GitHub Repository: freebsd/freebsd-src
Path: blob/main/tests/sys/mac/do/common.sh
# Copyright (c) 2026 The FreeBSD Foundation
#
# SPDX-License-Identifier: BSD-2-Clause
#
# This software was developed by Olivier Certner <[email protected]> at
# Kumacom SARL under sponsorship from the FreeBSD Foundation.
# Print the name of the "rules" parameter located under the given root.
# $1 = root name (a sysctl node or a jail parameter prefix)
rules_parameter()
{
	printf '%s\n' "$1.rules"
}
# Print the name of the "exec_paths" parameter located under the given root.
# $1 = root name (a sysctl node or a jail parameter prefix)
exec_paths_parameter()
{
	printf '%s\n' "$1.exec_paths"
}
# Path of the mdo binary.  A non-empty MDO already present in the environment
# takes precedence over this default, so the tests exercise whichever binary
# the caller's environment names (presumably consumed by the test files that
# source this one; MDO is not used below).
: "${MDO:=/usr/bin/mdo}"

# Names of the mac_do(4) sysctl knobs.
ROOT_KNOB=security.mac.do
RULES_KNOB=$(rules_parameter "${ROOT_KNOB}")
EXEC_PATHS_KNOB=$(exec_paths_parameter "${ROOT_KNOB}")
PPE_KNOB="${ROOT_KNOB}.print_parse_error"

# Names of the matching jail parameters.
ROOT_JAIL_PARAM=mac.do
RULES_JAIL_PARAM=$(rules_parameter "${ROOT_JAIL_PARAM}")
EXEC_PATHS_JAIL_PARAM=$(exec_paths_parameter "${ROOT_JAIL_PARAM}")

# To be overridden to execute commands in a sub-jail.  The helpers below
# expand it unquoted as a command prefix, so it may hold a command plus its
# arguments; whatever it contains is executed, so set it from test code only.
JEXEC=
# Tell whether mac_do(4) is disabled, i.e., whether the rules knob or the
# exec_paths knob reads back empty (through $JEXEC if set).
# Exit status: 0 iff disabled
#
# A sysctl invocation that fails and prints nothing cannot be told apart from
# an empty knob here, so it is reported as "disabled" as well.
mac_do_disabled()
{
	# The exec_paths knob is only queried if the rules knob is not empty.
	if [ -z "$($JEXEC sysctl -n "${RULES_KNOB}")" ]; then
		return 0
	fi
	[ -z "$($JEXEC sysctl -n "${EXEC_PATHS_KNOB}")" ]
}
38
39
# Fail the current test (via atf_fail) unless mac_do_disabled reports that
# mac_do(4) is disabled.
mac_do_check_disabled()
{
	if ! mac_do_disabled; then
		atf_fail "mac_do(4) expected disabled but is not."
	fi
}
43
44
# Disable mac_do(4) if it is not disabled already, by setting the rules knob
# to the empty string (through $JEXEC if set).  The exec_paths knob is left
# untouched, and sysctl's output is not suppressed.
mac_do_ensure_disabled()
{
	if ! mac_do_disabled; then
		$JEXEC sysctl "${RULES_KNOB}="
	fi
}
48
49
# Print the current value of the rules knob (through $JEXEC if set).
sysctl_rules()
{
	$JEXEC sysctl -n "${RULES_KNOB}"
}
53
54
# Print the current value of the exec_paths knob (through $JEXEC if set).
sysctl_exec_paths()
{
	$JEXEC sysctl -n "${EXEC_PATHS_KNOB}"
}
58
59
# Check, via atf_check, that the output of a value-printing function equals
# the expected value.
# $1 = function printing a sysctl value (e.g., sysctl_rules)
# $2 = expected value
sysctl_check()
{
	local getter expected

	getter=$1
	expected=$2
	# $getter is expanded unquoted and run as a command.
	atf_check [ "$($getter)" = "$expected" ]
}
68
69
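# Check that the rules knob currently holds the expected value.
# $1 = expected value
sysctl_check_rules()
{
	local value

	value=$1
	# Quoted so that an empty value, or one containing whitespace or glob
	# characters, reaches sysctl_check as exactly one argument instead of
	# being split or expanded by the shell.
	sysctl_check sysctl_rules "$value"
}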
77
78
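# Check that the exec_paths knob currently holds the expected value.
# $1 = expected value
sysctl_check_exec_paths()
{
	local value

	value=$1
	# Quoted so that an empty value, or a path list containing whitespace or
	# glob characters, reaches sysctl_check as exactly one argument instead
	# of being split or expanded by the shell.
	sysctl_check sysctl_exec_paths "$value"
}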
86
87
# Set a sysctl knob (through $JEXEC if set) and check that it reads back as
# the value just written.
# $1 = knob name, $2 = value
sysctl_set_and_check()
{
	local name wanted

	name=$1
	wanted=$2
	# The set operation must exit 0 (atf_check's default); its output is
	# ignored.
	atf_check -o ignore $JEXEC sysctl "${name}=${wanted}"
	# Reading back must print exactly the value followed by a newline.
	atf_check -o "inline:${wanted}\n" $JEXEC sysctl -n "${name}"
}
97
98
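# Try to set a sysctl knob to a value that must be rejected, then check that
# the knob still holds the value it had before the attempt.
# $1 = knob name, $2 = value
sysctl_set_and_check_fails()
{
	local knob value orig_value

	knob=$1
	value=$2
	# Read the original value through $JEXEC, like the two checks below.
	# Otherwise, with JEXEC pointing at a sub-jail, the value read outside
	# the jail would be compared against the one read inside it.
	orig_value=$($JEXEC sysctl -n "$knob")
	# The set operation must fail; its output and error text are ignored.
	atf_check -s not-exit:0 -o ignore -e ignore $JEXEC sysctl "$knob"="$value"
	# The rejected write must have left the knob unchanged.
	atf_check -o inline:"${orig_value}\n" $JEXEC sysctl -n "$knob"
}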
109
110
# Apply a set-and-check function to the rules knob twice: first with the
# older in-rule separator (':') substituted for '>', then with the value
# exactly as given, so that the knob's final value is the one specified.
# $1 = set-and-check function, called as: func knob value
# $2 = value
sysctl_set_and_check_rules_common()
{
	local setter wanted legacy

	setter=$1
	wanted=$2
	# The sed expression has no 'g' flag, so only the first '>' of each line
	# is replaced.  NOTE(review): confirm this is intended for values that
	# hold several rules.
	legacy=$(echo "$wanted" | sed 's%>%:%')
	"$setter" "${RULES_KNOB}" "$legacy"
	"$setter" "${RULES_KNOB}" "$wanted"
}
121
122
# Set the rules knob and check that it reads back as set, by handing
# sysctl_set_and_check to sysctl_set_and_check_rules_common.
# $1 = value
sysctl_set_and_check_rules()
{
	sysctl_set_and_check_rules_common sysctl_set_and_check "$1"
}
130
131
# Check that setting the rules knob to the given value is rejected and leaves
# the knob unchanged, by handing sysctl_set_and_check_fails to
# sysctl_set_and_check_rules_common.
# $1 = value
sysctl_set_and_check_fails_rules()
{
	sysctl_set_and_check_rules_common sysctl_set_and_check_fails "$1"
}
139
140
# Apply a set-and-check function to the exec_paths knob twice: first with the
# value's first '>' turned into ':', then with the value exactly as given, so
# that the knob's final value is the one specified.
# $1 = set-and-check function, called as: func knob value
# $2 = value
sysctl_set_and_check_exec_paths_common()
{
	local setter wanted legacy

	setter=$1
	wanted=$2
	# Same substitution as for the rules knob (first '>' of each line only).
	# NOTE(review): whether exec_paths values ever contain '>' is not
	# visible here; if they do not, both calls below pass the same value.
	legacy=$(echo "$wanted" | sed 's%>%:%')
	"$setter" "${EXEC_PATHS_KNOB}" "$legacy"
	"$setter" "${EXEC_PATHS_KNOB}" "$wanted"
}
151
152
# Set the exec_paths knob and check that it reads back as set, by handing
# sysctl_set_and_check to sysctl_set_and_check_exec_paths_common.
# $1 = value
sysctl_set_and_check_exec_paths()
{
	sysctl_set_and_check_exec_paths_common sysctl_set_and_check "$1"
}
160
161
# Create a persistent subjail (through $JEXEC if set).  Echoes its JID.
#
# The jail is created with persist=true and nothing here removes it, so the
# caller is responsible for tearing it down.  If jail(8) succeeds but no
# "jid=<number>" is found in its output, nothing is echoed and no failure is
# reported.
# NOTE(review): callers capturing the JID with $(...) run this function in a
# subshell; confirm atf_fail still aborts the test from there.
launch_subjail()
{
	if ! (
		# pipefail is confined to this subshell; it makes a failing
		# jail(8) fail the whole pipeline even though sed succeeds.
		set -o pipefail
		# -J /dev/stdout sends the created jail's parameters to the
		# pipe, from which sed extracts the numeric JID.
		$JEXEC jail -c -J /dev/stdout persist=true |
		    sed -nE 's%^.*jid=([0-9]+).*$%\1%p'
	); then
		atf_fail "Cannot create a subjail (check children limits?)"
	fi
}
170
171
# Programs the helpers in this file invoke.
atf_require_prog sysctl
atf_require_prog jail
atf_require_prog sed

# Do not pollute kernel logs with parse errors.
# This runs as soon as the file is sourced and calls sysctl directly, not
# through $JEXEC.  Output and any failure are discarded, and the knob's
# previous value is not restored here.
sysctl "${PPE_KNOB}=0" >/dev/null 2>&1