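#!/bin/sh
#
# Smack file-access test.
#
# Checks that Smack mediates read access to a file labelled "TheOther" for a
# process labelled "TheOne", and that the "*" label behaves as documented:
# any subject may read a "*" object, and a "*" subject is denied every access.
#
# Requires: root, a mounted smackfs, chsmack, python3 and the helper
# $TMP/notroot.py, which (judging by its use below) runs "<cmd> <args>" as
# <uid> with Smack label <label>.
# Exit status: 0 when every check passes, otherwise the first failing status.

SMACK_PATH=$(grep smack /proc/mounts | awk '{print $2}')
RC=0
TMP="/tmp"
CAT=$(command -v cat)
ECHO=$(command -v echo)
TOUCH=$(command -v touch)
uid=1000
test_file_2=$TMP/test_file_2

# Refuse to run when smackfs is not mounted: with an empty SMACK_PATH the rule
# writes below would land in /load and none of the checks would mean anything.
if [ -z "$SMACK_PATH" ]; then
	echo "smackfs not found in /proc/mounts; cannot run the Smack tests" >&2
	exit 1
fi

# Rules use the fixed-width format accepted by smackfs "load"; the ruler shows
# the column layout (subject / object / access).
#        12345678901234567890123456789012345678901234567890123456
delrule="TheOne                  TheOther                -----"
rule_ro="TheOne                  TheOther                r----"

# Runs on every exit path: drop the "TheOne -> TheOther" rule and remove the
# scratch files, so a failing check does not leave read access or stale files
# behind for the next run.
cleanup() {
	printf '%s' "$delrule" > "$SMACK_PATH/load"
	rm -f -- "$test_file" "$test_file_2"
}

# Scratch file with an unpredictable name: a fixed name in the shared /tmp
# could be pre-created (or symlinked) by another local user before this
# root-run script writes to it. mktemp creates it 0600, so widen it to 0644
# as the old shell redirect did; otherwise DAC, not Smack, would refuse the
# uid 1000 read and mask what the test is measuring.
test_file=$(mktemp "$TMP/smack_test_access_file.XXXXXX") || exit 1
trap cleanup EXIT
chmod 644 "$test_file"

# NOTE(review): notroot.py is executed by root from $TMP; the harness is
# expected to install it there, but confirm that location is not writable by
# unprivileged users on the device under test.
# Populate the file as uid 1000 / label "TheOther", then label the file.
python3 "$TMP/notroot.py" "$uid" "TheOther" "$ECHO" 'TEST' > "$test_file"
chsmack -a "TheOther" "$test_file"

# 1. Remove any pre-existing rule for "TheOne TheOther <access>": with no rule
#    the read by a "TheOne" process must be refused.
#    Stderr is sent to the pipe and stdout discarded so only the error text is
#    examined.
printf '%s' "$delrule" > "$SMACK_PATH/load"
python3 "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" 2>&1 1>/dev/null \
	| grep -q "Permission denied" || RC=$?
if [ "$RC" -ne 0 ]; then
	echo "Process with different label than the test file and no read access on it can read it"
	exit "$RC"
fi

# 2. Grant read access: the same process must now see the file content.
printf '%s' "$rule_ro" > "$SMACK_PATH/load"
python3 "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" | grep -q "TEST" || RC=$?
if [ "$RC" -ne 0 ]; then
	echo "Process with different label than the test file but with read access on it cannot read it"
	exit "$RC"
fi

# 3. Remove the rule again and relabel the object "*": according to the Smack
#    documentation, read access on a "*" object is always permitted.
printf '%s' "$delrule" > "$SMACK_PATH/load"
chsmack -a '*' "$test_file"
python3 "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" | grep -q "TEST" || RC=$?
if [ "$RC" -ne 0 ]; then
	echo "Process cannot read file with * label"
	exit "$RC"
fi

# 4. Subject labelled "*": according to the Smack documentation every access
#    requested by a star-labelled subject is rejected, so touch must not create
#    the file. A leftover from an earlier run is removed first so it cannot
#    produce a false failure; the existence test replaces matching ls's
#    locale-dependent error text.
rm -f -- "$test_file_2"
python3 "$TMP/notroot.py" "$uid" '*' "$TOUCH" "$test_file_2"
if [ -e "$test_file_2" ]; then
	RC=1
	echo "Process with label '*' should not have any access"
	exit "$RC"
fi
exit 0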