[meta-security][PATCH 3/9] oeqa: update smack runtime test


Armin Kuster
 

drop test_smack_mmap_enforced as is was skipped do to possible licensing issues

Signed-off-by: Armin Kuster <akuster808@...>
---
lib/oeqa/runtime/cases/smack.py | 103 +++++---------------------------
1 file changed, 15 insertions(+), 88 deletions(-)

diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py
index b8255c7..6b87574 100644
--- a/lib/oeqa/runtime/cases/smack.py
+++ b/lib/oeqa/runtime/cases/smack.py
@@ -15,17 +15,16 @@ class SmackBasicTest(OERuntimeTestCase):

@classmethod
def setUpClass(cls):
- cls.smack_path = ""
cls.current_label = ""
cls.uid = 1000
+ status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
+ cls.smack_path = output

@skipIfNotFeature('smack',
'Test requires smack to be in DISTRO_FEATURES')
@OEHasPackage(['smack-test'])
@OETestDepends(['ssh.SSHTest.test_ssh'])
def test_smack_basic(self):
- status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
- self.smack_path = output
status,output = self.target.run("cat /proc/self/attr/current")
self.current_label = output.strip()

@@ -41,11 +40,11 @@ class SmackBasicTest(OERuntimeTestCase):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m = re.search('(?<=access=")\S+(?=")', output)
+ m = re.search('(access=")\S+(?=")', output)
if m is None:
self.fail("Did not find access attribute")
else:
- label_retrieved = m .group(0)
+ label_retrieved = re.split("access=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: "
@@ -64,11 +63,11 @@ class SmackBasicTest(OERuntimeTestCase):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m= re.search('(?<=execute=")\S+(?=")', output)
+ m= re.search('(execute=")\S+(?=")', output)
if m is None:
self.fail("Did not find execute attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("execute=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -87,11 +86,11 @@ class SmackBasicTest(OERuntimeTestCase):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %filename)
self.target.run("rm %s" %filename)
- m = re.search('(?<=mmap=")\S+(?=")', output)
+ m = re.search('(mmap=")\S+(?=")', output)
if m is None:
self.fail("Did not find mmap attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("mmap=\"", output)[1][:-1]
self.assertEqual(
LABEL, label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -109,11 +108,11 @@ class SmackBasicTest(OERuntimeTestCase):
"Status and output: %d %s" %(status, output))
status, output = self.target.run("chsmack %s" %directory)
self.target.run("rmdir %s" %directory)
- m = re.search('(?<=transmute=")\S+(?=")', output)
+ m = re.search('(transmute=")\S+(?=")', output)
if m is None:
self.fail("Did not find transmute attribute")
else:
- label_retrieved = m.group(0)
+ label_retrieved = re.split("transmute=\"", output)[1][:-1]
self.assertEqual(
"TRUE", label_retrieved,
"label not set correctly. expected and gotten: " +
@@ -127,10 +126,10 @@ class SmackBasicTest(OERuntimeTestCase):
'''

labelf = "/proc/self/attr/current"
- command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+ command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)

status, output = self.target.run(
- "notroot.py 0 %s %s" %(self.current_label, command))
+ "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))

self.assertIn("PRIVILEGED", output,
"Privilege process did not change label.Output: %s" %output)
@@ -142,7 +141,7 @@ class SmackBasicTest(OERuntimeTestCase):

command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
status, output = self.target.run(
- "notroot.py %d %s %s"
+ "/usr/sbin/notroot.py %d %s %s"
%(self.uid, self.current_label, command) +
" 2>&1 | grep 'Operation not permitted'" )

@@ -160,9 +159,9 @@ class SmackBasicTest(OERuntimeTestCase):
filename = "/tmp/test_unprivileged_change_file_label"

self.target.run("touch %s" % filename)
- self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+ self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
status, output = self.target.run(
- "notroot.py " +
+ "/usr/sbin/notroot.py " +
"%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
"| grep 'Operation not permitted'" )

@@ -346,78 +345,6 @@ class SmackBasicTest(OERuntimeTestCase):
self.assertEqual(status, 0, output)


- @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
- def test_smack_mmap_enforced(self):
- '''Test if smack mmap access is enforced'''
- raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-
- # 12345678901234567890123456789012345678901234567890123456
- delr1="mmap_label mmap_test_label1 -----"
- delr2="mmap_label mmap_test_label2 -----"
- delr3="mmap_file_label mmap_test_label1 -----"
- delr4="mmap_file_label mmap_test_label2 -----"
-
- RuleA="mmap_label mmap_test_label1 rw---"
- RuleB="mmap_label mmap_test_label2 r--at"
- RuleC="mmap_file_label mmap_test_label1 rw---"
- RuleD="mmap_file_label mmap_test_label2 rwxat"
-
- mmap_label="mmap_label"
- file_label="mmap_file_label"
- test_file = "/usr/sbin/smack_test_mmap"
- mmap_exe = "/tmp/mmap_test"
- status, echo = self.target.run("which echo")
- status, output = self.target.run(
- "notroot.py %d %s %s 'test' > %s" \
- %(self.uid, self.current_label, echo, test_file))
- status, output = self.target.run("ls %s" %test_file)
- self.assertEqual(status, 0, "Could not create mmap test file")
- self.target.run("chsmack -m %s %s" %(file_label, test_file))
- self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-
- # test with no rules with mmap label or exec label as subject
- # access should be granted
- self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access without rules. Output: %s" %output)
-
- # add rules that do not match access required
- self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
- self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
- status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with unmatching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with unmatching rules")
-
- # add rule to match only partially (one way)
- self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertNotEqual(
- status, 0,
- "Should not have mmap access with partial matching rules. " +
- "Output: %s" %output)
- self.assertIn(
- "Permission denied", output,
- "Mmap access should be denied with partial matching rules")
-
- # add rule to match fully
- self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
- status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
- self.assertEqual(
- status, 0,
- "Should have mmap access with full matching rules." +
- "Output: %s" %output)
-
-
@OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
def test_smack_transmute_dir(self):
'''Test if smack transmute attribute works
--
2.25.1