Djam/kernel-6.6
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/kernel-6.6.git synced 2025-02-24 03:12:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
kernel-6.6/0206-AltHa-add-tests.patch

142 lines
3.5 KiB
Diff
Raw Permalink Blame History

From 08dab48fe589ebac8d8bf084641386d24efc21bb Mon Sep 17 00:00:00 2001
From: "Vladimir D. Seleznev" <vseleznv@altlinux.org>
Date: Fri, 3 Jun 2022 16:44:42 +0000
Subject: [PATCH] AltHa: add tests
Simple way to run:
$ hsh-install netcat-tls
$ hsh-shell --mountpoints=/proc,/dev/pts,/dev/kvm
builder$ vm-run --sbin --append=altha=1 security/altha/altha-test.sh
Signed-off-by: Vladimir D. Seleznev <vseleznv@altlinux.org>
[ Updated description. ]
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
security/altha/altha-test.sh | 114 +++++++++++++++++++++++++++++++++++
1 file changed, 114 insertions(+)
create mode 100755 security/altha/altha-test.sh
diff --git a/security/altha/altha-test.sh b/security/altha/altha-test.sh
new file mode 100755
index 000000000000..402c0ef047c8
--- /dev/null
+++ b/security/altha/altha-test.sh
@@ -0,0 +1,114 @@
+#!/bin/bash -efu
+# Copyright (c) 2022 Vladimir D. Seleznev
+# SPDX-License-Identifier: GPL-2.0
+#
+# AltHa test for nosuid feature
+
+sysctl -q kernel.altha.nosuid.enabled >/dev/null || {
+ echo >&2 "AltHa is not enabled, quitting"
+ exit 2
+}
+
+ret=0
+
+num_failed=0
+num_tests=0
+
+nosuid_enabled=kernel.altha.nosuid.enabled
+nosuid_exeptions=kernel.altha.nosuid.exceptions
+
+tmpdir="$(mktemp -d)"
+cleanup()
+{
+ if [ -f "$tmpdir/tmp_mount_options" ] &&
+ [ -f "$tmpdir/tmp_mount_target" ]; then
+ mount -o remount,"$(cat "$tmpdir/tmp_mount_options")" \
+ "$(cat "$tmpdir/tmp_mount_target")"
+ fi
+
+ [ ! -f "$tmpdir/nosuid_enabled" ] ||
+ sysctl "$nosuid_enabled=$(cat "$tmpdir/nosuid_enabled")"
+
+ [ ! -f "$tmpdir/nosuid_exceptions" ] ||
+ sysctl "$nosuid_exeptions=$(cat "$tmpdir/nosuid_exceptions")"
+
+ rm -r "$tmpdir"
+ exit "$@"
+}
+trap 'cleanup $?' EXIT QUIT INT ERR
+
+save_altha_state()
+{
+ findmnt /tmp |sed 1d |while read -r target source fstype options; do
+ echo "$options" > "$tmpdir/tmp_mount_options"
+ echo "$target" > "$tmpdir/tmp_mount_target"
+ mount -o remount,suid "$target"
+ done
+
+ sysctl "$nosuid_enabled" |cut -f3 -d' ' > "$tmpdir/nosuid_enabled"
+ sysctl "$nosuid_exeptions" |cut -f3 -d' ' > "$tmpdir/nosuid_exceptions"
+}
+
+run_test()
+{
+ local test_cmd="$1"; shift
+ local test_cond="$1"; shift
+
+ while IFS=$'\t' read -r precond expres; do
+ num_tests=$((num_tests + 1))
+
+ eval "$precond"
+ eval "$test_cmd" >"$tmpdir/result" 2>&1 ||:
+
+ if [ "$(cat "$tmpdir/result")" != "$expres" ]; then
+ echo >&2 "$test_cmd FAILED with $precond"
+ echo >&2 "expected result: $expres"
+ echo >&2 "actual result: $(cat "$tmpdir/result")"
+ num_failed=$((num_failed + 1))
+ fi
+ done <"$test_cond"
+}
+
+check_setuid()
+{
+ install -pm4755 -t "$tmpdir" /usr/bin/id
+
+ local nobody_uid
+ nobody_uid="$(grep -E '^\<nobody\>' /etc/passwd |cut -f3 -d:)"
+
+ cat <<EOF >"$tmpdir/setuid_test"
+sysctl $nosuid_enabled=0 0
+sysctl $nosuid_enabled=1 $nobody_uid
+sysctl $nosuid_exeptions=$tmpdir/id 0
+EOF
+
+
+ run_test "setpriv --reuid nobody -- $tmpdir/id -u" "$tmpdir/setuid_test"
+}
+
+check_setcap()
+{
+ install -p -t "$tmpdir" /usr/bin/nc
+ setcap cap_net_bind_service,cap_net_admin+ep "$tmpdir/nc"
+
+ cat <<EOF >"$tmpdir/setcap_test"
+sysctl $nosuid_enabled=0
+sysctl $nosuid_enabled=1 nc: Permission denied
+sysctl $nosuid_exeptions=$tmpdir/nc
+EOF
+
+ run_test "timeout 1 setpriv --reuid nobody -- $tmpdir/nc -l 9" "$tmpdir/setcap_test"
+}
+
+save_altha_state
+check_setuid
+check_setcap
+
+if [ "$num_failed" -ne 0 ]; then
+ echo >&2 "$num_failed of $num_tests tests FAILED"
+ ret=1
+else
+ echo >&2 "All $num_tests tests succeed"
+fi
+
+exit $ret
--
2.40.1
Reference in a new issue View git blame Copy permalink