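#!/bin/sh
#
# Smack access-control smoke test.
#
# Exercises the subject/object rule table through smackfs:
#   1. a file labelled "TheOther" is unreadable by a "TheOne" process while
#      no "TheOne TheOther" rule is loaded;
#   2. loading a read rule makes it readable;
#   3. an object labelled "*" is always readable;
#   4. a subject labelled "*" is denied every access.
# Must run as root on a system with smackfs mounted.  Unprivileged helper
# processes are spawned as $uid through $TMP/notroot.py.
# Exits 0 on success and non-zero on the first failed check or unmet
# precondition; failure messages go to stdout as before.

set -eu

# cat/ls print localised error strings and the checks below match the
# English text, so pin the C locale for this shell and every child.
export LC_ALL=C

TMP="/tmp"
uid=1000
RC=0
# Fixed paths: notroot.py is installed here by the test harness and the
# test file sits next to it, so the names are deliberately not randomised.
test_file="$TMP/smack_test_access_file"
test_file_2="$TMP/test_file_2"

# Mount point of smackfs; only the first matching mount is used so a
# second match cannot turn SMACK_PATH into a multi-line value.
SMACK_PATH=$(awk '/smack/ { print $2; exit }' /proc/mounts)
if [ -z "$SMACK_PATH" ]; then
    echo "smackfs is not mounted; cannot run the Smack access test" >&2
    exit 1
fi
if [ ! -w "$SMACK_PATH/load" ]; then
    echo "$SMACK_PATH/load is not writable; this test must run as root" >&2
    exit 1
fi
if [ ! -f "$TMP/notroot.py" ]; then
    echo "$TMP/notroot.py is missing; cannot spawn unprivileged helpers" >&2
    exit 1
fi

# Rule format: "<subject> <object> <access>".
# 12345678901234567890123456789012345678901234567890123456
delrule="TheOne TheOther -----"
rule_ro="TheOne TheOther r----"

# Runs on every exit path: drop the test rule so a failed run does not
# leave a "TheOne -> TheOther" read rule behind, and remove the test files.
cleanup() {
    printf '%s' "$delrule" > "$SMACK_PATH/load" 2>/dev/null || :
    rm -f -- "$test_file" "$test_file_2"
}
trap cleanup EXIT

CAT=$(command -v cat)
ECHO=$(command -v echo)
TOUCH=$(command -v touch)

# Stale artefacts from an earlier run would skew the checks below.
rm -f -- "$test_file" "$test_file_2"

# Create the object as root (the redirection is performed by this shell,
# not by the helper) and label it "TheOther".
python3 "$TMP/notroot.py" "$uid" "TheOther" "$ECHO" 'TEST' > "$test_file"
chsmack -a "TheOther" "$test_file"

# 1. Remove any pre-existent rule for "TheOne TheOther <access>"; a
#    "TheOne" process must then be denied read access.
printf '%s' "$delrule" > "$SMACK_PATH/load"
python3 "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" 2>&1 1>/dev/null \
    | grep -q "Permission denied" || RC=$?
if [ "$RC" -ne 0 ]; then
    echo "Process with different label than the test file and no read access on it can read it"
    exit "$RC"
fi

# 2. Grant read access; the same process must now see the content.
printf '%s' "$rule_ro" > "$SMACK_PATH/load"
python3 "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" \
    | grep -q "TEST" || RC=$?
if [ "$RC" -ne 0 ]; then
    echo "Process with different label than the test file but with read access on it cannot read it"
    exit "$RC"
fi

# 3. Remove the rule again and relabel the object "*": according to the
#    Smack documentation, read access on a "*" object is always permitted.
printf '%s' "$delrule" > "$SMACK_PATH/load"
chsmack -a '*' "$test_file"
python3 "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" \
    | grep -q "TEST" || RC=$?
if [ "$RC" -ne 0 ]; then
    echo "Process cannot read file with * label"
    exit "$RC"
fi

# 4. A "*" subject: according to the Smack documentation every access
#    requested by a star-labelled subject is rejected, so touch must not
#    create the file.  The helper is expected to fail; "|| :" keeps set -e
#    from aborting the script on that expected failure.
python3 "$TMP/notroot.py" "$uid" '*' "$TOUCH" "$test_file_2" || :
if [ -e "$test_file_2" ]; then
    echo "Process with label '*' should not have any access"
    exit 1
fi
exit 0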