1 #! /usr/bin/ksh
2 #
3 #
4 # This file and its contents are supplied under the terms of the
5 # Common Development and Distribution License ("CDDL"), version 1.0.
6 # You may only use this file in accordance with the terms of version
7 # 1.0 of the CDDL.
8 #
9 # A full copy of the text of the CDDL should have accompanied this
10 # source. A copy of the CDDL is also available via the Internet at
11 # http://www.illumos.org/license/CDDL.
12 #
13
14 # Copyright 2015, Richard Lowe.
15
16 # Verify that zones can be configured with security-flags
17 LC_ALL=C # Collation is important
18
19 expect_success() {
20 name=$1
21
22 (echo "create -b";
23 echo "set zonepath=/$name.$$";
24 cat /dev/stdin;
25 echo "verify";
26 echo "commit";
27 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1
28
29 r=$?
30
31 zonecfg -z $name.$$ delete -F
32
33 if (($r != 0)); then
34 printf "%s: FAIL\n" $name
35 cat out.$$
36 rm out.$$
37 return 1
38 else
39 rm out.$$
40 printf "%s: PASS\n" $name
41 return 0
42 fi
43 }
44
45 expect_fail() {
46 name=$1
47 expect=$2
48
49 (echo "create -b";
50 echo "set zonepath=/$name.$$";
51 cat /dev/stdin;
52 echo "verify";
53 echo "commit";
54 echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1
55
56 r=$?
57
58 # Ideally will fail, since we don't want the create to have succeeded.
59 zonecfg -z $name.$$ delete -F >/dev/null 2>&1
60
61
62 if (($r == 0)); then
63 printf "%s: FAIL (succeeded)\n" $name
64 rm out.$$
65 return 1
66 else
67 grep -q "$expect" out.$$
68 if (( $? != 0 )); then
69 printf "%s: FAIL (error didn't match)\n" $name
70 echo "Wanted:"
71 echo " $expect"
72 echo "Got:"
73 sed -e 's/^/ /' out.$$
74 rm out.$$
75 return 1;
76 else
77 rm out.$$
78 printf "%s: PASS\n" $name
79 return 0
80 fi
81 fi
82 }
83
84 ret=0
85
86 expect_success valid-no-config <<EOF
87 EOF
88 (( $? != 0 )) && ret=1
89
90 expect_success valid-full-config <<EOF
91 add security-flags
92 set lower=none
93 set default=aslr
94 set upper=all
95 end
96 EOF
97 (( $? != 0 )) && ret=1
98
99 expect_success valid-partial-config <<EOF
100 add security-flags
101 set default=aslr
102 end
103 EOF
104 (( $? != 0 )) && ret=1
105
106 expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF
107 add security-flags
108 set lower=aslr
109 set default=none
110 set upper=all
111 end
112 EOF
113 (( $? != 0 )) && ret=1
114
115 expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF
116 add security-flags
117 set lower=aslr
118 set default=none
119 end
120 EOF
121 (( $? != 0 )) && ret=1
122
123 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
124 add security-flags
125 set lower=none
126 set default=all
127 set upper=none
128 end
129 EOF
130 (( $? != 0 )) && ret=1
131
132 expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF
133 add security-flags
134 set default=all
135 set upper=none
136 end
137 EOF
138 (( $? != 0 )) && ret=1
139
140 expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
141 add security-flags
142 set lower=none
143 set default=all
144 set upper=none
145 end
146 EOF
147 (( $? != 0 )) && ret=1
148
149 expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF
150 add security-flags
151 set lower=all
152 set upper=none
153 end
154 EOF
155 (( $? != 0 )) && ret=1
156
157 expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF
158 add security-flags
159 set default=fail
160 end
161 EOF
162 (( $? != 0 )) && ret=1
163
164 expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF
165 add security-flags
166 set lower=fail
167 end
168 EOF
169 (( $? != 0 )) && ret=1
170
171 expect_fail invalid-parse-fail-def "upper security flags 'fail' are invalid" <<EOF
172 add security-flags
173 set upper=fail
174 end
175 EOF
176 (( $? != 0 )) && ret=1
177
178 exit $ret