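#!/bin/sh
# Smack TCP socket test. Loads Smack rules for label1/label2 and checks, with
# the tcp_server and tcp_client helpers, which labeled sockets may communicate.
# Exits 1 with a message on the first failed check.
RC=0

# Locate smackfs by filesystem type (third field of /proc/mounts). A plain
# "grep smack" also matches any other mount whose line merely contains the
# word, which would put several paths into SMACK_PATH.
SMACK_PATH=$(awk '$3 == "smackfs" { print $2; exit }' /proc/mounts)
if [ -z "$SMACK_PATH" ] || [ ! -w "$SMACK_PATH/load" ]; then
	# With an empty SMACK_PATH the rule writes below would target "/load".
	echo "smackfs is not mounted or its load file is not writable"
	exit 1
fi

# Capture file for the helpers' stderr. It is created with mktemp because a
# fixed name in world-writable /tmp lets another local user pre-create it as a
# symlink, and the redirections below would then truncate the link's target.
test_file=$(mktemp /tmp/smack_socket_tcp.XXXXXX) || {
	echo "cannot create temporary file for stderr capture"
	exit 1
}

# Remove the capture file after a clean run; keep it for diagnosis otherwise.
cleanup() {
	rv=$?
	if [ "$rv" -eq 0 ]; then
		rm -f -- "$test_file"
	else
		echo "stderr capture kept in $test_file" >&2
	fi
}
trap cleanup EXIT

# make sure no access is granted
#            12345678901234567890123456789012345678901234567890123456
printf '%s' "label1                  label2                  -----" > "$SMACK_PATH/load"
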
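# Locate the tcp_server and tcp_client helpers: prefer the copy on PATH, fall
# back to a copy in /tmp, and stop if neither exists.
# NOTE(review): /tmp is world-writable, so the fallback runs whatever file
# another local user placed there first. Confirm the harness installs these
# helpers itself before the test starts, or move them to a directory only the
# test user can write.
tcp_server=$(command -v tcp_server)
if [ -z "$tcp_server" ]; then
	if [ -f "/tmp/tcp_server" ]; then
		tcp_server="/tmp/tcp_server"
	else
		echo "tcp_server binary not found"
		exit 1
	fi
fi
tcp_client=$(command -v tcp_client)
if [ -z "$tcp_client" ]; then
	if [ -f "/tmp/tcp_client" ]; then
		tcp_client="/tmp/tcp_client"
	else
		echo "tcp_client binary not found"
		exit 1
	fi
fi
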
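# checking access for sockets with different labels
# Expected result: denial, because the rule loaded so far grants label1/label2
# no access ("-----").
#
# Output is discarded with ">/dev/null 2>&1". The bash-only "&>" form must not
# be used under #!/bin/sh: a shell without that extension (e.g. dash) reads
# "cmd &>/dev/null &" as "cmd &" plus a second, empty background command, so
# $! would name the wrong process and its wait status would always be 0.
"$tcp_server" 50016 label1 >/dev/null 2>&1 &
server_pid=$!
# presumably gives the server time to start listening; confirm against tcp_server
sleep 2
"$tcp_client" 50016 label2 label1 >/dev/null 2>&1 &
client_pid=$!

wait "$server_pid"
server_rv=$?
wait "$client_pid"
client_rv=$?

# The check passes only when both helpers exit non-zero.
# NOTE(review): any failure (busy port, helper crash) also counts as "denied"
# here; the positive checks later in the script are what catch a broken setup.
if [ "$server_rv" -eq 0 ] || [ "$client_rv" -eq 0 ]; then
	echo "Sockets with different labels should not communicate on tcp"
	exit 1
fi
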
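# granting access between different labels
# ${SMACK_PATH:?} aborts instead of writing to "/load" if the mount point was
# never found.
# NOTE(review): nothing later in this script replaces this rw rule, so it is
# still loaded when the script exits.
#            12345678901234567890123456789012345678901234567890123456
printf '%s' "label1                  label2                  rw---" > "${SMACK_PATH:?smackfs mount point not found}/load"
# checking access for sockets with different labels, but having a rule granting rw
# Both helpers log stderr to the same file. Empty it once and open it in append
# mode from both sides; two truncating "2>" redirections overwrite each other.
: > "$test_file"
"$tcp_server" 50017 label1 2>>"$test_file" &
server_pid=$!
sleep 1
"$tcp_client" 50017 label2 label1 2>>"$test_file" &
client_pid=$!
wait "$server_pid"
server_rv=$?
wait "$client_pid"
client_rv=$?
# Both helpers must exit 0 for the check to pass.
if [ "$server_rv" -ne 0 ] || [ "$client_rv" -ne 0 ]; then
	echo "Sockets with different labels, but having rw access, should communicate on tcp"
	exit 1
fi
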
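# checking access for sockets with the same label
# Both helpers log stderr to the same file. Empty it once and open it in append
# mode from both sides; two truncating "2>" redirections overwrite each other.
: > "$test_file"
"$tcp_server" 50018 label1 2>>"$test_file" &
server_pid=$!
sleep 1
"$tcp_client" 50018 label1 label1 2>>"$test_file" &
client_pid=$!
wait "$server_pid"
server_rv=$?
wait "$client_pid"
client_rv=$?
# Both helpers must exit 0 for the check to pass.
if [ "$server_rv" -ne 0 ] || [ "$client_rv" -ne 0 ]; then
	echo "Sockets with same labels should communicate on tcp"
	exit 1
fi
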
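# checking access on socket labeled star (*)
# should always be permitted
# The star is quoted so the shell passes a literal "*" instead of expanding it
# as a glob. Stderr of both helpers is appended to one freshly emptied file;
# two truncating "2>" redirections overwrite each other.
: > "$test_file"
"$tcp_server" 50019 '*' 2>>"$test_file" &
server_pid=$!
sleep 1
"$tcp_client" 50019 label1 label1 2>>"$test_file" &
client_pid=$!
wait "$server_pid"
server_rv=$?
wait "$client_pid"
client_rv=$?
# Both helpers must exit 0 for the check to pass.
if [ "$server_rv" -ne 0 ] || [ "$client_rv" -ne 0 ]; then
	echo "Should have access on tcp socket labeled star (*)"
	exit 1
fi
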
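# checking access from socket labeled star (*)
# all access from subject star should be denied
# The star is quoted so the shell passes a literal "*" instead of expanding it
# as a glob. Stderr of both helpers is appended to one freshly emptied file;
# two truncating "2>" redirections overwrite each other.
: > "$test_file"
"$tcp_server" 50020 label1 2>>"$test_file" &
server_pid=$!
sleep 1
"$tcp_client" 50020 label1 '*' 2>>"$test_file" &
client_pid=$!
wait "$server_pid"
server_rv=$?
wait "$client_pid"
client_rv=$?
# The check passes only when both helpers exit non-zero.
# NOTE(review): any failure (busy port, helper crash) also counts as "denied"
# here, so this check alone does not prove that Smack refused the connection.
if [ "$server_rv" -eq 0 ] || [ "$client_rv" -eq 0 ]; then
	echo "Socket labeled star should not have access to any tcp socket"
	exit 1
fi
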