1 #! /usr/bin/ksh
   2 #
   3 #
   4 # This file and its contents are supplied under the terms of the
   5 # Common Development and Distribution License ("CDDL"), version 1.0.
   6 # You may only use this file in accordance with the terms of version
   7 # 1.0 of the CDDL.
   8 #
   9 # A full copy of the text of the CDDL should have accompanied this
  10 # source.  A copy of the CDDL is also available via the Internet at
  11 # http://www.illumos.org/license/CDDL.
  12 #
  13 
  14 # Copyright 2015, Richard Lowe.
  15 
  16 # Verify that zones can be configured with security-flags
  17 LC_ALL=C                        # Collation is important
  18 
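# Pipe a zone configuration into zonecfg and require that it is accepted.
#
# Arguments: $1 - test name; "$1.<shell pid>" is used as the scratch zone
#                 name and as its zonepath directly under /
# Input:     stdin - zonecfg subcommands, inserted between "create -b" and
#                    the trailing "verify", "commit", "exit"
# Outputs:   "<name>: PASS", or "<name>: FAIL" followed by what zonecfg printed
# Returns:   0 when zonecfg exits 0, otherwise 1
expect_success() {
    name=$1
    zone="$name.$$"

    # Capture zonecfg's output in a mktemp file rather than a predictable
    # out.<pid> in the current directory: a fixed name can collide with, or be
    # redirected through, a file that already exists there, and creating zones
    # presumably means this runs with privilege.
    outfile=$(mktemp) || {
        printf "%s: FAIL (mktemp failed)\n" "$name"
        return 1
    }

    {
        echo "create -b"
        echo "set zonepath=/$zone"
        cat                     # caller-supplied subcommands from stdin
        echo "verify"
        echo "commit"
        echo "exit"
    } | zonecfg -z "$zone" > "$outfile" 2>&1
    r=$?

    # Always drop the scratch zone so a committed configuration does not
    # outlive the test.
    zonecfg -z "$zone" delete -F

    if (( r != 0 )); then
        printf "%s: FAIL\n" "$name"
        cat "$outfile"
        rm -f "$outfile"
        return 1
    fi

    rm -f "$outfile"
    printf "%s: PASS\n" "$name"
    return 0
}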
  44 
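# Pipe a zone configuration into zonecfg and require that it is rejected with
# a specific error message.
#
# Arguments: $1 - test name; "$1.<shell pid>" is used as the scratch zone
#                 name and as its zonepath directly under /
#            $2 - text expected in zonecfg's output; it is passed to grep as
#                 a pattern, so it is matched as a regular expression anywhere
#                 in the output
# Input:     stdin - zonecfg subcommands, inserted between "create -b" and
#                    the trailing "verify", "commit", "exit"
# Outputs:   "<name>: PASS", or a "<name>: FAIL (...)" line; on a message
#            mismatch the wanted text and the captured output follow
# Returns:   0 when zonecfg exits non-zero and its output matches $2,
#            otherwise 1
expect_fail() {
    name=$1
    expect=$2
    zone="$name.$$"

    # Capture zonecfg's output in a mktemp file rather than a predictable
    # out.<pid> in the current directory: a fixed name can collide with, or be
    # redirected through, a file that already exists there, and creating zones
    # presumably means this runs with privilege.
    outfile=$(mktemp) || {
        printf "%s: FAIL (mktemp failed)\n" "$name"
        return 1
    }

    {
        echo "create -b"
        echo "set zonepath=/$zone"
        cat                     # caller-supplied subcommands from stdin
        echo "verify"
        echo "commit"
        echo "exit"
    } | zonecfg -z "$zone" > "$outfile" 2>&1
    r=$?

    # This delete is itself expected to fail, because the create should not
    # have been committed; it only cleans up when an invalid configuration
    # was wrongly accepted. Its output is noise either way.
    zonecfg -z "$zone" delete -F >/dev/null 2>&1

    # An accepted configuration is the failure this test exists to catch.
    if (( r == 0 )); then
        printf "%s: FAIL (succeeded)\n" "$name"
        rm -f "$outfile"
        return 1
    fi

    # Rejection alone is not enough: the rejection must be for the reason
    # under test, not some unrelated error.
    if grep -q "$expect" "$outfile"; then
        rm -f "$outfile"
        printf "%s: PASS\n" "$name"
        return 0
    fi

    printf "%s: FAIL (error didn't match)\n" "$name"
    echo "Wanted:"
    echo "  $expect"
    echo "Got:"
    sed -e 's/^/  /' "$outfile"
    rm -f "$outfile"
    return 1
}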
  83 
  84 ret=0
  85 
  86 expect_success valid-full-config <<EOF
  87 add security-flags
  88 set lower=none
  89 set default=aslr
  90 set upper=all
  91 end
  92 EOF
  93 (( $? != 0 )) && ret=1
  94 
  95 expect_success valid-partial-config <<EOF
  96 add security-flags
  97 set default=aslr
  98 end
  99 EOF
 100 (( $? != 0 )) && ret=1
 101 
 102 expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF
 103 add security-flags
 104 set lower=aslr
 105 set default=none
 106 set upper=all
 107 end
 108 EOF
 109 (( $? != 0 )) && ret=1
 110 
 111 expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF
 112 add security-flags
 113 set lower=aslr
 114 set default=none
 115 end
 116 EOF
 117 (( $? != 0 )) && ret=1
 118 
 119 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
 120 add security-flags
 121 set lower=none
 122 set default=all
 123 set upper=none
 124 end
 125 EOF
 126 (( $? != 0 )) && ret=1
 127 
 128 expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF
 129 add security-flags
 130 set default=all
 131 set upper=none
 132 end
 133 EOF
 134 (( $? != 0 )) && ret=1
 135 
 136 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
 137 add security-flags
 138 set lower=none
 139 set default=all
 140 set upper=none
 141 end
 142 EOF
 143 (( $? != 0 )) && ret=1
 144 
 145 expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF
 146 add security-flags
 147 set lower=all
 148 set upper=none
 149 end
 150 EOF
 151 (( $? != 0 )) && ret=1
 152 
 153 expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF
 154 add security-flags
 155 set default=fail
 156 end
 157 EOF
 158 (( $? != 0 )) && ret=1
 159 
 160 expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF
 161 add security-flags
 162 set lower=fail
 163 end
 164 EOF
 165 (( $? != 0 )) && ret=1
 166 
 167 expect_fail invalid-parse-fail-def "upper security flags 'fail' are invalid" <<EOF
 168 add security-flags
 169 set upper=fail
 170 end
 171 EOF
 172 (( $? != 0 )) && ret=1
 173 
 174 exit $ret