Implement execute_label_check test. 54/203754/1
authorjin-gyu.kim <jin-gyu.kim@samsung.com>
Wed, 17 Apr 2019 10:58:42 +0000 (19:58 +0900)
committerjin-gyu.kim <jin-gyu.kim@samsung.com>
Wed, 17 Apr 2019 10:58:42 +0000 (19:58 +0900)
Change-Id: Ib8d4dc939e7ef4d2acf33b711a1eb83dcbbacf7b

packaging/security-config.spec
test/CMakeLists.txt
test/execute_label_check_test/CMakeLists.txt [new file with mode: 0755]
test/execute_label_check_test/execute_label_check_test.sh [new file with mode: 0644]

index a9bf30feaa0146bb11ae5aebcb32357b89a973bc..c4e7f4a5e8b026be612075294aff18eb00eb766a 100755 (executable)
@@ -74,6 +74,7 @@ mkdir -p /opt/share/security-config/result
 mkdir -p /opt/share/security-config/log
 touch /opt/share/askuser_disable
 chmod 600 /opt/share/askuser_disable
+rm -r /opt/share/security-config/test
 ln -s %{SECURITY_TEST_DIR} /opt/share/security-config/test
 touch /opt/share/security-config/dummy_file
 chmod 600 /opt/share/security-config/dummy_file
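Review bot: The added `rm -r /opt/share/security-config/test` has no `-f`, so when the path does not exist yet (presumably the first-install case) it prints an error and returns non-zero before the `ln -s` runs. `rm -rf /opt/share/security-config/test` covers both the fresh and the upgrade case. Because the removal is recursive and this scriptlet presumably runs as root, a one-line comment such as `# drop the stale link/dir from a previous install so ln -s can recreate it` would make clear that deleting a real directory at that path is intended. The scriptlet section starts and ends outside this hunk.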
@@ -132,6 +133,7 @@ rm %{SECURITY_TEST_DIR}/new_service_test/*
 %attr(755,root,root) %{SECURITY_TEST_DIR}/security_mount_option_test/*
 %attr(755,root,root) %{SECURITY_TEST_DIR}/relro_stack_canary_test/*
 %attr(755,root,root) %{SECURITY_TEST_DIR}/setuid_test/*
+%attr(755,root,root) %{SECURITY_TEST_DIR}/execute_label_check_test/*
 %attr(755,root,root) /usr/share/upgrade/scripts/201.security_upgrade.sh
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/90_user-content-permissions.post
 %attr(755,root,root) %{_sysconfdir}/gumd/useradd.d/91_user-dbspace-permissions.post
index f8461af39b36b9406e26e5a25bb4440fa49863f8..469c53342b38416804ed99a4b144378a71a23cc4 100755 (executable)
@@ -15,3 +15,4 @@ ADD_SUBDIRECTORY(setuid_test)
 ADD_SUBDIRECTORY(smack_basic_test)
 ADD_SUBDIRECTORY(new_service_test)
 ADD_SUBDIRECTORY(relro_stack_canary_test)
+ADD_SUBDIRECTORY(execute_label_check_test)
diff --git a/test/execute_label_check_test/CMakeLists.txt b/test/execute_label_check_test/CMakeLists.txt
new file mode 100755 (executable)
index 0000000..0187462
--- /dev/null
@@ -0,0 +1,9 @@
+CMAKE_MINIMUM_REQUIRED(VERSION 2.6)
+
+FILE(GLOB SHELL_SCRIPT *.sh)
+INSTALL(FILES
+       ${SHELL_SCRIPT}
+       DESTINATION
+       /usr/share/security-config/test/execute_label_check_test
+)
+
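Review bot: `INSTALL(FILES ...)` installs the script without execute permission, and the source file is added with mode 0644, so the test only becomes runnable through the `%attr(755,root,root)` line in the spec file. `INSTALL(PROGRAMS ${SHELL_SCRIPT} DESTINATION ...)` would set the mode in the build file itself. `FILE(GLOB SHELL_SCRIPT *.sh)` also picks up every `.sh` file that happens to be in the directory, and each one ends up root-owned and executable in the package. Listing `execute_label_check_test.sh` by name keeps the installed set reviewable.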
diff --git a/test/execute_label_check_test/execute_label_check_test.sh b/test/execute_label_check_test/execute_label_check_test.sh
new file mode 100644 (file)
index 0000000..781b900
--- /dev/null
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+test_dir=("/usr" "/etc" "/opt")
+result_file="/opt/share/security-config/result/execute_label_check.result"
+log_file="/opt/share/security-config/log/execute_label_check.log"
+
+# args : $1 = target dir path. Searching recursively inside of it.
+function run_chsmack
+{
+       chsmack -r $1 2>/dev/null | grep 'access="_"' | grep 'execute=' | while read LINE
+       do
+               execute_label=$(echo $LINE | cut -d '"' -f4)
+               if [ "$execute_label" != "_" ]
+               then
+                       echo $LINE >> $log_file
+               fi
+       done
+}
+
+# clear log and result files
+if [ -e "$log_file" ]
+then
+       rm $log_file
+fi
+if [ -e "$result_file" ]
+then
+       rm $result_file
+fi
+
+echo "This test is to find executables which have arbitrarily defined execute label with the default access label."
+# MAIN
+for DIR in ${test_dir[@]}
+do
+       run_chsmack $DIR
+done
+
+if [ ! -e $log_file ]
+then
+       echo "YES" > $result_file
+else
+       echo "Some executables have a arbitrarily defined execute label. Please check |$log_file|."
+       echo "NO" > $result_file
+fi
+
+echo "SMACK execute label check FINISHED!"
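Review bot: The check fails open, because `run_chsmack` discards stderr with `2>/dev/null` and the final block writes "YES" whenever `$log_file` does not exist. A missing `chsmack` binary, or a run that produces no output, is therefore reported as a pass. A guard before the loop, such as `command -v chsmack >/dev/null || { echo "NO" > "$result_file"; exit 1; }`, would make the result reflect that the scan actually ran. The expansions in `run_chsmack` are also unquoted, and `read` lacks `-r`, so paths containing spaces or backslashes are split or altered before they reach the log. `chsmack -r "$1"`, `while read -r LINE` and `echo "$LINE" >> "$log_file"` avoid that. A comment above the `cut -d '"' -f4` line stating the output layout it relies on (access value in field 2, execute value in field 4) would help the next reader.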