#-
# Copyright (c) 2019, 2023 Shivank Garg <[email protected]>
#
# This code was developed as a Google Summer of Code 2019 project
# under the guidance of Bjoern A. Zeeb.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#

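# Pull in the shared helpers used below (ipacl_test_init,
# ipacl_test_cleanup, vnet_mkepair, vnet_mkjail are expected to come from
# utils.subr, directly or via whatever it sources).  The path is quoted so
# a source directory containing whitespace does not get word-split.
. "$(atf_get_srcdir)/utils.subr"

# Each test case declares a cleanup routine so jails/epairs are torn down
# even when the body fails part-way through.
atf_test_case "ipacl_v4" "cleanup"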
# Metadata for the ipacl_v4 case.  Root is required because the body
# rewrites security.mac.ipacl.* sysctls and creates vnet jails.
ipacl_v4_head()
{
	atf_set "require.user" "root"
	atf_set "descr" "basic test for ipacl on IPv4 addresses"
}
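# Exercise security.mac.ipacl for IPv4.
#
# Two vnet jails are created: A owns ${epairA}b, B owns ${epairB}b and
# ${epairC}b.  The body first confirms nothing is restricted while
# security.mac.ipacl.ipv4=0, then that every assignment is denied with
# enforcement on and an empty rule set, and finally that a rule set permits
# exactly the addresses/subnets it names.  Rule syntax as exercised here:
# jid,allow(1)/deny(0),interface,AF,addr/prefix, entries joined by '@'.
# An empty interface field acts as a wildcard and a prefix of -1 appears to
# match the single address only.
#
# The saved sysctls are restored at the end of the body.  A failing
# atf_check terminates the case before that point, so the restore is
# skipped on failure; ipacl_test_cleanup still runs, but ATF runs cleanup
# in a separate process, so the prev_* variables are not available to it.
ipacl_v4_body()
{
	ipacl_test_init

	# Remember host state so the body can put it back.
	prev_ipacl_ipv4="$(sysctl -n security.mac.ipacl.ipv4)"
	prev_ipacl_rules="$(sysctl -n security.mac.ipacl.rules)"

	epairA=$(vnet_mkepair)
	epairB=$(vnet_mkepair)
	epairC=$(vnet_mkepair)

	vnet_mkjail A "${epairA}b"
	vnet_mkjail B "${epairB}b" "${epairC}b"

	# 'jls -s' prints key=value; keep only the numeric jail id.
	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')

	# Enforcement disabled for IPv4: any address may be configured.
	sysctl security.mac.ipacl.ipv4=0

	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 192.0.2.2/24 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 203.0.113.254/24 up

	# Enforcement enabled with an empty rule set: every jail is denied.
	sysctl security.mac.ipacl.ipv4=1
	sysctl security.mac.ipacl.rules=

	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 192.0.2.2/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 203.0.113.254/24 up

	# Rule set 1: one address per jail bound to a specific interface,
	# a wildcard-interface subnet for jail B, and a deny inside it.
	rule="${jidA},1,${epairA}b,AF_INET,192.0.2.42/-1@"
	rule="${rule}${jidB},1,${epairB}b,AF_INET,198.51.100.12/-1@"
	rule="${rule}${jidB},1,,AF_INET,203.0.113.1/24@"
	rule="${rule}${jidB},0,,AF_INET,203.0.113.9/-1"
	sysctl security.mac.ipacl.rules="${rule}"

	# Only the exact listed address is allowed, and only on the
	# interface named in the rule.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 192.0.2.42/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 192.0.2.43/24 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" 198.51.100.12/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" 198.51.100.12/24 up

	# Any address inside 203.0.113.0/24 is allowed for jail B, except
	# the explicitly denied 203.0.113.9.
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" 203.0.113.19/24 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" 203.0.113.241/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" 198.18.0.1/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" 203.0.113.9/24 up

	# The empty interface field applies to B's other interface as well.
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" 203.0.113.20/24 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" 203.0.113.242/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" 198.18.0.1/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" 203.0.113.9/24 up

	# Rule set 2: nested allow/deny/allow for jail A in the benchmarking
	# range, plus an allowed TEST-NET subnet with one denied host.
	rule="${jidA},1,,AF_INET,198.18.0.0/15@"
	rule="${rule}${jidA},0,,AF_INET,198.18.23.0/24@"
	rule="${rule}${jidA},1,,AF_INET,198.18.23.1/-1@"
	rule="${rule}${jidA},1,,AF_INET,198.51.100.0/24@"
	rule="${rule}${jidA},0,,AF_INET,198.51.100.100/-1"
	sysctl security.mac.ipacl.rules="${rule}"

	# Benchmarking (198.18.0.0/15) and documentation (TEST-NET) ranges.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 198.18.0.1/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 198.18.23.2/24 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 198.18.23.1/22 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 198.18.23.3/24 up

	# Written as 198.51.100.1 rather than 198.51.100.001: a leading zero
	# in a dotted quad is read as octal by inet_aton(3) and rejected by
	# stricter parsers, so the unambiguous form is used.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 198.51.100.1/24 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 198.51.100.254/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 198.51.100.100/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" 203.0.113.1/24 up

	# Restore host state (only reached when every check above passed).
	sysctl security.mac.ipacl.rules="${prev_ipacl_rules}"
	sysctl security.mac.ipacl.ipv4="${prev_ipacl_ipv4}"
}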
# Cleanup hook for ipacl_v4; ATF invokes it whether or not the body
# completed.  All the work is delegated to the shared helper.
ipacl_v4_cleanup()
{
	ipacl_test_cleanup
}
145
146
# IPv6 counterpart of ipacl_v4, also with a cleanup routine.
atf_test_case ipacl_v6 cleanup
# Metadata for the ipacl_v6 case.  Root is required because the body
# rewrites security.mac.ipacl.* sysctls and creates vnet jails.
ipacl_v6_head()
{
	atf_set "require.user" "root"
	atf_set "descr" "basic test for ipacl on IPv6 addresses"
}
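# Exercise security.mac.ipacl for IPv6.
#
# Same layout as ipacl_v4_body: jail A owns ${epairA}b, jail B owns
# ${epairB}b and ${epairC}b.  Checks run with enforcement off, then with
# enforcement on and no rules, then against rule sets covering single
# addresses (/-1), whole prefixes, the interface wildcard (empty interface
# field), deny entries (second field 0) inside an allowed prefix, ULA space
# (fc00::/7) and the documentation prefix 2001:db8::/32.
#
# The saved sysctls are restored at the end of the body.  A failing
# atf_check terminates the case before that point, so the restore is
# skipped on failure; ipacl_test_cleanup still runs, but ATF runs cleanup
# in a separate process, so the prev_* variables are not available to it.
ipacl_v6_body()
{
	ipacl_test_init

	# Remember host state so the body can put it back.
	prev_ipacl_ipv6="$(sysctl -n security.mac.ipacl.ipv6)"
	prev_ipacl_rules="$(sysctl -n security.mac.ipacl.rules)"

	epairA=$(vnet_mkepair)
	epairB=$(vnet_mkepair)
	epairC=$(vnet_mkepair)

	vnet_mkjail A "${epairA}b"
	vnet_mkjail B "${epairB}b" "${epairC}b"

	# 'jls -s' prints key=value; keep only the numeric jail id.
	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')

	# Enforcement disabled for IPv6: any address may be configured.
	sysctl security.mac.ipacl.ipv6=0

	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 2001:2::abcd/48 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 2001:2::5ea:11/48 up

	# Enforcement enabled with an empty rule set: every jail is denied.
	sysctl security.mac.ipacl.ipv6=1
	sysctl security.mac.ipacl.rules=

	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 2001:2::abcd/48 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 2001:2::5ea:11/48 up

	# Rule set 1: one address per jail bound to a specific interface,
	# a wildcard-interface prefix for jail B, and a deny inside it.
	rule="${jidA},1,${epairA}b,AF_INET6,2001:db8::1111/-1@"
	rule="${rule}${jidB},1,${epairB}b,AF_INET6,2001:2::1234:1234/-1@"
	rule="${rule}${jidB},1,,AF_INET6,fe80::/32@"
	rule="${rule}${jidB},0,,AF_INET6,fe80::abcd/-1"
	sysctl security.mac.ipacl.rules="${rule}"

	# Only the exact listed address is allowed per jail; the same
	# address requested from jail A (not in its rules) is denied.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 2001:db8::1111/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 2001:db8::1112/64 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" inet6 2001:2::1234:1234/48 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 2001:2::1234:1234/48 up

	# Any address inside fe80::/32 is allowed for jail B, except the
	# explicitly denied fe80::abcd.
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" inet6 FE80::1101:1221/15 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" inet6 FE80::abab/15 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" inet6 FE80::1/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairB}b" inet6 FE80::abcd/15 up

	# The empty interface field applies to B's other interface as well.
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" inet6 FE80::1101:1221/15 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" inet6 FE80::abab/32 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" inet6 FE81::1/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" inet6 FE80::abcd/32 up

	# Rule set 2: two allowed prefixes for jail B and nothing else.
	rule="${jidB},1,,AF_INET6,2001:2::/48@"
	rule="${rule}${jidB},1,,AF_INET6,2001:3::/32"
	sysctl security.mac.ipacl.rules="${rule}"

	# Prefix matching: 2001:2:1::/48 and 2001:2:1000::/32 fall outside
	# 2001:2::/48, 2001:3:1::1 is inside 2001:3::/32, 2001:4::/32 is
	# not listed at all.
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" inet6 2001:2:0001::1/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" inet6 2001:2:1000::1/32 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" inet6 2001:3:0001::1/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig "${epairC}b" inet6 2001:4::1/64 up

	# Rule set 3: ULA space for jail A with a denied /120 and one
	# re-allowed host inside it, plus 2001:db8::/32 with one denied host.
	rule="${jidA},1,,AF_INET6,fc00::/7@"
	rule="${rule}${jidA},0,,AF_INET6,fc00::1111:2200/120@"
	rule="${rule}${jidA},1,,AF_INET6,fc00::1111:2299/-1@"
	rule="${rule}${jidA},1,,AF_INET6,2001:db8::/32@"
	rule="${rule}${jidA},0,,AF_INET6,2001:db8::abcd/-1"
	sysctl security.mac.ipacl.rules="${rule}"

	# Inside fc00::/7 is allowed; f800::/16 is outside it.
	# NOTE(review): the second check below repeats the first verbatim
	# and so adds no coverage; it probably meant a different address in
	# fc00::/7 -- confirm the intended target before changing it.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 fc00::0000:1234/48 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 fc00::0000:1234/48 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 f800::2222:2200/48 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 f800::2222:22ff/48 up

	# Denied /120 inside the allowed /7, with one host re-allowed by
	# a more specific /-1 entry.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 fc00::1111:2111/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 fc00::1111:2211/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 fc00::1111:22aa/48 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig "${epairA}b" inet6 fc00::1111:2299/48 up

	# Documentation prefix 2001:db8::/32: anything inside is allowed
	# except 2001:db8::abcd; 2001:ab9::/32 is outside.
	atf_check -s exit:0 -e ignore jexec A ifconfig \
	    "${epairA}b" inet6 2001:db8:abcd:bcde:cdef:def1:ef12:f123/32 up
	atf_check -s exit:0 -e ignore jexec A ifconfig \
	    "${epairA}b" inet6 2001:db8:1111:2222:3333:4444:5555:6666/32 up
	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
	    "${epairA}b" inet6 2001:ab9:1111:2222:3333:4444:5555:6666/32 up
	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
	    "${epairA}b" inet6 2001:db8::abcd/32 up

	# Restore host state (only reached when every check above passed).
	sysctl security.mac.ipacl.rules="${prev_ipacl_rules}"
	sysctl security.mac.ipacl.ipv6="${prev_ipacl_ipv6}"
}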
# Cleanup hook for ipacl_v6; ATF invokes it whether or not the body
# completed.  All the work is delegated to the shared helper.
ipacl_v6_cleanup()
{
	ipacl_test_cleanup
}
284
285
# Register the test cases defined above with the ATF runner.
atf_init_test_cases()
{
	for tc in ipacl_v4 ipacl_v6; do
		atf_add_test_case "${tc}"
	done
}