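#! /usr/bin/ksh
#
#
# This file and its contents are supplied under the terms of the
# Common Development and Distribution License ("CDDL"), version 1.0.
# You may only use this file in accordance with the terms of version
# 1.0 of the CDDL.
#
# A full copy of the text of the CDDL should have accompanied this
# source. A copy of the CDDL is also available via the Internet at
# http://www.illumos.org/license/CDDL.
#

# Copyright 2015, Richard Lowe.

# Verify that zones can be configured with security-flags
#
# Each case feeds a security-flags resource to zonecfg for a throwaway zone
# named "<case>.<pid>" and checks either that verify/commit succeeds, or that
# it fails with the expected diagnostic.  The failure cases exercise the
# ordering constraints between the lower, default and upper flag sets, and
# the rejection of flag names that do not parse.

# The failure cases grep zonecfg's output for fixed message text, so the
# locale must reach the child processes.  A plain assignment only reaches
# them if LC_ALL was already in the environment; export it explicitly.
export LC_ALL=C			# Collation is important

#
# Create a private file to capture zonecfg output and print its path.
# mktemp is used instead of a fixed "out.<pid>" name in the current
# directory so that the name is not predictable and the file is created
# exclusively, wherever the test happens to be run from.
#
new_outfile() {
	mktemp "${TMPDIR:-/tmp}/secflags_zonecfg.XXXXXX"
}

#
# configure_zone name outfile
#
# Build the zone "name.<pid>" from a fixed prologue (create, zonepath), the
# resource commands read from stdin, and a fixed epilogue (verify, commit,
# exit).  All zonecfg output goes to outfile.  The return status is that of
# zonecfg, the last command in the pipeline.
#
configure_zone() {
	cz_zone="$1.$$"
	cz_out=$2

	(echo "create -b";
	echo "set zonepath=/$cz_zone";
	cat /dev/stdin;
	echo "verify";
	echo "commit";
	echo "exit") | zonecfg -z "$cz_zone" > "$cz_out" 2>&1
}

#
# expect_success name
#
# The configuration on stdin must be accepted.  Prints "name: PASS" and
# returns 0 if zonecfg succeeded; otherwise prints "name: FAIL" followed by
# the captured zonecfg output and returns 1.
#
expect_success() {
	name=$1

	out=$(new_outfile)
	if (( $? != 0 )); then
		printf "%s: FAIL (could not create output file)\n" "$name"
		return 1
	fi

	configure_zone "$name" "$out"
	r=$?

	# Remove the zone again so that repeated runs start clean.
	zonecfg -z "$name.$$" delete -F

	if (( r != 0 )); then
		printf "%s: FAIL\n" "$name"
		cat "$out"
		rm -f "$out"
		return 1
	fi

	rm -f "$out"
	printf "%s: PASS\n" "$name"
	return 0
}

#
# expect_fail name expect
#
# The configuration on stdin must be rejected, and the captured zonecfg
# output must match "expect" (handed to grep as a pattern).  Returns 0 on
# PASS and 1 on FAIL, printing the wanted and actual text when the error
# does not match.
#
expect_fail() {
	name=$1
	expect=$2

	out=$(new_outfile)
	if (( $? != 0 )); then
		printf "%s: FAIL (could not create output file)\n" "$name"
		return 1
	fi

	configure_zone "$name" "$out"
	r=$?

	# Ideally will fail, since we don't want the create to have succeeded.
	zonecfg -z "$name.$$" delete -F >/dev/null 2>&1

	if (( r == 0 )); then
		printf "%s: FAIL (succeeded)\n" "$name"
		rm -f "$out"
		return 1
	fi

	if ! grep -q "$expect" "$out"; then
		printf "%s: FAIL (error didn't match)\n" "$name"
		echo "Wanted:"
		echo "  $expect"
		echo "Got:"
		sed -e 's/^/  /' "$out"
		rm -f "$out"
		return 1
	fi

	rm -f "$out"
	printf "%s: PASS\n" "$name"
	return 0
}

ret=0

# Configurations that must be accepted.

expect_success valid-no-config <<EOF
EOF
(( $? != 0 )) && ret=1

expect_success valid-full-config <<EOF
add security-flags
set lower=none
set default=aslr
set upper=all
end
EOF
(( $? != 0 )) && ret=1

expect_success valid-partial-config <<EOF
add security-flags
set default=aslr
end
EOF
(( $? != 0 )) && ret=1

# The default set must not fall below the lower limit.

expect_fail invalid-full-lower-gt-def "default secflags must be above the lower limit" <<EOF
add security-flags
set lower=aslr
set default=none
set upper=all
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-partial-lower-gt-def "default secflags must be above the lower limit" <<EOF
add security-flags
set lower=aslr
set default=none
end
EOF
(( $? != 0 )) && ret=1

# The default set must not exceed the upper limit.

expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
add security-flags
set lower=none
set default=all
set upper=none
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-partial-def-gt-upper "default secflags must be within the upper limit" <<EOF
add security-flags
set default=all
set upper=none
end
EOF
(( $? != 0 )) && ret=1

# NOTE(review): this case repeats invalid-full-def-gt-upper exactly (same
# name, input and expected message).  It may have been meant as a "full"
# lower-exceeds-upper case to pair with the partial one below -- confirm
# before changing it.
expect_fail invalid-full-def-gt-upper "default secflags must be within the upper limit" <<EOF
add security-flags
set lower=none
set default=all
set upper=none
end
EOF
(( $? != 0 )) && ret=1

# The lower limit must not exceed the upper limit.

expect_fail invalid-partial-lower-gt-upper "lower secflags must be within the upper limit" <<EOF
add security-flags
set lower=all
set upper=none
end
EOF
(( $? != 0 )) && ret=1

# Flag names that do not parse must be rejected for every set.

expect_fail invalid-parse-fail-def "default security flags 'fail' are invalid" <<EOF
add security-flags
set default=fail
end
EOF
(( $? != 0 )) && ret=1

expect_fail invalid-parse-fail-lower "lower security flags 'fail' are invalid" <<EOF
add security-flags
set lower=fail
end
EOF
(( $? != 0 )) && ret=1

# This case was labelled invalid-parse-fail-def, the same as the default-set
# case above, so a failure line could not be attributed to one of the two.
expect_fail invalid-parse-fail-upper "upper security flags 'fail' are invalid" <<EOF
add security-flags
set upper=fail
end
EOF
(( $? != 0 )) && ret=1

exit $ret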