| |
@@ -0,0 +1,108 @@
|
| |
+ #!/bin/bash
|
| |
+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
| |
+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| |
+ #
|
| |
+ # runtest.sh of /tools/elfutils/Sanity/yama-scope
|
| |
+ # Description: yama-scope
|
| |
+ # Author: Martin Cermak <mcermak@redhat.com>
|
| |
+ #
|
| |
+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| |
+ #
|
| |
+ # Copyright (c) 2017 Red Hat, Inc.
|
| |
+ #
|
| |
+ # This program is free software: you can redistribute it and/or
|
| |
+ # modify it under the terms of the GNU General Public License as
|
| |
+ # published by the Free Software Foundation, either version 2 of
|
| |
+ # the License, or (at your option) any later version.
|
| |
+ #
|
| |
+ # This program is distributed in the hope that it will be
|
| |
+ # useful, but WITHOUT ANY WARRANTY; without even the implied
|
| |
+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
| |
+ # PURPOSE. See the GNU General Public License for more details.
|
| |
+ #
|
| |
+ # You should have received a copy of the GNU General Public License
|
| |
+ # along with this program. If not, see http://www.gnu.org/licenses/.
|
| |
+ #
|
| |
+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| |
+
|
| |
+ # Include Beaker environment
|
| |
+ . /usr/share/beakerlib/beakerlib.sh || exit 1
|
| |
+
|
| |
+ PACKAGE="elfutils"
|
| |
+ MY_USER="ptrace_scope_testuser"
|
| |
+ TESTCASE="/tmp/ptrace-scope-test.sh"
|
| |
+ PROCFILE='/proc/sys/kernel/yama/ptrace_scope'
|
| |
+
|
| |
+ test_root()
|
| |
+ {
|
| |
+ $TESTCASE
|
| |
+ }
|
| |
+
|
| |
+ test_user()
|
| |
+ {
|
| |
+ su - $MY_USER -c $TESTCASE
|
| |
+ }
|
| |
+
|
| |
+ rlJournalStart
|
| |
+ rlPhaseStartTest
|
| |
+
|
| |
+ # This can easily be tested with strace. Just cycle through the settings:
|
| |
+
|
| |
+ # 0 - Default attach security permissions.
|
| |
+ # 1 - Restricted attach. Only child processes plus normal permissions.
|
| |
+ # 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
|
| |
+ # 3 - No attach. No process may call ptrace at all. Irrevocable.
|
| |
+
|
| |
+ # echo 0 > /proc/sys/kernel/yama/ptrace_scope
|
| |
+
|
| |
+ # With 0, strace works against any process with your uid. For example, strace -p 2190.
|
| |
+ # With 1, strace errors when doing the same as in 0: strace: attach: ptrace(PTRACE_SEIZE, 3180): Operation not permitted. However, you can strace any program you run from strace, "strace /bin/ls" or example.
|
| |
+ # With 2, you can only strace from the root account. You can no longer strace commands run from strace.
|
| |
+ # With 3, even root cannot strace.
|
| |
+
|
| |
+ # ---
|
| |
+
|
| |
+ # possible related AVCs tracked as https://bugzilla.redhat.com/show_bug.cgi?id=1458999
|
| |
+
|
| |
+ # ---
|
| |
+
|
| |
+ rlRun "useradd $MY_USER" 0,9
|
| |
+
|
| |
+ rlRun "cp ptrace-scope-test.sh /tmp/"
|
| |
+ rlRun "chmod a+rx /tmp/ptrace-scope-test.sh"
|
| |
+
|
| |
+ rlRun "ORIGVAL=$( cat $PROCFILE )"
|
| |
+
|
| |
+ # First, test the default behaviour, which is "no restriction"
|
| |
+ # from the ptrace perspective. Here we assume that
|
| |
+ # elfutils-default-yama-scope.rpm is installed and so the default
|
| |
+ # yama policy is set to 0 instead of 1 which would otherwise be set
|
| |
+ # as a kernel default (security/yama/yama_lsm.c ---> YAMA_SCOPE_RELATIONAL)
|
| |
+ rlRun test_root
|
| |
+ rlRun test_user
|
| |
+
|
| |
+ rlRun "echo 0 > $PROCFILE"
|
| |
+ rlRun test_root
|
| |
+ rlRun test_user
|
| |
+ rlRun "echo 1 > $PROCFILE"
|
| |
+ rlRun test_root
|
| |
+ rlRun test_user 1
|
| |
+ rlRun "echo 2 > $PROCFILE"
|
| |
+ rlRun test_root
|
| |
+ rlRun test_user 1
|
| |
+ # Following subtest would be irrevertible (till next reboot)
|
| |
+ # rlRun "echo 3 > $PROCFILE"
|
| |
+ # rlRun test_root 1
|
| |
+ # rlRun test_user 1
|
| |
+
|
| |
+ rlRun "userdel -f $MY_USER"
|
| |
+
|
| |
+ # This testcase could be more complex - using child and non-child processes and
|
| |
+ # performing reboots. But let's keep this simple, since we are not testing the
|
| |
+ # kernel facility, but merely an elfutils "plugin" for it, whose purpose is to
|
| |
+ # set the default yama policy as such.
|
| |
+
|
| |
+ rlRun "echo $ORIGVAL > $PROCFILE"
|
| |
+ rlPhaseEnd
|
| |
+ rlJournalPrintText
|
| |
+ rlJournalEnd
|
| |