diff options
author | ngie <ngie@FreeBSD.org> | 2015-12-21 21:15:23 +0000 |
---|---|---|
committer | ngie <ngie@FreeBSD.org> | 2015-12-21 21:15:23 +0000 |
commit | 08f67a93a94acdc7d20d653c6790533046b4f7cd (patch) | |
tree | fd9172f4effe4d2c043ccf907d42a056ad4de7d2 /tools/regression | |
parent | bcce3a9a606a3685d5ea1493b506f0dcc777d23d (diff) | |
download | FreeBSD-src-08f67a93a94acdc7d20d653c6790533046b4f7cd.zip FreeBSD-src-08f67a93a94acdc7d20d653c6790533046b4f7cd.tar.gz |
Make the mac_portacl testcases work / more robust
- A trap(1) call has been added to the test scripts to better
ensure that the tests do a better job at trying to restore the
test host state at the end of the tests (if the test was
interrupted before it would leave the system in an odd state,
potentially making the test results for subsequent runs
non-deterministic).
- Add root user checks
- Fix nc(1) usage:
-- -o is deprecated
-- Using `-w 10` will make the call timeout after 10 seconds so it
doesn't block indefinitely
- Use local variables
- Be more terse in the error messages
- Parameterize out "127.0.0.1"
MFC after: 1 week
Sponsored by: EMC / Isilon Storage Division
Diffstat (limited to 'tools/regression')
-rwxr-xr-x | tools/regression/mac/mac_portacl/misc.sh | 44 | ||||
-rwxr-xr-x | tools/regression/mac/mac_portacl/nobody.t | 4 | ||||
-rwxr-xr-x | tools/regression/mac/mac_portacl/root.t | 4 |
3 files changed, 31 insertions, 21 deletions
diff --git a/tools/regression/mac/mac_portacl/misc.sh b/tools/regression/mac/mac_portacl/misc.sh index a1f152b..5a9e67b 100755 --- a/tools/regression/mac/mac_portacl/misc.sh +++ b/tools/regression/mac/mac_portacl/misc.sh @@ -6,10 +6,18 @@ if [ $? -ne 0 ]; then echo "1..0 # SKIP MAC_PORTACL is unavailable." exit 0 fi +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP testcases must be run as root" + exit 0 +fi ntest=1 check_bind() { + local host idtype name proto port udpflag + + host="127.0.0.1" + idtype=${1} name=${2} proto=${3} @@ -17,10 +25,10 @@ check_bind() { [ "${proto}" = "udp" ] && udpflag="-u" - out=`( + out=$( case "${idtype}" in uid|gid) - ( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 127.0.0.1 $port" 2>&1 ) & + ( echo -n | su -m ${name} -c "nc ${udpflag} -l -w 10 $host $port" 2>&1 ) & ;; jail) kill $$ @@ -29,9 +37,9 @@ check_bind() { kill $$ esac sleep 0.3 - echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1 + echo | nc ${udpflag} -w 10 $host $port >/dev/null 2>&1 wait - )` + ) case "${out}" in "nc: Permission denied"*|"nc: Operation not permitted"*) echo fl @@ -46,6 +54,8 @@ check_bind() { } bind_test() { + local expect_without_rule expect_with_rule idtype name proto port + expect_without_rule=${1} expect_with_rule=${2} idtype=${3} @@ -54,40 +64,40 @@ bind_test() { port=${6} sysctl security.mac.portacl.rules= >/dev/null - out=`check_bind ${idtype} ${name} ${proto} ${port}` + out=$(check_bind ${idtype} ${name} ${proto} ${port}) if [ "${out}" = "${expect_without_rule}" ]; then echo "ok ${ntest}" elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then - echo "not ok ${ntest}" + echo "not ok ${ntest} # '${out}' != '${expect_without_rule}'" else - echo "not ok ${ntest} # ${out}" + echo "not ok ${ntest} # unexpected output: '${out}'" fi - ntest=$((ntest+1)) + : $(( ntest += 1 )) if [ "${idtype}" = "uid" ]; then - idstr=`id -u ${name}` + idstr=$(id -u ${name}) elif [ "${idtype}" = "gid" ]; then - idstr=`id -g ${name}` + idstr=$(id -g ${name}) else idstr=${name} fi sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null - out=`check_bind ${idtype} ${name} ${proto} ${port}` + out=$(check_bind ${idtype} ${name} ${proto} ${port}) if [ "${out}" = "${expect_with_rule}" ]; then echo "ok ${ntest}" elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then - echo "not ok ${ntest}" + echo "not ok ${ntest} # '${out}' != '${expect_with_rule}'" else - echo "not ok ${ntest} # ${out}" + echo "not ok ${ntest} # unexpected output: '${out}'" fi - ntest=$((ntest+1)) + : $(( ntest += 1 )) sysctl security.mac.portacl.rules= >/dev/null } -reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh` -suser_exempt=`sysctl -n security.mac.portacl.suser_exempt` -port_high=`sysctl -n security.mac.portacl.port_high` +reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh) +suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt) +port_high=$(sysctl -n security.mac.portacl.port_high) restore_settings() { sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null diff --git a/tools/regression/mac/mac_portacl/nobody.t b/tools/regression/mac/mac_portacl/nobody.t index c0754eb..7d8dbd6 100755 --- a/tools/regression/mac/mac_portacl/nobody.t +++ b/tools/regression/mac/mac_portacl/nobody.t @@ -10,6 +10,8 @@ echo "1..64" # behaviour. # mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh. +trap restore_settings EXIT INT TERM + sysctl security.mac.portacl.suser_exempt=1 >/dev/null sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null @@ -63,5 +65,3 @@ bind_test fl ok gid nobody tcp 77 bind_test ok ok gid nobody tcp 7777 bind_test fl ok gid nobody udp 77 bind_test ok ok gid nobody udp 7777 - -restore_settings diff --git a/tools/regression/mac/mac_portacl/root.t b/tools/regression/mac/mac_portacl/root.t index 626bdfa..9ed452f 100755 --- a/tools/regression/mac/mac_portacl/root.t +++ b/tools/regression/mac/mac_portacl/root.t @@ -8,6 +8,8 @@ echo "1..48" # Verify if security.mac.portacl.suser_exempt=1 really exempts super-user. +trap restore_settings EXIT INT TERM + sysctl security.mac.portacl.suser_exempt=1 >/dev/null bind_test ok ok uid root tcp 77 @@ -47,5 +49,3 @@ bind_test fl ok gid root tcp 77 bind_test fl ok gid root tcp 7777 bind_test fl ok gid root udp 77 bind_test fl ok gid root udp 7777 - -restore_settings |