oeqa: update smack runtime test

drop test_smack_mmap_enforced as is was skipped do to possible licensing issues Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2022-06-13 12:15:41 -0700
committer: Armin Kuster <akuster808@gmail.com> 2022-06-23 18:47:59 -0700
commit: 102e47f14d182bc3d32ce6a2e344a30f8e13d86f (patch)
tree: 8e163af17b74e5d71e9d016f15c60ef53a7bb8be /lib
parent: 95f7abc7ef3af9cdace7c54dba9540963cec7bad (diff)
download: meta-security-102e47f14d182bc3d32ce6a2e344a30f8e13d86f.tar.gz
1 files changed, 15 insertions, 88 deletions
diff --git a/lib/oeqa/runtime/cases/smack.py b/lib/oeqa/runtime/cases/smack.py
index b8255c7..6b87574 100644
--- a/lib/oeqa/runtime/cases/smack.py
+++ b/lib/oeqa/runtime/cases/smack.py
@@ -15,17 +15,16 @@ class SmackBasicTest(OERuntimeTestCase):
    @classmethod
    def setUpClass(cls):
-        cls.smack_path = ""
        cls.current_label  = ""
        cls.uid = 1000
+        status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
+        cls.smack_path = output
    @skipIfNotFeature('smack',
        'Test requires smack to be in DISTRO_FEATURES')
    @OEHasPackage(['smack-test'])
    @OETestDepends(['ssh.SSHTest.test_ssh'])
    def test_smack_basic(self):
-        status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
-        self.smack_path = output
        status,output = self.target.run("cat /proc/self/attr/current")
        self.current_label = output.strip()
@@ -41,11 +40,11 @@ class SmackBasicTest(OERuntimeTestCase):
            "Status and output: %d %s" %(status, output))
        status, output = self.target.run("chsmack %s" %filename)
        self.target.run("rm %s" %filename)
-        m = re.search('(?<=access=")\S+(?=")', output)
+        m = re.search('(access=")\S+(?=")', output)
        if m is None:
            self.fail("Did not find access attribute")
        else:
-            label_retrieved = m .group(0)
+            label_retrieved = re.split("access=\"", output)[1][:-1]
            self.assertEqual(
                LABEL, label_retrieved,
                "label not set correctly. expected and gotten: "
@@ -64,11 +63,11 @@ class SmackBasicTest(OERuntimeTestCase):
            "Status and output: %d %s" %(status, output))
        status, output = self.target.run("chsmack %s" %filename)
        self.target.run("rm %s" %filename)
-        m= re.search('(?<=execute=")\S+(?=")', output)
+        m= re.search('(execute=")\S+(?=")', output)
        if m is None:
            self.fail("Did not find execute attribute")
        else:
-            label_retrieved = m.group(0)
+            label_retrieved = re.split("execute=\"", output)[1][:-1]
            self.assertEqual(
                LABEL, label_retrieved,
                "label not set correctly. expected and gotten: " +
@@ -87,11 +86,11 @@ class SmackBasicTest(OERuntimeTestCase):
            "Status and output: %d %s" %(status, output))
        status, output = self.target.run("chsmack %s" %filename)
        self.target.run("rm %s" %filename)
-        m = re.search('(?<=mmap=")\S+(?=")', output)
+        m = re.search('(mmap=")\S+(?=")', output)
        if m is None:
            self.fail("Did not find mmap attribute")
        else:
-            label_retrieved = m.group(0)
+            label_retrieved = re.split("mmap=\"", output)[1][:-1]
            self.assertEqual(
                LABEL, label_retrieved,
                "label not set correctly. expected and gotten: " +
@@ -109,11 +108,11 @@ class SmackBasicTest(OERuntimeTestCase):
                        "Status and output: %d %s" %(status, output))
        status, output = self.target.run("chsmack %s" %directory)
        self.target.run("rmdir %s" %directory)
-        m = re.search('(?<=transmute=")\S+(?=")', output)
+        m = re.search('(transmute=")\S+(?=")', output)
        if m is None:
            self.fail("Did not find transmute attribute")
        else:
-            label_retrieved = m.group(0)
+            label_retrieved = re.split("transmute=\"", output)[1][:-1]
            self.assertEqual(
                "TRUE", label_retrieved,
                "label not set correctly. expected and gotten: " +
@@ -127,10 +126,10 @@ class SmackBasicTest(OERuntimeTestCase):
        '''
        labelf = "/proc/self/attr/current"
-        command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+        command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)
        status, output = self.target.run(
-            "notroot.py 0 %s %s" %(self.current_label, command))
+            "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))
        self.assertIn("PRIVILEGED", output,
                    "Privilege process did not change label.Output: %s" %output)
@@ -142,7 +141,7 @@ class SmackBasicTest(OERuntimeTestCase):
        command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
        status, output = self.target.run(
-            "notroot.py %d %s %s"
+            "/usr/sbin/notroot.py %d %s %s"
            %(self.uid, self.current_label, command) +
            " 2>&1 | grep 'Operation not permitted'" )
@@ -160,9 +159,9 @@ class SmackBasicTest(OERuntimeTestCase):
        filename = "/tmp/test_unprivileged_change_file_label"
        self.target.run("touch %s" % filename)
-        self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+        self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
        status, output = self.target.run(
-            "notroot.py " +
+            "/usr/sbin/notroot.py " +
            "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
            "| grep 'Operation not permitted'"  )
@@ -347,78 +346,6 @@ class SmackBasicTest(OERuntimeTestCase):
    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
-    def test_smack_mmap_enforced(self):
-        '''Test if smack mmap access is enforced'''
-        raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-        #      12345678901234567890123456789012345678901234567890123456
-        delr1="mmap_label              mmap_test_label1        -----"
-        delr2="mmap_label              mmap_test_label2        -----"
-        delr3="mmap_file_label         mmap_test_label1        -----"
-        delr4="mmap_file_label         mmap_test_label2        -----"
-        RuleA="mmap_label              mmap_test_label1        rw---"
-        RuleB="mmap_label              mmap_test_label2        r--at"
-        RuleC="mmap_file_label         mmap_test_label1        rw---"
-        RuleD="mmap_file_label         mmap_test_label2        rwxat"
-        mmap_label="mmap_label"
-        file_label="mmap_file_label"
-        test_file = "/usr/sbin/smack_test_mmap"
-        mmap_exe = "/tmp/mmap_test"
-        status, echo = self.target.run("which echo")
-        status, output = self.target.run(
-            "notroot.py %d %s %s 'test' > %s" \
-            %(self.uid, self.current_label, echo, test_file))
-        status, output = self.target.run("ls %s" %test_file)
-        self.assertEqual(status, 0, "Could not create mmap test file")
-        self.target.run("chsmack -m %s %s" %(file_label, test_file))
-        self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-        # test with no rules with mmap label or exec label as subject
-        # access should be granted
-        self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
-        self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
-        self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
-        self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
-        status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
-        self.assertEqual(
-            status, 0,
-            "Should have mmap access without rules. Output: %s" %output)
-        # add rules that do not match access required
-        self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
-        self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
-        status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
-        self.assertNotEqual(
-            status, 0,
-            "Should not have mmap access with unmatching rules. " +
-            "Output: %s" %output)
-        self.assertIn(
-            "Permission denied", output,
-            "Mmap access should be denied with unmatching rules")
-        # add rule to match only partially (one way)
-        self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
-        status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
-        self.assertNotEqual(
-            status, 0,
-            "Should not have mmap access with partial matching rules. " +
-            "Output: %s" %output)
-        self.assertIn(
-            "Permission denied", output,
-            "Mmap access should be denied with partial matching rules")
-        # add rule to match fully
-        self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
-        status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
-        self.assertEqual(
-            status, 0,
-            "Should have mmap access with full matching rules." +
-            "Output: %s" %output)
-    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
    def test_smack_transmute_dir(self):
        '''Test if smack transmute attribute works
author	Armin Kuster <akuster808@gmail.com>	2022-06-13 12:15:41 -0700
committer	Armin Kuster <akuster808@gmail.com>	2022-06-23 18:47:59 -0700
commit	102e47f14d182bc3d32ce6a2e344a30f8e13d86f (patch)
tree	8e163af17b74e5d71e9d016f15c60ef53a7bb8be /lib
parent	95f7abc7ef3af9cdace7c54dba9540963cec7bad (diff)
download	meta-security-102e47f14d182bc3d32ce6a2e344a30f8e13d86f.tar.gz