Code review comments from pmooney (sundry), and igork (screwups in zonecfg refactoring)
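--- a/usr/src/test/os-tests/tests/secflags/secflags_zonecfg.sh
+++ b/usr/src/test/os-tests/tests/secflags/secflags_zonecfg.sh
@@ -1,174 +1,178 @@
 #! /usr/bin/ksh
 #
 #
 # This file and its contents are supplied under the terms of the
 # Common Development and Distribution License ("CDDL"), version 1.0.
 # You may only use this file in accordance with the terms of version
 # 1.0 of the CDDL.
 #
 # A full copy of the text of the CDDL should have accompanied this
 # source. A copy of the CDDL is also available via the Internet at
 # http://www.illumos.org/license/CDDL.
 #
 
 # Copyright 2015, Richard Lowe.
 
 # Verify that zones can be configured with security-flags
 LC_ALL=C # Collation is important
 
 expect_success() {
 name=$1
 
 (echo "create -b";
 echo "set zonepath=/$name.$$";
 cat /dev/stdin;
 echo "verify";
 echo "commit";
 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1
 
 r=$?
 
 zonecfg -z $name.$$ delete -F
 
 if (($r != 0)); then
 printf "%s: FAIL\n" $name
 cat out.$$
 rm out.$$
 return 1
 else
 rm out.$$
 printf "%s: PASS\n" $name
 return 0
 fi
 }
 
 expect_fail() {
 name=$1
 expect=$2
 
 (echo "create -b";
 echo "set zonepath=/$name.$$";
 cat /dev/stdin;
 echo "verify";
 echo "commit";
 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1
 
 r=$?
 
 # Ideally will fail, since we don't want the create to have succeeded.
 zonecfg -z $name.$$ delete -F >/dev/null 2>&1
 
 
 if (($r == 0)); then
 printf "%s: FAIL (succeeded)\n" $name
 rm out.$$
 return 1
 else
 grep -q "$expect" out.$$
 if (( $? != 0 )); then
 printf "%s: FAIL (error didn't match)\n" $name
 echo "Wanted:"
 echo " $expect"
 echo "Got:"
 sed -e 's/^/ /' out.$$
 rm out.$$
 return 1;
 else
 rm out.$$
 printf "%s: PASS\n" $name
 return 0
 fi
 fi
 }
 
 ret=0
 
+expect_success valid-no-config <<EOF
+EOF
+(( $? != 0 )) && ret=1
+
 expect_success valid-full-config <<EOF
 add security-flags
 set lower=none
 set default=aslr
 set upper=all
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_success valid-partial-config <<EOF
 add security-flags
 set default=aslr
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF
 add security-flags
 set lower=aslr
 set default=none
 set upper=all
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF
 add security-flags
 set lower=aslr
 set default=none
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
 add security-flags
 set lower=none
 set default=all
 set upper=none
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF
 add security-flags
 set default=all
 set upper=none
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
 add security-flags
 set lower=none
 set default=all
 set upper=none
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF
 add security-flags
 set lower=all
 set upper=none
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF
 add security-flags
 set default=fail
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF
 add security-flags
 set lower=fail
 end
 EOF
 (( $? != 0 )) && ret=1
 
 expect_fail invalid-parse-fail-def "upper security flags 'fail' are invalid" <<EOF
 add security-flags
 set upper=fail
 end
 EOF
 (( $? != 0 )) && ret=1
 
 exit $ret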
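Review bot: The last case (new line 171) is labelled `invalid-parse-fail-def` although it sets `upper=fail`, so its PASS/FAIL line cannot be told apart from the `default=fail` case at new line 157. Rename it, e.g. `expect_fail invalid-parse-fail-upper "upper security flags 'fail' are invalid" <<EOF`. The `invalid-full-def-gt-upper` case also appears twice with identical input (new lines 123 and 140); the second copy was presumably meant to exercise a different limit combination, so one ordering check on the security-flags limits may be going untested. The added `valid-no-config` case would benefit from a one-line comment such as `# a zone with no security-flags resource must still verify and commit`, since the empty here-document does not say what regression it guards against.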