FILE(GLOB SHELL_SCRIPT *.sh)
INSTALL(FILES
${SHELL_SCRIPT}
- smacklabel_exception.list
- smackrule_exception.list
- smackrule_exception_saved.list
DESTINATION
/usr/share/security-config/test/smack_rule_test
)
+++ /dev/null
-#!/bin/bash
-
-PATH=/bin:/usr/bin:/sbin:/usr/sbin
-result_dir="/opt/share/security-config/result"
-log_dir="/opt/share/security-config/log"
-result_file=$result_dir"/checksmacklabel.result"
-log_file=$log_dir"/checksmacklabel.log"
-exception_file="/usr/share/security-config/test/smack_rule_test/smacklabel_exception.list"
-
-function CHECK_EXCEPTION
-{
- while read exception_line
- do
- filtered_label=$(echo $label | grep $exception_line)
- if [ -n "$filtered_label" ]
- then
- return 1
- fi
- done < <(cat $exception_file )
- return 0
-}
-
-function CHECK_RULE_ACCESS
-{
- access_label=$(echo "${label:8}" | rev | cut -c 2- | rev)
- if [ "$access_label" != '_' ] && [ "$access_label" != '*' ] && [ "$access_label" != '^' ] &&
- [ "$access_label" != 'System' ] && [ "$access_label" != 'System::Run' ] && [ "$access_label" != 'System::Log' ] &&
- [ "$access_label" != 'System::Shared' ] && [ "$access_label" != 'User' ] && [ "$access_label" != 'User::Home' ] &&
- [ "$access_label" != 'User::App::Shared' ] && [ "$access_label" != 'System::Privileged' ] &&
- [ "$access_label" != 'User::Shell' ] && [ "${access_label:0:11}" != 'User::Pkg::' ] && [ "${access_label:0:14}" != 'User::Author::' ]
- then
- CHECK_EXCEPTION
- if [ "$?" == 0 ]
- then
- echo "ACCESS label,$line2" >> $log_file
- fi
- fi
-}
-
-function CHECK_RULE_EXECUTE
-{
- execute_label=$(echo "${label:9}" | rev | cut -c 2- | rev)
- if [ "$execute_label" != '_' ] && [ "$execute_label" != '^' ] && [ "$execute_label" != 'System' ] && [ "$execute_label" != 'User' ] &&
- [ "$execute_label" != 'System::Privileged' ] && [ "$execute_label" != 'User::Shell' ] && [ "${execute_label:0:9}" != 'User::Pkg' ]
- then
- CHECK_EXCEPTION
- if [ "$?" == 0 ]
- then
- echo "EXECUTE label,$line2" >> $log_file
- fi
- fi
-}
-
-function LABEL_CHECK
-{
- chsmack $1/* | while read line2
- do
- label=$(echo $line2 | rev | cut -f1 -d " " | rev)
- cutted_label=${label:0:3}
- if [ "$cutted_label" == 'acc' ]
- then
- CHECK_RULE_ACCESS
- elif [ "$cutted_label" == 'exe' ]
- then
- CHECK_RULE_EXECUTE
- label=$(echo $line2 | rev | cut -f2 -d " " | rev)
- CHECK_RULE_ACCESS
- elif [ "$cutted_label" == 'tra' ]
- then
- label=$(echo $line2 | rev | cut -f2 -d " " | rev)
- cutted_label=${label:0:3}
- if [ "$cutted_label" == 'acc' ]
- then
- CHECK_RULE_ACCESS
- elif [ "$cutted_label" == 'exe' ]
- then
- CHECK_RULE_EXECUTE
- label=$(echo $line2 | rev | cut -f3 -d " " | rev)
- CHECK_RULE_ACCESS
- fi
- fi
- done
- chsmack $1/.* | while read line2
- do
- label=$(echo $line2 | rev | cut -f1 -d " " | rev)
- cutted_label=${label:0:3}
- if [ "$cutted_label" == 'acc' ]
- then
- CHECK_RULE_ACCESS
- elif [ "$cutted_label" == 'exe' ]
- then
- CHECK_RULE_EXECUTE
- label=$(echo $line2 | rev | cut -f2 -d " " | rev)
- CHECK_RULE_ACCESS
- elif [ "$cutted_label" == 'tra' ]
- then
- label=$(echo $line2 | rev | cut -f2 -d " " | rev)
- cutted_label=${label:0:3}
- if [ "$cutted_label" == 'acc' ]
- then
- CHECK_RULE_ACCESS
- elif [ "$cutted_label" == 'exe' ]
- then
- CHECK_RULE_EXECUTE
- label=$(echo $line2 | rev | cut -f3 -d " " | rev)
- CHECK_RULE_ACCESS
- fi
- fi
- done
-}
-
-function SMACK_LABEL_CHECK
-{
- find / -type d 2>/dev/null | while read line # Remove error print
- do
- LABEL_CHECK $line
- done
-}
-
-if [ -e $result_file ]
-then
- rm $result_file
-fi
-if [ -e $log_file ]
-then
- rm $log_file
-fi
-
-echo "SMACK LABEL CHECK STARTED!"
-
-SMACK_LABEL_CHECK
-
-if [ ! -e $log_file ]
-then
- echo "YES" >> $result_file
-else
- echo "NO" >> $result_file
-fi
-
-echo "SMACK LABEL CHECK FINISHED!"
--- /dev/null
+#!/bin/bash
+
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+log_file="/opt/share/security-config/log/checksmacklabel.log"
+
+# System::NoUse is added intentionally by security team.
+access_label_array=("$(cat /sys/fs/smackfs/load2 | cut -d " " -f2 | sort | uniq)" '^' '*' '@' 'System::NoUse')
+# In some cases, process runs with the label defined only in access rule. This is to change SMACK label of created files.
+execute_label_array=("$(cat /sys/fs/smackfs/load2 | cut -d " " --fields=1,2 | xargs printf '%s\n' | sort | uniq)" '^' '*' '@')
+
+function check_label
+{
+ access_label="$(echo $1 | grep -o 'access=[^\\ ]*' | cut -d "=" -f2 | sed 's/\"//g')"
+ if [ "$(echo "${access_label_array[@]}" | fgrep --word-regexp "$access_label")" == "" ]
+ then
+ echo "access_label_error" $1 >> $log_file
+ fi
+
+ execute_label="$(echo $1 | grep -o 'execute=[^\\ ]*' | cut -d "=" -f2 | sed 's/\"//g')"
+ if [ "$execute_label" != "" ] && [ "$(echo "${execute_label_array[@]}" | fgrep --word-regexp "$execute_label")" == "" ]
+ then
+ echo "execute_label_error" $1 >> $log_file
+ fi
+}
+
+# $1 : File path which has chsmack results.
+while read line
+do
+ check_label "$line"
+done < $1
+
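Review bot: The allow-list checks on lines 165 and 171 use `fgrep --word-regexp`, which accepts any label that occurs as a whole word inside some permitted label rather than an exact entry: because `:` is not a word character, a file labelled `User` passes whenever `User::Home` is in load2, and an empty `$access_label` (nothing parsed after `access=`) matches every line and is accepted silently. Since the array's first element holds the whole multi-line load2 output as one string, print the elements one per line and compare whole lines: `if ! printf '%s\n' "${access_label_array[@]}" | grep -Fxq -- "$access_label"; then` for access, and the same with `execute_label_array`/`$execute_label` on line 171 (keeping its non-empty guard). Separately, `echo $1` on lines 164, 167, 170 and 173 and `< $1` on line 181 are unquoted, so a path containing spaces or glob characters is split or expanded before grep sees it; write `echo "$1"` and `< "$1"`.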
--- /dev/null
+#!/bin/bash
+
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+result_file="/opt/share/security-config/result/checksmacklabel.result"
+log_file="/opt/share/security-config/log/checksmacklabel.log"
+check_script="/opt/share/security-config/test/smack_rule_test/checksmacklabel_check.sh"
+tmp_file_name="/tmp/chsmack_result"
+process_number=40
+
+# Create lists using chsmack (/usr /opt /etc)
+# It seems to create tmpfile instead of direct use to avoid an unexpected syntax error
+chsmack -r /usr /opt /etc 2>/dev/null > $tmp_file_name
+
+# Calculate test loop count per one process
+line_num=$(wc -l $tmp_file_name | cut -d " " -f1)
+loop_cnt=`expr $line_num / $process_number`
+
+# Init log and result files
+if [ -e $result_file ]
+then
+ rm $result_file
+fi
+if [ -e $log_file ]
+then
+ rm $log_file
+fi
+
+# Run processes
+echo "SMACK LABEL CHECK STARTED!"
+index=0
+PIDS=()
+while [ 1 ]
+do
+ start=`expr $loop_cnt \* $index`
+ index=$(($index+1))
+ end=`expr $loop_cnt \* $index`
+ awk -v var1=$start -v var2=$end 'NR>=var1 && NR<var2' "$tmp_file_name" > "$tmp_file_name$index"
+ $check_script "$tmp_file_name$index" &
+ PID=$!
+ PIDS+=("$PID")
+ if [ $end -gt $line_num ]
+ then
+ break
+ fi
+done
+
+# Check PID
+while [ 1 ]
+do
+ sleep 10
+ tmp_flag=true
+ for PID in "${PIDS[@]}"
+ do
+ kill -0 $PID 2> /dev/null # Check process is still running
+ if [ $? -eq 0 ]
+ then
+ tmp_flag=false
+ break
+ fi
+ done
+ if [ "$tmp_flag" = true ] # Check all process is finished.
+ then
+ break
+ fi
+done
+
+# clean up temporary files
+rm -f "$tmp_file_name"*
+
+# check result
+if [ ! -e $log_file ]
+then
+ echo "TEST PASS"
+ echo "YES" >> $result_file
+else
+ echo "TEST FAIL : check log file in " $log_file
+ echo "NO" >> $result_file
+fi
+
+echo "SMACK LABEL CHECK FINISHED!"
+
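Review bot: `tmp_file_name="/tmp/chsmack_result"` on line 190 is a fixed, predictable name in a world-writable directory, and the script, which needs privilege to run `chsmack -r` over /usr, /opt and /etc, truncates it with `>` on line 195 and then writes the `$tmp_file_name$index` chunk files beside it; a symlink or another user's file already present at that name redirects the privileged write or lets the chunk contents the checker reads be substituted, so the verdict cannot be trusted. Use a private directory instead: `tmp_dir=$(mktemp -d) || exit 1`, `trap 'rm -rf -- "$tmp_dir"' EXIT`, `tmp_file_name="$tmp_dir/chsmack_result"`, which also replaces the glob `rm -f "$tmp_file_name"*` on line 251. Independently, `loop_cnt` on line 199 is integer division, so when the chsmack output has fewer than 40 lines (including zero lines, which `2>/dev/null` hides if chsmack is absent) `end` stays 0, the `while [ 1 ]` loop on line 215 never reaches the break on line 224 and checker processes are forked without bound; guard with `loop_cnt=$(( line_num / process_number )); (( loop_cnt > 0 )) || loop_cnt=1` after confirming `line_num` is non-zero. The polling loop on lines 231–248 can be replaced by `wait "${PIDS[@]}"`, which returns as soon as all children exit instead of every 10 s.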
--- /dev/null
+#!/bin/bash
+
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+result_file="/opt/share/security-config/result/checksmackrule.result"
+log_file="/opt/share/security-config/log/checksmackrule.log"
+SMACK_RULE_PATH="/sys/fs/smackfs/load2"
+tmp_current_rule="/tmp/smack_rule_current"
+tmp_calculated_rule="/tmp/smack_rule_calculated"
+
+echo "SMACK Rule Test Started"
+
+# Init log and result files
+if [ -e $result_file ]
+then
+ rm $result_file
+fi
+if [ -e $log_file ]
+then
+ rm $log_file
+fi
+
+# Copy original SMACK rules
+cat /sys/fs/smackfs/load2 | sort > $tmp_current_rule
+
+# clear all rules
+smackctl clear
+
+# check all rules are cleared
+if [ "$(cat $SMACK_RULE_PATH)" != "" ]
+then
+ echo "RULE is not cleared. Unexpected problem."
+ exit 1
+fi
+
+# restore rules
+smackctl apply
+security-manager-rules-loader
+
+# Copy calculated SMACK rules
+cat /sys/fs/smackfs/load2 | sort > $tmp_calculated_rule
+
+# compare
+compare=$(comm -3 $tmp_current_rule $tmp_calculated_rule)
+
+if [ "$compare" != "" ]
+then
+ echo "TEST FAIL : Some not permitted rules are existed"
+ echo "$compare"
+ echo "$compare" > $log_file
+ /bin/echo "NO" >> $result_file
+else
+ echo "TEST PASS"
+ /bin/echo "YES" >> $result_file
+fi
+
+rm -f $tmp_current_rule $tmp_calculated_rule
+
+echo "SMACK Rule Test Finished"
+
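Review bot: The restore step on lines 301–302 (`smackctl apply`, `security-manager-rules-loader`) is not status-checked, so if either fails after the `smackctl clear` on line 291 the script still runs the comparison and exits normally, leaving the device with an empty or partial rule set and only a generic TEST FAIL in the log. Check both and name the failure: `smackctl apply || { echo "restore failed: smackctl apply" >&2; echo "NO" >> $result_file; exit 1; }` and the same for the loader; the early `exit 1` on line 297 should write the same `NO` result line so a caller reading `$result_file` can tell a failed run from one that never happened. A header comment would also help: as written the test only detects a runtime rule set that differs from what the persisted rule files reload, so a rule that was written into those files passes unchanged — the per-rule policy check of the removed `RULE_CHECK` is not carried over, and if that is intended it should be stated. `cat /sys/fs/smackfs/load2 | sort` on lines 288 and 305 is better as `LC_ALL=C sort < "$SMACK_RULE_PATH"` (the variable is defined on line 271) so `comm` on line 308 sees a stable byte order.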
+++ /dev/null
-#!/bin/bash
-
-PATH=/bin:/usr/bin:/sbin:/usr/sbin
-result_dir="/opt/share/security-config/result"
-log_dir="/opt/share/security-config/log"
-SMACK_RULE_APPLY_PATH="/sys/fs/smackfs/load2"
-dbpath="/opt/dbspace/.security-manager.db"
-result_file=$result_dir"/checksmackrule_loaded.result"
-log_file=$log_dir"/checksmackrule_loaded.log"
-exception_file="/usr/share/security-config/test/smack_rule_test/smackrule_exception.list"
-
-function EXCEPTION_CHECK
-{
- while read exception_line
- do
- if [ "$1,$2,$3" == "$exception_line" ]
- then
- return 1
- fi
- done < <(/bin/cat $exception_file )
- return 0
-}
-
-function RULE_CHECK
-{
- #System ~PROCESS~ rwx
- #System ~PATH_RW~ rwxat
- #need to be modified later
- if [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwx" ] || [ "$3" == "rwxat" ] # should be checked
- then
- return 0
- fi
- #System::Privileged ~PROCESS~ rwx
- #System::Privileged ~PATH_RW~ rwxat
- #need to be modified later
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwx" ] || [ "$3" == "rwxat" ] # should be checked
- then
- return 0
- fi
- #~PROCESS~ System wx
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- #~PROCESS~ System::Privileged wx
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Privileged" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- #~PROCESS~ System::Shared rxl
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Shared" ]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- #~PROCESS~ System::Run rwxat
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Run" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #~PROCESS~ System::Log rwxa
- elif [[ "$1" == "User::Pkg:"* ]] && [ "$2" == "System::Log" ]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- #~PROCESS~ _ l
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "_" ]
- then
- if [ "$3" == "l" ]
- then
- return 0
- fi
- #User ~PROCESS~ rwx
- #need to be checked later
- elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwx" ] || [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #~PROCESS~ User wx
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- #~PROCESS~ User::Home rxl
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User::Home" ]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- #~PROCESS~ User::App::Shared rwxat
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #~PROCESS~ ~PATH_RO~ rxl
- elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "User::Pkg"*"::RO" ]]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- #~PROCESS~ ~PATH_SHARED_RO~ rwxat (self)
- elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "$1""::SharedRO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #~PROCESS~ ~PATH_SHARED_RO~ rx (other)
- elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "User::Pkg"*"::SharedRO" ]] && [[ "$2" != "$1""::SharedRO" ]]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- #~PROCESS~ ~PATH_TRUSTED~ rwxat
- elif [[ "$1" == *"::Pkg::"* ]] && [[ "$2" == *"::Author::"* ]]
- then
- authorID=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- pkgname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- authorID_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT author_id from user_app_pkg_view where pkg_name='$pkgname';")
- if [ "$authorID" == "$authorID_db" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- fi
- #User ~PATH_TRUSTED~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"::Author::"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #System ~PATH_TRUSTED~ rwxat
- elif [ "$1" == "System" ] && [[ "$2" == *"::Author::"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #System::Privileged ~PATH_TRUSTED~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Author::"* ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #System ~PATH_RO~ rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #System ~PATH_SHARED_RO~ rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #System::Privileged ~PATH_RW~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #System::Privileged ~PATH_RO~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #System::Privileged ~PATH_SHARED_RO~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #User ~PATH_RW~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #User ~PATH_RO~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- #User ~PATH_SHARED_RO~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # From here, default 3-Domain Rule Check
- # _ System rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # ^ System::Log rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # ^ System::Run rwxat
- elif [ "$1" == "^" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # _ System wx
- elif [ "$1" == "_" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # _ System::Run rwxat
- elif [ "$1" == "_" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System System::Log rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System System::Run rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System System::Shared rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System User rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "User" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System User::Home rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System _ rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "_" ]]
- then
-
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System ^ rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "^" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # User _ rxl
- elif [ "$1" == "User" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rwl" ]
- then
- return 0
- fi
- # User System wx
- elif [ "$1" == "User" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # User System::Run rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User System::Log rwxa
- elif [ "$1" == "User" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # User System::Shared rxl
- elif [ "$1" == "User" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- # User User::Home rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged System rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged System::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged System::Run rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged System::Log rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System::Privileged User::Home rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged User::App::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged _ rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # _ System::Privileged wx
- elif [ "$1" == "_" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # System System::Privileged rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # ^ System::Privileged rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System::Privileged ^ rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "^" ]]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # User System::Privileged wx
- elif [ "$1" == "User" ] && [ "$2" == "System::Privileged" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # System::Privileged User rwxa
- elif [ "$1" == "System::Privileged" ] && [ "$2" == "User" ]
- then
- if [ "$3" == "rwxa" ]
- then
- return 0
- fi
- # System::Privileged User::App::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User::Shell System wx
- elif [ "$1" == "User::Shell" ] && [ "$2" == "System" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # User::Shell,System::Shared,rxl
- elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Shared" ]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- # User::Shell,System::Run,rxl
- elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Run" ]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- # User::Shell,System::Log,w
- elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Log" ]
- then
- if [ "$3" == "w" ]
- then
- return 0
- fi
- # User::Shell,User,wx
- elif [ "$1" == "User::Shell" ] && [ "$2" == "User" ]
- then
- if [ "$3" == "wx" ]
- then
- return 0
- fi
- # User::Shell,User::Home,rxl
- elif [ "$1" == "User::Shell" ] && [ "$2" == "User::Home" ]
- then
- if [ "$3" == "rxl" ]
- then
- return 0
- fi
- # User::Shell,User::App::Shared,rwxat
- elif [ "$1" == "User::Shell" ] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User,User::Shell,rwxat
- elif [ "$1" == "User" ] && [ "$2" == "User::Shell" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # User,User::App::Shared,rwxat
- elif [ "$1" == "User" ] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System::Privileged,User::Shell,rwxat
- elif [ "$1" == "System::Privileged" ] && [ "$2" == "User::Shell" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System,User::Shell,rwxat
- elif [ "$1" == "System" ] && [ "$2" == "User::Shell" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # System,User::App::Shared,rwxat
- elif [ "$1" == "System" ] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat" ]
- then
- return 0
- fi
- # ~PROCESS ~PROCESS, same label, rwxat
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$1" == "$2" ]
- then
- pkgname=$(/bin/echo ${1##User::Pkg::})
- ishybrid=$(/usr/bin/sqlite3 $dbpath "select DISTINCT is_hybrid from user_app_pkg_view where pkg_name='$pkgname';")
- if [ "$3" == "rwxat" ] && [ "$ishybrid" == "0" ]
- then
- return 0
- fi
- fi
-
- EXCEPTION_CHECK $1 $2 $3
-
- if [ "$?" == 0 ]
- then
- /bin/echo "$1,$2,$3" >> $log_file
- fi
-}
-
-function RULE_CHECK_APPLY_PATH
-{
- /usr/bin/cat $SMACK_RULE_APPLY_PATH | while read line
- do
- subject=$(/bin/echo $line | /usr/bin/cut -f 1 -d " ")
- object=$(/bin/echo $line | /usr/bin/cut -f 2 -d " ")
- rule=$(/bin/echo $line | /usr/bin/cut -f 3 -d " ")
-
- RULE_CHECK $subject $object $rule
- done
-}
-
-if [ ! -d $log_dir ]; then
- /bin/mkdir $log_dir
-fi
-if [ ! -d $result_dir ]; then
- /bin/mkdir $result_dir
-fi
-
-if [ -e $result_file ]
-then
- /bin/rm $result_file
-fi
-if [ -e $log_file ]
-then
- /bin/rm $log_file
-fi
-
-/bin/echo "SMACK RULE CHECK STARTED!"
-
-RULE_CHECK_APPLY_PATH
-
-if [ ! -e $log_file ]
-then
- /bin/echo "YES" >> $result_file
-else
- /bin/echo "NO" >> $result_file
-fi
-
-/bin/echo "SMACK RULE CHECK FINISHED! "
+++ /dev/null
-#!/bin/bash
-
-PATH=/bin:/usr/bin:/sbin:/usr/sbin
-result_dir="/opt/share/security-config/result"
-log_dir="/opt/share/security-config/log"
-SMACK_RULE_APPLY_PATH1='/opt/var/security-manager/rules/*'
-SMACK_RULE_APPLY_PATH2='/etc/smack/accesses.d/*'
-dbpath='/opt/dbspace/.security-manager.db'
-result_file=$result_dir"/checksmackrule_saved.result"
-log_file=$log_dir"/checksmackrule_saved.log"
-exception_file="/usr/share/security-config/test/smack_rule_test/smackrule_exception_saved.list"
-
-function EXCEPTION_CHECK
-{
- while read exception_line
- do
- if [ "$1,$2,$3" == "$exception_line" ]
- then
- return 1
- fi
- done < <(/bin/cat $exception_file )
- return 0
-}
-
-function RULE_CHECK
-{
- #System ~PROCESS~ rwx
- #System ~PATH_RW~ rwxat
- #need to be checked
- if [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwx---" ] || [ "$3" == "rwxat-" ] # should be checked
- then
- return 0
- fi
- #System::Privileged ~PROCESS~ rwx
- #System::Privileged ~PATH_RW~ rwxat
- #need to be checked
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwx---" ] || [ "$3" == "rwxat-" ] # should be checked
- then
- return 0
- fi
- #~PROCESS~ System wx
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- #~PROCESS~ System::Privileged wx
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Privileged" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- #~PROCESS~ System::Shared rxl
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Shared" ]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- #~PROCESS~ System::Run rwxat
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "System::Run" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #~PROCESS~ System::Log rwxa
- elif [[ "$1" == "User::Pkg:"* ]] && [ "$2" == "System::Log" ]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- #~PROCESS~ _ l
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "_" ]
- then
- if [ "$3" == "-----l" ]
- then
- return 0
- fi
- #User ~PROCESS~ rwx
- #need to be checked later
- elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwx---" ] || [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #~PROCESS~ User wx
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- #~PROCESS~ User::Home rxl
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User::Home" ]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- #~PROCESS~ User::App::Shared rwxat
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #~PROCESS~ ~PATH_RO~ rxl
- elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "User::Pkg"*"::RO" ]]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- #~PROCESS~ ~PATH_SHARED_RO~ rwxat (self)
- elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "$1""::SharedRO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #~PROCESS~ ~PATH_SHARED_RO~ rx (other)
- elif [[ "$1" == "User::Pkg::"* ]] && [[ "$2" == "User::Pkg"*"::SharedRO" ]] && [[ "$2" != "$1""::SharedRO" ]]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- #~PROCESS~ ~PATH_TRUSTED~ rwxat
- elif [[ "$1" == *"::Pkg::"* ]] && [[ "$2" == *"::Author::"* ]]
- then
- authorID=$(/bin/echo $2 | /usr/bin/cut -f 5 -d ":")
- pkgname=$(/bin/echo $1 | /usr/bin/cut -f 5 -d ":")
- authorID_db=$(/usr/bin/sqlite3 $dbpath "select DISTINCT author_id from user_app_pkg_view where pkg_name='$pkgname';")
- if [ "$authorID" == "$authorID_db" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- fi
- #User ~PATH_TRUSTED~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == *"::Author::"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #System ~PATH_TRUSTED~ rwxat
- elif [ "$1" == "System" ] && [[ "$2" == *"::Author::"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #System::Privileged ~PATH_TRUSTED~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == *"::Author::"* ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #System ~PATH_RO~ rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #System ~PATH_SHARED_RO~ rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #System::Privileged ~PATH_RW~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #System::Privileged ~PATH_RO~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #System::Privileged ~PATH_SHARED_RO~ rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Pkg::"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #User ~PATH_RW~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"* ]] && [[ "$2" != "User::Pkg::"*"::SharedRO" ]] && [[ "$2" != "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #User ~PATH_RO~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg::"*"::RO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- #User ~PATH_SHARED_RO~ rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Pkg"*"::SharedRO" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # From here, default 3-Domain Rule Check
- # _ System rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # ^ System::Log rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # ^ System::Run rwxat
- elif [ "$1" == "^" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # _ System wx
- elif [ "$1" == "_" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # _ System::Run rwxat
- elif [ "$1" == "_" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System System::Log rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System System::Run rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System System::Shared rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System User rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "User" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System User::Home rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System _ rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "_" ]]
- then
-
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System ^ rwxa
- elif [ "$1" == "System" ] && [[ "$2" == "^" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # User _ rxl
- elif [ "$1" == "User" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rw---l" ]
- then
- return 0
- fi
- # User System wx
- elif [ "$1" == "User" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # User System::Run rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User System::Log rwxa
- elif [ "$1" == "User" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # User System::Shared rxl
- elif [ "$1" == "User" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- # User User::Home rwxat
- elif [ "$1" == "User" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged System rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged System::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged System::Run rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Run" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged System::Log rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "System::Log" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System::Privileged User::Home rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::Home" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged User::App::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "User::App::Shared" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged _ rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "_" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # _ System::Privileged wx
- elif [ "$1" == "_" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # System System::Privileged rwxat
- elif [ "$1" == "System" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # ^ System::Privileged rwxa
- elif [ "$1" == "^" ] && [[ "$2" == "System::Privileged" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System::Privileged ^ rwxa
- elif [ "$1" == "System::Privileged" ] && [[ "$2" == "^" ]]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # User System::Privileged wx
- elif [ "$1" == "User" ] && [ "$2" == "System::Privileged" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # System::Privileged User rwxa
- elif [ "$1" == "System::Privileged" ] && [ "$2" == "User" ]
- then
- if [ "$3" == "rwxa--" ]
- then
- return 0
- fi
- # System::Privileged User::App::Shared rwxat
- elif [ "$1" == "System::Privileged" ] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User::Shell System wx
- elif [ "$1" == "User::Shell" ] && [ "$2" == "System" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # User::Shell,System::Shared,rxl
- elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Shared" ]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- # User::Shell,System::Run,rxl
- elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Run" ]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- # User::Shell,System::Log,w
- elif [ "$1" == "User::Shell" ] && [ "$2" == "System::Log" ]
- then
- if [ "$3" == "-w----" ]
- then
- return 0
- fi
- # User::Shell,User,wx
- elif [ "$1" == "User::Shell" ] && [ "$2" == "User" ]
- then
- if [ "$3" == "-wx---" ]
- then
- return 0
- fi
- # User::Shell,User::Home,rxl
- elif [ "$1" == "User::Shell" ] && [ "$2" == "User::Home" ]
- then
- if [ "$3" == "r-x--l" ]
- then
- return 0
- fi
- # User::Shell,User::App::Shared,rwxat
- elif [ "$1" == "User::Shell" ] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User,User::Shell,rwxat
- elif [ "$1" == "User" ] && [ "$2" == "User::Shell" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # User,User::App::Shared,rwxat
- elif [ "$1" == "User" ] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System::Privileged,User::Shell,rwxat
- elif [ "$1" == "System::Privileged" ] && [ "$2" == "User::Shell" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System,User::Shell,rwxat
- elif [ "$1" == "System" ] && [ "$2" == "User::Shell" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # System,User::App::Shared,rwxat
- elif [ "$1" == "System" ] && [ "$2" == "User::App::Shared" ]
- then
- if [ "$3" == "rwxat-" ]
- then
- return 0
- fi
- # ~PROCESS ~PROCESS, same label, rwxat
- elif [[ "$1" == "User::Pkg::"* ]] && [ "$1" == "$2" ]
- then
- pkgname=$(/bin/echo ${1##User::Pkg::})
- ishybrid=$(/usr/bin/sqlite3 $dbpath "select DISTINCT is_hybrid from user_app_pkg_view where pkg_name='$pkgname';")
- if [ "$3" == "rwxat-" ] && [ "$ishybrid" == "0" ]
- then
- return 0
- fi
- fi
-
- EXCEPTION_CHECK $1 $2 $3
-
- if [ "$?" == 0 ]
- then
- /bin/echo "$1,$2,$3" >> $log_file
- fi
-}
-
-function RULE_CHECK_APPLY_PATH
-{
- cat $SMACK_RULE_APPLY_PATH1 $SMACK_RULE_APPLY_PATH2 | while read line
- do
- subject=$(/bin/echo $line | /usr/bin/cut -f 1 -d " ")
- object=$(/bin/echo $line | /usr/bin/cut -f 2 -d " ")
- rule=$(/bin/echo $line | /usr/bin/cut -f 3 -d " ")
-
- RULE_CHECK $subject $object $rule
- done
-}
-
-if [ ! -d $log_dir ]; then
- /bin/mkdir $log_dir
-fi
-if [ ! -d $result_dir ]; then
- /bin/mkdir $result_dir
-fi
-
-if [ -e $result_file ]
-then
- /bin/rm $result_file
-fi
-if [ -e $log_file ]
-then
- /bin/rm $log_file
-fi
-
-/bin/echo "SMACK RULE CHECK STARTED!"
-
-RULE_CHECK_APPLY_PATH
-
-if [ ! -e $log_file ]
-then
- /bin/echo "YES" >> $result_file
-else
- /bin/echo "NO" >> $result_file
-fi
-
-/bin/echo "SMACK RULE CHECK FINISHED! "