1#! /usr/bin/ksh
2#
3#
4# This file and its contents are supplied under the terms of the
5# Common Development and Distribution License ("CDDL"), version 1.0.
6# You may only use this file in accordance with the terms of version
7# 1.0 of the CDDL.
8#
9# A full copy of the text of the CDDL should have accompanied this
10# source.  A copy of the CDDL is also available via the Internet at
11# http://www.illumos.org/license/CDDL.
12#
13
14# Copyright 2015, Richard Lowe.
15
16# Verify that zones can be configured with security-flags
17LC_ALL=C                        # Collation is important
18
19expect_success() {
20    name=$1
21
22    (echo "create -b";
23     echo "set zonepath=/$name.$$";
24     cat /dev/stdin;
25     echo "verify";
26     echo "commit";
27     echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1
28
29    r=$?
30
31    zonecfg -z $name.$$ delete -F
32
33    if (($r != 0)); then
34        printf "%s: FAIL\n" $name
35        cat out.$$
36        rm out.$$
37        return 1
38    else
39        rm out.$$
40        printf  "%s: PASS\n" $name
41        return 0
42    fi
43}
44
45expect_fail() {
46    name=$1
47    expect=$2
48
49    (echo "create -b";
50     echo "set zonepath=/$name.$$";
51     cat /dev/stdin;
52     echo "verify";
53     echo "commit";
54     echo "exit") | zonecfg -z $name.$$ > out.$$ 2>&1
55
56    r=$?
57
58    # Ideally will fail, since we don't want the create to have succeeded.
59    zonecfg -z $name.$$ delete -F >/dev/null 2>&1
60
61
62    if (($r == 0)); then
63        printf "%s: FAIL (succeeded)\n" $name
64        rm out.$$
65        return 1
66    else
67        grep -q "$expect" out.$$
68        if (( $? != 0 )); then
69            printf "%s: FAIL (error didn't match)\n" $name
70            echo "Wanted:"
71            echo "  $expect"
72            echo "Got:"
73            sed -e 's/^/  /' out.$$
74            rm out.$$
75            return 1;
76        else
77            rm out.$$
78            printf  "%s: PASS\n" $name
79            return 0
80        fi
81    fi
82}
83
84ret=0
85
86expect_success valid-no-config <<EOF
87EOF
88(( $? != 0 )) && ret=1
89
90expect_success valid-full-config <<EOF
91add security-flags
92set lower=none
93set default=aslr
94set upper=all
95end
96EOF
97(( $? != 0 )) && ret=1
98
99expect_success valid-partial-config <<EOF
100add security-flags
101set default=aslr
102end
103EOF
104(( $? != 0 )) && ret=1
105
106expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF
107add security-flags
108set lower=aslr
109set default=none
110set upper=all
111end
112EOF
113(( $? != 0 )) && ret=1
114
115expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF
116add security-flags
117set lower=aslr
118set default=none
119end
120EOF
121(( $? != 0 )) && ret=1
122
123expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
124add security-flags
125set lower=none
126set default=all
127set upper=none
128end
129EOF
130(( $? != 0 )) && ret=1
131
132expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF
133add security-flags
134set default=all
135set upper=none
136end
137EOF
138(( $? != 0 )) && ret=1
139
140expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
141add security-flags
142set lower=none
143set default=all
144set upper=none
145end
146EOF
147(( $? != 0 )) && ret=1
148
149expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF
150add security-flags
151set lower=all
152set upper=none
153end
154EOF
155(( $? != 0 )) && ret=1
156
157expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF
158add security-flags
159set default=fail
160end
161EOF
162(( $? != 0 )) && ret=1
163
164expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF
165add security-flags
166set lower=fail
167end
168EOF
169(( $? != 0 )) && ret=1
170
171expect_fail invalid-parse-fail-def "upper security flags 'fail' are invalid" <<EOF
172add security-flags
173set upper=fail
174end
175EOF
176(( $? != 0 )) && ret=1
177
178exit $ret
179