GitHub Repository: freebsd/freebsd-src
Path: blob/main/tests/sys/mac/ipacl/ipacl_test.sh
#-
# Copyright (c) 2019, 2023 Shivank Garg <[email protected]>
#
# This code was developed as a Google Summer of Code 2019 project
# under the guidance of Bjoern A. Zeeb.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
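# Pull in the shared helpers used below (ipacl_test_init,
# ipacl_test_cleanup, vnet_mkepair, vnet_mkjail) from utils.subr next to
# this script, or from whatever utils.subr itself sources.  The path is
# quoted so a source directory containing whitespace still resolves.
. "$(atf_get_srcdir)/utils.subr"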
# ipacl_v4 has a cleanup routine (ipacl_v4_cleanup) that runs after the body.
atf_test_case ipacl_v4 cleanup
ipacl_v4_head()
{
	# Test metadata: a one-line description and the root requirement
	# (the body creates jails and writes MAC policy sysctls).
	atf_set "descr" "basic test for ipacl on IPv4 addresses"
	atf_set "require.user" "root"
}
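ipacl_v4_body()
{
	# Exercise the ipacl MAC policy on IPv4 addresses in three stages:
	# enforcement off (any address may be assigned), enforcement on with
	# an empty rule set (every assignment refused), and enforcement on
	# with rules loaded (only permitted hosts/subnets, minus explicit
	# deny entries, are accepted).
	#
	# Rule strings are "jid,allow,ifname,af,addr/prefix" entries joined
	# with '@' and written to security.mac.ipacl.rules.  allow=1 permits
	# and allow=0 denies; an empty ifname covers every interface of the
	# jail (see the wildcard checks below); "/-1" is used here for
	# single-host entries.
	#
	# State-changing sysctls run under atf_check so a rejected rule
	# string or an unavailable OID fails the test at the write itself
	# instead of letting the later checks run against stale policy.
	# sysctl(8) prints "name: old -> new" on success, hence -o ignore.
	ipacl_test_init

	epairA=$(vnet_mkepair)
	epairB=$(vnet_mkepair)
	epairC=$(vnet_mkepair)

	# Jail B gets two interfaces so per-interface rules can be told
	# apart from wildcard-interface rules.
	vnet_mkjail A ${epairA}b
	vnet_mkjail B ${epairB}b ${epairC}b

	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')

	# The ipacl policy module is not enforced for IPv4.
	atf_check -o ignore sysctl security.mac.ipacl.ipv4=0

	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 192.0.2.2/24 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 203.0.113.254/24 up

	# The ipacl policy module is enforced for IPv4 and, with no rules
	# loaded, prevents all jails from setting their IPv4 address.
	atf_check -o ignore sysctl security.mac.ipacl.ipv4=1
	atf_check -o ignore sysctl security.mac.ipacl.rules=

	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 192.0.2.2/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 203.0.113.254/24 up

	# Per-interface host entries for A and B, a wildcard-interface subnet
	# for B, and one host inside that subnet explicitly denied.
	rule="${jidA},1,${epairA}b,AF_INET,192.0.2.42/-1@"
	rule="${rule}${jidB},1,${epairB}b,AF_INET,198.51.100.12/-1@"
	rule="${rule}${jidB},1,,AF_INET,203.0.113.1/24@"
	rule="${rule}${jidB},0,,AF_INET,203.0.113.9/-1"
	atf_check -o ignore sysctl security.mac.ipacl.rules="${rule}"

	# Verify that a jail may set only the listed IPv4 address, and only
	# on the interface named in the rule.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 192.0.2.42/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 192.0.2.43/24 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b 198.51.100.12/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b 198.51.100.12/24 up

	# Verify that the module allows the jail to set any address in the
	# permitted subnet except the explicitly denied host.
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b 203.0.113.19/24 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b 203.0.113.241/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b 198.18.0.1/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b 203.0.113.9/24 up

	# Check wildcard for interfaces: the same subnet rule applies to B's
	# second interface.
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b 203.0.113.20/24 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b 203.0.113.242/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b 198.18.0.1/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b 203.0.113.9/24 up

	# Nested allow/deny: allow 198.18.0.0/15, deny a /24 inside it,
	# re-allow one host inside that /24; then allow 198.51.100.0/24 with
	# a single denied host.
	rule="${jidA},1,,AF_INET,198.18.0.0/15@"
	rule="${rule}${jidA},0,,AF_INET,198.18.23.0/24@"
	rule="${rule}${jidA},1,,AF_INET,198.18.23.1/-1@"
	rule="${rule}${jidA},1,,AF_INET,198.51.100.0/24@"
	rule="${rule}${jidA},0,,AF_INET,198.51.100.100/-1"
	atf_check -o ignore sysctl security.mac.ipacl.rules="${rule}"

	# Tests from the Benchmarking (198.18.0.0/15) and Documentation
	# (TEST-NET-2 / TEST-NET-3) ranges.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 198.18.0.1/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 198.18.23.2/24 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 198.18.23.1/22 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 198.18.23.3/24 up

	# "198.51.100.001" is kept as written; it parses to 198.51.100.1.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 198.51.100.001/24 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 198.51.100.254/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 198.51.100.100/24 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b 203.0.113.1/24 up

	# Reset rules OID so no policy state leaks into the next test case.
	atf_check -o ignore sysctl security.mac.ipacl.rules=
}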
ipacl_v4_cleanup() {
	# Delegate teardown to the shared helper from utils.subr.
	ipacl_test_cleanup
}
# ipacl_v6 has a cleanup routine (ipacl_v6_cleanup) that runs after the body.
atf_test_case ipacl_v6 cleanup
ipacl_v6_head()
{
	# Test metadata: a one-line description and the root requirement
	# (the body creates jails and writes MAC policy sysctls).
	atf_set "descr" "basic test for ipacl on IPv6 addresses"
	atf_set "require.user" "root"
}
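ipacl_v6_body()
{
	# IPv6 counterpart of ipacl_v4_body: enforcement off, enforcement on
	# with an empty rule set, then enforcement on with rules loaded.
	#
	# Rule strings are "jid,allow,ifname,af,addr/prefix" entries joined
	# with '@' and written to security.mac.ipacl.rules.  allow=1 permits
	# and allow=0 denies; an empty ifname covers every interface of the
	# jail (see the wildcard checks below); "/-1" is used here for
	# single-host entries.
	#
	# State-changing sysctls run under atf_check so a rejected rule
	# string or an unavailable OID fails the test at the write itself
	# instead of letting the later checks run against stale policy.
	# sysctl(8) prints "name: old -> new" on success, hence -o ignore.
	ipacl_test_init

	epairA=$(vnet_mkepair)
	epairB=$(vnet_mkepair)
	epairC=$(vnet_mkepair)

	# Jail B gets two interfaces so per-interface rules can be told
	# apart from wildcard-interface rules.
	vnet_mkjail A ${epairA}b
	vnet_mkjail B ${epairB}b ${epairC}b

	jidA=$(jls -j A -s jid | grep -o -E '[0-9]+')
	jidB=$(jls -j B -s jid | grep -o -E '[0-9]+')

	# The ipacl policy module is not enforced for IPv6.
	atf_check -o ignore sysctl security.mac.ipacl.ipv6=0

	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 2001:2::abcd/48 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 2001:2::5ea:11/48 up

	# The ipacl policy module is enforced for IPv6 and, with no rules
	# loaded, prevents all jails from setting their IPv6 address.
	atf_check -o ignore sysctl security.mac.ipacl.ipv6=1
	atf_check -o ignore sysctl security.mac.ipacl.rules=

	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 2001:2::abcd/48 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 2001:2::5ea:11/48 up

	# Per-interface host entries for A and B, a wildcard-interface prefix
	# for B, and one host inside that prefix explicitly denied.
	rule="${jidA},1,${epairA}b,AF_INET6,2001:db8::1111/-1@"
	rule="${rule}${jidB},1,${epairB}b,AF_INET6,2001:2::1234:1234/-1@"
	rule="${rule}${jidB},1,,AF_INET6,fe80::/32@"
	rule="${rule}${jidB},0,,AF_INET6,fe80::abcd/-1"
	atf_check -o ignore sysctl security.mac.ipacl.rules="${rule}"

	# Verify that a jail may set only the listed IPv6 address, and that
	# B's entry does not apply to A.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 2001:db8::1111/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 2001:db8::1112/64 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b inet6 2001:2::1234:1234/48 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 2001:2::1234:1234/48 up

	# Verify that the module allows the jail to set any address in the
	# permitted prefix except the explicitly denied host.
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b inet6 FE80::1101:1221/15 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b inet6 FE80::abab/15 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b inet6 FE80::1/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairB}b inet6 FE80::abcd/15 up

	# Check wildcard for interfaces: the same prefix rule applies to B's
	# second interface.
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b inet6 FE80::1101:1221/15 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b inet6 FE80::abab/32 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b inet6 FE81::1/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b inet6 FE80::abcd/32 up

	# Prefix-only rules for B: 2001:2::/48 and 2001:3::/32.
	rule="${jidB},1,,AF_INET6,2001:2::/48@"
	rule="${rule}${jidB},1,,AF_INET6,2001:3::/32"
	atf_check -o ignore sysctl security.mac.ipacl.rules="${rule}"

	# Tests when a subnet is allowed: 2001:2:1::/48 and 2001:2:1000::/48
	# lie outside 2001:2::/48, while 2001:3:1::/64 lies inside
	# 2001:3::/32.
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b inet6 2001:2:0001::1/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b inet6 2001:2:1000::1/32 up
	atf_check -s exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b inet6 2001:3:0001::1/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec B ifconfig ${epairC}b inet6 2001:4::1/64 up

	# More tests of the ULA address space (fc00::/7): allow the whole
	# range, deny a /120 inside it, re-allow one host in that /120; the
	# documentation prefix 2001:db8::/32 likewise with one denied host.
	rule="${jidA},1,,AF_INET6,fc00::/7@"
	rule="${rule}${jidA},0,,AF_INET6,fc00::1111:2200/120@"
	rule="${rule}${jidA},1,,AF_INET6,fc00::1111:2299/-1@"
	rule="${rule}${jidA},1,,AF_INET6,2001:db8::/32@"
	rule="${rule}${jidA},0,,AF_INET6,2001:db8::abcd/-1"
	atf_check -o ignore sysctl security.mac.ipacl.rules="${rule}"

	# NOTE(review): the second check below repeats the first verbatim;
	# presumably a different ULA address was intended - confirm.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 fc00::0000:1234/48 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 fc00::0000:1234/48 up
	# f800::/16 is outside fc00::/7.
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 f800::2222:2200/48 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 f800::2222:22ff/48 up

	# Inside the denied /120 only the re-allowed host gets through.
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2111/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2211/64 up
	atf_check -s not-exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 fc00::1111:22aa/48 up
	atf_check -s exit:0 -e ignore \
	    jexec A ifconfig ${epairA}b inet6 fc00::1111:2299/48 up

	# More tests from the IPv6 documentation range.
	atf_check -s exit:0 -e ignore jexec A ifconfig \
	    ${epairA}b inet6 2001:db8:abcd:bcde:cdef:def1:ef12:f123/32 up
	atf_check -s exit:0 -e ignore jexec A ifconfig \
	    ${epairA}b inet6 2001:db8:1111:2222:3333:4444:5555:6666/32 up
	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
	    ${epairA}b inet6 2001:ab9:1111:2222:3333:4444:5555:6666/32 up
	atf_check -s not-exit:0 -e ignore jexec A ifconfig \
	    ${epairA}b inet6 2001:db8::abcd/32 up

	# Reset rules OID so no policy state leaks into the next test case.
	atf_check -o ignore sysctl security.mac.ipacl.rules=
}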
ipacl_v6_cleanup() {
	# Delegate teardown to the shared helper from utils.subr.
	ipacl_test_cleanup
}
atf_init_test_cases()
{
	# Register both test cases with the ATF runner.
	atf_add_test_case ipacl_v4
	atf_add_test_case ipacl_v6
}