blob: 1d2b6b4ea5b8243023fe1bc988140c0cdd48a950 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
#!/bin/bash
. ../../../prepare.inc.sh
. ../../../toolbox.inc.sh
# ---- do the actual testing ----
if [ $have_grant = 0 ]
then
toolbox_skip_test $TEST "SKIPPING DUE TO LACK OF GRANT PERMIT"
exit 0
fi
result=PASS
echo "++++ BEGINNING TEST" >$OUTPUTFILE
# create a keyring and attach it to the session keyring
marker "ADD KEYRING"
create_keyring wibble @s
expect_keyid keyringid
# Create a keyring and remove most permissions from it; leaving just
# setsec for the owner.
marker "ADD KEYRING"
create_keyring lizard $keyringid
expect_keyid keyid
marker "REMOVE PERMITS"
grant_key_permit $keyid own S
grant_key_permit $keyid pos 0
grant_key_permit $keyid grp 0
grant_key_permit $keyid all 0
# Test the View permit
marker "TEST VIEW"
describe_key --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos v
describe_key --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos vs
describe_key $keyid
grant_key_permit $keyid pos 0
describe_key --fail $keyid
expect_error EACCES
# Test the Read permit
marker "TEST READ"
list_keyring --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos r
list_keyring --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos rs
list_keyring $keyid
grant_key_permit $keyid pos 0
list_keyring --fail $keyid
expect_error EACCES
# Test the Write permit
marker "TEST WRITE"
create_key --fail user lizard gizzard $keyid
expect_error EACCES
grant_key_permit $keyid pos ws
create_key user lizard gizzard $keyid
expect_keyid keyid2
grant_key_permit $keyid pos 0
unlink_key --fail $keyid $keyid2
expect_error EACCES
create_key --fail user lizard gizzard $keyid
expect_error EACCES
# Test the Search permit (we're allowed to read a key we can search out)
marker "TEST SEARCH"
search_for_key --fail $keyid user lizard
expect_error EACCES
grant_key_permit $keyid pos s
search_for_key $keyid user lizard
grant_key_permit $keyid pos 0
search_for_key --fail $keyid user lizard
expect_error EACCES
marker "TEST SEARCH 2"
search_for_key --fail @s user lizard
expect_error ENOKEY
grant_key_permit $keyid pos s
search_for_key @s user lizard
grant_key_permit $keyid pos 0
search_for_key --fail @s user lizard
expect_error ENOKEY
# Test the Link permit
marker "TEST LINK"
link_key --fail $keyid @s
expect_error EACCES
grant_key_permit $keyid pos l
link_key --fail $keyid @s
expect_error EACCES
grant_key_permit $keyid pos ls
link_key $keyid @s
grant_key_permit $keyid pos 0
link_key --fail $keyid @s
expect_error EACCES
unlink_key $keyid @s
# Test the Clear permit
marker "TEST CLEAR"
clear_keyring --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos c
clear_keyring --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos cs
clear_keyring $keyid
grant_key_permit $keyid pos 0
clear_keyring --fail $keyid
expect_error EACCES
# Test the Join permit. The possessor join permit is ineffective by
# design.
marker "TEST JOIN"
new_session lizard /bin/true
expect_joined_session ses
if [ $ses = $keyid ]; then failed; fi
pause_till_key_destroyed $ses
grant_key_permit $keyid pos j
new_session lizard /bin/true
expect_joined_session ses
if [ $ses = $keyid ]; then failed; fi
grant_key_permit $keyid pos 0
new_session lizard /bin/true
expect_joined_session ses
if [ $ses = $keyid ]; then failed; fi
# Test the Invalidate permit
marker "TEST INVAL"
invalidate_key --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos I
invalidate_key --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos Is
invalidate_key $keyid
grant_key_permit --fail $keyid pos 0
expect_error ENOKEY
invalidate_key --fail $keyid
expect_error ENOKEY
# Create a keyring and remove most permissions from it; leaving just
# setsec for the owner.
marker "ADD KEYRING 2"
create_keyring lizard $keyringid
expect_keyid keyid
marker "REMOVE PERMITS 2"
grant_key_permit $keyid own S
grant_key_permit $keyid pos 0
grant_key_permit $keyid grp 0
grant_key_permit $keyid all 0
# Test the Revoke permit
marker "TEST REVOKE"
revoke_key --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos R
revoke_key --fail $keyid
expect_error EACCES
grant_key_permit $keyid pos Rs
revoke_key $keyid
grant_key_permit --fail $keyid pos 0
expect_error EKEYREVOKED
revoke_key --fail $keyid
expect_error EKEYREVOKED
# Create a keyring and remove most permissions from it; leaving just
# setsec for the owner.
marker "ADD KEYRING 3"
create_keyring lizard $keyringid
expect_keyid keyid
marker "REMOVE PERMITS 3"
grant_key_permit $keyid pos Ssv
grant_key_permit $keyid own 0
grant_key_permit $keyid grp 0
grant_key_permit $keyid all 0
# Test the Set Security permit
marker "TEST SET SECURITY"
describe_key $keyid
grant_key_permit $keyid pos sv
describe_key $keyid
grant_key_permit --fail $keyid pos Ssv
expect_error EACCES
# remove the keyring we added
marker "UNLINK KEYRING"
unlink_key $keyringid @s
echo "++++ FINISHED TEST: $result" >>$OUTPUTFILE
# --- then report the results in the database ---
toolbox_report_result $TEST $result
|
