1 #! /usr/bin/ksh 2 # 3 # 4 # This file and its contents are supplied under the terms of the 5 # Common Development and Distribution License ("CDDL"), version 1.0. 6 # You may only use this file in accordance with the terms of version 7 # 1.0 of the CDDL. 8 # 9 # A full copy of the text of the CDDL should have accompanied this 10 # source. A copy of the CDDL is also available via the Internet at 11 # http://www.illumos.org/license/CDDL. 12 # 13 14 # Copyright 2015, Richard Lowe. 15 16 # Verify that zones can be configured with security-flags 17 LC_ALL=C # Collation is important 18 19 expect_success() { 20 name=$1 21 22 (echo "create -b"; 23 echo "set zonepath=/$name.$$"; 24 cat /dev/stdin; 25 echo "verify"; 26 echo "commit"; 27 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1 28 29 r=$? 30 31 zonecfg -z $name.$$ delete -F 32 33 if (($r != 0)); then 34 printf "%s: FAIL\n" $name 35 cat out.$$ 36 rm out.$$ 37 return 1 38 else 39 rm out.$$ 40 printf "%s: PASS\n" $name 41 return 0 42 fi 43 } 44 45 expect_fail() { 46 name=$1 47 expect=$2 48 49 (echo "create -b"; 50 echo "set zonepath=/$name.$$"; 51 cat /dev/stdin; 52 echo "verify"; 53 echo "commit"; 54 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1 55 56 r=$? 57 58 # Ideally will fail, since we don't want the create to have succeeded. 59 zonecfg -z $name.$$ delete -F >/dev/null 2>&1 60 61 62 if (($r == 0)); then 63 printf "%s: FAIL (succeeded)\n" $name 64 rm out.$$ 65 return 1 66 else 67 grep -q "$expect" out.$$ 68 if (( $? != 0 )); then 69 printf "%s: FAIL (error didn't match)\n" $name 70 echo "Wanted:" 71 echo " $expect" 72 echo "Got:" 73 sed -e 's/^/ /' out.$$ 74 rm out.$$ 75 return 1; 76 else 77 rm out.$$ 78 printf "%s: PASS\n" $name 79 return 0 80 fi 81 fi 82 } 83 84 ret=0 85 86 expect_success valid-full-config <<EOF 87 add security-flags 88 set lower=none 89 set default=aslr 90 set upper=all 91 end 92 EOF 93 (( $? != 0 )) && ret=1 94 95 expect_success valid-partial-config <<EOF 96 add security-flags 97 set default=aslr 98 end 99 EOF 100 (( $? != 0 )) && ret=1 101 102 expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF 103 add security-flags 104 set lower=aslr 105 set default=none 106 set upper=all 107 end 108 EOF 109 (( $? != 0 )) && ret=1 110 111 expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF 112 add security-flags 113 set lower=aslr 114 set default=none 115 end 116 EOF 117 (( $? != 0 )) && ret=1 118 119 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF 120 add security-flags 121 set lower=none 122 set default=all 123 set upper=none 124 end 125 EOF 126 (( $? != 0 )) && ret=1 127 128 expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF 129 add security-flags 130 set default=all 131 set upper=none 132 end 133 EOF 134 (( $? != 0 )) && ret=1 135 136 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF 137 add security-flags 138 set lower=none 139 set default=all 140 set upper=none 141 end 142 EOF 143 (( $? != 0 )) && ret=1 144 145 expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF 146 add security-flags 147 set lower=all 148 set upper=none 149 end 150 EOF 151 (( $? != 0 )) && ret=1 152 153 expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF 154 add security-flags 155 set default=fail 156 end 157 EOF 158 (( $? != 0 )) && ret=1 159 160 expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF 161 add security-flags 162 set lower=fail 163 end 164 EOF 165 (( $? != 0 )) && ret=1 166 167 expect_fail invalid-parse-fail-def "upper security flags 'fail' are invalid" <<EOF 168 add security-flags 169 set upper=fail 170 end 171 EOF 172 (( $? != 0 )) && ret=1 173 174 exit $ret