[d-kernel] [PATCH v7 2/2] AltHa: add tests
Vitaly Chikunov
vt на altlinux.org
Пт Июн 3 03:24:49 MSK 2022
Vladimir,
On Thu, Jun 02, 2022 at 10:42:43AM +0000, Vladimir D. Seleznev wrote:
> ---
> security/altha/altha-test.sh | 114 +++++++++++++++++++++++++++++++++++
> 1 file changed, 114 insertions(+)
> create mode 100755 security/altha/altha-test.sh
>
> diff --git a/security/altha/altha-test.sh b/security/altha/altha-test.sh
> new file mode 100755
> index 000000000000..b8057947eb4e
> --- /dev/null
> +++ b/security/altha/altha-test.sh
> @@ -0,0 +1,114 @@
> +#!/bin/bash -efu
> +# SPDX-License-Identifier: GPL-2.0
1. Pls, add a copyright line, as that is what makes the license legal.
2. Test the test before sending.
3. Pls, make it runnable in vm-run.
For this cp id and nc into /tmp and use something else instead of su
(such as setpriv, unshare, or capsh).
Thanks,
> +#
> +# AltHa test for nosuid feature
> +
> +sysctl -q kernel.altha.nosuid.enabled >/dev/null || {
> + echo >&2 "AltHa is not enabled, quitting"
> + exit 2
> +}
> +
> +ret=0
> +
> +num_failed=0
> +num_tests=0
> +
> +nosuid_enabled=kernel.altha.nosuid.enabled
> +nosuid_exeptions=kernel.altha.nosuid.exceptions
> +ID_CMD=/usr/bin/id
> +NC_CMD=/usr/bin/nc
> +
> +tmpdir="$(mktemp -d)"
> +cleanup()
> +{
> + [ ! -f "$tmpdir/id_perms" ] ||
> + chmod "$(cat "$tmpdir/id_perms")" "$ID_CMD"
> +
> + local caps
> + if [ -f "$tmpdir/nc_caps" ]; then
> + caps="$(cat "$tmpdir/nc_caps")"
> + setcap "${caps:--r}" "$NC_CMD"
> + fi
> +
> + [ ! -f "$tmpdir/nosuid_enabled" ] ||
> + sysctl "$nosuid_enabled=$(cat "$tmpdir/nosuid_enabled")"
> +
> + [ ! -f "$tmpdir/nosuid_exceptions" ] ||
> + sysctl "$nosuid_exeptions=$(cat "$tmpdir/nosuid_exceptions")"
> +
> + rm -r "$tmpdir"
> + exit "$@"
> +}
> +trap 'cleanup $?' EXIT QUIT INT ERR
> +
> +save_altha_state()
> +{
> + sysctl "$nosuid_enabled" |cut -f3 -d' ' > "$tmpdir/nosuid_enabled"
> + sysctl "$nosuid_exeptions" |cut -f3 -d' ' > "$tmpdir/nosuid_exceptions"
> +}
> +
> +run_test()
> +{
> + local test_cmd="$1"; shift
> + local test_cond="$1"; shift
> +
> + while IFS=$'\t' read -r precond expres; do
> + num_tests=$((num_tests + 1))
> +
> + eval "$precond"
> + eval "$test_cmd" >"$tmpdir/result" 2>&1 ||:
> +
> + if [ "$(cat "$tmpdir/result")" != "$expres" ]; then
> + echo >&2 "$test_cmd FAILED with $precond"
> + echo >&2 "expected result: $expres"
> + echo >&2 "actual result: $(cat "$tmpdir/result")"
> + num_failed=$((num_failed + 1))
> + fi
> + done <"$test_cond"
> +}
> +
> +check_setuid()
> +{
> + # save id perm and make it setuid
> + stat -c '%a' "$ID_CMD" > "$tmpdir/id_perms"
> + chmod 4755 "$ID_CMD"
> +
> + local nobody_uid
> + nobody_uid="$(grep -E '^\<nobody\>' /etc/passwd |cut -f3 -d:)"
> +
> + cat <<EOF >"$tmpdir/setuid_test"
> +sysctl $nosuid_enabled=0 0
> +sysctl $nosuid_enabled=1 $nobody_uid
> +sysctl $nosuid_exeptions=$ID_CMD 0
> +EOF
> +
> +
> + run_test 'su nobody -s /bin/bash -c "id -u"' "$tmpdir/setuid_test"
> +}
> +
> +check_setcap()
> +{
> + getcap "$NC_CMD" |cut -d' ' -f3 > "$tmpdir/nc_caps"
> + setcap cap_net_bind_service,cap_net_admin+ep "$NC_CMD"
> +
> + cat <<EOF >"$tmpdir/setcap_test"
> +sysctl $nosuid_enabled=0
> +sysctl $nosuid_enabled=1 nc: Permission denied
> +sysctl $nosuid_exeptions=$NC_CMD
> +EOF
> +
> + run_test "timeout 1 nc -l 9" "$tmpdir/setcap_test"
> +}
> +
> +save_altha_state
> +check_setuid
> +check_setcap
> +
> +if [ "$num_failed" -ne 0 ]; then
> + echo >&2 "$num_failed of $num_tests tests FAILED"
> + ret=1
> +else
> + echo >&2 "All $num_tests tests succeed"
> +fi
> +
> +exit $ret
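Review bot: The cleanup() handler at the top of the hunk runs under `-efu`, so if any single restore step fails (for example `setcap` with an unexpected `getcap` field, or a sysctl write error) the handler aborts before the two `sysctl` restores and `rm -r`, and the box can be left with `kernel.altha.nosuid.enabled=0` or with `/usr/bin/id` still listed in the exceptions sysctl — the test values — rather than the saved ones. Since restoring the hardening state matters more than the other steps, I would make the handler best-effort and put the sysctl restores first, e.g. start it with `set +e` (or append `||:` to each restore) and move the two `[ ! -f "$tmpdir/nosuid_*" ] || sysctl ...` lines ahead of the chmod/setcap block. Relatedly, `getcap "$NC_CMD" | cut -d' ' -f3` depends on libcap's output format; on versions that print `path cap=flags` (no `=` token) field 3 is empty and cleanup then runs `setcap -r`, silently stripping caps nc had before the test — worth a comment or a format-independent parse. Minor: the `nosuid_exeptions` variable is misspelled relative to the `nosuid_exceptions` state file; renaming it avoids the two names drifting apart.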
> --
> 2.33.3
>