From f33b8e3d597932c9c97e7fe2b392d821b5460b24 Mon Sep 17 00:00:00 2001 From: jruoho Date: Mon, 9 May 2011 17:53:54 +0000 Subject: [PATCH] Add a test case for PR kern/44946. This tests that common first level sysctl nodes (ddb, hw, machdep, etc.) are not writable by a normal user. --- distrib/sets/lists/tests/mi | 5 +- etc/mtree/NetBSD.dist.tests | 3 +- tests/sbin/Makefile | 4 +- tests/sbin/sysctl/Makefile | 9 ++ tests/sbin/sysctl/t_perm.sh | 207 ++++++++++++++++++++++++++++++++++++ 5 files changed, 224 insertions(+), 4 deletions(-) create mode 100644 tests/sbin/sysctl/Makefile create mode 100644 tests/sbin/sysctl/t_perm.sh diff --git a/distrib/sets/lists/tests/mi b/distrib/sets/lists/tests/mi index ba5382425ecc..f0971028e8ce 100644 --- a/distrib/sets/lists/tests/mi +++ b/distrib/sets/lists/tests/mi @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.334 2011/05/09 07:31:50 jruoho Exp $ +# $NetBSD: mi,v 1.335 2011/05/09 17:53:54 jruoho Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -2293,6 +2293,9 @@ ./usr/tests/sbin/route tests-sbin-tests ./usr/tests/sbin/route/Atffile tests-sbin-tests atf ./usr/tests/sbin/route/t_missing tests-sbin-tests atf +./usr/tests/sbin/sysctl tests-sbin-tests +./usr/tests/sbin/sysctl/Atffile tests-sbin-tests atf +./usr/tests/sbin/sysctl/t_perm tests-sbin-tests atf ./usr/tests/sys tests-sys-tests ./usr/tests/sys/Atffile tests-sys-tests atf ./usr/tests/sys/rc tests-sys-tests diff --git a/etc/mtree/NetBSD.dist.tests b/etc/mtree/NetBSD.dist.tests index da027864feae..d5ac6346922f 100644 --- a/etc/mtree/NetBSD.dist.tests +++ b/etc/mtree/NetBSD.dist.tests @@ -1,4 +1,4 @@ -# $NetBSD: NetBSD.dist.tests,v 1.47 2011/05/05 05:39:11 jruoho Exp $ +# $NetBSD: NetBSD.dist.tests,v 1.48 2011/05/09 17:53:54 jruoho Exp $ ./usr/libdata/debug/usr/tests ./usr/libdata/debug/usr/tests/atf @@ -234,6 +234,7 @@ ./usr/tests/sbin/newfs ./usr/tests/sbin/resize_ffs ./usr/tests/sbin/route +./usr/tests/sbin/sysctl ./usr/tests/sys ./usr/tests/sys/rc ./usr/tests/syscall diff --git a/tests/sbin/Makefile b/tests/sbin/Makefile index eb25a632718a..8c954f49b4d7 100644 --- a/tests/sbin/Makefile +++ b/tests/sbin/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.4 2011/05/03 07:56:42 jruoho Exp $ +# $NetBSD: Makefile,v 1.5 2011/05/09 17:53:54 jruoho Exp $ # .include TESTSDIR= ${TESTSBASE}/sbin -TESTS_SUBDIRS+= fsck_ffs ifconfig newfs resize_ffs route +TESTS_SUBDIRS+= fsck_ffs ifconfig newfs resize_ffs route sysctl .include diff --git a/tests/sbin/sysctl/Makefile b/tests/sbin/sysctl/Makefile new file mode 100644 index 000000000000..a44c4762b58b --- /dev/null +++ b/tests/sbin/sysctl/Makefile @@ -0,0 +1,9 @@ +# $NetBSD: Makefile,v 1.1 2011/05/09 17:53:54 jruoho Exp $ + +.include + +TESTSDIR= ${TESTSBASE}/sbin/sysctl + +TESTS_SH= t_perm + +.include diff --git a/tests/sbin/sysctl/t_perm.sh b/tests/sbin/sysctl/t_perm.sh new file mode 100644 index 000000000000..5cef31de506c --- /dev/null +++ b/tests/sbin/sysctl/t_perm.sh @@ -0,0 +1,207 @@ +#! /usr/bin/atf-sh +# +# $NetBSD: t_perm.sh,v 1.1 2011/05/09 17:53:54 jruoho Exp $ +# +# Copyright (c) 2011 The NetBSD Foundation, Inc. +# All rights reserved. +# +# This code is derived from software contributed to The NetBSD Foundation +# by Jukka Ruohonen. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# +clean() { + + if [ -f /tmp/d_sysctl.out ]; then + rm /tmp/d_sysctl.out + fi +} + +sysctl_write() { + + + deadbeef="3735928559" + file="/tmp/d_sysctl.out" + + sysctl "$1" | cut -d= -f1 > $file + + if [ ! -f $file ]; then + atf_fail "sysctl -a failed" + fi + + # This should probably include a functional verification + # that $deadbeef was not actually written to the node... + # + while read line; do + + node="$(echo $line)" + + case "$node" in + + "$1."*) + atf_check -s not-exit:0 -e ignore \ + -x sysctl -w "$node=$deadbeef" + ;; + esac + + done < $file +} + +# ddb. +# +atf_test_case sysctl_ddb cleanup +sysctl_ddb_head() { + atf_set "require.user" "unprivileged" + atf_set "descr" "Test writing to 'ddb' sysctl node as an user" +} + +sysctl_ddb_body() { + sysctl_write "ddb" +} + +sysctl_ddb_cleanup() { + clean +} + +# hw. +# +atf_test_case sysctl_hw cleanup +sysctl_hw_head() { + atf_set "require.user" "unprivileged" + atf_set "descr" "Test writing to 'hw' sysctl node as an user" +} + +sysctl_hw_body() { + sysctl_write "hw" +} + +sysctl_hw_cleanup() { + clean +} + +# kern. +# +atf_test_case sysctl_kern #cleanup +sysctl_kern_head() { + atf_set "require.user" "unprivileged" + atf_set "descr" "Test writing to 'kern' sysctl node as an user" +} + +sysctl_kern_body() { + atf_expect_fail "PR kern/44946" + sysctl_write "kern" +} + +sysctl_kern_cleanup() { + clean +} + +# machdep. +# +atf_test_case sysctl_machdep cleanup +sysctl_machdep_head() { + atf_set "require.user" "unprivileged" + atf_set "descr" "Test writing to 'machdep' sysctl node as an user" +} + +sysctl_machdep_body() { + sysctl_write "machdep" +} + +sysctl_machdep_cleanup() { + clean +} + +# net. +# +atf_test_case sysctl_net cleanup +sysctl_net_head() { + atf_set "require.user" "unprivileged" + atf_set "descr" "Test writing to 'net' sysctl node as an user" +} + +sysctl_net_body() { + sysctl_write "net" +} + +sysctl_net_cleanup() { + clean +} + +# security. +# +atf_test_case sysctl_security cleanup +sysctl_security_head() { + atf_set "require.user" "unprivileged" + atf_set "descr" "Test writing to 'security' sysctl node as an user" +} + +sysctl_security_body() { + sysctl_write "security" +} + +sysctl_security_cleanup() { + clean +} + +# vfs. +# +atf_test_case sysctl_vfs cleanup +sysctl_vfs_head() { + atf_set "require.user" "unprivileged" + atf_set "descr" "Test writing to 'vfs' sysctl node as an user" +} + +sysctl_vfs_body() { + sysctl_write "vfs" +} + +sysctl_vfs_cleanup() { + clean +} + +# vm. +# +atf_test_case sysctl_vm cleanup +sysctl_vm_head() { + atf_set "require.user" "unprivileged" + atf_set "descr" "Test writing to 'vm' sysctl node as an user" +} + +sysctl_vm_body() { + sysctl_write "vm" +} + +sysctl_vm_cleanup() { + clean +} + +atf_init_test_cases() { + atf_add_test_case sysctl_ddb + atf_add_test_case sysctl_hw + atf_add_test_case sysctl_kern + atf_add_test_case sysctl_machdep + atf_add_test_case sysctl_net + atf_add_test_case sysctl_security + atf_add_test_case sysctl_vfs + atf_add_test_case sysctl_vm +}