Diffstat (limited to 'tools')
-rwxr-xr-xtools/regression/mac/mac_portacl/misc.sh44
-rwxr-xr-xtools/regression/mac/mac_portacl/nobody.t4
-rwxr-xr-xtools/regression/mac/mac_portacl/root.t4
3 files changed, 31 insertions, 21 deletions
diff --git a/tools/regression/mac/mac_portacl/misc.sh b/tools/regression/mac/mac_portacl/misc.sh
index a1f152b..5a9e67b 100755
--- a/tools/regression/mac/mac_portacl/misc.sh
+++ b/tools/regression/mac/mac_portacl/misc.sh
@@ -6,10 +6,18 @@ if [ $? -ne 0 ]; then
echo "1..0 # SKIP MAC_PORTACL is unavailable."
exit 0
fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP testcases must be run as root"
+ exit 0
+fi
ntest=1
check_bind() {
+ local host idtype name proto port udpflag
+
+ host="127.0.0.1"
+
idtype=${1}
name=${2}
proto=${3}
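Review bot: The new `local` list in check_bind omits `out`, which the function assigns in the next hunk, and the list added to bind_test further down omits both `out` and `idstr`, so those names are still set as globals. Extending the lists (`local host idtype name proto port udpflag out` and, in bind_test, `... proto port out idstr`) completes the scoping this change is introducing. Separately, the added root check `[ $(id -u) -ne 0 ]` is unquoted, so if `id` printed nothing the test would be malformed and the script would carry on instead of skipping; `if [ "$(id -u)" != 0 ]; then` skips in that case too. check_bind continues past the end of this hunk.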
@@ -17,10 +25,10 @@ check_bind() {
[ "${proto}" = "udp" ] && udpflag="-u"
- out=`(
+ out=$(
case "${idtype}" in
uid|gid)
- ( echo -n | su -m ${name} -c "nc ${udpflag} -o -l 127.0.0.1 $port" 2>&1 ) &
+ ( echo -n | su -m ${name} -c "nc ${udpflag} -l -w 10 $host $port" 2>&1 ) &
;;
jail)
kill $$
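Review bot: On the added `su` line, `${name}` is passed unquoted and `${udpflag}`, `$host` and `$port` are expanded into the string handed to `su -c`, in a script that the first hunk now requires to run as root. The callers visible in nobody.t and root.t pass fixed literals, so this is hardening rather than a live bug. I would quote the user name, `su -m "${name}" -c "nc ${udpflag} -l -w 10 ${host} ${port}"`, and add a comment above check_bind such as `# name, proto and port are expanded into a root-built command line; pass trusted constants only`. check_bind starts and ends outside this hunk.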
@@ -29,9 +37,9 @@ check_bind() {
kill $$
esac
sleep 0.3
- echo | nc ${udpflag} -o 127.0.0.1 $port >/dev/null 2>&1
+ echo | nc ${udpflag} -w 10 $host $port >/dev/null 2>&1
wait
- )`
+ )
case "${out}" in
"nc: Permission denied"*|"nc: Operation not permitted"*)
echo fl
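Review bot: The fixed `sleep 0.3` before the client `nc` is still the only synchronisation with the backgrounded listener, and the new `-w 10` makes a missed rendezvous more expensive. If the listener has not bound yet the client fails, and `wait` then appears to block until the listener gives up, presumably after the timeout if this nc applies `-w` to a listening socket at all. The literal `10` now appears on both nc lines, so it could live next to `host` as `timeout=10`. A comment such as `# -w bounds how long a listener/client that never pairs up can stall the test` would record why the timeout was added. The `case` that starts on the last lines of this hunk continues outside it.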
@@ -46,6 +54,8 @@ check_bind() {
}
bind_test() {
+ local expect_without_rule expect_with_rule idtype name proto port
+
expect_without_rule=${1}
expect_with_rule=${2}
idtype=${3}
@@ -54,40 +64,40 @@ bind_test() {
port=${6}
sysctl security.mac.portacl.rules= >/dev/null
- out=`check_bind ${idtype} ${name} ${proto} ${port}`
+ out=$(check_bind ${idtype} ${name} ${proto} ${port})
if [ "${out}" = "${expect_without_rule}" ]; then
echo "ok ${ntest}"
elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
- echo "not ok ${ntest}"
+ echo "not ok ${ntest} # '${out}' != '${expect_without_rule}'"
else
- echo "not ok ${ntest} # ${out}"
+ echo "not ok ${ntest} # unexpected output: '${out}'"
fi
- ntest=$((ntest+1))
+ : $(( ntest += 1 ))
if [ "${idtype}" = "uid" ]; then
- idstr=`id -u ${name}`
+ idstr=$(id -u ${name})
elif [ "${idtype}" = "gid" ]; then
- idstr=`id -g ${name}`
+ idstr=$(id -g ${name})
else
idstr=${name}
fi
sysctl security.mac.portacl.rules=${idtype}:${idstr}:${proto}:${port} >/dev/null
- out=`check_bind ${idtype} ${name} ${proto} ${port}`
+ out=$(check_bind ${idtype} ${name} ${proto} ${port})
if [ "${out}" = "${expect_with_rule}" ]; then
echo "ok ${ntest}"
elif [ "${out}" = "ok" -o "${out}" = "fl" ]; then
- echo "not ok ${ntest}"
+ echo "not ok ${ntest} # '${out}' != '${expect_with_rule}'"
else
- echo "not ok ${ntest} # ${out}"
+ echo "not ok ${ntest} # unexpected output: '${out}'"
fi
- ntest=$((ntest+1))
+ : $(( ntest += 1 ))
sysctl security.mac.portacl.rules= >/dev/null
}
-reserved_high=`sysctl -n net.inet.ip.portrange.reservedhigh`
-suser_exempt=`sysctl -n security.mac.portacl.suser_exempt`
-port_high=`sysctl -n security.mac.portacl.port_high`
+reserved_high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
+suser_exempt=$(sysctl -n security.mac.portacl.suser_exempt)
+port_high=$(sysctl -n security.mac.portacl.port_high)
restore_settings() {
sysctl -n net.inet.ip.portrange.reservedhigh=${reserved_high} >/dev/null
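Review bot: The two new `unexpected output: '${out}'` diagnostics print `${out}` verbatim, and in that branch `out` is by construction neither `ok` nor `fl`; presumably it is the raw nc/su error text, which can span several lines. Only the first line would then carry the `not ok N #` prefix, and the rest would land in the TAP stream as stray lines that a harness may misparse. Flattening inside the two `else` branches keeps each result on one line, e.g. `echo "not ok ${ntest} # unexpected output: '$(printf '%s' "${out}" | tr '\n' ' ')'"`. bind_test begins before this hunk and restore_settings continues after it.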
diff --git a/tools/regression/mac/mac_portacl/nobody.t b/tools/regression/mac/mac_portacl/nobody.t
index c0754eb..7d8dbd6 100755
--- a/tools/regression/mac/mac_portacl/nobody.t
+++ b/tools/regression/mac/mac_portacl/nobody.t
@@ -10,6 +10,8 @@ echo "1..64"
# behaviour.
# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.
+trap restore_settings EXIT INT TERM
+
sysctl security.mac.portacl.suser_exempt=1 >/dev/null
sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null
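Review bot: The added `trap restore_settings EXIT INT TERM` restores the sysctls on INT or TERM but does not exit, so after the handler returns the shell resumes and the remaining `bind_test` lines run against the restored values rather than the ones this file sets up. The same line is added to root.t. Keeping the cleanup on EXIT only and turning the signals into an exit avoids this and avoids running the restore twice: `trap restore_settings EXIT` followed by `trap 'exit 1' INT TERM`. This assumes restore_settings is already defined by the time the trap fires, presumably because misc.sh is sourced above the hunk, which is not visible here.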
@@ -63,5 +65,3 @@ bind_test fl ok gid nobody tcp 77
bind_test ok ok gid nobody tcp 7777
bind_test fl ok gid nobody udp 77
bind_test ok ok gid nobody udp 7777
-
-restore_settings
diff --git a/tools/regression/mac/mac_portacl/root.t b/tools/regression/mac/mac_portacl/root.t
index 626bdfa..9ed452f 100755
--- a/tools/regression/mac/mac_portacl/root.t
+++ b/tools/regression/mac/mac_portacl/root.t
@@ -8,6 +8,8 @@ echo "1..48"
# Verify if security.mac.portacl.suser_exempt=1 really exempts super-user.
+trap restore_settings EXIT INT TERM
+
sysctl security.mac.portacl.suser_exempt=1 >/dev/null
bind_test ok ok uid root tcp 77
@@ -47,5 +49,3 @@ bind_test fl ok gid root tcp 77
bind_test fl ok gid root tcp 7777
bind_test fl ok gid root udp 77
bind_test fl ok gid root udp 7777
-
-restore_settings