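#!/bin/sh
#
# Smack access-control test.
#
# Loads subject/object rules through the smackfs "load" interface and checks
# that the kernel enforces them for an unprivileged process. Requires root,
# a mounted smackfs, chsmack, and the helper $TMP/notroot.py (runs the given
# command as $uid with the given Smack label).
#
# Cases:
#   1. no rule "TheOne TheOther"     -> TheOne must NOT read the TheOther file
#   2. rule "TheOne TheOther r----"  -> TheOne must read it
#   3. object relabelled '*'         -> read is always permitted
#   4. subject labelled '*'          -> every access is rejected
#
# Output: one diagnostic line on stdout for the first failing case.
# Exit status: 0 when every case passes, the failing check's status otherwise.

# Mount point of smackfs: match the filesystem-type column and stop at the
# first hit, so a mount whose line merely contains "smack" is ignored and the
# variable never holds more than one path.
SMACK_PATH=$(awk '$3 == "smackfs" { print $2; exit }' /proc/mounts)

# Without this guard an empty SMACK_PATH would send every rule write to
# "/load" and the whole test would run against an unmodified policy.
if [ -z "$SMACK_PATH" ] || [ ! -w "$SMACK_PATH/load" ]; then
  echo "smackfs is not mounted or $SMACK_PATH/load is not writable"
  exit 1
fi

RC=0
TMP="/tmp"
test_file=$TMP/smack_test_access_file
test_file_2=$TMP/test_file_2
uid=1000
# 'which' rather than 'command -v': the helper executes these, so it needs a
# real binary path, not the builtin name that 'command -v echo' prints.
CAT=$(which cat)
ECHO=$(which echo)
TOUCH=$(which touch)

# Rule format is "<subject> <object> <access>", '-' meaning not granted.
# The ruler marks the fixed-width layout older smackfs versions expected;
# the short form below is what current kernels accept.
# 12345678901234567890123456789012345678901234567890123456
delrule="TheOne TheOther -----"
rule_ro="TheOne TheOther r----"

# Print a failure message on stdout and exit with the check's status.
fail() {
  echo "$1"
  exit "$2"
}

# Write one rule to smackfs. A failed write would silently leave the previous
# rule in place and make the next case test the wrong policy.
load_rule() {
  printf '%s' "$1" > "$SMACK_PATH/load" \
    || fail "cannot write rule '$1' to $SMACK_PATH/load" 1
}

# Leave nothing behind on any exit path: case 4 relies on $test_file_2 not
# existing, the next run relies on a fresh $test_file, and no test rule
# should outlive the script (best effort, errors ignored here).
cleanup() {
  rm -f -- "$test_file" "$test_file_2"
  printf '%s' "$delrule" > "$SMACK_PATH/load" 2>/dev/null || :
}
trap cleanup EXIT

# Stale files from an earlier run must go first: $test_file is written by
# this root shell, so a leftover symlink there would be followed.
rm -f -- "$test_file" "$test_file_2"
python "$TMP/notroot.py" "$uid" "TheOther" "$ECHO" 'TEST' > "$test_file"
# An unlabelled file keeps the creator's label and the built-in rules would
# then decide every case, so labelling must be verified, not assumed.
chsmack -a "TheOther" "$test_file" \
  || fail "cannot set Smack label on $test_file" 1

# Case 1: no rule -> read must be denied. LC_ALL=C keeps cat's error text in
# English so the match does not depend on the system locale (assumes the
# helper passes its environment to the command it runs).
load_rule "$delrule"
LC_ALL=C python "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" 2>&1 1>/dev/null \
  | grep -q "Permission denied" || RC=$?
if [ "$RC" -ne 0 ]; then
  fail "Process with different label than the test file and no read access on it can read it" "$RC"
fi

# Case 2: explicit read rule -> the file content must come back.
load_rule "$rule_ro"
python "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" | grep -q "TEST" || RC=$?
if [ "$RC" -ne 0 ]; then
  fail "Process with different label than the test file but with read access on it cannot read it" "$RC"
fi

# Case 3: rule removed again, object relabelled '*'. According to the Smack
# documentation any access to a '*' object is permitted, so the read must
# still succeed without a rule.
load_rule "$delrule"
chsmack -a '*' "$test_file" \
  || fail "cannot set '*' label on $test_file" 1
python "$TMP/notroot.py" "$uid" "TheOne" "$CAT" "$test_file" | grep -q "TEST" || RC=$?
if [ "$RC" -ne 0 ]; then
  fail "Process cannot read file with * label" "$RC"
fi

# Case 4: according to the Smack documentation every access requested by a
# '*' subject is rejected, so the touch must not create the file. Testing
# existence directly keeps the check independent of ls's message text.
python "$TMP/notroot.py" "$uid" '*' "$TOUCH" "$test_file_2"
[ ! -e "$test_file_2" ] || RC=1
if [ "$RC" -ne 0 ]; then
  fail "Process with label '*' should not have any access" "$RC"
fi

exit 0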