o First pass at an inter-process authorization regression testing suite.

  This test utility attempts to evaluate the current kernel policy
  for authorization inter-process activities, currently ptrace(),
  kill(, SIGHUP), getpriority(), and setpriority().  The utility creates
  pairs of processes, initializes their credential sets to useful
  cases, and reports on whether the results are in keeping with hard-coded
  safety expectations.

o Currently, this utility relies on the availability of __setugid(),
  an uncomitted system call used for managing the P_SUGID bit.  Due to
  continuing discussion of optional regression testing kernel components
  ("options REGRESSION") I'll hold off on committing that until the
  discussion has reached its natural termination.

o A number of additional testing factors should be taken into account
  in the testing, including tests for different classes of signals,
  interactions with process session characteristics, I/O signalling,
  broadcast activities such as broadcast signalling, mass priority
  setting, and to take into group-related aspects of credentials.
  Additional operations should also be taken into account, such as ktrace,
  debugging attach using procfs, and so on.

o This testing suite is intended to prevent the introduction of bugs
  in the upcoming sets of authorization changes associated with the
  introduction of process capabilities and mandatory access control.

Obtained from: TrustedBSD Project

1 files changed, 53 insertions, 0 deletions

diff --git a/tools/regression/security/proc_to_proc/README b/tools/regression/security/proc_to_proc/README
new file mode 100644
index 0000000..978ef68
--- /dev/null
+++ b/tools/regression/security/proc_to_proc/README
@@ -0,0 +1,53 @@
+$FreeBSD$
+
+  Inter-Process Authorization Test Suite
+  Robert Watson, TrustedBSD Project
+
+This test suite attempts to determine the behavior of inter-process
+authorization policy present in the kernel.  It analyzes a series of
+important scenarios using specifically crafted process credentials
+and a set of operations.  It then reports on any divergence from the
+expected results.
+
+Test operations:
+
+ptrace		cred1 attempts ptrace attach to cred2
+signal		cred1 attempts SIGHUP of cred2
+see		cred1 attempts getpriority() on cred2
+sched		cred1 attempts setpriority() on cred2
+
+Test scenarioes:
+
+priv on priv		root process on another root process
+priv on unpriv1		root process on a non-root process
+unpriv1 on priv		non-root process on a root process
+unpriv1 on unpriv1	non-root process on a similar non-root process
+unpriv1 on unpriv2	non-root process on a different non-root process
+unpriv1 on daemon1	non-root process on a root daemon process acting with
+			same non-root effective credentials
+unpriv1 on daemon2	non-root process on a root daemon process acting with
+			different non-root effective credentials
+unpriv1 on setuid1	non-root process on a setuid-root process with same
+			non-root real credentials
+unpriv1 on setuid2	non-root process on a setuid-root process with
+			different non-root real credentials
+
+The credential elements supported by the test suite are:
+
+	effective uid
+	real uid
+	saved uid
+	P_SUGID flag
+
+Other untested aspects of interest include groups, as well as session
+relationship.  Other test operations that might be of interest are SIGCONT,
+SIGIO, and SIGSEGV.
+
+The current set of tests includes some tests where normally the P_SUGID
+flag is set, but isn't in the test.  The result is that some tests fail
+that may not reflect real-world software configurations.  However, they
+do point to possible changes that could be made in the authorization system
+to improve resilience to failure or violation of invariants.
+
+These tests rely on __setugid(), a system call enabled using options
+REGRESSION.