authorngie <ngie@FreeBSD.org>2015-12-21 21:15:23 +0000
committerngie <ngie@FreeBSD.org>2015-12-21 21:15:23 +0000
commit08f67a93a94acdc7d20d653c6790533046b4f7cd (patch)
treefd9172f4effe4d2c043ccf907d42a056ad4de7d2 /tools/regression
parentbcce3a9a606a3685d5ea1493b506f0dcc777d23d (diff)
Make the mac_portacl testcases work / more robust
- A trap(1) call has been added to the test scripts so that the tests do a better job of restoring the test host state at the end of the run (a test interrupted partway through would otherwise leave the system in an odd state, potentially making the test results for subsequent runs non-deterministic).
- Add root user checks
- Fix nc(1) usage:
-- -o is deprecated
-- Using `-w 10` will make the call timeout after 10 seconds so it doesn't block indefinitely
- Use local variables
- Be more terse in the error messages
- Parameterize out "127.0.0.1"

MFC after: 1 week
Sponsored by: EMC / Isilon Storage Division
Diffstat (limited to 'tools/regression')
-rwxr-xr-xtools/regression/mac/mac_portacl/misc.sh44
-rwxr-xr-xtools/regression/mac/mac_portacl/nobody.t4
-rwxr-xr-xtools/regression/mac/mac_portacl/root.t4
3 files changed, 31 insertions, 21 deletions
diff --git a/tools/regression/mac/mac_portacl/misc.sh b/tools/regression/mac/mac_portacl/misc.sh
index a1f152b..5a9e67b 100755
--- a/tools/regression/mac/mac_portacl/misc.sh
+++ b/tools/regression/mac/mac_portacl/misc.sh
@@ -6,10 +6,18 @@ if [ $? -ne 0 ]; then
echo "1..0 # SKIP MAC_PORTACL is unavailable."
exit 0
fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP testcases must be run as root"
+ exit 0
+fi
ntest=1
check_bind() {
+ local host idtype name proto port udpflag
+
+ host="127.0.0.1"
+
idtype=${1}
name=${2}
proto=${3}
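Review bot: The new `local host idtype name proto port udpflag` list in check_bind leaves out `out`, which the function assigns a few lines further down, and the list added to bind_test in the later hunk likewise omits `out` and `idstr`. check_bind is only called through `$( ... )`, so its `out` stays in the subshell, but bind_test runs in the calling script and those two names remain global there. Suggest `local host idtype name out proto port udpflag` here and `local expect_without_rule expect_with_rule idstr idtype name out proto port` in bind_test. The body of check_bind continues outside this hunk.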
@@ -17,10 +25,10 @@ check_bind() {
[ "${proto}" = "udp" ] && udpflag="-u"
- out=`(
+ out=$(
case "${idtype}" in
uid|gid)
- ( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 127.0.0.1 $port" 2>&1 ) &
+ ( echo -n | su -m ${name} -c "nc ${udpflag} -l -w 10 $host $port" 2>&1 ) &
;;
jail)
kill $$
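Review bot: The `-w 10` added to the listening nc in the `uid|gid)` arm probably does not give the bound the commit message describes. As far as I recall, nc(1) states that `-w` has no effect on `-l`, so a listener that binds successfully but never gets a peer would still wait forever and the later `wait` would hang with it. The timeout does apply to the client call in the next hunk, and that call is what normally ends the listener. If that is the intent, say so next to the listener, e.g. `# -w does not time out a listener waiting for a peer; the client connect below ends it`. check_bind starts and ends outside this hunk.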
@@ -29,9 +37,9 @@ check_bind() {
kill $$
esac
sleep 0.3
- echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1
+ echo | nc ${udpflag} -w 10 $host $port >/dev/null 2>&1
wait
- )`
+ )
case "${out}" in
"nc: Permission denied"*|"nc: Operation not permitted"*)
echo fl
@@ -46,6 +54,8 @@ check_bind() {
}
bind_test() {
+ local expect_without_rule expect_with_rule idtype name proto port
+
expect_without_rule=${1}
expect_with_rule=${2}
idtype=${3}
@@ -54,40 +64,40 @@ bind_test() {
port=${6}
sysctl security.mac.portacl.rules= >/dev/null
- out=`check_bind ${idtype} ${name} ${proto} ${port}`
+ out=$(check_bind ${idtype} ${name} ${proto} ${port})
if [ "${out}" = "${expect_without_rule}" ]; then
echo "ok ${ntest}"
elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
- echo "not ok ${ntest}"
+ echo "not ok ${ntest} # '${out}' != '${expect_without_rule}'"
else
- echo "not ok ${ntest} # ${out}"
+ echo "not ok ${ntest} # unexpected output: '${out}'"
fi
- ntest=$((ntest+1))
+ : $(( ntest += 1 ))
if [ "${idtype}" = "uid" ]; then
- idstr=`id -u ${name}`
+ idstr=$(id -u ${name})
elif [ "${idtype}" = "gid" ]; then
- idstr=`id -g ${name}`
+ idstr=$(id -g ${name})
else
idstr=${name}
fi
sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null
- out=`check_bind ${idtype} ${name} ${proto} ${port}`
+ out=$(check_bind ${idtype} ${name} ${proto} ${port})
if [ "${out}" = "${expect_with_rule}" ]; then
echo "ok ${ntest}"
elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
- echo "not ok ${ntest}"
+ echo "not ok ${ntest} # '${out}' != '${expect_with_rule}'"
else
- echo "not ok ${ntest} # ${out}"
+ echo "not ok ${ntest} # unexpected output: '${out}'"
fi
- ntest=$((ntest+1))
+ : $(( ntest += 1 ))
sysctl security.mac.portacl.rules= >/dev/null
}
-reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh`
-suser_exempt=`sysctl -n security.mac.portacl.suser_exempt`
-port_high=`sysctl -n security.mac.portacl.port_high`
+reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
+suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
+port_high=$(sysctl -n security.mac.portacl.port_high)
restore_settings() {
sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null
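Review bot: The saved-state lines capture reservedhigh, suser_exempt and port_high but not `security.mac.portacl.rules`, which bind_test overwrites and then leaves empty with `sysctl security.mac.portacl.rules= >/dev/null`. A host that had port ACL rules loaded before the run would end up with none afterwards, with or without the new trap, unless restore_settings handles that in the part of its body outside this hunk. Suggest adding `saved_rules=$(sysctl -n security.mac.portacl.rules)` beside the other three and `sysctl security.mac.portacl.rules="${saved_rules}" >/dev/null` in restore_settings. The three captures are also used unchecked, so a failed `sysctl -n` would make the restore write an empty value.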
diff --git a/tools/regression/mac/mac_portacl/nobody.t b/tools/regression/mac/mac_portacl/nobody.t
index c0754eb..7d8dbd6 100755
--- a/tools/regression/mac/mac_portacl/nobody.t
+++ b/tools/regression/mac/mac_portacl/nobody.t
@@ -10,6 +10,8 @@ echo "1..64"
# behaviour.
# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.
+trap restore_settings EXIT INT TERM
+
sysctl security.mac.portacl.suser_exempt=1 >/dev/null
sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null
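Review bot: `trap restore_settings EXIT INT TERM` runs the handler on INT or TERM but does not end the script. In sh, execution resumes after a signal handler returns, so the remaining bind_test calls would run against the already restored settings and restore_settings would run again at exit. Suggest `trap restore_settings EXIT` together with `trap 'exit 1' INT TERM`, so a signal stops the run and the EXIT trap performs the single restore. The same line is added to root.t and would need the same change.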
@@ -63,5 +65,3 @@ bind_test fl ok gid nobody tcp 77
bind_test ok ok gid nobody tcp 7777
bind_test fl ok gid nobody udp 77
bind_test ok ok gid nobody udp 7777
-
-restore_settings
diff --git a/tools/regression/mac/mac_portacl/root.t b/tools/regression/mac/mac_portacl/root.t
index 626bdfa..9ed452f 100755
--- a/tools/regression/mac/mac_portacl/root.t
+++ b/tools/regression/mac/mac_portacl/root.t
@@ -8,6 +8,8 @@ echo "1..48"
# Verify if security.mac.portacl.suser_exempt=1 really exempts super-user.
+trap restore_settings EXIT INT TERM
+
sysctl security.mac.portacl.suser_exempt=1 >/dev/null
bind_test ok ok uid root tcp 77
@@ -47,5 +49,3 @@ bind_test fl ok gid root tcp 77
bind_test fl ok gid root tcp 7777
bind_test fl ok gid root udp 77
bind_test fl ok gid root udp 7777
-
-restore_settings