1 #! /usr/bin/ksh
2 #
3 #
4 # This file and its contents are supplied under the terms of the
5 # Common Development and Distribution License ("CDDL"), version 1.0.
6 # You may only use this file in accordance with the terms of version
7 # 1.0 of the CDDL.
8 #
9 # A full copy of the text of the CDDL should have accompanied this
10 # source. A copy of the CDDL is also available via the Internet at
11 # http://www.illumos.org/license/CDDL.
12 #
13
14 # Copyright 2015, Richard Lowe.
15
16 # Verify that zones can be configured with security-flags
17 LC_ALL=C # Collation is important
18
19 expect_success() {
20 name=$1
21
22 (echo "create -b";
23 echo "set zonepath=/$name.$$";
24 cat /dev/stdin;
25 echo "verify";
26 echo "commit";
27 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1
28
29 r=$?
30
31 zonecfg -z $name.$$ delete -F
32
33 if (($r != 0)); then
34 printf "%s: FAIL\n" $name
35 cat out.$$
36 rm out.$$
37 return 1
38 else
39 rm out.$$
40 printf "%s: PASS\n" $name
41 return 0
42 fi
43 }
44
45 expect_fail() {
46 name=$1
47 expect=$2
48
49 (echo "create -b";
50 echo "set zonepath=/$name.$$";
51 cat /dev/stdin;
52 echo "verify";
53 echo "commit";
54 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1
55
56 r=$?
57
58 # Ideally will fail, since we don't want the create to have succeeded.
59 zonecfg -z $name.$$ delete -F >/dev/null 2>&1
60
61
62 if (($r == 0)); then
63 printf "%s: FAIL (succeeded)\n" $name
64 rm out.$$
65 return 1
66 else
67 grep -q "$expect" out.$$
68 if (( $? != 0 )); then
69 printf "%s: FAIL (error didn't match)\n" $name
70 echo "Wanted:"
71 echo " $expect"
72 echo "Got:"
73 sed -e 's/^/ /' out.$$
74 rm out.$$
75 return 1;
76 else
77 rm out.$$
78 printf "%s: PASS\n" $name
79 return 0
80 fi
81 fi
82 }
83
84 ret=0
85
86 expect_success valid-full-config <<EOF
87 add security-flags
88 set lower=none
89 set default=aslr
90 set upper=all
91 end
92 EOF
93 (( $? != 0 )) && ret=1
94
95 expect_success valid-partial-config <<EOF
96 add security-flags
97 set default=aslr
98 end
99 EOF
100 (( $? != 0 )) && ret=1
101
102 expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF
103 add security-flags
104 set lower=aslr
105 set default=none
106 set upper=all
107 end
108 EOF
109 (( $? != 0 )) && ret=1
110
111 expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF
112 add security-flags
113 set lower=aslr
114 set default=none
115 end
116 EOF
117 (( $? != 0 )) && ret=1
118
119 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
120 add security-flags
121 set lower=none
122 set default=all
123 set upper=none
124 end
125 EOF
126 (( $? != 0 )) && ret=1
127
128 expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF
129 add security-flags
130 set default=all
131 set upper=none
132 end
133 EOF
134 (( $? != 0 )) && ret=1
135
136 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
137 add security-flags
138 set lower=none
139 set default=all
140 set upper=none
141 end
142 EOF
143 (( $? != 0 )) && ret=1
144
145 expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF
146 add security-flags
147 set lower=all
148 set upper=none
149 end
150 EOF
151 (( $? != 0 )) && ret=1
152
153 expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF
154 add security-flags
155 set default=fail
156 end
157 EOF
158 (( $? != 0 )) && ret=1
159
160 expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF
161 add security-flags
162 set lower=fail
163 end
164 EOF
165 (( $? != 0 )) && ret=1
166
167 expect_fail invalid-parse-fail-def "upper security flags 'fail' are invalid" <<EOF
168 add security-flags
169 set upper=fail
170 end
171 EOF
172 (( $? != 0 )) && ret=1
173
174 exit $ret