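#!/bin/sh
# Smack TCP socket access test.
#
# Starts a tcp_server / tcp_client pair under several Smack label
# combinations and checks that the kernel grants or denies the connection
# exactly as the loaded rules require. Exits 1 on the first case that does
# not behave as expected, 0 when all five cases pass.
#
# Requirements: smackfs mounted (located through /proc/mounts), write access
# to its "load" node, and the tcp_server / tcp_client binaries either on
# PATH or in /tmp.
RC=0

# Stderr of the server/client pairs is collected here. mktemp avoids a
# predictable /tmp name that another user could pre-create or symlink; the
# historical fixed path is only used when mktemp is unavailable.
test_file=$(mktemp /tmp/smack_socket_tcp.XXXXXX 2>/dev/null) \
  || test_file=/tmp/smack_socket_tcp

# First smackfs mount point listed in /proc/mounts. Without it every rule
# write below would go to "/load", so stop here instead.
SMACK_PATH=$(awk '/smack/ { print $2; exit }' /proc/mounts)
if [ -z "$SMACK_PATH" ]; then
  echo "smackfs does not appear to be mounted (no smack entry in /proc/mounts)" >&2
  exit 1
fi

#######################################
# Write one rule line to the smackfs load node, no trailing newline.
# Globals:   SMACK_PATH (read)
# Arguments: $1 - rule text, exactly as the kernel expects it
# Returns:   0 on success; exits 1 if the write fails
#######################################
load_rule() {
  # Fixed-width rule layout marked by the original ruler comment:
  # 12345678901234567890123456789012345678901234567890123456
  # NOTE(review): the label fields are probably space-padded to that
  # layout in the real file; confirm the padding survived copy/paste.
  if ! printf '%s' "$1" > "$SMACK_PATH/load"; then
    echo "failed to write rule '$1' to $SMACK_PATH/load" >&2
    exit 1
  fi
}

#######################################
# Locate a helper binary on PATH, falling back to /tmp/<name>.
# Arguments: $1 - binary name (tcp_server or tcp_client)
# Outputs:   the resolved path on stdout
# Returns:   0 if found, 1 otherwise (diagnostic on stderr)
#######################################
find_binary() {
  fb_path=$(command -v "$1" 2>/dev/null)
  if [ -z "$fb_path" ] && [ -f "/tmp/$1" ]; then
    fb_path="/tmp/$1"
  fi
  if [ -z "$fb_path" ]; then
    echo "$1 binary not found" >&2
    return 1
  fi
  printf '%s\n' "$fb_path"
}

tcp_server=$(find_binary tcp_server) || exit 1
tcp_client=$(find_binary tcp_client) || exit 1

#######################################
# Run one server/client pair and record both exit statuses.
# Globals:   tcp_server, tcp_client (read); server_rv, client_rv (written)
# Arguments: $1 - TCP port
#            $2 - server label
#            $3 - first label argument passed to the client
#            $4 - second label argument passed to the client
#            $5 - seconds to wait for the server before starting the client
#            $6 - file receiving stderr of both processes
#######################################
run_pair() {
  "$tcp_server" "$1" "$2" 2>"$6" &
  server_pid=$!
  sleep "$5"
  "$tcp_client" "$1" "$3" "$4" 2>"$6" &
  client_pid=$!
  wait "$server_pid"
  server_rv=$?
  wait "$client_pid"
  client_rv=$?
}

# The connection counts as established only when both sides exited 0.
both_succeeded() {
  [ "$server_rv" -eq 0 ] && [ "$client_rv" -eq 0 ]
}

# Denial is only confirmed when neither side managed to exit 0.
both_failed() {
  [ "$server_rv" -ne 0 ] && [ "$client_rv" -ne 0 ]
}

# make sure no access is granted
load_rule "label1 label2 -----"

# checking access for sockets with different labels
# stdout of both processes is discarded for this case (redirect on the call
# applies to the background children too).
run_pair 50016 label1 label2 label1 2 /dev/null >/dev/null
if ! both_failed; then
  echo "Sockets with different labels should not communicate on tcp"
  exit 1
fi

# granting access between different labels
load_rule "label1 label2 rw---"
# checking access for sockets with different labels, but having a rule granting rw
run_pair 50017 label1 label2 label1 1 "$test_file"
if ! both_succeeded; then
  echo "Sockets with different labels, but having rw access, should communicate on tcp"
  exit 1
fi

# checking access for sockets with the same label
run_pair 50018 label1 label1 label1 1 "$test_file"
if ! both_succeeded; then
  echo "Sockets with same labels should communicate on tcp"
  exit 1
fi

# checking access on socket labeled star (*)
# should always be permitted
run_pair 50019 '*' label1 label1 1 "$test_file"
if ! both_succeeded; then
  echo "Should have access on tcp socket labeled star (*)"
  exit 1
fi

# checking access from socket labeled star (*)
# all access from subject star should be denied
run_pair 50020 label1 label1 '*' 1 "$test_file"
if ! both_failed; then
  echo "Socket labeled star should not have access to any tcp socket"
  exit 1
fi

exit 0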