labeled subject is rejected
+TOUCH=`which touch`
+python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
+if [ $RC -ne 0 ];then
+        echo "Process with label '*' should not have any access"
+        exit $RC
+fi
+exit 0
diff --git a/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
new file mode 100644
index 0000000..26d9e9d
--- /dev/null
+++ b/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+initial_label=`cat /proc/self/attr/current 2>/dev/null`
+modified_label="test_label"
+echo "$modified_label" >/proc/self/attr/current 2>/dev/null
+new_label=`cat /proc/self/attr/current 2>/dev/null`
+if [ "$new_label" != "$modified_label" ]; then
+        # restore proper label
+        echo $initial_label >/proc/self/attr/current
+        echo "Privileged process could not change its label"
+        exit 1
+fi
+echo "$initial_label" >/proc/self/attr/current 2>/dev/null
+exit 0
+\ No newline at end of file
diff --git a/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/recipes-mac/smack/smack-test/test_smack_onlycap.sh
new file mode 100644
index 0000000..1c4a93a
--- /dev/null
+++ b/recipes-mac/smack/smack-test/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+RC=0
+SMACK_PATH=`grep smack /proc/mounts | awk '{print $2}'`
+test_label="test_label"
+onlycap_initial=`cat $SMACK_PATH/onlycap`               
+smack_initial=`cat /proc/self/attr/current`
+# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
+# even if we are root
+echo "$test_label" > /proc/self/attr/current
+echo "$test_label" > $SMACK_PATH/onlycap || RC=$?
+if [ $RC -ne 0 ]; then
+        echo "Onlycap label could not be set"
+        return $RC
+fi
+if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
+        echo "Onlycap label was not set correctly."
+        return 1
+fi
+# resetting original onlycap label
+echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
+# resetting our initial's process label
+echo "$smack_initial" > /proc/self/attr/current
author	Armin Kuster <akuster808@gmail.com>	2019-05-06 11:36:58 -0700
committer	Armin Kuster <akuster808@gmail.com>	2019-05-09 17:45:13 -0700
commit	8eee8727cb09a9fc14e899b4058fcd108f44a0eb (patch)
tree	e6cd90e7b08c098e425a8d0efbb29fd88fc9ee2e /recipes-mac/smack/smack-test
parent	5d37937f2e495147fd2a756d22c09f49773ac8ae (diff)
download	meta-security-8eee8727cb09a9fc14e899b4058fcd108f44a0eb.tar.gz

diff --git a/recipes-mac/smack/smack-test/notroot.py b/recipes-mac/smack/smack-test/notroot.py new file mode 100644 index 0000000..f0eb0b5 --- /dev/null +++ b/recipes-mac/smack/smack-test/notroot.py
@@ -0,0 +1,33 @@
	1	#!/usr/bin/env python
	2	#
	3	# Script used for running executables with custom labels, as well as custom uid/gid
	4	# Process label is changed by writing to /proc/self/attr/curent
	5	#
	6	# Script expects user id and group id to exist, and be the same.
	7	#
	8	# From adduser manual:
	9	# """By default, each user in Debian GNU/Linux is given a corresponding group
	10	# with the same name. """
	11	#
	12	# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
	13	# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
	14	#
	15	# Author: Alexandru Cornea <alexandru.cornea@intel.com>
	16	import os
	17	import sys
	18
	19	try:
	20	uid = int(sys.argv[1])
	21	sys.argv.pop(1)
	22	label = sys.argv[1]
	23	sys.argv.pop(1)
	24	open("/proc/self/attr/current", "w").write(label)
	25	path=sys.argv[1]
	26	sys.argv.pop(0)
	27	os.setgid(uid)
	28	os.setuid(uid)
	29	os.execv(path,sys.argv)
	30
	31	except Exception,e:
	32	print e.message
	33	sys.exit(1)


diff --git a/recipes-mac/smack/smack-test/smack_test_file_access.sh b/recipes-mac/smack/smack-test/smack_test_file_access.sh new file mode 100644 index 0000000..5a0ce84 --- /dev/null +++ b/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -0,0 +1,54 @@
	1	#!/bin/sh
	2
	3	SMACK_PATH=`grep smack /proc/mounts \| awk '{print $2}' `
	4	RC=0
	5	TMP="/tmp"
	6	test_file=$TMP/smack_test_access_file
	7	CAT=`which cat`
	8	ECHO=`which echo`
	9	uid=1000
	10	initial_label=`cat /proc/self/attr/current`
	11	python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
	12	chsmack -a "TheOther" $test_file
	13
	14	# 12345678901234567890123456789012345678901234567890123456
	15	delrule="TheOne TheOther -----"
	16	rule_ro="TheOne TheOther r----"
	17
	18	# Remove pre-existent rules for "TheOne TheOther <access>"
	19	echo -n "$delrule" > $SMACK_PATH/load
	20	python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null \| grep -q "Permission denied" \|\| RC=$?
	21	if [ $RC -ne 0 ]; then
	22	echo "Process with different label than the test file and no read access on it can read it"
	23	exit $RC
	24	fi
	25
	26	# adding read access
	27	echo -n "$rule_ro" > $SMACK_PATH/load
	28	python $TMP/notroot.py $uid "TheOne" $CAT $test_file \| grep -q "TEST" \|\| RC=$?
	29	if [ $RC -ne 0 ]; then
	30	echo "Process with different label than the test file but with read access on it cannot read it"
	31	exit $RC
	32	fi
	33
	34	# Remove pre-existent rules for "TheOne TheOther <access>"
	35	echo -n "$delrule" > $SMACK_PATH/load
	36	# changing label of test file to *
	37	# according to SMACK documentation, read access on a * object is always permitted
	38	chsmack -a '*' $test_file
	39	python $TMP/notroot.py $uid "TheOne" $CAT $test_file \| grep -q "TEST" \|\| RC=$?
	40	if [ $RC -ne 0 ]; then
	41	echo "Process cannot read file with * label"
	42	exit $RC
	43	fi
	44
	45	# changing subject label to *
	46	# according to SMACK documentation, every access requested by a star labeled subject is rejected
	47	TOUCH=`which touch`
	48	python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
	49	ls -la $TMP/test_file_2 2>&1 \| grep -q 'No such file or directory' \|\| RC=$?
	50	if [ $RC -ne 0 ];then
	51	echo "Process with label '*' should not have any access"
	52	exit $RC
	53	fi
	54	exit 0


diff --git a/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh b/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh new file mode 100644 index 0000000..26d9e9d --- /dev/null +++ b/recipes-mac/smack/smack-test/test_privileged_change_self_label.sh
@@ -0,0 +1,18 @@
	1	#!/bin/sh
	2
	3	initial_label=`cat /proc/self/attr/current 2>/dev/null`
	4	modified_label="test_label"
	5
	6	echo "$modified_label" >/proc/self/attr/current 2>/dev/null
	7
	8	new_label=`cat /proc/self/attr/current 2>/dev/null`
	9
	10	if [ "$new_label" != "$modified_label" ]; then
	11	# restore proper label
	12	echo $initial_label >/proc/self/attr/current
	13	echo "Privileged process could not change its label"
	14	exit 1
	15	fi
	16
	17	echo "$initial_label" >/proc/self/attr/current 2>/dev/null
	18	exit 0 \ No newline at end of file


diff --git a/recipes-mac/smack/smack-test/test_smack_onlycap.sh b/recipes-mac/smack/smack-test/test_smack_onlycap.sh new file mode 100644 index 0000000..1c4a93a --- /dev/null +++ b/recipes-mac/smack/smack-test/test_smack_onlycap.sh
@@ -0,0 +1,27 @@
	1	#!/bin/sh
	2	RC=0
	3	SMACK_PATH=`grep smack /proc/mounts \| awk '{print $2}'`
	4	test_label="test_label"
	5	onlycap_initial=`cat $SMACK_PATH/onlycap`
	6	smack_initial=`cat /proc/self/attr/current`
	7
	8	# need to set out label to be the same as onlycap, otherwise we lose our smack privileges
	9	# even if we are root
	10	echo "$test_label" > /proc/self/attr/current
	11
	12	echo "$test_label" > $SMACK_PATH/onlycap \|\| RC=$?
	13	if [ $RC -ne 0 ]; then
	14	echo "Onlycap label could not be set"
	15	return $RC
	16	fi
	17
	18	if [ `cat $SMACK_PATH/onlycap` != "$test_label" ]; then
	19	echo "Onlycap label was not set correctly."
	20	return 1
	21	fi
	22
	23	# resetting original onlycap label
	24	echo "$onlycap_initial" > $SMACK_PATH/onlycap 2>/dev/null
	25
	26	# resetting our initial's process label
	27	echo "$smack_initial" > /proc/self/attr/current