GitHub Repository: freebsd/freebsd-src
Path: blob/main/tests/sys/mac/portacl/nobody_test.sh
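#!/bin/sh

# TAP test: checks which bind(2) attempts succeed for the unprivileged
# "nobody" uid/gid as the reserved-port limit and the mac_portacl limits
# are moved.
#
# bind_test and restore_settings come from misc.sh, which is not shown here.
# Judging by the expectations in this file, the first two bind_test arguments
# are the expected result without and with a matching portacl rule
# (fl = bind fails, ok = bind succeeds), followed by id type, id, protocol
# and port -- confirm against misc.sh.

# Quote the script path so a checkout directory containing whitespace or
# glob characters still resolves misc.sh.
dir=$(dirname "$0")
. "${dir}/misc.sh"

# TAP plan: 32 bind_test calls below; presumably each reports two results.
echo "1..64"

# security.mac.portacl.suser_exempt value doesn't affect unprivileged users
# behaviour.
# mac_portacl has no impact on ports <= net.inet.ip.portrange.reservedhigh.

# The sysctls written below are system-wide. The restore hook is registered
# before the first write so an interrupted run also goes through
# restore_settings (what it restores is defined in misc.sh).
trap restore_settings EXIT INT TERM

sysctl security.mac.portacl.suser_exempt=1 >/dev/null
sysctl net.inet.ip.portrange.reservedhigh=78 >/dev/null

# Port 77 is at or below reservedhigh (78): refused for nobody with or
# without a rule. Port 7777 is expected to bind either way; this relies on
# security.mac.portacl.port_high, which is not set until later in this file,
# being below 7777 at this point.
bind_test fl fl uid nobody tcp 77
bind_test ok ok uid nobody tcp 7777
bind_test fl fl uid nobody udp 77
bind_test ok ok uid nobody udp 7777

bind_test fl fl gid nobody tcp 77
bind_test ok ok gid nobody tcp 7777
bind_test fl fl gid nobody udp 77
bind_test ok ok gid nobody udp 7777

# Same expectations with suser_exempt cleared: the setting must make no
# difference for an unprivileged id.
sysctl security.mac.portacl.suser_exempt=0 >/dev/null

bind_test fl fl uid nobody tcp 77
bind_test ok ok uid nobody tcp 7777
bind_test fl fl uid nobody udp 77
bind_test ok ok uid nobody udp 7777

bind_test fl fl gid nobody tcp 77
bind_test ok ok gid nobody tcp 7777
bind_test fl fl gid nobody udp 77
bind_test ok ok gid nobody udp 7777

# Verify if security.mac.portacl.port_high works.
# With port_high raised to 7778, port 7777 falls inside the range mac_portacl
# controls: refused without a rule, allowed with one. Port 77 is still at or
# below reservedhigh (78), so a rule does not help.

sysctl security.mac.portacl.port_high=7778 >/dev/null

bind_test fl fl uid nobody tcp 77
bind_test fl ok uid nobody tcp 7777
bind_test fl fl uid nobody udp 77
bind_test fl ok uid nobody udp 7777

bind_test fl fl gid nobody tcp 77
bind_test fl ok gid nobody tcp 7777
bind_test fl fl gid nobody udp 77
bind_test fl ok gid nobody udp 7777

# Verify if mac_portacl rules work.
# reservedhigh drops to 76, so port 77 is no longer covered by the
# reserved-port limit and is decided by mac_portacl alone: refused without a
# rule, allowed with one. port_high drops to 7776, so port 7777 is outside
# the controlled range again and binds either way.

sysctl net.inet.ip.portrange.reservedhigh=76 >/dev/null
sysctl security.mac.portacl.port_high=7776 >/dev/null

bind_test fl ok uid nobody tcp 77
bind_test ok ok uid nobody tcp 7777
bind_test fl ok uid nobody udp 77
bind_test ok ok uid nobody udp 7777

bind_test fl ok gid nobody tcp 77
bind_test ok ok gid nobody tcp 7777
bind_test fl ok gid nobody udp 77
bind_test ok ok gid nobody udp 7777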