diff options
author | bz <bz@FreeBSD.org> | 2007-11-16 21:24:45 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2007-11-16 21:24:45 +0000 |
commit | 34d08946eefbe42dc7f210995f595dc5c6dd95ec (patch) | |
tree | f9e34da558ed51e817c92a3c6f0780cc53b9355d | |
parent | 17f2e4c7f6eb41fc9994922518a6b7d6e46ef1e3 (diff) | |
download | FreeBSD-src-34d08946eefbe42dc7f210995f595dc5c6dd95ec.zip FreeBSD-src-34d08946eefbe42dc7f210995f595dc5c6dd95ec.tar.gz |
Remove empty setup and cleanup functions for the pfkey test.
Add regression tests for privileged and supposedly unprivileged
IP_IPSEC_POLICY,IPV6_IPSEC_POLICY setsockopt cases.
We may need to review the current 'good' results to make
sure they reflect what we really want.
Discussed with: rwatson
Reviewed by: rwatson
-rw-r--r-- | tools/regression/priv/Makefile | 3 | ||||
-rw-r--r-- | tools/regression/priv/main.c | 23 | ||||
-rw-r--r-- | tools/regression/priv/main.h | 12 | ||||
-rw-r--r-- | tools/regression/priv/priv_netinet_ipsec.c | 236 |
4 files changed, 268 insertions, 6 deletions
diff --git a/tools/regression/priv/Makefile b/tools/regression/priv/Makefile index 1377513..6f494a8 100644 --- a/tools/regression/priv/Makefile +++ b/tools/regression/priv/Makefile @@ -46,4 +46,7 @@ SRCS= main.c \ NO_MAN= WARNS= 3 +DPADD+= ${LIBIPSEC} +LDADD+= -lipsec + .include <bsd.prog.mk> diff --git a/tools/regression/priv/main.c b/tools/regression/priv/main.c index 11f9249..5dd411a 100644 --- a/tools/regression/priv/main.c +++ b/tools/regression/priv/main.c @@ -135,8 +135,27 @@ static struct test tests[] = { { "priv_msgbuf_unprivok", priv_msgbuf_unprivok_setup, priv_msgbuf_unprivok, priv_msgbuf_cleanup }, - { "priv_netinet_ipsec_pfkey", priv_netinet_ipsec_pfkey_setup, - priv_netinet_ipsec_pfkey, priv_netinet_ipsec_pfkey_cleanup }, + { "priv_netinet_ipsec_pfkey", NULL, priv_netinet_ipsec_pfkey, NULL }, + + { "priv_netinet_ipsec_policy4_bypass", + priv_netinet_ipsec_policy4_bypass_setup, + priv_netinet_ipsec_policy4_bypass, + priv_netinet_ipsec_policy_bypass_cleanup }, + + { "priv_netinet_ipsec_policy6_bypass", + priv_netinet_ipsec_policy6_bypass_setup, + priv_netinet_ipsec_policy6_bypass, + priv_netinet_ipsec_policy_bypass_cleanup }, + + { "priv_netinet_ipsec_policy4_entrust", + priv_netinet_ipsec_policy4_entrust_setup, + priv_netinet_ipsec_policy4_entrust, + priv_netinet_ipsec_policy_entrust_cleanup }, + + { "priv_netinet_ipsec_policy6_entrust", + priv_netinet_ipsec_policy6_entrust_setup, + priv_netinet_ipsec_policy6_entrust, + priv_netinet_ipsec_policy_entrust_cleanup }, { "priv_netinet_raw", priv_netinet_raw_setup, priv_netinet_raw, priv_netinet_raw_cleanup }, diff --git a/tools/regression/priv/main.h b/tools/regression/priv/main.h index 04c992e..475a47e 100644 --- a/tools/regression/priv/main.h +++ b/tools/regression/priv/main.h @@ -138,9 +138,17 @@ void priv_msgbuf_unprivok(int, int, struct test *); void priv_msgbuf_cleanup(int, int, struct test *); -int priv_netinet_ipsec_pfkey_setup(int, int, struct test *); void priv_netinet_ipsec_pfkey(int, int, struct test *); -void priv_netinet_ipsec_pfkey_cleanup(int, int, struct test *); +int priv_netinet_ipsec_policy4_bypass_setup(int, int, struct test *); +void priv_netinet_ipsec_policy4_bypass(int, int, struct test *); +int priv_netinet_ipsec_policy6_bypass_setup(int, int, struct test *); +void priv_netinet_ipsec_policy6_bypass(int, int, struct test *); +void priv_netinet_ipsec_policy_bypass_cleanup(int, int, struct test *); +int priv_netinet_ipsec_policy4_entrust_setup(int, int, struct test *); +void priv_netinet_ipsec_policy4_entrust(int, int, struct test *); +int priv_netinet_ipsec_policy6_entrust_setup(int, int, struct test *); +void priv_netinet_ipsec_policy6_entrust(int, int, struct test *); +void priv_netinet_ipsec_policy_entrust_cleanup(int, int, struct test *); int priv_netinet_raw_setup(int, int, struct test *); void priv_netinet_raw(int, int, struct test *); diff --git a/tools/regression/priv/priv_netinet_ipsec.c b/tools/regression/priv/priv_netinet_ipsec.c index e3729c6..c2014da 100644 --- a/tools/regression/priv/priv_netinet_ipsec.c +++ b/tools/regression/priv/priv_netinet_ipsec.c @@ -34,19 +34,126 @@ #include <sys/types.h> #include <sys/socket.h> #include <net/pfkeyv2.h> +#include <netinet/in.h> +#include <netipsec/ipsec.h> +#include <err.h> #include <errno.h> +#include <stdlib.h> #include <unistd.h> #include "main.h" +static char policy_bypass[] = "in bypass"; +static char policy_entrust[] = "in entrust"; +static char *bypassbuf = NULL; +static char *entrustbuf = NULL; +static int sd = -1; + + +static int +priv_netinet_ipsec_policy_bypass_setup_af(int asroot, int injail, + struct test *test, int af) +{ + + bypassbuf = ipsec_set_policy(policy_bypass, sizeof(policy_bypass) - 1); + if (bypassbuf == NULL) { + warn("%s: ipsec_set_policy(NULL)", __func__); + return (-1); + } + switch (af) { + case AF_INET: + sd = socket(AF_INET, SOCK_DGRAM, 0); + if (sd < 0) { + warn("%s: socket4", __func__); + return (-1); + } + break; + case AF_INET6: + sd = socket(AF_INET6, SOCK_DGRAM, 0); + if (sd < 0) { + warn("%s: socket6", __func__); + return (-1); + } + break; + default: + warnx("%s: unexpected address family", __func__); + return (-1); + } + return (0); +} + int -priv_netinet_ipsec_pfkey_setup(int asroot, int injail, struct test *test) +priv_netinet_ipsec_policy4_bypass_setup(int asroot, int injail, + struct test *test) { + return (priv_netinet_ipsec_policy_bypass_setup_af(asroot, injail, test, + AF_INET)); +} + +int +priv_netinet_ipsec_policy6_bypass_setup(int asroot, int injail, + struct test *test) +{ + + return (priv_netinet_ipsec_policy_bypass_setup_af(asroot, injail, test, + AF_INET6)); +} + + + +static int +priv_netinet_ipsec_policy_entrust_setup_af(int asroot, int injail, + struct test *test, int af) +{ + + entrustbuf = ipsec_set_policy(policy_entrust, sizeof(policy_entrust)-1); + if (entrustbuf == NULL) { + warn("%s: ipsec_set_policy(NULL)", __func__); + return (-1); + } + switch (af) { + case AF_INET: + sd = socket(AF_INET, SOCK_DGRAM, 0); + if (sd < 0) { + warn("%s: socket4", __func__); + return (-1); + } + break; + case AF_INET6: + sd = socket(AF_INET6, SOCK_DGRAM, 0); + if (sd < 0) { + warn("%s: socket6", __func__); + return (-1); + } + break; + default: + warnx("%s: unexpected address family", __func__); + return (-1); + } return (0); } +int +priv_netinet_ipsec_policy4_entrust_setup(int asroot, int injail, + struct test *test) +{ + + return (priv_netinet_ipsec_policy_entrust_setup_af(asroot, injail, test, + AF_INET)); +} + +int +priv_netinet_ipsec_policy6_entrust_setup(int asroot, int injail, + struct test *test) +{ + + return (priv_netinet_ipsec_policy_entrust_setup_af(asroot, injail, test, + AF_INET6)); +} + + void priv_netinet_ipsec_pfkey(int asroot, int injail, struct test *test) { @@ -77,9 +184,134 @@ priv_netinet_ipsec_pfkey(int asroot, int injail, struct test *test) (void)close(fd); } + +static void +priv_netinet_ipsec_policy_bypass_af(int asroot, int injail, struct test *test, + int af) +{ + int error, level, optname; + + switch (af) { + case AF_INET: + level = IPPROTO_IP; + optname = IP_IPSEC_POLICY; + break; + case AF_INET6: + level = IPPROTO_IPV6; + optname = IPV6_IPSEC_POLICY; + break; + default: + warnx("%s: unexpected address family", __func__); + return; + } + error = setsockopt(sd, level, optname, + bypassbuf, ipsec_get_policylen(bypassbuf)); + if (asroot && injail) + expect("priv_netinet_ipsec_policy_bypass(asroot, injail)", + error, -1, EACCES); /* see ipsec_set_policy */ + if (asroot && !injail) + expect("priv_netinet_ipsec_policy_bypass(asroot, !injail)", + error, 0, 0); + if (!asroot && injail) + expect("priv_netinet_ipsec_policy_bypass(!asroot, injail)", + error, -1, EACCES); /* see ipsec_set_policy */ + if (!asroot && !injail) + expect("priv_netinet_ipsec_policy_bypass(!asroot, !injail)", + error, -1, EACCES); /* see ipsec_set_policy */ +} + +void +priv_netinet_ipsec_policy4_bypass(int asroot, int injail, struct test *test) +{ + + priv_netinet_ipsec_policy_bypass_af(asroot, injail, test, AF_INET); +} + +void +priv_netinet_ipsec_policy6_bypass(int asroot, int injail, struct test *test) +{ + + priv_netinet_ipsec_policy_bypass_af(asroot, injail, test, AF_INET6); +} + + +static void +priv_netinet_ipsec_policy_entrust_af(int asroot, int injail, struct test *test, + int af) +{ + int error, level, optname; + + switch (af) { + case AF_INET: + level = IPPROTO_IP; + optname = IP_IPSEC_POLICY; + break; + case AF_INET6: + level = IPPROTO_IPV6; + optname = IPV6_IPSEC_POLICY; + break; + default: + warnx("%s: unexpected address family", __func__); + return; + } + error = setsockopt(sd, level, optname, + entrustbuf, ipsec_get_policylen(entrustbuf)); + if (asroot && injail) + expect("priv_netinet_ipsec_policy_entrust(asroot, injail)", + error, 0, 0); /* XXX ipsec_set_policy */ + if (asroot && !injail) + expect("priv_netinet_ipsec_policy_entrust(asroot, !injail)", + error, 0, 0); + if (!asroot && injail) + expect("priv_netinet_ipsec_policy_entrust(!asroot, injail)", + error, 0, 0); /* XXX ipsec_set_policy */ + if (!asroot && !injail) + expect("priv_netinet_ipsec_policy_entrust(!asroot, !injail)", + error, 0, 0); /* XXX ipsec_set_policy */ +} + +void +priv_netinet_ipsec_policy4_entrust(int asroot, int injail, struct test *test) +{ + + priv_netinet_ipsec_policy_entrust_af(asroot, injail, test, AF_INET); +} + +void +priv_netinet_ipsec_policy6_entrust(int asroot, int injail, struct test *test) +{ + + priv_netinet_ipsec_policy_entrust_af(asroot, injail, test, AF_INET6); +} + + +void +priv_netinet_ipsec_policy_bypass_cleanup(int asroot, int injail, + struct test *test) +{ + + if (bypassbuf != NULL) { + free(bypassbuf); + bypassbuf = NULL; + } + if (sd >= 0) { + close(sd); + sd = -1; + } +} + void -priv_netinet_ipsec_pfkey_cleanup(int asroot, int injail, struct test *test) +priv_netinet_ipsec_policy_entrust_cleanup(int asroot, int injail, + struct test *test) { + if (entrustbuf != NULL) { + free(entrustbuf); + entrustbuf = NULL; + } + if (sd >= 0) { + close(sd); + sd = -1; + } } |